]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Factor fail_kw_on_dlt() out.
[libpcap] / gencode.c
1 /*
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 #include <config.h>
23
24 #ifdef _WIN32
25 #include <ws2tcpip.h>
26 #else
27 #include <netinet/in.h>
28 #endif /* _WIN32 */
29
30 #include <stdlib.h>
31 #include <string.h>
32 #include <memory.h>
33 #include <setjmp.h>
34 #include <stdarg.h>
35 #include <stdio.h>
36 #include <stdint.h>
37 #include <stddef.h>
38
39 #include "pcap-int.h"
40
41 #include "extract.h"
42
43 #include "ethertype.h"
44 #include "llc.h"
45 #include "gencode.h"
46 #include "ieee80211.h"
47 #include "pflog.h"
48 #include "ppp.h"
49 #include "pcap/sll.h"
50 #include "pcap/ipnet.h"
51 #include "diag-control.h"
52 #include "pcap-util.h"
53
54 #include "scanner.h"
55
56 #if defined(__linux__)
57 #include <linux/types.h>
58 #include <linux/if_packet.h>
59 #include <linux/filter.h>
60 #endif
61
62 #ifdef _WIN32
63 #ifdef HAVE_NPCAP_BPF_H
64 /* Defines BPF extensions for Npcap */
65 #include <npcap-bpf.h>
66 #endif
67 #ifdef INET6
68 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
69 /* IPv6 address */
70 struct in6_addr
71 {
72 union
73 {
74 uint8_t u6_addr8[16];
75 uint16_t u6_addr16[8];
76 uint32_t u6_addr32[4];
77 } in6_u;
78 #define s6_addr in6_u.u6_addr8
79 #define s6_addr16 in6_u.u6_addr16
80 #define s6_addr32 in6_u.u6_addr32
81 #define s6_addr64 in6_u.u6_addr64
82 };
83
84 typedef unsigned short sa_family_t;
85
86 #define __SOCKADDR_COMMON(sa_prefix) \
87 sa_family_t sa_prefix##family
88
89 /* Ditto, for IPv6. */
90 struct sockaddr_in6
91 {
92 __SOCKADDR_COMMON (sin6_);
93 uint16_t sin6_port; /* Transport layer port # */
94 uint32_t sin6_flowinfo; /* IPv6 flow information */
95 struct in6_addr sin6_addr; /* IPv6 address */
96 };
97
98 #ifndef EAI_ADDRFAMILY
99 struct addrinfo {
100 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
101 int ai_family; /* PF_xxx */
102 int ai_socktype; /* SOCK_xxx */
103 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
104 size_t ai_addrlen; /* length of ai_addr */
105 char *ai_canonname; /* canonical name for hostname */
106 struct sockaddr *ai_addr; /* binary address */
107 struct addrinfo *ai_next; /* next structure in linked list */
108 };
109 #endif /* EAI_ADDRFAMILY */
110 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
111 #endif /* INET6 */
112 #else /* _WIN32 */
113 #include <netdb.h> /* for "struct addrinfo" */
114 #endif /* _WIN32 */
115 #include <pcap/namedb.h>
116
117 #include "nametoaddr.h"
118
119 #define ETHERMTU 1500
120
121 #ifndef IPPROTO_HOPOPTS
122 #define IPPROTO_HOPOPTS 0
123 #endif
124 #ifndef IPPROTO_ROUTING
125 #define IPPROTO_ROUTING 43
126 #endif
127 #ifndef IPPROTO_FRAGMENT
128 #define IPPROTO_FRAGMENT 44
129 #endif
130 #ifndef IPPROTO_DSTOPTS
131 #define IPPROTO_DSTOPTS 60
132 #endif
133 #ifndef IPPROTO_SCTP
134 #define IPPROTO_SCTP 132
135 #endif
136
137 #define GENEVE_PORT 6081
138 #define VXLAN_PORT 4789
139
140
141 /*
142 * from: NetBSD: if_arc.h,v 1.13 1999/11/19 20:41:19 thorpej Exp
143 */
144
145 /* RFC 1051 */
146 #define ARCTYPE_IP_OLD 240 /* IP protocol */
147 #define ARCTYPE_ARP_OLD 241 /* address resolution protocol */
148
149 /* RFC 1201 */
150 #define ARCTYPE_IP 212 /* IP protocol */
151 #define ARCTYPE_ARP 213 /* address resolution protocol */
152 #define ARCTYPE_REVARP 214 /* reverse addr resolution protocol */
153
154 #define ARCTYPE_ATALK 221 /* Appletalk */
155 #define ARCTYPE_BANIAN 247 /* Banyan Vines */
156 #define ARCTYPE_IPX 250 /* Novell IPX */
157
158 #define ARCTYPE_INET6 0xc4 /* IPng */
159 #define ARCTYPE_DIAGNOSE 0x80 /* as per ANSI/ATA 878.1 */
160
161
162 /* Based on UNI3.1 standard by ATM Forum */
163
164 /* ATM traffic types based on VPI=0 and (the following VCI */
165 #define VCI_PPC 0x05 /* Point-to-point signal msg */
166 #define VCI_BCC 0x02 /* Broadcast signal msg */
167 #define VCI_OAMF4SC 0x03 /* Segment OAM F4 flow cell */
168 #define VCI_OAMF4EC 0x04 /* End-to-end OAM F4 flow cell */
169 #define VCI_METAC 0x01 /* Meta signal msg */
170 #define VCI_ILMIC 0x10 /* ILMI msg */
171
172 /* Q.2931 signalling messages */
173 #define CALL_PROCEED 0x02 /* call proceeding */
174 #define CONNECT 0x07 /* connect */
175 #define CONNECT_ACK 0x0f /* connect_ack */
176 #define SETUP 0x05 /* setup */
177 #define RELEASE 0x4d /* release */
178 #define RELEASE_DONE 0x5a /* release_done */
179 #define RESTART 0x46 /* restart */
180 #define RESTART_ACK 0x4e /* restart ack */
181 #define STATUS 0x7d /* status */
182 #define STATUS_ENQ 0x75 /* status ack */
183 #define ADD_PARTY 0x80 /* add party */
184 #define ADD_PARTY_ACK 0x81 /* add party ack */
185 #define ADD_PARTY_REJ 0x82 /* add party rej */
186 #define DROP_PARTY 0x83 /* drop party */
187 #define DROP_PARTY_ACK 0x84 /* drop party ack */
188
189 /* Information Element Parameters in the signalling messages */
190 #define CAUSE 0x08 /* cause */
191 #define ENDPT_REF 0x54 /* endpoint reference */
192 #define AAL_PARA 0x58 /* ATM adaptation layer parameters */
193 #define TRAFF_DESCRIP 0x59 /* atm traffic descriptors */
194 #define CONNECT_ID 0x5a /* connection identifier */
195 #define QOS_PARA 0x5c /* quality of service parameters */
196 #define B_HIGHER 0x5d /* broadband higher layer information */
197 #define B_BEARER 0x5e /* broadband bearer capability */
198 #define B_LOWER 0x5f /* broadband lower information */
199 #define CALLING_PARTY 0x6c /* calling party number */
200 #define CALLED_PARTY 0x70 /* called party number */
201
202 #define Q2931 0x09
203
204 /* Q.2931 signalling general messages format */
205 #define PROTO_POS 0 /* offset of protocol discriminator */
206 #define CALL_REF_POS 2 /* offset of call reference value */
207 #define MSG_TYPE_POS 5 /* offset of message type */
208 #define MSG_LEN_POS 7 /* offset of message length */
209 #define IE_BEGIN_POS 9 /* offset of first information element */
210
211 /* format of signalling messages */
212 #define TYPE_POS 0
213 #define LEN_POS 2
214 #define FIELD_BEGIN_POS 4
215
216
217 /* SunATM header for ATM packet */
218 #define SUNATM_DIR_POS 0
219 #define SUNATM_VPI_POS 1
220 #define SUNATM_VCI_POS 2
221 #define SUNATM_PKT_BEGIN_POS 4 /* Start of ATM packet */
222
223 /* Protocol type values in the bottom for bits of the byte at SUNATM_DIR_POS. */
224 #define PT_LANE 0x01 /* LANE */
225 #define PT_LLC 0x02 /* LLC encapsulation */
226 #define PT_ILMI 0x05 /* ILMI */
227 #define PT_QSAAL 0x06 /* Q.SAAL */
228
229
230 /* Types missing from some systems */
231
232 /*
233 * Network layer protocol identifiers
234 */
235 #ifndef ISO8473_CLNP
236 #define ISO8473_CLNP 0x81
237 #endif
238 #ifndef ISO9542_ESIS
239 #define ISO9542_ESIS 0x82
240 #endif
241 #ifndef ISO9542X25_ESIS
242 #define ISO9542X25_ESIS 0x8a
243 #endif
244 #ifndef ISO10589_ISIS
245 #define ISO10589_ISIS 0x83
246 #endif
247
248 #define ISIS_L1_LAN_IIH 15
249 #define ISIS_L2_LAN_IIH 16
250 #define ISIS_PTP_IIH 17
251 #define ISIS_L1_LSP 18
252 #define ISIS_L2_LSP 20
253 #define ISIS_L1_CSNP 24
254 #define ISIS_L2_CSNP 25
255 #define ISIS_L1_PSNP 26
256 #define ISIS_L2_PSNP 27
257
258 #ifndef ISO8878A_CONS
259 #define ISO8878A_CONS 0x84
260 #endif
261 #ifndef ISO10747_IDRP
262 #define ISO10747_IDRP 0x85
263 #endif
264
265 // Same as in tcpdump/print-sl.c.
266 #define SLIPDIR_IN 0
267 #define SLIPDIR_OUT 1
268
269 #ifdef HAVE_OS_PROTO_H
270 #include "os-proto.h"
271 #endif
272
273 #define JMP(c) ((c)|BPF_JMP|BPF_K)
274
275 /*
276 * "Push" the current value of the link-layer header type and link-layer
277 * header offset onto a "stack", and set a new value. (It's not a
278 * full-blown stack; we keep only the top two items.)
279 */
280 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
281 { \
282 (cs)->prevlinktype = (cs)->linktype; \
283 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
284 (cs)->linktype = (new_linktype); \
285 (cs)->off_linkhdr.is_variable = (new_is_variable); \
286 (cs)->off_linkhdr.constant_part = (new_constant_part); \
287 (cs)->off_linkhdr.reg = (new_reg); \
288 (cs)->is_encap = 0; \
289 }
290
291 /*
292 * Offset "not set" value.
293 */
294 #define OFFSET_NOT_SET 0xffffffffU
295
296 /*
297 * Absolute offsets, which are offsets from the beginning of the raw
298 * packet data, are, in the general case, the sum of a variable value
299 * and a constant value; the variable value may be absent, in which
300 * case the offset is only the constant value, and the constant value
301 * may be zero, in which case the offset is only the variable value.
302 *
303 * bpf_abs_offset is a structure containing all that information:
304 *
305 * is_variable is 1 if there's a variable part.
306 *
307 * constant_part is the constant part of the value, possibly zero;
308 *
309 * if is_variable is 1, reg is the register number for a register
310 * containing the variable value if the register has been assigned,
311 * and -1 otherwise.
312 */
313 typedef struct {
314 int is_variable;
315 u_int constant_part;
316 int reg;
317 } bpf_abs_offset;
318
319 /*
320 * Value passed to gen_load_a() to indicate what the offset argument
321 * is relative to the beginning of.
322 */
323 enum e_offrel {
324 OR_PACKET, /* full packet data */
325 OR_LINKHDR, /* link-layer header */
326 OR_PREVLINKHDR, /* previous link-layer header */
327 OR_LLC, /* 802.2 LLC header */
328 OR_PREVMPLSHDR, /* previous MPLS header */
329 OR_LINKTYPE, /* link-layer type */
330 OR_LINKPL, /* link-layer payload */
331 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
332 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
333 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
334 };
335
336 /*
337 * We divvy out chunks of memory rather than call malloc each time so
338 * we don't have to worry about leaking memory. It's probably
339 * not a big deal if all this memory was wasted but if this ever
340 * goes into a library that would probably not be a good idea.
341 *
342 * XXX - this *is* in a library....
343 */
344 #define NCHUNKS 16
345 #define CHUNK0SIZE 1024
346 struct chunk {
347 size_t n_left;
348 void *m;
349 };
350
351 /*
352 * A chunk can store any of:
353 * - a string (guaranteed alignment 1 but present for completeness)
354 * - a block
355 * - an slist
356 * - an arth
357 * For this simple allocator every allocated chunk gets rounded up to the
358 * alignment needed for any chunk.
359 */
360 struct chunk_align {
361 char dummy;
362 union {
363 char c;
364 struct block b;
365 struct slist s;
366 struct arth a;
367 } u;
368 };
369 #define CHUNK_ALIGN (offsetof(struct chunk_align, u))
370
371 /* Code generator state */
372
373 struct _compiler_state {
374 jmp_buf top_ctx;
375 pcap_t *bpf_pcap;
376 int error_set;
377
378 struct icode ic;
379
380 int snaplen;
381
382 int linktype;
383 int prevlinktype;
384 int outermostlinktype;
385
386 bpf_u_int32 netmask;
387 int no_optimize;
388
389 /* Hack for handling VLAN and MPLS stacks. */
390 u_int label_stack_depth;
391 u_int vlan_stack_depth;
392
393 /* XXX */
394 u_int pcap_fddipad;
395
396 /*
397 * As errors are handled by a longjmp, anything allocated must
398 * be freed in the longjmp handler, so it must be reachable
399 * from that handler.
400 *
401 * One thing that's allocated is the result of pcap_nametoaddrinfo();
402 * it must be freed with freeaddrinfo(). This variable points to
403 * any addrinfo structure that would need to be freed.
404 */
405 struct addrinfo *ai;
406
407 /*
408 * Another thing that's allocated is the result of pcap_ether_aton();
409 * it must be freed with free(). This variable points to any
410 * address that would need to be freed.
411 */
412 u_char *e;
413
414 /*
415 * Various code constructs need to know the layout of the packet.
416 * These values give the necessary offsets from the beginning
417 * of the packet data.
418 */
419
420 /*
421 * Absolute offset of the beginning of the link-layer header.
422 */
423 bpf_abs_offset off_linkhdr;
424
425 /*
426 * If we're checking a link-layer header for a packet encapsulated
427 * in another protocol layer, this is the equivalent information
428 * for the previous layers' link-layer header from the beginning
429 * of the raw packet data.
430 */
431 bpf_abs_offset off_prevlinkhdr;
432
433 /*
434 * This is the equivalent information for the outermost layers'
435 * link-layer header.
436 */
437 bpf_abs_offset off_outermostlinkhdr;
438
439 /*
440 * Absolute offset of the beginning of the link-layer payload.
441 */
442 bpf_abs_offset off_linkpl;
443
444 /*
445 * "off_linktype" is the offset to information in the link-layer
446 * header giving the packet type. This is an absolute offset
447 * from the beginning of the packet.
448 *
449 * For Ethernet, it's the offset of the Ethernet type field; this
450 * means that it must have a value that skips VLAN tags.
451 *
452 * For link-layer types that always use 802.2 headers, it's the
453 * offset of the LLC header; this means that it must have a value
454 * that skips VLAN tags.
455 *
456 * For PPP, it's the offset of the PPP type field.
457 *
458 * For Cisco HDLC, it's the offset of the CHDLC type field.
459 *
460 * For BSD loopback, it's the offset of the AF_ value.
461 *
462 * For Linux cooked sockets, it's the offset of the type field.
463 *
464 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
465 * encapsulation, in which case, IP is assumed.
466 */
467 bpf_abs_offset off_linktype;
468
469 /*
470 * TRUE if the link layer includes an ATM pseudo-header.
471 */
472 int is_atm;
473
474 /* TRUE if "geneve" or "vxlan" appeared in the filter; it
475 * causes us to generate code that checks for a Geneve or
476 * VXLAN header respectively and assume that later filters
477 * apply to the encapsulated payload.
478 */
479 int is_encap;
480
481 /*
482 * TRUE if we need variable length part of VLAN offset
483 */
484 int is_vlan_vloffset;
485
486 /*
487 * These are offsets for the ATM pseudo-header.
488 */
489 u_int off_vpi;
490 u_int off_vci;
491 u_int off_proto;
492
493 /*
494 * These are offsets for the MTP2 fields.
495 */
496 u_int off_li;
497 u_int off_li_hsl;
498
499 /*
500 * These are offsets for the MTP3 fields.
501 */
502 u_int off_sio;
503 u_int off_opc;
504 u_int off_dpc;
505 u_int off_sls;
506
507 /*
508 * This is the offset of the first byte after the ATM pseudo_header,
509 * or -1 if there is no ATM pseudo-header.
510 */
511 u_int off_payload;
512
513 /*
514 * These are offsets to the beginning of the network-layer header.
515 * They are relative to the beginning of the link-layer payload
516 * (i.e., they don't include off_linkhdr.constant_part or
517 * off_linkpl.constant_part).
518 *
519 * If the link layer never uses 802.2 LLC:
520 *
521 * "off_nl" and "off_nl_nosnap" are the same.
522 *
523 * If the link layer always uses 802.2 LLC:
524 *
525 * "off_nl" is the offset if there's a SNAP header following
526 * the 802.2 header;
527 *
528 * "off_nl_nosnap" is the offset if there's no SNAP header.
529 *
530 * If the link layer is Ethernet:
531 *
532 * "off_nl" is the offset if the packet is an Ethernet II packet
533 * (we assume no 802.3+802.2+SNAP);
534 *
535 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
536 * with an 802.2 header following it.
537 */
538 u_int off_nl;
539 u_int off_nl_nosnap;
540
541 /*
542 * Here we handle simple allocation of the scratch registers.
543 * If too many registers are alloc'd, the allocator punts.
544 */
545 int regused[BPF_MEMWORDS];
546 int curreg;
547
548 /*
549 * Memory chunks.
550 */
551 struct chunk chunks[NCHUNKS];
552 int cur_chunk;
553 };
554
555 /*
556 * For use by routines outside this file.
557 */
558 /* VARARGS */
559 void
560 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
561 {
562 va_list ap;
563
564 /*
565 * If we've already set an error, don't override it.
566 * The lexical analyzer reports some errors by setting
567 * the error and then returning a LEX_ERROR token, which
568 * is not recognized by any grammar rule, and thus forces
569 * the parse to stop. We don't want the error reported
570 * by the lexical analyzer to be overwritten by the syntax
571 * error.
572 */
573 if (!cstate->error_set) {
574 va_start(ap, fmt);
575 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
576 fmt, ap);
577 va_end(ap);
578 cstate->error_set = 1;
579 }
580 }
581
582 /*
583 * For use *ONLY* in routines in this file.
584 */
585 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
586 PCAP_PRINTFLIKE(2, 3);
587
588 /* VARARGS */
589 static void PCAP_NORETURN
590 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
591 {
592 va_list ap;
593
594 va_start(ap, fmt);
595 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
596 fmt, ap);
597 va_end(ap);
598 longjmp(cstate->top_ctx, 1);
599 /*NOTREACHED*/
600 #ifdef _AIX
601 PCAP_UNREACHABLE
602 #endif /* _AIX */
603 }
604
605 static int init_linktype(compiler_state_t *, pcap_t *);
606
607 static void init_regs(compiler_state_t *);
608 static int alloc_reg(compiler_state_t *);
609 static void free_reg(compiler_state_t *, int);
610
611 static void initchunks(compiler_state_t *cstate);
612 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
613 static void *newchunk(compiler_state_t *cstate, size_t);
614 static void freechunks(compiler_state_t *cstate);
615 static inline struct block *new_block(compiler_state_t *cstate, int);
616 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
617 static struct block *gen_retblk(compiler_state_t *cstate, int);
618 static inline void syntax(compiler_state_t *cstate);
619
620 static void backpatch(struct block *, struct block *);
621 static void merge(struct block *, struct block *);
622 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
623 u_int, bpf_u_int32);
624 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
625 u_int, bpf_u_int32);
626 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
627 u_int, bpf_u_int32);
628 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
629 u_int, bpf_u_int32);
630 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
631 u_int, bpf_u_int32);
632 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
633 u_int, bpf_u_int32, bpf_u_int32);
634 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
635 u_int, const u_char *);
636 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int,
637 u_int, bpf_u_int32, int, int, bpf_u_int32);
638 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
639 u_int, u_int);
640 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
641 u_int);
642 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
643 static struct block *gen_uncond(compiler_state_t *, int);
644 static inline struct block *gen_true(compiler_state_t *);
645 static inline struct block *gen_false(compiler_state_t *);
646 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32);
647 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32);
648 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32);
649 static struct slist *gen_load_pflog_llprefixlen(compiler_state_t *);
650 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
651 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
652 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
653 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
654 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
655 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
656 bpf_abs_offset *);
657 static bpf_u_int32 ethertype_to_ppptype(bpf_u_int32);
658 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32);
659 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
660 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32);
661 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
662 int, u_int, u_int);
663 #ifdef INET6
664 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
665 struct in6_addr *, int, u_int, u_int);
666 #endif
667 static struct block *gen_ahostop(compiler_state_t *, const uint8_t, int);
668 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
669 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
670 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
671 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
672 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
673 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
674 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32);
675 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
676 int, int, int);
677 #ifdef INET6
678 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
679 struct in6_addr *, int, int, int);
680 #endif
681 #ifndef INET6
682 static struct block *gen_gateway(compiler_state_t *, const u_char *,
683 struct addrinfo *, int, int);
684 #endif
685 static struct block *gen_ipfrag(compiler_state_t *);
686 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32);
687 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32,
688 bpf_u_int32);
689 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32);
690 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32,
691 bpf_u_int32);
692 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int);
693 static struct block *gen_port(compiler_state_t *, u_int, int, int);
694 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int,
695 bpf_u_int32, int);
696 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int);
697 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int);
698 static struct block *gen_port6(compiler_state_t *, u_int, int, int);
699 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int,
700 bpf_u_int32, int);
701 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int);
702 static int lookup_proto(compiler_state_t *, const char *, int);
703 #if !defined(NO_PROTOCHAIN)
704 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int);
705 #endif /* !defined(NO_PROTOCHAIN) */
706 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int, int);
707 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
708 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
709 static struct block *gen_mac_multicast(compiler_state_t *, int);
710 static struct block *gen_len(compiler_state_t *, int, int);
711 static struct block *gen_encap_ll_check(compiler_state_t *cstate);
712
713 static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
714 bpf_u_int32, int, int);
715 static struct block *gen_atmtype_llc(compiler_state_t *);
716 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
717
718 static void
719 initchunks(compiler_state_t *cstate)
720 {
721 int i;
722
723 for (i = 0; i < NCHUNKS; i++) {
724 cstate->chunks[i].n_left = 0;
725 cstate->chunks[i].m = NULL;
726 }
727 cstate->cur_chunk = 0;
728 }
729
730 static void *
731 newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
732 {
733 struct chunk *cp;
734 int k;
735 size_t size;
736
737 /* Round up to chunk alignment. */
738 n = (n + CHUNK_ALIGN - 1) & ~(CHUNK_ALIGN - 1);
739
740 cp = &cstate->chunks[cstate->cur_chunk];
741 if (n > cp->n_left) {
742 ++cp;
743 k = ++cstate->cur_chunk;
744 if (k >= NCHUNKS) {
745 bpf_set_error(cstate, "out of memory");
746 return (NULL);
747 }
748 size = CHUNK0SIZE << k;
749 cp->m = (void *)malloc(size);
750 if (cp->m == NULL) {
751 bpf_set_error(cstate, "out of memory");
752 return (NULL);
753 }
754 memset((char *)cp->m, 0, size);
755 cp->n_left = size;
756 if (n > size) {
757 bpf_set_error(cstate, "out of memory");
758 return (NULL);
759 }
760 }
761 cp->n_left -= n;
762 return (void *)((char *)cp->m + cp->n_left);
763 }
764
765 static void *
766 newchunk(compiler_state_t *cstate, size_t n)
767 {
768 void *p;
769
770 p = newchunk_nolongjmp(cstate, n);
771 if (p == NULL) {
772 longjmp(cstate->top_ctx, 1);
773 /*NOTREACHED*/
774 }
775 return (p);
776 }
777
778 static void
779 freechunks(compiler_state_t *cstate)
780 {
781 int i;
782
783 for (i = 0; i < NCHUNKS; ++i)
784 if (cstate->chunks[i].m != NULL)
785 free(cstate->chunks[i].m);
786 }
787
788 /*
789 * A strdup whose allocations are freed after code generation is over.
790 * This is used by the lexical analyzer, so it can't longjmp; it just
791 * returns NULL on an allocation error, and the callers must check
792 * for it.
793 */
794 char *
795 sdup(compiler_state_t *cstate, const char *s)
796 {
797 size_t n = strlen(s) + 1;
798 char *cp = newchunk_nolongjmp(cstate, n);
799
800 if (cp == NULL)
801 return (NULL);
802 pcapint_strlcpy(cp, s, n);
803 return (cp);
804 }
805
806 static inline struct block *
807 new_block(compiler_state_t *cstate, int code)
808 {
809 struct block *p;
810
811 p = (struct block *)newchunk(cstate, sizeof(*p));
812 p->s.code = code;
813 p->head = p;
814
815 return p;
816 }
817
818 static inline struct slist *
819 new_stmt(compiler_state_t *cstate, int code)
820 {
821 struct slist *p;
822
823 p = (struct slist *)newchunk(cstate, sizeof(*p));
824 p->s.code = code;
825
826 return p;
827 }
828
829 static struct block *
830 gen_retblk_internal(compiler_state_t *cstate, int v)
831 {
832 struct block *b = new_block(cstate, BPF_RET|BPF_K);
833
834 b->s.k = v;
835 return b;
836 }
837
838 static struct block *
839 gen_retblk(compiler_state_t *cstate, int v)
840 {
841 if (setjmp(cstate->top_ctx)) {
842 /*
843 * gen_retblk() only fails because a memory
844 * allocation failed in newchunk(), meaning
845 * that it can't return a pointer.
846 *
847 * Return NULL.
848 */
849 return NULL;
850 }
851 return gen_retblk_internal(cstate, v);
852 }
853
854 static inline PCAP_NORETURN_DEF void
855 syntax(compiler_state_t *cstate)
856 {
857 bpf_error(cstate, "syntax error in filter expression");
858 }
859
860 static PCAP_NORETURN_DEF void
861 fail_kw_on_dlt(compiler_state_t *cstate, const char *keyword)
862 {
863 bpf_error(cstate, "'%s' not supported on %s", keyword,
864 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
865 }
866
867 int
868 pcap_compile(pcap_t *p, struct bpf_program *program,
869 const char *buf, int optimize, bpf_u_int32 mask)
870 {
871 #ifdef _WIN32
872 int err;
873 WSADATA wsaData;
874 #endif
875 compiler_state_t cstate;
876 yyscan_t scanner = NULL;
877 YY_BUFFER_STATE in_buffer = NULL;
878 u_int len;
879 int rc;
880
881 /*
882 * If this pcap_t hasn't been activated, it doesn't have a
883 * link-layer type, so we can't use it.
884 */
885 if (!p->activated) {
886 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
887 "not-yet-activated pcap_t passed to pcap_compile");
888 return (PCAP_ERROR);
889 }
890
891 #ifdef _WIN32
892 /*
893 * Initialize Winsock, asking for the latest version (2.2),
894 * as we may be calling Winsock routines to translate
895 * host names to addresses.
896 */
897 err = WSAStartup(MAKEWORD(2, 2), &wsaData);
898 if (err != 0) {
899 pcapint_fmt_errmsg_for_win32_err(p->errbuf, PCAP_ERRBUF_SIZE,
900 err, "Error calling WSAStartup()");
901 return (PCAP_ERROR);
902 }
903 #endif
904
905 #ifdef ENABLE_REMOTE
906 /*
907 * If the device on which we're capturing need to be notified
908 * that a new filter is being compiled, do so.
909 *
910 * This allows them to save a copy of it, in case, for example,
911 * they're implementing a form of remote packet capture, and
912 * want the remote machine to filter out the packets in which
913 * it's sending the packets it's captured.
914 *
915 * XXX - the fact that we happen to be compiling a filter
916 * doesn't necessarily mean we'll be installing it as the
917 * filter for this pcap_t; we might be running it from userland
918 * on captured packets to do packet classification. We really
919 * need a better way of handling this, but this is all that
920 * the WinPcap remote capture code did.
921 */
922 if (p->save_current_filter_op != NULL)
923 (p->save_current_filter_op)(p, buf);
924 #endif
925
926 initchunks(&cstate);
927 cstate.no_optimize = 0;
928 #ifdef INET6
929 cstate.ai = NULL;
930 #endif
931 cstate.e = NULL;
932 cstate.ic.root = NULL;
933 cstate.ic.cur_mark = 0;
934 cstate.bpf_pcap = p;
935 cstate.error_set = 0;
936 init_regs(&cstate);
937
938 cstate.netmask = mask;
939
940 cstate.snaplen = pcap_snapshot(p);
941 if (cstate.snaplen == 0) {
942 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
943 "snaplen of 0 rejects all packets");
944 rc = PCAP_ERROR;
945 goto quit;
946 }
947
948 if (pcap_lex_init(&scanner) != 0) {
949 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
950 errno, "can't initialize scanner");
951 rc = PCAP_ERROR;
952 goto quit;
953 }
954 in_buffer = pcap__scan_string(buf ? buf : "", scanner);
955
956 /*
957 * Associate the compiler state with the lexical analyzer
958 * state.
959 */
960 pcap_set_extra(&cstate, scanner);
961
962 if (init_linktype(&cstate, p) == -1) {
963 rc = PCAP_ERROR;
964 goto quit;
965 }
966 if (pcap_parse(scanner, &cstate) != 0) {
967 #ifdef INET6
968 if (cstate.ai != NULL)
969 freeaddrinfo(cstate.ai);
970 #endif
971 if (cstate.e != NULL)
972 free(cstate.e);
973 rc = PCAP_ERROR;
974 goto quit;
975 }
976
977 if (cstate.ic.root == NULL) {
978 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
979
980 /*
981 * Catch errors reported by gen_retblk().
982 */
983 if (cstate.ic.root== NULL) {
984 rc = PCAP_ERROR;
985 goto quit;
986 }
987 }
988
989 if (optimize && !cstate.no_optimize) {
990 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
991 /* Failure */
992 rc = PCAP_ERROR;
993 goto quit;
994 }
995 if (cstate.ic.root == NULL ||
996 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
997 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
998 "expression rejects all packets");
999 rc = PCAP_ERROR;
1000 goto quit;
1001 }
1002 }
1003 program->bf_insns = icode_to_fcode(&cstate.ic,
1004 cstate.ic.root, &len, p->errbuf);
1005 if (program->bf_insns == NULL) {
1006 /* Failure */
1007 rc = PCAP_ERROR;
1008 goto quit;
1009 }
1010 program->bf_len = len;
1011
1012 rc = 0; /* We're all okay */
1013
1014 quit:
1015 /*
1016 * Clean up everything for the lexical analyzer.
1017 */
1018 if (in_buffer != NULL)
1019 pcap__delete_buffer(in_buffer, scanner);
1020 if (scanner != NULL)
1021 pcap_lex_destroy(scanner);
1022
1023 /*
1024 * Clean up our own allocated memory.
1025 */
1026 freechunks(&cstate);
1027
1028 #ifdef _WIN32
1029 WSACleanup();
1030 #endif
1031
1032 return (rc);
1033 }
1034
1035 /*
1036 * entry point for using the compiler with no pcap open
1037 * pass in all the stuff that is needed explicitly instead.
1038 */
1039 int
1040 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
1041 struct bpf_program *program,
1042 const char *buf, int optimize, bpf_u_int32 mask)
1043 {
1044 pcap_t *p;
1045 int ret;
1046
1047 p = pcap_open_dead(linktype_arg, snaplen_arg);
1048 if (p == NULL)
1049 return (PCAP_ERROR);
1050 ret = pcap_compile(p, program, buf, optimize, mask);
1051 pcap_close(p);
1052 return (ret);
1053 }
1054
1055 /*
1056 * Clean up a "struct bpf_program" by freeing all the memory allocated
1057 * in it.
1058 */
1059 void
1060 pcap_freecode(struct bpf_program *program)
1061 {
1062 program->bf_len = 0;
1063 if (program->bf_insns != NULL) {
1064 free((char *)program->bf_insns);
1065 program->bf_insns = NULL;
1066 }
1067 }
1068
1069 /*
1070 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
1071 * which of the jt and jf fields has been resolved and which is a pointer
1072 * back to another unresolved block (or nil). At least one of the fields
1073 * in each block is already resolved.
1074 */
1075 static void
1076 backpatch(struct block *list, struct block *target)
1077 {
1078 struct block *next;
1079
1080 while (list) {
1081 if (!list->sense) {
1082 next = JT(list);
1083 JT(list) = target;
1084 } else {
1085 next = JF(list);
1086 JF(list) = target;
1087 }
1088 list = next;
1089 }
1090 }
1091
1092 /*
1093 * Merge the lists in b0 and b1, using the 'sense' field to indicate
1094 * which of jt and jf is the link.
1095 */
1096 static void
1097 merge(struct block *b0, struct block *b1)
1098 {
1099 register struct block **p = &b0;
1100
1101 /* Find end of list. */
1102 while (*p)
1103 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
1104
1105 /* Concatenate the lists. */
1106 *p = b1;
1107 }
1108
1109 int
1110 finish_parse(compiler_state_t *cstate, struct block *p)
1111 {
1112 /*
1113 * Catch errors reported by us and routines below us, and return -1
1114 * on an error.
1115 */
1116 if (setjmp(cstate->top_ctx))
1117 return (-1);
1118
1119 /*
1120 * Insert before the statements of the first (root) block any
1121 * statements needed to load the lengths of any variable-length
1122 * headers into registers.
1123 *
1124 * XXX - a fancier strategy would be to insert those before the
1125 * statements of all blocks that use those lengths and that
1126 * have no predecessors that use them, so that we only compute
1127 * the lengths if we need them. There might be even better
1128 * approaches than that.
1129 *
1130 * However, those strategies would be more complicated, and
1131 * as we don't generate code to compute a length if the
1132 * program has no tests that use the length, and as most
1133 * tests will probably use those lengths, we would just
1134 * postpone computing the lengths so that it's not done
1135 * for tests that fail early, and it's not clear that's
1136 * worth the effort.
1137 */
1138 insert_compute_vloffsets(cstate, p->head);
1139
1140 /*
1141 * For DLT_PPI captures, generate a check of the per-packet
1142 * DLT value to make sure it's DLT_IEEE802_11.
1143 *
1144 * XXX - TurboCap cards use DLT_PPI for Ethernet.
1145 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
1146 * with appropriate Ethernet information and use that rather
1147 * than using something such as DLT_PPI where you don't know
1148 * the link-layer header type until runtime, which, in the
1149 * general case, would force us to generate both Ethernet *and*
1150 * 802.11 code (*and* anything else for which PPI is used)
1151 * and choose between them early in the BPF program?
1152 */
1153 if (cstate->linktype == DLT_PPI) {
1154 struct block *ppi_dlt_check = gen_cmp(cstate, OR_PACKET,
1155 4, BPF_W, SWAPLONG(DLT_IEEE802_11));
1156 gen_and(ppi_dlt_check, p);
1157 }
1158
1159 backpatch(p, gen_retblk_internal(cstate, cstate->snaplen));
1160 p->sense = !p->sense;
1161 backpatch(p, gen_retblk_internal(cstate, 0));
1162 cstate->ic.root = p->head;
1163 return (0);
1164 }
1165
1166 void
1167 gen_and(struct block *b0, struct block *b1)
1168 {
1169 backpatch(b0, b1->head);
1170 b0->sense = !b0->sense;
1171 b1->sense = !b1->sense;
1172 merge(b1, b0);
1173 b1->sense = !b1->sense;
1174 b1->head = b0->head;
1175 }
1176
1177 void
1178 gen_or(struct block *b0, struct block *b1)
1179 {
1180 b0->sense = !b0->sense;
1181 backpatch(b0, b1->head);
1182 b0->sense = !b0->sense;
1183 merge(b1, b0);
1184 b1->head = b0->head;
1185 }
1186
1187 void
1188 gen_not(struct block *b)
1189 {
1190 b->sense = !b->sense;
1191 }
1192
1193 static struct block *
1194 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1195 u_int size, bpf_u_int32 v)
1196 {
1197 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1198 }
1199
1200 static struct block *
1201 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1202 u_int size, bpf_u_int32 v)
1203 {
1204 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1205 }
1206
1207 static struct block *
1208 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1209 u_int size, bpf_u_int32 v)
1210 {
1211 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1212 }
1213
1214 static struct block *
1215 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1216 u_int size, bpf_u_int32 v)
1217 {
1218 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1219 }
1220
1221 static struct block *
1222 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1223 u_int size, bpf_u_int32 v)
1224 {
1225 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1226 }
1227
1228 static struct block *
1229 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1230 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1231 {
1232 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1233 }
1234
1235 static struct block *
1236 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1237 u_int size, const u_char *v)
1238 {
1239 register struct block *b, *tmp;
1240
1241 b = NULL;
1242 while (size >= 4) {
1243 register const u_char *p = &v[size - 4];
1244
1245 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1246 EXTRACT_BE_U_4(p));
1247 if (b != NULL)
1248 gen_and(b, tmp);
1249 b = tmp;
1250 size -= 4;
1251 }
1252 while (size >= 2) {
1253 register const u_char *p = &v[size - 2];
1254
1255 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1256 EXTRACT_BE_U_2(p));
1257 if (b != NULL)
1258 gen_and(b, tmp);
1259 b = tmp;
1260 size -= 2;
1261 }
1262 if (size > 0) {
1263 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]);
1264 if (b != NULL)
1265 gen_and(b, tmp);
1266 b = tmp;
1267 }
1268 return b;
1269 }
1270
1271 /*
1272 * AND the field of size "size" at offset "offset" relative to the header
1273 * specified by "offrel" with "mask", and compare it with the value "v"
1274 * with the test specified by "jtype"; if "reverse" is true, the test
1275 * should test the opposite of "jtype".
1276 */
1277 static struct block *
1278 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1279 u_int size, bpf_u_int32 mask, int jtype, int reverse,
1280 bpf_u_int32 v)
1281 {
1282 struct slist *s, *s2;
1283 struct block *b;
1284
1285 s = gen_load_a(cstate, offrel, offset, size);
1286
1287 if (mask != 0xffffffff) {
1288 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1289 s2->s.k = mask;
1290 sappend(s, s2);
1291 }
1292
1293 b = new_block(cstate, JMP(jtype));
1294 b->stmts = s;
1295 b->s.k = v;
1296 if (reverse)
1297 gen_not(b);
1298 return b;
1299 }
1300
1301 static int
1302 init_linktype(compiler_state_t *cstate, pcap_t *p)
1303 {
1304 cstate->pcap_fddipad = p->fddipad;
1305
1306 /*
1307 * We start out with only one link-layer header.
1308 */
1309 cstate->outermostlinktype = pcap_datalink(p);
1310 cstate->off_outermostlinkhdr.constant_part = 0;
1311 cstate->off_outermostlinkhdr.is_variable = 0;
1312 cstate->off_outermostlinkhdr.reg = -1;
1313
1314 cstate->prevlinktype = cstate->outermostlinktype;
1315 cstate->off_prevlinkhdr.constant_part = 0;
1316 cstate->off_prevlinkhdr.is_variable = 0;
1317 cstate->off_prevlinkhdr.reg = -1;
1318
1319 cstate->linktype = cstate->outermostlinktype;
1320 cstate->off_linkhdr.constant_part = 0;
1321 cstate->off_linkhdr.is_variable = 0;
1322 cstate->off_linkhdr.reg = -1;
1323
1324 /*
1325 * XXX
1326 */
1327 cstate->off_linkpl.constant_part = 0;
1328 cstate->off_linkpl.is_variable = 0;
1329 cstate->off_linkpl.reg = -1;
1330
1331 cstate->off_linktype.constant_part = 0;
1332 cstate->off_linktype.is_variable = 0;
1333 cstate->off_linktype.reg = -1;
1334
1335 /*
1336 * Assume it's not raw ATM with a pseudo-header, for now.
1337 */
1338 cstate->is_atm = 0;
1339 cstate->off_vpi = OFFSET_NOT_SET;
1340 cstate->off_vci = OFFSET_NOT_SET;
1341 cstate->off_proto = OFFSET_NOT_SET;
1342 cstate->off_payload = OFFSET_NOT_SET;
1343
1344 /*
1345 * And not encapsulated with either Geneve or VXLAN.
1346 */
1347 cstate->is_encap = 0;
1348
1349 /*
1350 * No variable length VLAN offset by default
1351 */
1352 cstate->is_vlan_vloffset = 0;
1353
1354 /*
1355 * And assume we're not doing SS7.
1356 */
1357 cstate->off_li = OFFSET_NOT_SET;
1358 cstate->off_li_hsl = OFFSET_NOT_SET;
1359 cstate->off_sio = OFFSET_NOT_SET;
1360 cstate->off_opc = OFFSET_NOT_SET;
1361 cstate->off_dpc = OFFSET_NOT_SET;
1362 cstate->off_sls = OFFSET_NOT_SET;
1363
1364 cstate->label_stack_depth = 0;
1365 cstate->vlan_stack_depth = 0;
1366
1367 switch (cstate->linktype) {
1368
1369 case DLT_ARCNET:
1370 cstate->off_linktype.constant_part = 2;
1371 cstate->off_linkpl.constant_part = 6;
1372 cstate->off_nl = 0; /* XXX in reality, variable! */
1373 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1374 break;
1375
1376 case DLT_ARCNET_LINUX:
1377 cstate->off_linktype.constant_part = 4;
1378 cstate->off_linkpl.constant_part = 8;
1379 cstate->off_nl = 0; /* XXX in reality, variable! */
1380 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1381 break;
1382
1383 case DLT_EN10MB:
1384 cstate->off_linktype.constant_part = 12;
1385 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1386 cstate->off_nl = 0; /* Ethernet II */
1387 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1388 break;
1389
1390 case DLT_SLIP:
1391 /*
1392 * SLIP doesn't have a link level type. The 16 byte
1393 * header is hacked into our SLIP driver.
1394 */
1395 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1396 cstate->off_linkpl.constant_part = 16;
1397 cstate->off_nl = 0;
1398 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1399 break;
1400
1401 case DLT_SLIP_BSDOS:
1402 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1403 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1404 /* XXX end */
1405 cstate->off_linkpl.constant_part = 24;
1406 cstate->off_nl = 0;
1407 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1408 break;
1409
1410 case DLT_NULL:
1411 case DLT_LOOP:
1412 cstate->off_linktype.constant_part = 0;
1413 cstate->off_linkpl.constant_part = 4;
1414 cstate->off_nl = 0;
1415 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1416 break;
1417
1418 case DLT_ENC:
1419 cstate->off_linktype.constant_part = 0;
1420 cstate->off_linkpl.constant_part = 12;
1421 cstate->off_nl = 0;
1422 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1423 break;
1424
1425 case DLT_PPP:
1426 case DLT_PPP_PPPD:
1427 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1428 case DLT_HDLC: /* NetBSD (Cisco) HDLC */
1429 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1430 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1431 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1432 cstate->off_nl = 0;
1433 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1434 break;
1435
1436 case DLT_PPP_ETHER:
1437 /*
1438 * This does not include the Ethernet header, and
1439 * only covers session state.
1440 */
1441 cstate->off_linktype.constant_part = 6;
1442 cstate->off_linkpl.constant_part = 8;
1443 cstate->off_nl = 0;
1444 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1445 break;
1446
1447 case DLT_PPP_BSDOS:
1448 cstate->off_linktype.constant_part = 5;
1449 cstate->off_linkpl.constant_part = 24;
1450 cstate->off_nl = 0;
1451 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1452 break;
1453
1454 case DLT_FDDI:
1455 /*
1456 * FDDI doesn't really have a link-level type field.
1457 * We set "off_linktype" to the offset of the LLC header.
1458 *
1459 * To check for Ethernet types, we assume that SSAP = SNAP
1460 * is being used and pick out the encapsulated Ethernet type.
1461 * XXX - should we generate code to check for SNAP?
1462 */
1463 cstate->off_linktype.constant_part = 13;
1464 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1465 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1466 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1467 cstate->off_nl = 8; /* 802.2+SNAP */
1468 cstate->off_nl_nosnap = 3; /* 802.2 */
1469 break;
1470
1471 case DLT_IEEE802:
1472 /*
1473 * Token Ring doesn't really have a link-level type field.
1474 * We set "off_linktype" to the offset of the LLC header.
1475 *
1476 * To check for Ethernet types, we assume that SSAP = SNAP
1477 * is being used and pick out the encapsulated Ethernet type.
1478 * XXX - should we generate code to check for SNAP?
1479 *
1480 * XXX - the header is actually variable-length.
1481 * Some various Linux patched versions gave 38
1482 * as "off_linktype" and 40 as "off_nl"; however,
1483 * if a token ring packet has *no* routing
1484 * information, i.e. is not source-routed, the correct
1485 * values are 20 and 22, as they are in the vanilla code.
1486 *
1487 * A packet is source-routed iff the uppermost bit
1488 * of the first byte of the source address, at an
1489 * offset of 8, has the uppermost bit set. If the
1490 * packet is source-routed, the total number of bytes
1491 * of routing information is 2 plus bits 0x1F00 of
1492 * the 16-bit value at an offset of 14 (shifted right
1493 * 8 - figure out which byte that is).
1494 */
1495 cstate->off_linktype.constant_part = 14;
1496 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1497 cstate->off_nl = 8; /* 802.2+SNAP */
1498 cstate->off_nl_nosnap = 3; /* 802.2 */
1499 break;
1500
1501 case DLT_PRISM_HEADER:
1502 case DLT_IEEE802_11_RADIO_AVS:
1503 case DLT_IEEE802_11_RADIO:
1504 cstate->off_linkhdr.is_variable = 1;
1505 /* Fall through, 802.11 doesn't have a variable link
1506 * prefix but is otherwise the same. */
1507 /* FALLTHROUGH */
1508
1509 case DLT_IEEE802_11:
1510 /*
1511 * 802.11 doesn't really have a link-level type field.
1512 * We set "off_linktype.constant_part" to the offset of
1513 * the LLC header.
1514 *
1515 * To check for Ethernet types, we assume that SSAP = SNAP
1516 * is being used and pick out the encapsulated Ethernet type.
1517 * XXX - should we generate code to check for SNAP?
1518 *
1519 * We also handle variable-length radio headers here.
1520 * The Prism header is in theory variable-length, but in
1521 * practice it's always 144 bytes long. However, some
1522 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1523 * sometimes or always supply an AVS header, so we
1524 * have to check whether the radio header is a Prism
1525 * header or an AVS header, so, in practice, it's
1526 * variable-length.
1527 */
1528 cstate->off_linktype.constant_part = 24;
1529 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1530 cstate->off_linkpl.is_variable = 1;
1531 cstate->off_nl = 8; /* 802.2+SNAP */
1532 cstate->off_nl_nosnap = 3; /* 802.2 */
1533 break;
1534
1535 case DLT_PPI:
1536 /*
1537 * At the moment we treat PPI the same way that we treat
1538 * normal Radiotap encoded packets. The difference is in
1539 * the function that generates the code at the beginning
1540 * to compute the header length. Since this code generator
1541 * of PPI supports bare 802.11 encapsulation only (i.e.
1542 * the encapsulated DLT should be DLT_IEEE802_11) we
1543 * generate code to check for this too.
1544 */
1545 cstate->off_linktype.constant_part = 24;
1546 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1547 cstate->off_linkpl.is_variable = 1;
1548 cstate->off_linkhdr.is_variable = 1;
1549 cstate->off_nl = 8; /* 802.2+SNAP */
1550 cstate->off_nl_nosnap = 3; /* 802.2 */
1551 break;
1552
1553 case DLT_ATM_RFC1483:
1554 case DLT_ATM_CLIP: /* Linux ATM defines this */
1555 /*
1556 * assume routed, non-ISO PDUs
1557 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1558 *
1559 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1560 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1561 * latter would presumably be treated the way PPPoE
1562 * should be, so you can do "pppoe and udp port 2049"
1563 * or "pppoa and tcp port 80" and have it check for
1564 * PPPo{A,E} and a PPP protocol of IP and....
1565 */
1566 cstate->off_linktype.constant_part = 0;
1567 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1568 cstate->off_nl = 8; /* 802.2+SNAP */
1569 cstate->off_nl_nosnap = 3; /* 802.2 */
1570 break;
1571
1572 case DLT_SUNATM:
1573 /*
1574 * Full Frontal ATM; you get AALn PDUs with an ATM
1575 * pseudo-header.
1576 */
1577 cstate->is_atm = 1;
1578 cstate->off_vpi = SUNATM_VPI_POS;
1579 cstate->off_vci = SUNATM_VCI_POS;
1580 cstate->off_proto = PROTO_POS;
1581 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1582 cstate->off_linktype.constant_part = cstate->off_payload;
1583 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1584 cstate->off_nl = 8; /* 802.2+SNAP */
1585 cstate->off_nl_nosnap = 3; /* 802.2 */
1586 break;
1587
1588 case DLT_RAW:
1589 case DLT_IPV4:
1590 case DLT_IPV6:
1591 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1592 cstate->off_linkpl.constant_part = 0;
1593 cstate->off_nl = 0;
1594 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1595 break;
1596
1597 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1598 cstate->off_linktype.constant_part = 14;
1599 cstate->off_linkpl.constant_part = 16;
1600 cstate->off_nl = 0;
1601 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1602 break;
1603
1604 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1605 cstate->off_linktype.constant_part = 0;
1606 cstate->off_linkpl.constant_part = 20;
1607 cstate->off_nl = 0;
1608 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1609 break;
1610
1611 case DLT_LTALK:
1612 /*
1613 * LocalTalk does have a 1-byte type field in the LLAP header,
1614 * but really it just indicates whether there is a "short" or
1615 * "long" DDP packet following.
1616 */
1617 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1618 cstate->off_linkpl.constant_part = 0;
1619 cstate->off_nl = 0;
1620 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1621 break;
1622
1623 case DLT_IP_OVER_FC:
1624 /*
1625 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1626 * link-level type field. We set "off_linktype" to the
1627 * offset of the LLC header.
1628 *
1629 * To check for Ethernet types, we assume that SSAP = SNAP
1630 * is being used and pick out the encapsulated Ethernet type.
1631 * XXX - should we generate code to check for SNAP? RFC
1632 * 2625 says SNAP should be used.
1633 */
1634 cstate->off_linktype.constant_part = 16;
1635 cstate->off_linkpl.constant_part = 16;
1636 cstate->off_nl = 8; /* 802.2+SNAP */
1637 cstate->off_nl_nosnap = 3; /* 802.2 */
1638 break;
1639
1640 case DLT_FRELAY:
1641 /*
1642 * XXX - we should set this to handle SNAP-encapsulated
1643 * frames (NLPID of 0x80).
1644 */
1645 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1646 cstate->off_linkpl.constant_part = 0;
1647 cstate->off_nl = 0;
1648 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1649 break;
1650
1651 /*
1652 * the only BPF-interesting FRF.16 frames are non-control frames;
1653 * Frame Relay has a variable length link-layer
1654 * so lets start with offset 4 for now and increments later on (FIXME);
1655 */
1656 case DLT_MFR:
1657 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1658 cstate->off_linkpl.constant_part = 0;
1659 cstate->off_nl = 4;
1660 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1661 break;
1662
1663 case DLT_APPLE_IP_OVER_IEEE1394:
1664 cstate->off_linktype.constant_part = 16;
1665 cstate->off_linkpl.constant_part = 18;
1666 cstate->off_nl = 0;
1667 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1668 break;
1669
1670 case DLT_SYMANTEC_FIREWALL:
1671 cstate->off_linktype.constant_part = 6;
1672 cstate->off_linkpl.constant_part = 44;
1673 cstate->off_nl = 0; /* Ethernet II */
1674 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1675 break;
1676
1677 case DLT_PFLOG:
1678 cstate->off_linktype.constant_part = 0;
1679 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1680 cstate->off_linkpl.is_variable = 1;
1681 cstate->off_nl = 0;
1682 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1683 break;
1684
1685 case DLT_JUNIPER_MFR:
1686 case DLT_JUNIPER_MLFR:
1687 case DLT_JUNIPER_MLPPP:
1688 case DLT_JUNIPER_PPP:
1689 case DLT_JUNIPER_CHDLC:
1690 case DLT_JUNIPER_FRELAY:
1691 cstate->off_linktype.constant_part = 4;
1692 cstate->off_linkpl.constant_part = 4;
1693 cstate->off_nl = 0;
1694 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1695 break;
1696
1697 case DLT_JUNIPER_ATM1:
1698 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1699 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1700 cstate->off_nl = 0;
1701 cstate->off_nl_nosnap = 10;
1702 break;
1703
1704 case DLT_JUNIPER_ATM2:
1705 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1706 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1707 cstate->off_nl = 0;
1708 cstate->off_nl_nosnap = 10;
1709 break;
1710
1711 /* frames captured on a Juniper PPPoE service PIC
1712 * contain raw ethernet frames */
1713 case DLT_JUNIPER_PPPOE:
1714 case DLT_JUNIPER_ETHER:
1715 cstate->off_linkpl.constant_part = 14;
1716 cstate->off_linktype.constant_part = 16;
1717 cstate->off_nl = 18; /* Ethernet II */
1718 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1719 break;
1720
1721 case DLT_JUNIPER_PPPOE_ATM:
1722 cstate->off_linktype.constant_part = 4;
1723 cstate->off_linkpl.constant_part = 6;
1724 cstate->off_nl = 0;
1725 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1726 break;
1727
1728 case DLT_JUNIPER_GGSN:
1729 cstate->off_linktype.constant_part = 6;
1730 cstate->off_linkpl.constant_part = 12;
1731 cstate->off_nl = 0;
1732 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1733 break;
1734
1735 case DLT_JUNIPER_ES:
1736 cstate->off_linktype.constant_part = 6;
1737 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1738 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1739 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1740 break;
1741
1742 case DLT_JUNIPER_MONITOR:
1743 cstate->off_linktype.constant_part = 12;
1744 cstate->off_linkpl.constant_part = 12;
1745 cstate->off_nl = 0; /* raw IP/IP6 header */
1746 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1747 break;
1748
1749 case DLT_BACNET_MS_TP:
1750 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1751 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1752 cstate->off_nl = OFFSET_NOT_SET;
1753 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1754 break;
1755
1756 case DLT_JUNIPER_SERVICES:
1757 cstate->off_linktype.constant_part = 12;
1758 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1759 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1760 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1761 break;
1762
1763 case DLT_JUNIPER_VP:
1764 cstate->off_linktype.constant_part = 18;
1765 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1766 cstate->off_nl = OFFSET_NOT_SET;
1767 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1768 break;
1769
1770 case DLT_JUNIPER_ST:
1771 cstate->off_linktype.constant_part = 18;
1772 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1773 cstate->off_nl = OFFSET_NOT_SET;
1774 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1775 break;
1776
1777 case DLT_JUNIPER_ISM:
1778 cstate->off_linktype.constant_part = 8;
1779 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1780 cstate->off_nl = OFFSET_NOT_SET;
1781 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1782 break;
1783
1784 case DLT_JUNIPER_VS:
1785 case DLT_JUNIPER_SRX_E2E:
1786 case DLT_JUNIPER_FIBRECHANNEL:
1787 case DLT_JUNIPER_ATM_CEMIC:
1788 cstate->off_linktype.constant_part = 8;
1789 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1790 cstate->off_nl = OFFSET_NOT_SET;
1791 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1792 break;
1793
1794 case DLT_MTP2:
1795 cstate->off_li = 2;
1796 cstate->off_li_hsl = 4;
1797 cstate->off_sio = 3;
1798 cstate->off_opc = 4;
1799 cstate->off_dpc = 4;
1800 cstate->off_sls = 7;
1801 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1802 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1803 cstate->off_nl = OFFSET_NOT_SET;
1804 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1805 break;
1806
1807 case DLT_MTP2_WITH_PHDR:
1808 cstate->off_li = 6;
1809 cstate->off_li_hsl = 8;
1810 cstate->off_sio = 7;
1811 cstate->off_opc = 8;
1812 cstate->off_dpc = 8;
1813 cstate->off_sls = 11;
1814 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1815 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1816 cstate->off_nl = OFFSET_NOT_SET;
1817 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1818 break;
1819
1820 case DLT_ERF:
1821 cstate->off_li = 22;
1822 cstate->off_li_hsl = 24;
1823 cstate->off_sio = 23;
1824 cstate->off_opc = 24;
1825 cstate->off_dpc = 24;
1826 cstate->off_sls = 27;
1827 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1828 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1829 cstate->off_nl = OFFSET_NOT_SET;
1830 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1831 break;
1832
1833 case DLT_PFSYNC:
1834 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1835 cstate->off_linkpl.constant_part = 4;
1836 cstate->off_nl = 0;
1837 cstate->off_nl_nosnap = 0;
1838 break;
1839
1840 case DLT_AX25_KISS:
1841 /*
1842 * Currently, only raw "link[N:M]" filtering is supported.
1843 */
1844 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1845 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1846 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1847 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1848 break;
1849
1850 case DLT_IPNET:
1851 cstate->off_linktype.constant_part = 1;
1852 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1853 cstate->off_nl = 0;
1854 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1855 break;
1856
1857 case DLT_NETANALYZER:
1858 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1859 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1860 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1861 cstate->off_nl = 0; /* Ethernet II */
1862 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1863 break;
1864
1865 case DLT_NETANALYZER_TRANSPARENT:
1866 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1867 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1868 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1869 cstate->off_nl = 0; /* Ethernet II */
1870 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1871 break;
1872
1873 default:
1874 /*
1875 * For values in the range in which we've assigned new
1876 * DLT_ values, only raw "link[N:M]" filtering is supported.
1877 */
1878 if (cstate->linktype >= DLT_HIGH_MATCHING_MIN &&
1879 cstate->linktype <= DLT_HIGH_MATCHING_MAX) {
1880 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1881 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1882 cstate->off_nl = OFFSET_NOT_SET;
1883 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1884 } else {
1885 bpf_set_error(cstate, "unknown data link type %d (min %d, max %d)",
1886 cstate->linktype, DLT_HIGH_MATCHING_MIN, DLT_HIGH_MATCHING_MAX);
1887 return (-1);
1888 }
1889 break;
1890 }
1891
1892 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1893 return (0);
1894 }
1895
1896 /*
1897 * Load a value relative to the specified absolute offset.
1898 */
1899 static struct slist *
1900 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1901 u_int offset, u_int size)
1902 {
1903 struct slist *s, *s2;
1904
1905 s = gen_abs_offset_varpart(cstate, abs_offset);
1906
1907 /*
1908 * If "s" is non-null, it has code to arrange that the X register
1909 * contains the variable part of the absolute offset, so we
1910 * generate a load relative to that, with an offset of
1911 * abs_offset->constant_part + offset.
1912 *
1913 * Otherwise, we can do an absolute load with an offset of
1914 * abs_offset->constant_part + offset.
1915 */
1916 if (s != NULL) {
1917 /*
1918 * "s" points to a list of statements that puts the
1919 * variable part of the absolute offset into the X register.
1920 * Do an indirect load, to use the X register as an offset.
1921 */
1922 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1923 s2->s.k = abs_offset->constant_part + offset;
1924 sappend(s, s2);
1925 } else {
1926 /*
1927 * There is no variable part of the absolute offset, so
1928 * just do an absolute load.
1929 */
1930 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1931 s->s.k = abs_offset->constant_part + offset;
1932 }
1933 return s;
1934 }
1935
1936 /*
1937 * Load a value relative to the beginning of the specified header.
1938 */
1939 static struct slist *
1940 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1941 u_int size)
1942 {
1943 struct slist *s, *s2;
1944
1945 /*
1946 * Squelch warnings from compilers that *don't* assume that
1947 * offrel always has a valid enum value and therefore don't
1948 * assume that we'll always go through one of the case arms.
1949 *
1950 * If we have a default case, compilers that *do* assume that
1951 * will then complain about the default case code being
1952 * unreachable.
1953 *
1954 * Damned if you do, damned if you don't.
1955 */
1956 s = NULL;
1957
1958 switch (offrel) {
1959
1960 case OR_PACKET:
1961 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1962 s->s.k = offset;
1963 break;
1964
1965 case OR_LINKHDR:
1966 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1967 break;
1968
1969 case OR_PREVLINKHDR:
1970 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1971 break;
1972
1973 case OR_LLC:
1974 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1975 break;
1976
1977 case OR_PREVMPLSHDR:
1978 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1979 break;
1980
1981 case OR_LINKPL:
1982 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1983 break;
1984
1985 case OR_LINKPL_NOSNAP:
1986 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1987 break;
1988
1989 case OR_LINKTYPE:
1990 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1991 break;
1992
1993 case OR_TRAN_IPV4:
1994 /*
1995 * Load the X register with the length of the IPv4 header
1996 * (plus the offset of the link-layer header, if it's
1997 * preceded by a variable-length header such as a radio
1998 * header), in bytes.
1999 */
2000 s = gen_loadx_iphdrlen(cstate);
2001
2002 /*
2003 * Load the item at {offset of the link-layer payload} +
2004 * {offset, relative to the start of the link-layer
2005 * payload, of the IPv4 header} + {length of the IPv4 header} +
2006 * {specified offset}.
2007 *
2008 * If the offset of the link-layer payload is variable,
2009 * the variable part of that offset is included in the
2010 * value in the X register, and we include the constant
2011 * part in the offset of the load.
2012 */
2013 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
2014 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
2015 sappend(s, s2);
2016 break;
2017
2018 case OR_TRAN_IPV6:
2019 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
2020 break;
2021 }
2022 return s;
2023 }
2024
2025 /*
2026 * Generate code to load into the X register the sum of the length of
2027 * the IPv4 header and the variable part of the offset of the link-layer
2028 * payload.
2029 */
2030 static struct slist *
2031 gen_loadx_iphdrlen(compiler_state_t *cstate)
2032 {
2033 struct slist *s, *s2;
2034
2035 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
2036 if (s != NULL) {
2037 /*
2038 * The offset of the link-layer payload has a variable
2039 * part. "s" points to a list of statements that put
2040 * the variable part of that offset into the X register.
2041 *
2042 * The 4*([k]&0xf) addressing mode can't be used, as we
2043 * don't have a constant offset, so we have to load the
2044 * value in question into the A register and add to it
2045 * the value from the X register.
2046 */
2047 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2048 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
2049 sappend(s, s2);
2050 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2051 s2->s.k = 0xf;
2052 sappend(s, s2);
2053 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2054 s2->s.k = 2;
2055 sappend(s, s2);
2056
2057 /*
2058 * The A register now contains the length of the IP header.
2059 * We need to add to it the variable part of the offset of
2060 * the link-layer payload, which is still in the X
2061 * register, and move the result into the X register.
2062 */
2063 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
2064 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
2065 } else {
2066 /*
2067 * The offset of the link-layer payload is a constant,
2068 * so no code was generated to load the (nonexistent)
2069 * variable part of that offset.
2070 *
2071 * This means we can use the 4*([k]&0xf) addressing
2072 * mode. Load the length of the IPv4 header, which
2073 * is at an offset of cstate->off_nl from the beginning of
2074 * the link-layer payload, and thus at an offset of
2075 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
2076 * of the raw packet data, using that addressing mode.
2077 */
2078 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
2079 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
2080 }
2081 return s;
2082 }
2083
2084
2085 static struct block *
2086 gen_uncond(compiler_state_t *cstate, int rsense)
2087 {
2088 struct block *b;
2089 struct slist *s;
2090
2091 s = new_stmt(cstate, BPF_LD|BPF_IMM);
2092 s->s.k = !rsense;
2093 b = new_block(cstate, JMP(BPF_JEQ));
2094 b->stmts = s;
2095
2096 return b;
2097 }
2098
2099 static inline struct block *
2100 gen_true(compiler_state_t *cstate)
2101 {
2102 return gen_uncond(cstate, 1);
2103 }
2104
2105 static inline struct block *
2106 gen_false(compiler_state_t *cstate)
2107 {
2108 return gen_uncond(cstate, 0);
2109 }
2110
2111 /*
2112 * Generate code to match a particular packet type.
2113 *
2114 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2115 * value, if <= ETHERMTU. We use that to determine whether to
2116 * match the type/length field or to check the type/length field for
2117 * a value <= ETHERMTU to see whether it's a type field and then do
2118 * the appropriate test.
2119 */
2120 static struct block *
2121 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2122 {
2123 struct block *b0, *b1;
2124
2125 switch (ll_proto) {
2126
2127 case LLCSAP_ISONS:
2128 case LLCSAP_IP:
2129 case LLCSAP_NETBEUI:
2130 /*
2131 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2132 * so we check the DSAP and SSAP.
2133 *
2134 * LLCSAP_IP checks for IP-over-802.2, rather
2135 * than IP-over-Ethernet or IP-over-SNAP.
2136 *
2137 * XXX - should we check both the DSAP and the
2138 * SSAP, like this, or should we check just the
2139 * DSAP, as we do for other types <= ETHERMTU
2140 * (i.e., other SAP values)?
2141 */
2142 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2143 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2144 gen_and(b0, b1);
2145 return b1;
2146
2147 case LLCSAP_IPX:
2148 /*
2149 * Check for;
2150 *
2151 * Ethernet_II frames, which are Ethernet
2152 * frames with a frame type of ETHERTYPE_IPX;
2153 *
2154 * Ethernet_802.3 frames, which are 802.3
2155 * frames (i.e., the type/length field is
2156 * a length field, <= ETHERMTU, rather than
2157 * a type field) with the first two bytes
2158 * after the Ethernet/802.3 header being
2159 * 0xFFFF;
2160 *
2161 * Ethernet_802.2 frames, which are 802.3
2162 * frames with an 802.2 LLC header and
2163 * with the IPX LSAP as the DSAP in the LLC
2164 * header;
2165 *
2166 * Ethernet_SNAP frames, which are 802.3
2167 * frames with an LLC header and a SNAP
2168 * header and with an OUI of 0x000000
2169 * (encapsulated Ethernet) and a protocol
2170 * ID of ETHERTYPE_IPX in the SNAP header.
2171 *
2172 * XXX - should we generate the same code both
2173 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2174 */
2175
2176 /*
2177 * This generates code to check both for the
2178 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2179 */
2180 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2181 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
2182 gen_or(b0, b1);
2183
2184 /*
2185 * Now we add code to check for SNAP frames with
2186 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2187 */
2188 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2189 gen_or(b0, b1);
2190
2191 /*
2192 * Now we generate code to check for 802.3
2193 * frames in general.
2194 */
2195 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2196
2197 /*
2198 * Now add the check for 802.3 frames before the
2199 * check for Ethernet_802.2 and Ethernet_802.3,
2200 * as those checks should only be done on 802.3
2201 * frames, not on Ethernet frames.
2202 */
2203 gen_and(b0, b1);
2204
2205 /*
2206 * Now add the check for Ethernet_II frames, and
2207 * do that before checking for the other frame
2208 * types.
2209 */
2210 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2211 gen_or(b0, b1);
2212 return b1;
2213
2214 case ETHERTYPE_ATALK:
2215 case ETHERTYPE_AARP:
2216 /*
2217 * EtherTalk (AppleTalk protocols on Ethernet link
2218 * layer) may use 802.2 encapsulation.
2219 */
2220
2221 /*
2222 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2223 * we check for an Ethernet type field less or equal than
2224 * 1500, which means it's an 802.3 length field.
2225 */
2226 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2227
2228 /*
2229 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2230 * SNAP packets with an organization code of
2231 * 0x080007 (Apple, for Appletalk) and a protocol
2232 * type of ETHERTYPE_ATALK (Appletalk).
2233 *
2234 * 802.2-encapsulated ETHERTYPE_AARP packets are
2235 * SNAP packets with an organization code of
2236 * 0x000000 (encapsulated Ethernet) and a protocol
2237 * type of ETHERTYPE_AARP (Appletalk ARP).
2238 */
2239 if (ll_proto == ETHERTYPE_ATALK)
2240 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2241 else /* ll_proto == ETHERTYPE_AARP */
2242 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2243 gen_and(b0, b1);
2244
2245 /*
2246 * Check for Ethernet encapsulation (Ethertalk
2247 * phase 1?); we just check for the Ethernet
2248 * protocol type.
2249 */
2250 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2251
2252 gen_or(b0, b1);
2253 return b1;
2254
2255 default:
2256 if (ll_proto <= ETHERMTU) {
2257 /*
2258 * This is an LLC SAP value, so the frames
2259 * that match would be 802.2 frames.
2260 * Check that the frame is an 802.2 frame
2261 * (i.e., that the length/type field is
2262 * a length field, <= ETHERMTU) and
2263 * then check the DSAP.
2264 */
2265 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2266 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto);
2267 gen_and(b0, b1);
2268 return b1;
2269 } else {
2270 /*
2271 * This is an Ethernet type, so compare
2272 * the length/type field with it (if
2273 * the frame is an 802.2 frame, the length
2274 * field will be <= ETHERMTU, and, as
2275 * "ll_proto" is > ETHERMTU, this test
2276 * will fail and the frame won't match,
2277 * which is what we want).
2278 */
2279 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2280 }
2281 }
2282 }
2283
2284 static struct block *
2285 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2286 {
2287 /*
2288 * For DLT_NULL, the link-layer header is a 32-bit word
2289 * containing an AF_ value in *host* byte order, and for
2290 * DLT_ENC, the link-layer header begins with a 32-bit
2291 * word containing an AF_ value in host byte order.
2292 *
2293 * In addition, if we're reading a saved capture file,
2294 * the host byte order in the capture may not be the
2295 * same as the host byte order on this machine.
2296 *
2297 * For DLT_LOOP, the link-layer header is a 32-bit
2298 * word containing an AF_ value in *network* byte order.
2299 */
2300 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2301 /*
2302 * The AF_ value is in host byte order, but the BPF
2303 * interpreter will convert it to network byte order.
2304 *
2305 * If this is a save file, and it's from a machine
2306 * with the opposite byte order to ours, we byte-swap
2307 * the AF_ value.
2308 *
2309 * Then we run it through "htonl()", and generate
2310 * code to compare against the result.
2311 */
2312 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2313 ll_proto = SWAPLONG(ll_proto);
2314 ll_proto = htonl(ll_proto);
2315 }
2316 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto));
2317 }
2318
2319 /*
2320 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2321 * or IPv6 then we have an error.
2322 */
2323 static struct block *
2324 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2325 {
2326 switch (ll_proto) {
2327
2328 case ETHERTYPE_IP:
2329 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET);
2330 /*NOTREACHED*/
2331
2332 case ETHERTYPE_IPV6:
2333 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6);
2334 /*NOTREACHED*/
2335
2336 default:
2337 break;
2338 }
2339
2340 return gen_false(cstate);
2341 }
2342
2343 /*
2344 * Generate code to match a particular packet type.
2345 *
2346 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2347 * value, if <= ETHERMTU. We use that to determine whether to
2348 * match the type field or to check the type field for the special
2349 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2350 */
2351 static struct block *
2352 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2353 {
2354 struct block *b0, *b1;
2355
2356 switch (ll_proto) {
2357
2358 case LLCSAP_ISONS:
2359 case LLCSAP_IP:
2360 case LLCSAP_NETBEUI:
2361 /*
2362 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2363 * so we check the DSAP and SSAP.
2364 *
2365 * LLCSAP_IP checks for IP-over-802.2, rather
2366 * than IP-over-Ethernet or IP-over-SNAP.
2367 *
2368 * XXX - should we check both the DSAP and the
2369 * SSAP, like this, or should we check just the
2370 * DSAP, as we do for other types <= ETHERMTU
2371 * (i.e., other SAP values)?
2372 */
2373 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2374 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2375 gen_and(b0, b1);
2376 return b1;
2377
2378 case LLCSAP_IPX:
2379 /*
2380 * Ethernet_II frames, which are Ethernet
2381 * frames with a frame type of ETHERTYPE_IPX;
2382 *
2383 * Ethernet_802.3 frames, which have a frame
2384 * type of LINUX_SLL_P_802_3;
2385 *
2386 * Ethernet_802.2 frames, which are 802.3
2387 * frames with an 802.2 LLC header (i.e, have
2388 * a frame type of LINUX_SLL_P_802_2) and
2389 * with the IPX LSAP as the DSAP in the LLC
2390 * header;
2391 *
2392 * Ethernet_SNAP frames, which are 802.3
2393 * frames with an LLC header and a SNAP
2394 * header and with an OUI of 0x000000
2395 * (encapsulated Ethernet) and a protocol
2396 * ID of ETHERTYPE_IPX in the SNAP header.
2397 *
2398 * First, do the checks on LINUX_SLL_P_802_2
2399 * frames; generate the check for either
2400 * Ethernet_802.2 or Ethernet_SNAP frames, and
2401 * then put a check for LINUX_SLL_P_802_2 frames
2402 * before it.
2403 */
2404 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2405 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2406 gen_or(b0, b1);
2407 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2408 gen_and(b0, b1);
2409
2410 /*
2411 * Now check for 802.3 frames and OR that with
2412 * the previous test.
2413 */
2414 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2415 gen_or(b0, b1);
2416
2417 /*
2418 * Now add the check for Ethernet_II frames, and
2419 * do that before checking for the other frame
2420 * types.
2421 */
2422 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2423 gen_or(b0, b1);
2424 return b1;
2425
2426 case ETHERTYPE_ATALK:
2427 case ETHERTYPE_AARP:
2428 /*
2429 * EtherTalk (AppleTalk protocols on Ethernet link
2430 * layer) may use 802.2 encapsulation.
2431 */
2432
2433 /*
2434 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2435 * we check for the 802.2 protocol type in the
2436 * "Ethernet type" field.
2437 */
2438 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2439
2440 /*
2441 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2442 * SNAP packets with an organization code of
2443 * 0x080007 (Apple, for Appletalk) and a protocol
2444 * type of ETHERTYPE_ATALK (Appletalk).
2445 *
2446 * 802.2-encapsulated ETHERTYPE_AARP packets are
2447 * SNAP packets with an organization code of
2448 * 0x000000 (encapsulated Ethernet) and a protocol
2449 * type of ETHERTYPE_AARP (Appletalk ARP).
2450 */
2451 if (ll_proto == ETHERTYPE_ATALK)
2452 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2453 else /* ll_proto == ETHERTYPE_AARP */
2454 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2455 gen_and(b0, b1);
2456
2457 /*
2458 * Check for Ethernet encapsulation (Ethertalk
2459 * phase 1?); we just check for the Ethernet
2460 * protocol type.
2461 */
2462 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2463
2464 gen_or(b0, b1);
2465 return b1;
2466
2467 default:
2468 if (ll_proto <= ETHERMTU) {
2469 /*
2470 * This is an LLC SAP value, so the frames
2471 * that match would be 802.2 frames.
2472 * Check for the 802.2 protocol type
2473 * in the "Ethernet type" field, and
2474 * then check the DSAP.
2475 */
2476 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2477 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2478 ll_proto);
2479 gen_and(b0, b1);
2480 return b1;
2481 } else {
2482 /*
2483 * This is an Ethernet type, so compare
2484 * the length/type field with it (if
2485 * the frame is an 802.2 frame, the length
2486 * field will be <= ETHERMTU, and, as
2487 * "ll_proto" is > ETHERMTU, this test
2488 * will fail and the frame won't match,
2489 * which is what we want).
2490 */
2491 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2492 }
2493 }
2494 }
2495
2496 /*
2497 * Load a value relative to the beginning of the link-layer header after the
2498 * pflog header.
2499 */
2500 static struct slist *
2501 gen_load_pflog_llprefixlen(compiler_state_t *cstate)
2502 {
2503 struct slist *s1, *s2;
2504
2505 /*
2506 * Generate code to load the length of the pflog header into
2507 * the register assigned to hold that length, if one has been
2508 * assigned. (If one hasn't been assigned, no code we've
2509 * generated uses that prefix, so we don't need to generate any
2510 * code to load it.)
2511 */
2512 if (cstate->off_linkpl.reg != -1) {
2513 /*
2514 * The length is in the first byte of the header.
2515 */
2516 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2517 s1->s.k = 0;
2518
2519 /*
2520 * Round it up to a multiple of 4.
2521 * Add 3, and clear the lower 2 bits.
2522 */
2523 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2524 s2->s.k = 3;
2525 sappend(s1, s2);
2526 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2527 s2->s.k = 0xfffffffc;
2528 sappend(s1, s2);
2529
2530 /*
2531 * Now allocate a register to hold that value and store
2532 * it.
2533 */
2534 s2 = new_stmt(cstate, BPF_ST);
2535 s2->s.k = cstate->off_linkpl.reg;
2536 sappend(s1, s2);
2537
2538 /*
2539 * Now move it into the X register.
2540 */
2541 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2542 sappend(s1, s2);
2543
2544 return (s1);
2545 } else
2546 return (NULL);
2547 }
2548
2549 static struct slist *
2550 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2551 {
2552 struct slist *s1, *s2;
2553 struct slist *sjeq_avs_cookie;
2554 struct slist *sjcommon;
2555
2556 /*
2557 * This code is not compatible with the optimizer, as
2558 * we are generating jmp instructions within a normal
2559 * slist of instructions
2560 */
2561 cstate->no_optimize = 1;
2562
2563 /*
2564 * Generate code to load the length of the radio header into
2565 * the register assigned to hold that length, if one has been
2566 * assigned. (If one hasn't been assigned, no code we've
2567 * generated uses that prefix, so we don't need to generate any
2568 * code to load it.)
2569 *
2570 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2571 * or always use the AVS header rather than the Prism header.
2572 * We load a 4-byte big-endian value at the beginning of the
2573 * raw packet data, and see whether, when masked with 0xFFFFF000,
2574 * it's equal to 0x80211000. If so, that indicates that it's
2575 * an AVS header (the masked-out bits are the version number).
2576 * Otherwise, it's a Prism header.
2577 *
2578 * XXX - the Prism header is also, in theory, variable-length,
2579 * but no known software generates headers that aren't 144
2580 * bytes long.
2581 */
2582 if (cstate->off_linkhdr.reg != -1) {
2583 /*
2584 * Load the cookie.
2585 */
2586 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2587 s1->s.k = 0;
2588
2589 /*
2590 * AND it with 0xFFFFF000.
2591 */
2592 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2593 s2->s.k = 0xFFFFF000;
2594 sappend(s1, s2);
2595
2596 /*
2597 * Compare with 0x80211000.
2598 */
2599 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2600 sjeq_avs_cookie->s.k = 0x80211000;
2601 sappend(s1, sjeq_avs_cookie);
2602
2603 /*
2604 * If it's AVS:
2605 *
2606 * The 4 bytes at an offset of 4 from the beginning of
2607 * the AVS header are the length of the AVS header.
2608 * That field is big-endian.
2609 */
2610 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2611 s2->s.k = 4;
2612 sappend(s1, s2);
2613 sjeq_avs_cookie->s.jt = s2;
2614
2615 /*
2616 * Now jump to the code to allocate a register
2617 * into which to save the header length and
2618 * store the length there. (The "jump always"
2619 * instruction needs to have the k field set;
2620 * it's added to the PC, so, as we're jumping
2621 * over a single instruction, it should be 1.)
2622 */
2623 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2624 sjcommon->s.k = 1;
2625 sappend(s1, sjcommon);
2626
2627 /*
2628 * Now for the code that handles the Prism header.
2629 * Just load the length of the Prism header (144)
2630 * into the A register. Have the test for an AVS
2631 * header branch here if we don't have an AVS header.
2632 */
2633 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2634 s2->s.k = 144;
2635 sappend(s1, s2);
2636 sjeq_avs_cookie->s.jf = s2;
2637
2638 /*
2639 * Now allocate a register to hold that value and store
2640 * it. The code for the AVS header will jump here after
2641 * loading the length of the AVS header.
2642 */
2643 s2 = new_stmt(cstate, BPF_ST);
2644 s2->s.k = cstate->off_linkhdr.reg;
2645 sappend(s1, s2);
2646 sjcommon->s.jf = s2;
2647
2648 /*
2649 * Now move it into the X register.
2650 */
2651 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2652 sappend(s1, s2);
2653
2654 return (s1);
2655 } else
2656 return (NULL);
2657 }
2658
2659 static struct slist *
2660 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2661 {
2662 struct slist *s1, *s2;
2663
2664 /*
2665 * Generate code to load the length of the AVS header into
2666 * the register assigned to hold that length, if one has been
2667 * assigned. (If one hasn't been assigned, no code we've
2668 * generated uses that prefix, so we don't need to generate any
2669 * code to load it.)
2670 */
2671 if (cstate->off_linkhdr.reg != -1) {
2672 /*
2673 * The 4 bytes at an offset of 4 from the beginning of
2674 * the AVS header are the length of the AVS header.
2675 * That field is big-endian.
2676 */
2677 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2678 s1->s.k = 4;
2679
2680 /*
2681 * Now allocate a register to hold that value and store
2682 * it.
2683 */
2684 s2 = new_stmt(cstate, BPF_ST);
2685 s2->s.k = cstate->off_linkhdr.reg;
2686 sappend(s1, s2);
2687
2688 /*
2689 * Now move it into the X register.
2690 */
2691 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2692 sappend(s1, s2);
2693
2694 return (s1);
2695 } else
2696 return (NULL);
2697 }
2698
2699 static struct slist *
2700 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2701 {
2702 struct slist *s1, *s2;
2703
2704 /*
2705 * Generate code to load the length of the radiotap header into
2706 * the register assigned to hold that length, if one has been
2707 * assigned. (If one hasn't been assigned, no code we've
2708 * generated uses that prefix, so we don't need to generate any
2709 * code to load it.)
2710 */
2711 if (cstate->off_linkhdr.reg != -1) {
2712 /*
2713 * The 2 bytes at offsets of 2 and 3 from the beginning
2714 * of the radiotap header are the length of the radiotap
2715 * header; unfortunately, it's little-endian, so we have
2716 * to load it a byte at a time and construct the value.
2717 */
2718
2719 /*
2720 * Load the high-order byte, at an offset of 3, shift it
2721 * left a byte, and put the result in the X register.
2722 */
2723 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2724 s1->s.k = 3;
2725 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2726 sappend(s1, s2);
2727 s2->s.k = 8;
2728 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2729 sappend(s1, s2);
2730
2731 /*
2732 * Load the next byte, at an offset of 2, and OR the
2733 * value from the X register into it.
2734 */
2735 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2736 sappend(s1, s2);
2737 s2->s.k = 2;
2738 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2739 sappend(s1, s2);
2740
2741 /*
2742 * Now allocate a register to hold that value and store
2743 * it.
2744 */
2745 s2 = new_stmt(cstate, BPF_ST);
2746 s2->s.k = cstate->off_linkhdr.reg;
2747 sappend(s1, s2);
2748
2749 /*
2750 * Now move it into the X register.
2751 */
2752 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2753 sappend(s1, s2);
2754
2755 return (s1);
2756 } else
2757 return (NULL);
2758 }
2759
2760 /*
2761 * At the moment we treat PPI as normal Radiotap encoded
2762 * packets. The difference is in the function that generates
2763 * the code at the beginning to compute the header length.
2764 * Since this code generator of PPI supports bare 802.11
2765 * encapsulation only (i.e. the encapsulated DLT should be
2766 * DLT_IEEE802_11) we generate code to check for this too;
2767 * that's done in finish_parse().
2768 */
2769 static struct slist *
2770 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2771 {
2772 struct slist *s1, *s2;
2773
2774 /*
2775 * Generate code to load the length of the radiotap header
2776 * into the register assigned to hold that length, if one has
2777 * been assigned.
2778 */
2779 if (cstate->off_linkhdr.reg != -1) {
2780 /*
2781 * The 2 bytes at offsets of 2 and 3 from the beginning
2782 * of the radiotap header are the length of the radiotap
2783 * header; unfortunately, it's little-endian, so we have
2784 * to load it a byte at a time and construct the value.
2785 */
2786
2787 /*
2788 * Load the high-order byte, at an offset of 3, shift it
2789 * left a byte, and put the result in the X register.
2790 */
2791 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2792 s1->s.k = 3;
2793 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2794 sappend(s1, s2);
2795 s2->s.k = 8;
2796 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2797 sappend(s1, s2);
2798
2799 /*
2800 * Load the next byte, at an offset of 2, and OR the
2801 * value from the X register into it.
2802 */
2803 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2804 sappend(s1, s2);
2805 s2->s.k = 2;
2806 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2807 sappend(s1, s2);
2808
2809 /*
2810 * Now allocate a register to hold that value and store
2811 * it.
2812 */
2813 s2 = new_stmt(cstate, BPF_ST);
2814 s2->s.k = cstate->off_linkhdr.reg;
2815 sappend(s1, s2);
2816
2817 /*
2818 * Now move it into the X register.
2819 */
2820 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2821 sappend(s1, s2);
2822
2823 return (s1);
2824 } else
2825 return (NULL);
2826 }
2827
2828 /*
2829 * Load a value relative to the beginning of the link-layer header after the 802.11
2830 * header, i.e. LLC_SNAP.
2831 * The link-layer header doesn't necessarily begin at the beginning
2832 * of the packet data; there might be a variable-length prefix containing
2833 * radio information.
2834 */
2835 static struct slist *
2836 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2837 {
2838 struct slist *s2;
2839 struct slist *sjset_data_frame_1;
2840 struct slist *sjset_data_frame_2;
2841 struct slist *sjset_qos;
2842 struct slist *sjset_radiotap_flags_present;
2843 struct slist *sjset_radiotap_ext_present;
2844 struct slist *sjset_radiotap_tsft_present;
2845 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2846 struct slist *s_roundup;
2847
2848 if (cstate->off_linkpl.reg == -1) {
2849 /*
2850 * No register has been assigned to the offset of
2851 * the link-layer payload, which means nobody needs
2852 * it; don't bother computing it - just return
2853 * what we already have.
2854 */
2855 return (s);
2856 }
2857
2858 /*
2859 * This code is not compatible with the optimizer, as
2860 * we are generating jmp instructions within a normal
2861 * slist of instructions
2862 */
2863 cstate->no_optimize = 1;
2864
2865 /*
2866 * If "s" is non-null, it has code to arrange that the X register
2867 * contains the length of the prefix preceding the link-layer
2868 * header.
2869 *
2870 * Otherwise, the length of the prefix preceding the link-layer
2871 * header is "off_outermostlinkhdr.constant_part".
2872 */
2873 if (s == NULL) {
2874 /*
2875 * There is no variable-length header preceding the
2876 * link-layer header.
2877 *
2878 * Load the length of the fixed-length prefix preceding
2879 * the link-layer header (if any) into the X register,
2880 * and store it in the cstate->off_linkpl.reg register.
2881 * That length is off_outermostlinkhdr.constant_part.
2882 */
2883 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2884 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2885 }
2886
2887 /*
2888 * The X register contains the offset of the beginning of the
2889 * link-layer header; add 24, which is the minimum length
2890 * of the MAC header for a data frame, to that, and store it
2891 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2892 * which is at the offset in the X register, with an indexed load.
2893 */
2894 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2895 sappend(s, s2);
2896 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2897 s2->s.k = 24;
2898 sappend(s, s2);
2899 s2 = new_stmt(cstate, BPF_ST);
2900 s2->s.k = cstate->off_linkpl.reg;
2901 sappend(s, s2);
2902
2903 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2904 s2->s.k = 0;
2905 sappend(s, s2);
2906
2907 /*
2908 * Check the Frame Control field to see if this is a data frame;
2909 * a data frame has the 0x08 bit (b3) in that field set and the
2910 * 0x04 bit (b2) clear.
2911 */
2912 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2913 sjset_data_frame_1->s.k = 0x08;
2914 sappend(s, sjset_data_frame_1);
2915
2916 /*
2917 * If b3 is set, test b2, otherwise go to the first statement of
2918 * the rest of the program.
2919 */
2920 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2921 sjset_data_frame_2->s.k = 0x04;
2922 sappend(s, sjset_data_frame_2);
2923 sjset_data_frame_1->s.jf = snext;
2924
2925 /*
2926 * If b2 is not set, this is a data frame; test the QoS bit.
2927 * Otherwise, go to the first statement of the rest of the
2928 * program.
2929 */
2930 sjset_data_frame_2->s.jt = snext;
2931 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2932 sjset_qos->s.k = 0x80; /* QoS bit */
2933 sappend(s, sjset_qos);
2934
2935 /*
2936 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2937 * field.
2938 * Otherwise, go to the first statement of the rest of the
2939 * program.
2940 */
2941 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2942 s2->s.k = cstate->off_linkpl.reg;
2943 sappend(s, s2);
2944 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2945 s2->s.k = 2;
2946 sappend(s, s2);
2947 s2 = new_stmt(cstate, BPF_ST);
2948 s2->s.k = cstate->off_linkpl.reg;
2949 sappend(s, s2);
2950
2951 /*
2952 * If we have a radiotap header, look at it to see whether
2953 * there's Atheros padding between the MAC-layer header
2954 * and the payload.
2955 *
2956 * Note: all of the fields in the radiotap header are
2957 * little-endian, so we byte-swap all of the values
2958 * we test against, as they will be loaded as big-endian
2959 * values.
2960 *
2961 * XXX - in the general case, we would have to scan through
2962 * *all* the presence bits, if there's more than one word of
2963 * presence bits. That would require a loop, meaning that
2964 * we wouldn't be able to run the filter in the kernel.
2965 *
2966 * We assume here that the Atheros adapters that insert the
2967 * annoying padding don't have multiple antennae and therefore
2968 * do not generate radiotap headers with multiple presence words.
2969 */
2970 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2971 /*
2972 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2973 * in the first presence flag word?
2974 */
2975 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2976 s2->s.k = 4;
2977 sappend(s, s2);
2978
2979 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2980 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2981 sappend(s, sjset_radiotap_flags_present);
2982
2983 /*
2984 * If not, skip all of this.
2985 */
2986 sjset_radiotap_flags_present->s.jf = snext;
2987
2988 /*
2989 * Otherwise, is the "extension" bit set in that word?
2990 */
2991 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2992 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2993 sappend(s, sjset_radiotap_ext_present);
2994 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2995
2996 /*
2997 * If so, skip all of this.
2998 */
2999 sjset_radiotap_ext_present->s.jt = snext;
3000
3001 /*
3002 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
3003 */
3004 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
3005 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
3006 sappend(s, sjset_radiotap_tsft_present);
3007 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
3008
3009 /*
3010 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
3011 * at an offset of 16 from the beginning of the raw packet
3012 * data (8 bytes for the radiotap header and 8 bytes for
3013 * the TSFT field).
3014 *
3015 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
3016 * is set.
3017 */
3018 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
3019 s2->s.k = 16;
3020 sappend(s, s2);
3021 sjset_radiotap_tsft_present->s.jt = s2;
3022
3023 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
3024 sjset_tsft_datapad->s.k = 0x20;
3025 sappend(s, sjset_tsft_datapad);
3026
3027 /*
3028 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
3029 * at an offset of 8 from the beginning of the raw packet
3030 * data (8 bytes for the radiotap header).
3031 *
3032 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
3033 * is set.
3034 */
3035 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
3036 s2->s.k = 8;
3037 sappend(s, s2);
3038 sjset_radiotap_tsft_present->s.jf = s2;
3039
3040 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
3041 sjset_notsft_datapad->s.k = 0x20;
3042 sappend(s, sjset_notsft_datapad);
3043
3044 /*
3045 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
3046 * set, round the length of the 802.11 header to
3047 * a multiple of 4. Do that by adding 3 and then
3048 * dividing by and multiplying by 4, which we do by
3049 * ANDing with ~3.
3050 */
3051 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
3052 s_roundup->s.k = cstate->off_linkpl.reg;
3053 sappend(s, s_roundup);
3054 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
3055 s2->s.k = 3;
3056 sappend(s, s2);
3057 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
3058 s2->s.k = (bpf_u_int32)~3;
3059 sappend(s, s2);
3060 s2 = new_stmt(cstate, BPF_ST);
3061 s2->s.k = cstate->off_linkpl.reg;
3062 sappend(s, s2);
3063
3064 sjset_tsft_datapad->s.jt = s_roundup;
3065 sjset_tsft_datapad->s.jf = snext;
3066 sjset_notsft_datapad->s.jt = s_roundup;
3067 sjset_notsft_datapad->s.jf = snext;
3068 } else
3069 sjset_qos->s.jf = snext;
3070
3071 return s;
3072 }
3073
3074 static void
3075 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
3076 {
3077 struct slist *s;
3078
3079 /* There is an implicit dependency between the link
3080 * payload and link header since the payload computation
3081 * includes the variable part of the header. Therefore,
3082 * if nobody else has allocated a register for the link
3083 * header and we need it, do it now. */
3084 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
3085 cstate->off_linkhdr.reg == -1)
3086 cstate->off_linkhdr.reg = alloc_reg(cstate);
3087
3088 /*
3089 * For link-layer types that have a variable-length header
3090 * preceding the link-layer header, generate code to load
3091 * the offset of the link-layer header into the register
3092 * assigned to that offset, if any.
3093 *
3094 * XXX - this, and the next switch statement, won't handle
3095 * encapsulation of 802.11 or 802.11+radio information in
3096 * some other protocol stack. That's significantly more
3097 * complicated.
3098 */
3099 switch (cstate->outermostlinktype) {
3100
3101 case DLT_PRISM_HEADER:
3102 s = gen_load_prism_llprefixlen(cstate);
3103 break;
3104
3105 case DLT_IEEE802_11_RADIO_AVS:
3106 s = gen_load_avs_llprefixlen(cstate);
3107 break;
3108
3109 case DLT_IEEE802_11_RADIO:
3110 s = gen_load_radiotap_llprefixlen(cstate);
3111 break;
3112
3113 case DLT_PPI:
3114 s = gen_load_ppi_llprefixlen(cstate);
3115 break;
3116
3117 default:
3118 s = NULL;
3119 break;
3120 }
3121
3122 /*
3123 * For link-layer types that have a variable-length link-layer
3124 * header, generate code to load the offset of the link-layer
3125 * payload into the register assigned to that offset, if any.
3126 */
3127 switch (cstate->outermostlinktype) {
3128
3129 case DLT_IEEE802_11:
3130 case DLT_PRISM_HEADER:
3131 case DLT_IEEE802_11_RADIO_AVS:
3132 case DLT_IEEE802_11_RADIO:
3133 case DLT_PPI:
3134 s = gen_load_802_11_header_len(cstate, s, b->stmts);
3135 break;
3136
3137 case DLT_PFLOG:
3138 s = gen_load_pflog_llprefixlen(cstate);
3139 break;
3140 }
3141
3142 /*
3143 * If there is no initialization yet and we need variable
3144 * length offsets for VLAN, initialize them to zero
3145 */
3146 if (s == NULL && cstate->is_vlan_vloffset) {
3147 struct slist *s2;
3148
3149 if (cstate->off_linkpl.reg == -1)
3150 cstate->off_linkpl.reg = alloc_reg(cstate);
3151 if (cstate->off_linktype.reg == -1)
3152 cstate->off_linktype.reg = alloc_reg(cstate);
3153
3154 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
3155 s->s.k = 0;
3156 s2 = new_stmt(cstate, BPF_ST);
3157 s2->s.k = cstate->off_linkpl.reg;
3158 sappend(s, s2);
3159 s2 = new_stmt(cstate, BPF_ST);
3160 s2->s.k = cstate->off_linktype.reg;
3161 sappend(s, s2);
3162 }
3163
3164 /*
3165 * If we have any offset-loading code, append all the
3166 * existing statements in the block to those statements,
3167 * and make the resulting list the list of statements
3168 * for the block.
3169 */
3170 if (s != NULL) {
3171 sappend(s, b->stmts);
3172 b->stmts = s;
3173 }
3174 }
3175
3176 /*
3177 * Take an absolute offset, and:
3178 *
3179 * if it has no variable part, return NULL;
3180 *
3181 * if it has a variable part, generate code to load the register
3182 * containing that variable part into the X register, returning
3183 * a pointer to that code - if no register for that offset has
3184 * been allocated, allocate it first.
3185 *
3186 * (The code to set that register will be generated later, but will
3187 * be placed earlier in the code sequence.)
3188 */
3189 static struct slist *
3190 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3191 {
3192 struct slist *s;
3193
3194 if (off->is_variable) {
3195 if (off->reg == -1) {
3196 /*
3197 * We haven't yet assigned a register for the
3198 * variable part of the offset of the link-layer
3199 * header; allocate one.
3200 */
3201 off->reg = alloc_reg(cstate);
3202 }
3203
3204 /*
3205 * Load the register containing the variable part of the
3206 * offset of the link-layer header into the X register.
3207 */
3208 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3209 s->s.k = off->reg;
3210 return s;
3211 } else {
3212 /*
3213 * That offset isn't variable, there's no variable part,
3214 * so we don't need to generate any code.
3215 */
3216 return NULL;
3217 }
3218 }
3219
3220 /*
3221 * Map an Ethernet type to the equivalent PPP type.
3222 */
3223 static bpf_u_int32
3224 ethertype_to_ppptype(bpf_u_int32 ll_proto)
3225 {
3226 switch (ll_proto) {
3227
3228 case ETHERTYPE_IP:
3229 ll_proto = PPP_IP;
3230 break;
3231
3232 case ETHERTYPE_IPV6:
3233 ll_proto = PPP_IPV6;
3234 break;
3235
3236 case ETHERTYPE_DN:
3237 ll_proto = PPP_DECNET;
3238 break;
3239
3240 case ETHERTYPE_ATALK:
3241 ll_proto = PPP_APPLE;
3242 break;
3243
3244 case ETHERTYPE_NS:
3245 ll_proto = PPP_NS;
3246 break;
3247
3248 case LLCSAP_ISONS:
3249 ll_proto = PPP_OSI;
3250 break;
3251
3252 case LLCSAP_8021D:
3253 /*
3254 * I'm assuming the "Bridging PDU"s that go
3255 * over PPP are Spanning Tree Protocol
3256 * Bridging PDUs.
3257 */
3258 ll_proto = PPP_BRPDU;
3259 break;
3260
3261 case LLCSAP_IPX:
3262 ll_proto = PPP_IPX;
3263 break;
3264 }
3265 return (ll_proto);
3266 }
3267
3268 /*
3269 * Generate any tests that, for encapsulation of a link-layer packet
3270 * inside another protocol stack, need to be done to check for those
3271 * link-layer packets (and that haven't already been done by a check
3272 * for that encapsulation).
3273 */
3274 static struct block *
3275 gen_prevlinkhdr_check(compiler_state_t *cstate)
3276 {
3277 struct block *b0;
3278
3279 if (cstate->is_encap)
3280 return gen_encap_ll_check(cstate);
3281
3282 switch (cstate->prevlinktype) {
3283
3284 case DLT_SUNATM:
3285 /*
3286 * This is LANE-encapsulated Ethernet; check that the LANE
3287 * packet doesn't begin with an LE Control marker, i.e.
3288 * that it's data, not a control message.
3289 *
3290 * (We've already generated a test for LANE.)
3291 */
3292 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3293 gen_not(b0);
3294 return b0;
3295
3296 default:
3297 /*
3298 * No such tests are necessary.
3299 */
3300 return NULL;
3301 }
3302 /*NOTREACHED*/
3303 }
3304
3305 /*
3306 * The three different values we should check for when checking for an
3307 * IPv6 packet with DLT_NULL.
3308 */
3309 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3310 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3311 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3312
3313 /*
3314 * Generate code to match a particular packet type by matching the
3315 * link-layer type field or fields in the 802.2 LLC header.
3316 *
3317 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3318 * value, if <= ETHERMTU.
3319 */
3320 static struct block *
3321 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3322 {
3323 struct block *b0, *b1, *b2;
3324
3325 /* are we checking MPLS-encapsulated packets? */
3326 if (cstate->label_stack_depth > 0)
3327 return gen_mpls_linktype(cstate, ll_proto);
3328
3329 switch (cstate->linktype) {
3330
3331 case DLT_EN10MB:
3332 case DLT_NETANALYZER:
3333 case DLT_NETANALYZER_TRANSPARENT:
3334 /* Geneve has an EtherType regardless of whether there is an
3335 * L2 header. VXLAN always has an EtherType. */
3336 if (!cstate->is_encap)
3337 b0 = gen_prevlinkhdr_check(cstate);
3338 else
3339 b0 = NULL;
3340
3341 b1 = gen_ether_linktype(cstate, ll_proto);
3342 if (b0 != NULL)
3343 gen_and(b0, b1);
3344 return b1;
3345 /*NOTREACHED*/
3346
3347 case DLT_C_HDLC:
3348 case DLT_HDLC:
3349 switch (ll_proto) {
3350
3351 case LLCSAP_ISONS:
3352 ll_proto = (ll_proto << 8 | LLCSAP_ISONS);
3353 /* fall through */
3354
3355 default:
3356 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3357 /*NOTREACHED*/
3358 }
3359
3360 case DLT_IEEE802_11:
3361 case DLT_PRISM_HEADER:
3362 case DLT_IEEE802_11_RADIO_AVS:
3363 case DLT_IEEE802_11_RADIO:
3364 case DLT_PPI:
3365 /*
3366 * Check that we have a data frame.
3367 */
3368 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B,
3369 IEEE80211_FC0_TYPE_DATA,
3370 IEEE80211_FC0_TYPE_MASK);
3371
3372 /*
3373 * Now check for the specified link-layer type.
3374 */
3375 b1 = gen_llc_linktype(cstate, ll_proto);
3376 gen_and(b0, b1);
3377 return b1;
3378 /*NOTREACHED*/
3379
3380 case DLT_FDDI:
3381 /*
3382 * XXX - check for LLC frames.
3383 */
3384 return gen_llc_linktype(cstate, ll_proto);
3385 /*NOTREACHED*/
3386
3387 case DLT_IEEE802:
3388 /*
3389 * XXX - check for LLC PDUs, as per IEEE 802.5.
3390 */
3391 return gen_llc_linktype(cstate, ll_proto);
3392 /*NOTREACHED*/
3393
3394 case DLT_ATM_RFC1483:
3395 case DLT_ATM_CLIP:
3396 case DLT_IP_OVER_FC:
3397 return gen_llc_linktype(cstate, ll_proto);
3398 /*NOTREACHED*/
3399
3400 case DLT_SUNATM:
3401 /*
3402 * Check for an LLC-encapsulated version of this protocol;
3403 * if we were checking for LANE, linktype would no longer
3404 * be DLT_SUNATM.
3405 *
3406 * Check for LLC encapsulation and then check the protocol.
3407 */
3408 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3409 b1 = gen_llc_linktype(cstate, ll_proto);
3410 gen_and(b0, b1);
3411 return b1;
3412 /*NOTREACHED*/
3413
3414 case DLT_LINUX_SLL:
3415 return gen_linux_sll_linktype(cstate, ll_proto);
3416 /*NOTREACHED*/
3417
3418 case DLT_SLIP:
3419 case DLT_SLIP_BSDOS:
3420 case DLT_RAW:
3421 /*
3422 * These types don't provide any type field; packets
3423 * are always IPv4 or IPv6.
3424 *
3425 * XXX - for IPv4, check for a version number of 4, and,
3426 * for IPv6, check for a version number of 6?
3427 */
3428 switch (ll_proto) {
3429
3430 case ETHERTYPE_IP:
3431 /* Check for a version number of 4. */
3432 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3433
3434 case ETHERTYPE_IPV6:
3435 /* Check for a version number of 6. */
3436 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3437
3438 default:
3439 return gen_false(cstate); /* always false */
3440 }
3441 /*NOTREACHED*/
3442
3443 case DLT_IPV4:
3444 /*
3445 * Raw IPv4, so no type field.
3446 */
3447 if (ll_proto == ETHERTYPE_IP)
3448 return gen_true(cstate); /* always true */
3449
3450 /* Checking for something other than IPv4; always false */
3451 return gen_false(cstate);
3452 /*NOTREACHED*/
3453
3454 case DLT_IPV6:
3455 /*
3456 * Raw IPv6, so no type field.
3457 */
3458 if (ll_proto == ETHERTYPE_IPV6)
3459 return gen_true(cstate); /* always true */
3460
3461 /* Checking for something other than IPv6; always false */
3462 return gen_false(cstate);
3463 /*NOTREACHED*/
3464
3465 case DLT_PPP:
3466 case DLT_PPP_PPPD:
3467 case DLT_PPP_SERIAL:
3468 case DLT_PPP_ETHER:
3469 /*
3470 * We use Ethernet protocol types inside libpcap;
3471 * map them to the corresponding PPP protocol types.
3472 */
3473 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3474 ethertype_to_ppptype(ll_proto));
3475 /*NOTREACHED*/
3476
3477 case DLT_PPP_BSDOS:
3478 /*
3479 * We use Ethernet protocol types inside libpcap;
3480 * map them to the corresponding PPP protocol types.
3481 */
3482 switch (ll_proto) {
3483
3484 case ETHERTYPE_IP:
3485 /*
3486 * Also check for Van Jacobson-compressed IP.
3487 * XXX - do this for other forms of PPP?
3488 */
3489 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3490 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3491 gen_or(b0, b1);
3492 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3493 gen_or(b1, b0);
3494 return b0;
3495
3496 default:
3497 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3498 ethertype_to_ppptype(ll_proto));
3499 }
3500 /*NOTREACHED*/
3501
3502 case DLT_NULL:
3503 case DLT_LOOP:
3504 case DLT_ENC:
3505 switch (ll_proto) {
3506
3507 case ETHERTYPE_IP:
3508 return (gen_loopback_linktype(cstate, AF_INET));
3509
3510 case ETHERTYPE_IPV6:
3511 /*
3512 * AF_ values may, unfortunately, be platform-
3513 * dependent; AF_INET isn't, because everybody
3514 * used 4.2BSD's value, but AF_INET6 is, because
3515 * 4.2BSD didn't have a value for it (given that
3516 * IPv6 didn't exist back in the early 1980's),
3517 * and they all picked their own values.
3518 *
3519 * This means that, if we're reading from a
3520 * savefile, we need to check for all the
3521 * possible values.
3522 *
3523 * If we're doing a live capture, we only need
3524 * to check for this platform's value; however,
3525 * Npcap uses 24, which isn't Windows's AF_INET6
3526 * value. (Given the multiple different values,
3527 * programs that read pcap files shouldn't be
3528 * checking for their platform's AF_INET6 value
3529 * anyway, they should check for all of the
3530 * possible values. and they might as well do
3531 * that even for live captures.)
3532 */
3533 if (cstate->bpf_pcap->rfile != NULL) {
3534 /*
3535 * Savefile - check for all three
3536 * possible IPv6 values.
3537 */
3538 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3539 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3540 gen_or(b0, b1);
3541 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3542 gen_or(b0, b1);
3543 return (b1);
3544 } else {
3545 /*
3546 * Live capture, so we only need to
3547 * check for the value used on this
3548 * platform.
3549 */
3550 #ifdef _WIN32
3551 /*
3552 * Npcap doesn't use Windows's AF_INET6,
3553 * as that collides with AF_IPX on
3554 * some BSDs (both have the value 23).
3555 * Instead, it uses 24.
3556 */
3557 return (gen_loopback_linktype(cstate, 24));
3558 #else /* _WIN32 */
3559 #ifdef AF_INET6
3560 return (gen_loopback_linktype(cstate, AF_INET6));
3561 #else /* AF_INET6 */
3562 /*
3563 * I guess this platform doesn't support
3564 * IPv6, so we just reject all packets.
3565 */
3566 return gen_false(cstate);
3567 #endif /* AF_INET6 */
3568 #endif /* _WIN32 */
3569 }
3570
3571 default:
3572 /*
3573 * Not a type on which we support filtering.
3574 * XXX - support those that have AF_ values
3575 * #defined on this platform, at least?
3576 */
3577 return gen_false(cstate);
3578 }
3579
3580 case DLT_PFLOG:
3581 /*
3582 * af field is host byte order in contrast to the rest of
3583 * the packet.
3584 */
3585 if (ll_proto == ETHERTYPE_IP)
3586 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3587 BPF_B, AF_INET));
3588 else if (ll_proto == ETHERTYPE_IPV6)
3589 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3590 BPF_B, AF_INET6));
3591 else
3592 return gen_false(cstate);
3593 /*NOTREACHED*/
3594
3595 case DLT_ARCNET:
3596 case DLT_ARCNET_LINUX:
3597 /*
3598 * XXX should we check for first fragment if the protocol
3599 * uses PHDS?
3600 */
3601 switch (ll_proto) {
3602
3603 default:
3604 return gen_false(cstate);
3605
3606 case ETHERTYPE_IPV6:
3607 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3608 ARCTYPE_INET6));
3609
3610 case ETHERTYPE_IP:
3611 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3612 ARCTYPE_IP);
3613 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3614 ARCTYPE_IP_OLD);
3615 gen_or(b0, b1);
3616 return (b1);
3617
3618 case ETHERTYPE_ARP:
3619 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3620 ARCTYPE_ARP);
3621 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3622 ARCTYPE_ARP_OLD);
3623 gen_or(b0, b1);
3624 return (b1);
3625
3626 case ETHERTYPE_REVARP:
3627 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3628 ARCTYPE_REVARP));
3629
3630 case ETHERTYPE_ATALK:
3631 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3632 ARCTYPE_ATALK));
3633 }
3634 /*NOTREACHED*/
3635
3636 case DLT_LTALK:
3637 switch (ll_proto) {
3638 case ETHERTYPE_ATALK:
3639 return gen_true(cstate);
3640 default:
3641 return gen_false(cstate);
3642 }
3643 /*NOTREACHED*/
3644
3645 case DLT_FRELAY:
3646 /*
3647 * XXX - assumes a 2-byte Frame Relay header with
3648 * DLCI and flags. What if the address is longer?
3649 */
3650 switch (ll_proto) {
3651
3652 case ETHERTYPE_IP:
3653 /*
3654 * Check for the special NLPID for IP.
3655 */
3656 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3657
3658 case ETHERTYPE_IPV6:
3659 /*
3660 * Check for the special NLPID for IPv6.
3661 */
3662 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3663
3664 case LLCSAP_ISONS:
3665 /*
3666 * Check for several OSI protocols.
3667 *
3668 * Frame Relay packets typically have an OSI
3669 * NLPID at the beginning; we check for each
3670 * of them.
3671 *
3672 * What we check for is the NLPID and a frame
3673 * control field of UI, i.e. 0x03 followed
3674 * by the NLPID.
3675 */
3676 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3677 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3678 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3679 gen_or(b1, b2);
3680 gen_or(b0, b2);
3681 return b2;
3682
3683 default:
3684 return gen_false(cstate);
3685 }
3686 /*NOTREACHED*/
3687
3688 case DLT_MFR:
3689 break; // not implemented
3690
3691 case DLT_JUNIPER_MFR:
3692 case DLT_JUNIPER_MLFR:
3693 case DLT_JUNIPER_MLPPP:
3694 case DLT_JUNIPER_ATM1:
3695 case DLT_JUNIPER_ATM2:
3696 case DLT_JUNIPER_PPPOE:
3697 case DLT_JUNIPER_PPPOE_ATM:
3698 case DLT_JUNIPER_GGSN:
3699 case DLT_JUNIPER_ES:
3700 case DLT_JUNIPER_MONITOR:
3701 case DLT_JUNIPER_SERVICES:
3702 case DLT_JUNIPER_ETHER:
3703 case DLT_JUNIPER_PPP:
3704 case DLT_JUNIPER_FRELAY:
3705 case DLT_JUNIPER_CHDLC:
3706 case DLT_JUNIPER_VP:
3707 case DLT_JUNIPER_ST:
3708 case DLT_JUNIPER_ISM:
3709 case DLT_JUNIPER_VS:
3710 case DLT_JUNIPER_SRX_E2E:
3711 case DLT_JUNIPER_FIBRECHANNEL:
3712 case DLT_JUNIPER_ATM_CEMIC:
3713
3714 /* just lets verify the magic number for now -
3715 * on ATM we may have up to 6 different encapsulations on the wire
3716 * and need a lot of heuristics to figure out that the payload
3717 * might be;
3718 *
3719 * FIXME encapsulation specific BPF_ filters
3720 */
3721 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3722
3723 case DLT_BACNET_MS_TP:
3724 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3725
3726 case DLT_IPNET:
3727 return gen_ipnet_linktype(cstate, ll_proto);
3728
3729 case DLT_LINUX_IRDA:
3730 case DLT_DOCSIS:
3731 case DLT_MTP2:
3732 case DLT_MTP2_WITH_PHDR:
3733 case DLT_ERF:
3734 case DLT_PFSYNC:
3735 case DLT_LINUX_LAPD:
3736 case DLT_USB_FREEBSD:
3737 case DLT_USB_LINUX:
3738 case DLT_USB_LINUX_MMAPPED:
3739 case DLT_USBPCAP:
3740 case DLT_BLUETOOTH_HCI_H4:
3741 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3742 case DLT_CAN20B:
3743 case DLT_CAN_SOCKETCAN:
3744 case DLT_IEEE802_15_4:
3745 case DLT_IEEE802_15_4_LINUX:
3746 case DLT_IEEE802_15_4_NONASK_PHY:
3747 case DLT_IEEE802_15_4_NOFCS:
3748 case DLT_IEEE802_15_4_TAP:
3749 case DLT_IEEE802_16_MAC_CPS_RADIO:
3750 case DLT_SITA:
3751 case DLT_RAIF1:
3752 case DLT_IPMB_KONTRON:
3753 case DLT_I2C_LINUX:
3754 case DLT_AX25_KISS:
3755 case DLT_NFLOG:
3756 /* Using the fixed-size NFLOG header it is possible to tell only
3757 * the address family of the packet, other meaningful data is
3758 * either missing or behind TLVs.
3759 */
3760 break; // not implemented
3761
3762 default:
3763 /*
3764 * Does this link-layer header type have a field
3765 * indicating the type of the next protocol? If
3766 * so, off_linktype.constant_part will be the offset of that
3767 * field in the packet; if not, it will be OFFSET_NOT_SET.
3768 */
3769 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3770 /*
3771 * Yes; assume it's an Ethernet type. (If
3772 * it's not, it needs to be handled specially
3773 * above.)
3774 */
3775 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3776 /*NOTREACHED */
3777 }
3778 }
3779 bpf_error(cstate, "link-layer type filtering not implemented for %s",
3780 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
3781 }
3782
3783 /*
3784 * Check for an LLC SNAP packet with a given organization code and
3785 * protocol type; we check the entire contents of the 802.2 LLC and
3786 * snap headers, checking for DSAP and SSAP of SNAP and a control
3787 * field of 0x03 in the LLC header, and for the specified organization
3788 * code and protocol type in the SNAP header.
3789 */
3790 static struct block *
3791 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3792 {
3793 u_char snapblock[8];
3794
3795 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3796 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3797 snapblock[2] = 0x03; /* control = UI */
3798 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
3799 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
3800 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
3801 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
3802 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
3803 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3804 }
3805
3806 /*
3807 * Generate code to match frames with an LLC header.
3808 */
3809 static struct block *
3810 gen_llc_internal(compiler_state_t *cstate)
3811 {
3812 struct block *b0, *b1;
3813
3814 switch (cstate->linktype) {
3815
3816 case DLT_EN10MB:
3817 /*
3818 * We check for an Ethernet type field less or equal than
3819 * 1500, which means it's an 802.3 length field.
3820 */
3821 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3822
3823 /*
3824 * Now check for the purported DSAP and SSAP not being
3825 * 0xFF, to rule out NetWare-over-802.3.
3826 */
3827 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
3828 gen_not(b1);
3829 gen_and(b0, b1);
3830 return b1;
3831
3832 case DLT_SUNATM:
3833 /*
3834 * We check for LLC traffic.
3835 */
3836 b0 = gen_atmtype_llc(cstate);
3837 return b0;
3838
3839 case DLT_IEEE802: /* Token Ring */
3840 /*
3841 * XXX - check for LLC frames.
3842 */
3843 return gen_true(cstate);
3844
3845 case DLT_FDDI:
3846 /*
3847 * XXX - check for LLC frames.
3848 */
3849 return gen_true(cstate);
3850
3851 case DLT_ATM_RFC1483:
3852 /*
3853 * For LLC encapsulation, these are defined to have an
3854 * 802.2 LLC header.
3855 *
3856 * For VC encapsulation, they don't, but there's no
3857 * way to check for that; the protocol used on the VC
3858 * is negotiated out of band.
3859 */
3860 return gen_true(cstate);
3861
3862 case DLT_IEEE802_11:
3863 case DLT_PRISM_HEADER:
3864 case DLT_IEEE802_11_RADIO:
3865 case DLT_IEEE802_11_RADIO_AVS:
3866 case DLT_PPI:
3867 /*
3868 * Check that we have a data frame.
3869 */
3870 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B,
3871 IEEE80211_FC0_TYPE_DATA,
3872 IEEE80211_FC0_TYPE_MASK);
3873
3874 default:
3875 fail_kw_on_dlt(cstate, "llc");
3876 /*NOTREACHED*/
3877 }
3878 }
3879
3880 struct block *
3881 gen_llc(compiler_state_t *cstate)
3882 {
3883 /*
3884 * Catch errors reported by us and routines below us, and return NULL
3885 * on an error.
3886 */
3887 if (setjmp(cstate->top_ctx))
3888 return (NULL);
3889
3890 return gen_llc_internal(cstate);
3891 }
3892
3893 struct block *
3894 gen_llc_i(compiler_state_t *cstate)
3895 {
3896 struct block *b0, *b1;
3897 struct slist *s;
3898
3899 /*
3900 * Catch errors reported by us and routines below us, and return NULL
3901 * on an error.
3902 */
3903 if (setjmp(cstate->top_ctx))
3904 return (NULL);
3905
3906 /*
3907 * Check whether this is an LLC frame.
3908 */
3909 b0 = gen_llc_internal(cstate);
3910
3911 /*
3912 * Load the control byte and test the low-order bit; it must
3913 * be clear for I frames.
3914 */
3915 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3916 b1 = new_block(cstate, JMP(BPF_JSET));
3917 b1->s.k = 0x01;
3918 b1->stmts = s;
3919 gen_not(b1);
3920 gen_and(b0, b1);
3921 return b1;
3922 }
3923
3924 struct block *
3925 gen_llc_s(compiler_state_t *cstate)
3926 {
3927 struct block *b0, *b1;
3928
3929 /*
3930 * Catch errors reported by us and routines below us, and return NULL
3931 * on an error.
3932 */
3933 if (setjmp(cstate->top_ctx))
3934 return (NULL);
3935
3936 /*
3937 * Check whether this is an LLC frame.
3938 */
3939 b0 = gen_llc_internal(cstate);
3940
3941 /*
3942 * Now compare the low-order 2 bit of the control byte against
3943 * the appropriate value for S frames.
3944 */
3945 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3946 gen_and(b0, b1);
3947 return b1;
3948 }
3949
3950 struct block *
3951 gen_llc_u(compiler_state_t *cstate)
3952 {
3953 struct block *b0, *b1;
3954
3955 /*
3956 * Catch errors reported by us and routines below us, and return NULL
3957 * on an error.
3958 */
3959 if (setjmp(cstate->top_ctx))
3960 return (NULL);
3961
3962 /*
3963 * Check whether this is an LLC frame.
3964 */
3965 b0 = gen_llc_internal(cstate);
3966
3967 /*
3968 * Now compare the low-order 2 bit of the control byte against
3969 * the appropriate value for U frames.
3970 */
3971 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3972 gen_and(b0, b1);
3973 return b1;
3974 }
3975
3976 struct block *
3977 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3978 {
3979 struct block *b0, *b1;
3980
3981 /*
3982 * Catch errors reported by us and routines below us, and return NULL
3983 * on an error.
3984 */
3985 if (setjmp(cstate->top_ctx))
3986 return (NULL);
3987
3988 /*
3989 * Check whether this is an LLC frame.
3990 */
3991 b0 = gen_llc_internal(cstate);
3992
3993 /*
3994 * Now check for an S frame with the appropriate type.
3995 */
3996 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3997 gen_and(b0, b1);
3998 return b1;
3999 }
4000
4001 struct block *
4002 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
4003 {
4004 struct block *b0, *b1;
4005
4006 /*
4007 * Catch errors reported by us and routines below us, and return NULL
4008 * on an error.
4009 */
4010 if (setjmp(cstate->top_ctx))
4011 return (NULL);
4012
4013 /*
4014 * Check whether this is an LLC frame.
4015 */
4016 b0 = gen_llc_internal(cstate);
4017
4018 /*
4019 * Now check for a U frame with the appropriate type.
4020 */
4021 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
4022 gen_and(b0, b1);
4023 return b1;
4024 }
4025
4026 /*
4027 * Generate code to match a particular packet type, for link-layer types
4028 * using 802.2 LLC headers.
4029 *
4030 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
4031 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
4032 *
4033 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
4034 * value, if <= ETHERMTU. We use that to determine whether to
4035 * match the DSAP or both DSAP and LSAP or to check the OUI and
4036 * protocol ID in a SNAP header.
4037 */
4038 static struct block *
4039 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
4040 {
4041 /*
4042 * XXX - handle token-ring variable-length header.
4043 */
4044 switch (ll_proto) {
4045
4046 case LLCSAP_IP:
4047 case LLCSAP_ISONS:
4048 case LLCSAP_NETBEUI:
4049 /*
4050 * XXX - should we check both the DSAP and the
4051 * SSAP, like this, or should we check just the
4052 * DSAP, as we do for other SAP values?
4053 */
4054 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
4055 ((ll_proto << 8) | ll_proto));
4056
4057 case LLCSAP_IPX:
4058 /*
4059 * XXX - are there ever SNAP frames for IPX on
4060 * non-Ethernet 802.x networks?
4061 */
4062 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
4063
4064 case ETHERTYPE_ATALK:
4065 /*
4066 * 802.2-encapsulated ETHERTYPE_ATALK packets are
4067 * SNAP packets with an organization code of
4068 * 0x080007 (Apple, for Appletalk) and a protocol
4069 * type of ETHERTYPE_ATALK (Appletalk).
4070 *
4071 * XXX - check for an organization code of
4072 * encapsulated Ethernet as well?
4073 */
4074 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
4075
4076 default:
4077 /*
4078 * XXX - we don't have to check for IPX 802.3
4079 * here, but should we check for the IPX Ethertype?
4080 */
4081 if (ll_proto <= ETHERMTU) {
4082 /*
4083 * This is an LLC SAP value, so check
4084 * the DSAP.
4085 */
4086 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto);
4087 } else {
4088 /*
4089 * This is an Ethernet type; we assume that it's
4090 * unlikely that it'll appear in the right place
4091 * at random, and therefore check only the
4092 * location that would hold the Ethernet type
4093 * in a SNAP frame with an organization code of
4094 * 0x000000 (encapsulated Ethernet).
4095 *
4096 * XXX - if we were to check for the SNAP DSAP and
4097 * LSAP, as per XXX, and were also to check for an
4098 * organization code of 0x000000 (encapsulated
4099 * Ethernet), we'd do
4100 *
4101 * return gen_snap(cstate, 0x000000, ll_proto);
4102 *
4103 * here; for now, we don't, as per the above.
4104 * I don't know whether it's worth the extra CPU
4105 * time to do the right check or not.
4106 */
4107 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto);
4108 }
4109 }
4110 }
4111
4112 static struct block *
4113 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4114 int dir, u_int src_off, u_int dst_off)
4115 {
4116 struct block *b0, *b1;
4117 u_int offset;
4118
4119 switch (dir) {
4120
4121 case Q_SRC:
4122 offset = src_off;
4123 break;
4124
4125 case Q_DST:
4126 offset = dst_off;
4127 break;
4128
4129 case Q_AND:
4130 b0 = gen_hostop(cstate, addr, mask, Q_SRC, src_off, dst_off);
4131 b1 = gen_hostop(cstate, addr, mask, Q_DST, src_off, dst_off);
4132 gen_and(b0, b1);
4133 return b1;
4134
4135 case Q_DEFAULT:
4136 case Q_OR:
4137 b0 = gen_hostop(cstate, addr, mask, Q_SRC, src_off, dst_off);
4138 b1 = gen_hostop(cstate, addr, mask, Q_DST, src_off, dst_off);
4139 gen_or(b0, b1);
4140 return b1;
4141
4142 case Q_ADDR1:
4143 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4144 /*NOTREACHED*/
4145
4146 case Q_ADDR2:
4147 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4148 /*NOTREACHED*/
4149
4150 case Q_ADDR3:
4151 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4152 /*NOTREACHED*/
4153
4154 case Q_ADDR4:
4155 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4156 /*NOTREACHED*/
4157
4158 case Q_RA:
4159 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4160 /*NOTREACHED*/
4161
4162 case Q_TA:
4163 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4164 /*NOTREACHED*/
4165
4166 default:
4167 abort();
4168 /*NOTREACHED*/
4169 }
4170 return gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask);
4171 }
4172
4173 #ifdef INET6
4174 static struct block *
4175 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4176 struct in6_addr *mask, int dir, u_int src_off, u_int dst_off)
4177 {
4178 struct block *b0, *b1;
4179 u_int offset;
4180 /*
4181 * Code below needs to access four separate 32-bit parts of the 128-bit
4182 * IPv6 address and mask. In some OSes this is as simple as using the
4183 * s6_addr32 pseudo-member of struct in6_addr, which contains a union of
4184 * 8-, 16- and 32-bit arrays. In other OSes this is not the case, as
4185 * far as libpcap sees it. Hence copy the data before use to avoid
4186 * potential unaligned memory access and the associated compiler
4187 * warnings (whether genuine or not).
4188 */
4189 bpf_u_int32 a[4], m[4];
4190
4191 switch (dir) {
4192
4193 case Q_SRC:
4194 offset = src_off;
4195 break;
4196
4197 case Q_DST:
4198 offset = dst_off;
4199 break;
4200
4201 case Q_AND:
4202 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, src_off, dst_off);
4203 b1 = gen_hostop6(cstate, addr, mask, Q_DST, src_off, dst_off);
4204 gen_and(b0, b1);
4205 return b1;
4206
4207 case Q_DEFAULT:
4208 case Q_OR:
4209 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, src_off, dst_off);
4210 b1 = gen_hostop6(cstate, addr, mask, Q_DST, src_off, dst_off);
4211 gen_or(b0, b1);
4212 return b1;
4213
4214 case Q_ADDR1:
4215 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4216 /*NOTREACHED*/
4217
4218 case Q_ADDR2:
4219 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4220 /*NOTREACHED*/
4221
4222 case Q_ADDR3:
4223 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4224 /*NOTREACHED*/
4225
4226 case Q_ADDR4:
4227 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4228 /*NOTREACHED*/
4229
4230 case Q_RA:
4231 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4232 /*NOTREACHED*/
4233
4234 case Q_TA:
4235 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4236 /*NOTREACHED*/
4237
4238 default:
4239 abort();
4240 /*NOTREACHED*/
4241 }
4242 /* this order is important */
4243 memcpy(a, addr, sizeof(a));
4244 memcpy(m, mask, sizeof(m));
4245 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4246 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4247 gen_and(b0, b1);
4248 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4249 gen_and(b0, b1);
4250 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4251 gen_and(b0, b1);
4252 return b1;
4253 }
4254 #endif
4255
4256 static struct block *
4257 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4258 {
4259 register struct block *b0, *b1;
4260
4261 switch (dir) {
4262 case Q_SRC:
4263 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4264
4265 case Q_DST:
4266 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4267
4268 case Q_AND:
4269 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4270 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4271 gen_and(b0, b1);
4272 return b1;
4273
4274 case Q_DEFAULT:
4275 case Q_OR:
4276 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4277 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4278 gen_or(b0, b1);
4279 return b1;
4280
4281 case Q_ADDR1:
4282 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4283 /*NOTREACHED*/
4284
4285 case Q_ADDR2:
4286 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4287 /*NOTREACHED*/
4288
4289 case Q_ADDR3:
4290 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4291 /*NOTREACHED*/
4292
4293 case Q_ADDR4:
4294 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4295 /*NOTREACHED*/
4296
4297 case Q_RA:
4298 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4299 /*NOTREACHED*/
4300
4301 case Q_TA:
4302 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4303 /*NOTREACHED*/
4304 }
4305 abort();
4306 /*NOTREACHED*/
4307 }
4308
4309 /*
4310 * Like gen_ehostop, but for DLT_FDDI
4311 */
4312 static struct block *
4313 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4314 {
4315 struct block *b0, *b1;
4316
4317 switch (dir) {
4318 case Q_SRC:
4319 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4320
4321 case Q_DST:
4322 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4323
4324 case Q_AND:
4325 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4326 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4327 gen_and(b0, b1);
4328 return b1;
4329
4330 case Q_DEFAULT:
4331 case Q_OR:
4332 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4333 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4334 gen_or(b0, b1);
4335 return b1;
4336
4337 case Q_ADDR1:
4338 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4339 /*NOTREACHED*/
4340
4341 case Q_ADDR2:
4342 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4343 /*NOTREACHED*/
4344
4345 case Q_ADDR3:
4346 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4347 /*NOTREACHED*/
4348
4349 case Q_ADDR4:
4350 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4351 /*NOTREACHED*/
4352
4353 case Q_RA:
4354 bpf_error(cstate, "'ra' is only supported on 802.11");
4355 /*NOTREACHED*/
4356
4357 case Q_TA:
4358 bpf_error(cstate, "'ta' is only supported on 802.11");
4359 /*NOTREACHED*/
4360 }
4361 abort();
4362 /*NOTREACHED*/
4363 }
4364
4365 /*
4366 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4367 */
4368 static struct block *
4369 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4370 {
4371 register struct block *b0, *b1;
4372
4373 switch (dir) {
4374 case Q_SRC:
4375 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4376
4377 case Q_DST:
4378 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4379
4380 case Q_AND:
4381 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4382 b1 = gen_thostop(cstate, eaddr, Q_DST);
4383 gen_and(b0, b1);
4384 return b1;
4385
4386 case Q_DEFAULT:
4387 case Q_OR:
4388 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4389 b1 = gen_thostop(cstate, eaddr, Q_DST);
4390 gen_or(b0, b1);
4391 return b1;
4392
4393 case Q_ADDR1:
4394 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4395 /*NOTREACHED*/
4396
4397 case Q_ADDR2:
4398 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4399 /*NOTREACHED*/
4400
4401 case Q_ADDR3:
4402 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4403 /*NOTREACHED*/
4404
4405 case Q_ADDR4:
4406 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4407 /*NOTREACHED*/
4408
4409 case Q_RA:
4410 bpf_error(cstate, "'ra' is only supported on 802.11");
4411 /*NOTREACHED*/
4412
4413 case Q_TA:
4414 bpf_error(cstate, "'ta' is only supported on 802.11");
4415 /*NOTREACHED*/
4416 }
4417 abort();
4418 /*NOTREACHED*/
4419 }
4420
4421 /*
4422 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4423 * various 802.11 + radio headers.
4424 */
4425 static struct block *
4426 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4427 {
4428 register struct block *b0, *b1, *b2;
4429 register struct slist *s;
4430
4431 #ifdef ENABLE_WLAN_FILTERING_PATCH
4432 /*
4433 * TODO GV 20070613
4434 * We need to disable the optimizer because the optimizer is buggy
4435 * and wipes out some LD instructions generated by the below
4436 * code to validate the Frame Control bits
4437 */
4438 cstate->no_optimize = 1;
4439 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4440
4441 switch (dir) {
4442 case Q_SRC:
4443 /*
4444 * Oh, yuk.
4445 *
4446 * For control frames, there is no SA.
4447 *
4448 * For management frames, SA is at an
4449 * offset of 10 from the beginning of
4450 * the packet.
4451 *
4452 * For data frames, SA is at an offset
4453 * of 10 from the beginning of the packet
4454 * if From DS is clear, at an offset of
4455 * 16 from the beginning of the packet
4456 * if From DS is set and To DS is clear,
4457 * and an offset of 24 from the beginning
4458 * of the packet if From DS is set and To DS
4459 * is set.
4460 */
4461
4462 /*
4463 * Generate the tests to be done for data frames
4464 * with From DS set.
4465 *
4466 * First, check for To DS set, i.e. check "link[1] & 0x01".
4467 */
4468 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4469 b1 = new_block(cstate, JMP(BPF_JSET));
4470 b1->s.k = 0x01; /* To DS */
4471 b1->stmts = s;
4472
4473 /*
4474 * If To DS is set, the SA is at 24.
4475 */
4476 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4477 gen_and(b1, b0);
4478
4479 /*
4480 * Now, check for To DS not set, i.e. check
4481 * "!(link[1] & 0x01)".
4482 */
4483 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4484 b2 = new_block(cstate, JMP(BPF_JSET));
4485 b2->s.k = 0x01; /* To DS */
4486 b2->stmts = s;
4487 gen_not(b2);
4488
4489 /*
4490 * If To DS is not set, the SA is at 16.
4491 */
4492 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4493 gen_and(b2, b1);
4494
4495 /*
4496 * Now OR together the last two checks. That gives
4497 * the complete set of checks for data frames with
4498 * From DS set.
4499 */
4500 gen_or(b1, b0);
4501
4502 /*
4503 * Now check for From DS being set, and AND that with
4504 * the ORed-together checks.
4505 */
4506 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4507 b1 = new_block(cstate, JMP(BPF_JSET));
4508 b1->s.k = 0x02; /* From DS */
4509 b1->stmts = s;
4510 gen_and(b1, b0);
4511
4512 /*
4513 * Now check for data frames with From DS not set.
4514 */
4515 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4516 b2 = new_block(cstate, JMP(BPF_JSET));
4517 b2->s.k = 0x02; /* From DS */
4518 b2->stmts = s;
4519 gen_not(b2);
4520
4521 /*
4522 * If From DS isn't set, the SA is at 10.
4523 */
4524 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4525 gen_and(b2, b1);
4526
4527 /*
4528 * Now OR together the checks for data frames with
4529 * From DS not set and for data frames with From DS
4530 * set; that gives the checks done for data frames.
4531 */
4532 gen_or(b1, b0);
4533
4534 /*
4535 * Now check for a data frame.
4536 * I.e, check "link[0] & 0x08".
4537 */
4538 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4539 b1 = new_block(cstate, JMP(BPF_JSET));
4540 b1->s.k = 0x08;
4541 b1->stmts = s;
4542
4543 /*
4544 * AND that with the checks done for data frames.
4545 */
4546 gen_and(b1, b0);
4547
4548 /*
4549 * If the high-order bit of the type value is 0, this
4550 * is a management frame.
4551 * I.e, check "!(link[0] & 0x08)".
4552 */
4553 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4554 b2 = new_block(cstate, JMP(BPF_JSET));
4555 b2->s.k = 0x08;
4556 b2->stmts = s;
4557 gen_not(b2);
4558
4559 /*
4560 * For management frames, the SA is at 10.
4561 */
4562 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4563 gen_and(b2, b1);
4564
4565 /*
4566 * OR that with the checks done for data frames.
4567 * That gives the checks done for management and
4568 * data frames.
4569 */
4570 gen_or(b1, b0);
4571
4572 /*
4573 * If the low-order bit of the type value is 1,
4574 * this is either a control frame or a frame
4575 * with a reserved type, and thus not a
4576 * frame with an SA.
4577 *
4578 * I.e., check "!(link[0] & 0x04)".
4579 */
4580 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4581 b1 = new_block(cstate, JMP(BPF_JSET));
4582 b1->s.k = 0x04;
4583 b1->stmts = s;
4584 gen_not(b1);
4585
4586 /*
4587 * AND that with the checks for data and management
4588 * frames.
4589 */
4590 gen_and(b1, b0);
4591 return b0;
4592
4593 case Q_DST:
4594 /*
4595 * Oh, yuk.
4596 *
4597 * For control frames, there is no DA.
4598 *
4599 * For management frames, DA is at an
4600 * offset of 4 from the beginning of
4601 * the packet.
4602 *
4603 * For data frames, DA is at an offset
4604 * of 4 from the beginning of the packet
4605 * if To DS is clear and at an offset of
4606 * 16 from the beginning of the packet
4607 * if To DS is set.
4608 */
4609
4610 /*
4611 * Generate the tests to be done for data frames.
4612 *
4613 * First, check for To DS set, i.e. "link[1] & 0x01".
4614 */
4615 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4616 b1 = new_block(cstate, JMP(BPF_JSET));
4617 b1->s.k = 0x01; /* To DS */
4618 b1->stmts = s;
4619
4620 /*
4621 * If To DS is set, the DA is at 16.
4622 */
4623 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4624 gen_and(b1, b0);
4625
4626 /*
4627 * Now, check for To DS not set, i.e. check
4628 * "!(link[1] & 0x01)".
4629 */
4630 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4631 b2 = new_block(cstate, JMP(BPF_JSET));
4632 b2->s.k = 0x01; /* To DS */
4633 b2->stmts = s;
4634 gen_not(b2);
4635
4636 /*
4637 * If To DS is not set, the DA is at 4.
4638 */
4639 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4640 gen_and(b2, b1);
4641
4642 /*
4643 * Now OR together the last two checks. That gives
4644 * the complete set of checks for data frames.
4645 */
4646 gen_or(b1, b0);
4647
4648 /*
4649 * Now check for a data frame.
4650 * I.e, check "link[0] & 0x08".
4651 */
4652 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4653 b1 = new_block(cstate, JMP(BPF_JSET));
4654 b1->s.k = 0x08;
4655 b1->stmts = s;
4656
4657 /*
4658 * AND that with the checks done for data frames.
4659 */
4660 gen_and(b1, b0);
4661
4662 /*
4663 * If the high-order bit of the type value is 0, this
4664 * is a management frame.
4665 * I.e, check "!(link[0] & 0x08)".
4666 */
4667 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4668 b2 = new_block(cstate, JMP(BPF_JSET));
4669 b2->s.k = 0x08;
4670 b2->stmts = s;
4671 gen_not(b2);
4672
4673 /*
4674 * For management frames, the DA is at 4.
4675 */
4676 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4677 gen_and(b2, b1);
4678
4679 /*
4680 * OR that with the checks done for data frames.
4681 * That gives the checks done for management and
4682 * data frames.
4683 */
4684 gen_or(b1, b0);
4685
4686 /*
4687 * If the low-order bit of the type value is 1,
4688 * this is either a control frame or a frame
4689 * with a reserved type, and thus not a
4690 * frame with an SA.
4691 *
4692 * I.e., check "!(link[0] & 0x04)".
4693 */
4694 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4695 b1 = new_block(cstate, JMP(BPF_JSET));
4696 b1->s.k = 0x04;
4697 b1->stmts = s;
4698 gen_not(b1);
4699
4700 /*
4701 * AND that with the checks for data and management
4702 * frames.
4703 */
4704 gen_and(b1, b0);
4705 return b0;
4706
4707 case Q_AND:
4708 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4709 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4710 gen_and(b0, b1);
4711 return b1;
4712
4713 case Q_DEFAULT:
4714 case Q_OR:
4715 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4716 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4717 gen_or(b0, b1);
4718 return b1;
4719
4720 /*
4721 * XXX - add BSSID keyword?
4722 */
4723 case Q_ADDR1:
4724 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4725
4726 case Q_ADDR2:
4727 /*
4728 * Not present in CTS or ACK control frames.
4729 */
4730 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4731 IEEE80211_FC0_TYPE_MASK);
4732 gen_not(b0);
4733 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4734 IEEE80211_FC0_SUBTYPE_MASK);
4735 gen_not(b1);
4736 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4737 IEEE80211_FC0_SUBTYPE_MASK);
4738 gen_not(b2);
4739 gen_and(b1, b2);
4740 gen_or(b0, b2);
4741 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4742 gen_and(b2, b1);
4743 return b1;
4744
4745 case Q_ADDR3:
4746 /*
4747 * Not present in control frames.
4748 */
4749 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4750 IEEE80211_FC0_TYPE_MASK);
4751 gen_not(b0);
4752 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4753 gen_and(b0, b1);
4754 return b1;
4755
4756 case Q_ADDR4:
4757 /*
4758 * Present only if the direction mask has both "From DS"
4759 * and "To DS" set. Neither control frames nor management
4760 * frames should have both of those set, so we don't
4761 * check the frame type.
4762 */
4763 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4764 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4765 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4766 gen_and(b0, b1);
4767 return b1;
4768
4769 case Q_RA:
4770 /*
4771 * Not present in management frames; addr1 in other
4772 * frames.
4773 */
4774
4775 /*
4776 * If the high-order bit of the type value is 0, this
4777 * is a management frame.
4778 * I.e, check "(link[0] & 0x08)".
4779 */
4780 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4781 b1 = new_block(cstate, JMP(BPF_JSET));
4782 b1->s.k = 0x08;
4783 b1->stmts = s;
4784
4785 /*
4786 * Check addr1.
4787 */
4788 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4789
4790 /*
4791 * AND that with the check of addr1.
4792 */
4793 gen_and(b1, b0);
4794 return (b0);
4795
4796 case Q_TA:
4797 /*
4798 * Not present in management frames; addr2, if present,
4799 * in other frames.
4800 */
4801
4802 /*
4803 * Not present in CTS or ACK control frames.
4804 */
4805 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4806 IEEE80211_FC0_TYPE_MASK);
4807 gen_not(b0);
4808 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4809 IEEE80211_FC0_SUBTYPE_MASK);
4810 gen_not(b1);
4811 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4812 IEEE80211_FC0_SUBTYPE_MASK);
4813 gen_not(b2);
4814 gen_and(b1, b2);
4815 gen_or(b0, b2);
4816
4817 /*
4818 * If the high-order bit of the type value is 0, this
4819 * is a management frame.
4820 * I.e, check "(link[0] & 0x08)".
4821 */
4822 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4823 b1 = new_block(cstate, JMP(BPF_JSET));
4824 b1->s.k = 0x08;
4825 b1->stmts = s;
4826
4827 /*
4828 * AND that with the check for frames other than
4829 * CTS and ACK frames.
4830 */
4831 gen_and(b1, b2);
4832
4833 /*
4834 * Check addr2.
4835 */
4836 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4837 gen_and(b2, b1);
4838 return b1;
4839 }
4840 abort();
4841 /*NOTREACHED*/
4842 }
4843
4844 /*
4845 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4846 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4847 * as the RFC states.)
4848 */
4849 static struct block *
4850 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4851 {
4852 register struct block *b0, *b1;
4853
4854 switch (dir) {
4855 case Q_SRC:
4856 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4857
4858 case Q_DST:
4859 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4860
4861 case Q_AND:
4862 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4863 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4864 gen_and(b0, b1);
4865 return b1;
4866
4867 case Q_DEFAULT:
4868 case Q_OR:
4869 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4870 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4871 gen_or(b0, b1);
4872 return b1;
4873
4874 case Q_ADDR1:
4875 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4876 /*NOTREACHED*/
4877
4878 case Q_ADDR2:
4879 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4880 /*NOTREACHED*/
4881
4882 case Q_ADDR3:
4883 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4884 /*NOTREACHED*/
4885
4886 case Q_ADDR4:
4887 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4888 /*NOTREACHED*/
4889
4890 case Q_RA:
4891 bpf_error(cstate, "'ra' is only supported on 802.11");
4892 /*NOTREACHED*/
4893
4894 case Q_TA:
4895 bpf_error(cstate, "'ta' is only supported on 802.11");
4896 /*NOTREACHED*/
4897 }
4898 abort();
4899 /*NOTREACHED*/
4900 }
4901
4902 /*
4903 * This is quite tricky because there may be pad bytes in front of the
4904 * DECNET header, and then there are two possible data packet formats that
4905 * carry both src and dst addresses, plus 5 packet types in a format that
4906 * carries only the src node, plus 2 types that use a different format and
4907 * also carry just the src node.
4908 *
4909 * Yuck.
4910 *
4911 * Instead of doing those all right, we just look for data packets with
4912 * 0 or 1 bytes of padding. If you want to look at other packets, that
4913 * will require a lot more hacking.
4914 *
4915 * To add support for filtering on DECNET "areas" (network numbers)
4916 * one would want to add a "mask" argument to this routine. That would
4917 * make the filter even more inefficient, although one could be clever
4918 * and not generate masking instructions if the mask is 0xFFFF.
4919 */
4920 static struct block *
4921 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4922 {
4923 struct block *b0, *b1, *b2, *tmp;
4924 u_int offset_lh; /* offset if long header is received */
4925 u_int offset_sh; /* offset if short header is received */
4926
4927 switch (dir) {
4928
4929 case Q_DST:
4930 offset_sh = 1; /* follows flags */
4931 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4932 break;
4933
4934 case Q_SRC:
4935 offset_sh = 3; /* follows flags, dstnode */
4936 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4937 break;
4938
4939 case Q_AND:
4940 /* Inefficient because we do our Calvinball dance twice */
4941 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4942 b1 = gen_dnhostop(cstate, addr, Q_DST);
4943 gen_and(b0, b1);
4944 return b1;
4945
4946 case Q_DEFAULT:
4947 case Q_OR:
4948 /* Inefficient because we do our Calvinball dance twice */
4949 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4950 b1 = gen_dnhostop(cstate, addr, Q_DST);
4951 gen_or(b0, b1);
4952 return b1;
4953
4954 case Q_ADDR1:
4955 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4956 /*NOTREACHED*/
4957
4958 case Q_ADDR2:
4959 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4960 /*NOTREACHED*/
4961
4962 case Q_ADDR3:
4963 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4964 /*NOTREACHED*/
4965
4966 case Q_ADDR4:
4967 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4968 /*NOTREACHED*/
4969
4970 case Q_RA:
4971 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4972 /*NOTREACHED*/
4973
4974 case Q_TA:
4975 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4976 /*NOTREACHED*/
4977
4978 default:
4979 abort();
4980 /*NOTREACHED*/
4981 }
4982 /*
4983 * In a DECnet message inside an Ethernet frame the first two bytes
4984 * immediately after EtherType are the [litle-endian] DECnet message
4985 * length, which is irrelevant in this context.
4986 *
4987 * "pad = 1" means the third byte equals 0x81, thus it is the PLENGTH
4988 * 8-bit bitmap of the optional padding before the packet route header.
4989 * The bitmap always has bit 7 set to 1 and in this case has bits 0-6
4990 * (TOTAL-PAD-SEQUENCE-LENGTH) set to integer value 1. The latter
4991 * means there aren't any PAD bytes after the bitmap, so the header
4992 * begins at the fourth byte. "pad = 0" means bit 7 of the third byte
4993 * is set to 0, thus the header begins at the third byte.
4994 *
4995 * The header can be in several (as mentioned above) formats, all of
4996 * which begin with the FLAGS 8-bit bitmap, which always has bit 7
4997 * (PF, "pad field") set to 0 regardless of any padding present before
4998 * the header. "Short header" means bits 0-2 of the bitmap encode the
4999 * integer value 2 (SFDP), and "long header" means value 6 (LFDP).
5000 *
5001 * To test PLENGTH and FLAGS, use multiple-byte constants with the
5002 * values and the masks, this maps to the required single bytes of
5003 * the message correctly on both big-endian and little-endian hosts.
5004 * For the DECnet address use SWAPSHORT(), which always swaps bytes,
5005 * because the wire encoding is little-endian and BPF multiple-byte
5006 * loads are big-endian. When the destination address is near enough
5007 * to PLENGTH and FLAGS, generate one 32-bit comparison instead of two
5008 * smaller ones.
5009 */
5010 /* Check for pad = 1, long header case */
5011 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 0x8106U, 0xFF07U);
5012 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
5013 BPF_H, SWAPSHORT(addr));
5014 gen_and(tmp, b1);
5015 /* Check for pad = 0, long header case */
5016 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, 0x06U, 0x07U);
5017 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H,
5018 SWAPSHORT(addr));
5019 gen_and(tmp, b2);
5020 gen_or(b2, b1);
5021 /* Check for pad = 1, short header case */
5022 if (dir == Q_DST) {
5023 b2 = gen_mcmp(cstate, OR_LINKPL, 2, BPF_W,
5024 0x81020000U | SWAPSHORT(addr),
5025 0xFF07FFFFU);
5026 } else {
5027 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 0x8102U, 0xFF07U);
5028 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H,
5029 SWAPSHORT(addr));
5030 gen_and(tmp, b2);
5031 }
5032 gen_or(b2, b1);
5033 /* Check for pad = 0, short header case */
5034 if (dir == Q_DST) {
5035 b2 = gen_mcmp(cstate, OR_LINKPL, 2, BPF_W,
5036 0x02000000U | SWAPSHORT(addr) << 8,
5037 0x07FFFF00U);
5038 } else {
5039 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, 0x02U, 0x07U);
5040 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H,
5041 SWAPSHORT(addr));
5042 gen_and(tmp, b2);
5043 }
5044 gen_or(b2, b1);
5045
5046 return b1;
5047 }
5048
5049 /*
5050 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
5051 * test the bottom-of-stack bit, and then check the version number
5052 * field in the IP header.
5053 */
5054 static struct block *
5055 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
5056 {
5057 struct block *b0, *b1;
5058
5059 switch (ll_proto) {
5060
5061 case ETHERTYPE_IP:
5062 /* match the bottom-of-stack bit */
5063 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
5064 /* match the IPv4 version number */
5065 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
5066 gen_and(b0, b1);
5067 return b1;
5068
5069 case ETHERTYPE_IPV6:
5070 /* match the bottom-of-stack bit */
5071 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
5072 /* match the IPv4 version number */
5073 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
5074 gen_and(b0, b1);
5075 return b1;
5076
5077 default:
5078 /* FIXME add other L3 proto IDs */
5079 bpf_error(cstate, "unsupported protocol over mpls");
5080 /*NOTREACHED*/
5081 }
5082 }
5083
5084 static struct block *
5085 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
5086 int proto, int dir, int type)
5087 {
5088 struct block *b0, *b1;
5089 const char *typestr;
5090
5091 if (type == Q_NET)
5092 typestr = "net";
5093 else
5094 typestr = "host";
5095
5096 switch (proto) {
5097
5098 case Q_DEFAULT:
5099 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
5100 /*
5101 * Only check for non-IPv4 addresses if we're not
5102 * checking MPLS-encapsulated packets.
5103 */
5104 if (cstate->label_stack_depth == 0) {
5105 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
5106 gen_or(b0, b1);
5107 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
5108 gen_or(b1, b0);
5109 }
5110 return b0;
5111
5112 case Q_LINK:
5113 bpf_error(cstate, "link-layer modifier applied to %s", typestr);
5114
5115 case Q_IP:
5116 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5117 b1 = gen_hostop(cstate, addr, mask, dir, 12, 16);
5118 gen_and(b0, b1);
5119 return b1;
5120
5121 case Q_RARP:
5122 b0 = gen_linktype(cstate, ETHERTYPE_REVARP);
5123 b1 = gen_hostop(cstate, addr, mask, dir, 14, 24);
5124 gen_and(b0, b1);
5125 return b1;
5126
5127 case Q_ARP:
5128 b0 = gen_linktype(cstate, ETHERTYPE_ARP);
5129 b1 = gen_hostop(cstate, addr, mask, dir, 14, 24);
5130 gen_and(b0, b1);
5131 return b1;
5132
5133 case Q_SCTP:
5134 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
5135
5136 case Q_TCP:
5137 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
5138
5139 case Q_UDP:
5140 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
5141
5142 case Q_ICMP:
5143 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
5144
5145 case Q_IGMP:
5146 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
5147
5148 case Q_IGRP:
5149 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
5150
5151 case Q_ATALK:
5152 bpf_error(cstate, "AppleTalk host filtering not implemented");
5153
5154 case Q_DECNET:
5155 b0 = gen_linktype(cstate, ETHERTYPE_DN);
5156 b1 = gen_dnhostop(cstate, addr, dir);
5157 gen_and(b0, b1);
5158 return b1;
5159
5160 case Q_LAT:
5161 bpf_error(cstate, "LAT host filtering not implemented");
5162
5163 case Q_SCA:
5164 bpf_error(cstate, "SCA host filtering not implemented");
5165
5166 case Q_MOPRC:
5167 bpf_error(cstate, "MOPRC host filtering not implemented");
5168
5169 case Q_MOPDL:
5170 bpf_error(cstate, "MOPDL host filtering not implemented");
5171
5172 case Q_IPV6:
5173 bpf_error(cstate, "'ip6' modifier applied to ip host");
5174
5175 case Q_ICMPV6:
5176 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
5177
5178 case Q_AH:
5179 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
5180
5181 case Q_ESP:
5182 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
5183
5184 case Q_PIM:
5185 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
5186
5187 case Q_VRRP:
5188 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
5189
5190 case Q_AARP:
5191 bpf_error(cstate, "AARP host filtering not implemented");
5192
5193 case Q_ISO:
5194 bpf_error(cstate, "ISO host filtering not implemented");
5195
5196 case Q_ESIS:
5197 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
5198
5199 case Q_ISIS:
5200 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
5201
5202 case Q_CLNP:
5203 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
5204
5205 case Q_STP:
5206 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
5207
5208 case Q_IPX:
5209 bpf_error(cstate, "IPX host filtering not implemented");
5210
5211 case Q_NETBEUI:
5212 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
5213
5214 case Q_ISIS_L1:
5215 bpf_error(cstate, "'l1' modifier applied to %s", typestr);
5216
5217 case Q_ISIS_L2:
5218 bpf_error(cstate, "'l2' modifier applied to %s", typestr);
5219
5220 case Q_ISIS_IIH:
5221 bpf_error(cstate, "'iih' modifier applied to %s", typestr);
5222
5223 case Q_ISIS_SNP:
5224 bpf_error(cstate, "'snp' modifier applied to %s", typestr);
5225
5226 case Q_ISIS_CSNP:
5227 bpf_error(cstate, "'csnp' modifier applied to %s", typestr);
5228
5229 case Q_ISIS_PSNP:
5230 bpf_error(cstate, "'psnp' modifier applied to %s", typestr);
5231
5232 case Q_ISIS_LSP:
5233 bpf_error(cstate, "'lsp' modifier applied to %s", typestr);
5234
5235 case Q_RADIO:
5236 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
5237
5238 case Q_CARP:
5239 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
5240
5241 default:
5242 abort();
5243 }
5244 /*NOTREACHED*/
5245 }
5246
5247 #ifdef INET6
5248 static struct block *
5249 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5250 struct in6_addr *mask, int proto, int dir, int type)
5251 {
5252 struct block *b0, *b1;
5253 const char *typestr;
5254
5255 if (type == Q_NET)
5256 typestr = "net";
5257 else
5258 typestr = "host";
5259
5260 switch (proto) {
5261
5262 case Q_DEFAULT:
5263 case Q_IPV6:
5264 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5265 b1 = gen_hostop6(cstate, addr, mask, dir, 8, 24);
5266 gen_and(b0, b1);
5267 return b1;
5268
5269 case Q_LINK:
5270 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
5271
5272 case Q_IP:
5273 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
5274
5275 case Q_RARP:
5276 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
5277
5278 case Q_ARP:
5279 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
5280
5281 case Q_SCTP:
5282 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr);
5283
5284 case Q_TCP:
5285 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr);
5286
5287 case Q_UDP:
5288 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr);
5289
5290 case Q_ICMP:
5291 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr);
5292
5293 case Q_IGMP:
5294 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr);
5295
5296 case Q_IGRP:
5297 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr);
5298
5299 case Q_ATALK:
5300 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr);
5301
5302 case Q_DECNET:
5303 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
5304
5305 case Q_LAT:
5306 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr);
5307
5308 case Q_SCA:
5309 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr);
5310
5311 case Q_MOPRC:
5312 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr);
5313
5314 case Q_MOPDL:
5315 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr);
5316
5317 case Q_ICMPV6:
5318 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr);
5319
5320 case Q_AH:
5321 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr);
5322
5323 case Q_ESP:
5324 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr);
5325
5326 case Q_PIM:
5327 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr);
5328
5329 case Q_VRRP:
5330 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr);
5331
5332 case Q_AARP:
5333 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr);
5334
5335 case Q_ISO:
5336 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr);
5337
5338 case Q_ESIS:
5339 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr);
5340
5341 case Q_ISIS:
5342 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr);
5343
5344 case Q_CLNP:
5345 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr);
5346
5347 case Q_STP:
5348 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr);
5349
5350 case Q_IPX:
5351 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr);
5352
5353 case Q_NETBEUI:
5354 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr);
5355
5356 case Q_ISIS_L1:
5357 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr);
5358
5359 case Q_ISIS_L2:
5360 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr);
5361
5362 case Q_ISIS_IIH:
5363 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr);
5364
5365 case Q_ISIS_SNP:
5366 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr);
5367
5368 case Q_ISIS_CSNP:
5369 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr);
5370
5371 case Q_ISIS_PSNP:
5372 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr);
5373
5374 case Q_ISIS_LSP:
5375 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr);
5376
5377 case Q_RADIO:
5378 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr);
5379
5380 case Q_CARP:
5381 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr);
5382
5383 default:
5384 abort();
5385 }
5386 /*NOTREACHED*/
5387 }
5388 #endif
5389
5390 #ifndef INET6
5391 static struct block *
5392 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5393 struct addrinfo *alist, int proto, int dir)
5394 {
5395 struct block *b0, *b1, *tmp;
5396 struct addrinfo *ai;
5397 struct sockaddr_in *sin;
5398
5399 if (dir != 0)
5400 bpf_error(cstate, "direction applied to 'gateway'");
5401
5402 switch (proto) {
5403 case Q_DEFAULT:
5404 case Q_IP:
5405 case Q_ARP:
5406 case Q_RARP:
5407 switch (cstate->linktype) {
5408 case DLT_EN10MB:
5409 case DLT_NETANALYZER:
5410 case DLT_NETANALYZER_TRANSPARENT:
5411 b1 = gen_prevlinkhdr_check(cstate);
5412 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5413 if (b1 != NULL)
5414 gen_and(b1, b0);
5415 break;
5416 case DLT_FDDI:
5417 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5418 break;
5419 case DLT_IEEE802:
5420 b0 = gen_thostop(cstate, eaddr, Q_OR);
5421 break;
5422 case DLT_IEEE802_11:
5423 case DLT_PRISM_HEADER:
5424 case DLT_IEEE802_11_RADIO_AVS:
5425 case DLT_IEEE802_11_RADIO:
5426 case DLT_PPI:
5427 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5428 break;
5429 case DLT_IP_OVER_FC:
5430 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5431 break;
5432 case DLT_SUNATM:
5433 /*
5434 * This is LLC-multiplexed traffic; if it were
5435 * LANE, cstate->linktype would have been set to
5436 * DLT_EN10MB.
5437 */
5438 /* FALLTHROUGH */
5439 default:
5440 bpf_error(cstate,
5441 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5442 }
5443 b1 = NULL;
5444 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5445 /*
5446 * Does it have an address?
5447 */
5448 if (ai->ai_addr != NULL) {
5449 /*
5450 * Yes. Is it an IPv4 address?
5451 */
5452 if (ai->ai_addr->sa_family == AF_INET) {
5453 /*
5454 * Generate an entry for it.
5455 */
5456 sin = (struct sockaddr_in *)ai->ai_addr;
5457 tmp = gen_host(cstate,
5458 ntohl(sin->sin_addr.s_addr),
5459 0xffffffff, proto, Q_OR, Q_HOST);
5460 /*
5461 * Is it the *first* IPv4 address?
5462 */
5463 if (b1 == NULL) {
5464 /*
5465 * Yes, so start with it.
5466 */
5467 b1 = tmp;
5468 } else {
5469 /*
5470 * No, so OR it into the
5471 * existing set of
5472 * addresses.
5473 */
5474 gen_or(b1, tmp);
5475 b1 = tmp;
5476 }
5477 }
5478 }
5479 }
5480 if (b1 == NULL) {
5481 /*
5482 * No IPv4 addresses found.
5483 */
5484 return (NULL);
5485 }
5486 gen_not(b1);
5487 gen_and(b0, b1);
5488 return b1;
5489 }
5490 bpf_error(cstate, "illegal modifier of 'gateway'");
5491 /*NOTREACHED*/
5492 }
5493 #endif
5494
5495 static struct block *
5496 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5497 {
5498 struct block *b0;
5499 struct block *b1 = NULL;
5500
5501 switch (proto) {
5502
5503 case Q_SCTP:
5504 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_DEFAULT, Q_DEFAULT);
5505 break;
5506
5507 case Q_TCP:
5508 b1 = gen_proto(cstate, IPPROTO_TCP, Q_DEFAULT, Q_DEFAULT);
5509 break;
5510
5511 case Q_UDP:
5512 b1 = gen_proto(cstate, IPPROTO_UDP, Q_DEFAULT, Q_DEFAULT);
5513 break;
5514
5515 case Q_ICMP:
5516 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5517 break;
5518
5519 #ifndef IPPROTO_IGMP
5520 #define IPPROTO_IGMP 2
5521 #endif
5522
5523 case Q_IGMP:
5524 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5525 break;
5526
5527 #ifndef IPPROTO_IGRP
5528 #define IPPROTO_IGRP 9
5529 #endif
5530 case Q_IGRP:
5531 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5532 break;
5533
5534 #ifndef IPPROTO_PIM
5535 #define IPPROTO_PIM 103
5536 #endif
5537
5538 case Q_PIM:
5539 b1 = gen_proto(cstate, IPPROTO_PIM, Q_DEFAULT, Q_DEFAULT);
5540 break;
5541
5542 #ifndef IPPROTO_VRRP
5543 #define IPPROTO_VRRP 112
5544 #endif
5545
5546 case Q_VRRP:
5547 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5548 break;
5549
5550 #ifndef IPPROTO_CARP
5551 #define IPPROTO_CARP 112
5552 #endif
5553
5554 case Q_CARP:
5555 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5556 break;
5557
5558 case Q_IP:
5559 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5560 break;
5561
5562 case Q_ARP:
5563 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5564 break;
5565
5566 case Q_RARP:
5567 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5568 break;
5569
5570 case Q_LINK:
5571 break; // invalid syntax
5572
5573 case Q_ATALK:
5574 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5575 break;
5576
5577 case Q_AARP:
5578 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5579 break;
5580
5581 case Q_DECNET:
5582 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5583 break;
5584
5585 case Q_SCA:
5586 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5587 break;
5588
5589 case Q_LAT:
5590 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5591 break;
5592
5593 case Q_MOPDL:
5594 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5595 break;
5596
5597 case Q_MOPRC:
5598 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5599 break;
5600
5601 case Q_IPV6:
5602 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5603 break;
5604
5605 #ifndef IPPROTO_ICMPV6
5606 #define IPPROTO_ICMPV6 58
5607 #endif
5608 case Q_ICMPV6:
5609 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5610 break;
5611
5612 #ifndef IPPROTO_AH
5613 #define IPPROTO_AH 51
5614 #endif
5615 case Q_AH:
5616 b1 = gen_proto(cstate, IPPROTO_AH, Q_DEFAULT, Q_DEFAULT);
5617 break;
5618
5619 #ifndef IPPROTO_ESP
5620 #define IPPROTO_ESP 50
5621 #endif
5622 case Q_ESP:
5623 b1 = gen_proto(cstate, IPPROTO_ESP, Q_DEFAULT, Q_DEFAULT);
5624 break;
5625
5626 case Q_ISO:
5627 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5628 break;
5629
5630 case Q_ESIS:
5631 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5632 break;
5633
5634 case Q_ISIS:
5635 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5636 break;
5637
5638 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5639 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5640 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5641 gen_or(b0, b1);
5642 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5643 gen_or(b0, b1);
5644 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5645 gen_or(b0, b1);
5646 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5647 gen_or(b0, b1);
5648 break;
5649
5650 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5651 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5652 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5653 gen_or(b0, b1);
5654 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5655 gen_or(b0, b1);
5656 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5657 gen_or(b0, b1);
5658 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5659 gen_or(b0, b1);
5660 break;
5661
5662 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5663 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5664 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5665 gen_or(b0, b1);
5666 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5667 gen_or(b0, b1);
5668 break;
5669
5670 case Q_ISIS_LSP:
5671 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5672 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5673 gen_or(b0, b1);
5674 break;
5675
5676 case Q_ISIS_SNP:
5677 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5678 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5679 gen_or(b0, b1);
5680 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5681 gen_or(b0, b1);
5682 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5683 gen_or(b0, b1);
5684 break;
5685
5686 case Q_ISIS_CSNP:
5687 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5688 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5689 gen_or(b0, b1);
5690 break;
5691
5692 case Q_ISIS_PSNP:
5693 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5694 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5695 gen_or(b0, b1);
5696 break;
5697
5698 case Q_CLNP:
5699 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5700 break;
5701
5702 case Q_STP:
5703 b1 = gen_linktype(cstate, LLCSAP_8021D);
5704 break;
5705
5706 case Q_IPX:
5707 b1 = gen_linktype(cstate, LLCSAP_IPX);
5708 break;
5709
5710 case Q_NETBEUI:
5711 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5712 break;
5713
5714 case Q_RADIO:
5715 break; // invalid syntax
5716
5717 default:
5718 abort();
5719 }
5720 if (b1)
5721 return b1;
5722 bpf_error(cstate, "'%s' cannot be used as an abbreviation", pqkw(proto));
5723 }
5724
5725 struct block *
5726 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5727 {
5728 /*
5729 * Catch errors reported by us and routines below us, and return NULL
5730 * on an error.
5731 */
5732 if (setjmp(cstate->top_ctx))
5733 return (NULL);
5734
5735 return gen_proto_abbrev_internal(cstate, proto);
5736 }
5737
5738 static struct block *
5739 gen_ipfrag(compiler_state_t *cstate)
5740 {
5741 struct slist *s;
5742 struct block *b;
5743
5744 /* not IPv4 frag other than the first frag */
5745 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5746 b = new_block(cstate, JMP(BPF_JSET));
5747 b->s.k = 0x1fff;
5748 b->stmts = s;
5749 gen_not(b);
5750
5751 return b;
5752 }
5753
5754 /*
5755 * Generate a comparison to a port value in the transport-layer header
5756 * at the specified offset from the beginning of that header.
5757 *
5758 * XXX - this handles a variable-length prefix preceding the link-layer
5759 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5760 * variable-length link-layer headers (such as Token Ring or 802.11
5761 * headers).
5762 */
5763 static struct block *
5764 gen_portatom(compiler_state_t *cstate, int off, bpf_u_int32 v)
5765 {
5766 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5767 }
5768
5769 static struct block *
5770 gen_portatom6(compiler_state_t *cstate, int off, bpf_u_int32 v)
5771 {
5772 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5773 }
5774
5775 static struct block *
5776 gen_portop(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5777 {
5778 struct block *b0, *b1, *tmp;
5779
5780 /* ip proto 'proto' and not a fragment other than the first fragment */
5781 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5782 b0 = gen_ipfrag(cstate);
5783 gen_and(tmp, b0);
5784
5785 switch (dir) {
5786 case Q_SRC:
5787 b1 = gen_portatom(cstate, 0, port);
5788 break;
5789
5790 case Q_DST:
5791 b1 = gen_portatom(cstate, 2, port);
5792 break;
5793
5794 case Q_AND:
5795 tmp = gen_portatom(cstate, 0, port);
5796 b1 = gen_portatom(cstate, 2, port);
5797 gen_and(tmp, b1);
5798 break;
5799
5800 case Q_DEFAULT:
5801 case Q_OR:
5802 tmp = gen_portatom(cstate, 0, port);
5803 b1 = gen_portatom(cstate, 2, port);
5804 gen_or(tmp, b1);
5805 break;
5806
5807 case Q_ADDR1:
5808 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports");
5809 /*NOTREACHED*/
5810
5811 case Q_ADDR2:
5812 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports");
5813 /*NOTREACHED*/
5814
5815 case Q_ADDR3:
5816 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports");
5817 /*NOTREACHED*/
5818
5819 case Q_ADDR4:
5820 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports");
5821 /*NOTREACHED*/
5822
5823 case Q_RA:
5824 bpf_error(cstate, "'ra' is not a valid qualifier for ports");
5825 /*NOTREACHED*/
5826
5827 case Q_TA:
5828 bpf_error(cstate, "'ta' is not a valid qualifier for ports");
5829 /*NOTREACHED*/
5830
5831 default:
5832 abort();
5833 /*NOTREACHED*/
5834 }
5835 gen_and(b0, b1);
5836
5837 return b1;
5838 }
5839
5840 static struct block *
5841 gen_port(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5842 {
5843 struct block *b0, *b1, *tmp;
5844
5845 /*
5846 * ether proto ip
5847 *
5848 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5849 * not LLC encapsulation with LLCSAP_IP.
5850 *
5851 * For IEEE 802 networks - which includes 802.5 token ring
5852 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5853 * says that SNAP encapsulation is used, not LLC encapsulation
5854 * with LLCSAP_IP.
5855 *
5856 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5857 * RFC 2225 say that SNAP encapsulation is used, not LLC
5858 * encapsulation with LLCSAP_IP.
5859 *
5860 * So we always check for ETHERTYPE_IP.
5861 */
5862 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5863
5864 switch (ip_proto) {
5865 case IPPROTO_UDP:
5866 case IPPROTO_TCP:
5867 case IPPROTO_SCTP:
5868 b1 = gen_portop(cstate, port, (u_int)ip_proto, dir);
5869 break;
5870
5871 case PROTO_UNDEF:
5872 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5873 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5874 gen_or(tmp, b1);
5875 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5876 gen_or(tmp, b1);
5877 break;
5878
5879 default:
5880 abort();
5881 }
5882 gen_and(b0, b1);
5883 return b1;
5884 }
5885
5886 struct block *
5887 gen_portop6(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5888 {
5889 struct block *b0, *b1, *tmp;
5890
5891 /* ip6 proto 'proto' */
5892 /* XXX - catch the first fragment of a fragmented packet? */
5893 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5894
5895 switch (dir) {
5896 case Q_SRC:
5897 b1 = gen_portatom6(cstate, 0, port);
5898 break;
5899
5900 case Q_DST:
5901 b1 = gen_portatom6(cstate, 2, port);
5902 break;
5903
5904 case Q_AND:
5905 tmp = gen_portatom6(cstate, 0, port);
5906 b1 = gen_portatom6(cstate, 2, port);
5907 gen_and(tmp, b1);
5908 break;
5909
5910 case Q_DEFAULT:
5911 case Q_OR:
5912 tmp = gen_portatom6(cstate, 0, port);
5913 b1 = gen_portatom6(cstate, 2, port);
5914 gen_or(tmp, b1);
5915 break;
5916
5917 default:
5918 abort();
5919 }
5920 gen_and(b0, b1);
5921
5922 return b1;
5923 }
5924
5925 static struct block *
5926 gen_port6(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5927 {
5928 struct block *b0, *b1, *tmp;
5929
5930 /* link proto ip6 */
5931 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5932
5933 switch (ip_proto) {
5934 case IPPROTO_UDP:
5935 case IPPROTO_TCP:
5936 case IPPROTO_SCTP:
5937 b1 = gen_portop6(cstate, port, (u_int)ip_proto, dir);
5938 break;
5939
5940 case PROTO_UNDEF:
5941 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5942 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5943 gen_or(tmp, b1);
5944 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5945 gen_or(tmp, b1);
5946 break;
5947
5948 default:
5949 abort();
5950 }
5951 gen_and(b0, b1);
5952 return b1;
5953 }
5954
5955 /* gen_portrange code */
5956 static struct block *
5957 gen_portrangeatom(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5958 bpf_u_int32 v2)
5959 {
5960 struct block *b1, *b2;
5961
5962 if (v1 > v2) {
5963 /*
5964 * Reverse the order of the ports, so v1 is the lower one.
5965 */
5966 bpf_u_int32 vtemp;
5967
5968 vtemp = v1;
5969 v1 = v2;
5970 v2 = vtemp;
5971 }
5972
5973 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5974 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5975
5976 gen_and(b1, b2);
5977
5978 return b2;
5979 }
5980
5981 static struct block *
5982 gen_portrangeop(compiler_state_t *cstate, u_int port1, u_int port2,
5983 bpf_u_int32 proto, int dir)
5984 {
5985 struct block *b0, *b1, *tmp;
5986
5987 /* ip proto 'proto' and not a fragment other than the first fragment */
5988 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5989 b0 = gen_ipfrag(cstate);
5990 gen_and(tmp, b0);
5991
5992 switch (dir) {
5993 case Q_SRC:
5994 b1 = gen_portrangeatom(cstate, 0, port1, port2);
5995 break;
5996
5997 case Q_DST:
5998 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5999 break;
6000
6001 case Q_AND:
6002 tmp = gen_portrangeatom(cstate, 0, port1, port2);
6003 b1 = gen_portrangeatom(cstate, 2, port1, port2);
6004 gen_and(tmp, b1);
6005 break;
6006
6007 case Q_DEFAULT:
6008 case Q_OR:
6009 tmp = gen_portrangeatom(cstate, 0, port1, port2);
6010 b1 = gen_portrangeatom(cstate, 2, port1, port2);
6011 gen_or(tmp, b1);
6012 break;
6013
6014 case Q_ADDR1:
6015 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges");
6016 /*NOTREACHED*/
6017
6018 case Q_ADDR2:
6019 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges");
6020 /*NOTREACHED*/
6021
6022 case Q_ADDR3:
6023 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges");
6024 /*NOTREACHED*/
6025
6026 case Q_ADDR4:
6027 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges");
6028 /*NOTREACHED*/
6029
6030 case Q_RA:
6031 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges");
6032 /*NOTREACHED*/
6033
6034 case Q_TA:
6035 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges");
6036 /*NOTREACHED*/
6037
6038 default:
6039 abort();
6040 /*NOTREACHED*/
6041 }
6042 gen_and(b0, b1);
6043
6044 return b1;
6045 }
6046
6047 static struct block *
6048 gen_portrange(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
6049 int dir)
6050 {
6051 struct block *b0, *b1, *tmp;
6052
6053 /* link proto ip */
6054 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6055
6056 switch (ip_proto) {
6057 case IPPROTO_UDP:
6058 case IPPROTO_TCP:
6059 case IPPROTO_SCTP:
6060 b1 = gen_portrangeop(cstate, port1, port2, (bpf_u_int32)ip_proto,
6061 dir);
6062 break;
6063
6064 case PROTO_UNDEF:
6065 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
6066 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
6067 gen_or(tmp, b1);
6068 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
6069 gen_or(tmp, b1);
6070 break;
6071
6072 default:
6073 abort();
6074 }
6075 gen_and(b0, b1);
6076 return b1;
6077 }
6078
6079 static struct block *
6080 gen_portrangeatom6(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
6081 bpf_u_int32 v2)
6082 {
6083 struct block *b1, *b2;
6084
6085 if (v1 > v2) {
6086 /*
6087 * Reverse the order of the ports, so v1 is the lower one.
6088 */
6089 bpf_u_int32 vtemp;
6090
6091 vtemp = v1;
6092 v1 = v2;
6093 v2 = vtemp;
6094 }
6095
6096 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
6097 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
6098
6099 gen_and(b1, b2);
6100
6101 return b2;
6102 }
6103
6104 static struct block *
6105 gen_portrangeop6(compiler_state_t *cstate, u_int port1, u_int port2,
6106 bpf_u_int32 proto, int dir)
6107 {
6108 struct block *b0, *b1, *tmp;
6109
6110 /* ip6 proto 'proto' */
6111 /* XXX - catch the first fragment of a fragmented packet? */
6112 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
6113
6114 switch (dir) {
6115 case Q_SRC:
6116 b1 = gen_portrangeatom6(cstate, 0, port1, port2);
6117 break;
6118
6119 case Q_DST:
6120 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6121 break;
6122
6123 case Q_AND:
6124 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
6125 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6126 gen_and(tmp, b1);
6127 break;
6128
6129 case Q_DEFAULT:
6130 case Q_OR:
6131 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
6132 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6133 gen_or(tmp, b1);
6134 break;
6135
6136 default:
6137 abort();
6138 }
6139 gen_and(b0, b1);
6140
6141 return b1;
6142 }
6143
6144 static struct block *
6145 gen_portrange6(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
6146 int dir)
6147 {
6148 struct block *b0, *b1, *tmp;
6149
6150 /* link proto ip6 */
6151 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6152
6153 switch (ip_proto) {
6154 case IPPROTO_UDP:
6155 case IPPROTO_TCP:
6156 case IPPROTO_SCTP:
6157 b1 = gen_portrangeop6(cstate, port1, port2, (bpf_u_int32)ip_proto,
6158 dir);
6159 break;
6160
6161 case PROTO_UNDEF:
6162 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
6163 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
6164 gen_or(tmp, b1);
6165 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
6166 gen_or(tmp, b1);
6167 break;
6168
6169 default:
6170 abort();
6171 }
6172 gen_and(b0, b1);
6173 return b1;
6174 }
6175
6176 static int
6177 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
6178 {
6179 register int v;
6180
6181 switch (proto) {
6182
6183 case Q_DEFAULT:
6184 case Q_IP:
6185 case Q_IPV6:
6186 v = pcap_nametoproto(name);
6187 if (v == PROTO_UNDEF)
6188 bpf_error(cstate, "unknown ip proto '%s'", name);
6189 break;
6190
6191 case Q_LINK:
6192 /* XXX should look up h/w protocol type based on cstate->linktype */
6193 v = pcap_nametoeproto(name);
6194 if (v == PROTO_UNDEF) {
6195 v = pcap_nametollc(name);
6196 if (v == PROTO_UNDEF)
6197 bpf_error(cstate, "unknown ether proto '%s'", name);
6198 }
6199 break;
6200
6201 case Q_ISO:
6202 if (strcmp(name, "esis") == 0)
6203 v = ISO9542_ESIS;
6204 else if (strcmp(name, "isis") == 0)
6205 v = ISO10589_ISIS;
6206 else if (strcmp(name, "clnp") == 0)
6207 v = ISO8473_CLNP;
6208 else
6209 bpf_error(cstate, "unknown osi proto '%s'", name);
6210 break;
6211
6212 default:
6213 v = PROTO_UNDEF;
6214 break;
6215 }
6216 return v;
6217 }
6218
6219 #if !defined(NO_PROTOCHAIN)
6220 static struct block *
6221 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6222 {
6223 struct block *b0, *b;
6224 struct slist *s[100];
6225 int fix2, fix3, fix4, fix5;
6226 int ahcheck, again, end;
6227 int i, max;
6228 int reg2 = alloc_reg(cstate);
6229
6230 memset(s, 0, sizeof(s));
6231 fix3 = fix4 = fix5 = 0;
6232
6233 switch (proto) {
6234 case Q_IP:
6235 case Q_IPV6:
6236 break;
6237 case Q_DEFAULT:
6238 b0 = gen_protochain(cstate, v, Q_IP);
6239 b = gen_protochain(cstate, v, Q_IPV6);
6240 gen_or(b0, b);
6241 return b;
6242 default:
6243 bpf_error(cstate, "bad protocol applied for 'protochain'");
6244 /*NOTREACHED*/
6245 }
6246
6247 /*
6248 * We don't handle variable-length prefixes before the link-layer
6249 * header, or variable-length link-layer headers, here yet.
6250 * We might want to add BPF instructions to do the protochain
6251 * work, to simplify that and, on platforms that have a BPF
6252 * interpreter with the new instructions, let the filtering
6253 * be done in the kernel. (We already require a modified BPF
6254 * engine to do the protochain stuff, to support backward
6255 * branches, and backward branch support is unlikely to appear
6256 * in kernel BPF engines.)
6257 */
6258 if (cstate->off_linkpl.is_variable)
6259 bpf_error(cstate, "'protochain' not supported with variable length headers");
6260
6261 /*
6262 * To quote a comment in optimize.c:
6263 *
6264 * "These data structures are used in a Cocke and Schwartz style
6265 * value numbering scheme. Since the flowgraph is acyclic,
6266 * exit values can be propagated from a node's predecessors
6267 * provided it is uniquely defined."
6268 *
6269 * "Acyclic" means "no backward branches", which means "no
6270 * loops", so we have to turn the optimizer off.
6271 */
6272 cstate->no_optimize = 1;
6273
6274 /*
6275 * s[0] is a dummy entry to protect other BPF insn from damage
6276 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
6277 * hard to find interdependency made by jump table fixup.
6278 */
6279 i = 0;
6280 s[i] = new_stmt(cstate, 0); /*dummy*/
6281 i++;
6282
6283 switch (proto) {
6284 case Q_IP:
6285 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6286
6287 /* A = ip->ip_p */
6288 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6289 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6290 i++;
6291 /* X = ip->ip_hl << 2 */
6292 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6293 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6294 i++;
6295 break;
6296
6297 case Q_IPV6:
6298 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6299
6300 /* A = ip6->ip_nxt */
6301 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6302 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6303 i++;
6304 /* X = sizeof(struct ip6_hdr) */
6305 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6306 s[i]->s.k = 40;
6307 i++;
6308 break;
6309
6310 default:
6311 bpf_error(cstate, "unsupported proto to gen_protochain");
6312 /*NOTREACHED*/
6313 }
6314
6315 /* again: if (A == v) goto end; else fall through; */
6316 again = i;
6317 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6318 s[i]->s.k = v;
6319 s[i]->s.jt = NULL; /*later*/
6320 s[i]->s.jf = NULL; /*update in next stmt*/
6321 fix5 = i;
6322 i++;
6323
6324 #ifndef IPPROTO_NONE
6325 #define IPPROTO_NONE 59
6326 #endif
6327 /* if (A == IPPROTO_NONE) goto end */
6328 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6329 s[i]->s.jt = NULL; /*later*/
6330 s[i]->s.jf = NULL; /*update in next stmt*/
6331 s[i]->s.k = IPPROTO_NONE;
6332 s[fix5]->s.jf = s[i];
6333 fix2 = i;
6334 i++;
6335
6336 if (proto == Q_IPV6) {
6337 int v6start, v6end, v6advance, j;
6338
6339 v6start = i;
6340 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
6341 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6342 s[i]->s.jt = NULL; /*later*/
6343 s[i]->s.jf = NULL; /*update in next stmt*/
6344 s[i]->s.k = IPPROTO_HOPOPTS;
6345 s[fix2]->s.jf = s[i];
6346 i++;
6347 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
6348 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6349 s[i]->s.jt = NULL; /*later*/
6350 s[i]->s.jf = NULL; /*update in next stmt*/
6351 s[i]->s.k = IPPROTO_DSTOPTS;
6352 i++;
6353 /* if (A == IPPROTO_ROUTING) goto v6advance */
6354 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6355 s[i]->s.jt = NULL; /*later*/
6356 s[i]->s.jf = NULL; /*update in next stmt*/
6357 s[i]->s.k = IPPROTO_ROUTING;
6358 i++;
6359 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6360 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6361 s[i]->s.jt = NULL; /*later*/
6362 s[i]->s.jf = NULL; /*later*/
6363 s[i]->s.k = IPPROTO_FRAGMENT;
6364 fix3 = i;
6365 v6end = i;
6366 i++;
6367
6368 /* v6advance: */
6369 v6advance = i;
6370
6371 /*
6372 * in short,
6373 * A = P[X + packet head];
6374 * X = X + (P[X + packet head + 1] + 1) * 8;
6375 */
6376 /* A = P[X + packet head] */
6377 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6378 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6379 i++;
6380 /* MEM[reg2] = A */
6381 s[i] = new_stmt(cstate, BPF_ST);
6382 s[i]->s.k = reg2;
6383 i++;
6384 /* A = P[X + packet head + 1]; */
6385 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6386 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6387 i++;
6388 /* A += 1 */
6389 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6390 s[i]->s.k = 1;
6391 i++;
6392 /* A *= 8 */
6393 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6394 s[i]->s.k = 8;
6395 i++;
6396 /* A += X */
6397 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6398 s[i]->s.k = 0;
6399 i++;
6400 /* X = A; */
6401 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6402 i++;
6403 /* A = MEM[reg2] */
6404 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6405 s[i]->s.k = reg2;
6406 i++;
6407
6408 /* goto again; (must use BPF_JA for backward jump) */
6409 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6410 s[i]->s.k = again - i - 1;
6411 s[i - 1]->s.jf = s[i];
6412 i++;
6413
6414 /* fixup */
6415 for (j = v6start; j <= v6end; j++)
6416 s[j]->s.jt = s[v6advance];
6417 } else {
6418 /* nop */
6419 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6420 s[i]->s.k = 0;
6421 s[fix2]->s.jf = s[i];
6422 i++;
6423 }
6424
6425 /* ahcheck: */
6426 ahcheck = i;
6427 /* if (A == IPPROTO_AH) then fall through; else goto end; */
6428 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6429 s[i]->s.jt = NULL; /*later*/
6430 s[i]->s.jf = NULL; /*later*/
6431 s[i]->s.k = IPPROTO_AH;
6432 if (fix3)
6433 s[fix3]->s.jf = s[ahcheck];
6434 fix4 = i;
6435 i++;
6436
6437 /*
6438 * in short,
6439 * A = P[X];
6440 * X = X + (P[X + 1] + 2) * 4;
6441 */
6442 /* A = X */
6443 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6444 i++;
6445 /* A = P[X + packet head]; */
6446 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6447 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6448 i++;
6449 /* MEM[reg2] = A */
6450 s[i] = new_stmt(cstate, BPF_ST);
6451 s[i]->s.k = reg2;
6452 i++;
6453 /* A = X */
6454 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6455 i++;
6456 /* A += 1 */
6457 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6458 s[i]->s.k = 1;
6459 i++;
6460 /* X = A */
6461 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6462 i++;
6463 /* A = P[X + packet head] */
6464 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6465 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6466 i++;
6467 /* A += 2 */
6468 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6469 s[i]->s.k = 2;
6470 i++;
6471 /* A *= 4 */
6472 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6473 s[i]->s.k = 4;
6474 i++;
6475 /* X = A; */
6476 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6477 i++;
6478 /* A = MEM[reg2] */
6479 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6480 s[i]->s.k = reg2;
6481 i++;
6482
6483 /* goto again; (must use BPF_JA for backward jump) */
6484 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6485 s[i]->s.k = again - i - 1;
6486 i++;
6487
6488 /* end: nop */
6489 end = i;
6490 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6491 s[i]->s.k = 0;
6492 s[fix2]->s.jt = s[end];
6493 s[fix4]->s.jf = s[end];
6494 s[fix5]->s.jt = s[end];
6495 i++;
6496
6497 /*
6498 * make slist chain
6499 */
6500 max = i;
6501 for (i = 0; i < max - 1; i++)
6502 s[i]->next = s[i + 1];
6503 s[max - 1]->next = NULL;
6504
6505 /*
6506 * emit final check
6507 */
6508 b = new_block(cstate, JMP(BPF_JEQ));
6509 b->stmts = s[1]; /*remember, s[0] is dummy*/
6510 b->s.k = v;
6511
6512 free_reg(cstate, reg2);
6513
6514 gen_and(b0, b);
6515 return b;
6516 }
6517 #endif /* !defined(NO_PROTOCHAIN) */
6518
6519 /*
6520 * Generate code that checks whether the packet is a packet for protocol
6521 * <proto> and whether the type field in that protocol's header has
6522 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6523 * IP packet and checks the protocol number in the IP header against <v>.
6524 *
6525 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6526 * against Q_IP and Q_IPV6.
6527 */
6528 static struct block *
6529 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto, int dir)
6530 {
6531 struct block *b0, *b1;
6532 struct block *b2;
6533
6534 if (dir != Q_DEFAULT)
6535 bpf_error(cstate, "direction applied to 'proto'");
6536
6537 switch (proto) {
6538 case Q_DEFAULT:
6539 b0 = gen_proto(cstate, v, Q_IP, dir);
6540 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6541 gen_or(b0, b1);
6542 return b1;
6543
6544 case Q_LINK:
6545 return gen_linktype(cstate, v);
6546
6547 case Q_IP:
6548 /*
6549 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6550 * not LLC encapsulation with LLCSAP_IP.
6551 *
6552 * For IEEE 802 networks - which includes 802.5 token ring
6553 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6554 * says that SNAP encapsulation is used, not LLC encapsulation
6555 * with LLCSAP_IP.
6556 *
6557 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6558 * RFC 2225 say that SNAP encapsulation is used, not LLC
6559 * encapsulation with LLCSAP_IP.
6560 *
6561 * So we always check for ETHERTYPE_IP.
6562 */
6563 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6564 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, v);
6565 gen_and(b0, b1);
6566 return b1;
6567
6568 case Q_ARP:
6569 bpf_error(cstate, "arp does not encapsulate another protocol");
6570 /*NOTREACHED*/
6571
6572 case Q_RARP:
6573 bpf_error(cstate, "rarp does not encapsulate another protocol");
6574 /*NOTREACHED*/
6575
6576 case Q_SCTP:
6577 bpf_error(cstate, "'sctp proto' is bogus");
6578 /*NOTREACHED*/
6579
6580 case Q_TCP:
6581 bpf_error(cstate, "'tcp proto' is bogus");
6582 /*NOTREACHED*/
6583
6584 case Q_UDP:
6585 bpf_error(cstate, "'udp proto' is bogus");
6586 /*NOTREACHED*/
6587
6588 case Q_ICMP:
6589 bpf_error(cstate, "'icmp proto' is bogus");
6590 /*NOTREACHED*/
6591
6592 case Q_IGMP:
6593 bpf_error(cstate, "'igmp proto' is bogus");
6594 /*NOTREACHED*/
6595
6596 case Q_IGRP:
6597 bpf_error(cstate, "'igrp proto' is bogus");
6598 /*NOTREACHED*/
6599
6600 case Q_ATALK:
6601 bpf_error(cstate, "AppleTalk encapsulation is not specifiable");
6602 /*NOTREACHED*/
6603
6604 case Q_DECNET:
6605 bpf_error(cstate, "DECNET encapsulation is not specifiable");
6606 /*NOTREACHED*/
6607
6608 case Q_LAT:
6609 bpf_error(cstate, "LAT does not encapsulate another protocol");
6610 /*NOTREACHED*/
6611
6612 case Q_SCA:
6613 bpf_error(cstate, "SCA does not encapsulate another protocol");
6614 /*NOTREACHED*/
6615
6616 case Q_MOPRC:
6617 bpf_error(cstate, "MOPRC does not encapsulate another protocol");
6618 /*NOTREACHED*/
6619
6620 case Q_MOPDL:
6621 bpf_error(cstate, "MOPDL does not encapsulate another protocol");
6622 /*NOTREACHED*/
6623
6624 case Q_IPV6:
6625 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6626 /*
6627 * Also check for a fragment header before the final
6628 * header.
6629 */
6630 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6631 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v);
6632 gen_and(b2, b1);
6633 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, v);
6634 gen_or(b2, b1);
6635 gen_and(b0, b1);
6636 return b1;
6637
6638 case Q_ICMPV6:
6639 bpf_error(cstate, "'icmp6 proto' is bogus");
6640 /*NOTREACHED*/
6641
6642 case Q_AH:
6643 bpf_error(cstate, "'ah proto' is bogus");
6644 /*NOTREACHED*/
6645
6646 case Q_ESP:
6647 bpf_error(cstate, "'esp proto' is bogus");
6648 /*NOTREACHED*/
6649
6650 case Q_PIM:
6651 bpf_error(cstate, "'pim proto' is bogus");
6652 /*NOTREACHED*/
6653
6654 case Q_VRRP:
6655 bpf_error(cstate, "'vrrp proto' is bogus");
6656 /*NOTREACHED*/
6657
6658 case Q_AARP:
6659 bpf_error(cstate, "'aarp proto' is bogus");
6660 /*NOTREACHED*/
6661
6662 case Q_ISO:
6663 switch (cstate->linktype) {
6664
6665 case DLT_FRELAY:
6666 /*
6667 * Frame Relay packets typically have an OSI
6668 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6669 * generates code to check for all the OSI
6670 * NLPIDs, so calling it and then adding a check
6671 * for the particular NLPID for which we're
6672 * looking is bogus, as we can just check for
6673 * the NLPID.
6674 *
6675 * What we check for is the NLPID and a frame
6676 * control field value of UI, i.e. 0x03 followed
6677 * by the NLPID.
6678 *
6679 * XXX - assumes a 2-byte Frame Relay header with
6680 * DLCI and flags. What if the address is longer?
6681 *
6682 * XXX - what about SNAP-encapsulated frames?
6683 */
6684 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6685 /*NOTREACHED*/
6686
6687 case DLT_C_HDLC:
6688 case DLT_HDLC:
6689 /*
6690 * Cisco uses an Ethertype lookalike - for OSI,
6691 * it's 0xfefe.
6692 */
6693 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6694 /* OSI in C-HDLC is stuffed with a fudge byte */
6695 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v);
6696 gen_and(b0, b1);
6697 return b1;
6698
6699 default:
6700 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6701 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v);
6702 gen_and(b0, b1);
6703 return b1;
6704 }
6705
6706 case Q_ESIS:
6707 bpf_error(cstate, "'esis proto' is bogus");
6708 /*NOTREACHED*/
6709
6710 case Q_ISIS:
6711 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6712 /*
6713 * 4 is the offset of the PDU type relative to the IS-IS
6714 * header.
6715 */
6716 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, v);
6717 gen_and(b0, b1);
6718 return b1;
6719
6720 case Q_CLNP:
6721 bpf_error(cstate, "'clnp proto' is not supported");
6722 /*NOTREACHED*/
6723
6724 case Q_STP:
6725 bpf_error(cstate, "'stp proto' is bogus");
6726 /*NOTREACHED*/
6727
6728 case Q_IPX:
6729 bpf_error(cstate, "'ipx proto' is bogus");
6730 /*NOTREACHED*/
6731
6732 case Q_NETBEUI:
6733 bpf_error(cstate, "'netbeui proto' is bogus");
6734 /*NOTREACHED*/
6735
6736 case Q_ISIS_L1:
6737 bpf_error(cstate, "'l1 proto' is bogus");
6738 /*NOTREACHED*/
6739
6740 case Q_ISIS_L2:
6741 bpf_error(cstate, "'l2 proto' is bogus");
6742 /*NOTREACHED*/
6743
6744 case Q_ISIS_IIH:
6745 bpf_error(cstate, "'iih proto' is bogus");
6746 /*NOTREACHED*/
6747
6748 case Q_ISIS_SNP:
6749 bpf_error(cstate, "'snp proto' is bogus");
6750 /*NOTREACHED*/
6751
6752 case Q_ISIS_CSNP:
6753 bpf_error(cstate, "'csnp proto' is bogus");
6754 /*NOTREACHED*/
6755
6756 case Q_ISIS_PSNP:
6757 bpf_error(cstate, "'psnp proto' is bogus");
6758 /*NOTREACHED*/
6759
6760 case Q_ISIS_LSP:
6761 bpf_error(cstate, "'lsp proto' is bogus");
6762 /*NOTREACHED*/
6763
6764 case Q_RADIO:
6765 bpf_error(cstate, "'radio proto' is bogus");
6766 /*NOTREACHED*/
6767
6768 case Q_CARP:
6769 bpf_error(cstate, "'carp proto' is bogus");
6770 /*NOTREACHED*/
6771
6772 default:
6773 abort();
6774 /*NOTREACHED*/
6775 }
6776 /*NOTREACHED*/
6777 }
6778
6779 /*
6780 * Convert a non-numeric name to a port number.
6781 */
6782 static int
6783 nametoport(compiler_state_t *cstate, const char *name, int ipproto)
6784 {
6785 struct addrinfo hints, *res, *ai;
6786 int error;
6787 struct sockaddr_in *in4;
6788 #ifdef INET6
6789 struct sockaddr_in6 *in6;
6790 #endif
6791 int port = -1;
6792
6793 /*
6794 * We check for both TCP and UDP in case there are
6795 * ambiguous entries.
6796 */
6797 memset(&hints, 0, sizeof(hints));
6798 hints.ai_family = PF_UNSPEC;
6799 hints.ai_socktype = (ipproto == IPPROTO_TCP) ? SOCK_STREAM : SOCK_DGRAM;
6800 hints.ai_protocol = ipproto;
6801 error = getaddrinfo(NULL, name, &hints, &res);
6802 if (error != 0) {
6803 switch (error) {
6804
6805 case EAI_NONAME:
6806 case EAI_SERVICE:
6807 /*
6808 * No such port. Just return -1.
6809 */
6810 break;
6811
6812 #ifdef EAI_SYSTEM
6813 case EAI_SYSTEM:
6814 /*
6815 * We don't use strerror() because it's not
6816 * guaranteed to be thread-safe on all platforms
6817 * (probably because it might use a non-thread-local
6818 * buffer into which to format an error message
6819 * if the error code isn't one for which it has
6820 * a canned string; three cheers for C string
6821 * handling).
6822 */
6823 bpf_set_error(cstate, "getaddrinfo(\"%s\" fails with system error: %d",
6824 name, errno);
6825 port = -2; /* a real error */
6826 break;
6827 #endif
6828
6829 default:
6830 /*
6831 * This is a real error, not just "there's
6832 * no such service name".
6833 *
6834 * We don't use gai_strerror() because it's not
6835 * guaranteed to be thread-safe on all platforms
6836 * (probably because it might use a non-thread-local
6837 * buffer into which to format an error message
6838 * if the error code isn't one for which it has
6839 * a canned string; three cheers for C string
6840 * handling).
6841 */
6842 bpf_set_error(cstate, "getaddrinfo(\"%s\") fails with error: %d",
6843 name, error);
6844 port = -2; /* a real error */
6845 break;
6846 }
6847 } else {
6848 /*
6849 * OK, we found it. Did it find anything?
6850 */
6851 for (ai = res; ai != NULL; ai = ai->ai_next) {
6852 /*
6853 * Does it have an address?
6854 */
6855 if (ai->ai_addr != NULL) {
6856 /*
6857 * Yes. Get a port number; we're done.
6858 */
6859 if (ai->ai_addr->sa_family == AF_INET) {
6860 in4 = (struct sockaddr_in *)ai->ai_addr;
6861 port = ntohs(in4->sin_port);
6862 break;
6863 }
6864 #ifdef INET6
6865 if (ai->ai_addr->sa_family == AF_INET6) {
6866 in6 = (struct sockaddr_in6 *)ai->ai_addr;
6867 port = ntohs(in6->sin6_port);
6868 break;
6869 }
6870 #endif
6871 }
6872 }
6873 freeaddrinfo(res);
6874 }
6875 return port;
6876 }
6877
6878 /*
6879 * Convert a string to a port number.
6880 */
6881 static bpf_u_int32
6882 stringtoport(compiler_state_t *cstate, const char *string, size_t string_size,
6883 int *proto)
6884 {
6885 stoulen_ret ret;
6886 char *cpy;
6887 bpf_u_int32 val;
6888 int tcp_port = -1;
6889 int udp_port = -1;
6890
6891 /*
6892 * See if it's a number.
6893 */
6894 ret = stoulen(string, string_size, &val, cstate);
6895 switch (ret) {
6896
6897 case STOULEN_OK:
6898 /* Unknown port type - it's just a number. */
6899 *proto = PROTO_UNDEF;
6900 break;
6901
6902 case STOULEN_NOT_OCTAL_NUMBER:
6903 case STOULEN_NOT_HEX_NUMBER:
6904 case STOULEN_NOT_DECIMAL_NUMBER:
6905 /*
6906 * Not a valid number; try looking it up as a port.
6907 */
6908 cpy = malloc(string_size + 1); /* +1 for terminating '\0' */
6909 memcpy(cpy, string, string_size);
6910 cpy[string_size] = '\0';
6911 tcp_port = nametoport(cstate, cpy, IPPROTO_TCP);
6912 if (tcp_port == -2) {
6913 /*
6914 * We got a hard error; the error string has
6915 * already been set.
6916 */
6917 free(cpy);
6918 longjmp(cstate->top_ctx, 1);
6919 /*NOTREACHED*/
6920 }
6921 udp_port = nametoport(cstate, cpy, IPPROTO_UDP);
6922 if (udp_port == -2) {
6923 /*
6924 * We got a hard error; the error string has
6925 * already been set.
6926 */
6927 free(cpy);
6928 longjmp(cstate->top_ctx, 1);
6929 /*NOTREACHED*/
6930 }
6931
6932 /*
6933 * We need to check /etc/services for ambiguous entries.
6934 * If we find an ambiguous entry, and it has the
6935 * same port number, change the proto to PROTO_UNDEF
6936 * so both TCP and UDP will be checked.
6937 */
6938 if (tcp_port >= 0) {
6939 val = (bpf_u_int32)tcp_port;
6940 *proto = IPPROTO_TCP;
6941 if (udp_port >= 0) {
6942 if (udp_port == tcp_port)
6943 *proto = PROTO_UNDEF;
6944 #ifdef notdef
6945 else
6946 /* Can't handle ambiguous names that refer
6947 to different port numbers. */
6948 warning("ambiguous port %s in /etc/services",
6949 cpy);
6950 #endif
6951 }
6952 free(cpy);
6953 break;
6954 }
6955 if (udp_port >= 0) {
6956 val = (bpf_u_int32)udp_port;
6957 *proto = IPPROTO_UDP;
6958 free(cpy);
6959 break;
6960 }
6961 bpf_set_error(cstate, "'%s' is not a valid port", cpy);
6962 free(cpy);
6963 longjmp(cstate->top_ctx, 1);
6964 /*NOTREACHED*/
6965 #ifdef _AIX
6966 PCAP_UNREACHABLE
6967 #endif /* _AIX */
6968
6969 case STOULEN_ERROR:
6970 /* Error already set. */
6971 longjmp(cstate->top_ctx, 1);
6972 /*NOTREACHED*/
6973 #ifdef _AIX
6974 PCAP_UNREACHABLE
6975 #endif /* _AIX */
6976
6977 default:
6978 /* Should not happen */
6979 bpf_set_error(cstate, "stoulen returned %d - this should not happen", ret);
6980 longjmp(cstate->top_ctx, 1);
6981 /*NOTREACHED*/
6982 }
6983 return (val);
6984 }
6985
6986 /*
6987 * Convert a string in the form PPP-PPP, which correspond to ports, to
6988 * a starting and ending port in a port range.
6989 */
6990 static void
6991 stringtoportrange(compiler_state_t *cstate, const char *string,
6992 bpf_u_int32 *port1, bpf_u_int32 *port2, int *proto)
6993 {
6994 char *hyphen_off;
6995 const char *first, *second;
6996 size_t first_size, second_size;
6997 int save_proto;
6998
6999 if ((hyphen_off = strchr(string, '-')) == NULL)
7000 bpf_error(cstate, "port range '%s' contains no hyphen", string);
7001
7002 /*
7003 * Make sure there are no other hyphens.
7004 *
7005 * XXX - we support named ports, but there are some port names
7006 * in /etc/services that include hyphens, so this would rule
7007 * that out.
7008 */
7009 if (strchr(hyphen_off + 1, '-') != NULL)
7010 bpf_error(cstate, "port range '%s' contains more than one hyphen",
7011 string);
7012
7013 /*
7014 * Get the length of the first port.
7015 */
7016 first = string;
7017 first_size = hyphen_off - string;
7018 if (first_size == 0) {
7019 /* Range of "-port", which we don't support. */
7020 bpf_error(cstate, "port range '%s' has no starting port", string);
7021 }
7022
7023 /*
7024 * Try to convert it to a port.
7025 */
7026 *port1 = stringtoport(cstate, first, first_size, proto);
7027 save_proto = *proto;
7028
7029 /*
7030 * Get the length of the second port.
7031 */
7032 second = hyphen_off + 1;
7033 second_size = strlen(second);
7034 if (second_size == 0) {
7035 /* Range of "port-", which we don't support. */
7036 bpf_error(cstate, "port range '%s' has no ending port", string);
7037 }
7038
7039 /*
7040 * Try to convert it to a port.
7041 */
7042 *port2 = stringtoport(cstate, second, second_size, proto);
7043 if (*proto != save_proto)
7044 *proto = PROTO_UNDEF;
7045 }
7046
7047 struct block *
7048 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
7049 {
7050 int proto = q.proto;
7051 int dir = q.dir;
7052 int tproto;
7053 u_char *eaddr;
7054 bpf_u_int32 mask, addr;
7055 struct addrinfo *res, *res0;
7056 struct sockaddr_in *sin4;
7057 #ifdef INET6
7058 int tproto6;
7059 struct sockaddr_in6 *sin6;
7060 struct in6_addr mask128;
7061 #endif /*INET6*/
7062 struct block *b, *tmp;
7063 int port, real_proto;
7064 bpf_u_int32 port1, port2;
7065
7066 /*
7067 * Catch errors reported by us and routines below us, and return NULL
7068 * on an error.
7069 */
7070 if (setjmp(cstate->top_ctx))
7071 return (NULL);
7072
7073 switch (q.addr) {
7074
7075 case Q_NET:
7076 addr = pcap_nametonetaddr(name);
7077 if (addr == 0)
7078 bpf_error(cstate, "unknown network '%s'", name);
7079 /* Left justify network addr and calculate its network mask */
7080 mask = 0xffffffff;
7081 while (addr && (addr & 0xff000000) == 0) {
7082 addr <<= 8;
7083 mask <<= 8;
7084 }
7085 return gen_host(cstate, addr, mask, proto, dir, q.addr);
7086
7087 case Q_DEFAULT:
7088 case Q_HOST:
7089 if (proto == Q_LINK) {
7090 switch (cstate->linktype) {
7091
7092 case DLT_EN10MB:
7093 case DLT_NETANALYZER:
7094 case DLT_NETANALYZER_TRANSPARENT:
7095 eaddr = pcap_ether_hostton(name);
7096 if (eaddr == NULL)
7097 bpf_error(cstate,
7098 "unknown ether host '%s'", name);
7099 tmp = gen_prevlinkhdr_check(cstate);
7100 b = gen_ehostop(cstate, eaddr, dir);
7101 if (tmp != NULL)
7102 gen_and(tmp, b);
7103 free(eaddr);
7104 return b;
7105
7106 case DLT_FDDI:
7107 eaddr = pcap_ether_hostton(name);
7108 if (eaddr == NULL)
7109 bpf_error(cstate,
7110 "unknown FDDI host '%s'", name);
7111 b = gen_fhostop(cstate, eaddr, dir);
7112 free(eaddr);
7113 return b;
7114
7115 case DLT_IEEE802:
7116 eaddr = pcap_ether_hostton(name);
7117 if (eaddr == NULL)
7118 bpf_error(cstate,
7119 "unknown token ring host '%s'", name);
7120 b = gen_thostop(cstate, eaddr, dir);
7121 free(eaddr);
7122 return b;
7123
7124 case DLT_IEEE802_11:
7125 case DLT_PRISM_HEADER:
7126 case DLT_IEEE802_11_RADIO_AVS:
7127 case DLT_IEEE802_11_RADIO:
7128 case DLT_PPI:
7129 eaddr = pcap_ether_hostton(name);
7130 if (eaddr == NULL)
7131 bpf_error(cstate,
7132 "unknown 802.11 host '%s'", name);
7133 b = gen_wlanhostop(cstate, eaddr, dir);
7134 free(eaddr);
7135 return b;
7136
7137 case DLT_IP_OVER_FC:
7138 eaddr = pcap_ether_hostton(name);
7139 if (eaddr == NULL)
7140 bpf_error(cstate,
7141 "unknown Fibre Channel host '%s'", name);
7142 b = gen_ipfchostop(cstate, eaddr, dir);
7143 free(eaddr);
7144 return b;
7145 }
7146
7147 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
7148 } else if (proto == Q_DECNET) {
7149 /*
7150 * A long time ago on Ultrix libpcap supported
7151 * translation of DECnet host names into DECnet
7152 * addresses, but this feature is history now.
7153 */
7154 bpf_error(cstate, "invalid DECnet address '%s'", name);
7155 } else {
7156 #ifdef INET6
7157 memset(&mask128, 0xff, sizeof(mask128));
7158 #endif
7159 res0 = res = pcap_nametoaddrinfo(name);
7160 if (res == NULL)
7161 bpf_error(cstate, "unknown host '%s'", name);
7162 cstate->ai = res;
7163 b = tmp = NULL;
7164 tproto = proto;
7165 #ifdef INET6
7166 tproto6 = proto;
7167 #endif
7168 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
7169 tproto == Q_DEFAULT) {
7170 tproto = Q_IP;
7171 #ifdef INET6
7172 tproto6 = Q_IPV6;
7173 #endif
7174 }
7175 for (res = res0; res; res = res->ai_next) {
7176 switch (res->ai_family) {
7177 case AF_INET:
7178 #ifdef INET6
7179 if (tproto == Q_IPV6)
7180 continue;
7181 #endif
7182
7183 sin4 = (struct sockaddr_in *)
7184 res->ai_addr;
7185 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
7186 0xffffffff, tproto, dir, q.addr);
7187 break;
7188 #ifdef INET6
7189 case AF_INET6:
7190 if (tproto6 == Q_IP)
7191 continue;
7192
7193 sin6 = (struct sockaddr_in6 *)
7194 res->ai_addr;
7195 tmp = gen_host6(cstate, &sin6->sin6_addr,
7196 &mask128, tproto6, dir, q.addr);
7197 break;
7198 #endif
7199 default:
7200 continue;
7201 }
7202 if (b)
7203 gen_or(b, tmp);
7204 b = tmp;
7205 }
7206 cstate->ai = NULL;
7207 freeaddrinfo(res0);
7208 if (b == NULL) {
7209 bpf_error(cstate, "unknown host '%s'%s", name,
7210 (proto == Q_DEFAULT)
7211 ? ""
7212 : " for specified address family");
7213 }
7214 return b;
7215 }
7216
7217 case Q_PORT:
7218 if (proto != Q_DEFAULT &&
7219 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
7220 bpf_error(cstate, "illegal qualifier of 'port'");
7221 if (pcap_nametoport(name, &port, &real_proto) == 0)
7222 bpf_error(cstate, "unknown port '%s'", name);
7223 if (proto == Q_UDP) {
7224 if (real_proto == IPPROTO_TCP)
7225 bpf_error(cstate, "port '%s' is tcp", name);
7226 else if (real_proto == IPPROTO_SCTP)
7227 bpf_error(cstate, "port '%s' is sctp", name);
7228 else
7229 /* override PROTO_UNDEF */
7230 real_proto = IPPROTO_UDP;
7231 }
7232 if (proto == Q_TCP) {
7233 if (real_proto == IPPROTO_UDP)
7234 bpf_error(cstate, "port '%s' is udp", name);
7235
7236 else if (real_proto == IPPROTO_SCTP)
7237 bpf_error(cstate, "port '%s' is sctp", name);
7238 else
7239 /* override PROTO_UNDEF */
7240 real_proto = IPPROTO_TCP;
7241 }
7242 if (proto == Q_SCTP) {
7243 if (real_proto == IPPROTO_UDP)
7244 bpf_error(cstate, "port '%s' is udp", name);
7245
7246 else if (real_proto == IPPROTO_TCP)
7247 bpf_error(cstate, "port '%s' is tcp", name);
7248 else
7249 /* override PROTO_UNDEF */
7250 real_proto = IPPROTO_SCTP;
7251 }
7252 if (port < 0)
7253 bpf_error(cstate, "illegal port number %d < 0", port);
7254 if (port > 65535)
7255 bpf_error(cstate, "illegal port number %d > 65535", port);
7256 b = gen_port(cstate, port, real_proto, dir);
7257 gen_or(gen_port6(cstate, port, real_proto, dir), b);
7258 return b;
7259
7260 case Q_PORTRANGE:
7261 if (proto != Q_DEFAULT &&
7262 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
7263 bpf_error(cstate, "illegal qualifier of 'portrange'");
7264 stringtoportrange(cstate, name, &port1, &port2, &real_proto);
7265 if (proto == Q_UDP) {
7266 if (real_proto == IPPROTO_TCP)
7267 bpf_error(cstate, "port in range '%s' is tcp", name);
7268 else if (real_proto == IPPROTO_SCTP)
7269 bpf_error(cstate, "port in range '%s' is sctp", name);
7270 else
7271 /* override PROTO_UNDEF */
7272 real_proto = IPPROTO_UDP;
7273 }
7274 if (proto == Q_TCP) {
7275 if (real_proto == IPPROTO_UDP)
7276 bpf_error(cstate, "port in range '%s' is udp", name);
7277 else if (real_proto == IPPROTO_SCTP)
7278 bpf_error(cstate, "port in range '%s' is sctp", name);
7279 else
7280 /* override PROTO_UNDEF */
7281 real_proto = IPPROTO_TCP;
7282 }
7283 if (proto == Q_SCTP) {
7284 if (real_proto == IPPROTO_UDP)
7285 bpf_error(cstate, "port in range '%s' is udp", name);
7286 else if (real_proto == IPPROTO_TCP)
7287 bpf_error(cstate, "port in range '%s' is tcp", name);
7288 else
7289 /* override PROTO_UNDEF */
7290 real_proto = IPPROTO_SCTP;
7291 }
7292 if (port1 > 65535)
7293 bpf_error(cstate, "illegal port number %d > 65535", port1);
7294 if (port2 > 65535)
7295 bpf_error(cstate, "illegal port number %d > 65535", port2);
7296
7297 b = gen_portrange(cstate, port1, port2, real_proto, dir);
7298 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
7299 return b;
7300
7301 case Q_GATEWAY:
7302 #ifndef INET6
7303 eaddr = pcap_ether_hostton(name);
7304 if (eaddr == NULL)
7305 bpf_error(cstate, "unknown ether host: %s", name);
7306
7307 res = pcap_nametoaddrinfo(name);
7308 cstate->ai = res;
7309 if (res == NULL)
7310 bpf_error(cstate, "unknown host '%s'", name);
7311 b = gen_gateway(cstate, eaddr, res, proto, dir);
7312 cstate->ai = NULL;
7313 freeaddrinfo(res);
7314 free(eaddr);
7315 if (b == NULL)
7316 bpf_error(cstate, "unknown host '%s'", name);
7317 return b;
7318 #else
7319 bpf_error(cstate, "'gateway' not supported in this configuration");
7320 #endif /*INET6*/
7321
7322 case Q_PROTO:
7323 real_proto = lookup_proto(cstate, name, proto);
7324 if (real_proto >= 0)
7325 return gen_proto(cstate, real_proto, proto, dir);
7326 else
7327 bpf_error(cstate, "unknown protocol: %s", name);
7328
7329 #if !defined(NO_PROTOCHAIN)
7330 case Q_PROTOCHAIN:
7331 real_proto = lookup_proto(cstate, name, proto);
7332 if (real_proto >= 0)
7333 return gen_protochain(cstate, real_proto, proto);
7334 else
7335 bpf_error(cstate, "unknown protocol: %s", name);
7336 #endif /* !defined(NO_PROTOCHAIN) */
7337
7338 case Q_UNDEF:
7339 syntax(cstate);
7340 /*NOTREACHED*/
7341 }
7342 abort();
7343 /*NOTREACHED*/
7344 }
7345
7346 struct block *
7347 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
7348 bpf_u_int32 masklen, struct qual q)
7349 {
7350 register int nlen, mlen;
7351 bpf_u_int32 n, m;
7352 uint64_t m64;
7353
7354 /*
7355 * Catch errors reported by us and routines below us, and return NULL
7356 * on an error.
7357 */
7358 if (setjmp(cstate->top_ctx))
7359 return (NULL);
7360
7361 nlen = pcapint_atoin(s1, &n);
7362 if (nlen < 0)
7363 bpf_error(cstate, "invalid IPv4 address '%s'", s1);
7364 /* Promote short ipaddr */
7365 n <<= 32 - nlen;
7366
7367 if (s2 != NULL) {
7368 mlen = pcapint_atoin(s2, &m);
7369 if (mlen < 0)
7370 bpf_error(cstate, "invalid IPv4 address '%s'", s2);
7371 /* Promote short ipaddr */
7372 m <<= 32 - mlen;
7373 if ((n & ~m) != 0)
7374 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
7375 s1, s2);
7376 } else {
7377 /* Convert mask len to mask */
7378 if (masklen > 32)
7379 bpf_error(cstate, "mask length must be <= 32");
7380 m64 = UINT64_C(0xffffffff) << (32 - masklen);
7381 m = (bpf_u_int32)m64;
7382 if ((n & ~m) != 0)
7383 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
7384 s1, masklen);
7385 }
7386
7387 switch (q.addr) {
7388
7389 case Q_NET:
7390 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
7391
7392 default:
7393 bpf_error(cstate, "Mask syntax for networks only");
7394 /*NOTREACHED*/
7395 }
7396 /*NOTREACHED*/
7397 }
7398
7399 struct block *
7400 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
7401 {
7402 bpf_u_int32 mask;
7403 int proto;
7404 int dir;
7405 register int vlen;
7406
7407 /*
7408 * Catch errors reported by us and routines below us, and return NULL
7409 * on an error.
7410 */
7411 if (setjmp(cstate->top_ctx))
7412 return (NULL);
7413
7414 proto = q.proto;
7415 dir = q.dir;
7416 if (s == NULL) {
7417 /*
7418 * v contains a 32-bit unsigned parsed from a string of the
7419 * form {N}, which could be decimal, hexadecimal or octal.
7420 * Although it would be possible to use the value as a raw
7421 * 16-bit DECnet address when the value fits into 16 bits, this
7422 * would be a questionable feature: DECnet address wire
7423 * encoding is little-endian, so this would not work as
7424 * intuitively as the same works for [big-endian] IPv4
7425 * addresses (0x01020304 means 1.2.3.4).
7426 */
7427 if (proto == Q_DECNET)
7428 bpf_error(cstate, "invalid DECnet address '%u'", v);
7429 vlen = 32;
7430 } else if (proto == Q_DECNET) {
7431 /*
7432 * s points to a string of the form {N}.{N}, {N}.{N}.{N} or
7433 * {N}.{N}.{N}.{N}, of which only the first potentially stands
7434 * for a valid DECnet address.
7435 */
7436 vlen = pcapint_atodn(s, &v);
7437 if (vlen == 0)
7438 bpf_error(cstate, "invalid DECnet address '%s'", s);
7439 } else {
7440 /*
7441 * s points to a string of the form {N}.{N}, {N}.{N}.{N} or
7442 * {N}.{N}.{N}.{N}, all of which potentially stand for a valid
7443 * IPv4 address.
7444 */
7445 vlen = pcapint_atoin(s, &v);
7446 if (vlen < 0)
7447 bpf_error(cstate, "invalid IPv4 address '%s'", s);
7448 }
7449
7450 switch (q.addr) {
7451
7452 case Q_DEFAULT:
7453 case Q_HOST:
7454 case Q_NET:
7455 if (proto == Q_DECNET)
7456 return gen_host(cstate, v, 0, proto, dir, q.addr);
7457 else if (proto == Q_LINK) {
7458 bpf_error(cstate, "illegal link layer address");
7459 } else {
7460 mask = 0xffffffff;
7461 if (s == NULL && q.addr == Q_NET) {
7462 /* Promote short net number */
7463 while (v && (v & 0xff000000) == 0) {
7464 v <<= 8;
7465 mask <<= 8;
7466 }
7467 } else {
7468 /* Promote short ipaddr */
7469 v <<= 32 - vlen;
7470 mask <<= 32 - vlen ;
7471 }
7472 return gen_host(cstate, v, mask, proto, dir, q.addr);
7473 }
7474
7475 case Q_PORT:
7476 if (proto == Q_UDP)
7477 proto = IPPROTO_UDP;
7478 else if (proto == Q_TCP)
7479 proto = IPPROTO_TCP;
7480 else if (proto == Q_SCTP)
7481 proto = IPPROTO_SCTP;
7482 else if (proto == Q_DEFAULT)
7483 proto = PROTO_UNDEF;
7484 else
7485 bpf_error(cstate, "illegal qualifier of 'port'");
7486
7487 if (v > 65535)
7488 bpf_error(cstate, "illegal port number %u > 65535", v);
7489
7490 {
7491 struct block *b;
7492 b = gen_port(cstate, v, proto, dir);
7493 gen_or(gen_port6(cstate, v, proto, dir), b);
7494 return b;
7495 }
7496
7497 case Q_PORTRANGE:
7498 if (proto == Q_UDP)
7499 proto = IPPROTO_UDP;
7500 else if (proto == Q_TCP)
7501 proto = IPPROTO_TCP;
7502 else if (proto == Q_SCTP)
7503 proto = IPPROTO_SCTP;
7504 else if (proto == Q_DEFAULT)
7505 proto = PROTO_UNDEF;
7506 else
7507 bpf_error(cstate, "illegal qualifier of 'portrange'");
7508
7509 if (v > 65535)
7510 bpf_error(cstate, "illegal port number %u > 65535", v);
7511
7512 {
7513 struct block *b;
7514 b = gen_portrange(cstate, v, v, proto, dir);
7515 gen_or(gen_portrange6(cstate, v, v, proto, dir), b);
7516 return b;
7517 }
7518
7519 case Q_GATEWAY:
7520 bpf_error(cstate, "'gateway' requires a name");
7521 /*NOTREACHED*/
7522
7523 case Q_PROTO:
7524 return gen_proto(cstate, v, proto, dir);
7525
7526 #if !defined(NO_PROTOCHAIN)
7527 case Q_PROTOCHAIN:
7528 return gen_protochain(cstate, v, proto);
7529 #endif
7530
7531 case Q_UNDEF:
7532 syntax(cstate);
7533 /*NOTREACHED*/
7534
7535 default:
7536 abort();
7537 /*NOTREACHED*/
7538 }
7539 /*NOTREACHED*/
7540 }
7541
7542 #ifdef INET6
7543 struct block *
7544 gen_mcode6(compiler_state_t *cstate, const char *s, bpf_u_int32 masklen,
7545 struct qual q)
7546 {
7547 struct addrinfo *res;
7548 struct in6_addr *addr;
7549 struct in6_addr mask;
7550 struct block *b;
7551 bpf_u_int32 a[4], m[4]; /* Same as in gen_hostop6(). */
7552
7553 /*
7554 * Catch errors reported by us and routines below us, and return NULL
7555 * on an error.
7556 */
7557 if (setjmp(cstate->top_ctx))
7558 return (NULL);
7559
7560 res = pcap_nametoaddrinfo(s);
7561 if (!res)
7562 bpf_error(cstate, "invalid ip6 address %s", s);
7563 cstate->ai = res;
7564 if (res->ai_next)
7565 bpf_error(cstate, "%s resolved to multiple address", s);
7566 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
7567
7568 if (masklen > sizeof(mask.s6_addr) * 8)
7569 bpf_error(cstate, "mask length must be <= %zu", sizeof(mask.s6_addr) * 8);
7570 memset(&mask, 0, sizeof(mask));
7571 memset(&mask.s6_addr, 0xff, masklen / 8);
7572 if (masklen % 8) {
7573 mask.s6_addr[masklen / 8] =
7574 (0xff << (8 - masklen % 8)) & 0xff;
7575 }
7576
7577 memcpy(a, addr, sizeof(a));
7578 memcpy(m, &mask, sizeof(m));
7579 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
7580 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
7581 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s, masklen);
7582 }
7583
7584 switch (q.addr) {
7585
7586 case Q_DEFAULT:
7587 case Q_HOST:
7588 if (masklen != 128)
7589 bpf_error(cstate, "Mask syntax for networks only");
7590 /* FALLTHROUGH */
7591
7592 case Q_NET:
7593 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
7594 cstate->ai = NULL;
7595 freeaddrinfo(res);
7596 return b;
7597
7598 default:
7599 bpf_error(cstate, "invalid qualifier against IPv6 address");
7600 /*NOTREACHED*/
7601 }
7602 }
7603 #endif /*INET6*/
7604
7605 struct block *
7606 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
7607 {
7608 struct block *b, *tmp;
7609
7610 /*
7611 * Catch errors reported by us and routines below us, and return NULL
7612 * on an error.
7613 */
7614 if (setjmp(cstate->top_ctx))
7615 return (NULL);
7616
7617 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
7618 cstate->e = pcap_ether_aton(s);
7619 if (cstate->e == NULL)
7620 bpf_error(cstate, "malloc");
7621 switch (cstate->linktype) {
7622 case DLT_EN10MB:
7623 case DLT_NETANALYZER:
7624 case DLT_NETANALYZER_TRANSPARENT:
7625 tmp = gen_prevlinkhdr_check(cstate);
7626 b = gen_ehostop(cstate, cstate->e, (int)q.dir);
7627 if (tmp != NULL)
7628 gen_and(tmp, b);
7629 break;
7630 case DLT_FDDI:
7631 b = gen_fhostop(cstate, cstate->e, (int)q.dir);
7632 break;
7633 case DLT_IEEE802:
7634 b = gen_thostop(cstate, cstate->e, (int)q.dir);
7635 break;
7636 case DLT_IEEE802_11:
7637 case DLT_PRISM_HEADER:
7638 case DLT_IEEE802_11_RADIO_AVS:
7639 case DLT_IEEE802_11_RADIO:
7640 case DLT_PPI:
7641 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir);
7642 break;
7643 case DLT_IP_OVER_FC:
7644 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir);
7645 break;
7646 default:
7647 free(cstate->e);
7648 cstate->e = NULL;
7649 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
7650 /*NOTREACHED*/
7651 }
7652 free(cstate->e);
7653 cstate->e = NULL;
7654 return (b);
7655 }
7656 bpf_error(cstate, "ethernet address used in non-ether expression");
7657 /*NOTREACHED*/
7658 }
7659
7660 void
7661 sappend(struct slist *s0, struct slist *s1)
7662 {
7663 /*
7664 * This is definitely not the best way to do this, but the
7665 * lists will rarely get long.
7666 */
7667 while (s0->next)
7668 s0 = s0->next;
7669 s0->next = s1;
7670 }
7671
7672 static struct slist *
7673 xfer_to_x(compiler_state_t *cstate, struct arth *a)
7674 {
7675 struct slist *s;
7676
7677 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
7678 s->s.k = a->regno;
7679 return s;
7680 }
7681
7682 static struct slist *
7683 xfer_to_a(compiler_state_t *cstate, struct arth *a)
7684 {
7685 struct slist *s;
7686
7687 s = new_stmt(cstate, BPF_LD|BPF_MEM);
7688 s->s.k = a->regno;
7689 return s;
7690 }
7691
7692 /*
7693 * Modify "index" to use the value stored into its register as an
7694 * offset relative to the beginning of the header for the protocol
7695 * "proto", and allocate a register and put an item "size" bytes long
7696 * (1, 2, or 4) at that offset into that register, making it the register
7697 * for "index".
7698 */
7699 static struct arth *
7700 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst,
7701 bpf_u_int32 size)
7702 {
7703 int size_code;
7704 struct slist *s, *tmp;
7705 struct block *b;
7706 int regno = alloc_reg(cstate);
7707
7708 free_reg(cstate, inst->regno);
7709 switch (size) {
7710
7711 default:
7712 bpf_error(cstate, "data size must be 1, 2, or 4");
7713 /*NOTREACHED*/
7714
7715 case 1:
7716 size_code = BPF_B;
7717 break;
7718
7719 case 2:
7720 size_code = BPF_H;
7721 break;
7722
7723 case 4:
7724 size_code = BPF_W;
7725 break;
7726 }
7727 switch (proto) {
7728 default:
7729 bpf_error(cstate, "'%s' does not support the index operation", pqkw(proto));
7730
7731 case Q_RADIO:
7732 /*
7733 * The offset is relative to the beginning of the packet
7734 * data, if we have a radio header. (If we don't, this
7735 * is an error.)
7736 */
7737 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
7738 cstate->linktype != DLT_IEEE802_11_RADIO &&
7739 cstate->linktype != DLT_PRISM_HEADER)
7740 bpf_error(cstate, "radio information not present in capture");
7741
7742 /*
7743 * Load into the X register the offset computed into the
7744 * register specified by "index".
7745 */
7746 s = xfer_to_x(cstate, inst);
7747
7748 /*
7749 * Load the item at that offset.
7750 */
7751 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7752 sappend(s, tmp);
7753 sappend(inst->s, s);
7754 break;
7755
7756 case Q_LINK:
7757 /*
7758 * The offset is relative to the beginning of
7759 * the link-layer header.
7760 *
7761 * XXX - what about ATM LANE? Should the index be
7762 * relative to the beginning of the AAL5 frame, so
7763 * that 0 refers to the beginning of the LE Control
7764 * field, or relative to the beginning of the LAN
7765 * frame, so that 0 refers, for Ethernet LANE, to
7766 * the beginning of the destination address?
7767 */
7768 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
7769
7770 /*
7771 * If "s" is non-null, it has code to arrange that the
7772 * X register contains the length of the prefix preceding
7773 * the link-layer header. Add to it the offset computed
7774 * into the register specified by "index", and move that
7775 * into the X register. Otherwise, just load into the X
7776 * register the offset computed into the register specified
7777 * by "index".
7778 */
7779 if (s != NULL) {
7780 sappend(s, xfer_to_a(cstate, inst));
7781 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7782 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7783 } else
7784 s = xfer_to_x(cstate, inst);
7785
7786 /*
7787 * Load the item at the sum of the offset we've put in the
7788 * X register and the offset of the start of the link
7789 * layer header (which is 0 if the radio header is
7790 * variable-length; that header length is what we put
7791 * into the X register and then added to the index).
7792 */
7793 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7794 tmp->s.k = cstate->off_linkhdr.constant_part;
7795 sappend(s, tmp);
7796 sappend(inst->s, s);
7797 break;
7798
7799 case Q_IP:
7800 case Q_ARP:
7801 case Q_RARP:
7802 case Q_ATALK:
7803 case Q_DECNET:
7804 case Q_SCA:
7805 case Q_LAT:
7806 case Q_MOPRC:
7807 case Q_MOPDL:
7808 case Q_IPV6:
7809 /*
7810 * The offset is relative to the beginning of
7811 * the network-layer header.
7812 * XXX - are there any cases where we want
7813 * cstate->off_nl_nosnap?
7814 */
7815 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7816
7817 /*
7818 * If "s" is non-null, it has code to arrange that the
7819 * X register contains the variable part of the offset
7820 * of the link-layer payload. Add to it the offset
7821 * computed into the register specified by "index",
7822 * and move that into the X register. Otherwise, just
7823 * load into the X register the offset computed into
7824 * the register specified by "index".
7825 */
7826 if (s != NULL) {
7827 sappend(s, xfer_to_a(cstate, inst));
7828 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7829 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7830 } else
7831 s = xfer_to_x(cstate, inst);
7832
7833 /*
7834 * Load the item at the sum of the offset we've put in the
7835 * X register, the offset of the start of the network
7836 * layer header from the beginning of the link-layer
7837 * payload, and the constant part of the offset of the
7838 * start of the link-layer payload.
7839 */
7840 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7841 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7842 sappend(s, tmp);
7843 sappend(inst->s, s);
7844
7845 /*
7846 * Do the computation only if the packet contains
7847 * the protocol in question.
7848 */
7849 b = gen_proto_abbrev_internal(cstate, proto);
7850 if (inst->b)
7851 gen_and(inst->b, b);
7852 inst->b = b;
7853 break;
7854
7855 case Q_SCTP:
7856 case Q_TCP:
7857 case Q_UDP:
7858 case Q_ICMP:
7859 case Q_IGMP:
7860 case Q_IGRP:
7861 case Q_PIM:
7862 case Q_VRRP:
7863 case Q_CARP:
7864 /*
7865 * The offset is relative to the beginning of
7866 * the transport-layer header.
7867 *
7868 * Load the X register with the length of the IPv4 header
7869 * (plus the offset of the link-layer header, if it's
7870 * a variable-length header), in bytes.
7871 *
7872 * XXX - are there any cases where we want
7873 * cstate->off_nl_nosnap?
7874 * XXX - we should, if we're built with
7875 * IPv6 support, generate code to load either
7876 * IPv4, IPv6, or both, as appropriate.
7877 */
7878 s = gen_loadx_iphdrlen(cstate);
7879
7880 /*
7881 * The X register now contains the sum of the variable
7882 * part of the offset of the link-layer payload and the
7883 * length of the network-layer header.
7884 *
7885 * Load into the A register the offset relative to
7886 * the beginning of the transport layer header,
7887 * add the X register to that, move that to the
7888 * X register, and load with an offset from the
7889 * X register equal to the sum of the constant part of
7890 * the offset of the link-layer payload and the offset,
7891 * relative to the beginning of the link-layer payload,
7892 * of the network-layer header.
7893 */
7894 sappend(s, xfer_to_a(cstate, inst));
7895 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7896 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7897 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code));
7898 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7899 sappend(inst->s, s);
7900
7901 /*
7902 * Do the computation only if the packet contains
7903 * the protocol in question - which is true only
7904 * if this is an IP datagram and is the first or
7905 * only fragment of that datagram.
7906 */
7907 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate));
7908 if (inst->b)
7909 gen_and(inst->b, b);
7910 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b);
7911 inst->b = b;
7912 break;
7913 case Q_ICMPV6:
7914 /*
7915 * Do the computation only if the packet contains
7916 * the protocol in question.
7917 */
7918 b = gen_proto_abbrev_internal(cstate, Q_IPV6);
7919 if (inst->b)
7920 gen_and(inst->b, b);
7921 inst->b = b;
7922
7923 /*
7924 * Check if we have an icmp6 next header
7925 */
7926 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58);
7927 if (inst->b)
7928 gen_and(inst->b, b);
7929 inst->b = b;
7930
7931 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7932 /*
7933 * If "s" is non-null, it has code to arrange that the
7934 * X register contains the variable part of the offset
7935 * of the link-layer payload. Add to it the offset
7936 * computed into the register specified by "index",
7937 * and move that into the X register. Otherwise, just
7938 * load into the X register the offset computed into
7939 * the register specified by "index".
7940 */
7941 if (s != NULL) {
7942 sappend(s, xfer_to_a(cstate, inst));
7943 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7944 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7945 } else
7946 s = xfer_to_x(cstate, inst);
7947
7948 /*
7949 * Load the item at the sum of the offset we've put in the
7950 * X register, the offset of the start of the network
7951 * layer header from the beginning of the link-layer
7952 * payload, and the constant part of the offset of the
7953 * start of the link-layer payload.
7954 */
7955 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7956 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7957
7958 sappend(s, tmp);
7959 sappend(inst->s, s);
7960
7961 break;
7962 }
7963 inst->regno = regno;
7964 s = new_stmt(cstate, BPF_ST);
7965 s->s.k = regno;
7966 sappend(inst->s, s);
7967
7968 return inst;
7969 }
7970
7971 struct arth *
7972 gen_load(compiler_state_t *cstate, int proto, struct arth *inst,
7973 bpf_u_int32 size)
7974 {
7975 /*
7976 * Catch errors reported by us and routines below us, and return NULL
7977 * on an error.
7978 */
7979 if (setjmp(cstate->top_ctx))
7980 return (NULL);
7981
7982 return gen_load_internal(cstate, proto, inst, size);
7983 }
7984
7985 static struct block *
7986 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0,
7987 struct arth *a1, int reversed)
7988 {
7989 struct slist *s0, *s1, *s2;
7990 struct block *b, *tmp;
7991
7992 s0 = xfer_to_x(cstate, a1);
7993 s1 = xfer_to_a(cstate, a0);
7994 if (code == BPF_JEQ) {
7995 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7996 b = new_block(cstate, JMP(code));
7997 sappend(s1, s2);
7998 }
7999 else
8000 b = new_block(cstate, BPF_JMP|code|BPF_X);
8001 if (reversed)
8002 gen_not(b);
8003
8004 sappend(s0, s1);
8005 sappend(a1->s, s0);
8006 sappend(a0->s, a1->s);
8007
8008 b->stmts = a0->s;
8009
8010 free_reg(cstate, a0->regno);
8011 free_reg(cstate, a1->regno);
8012
8013 /* 'and' together protocol checks */
8014 if (a0->b) {
8015 if (a1->b) {
8016 gen_and(a0->b, tmp = a1->b);
8017 }
8018 else
8019 tmp = a0->b;
8020 } else
8021 tmp = a1->b;
8022
8023 if (tmp)
8024 gen_and(tmp, b);
8025
8026 return b;
8027 }
8028
8029 struct block *
8030 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
8031 struct arth *a1, int reversed)
8032 {
8033 /*
8034 * Catch errors reported by us and routines below us, and return NULL
8035 * on an error.
8036 */
8037 if (setjmp(cstate->top_ctx))
8038 return (NULL);
8039
8040 return gen_relation_internal(cstate, code, a0, a1, reversed);
8041 }
8042
8043 struct arth *
8044 gen_loadlen(compiler_state_t *cstate)
8045 {
8046 int regno;
8047 struct arth *a;
8048 struct slist *s;
8049
8050 /*
8051 * Catch errors reported by us and routines below us, and return NULL
8052 * on an error.
8053 */
8054 if (setjmp(cstate->top_ctx))
8055 return (NULL);
8056
8057 regno = alloc_reg(cstate);
8058 a = (struct arth *)newchunk(cstate, sizeof(*a));
8059 s = new_stmt(cstate, BPF_LD|BPF_LEN);
8060 s->next = new_stmt(cstate, BPF_ST);
8061 s->next->s.k = regno;
8062 a->s = s;
8063 a->regno = regno;
8064
8065 return a;
8066 }
8067
8068 static struct arth *
8069 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val)
8070 {
8071 struct arth *a;
8072 struct slist *s;
8073 int reg;
8074
8075 a = (struct arth *)newchunk(cstate, sizeof(*a));
8076
8077 reg = alloc_reg(cstate);
8078
8079 s = new_stmt(cstate, BPF_LD|BPF_IMM);
8080 s->s.k = val;
8081 s->next = new_stmt(cstate, BPF_ST);
8082 s->next->s.k = reg;
8083 a->s = s;
8084 a->regno = reg;
8085
8086 return a;
8087 }
8088
8089 struct arth *
8090 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val)
8091 {
8092 /*
8093 * Catch errors reported by us and routines below us, and return NULL
8094 * on an error.
8095 */
8096 if (setjmp(cstate->top_ctx))
8097 return (NULL);
8098
8099 return gen_loadi_internal(cstate, val);
8100 }
8101
8102 /*
8103 * The a_arg dance is to avoid annoying whining by compilers that
8104 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
8105 * It's not *used* after setjmp returns.
8106 */
8107 struct arth *
8108 gen_neg(compiler_state_t *cstate, struct arth *a_arg)
8109 {
8110 struct arth *a = a_arg;
8111 struct slist *s;
8112
8113 /*
8114 * Catch errors reported by us and routines below us, and return NULL
8115 * on an error.
8116 */
8117 if (setjmp(cstate->top_ctx))
8118 return (NULL);
8119
8120 s = xfer_to_a(cstate, a);
8121 sappend(a->s, s);
8122 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
8123 s->s.k = 0;
8124 sappend(a->s, s);
8125 s = new_stmt(cstate, BPF_ST);
8126 s->s.k = a->regno;
8127 sappend(a->s, s);
8128
8129 return a;
8130 }
8131
8132 /*
8133 * The a0_arg dance is to avoid annoying whining by compilers that
8134 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
8135 * It's not *used* after setjmp returns.
8136 */
8137 struct arth *
8138 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg,
8139 struct arth *a1)
8140 {
8141 struct arth *a0 = a0_arg;
8142 struct slist *s0, *s1, *s2;
8143
8144 /*
8145 * Catch errors reported by us and routines below us, and return NULL
8146 * on an error.
8147 */
8148 if (setjmp(cstate->top_ctx))
8149 return (NULL);
8150
8151 /*
8152 * Disallow division by, or modulus by, zero; we do this here
8153 * so that it gets done even if the optimizer is disabled.
8154 *
8155 * Also disallow shifts by a value greater than 31; we do this
8156 * here, for the same reason.
8157 */
8158 if (code == BPF_DIV) {
8159 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
8160 bpf_error(cstate, "division by zero");
8161 } else if (code == BPF_MOD) {
8162 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
8163 bpf_error(cstate, "modulus by zero");
8164 } else if (code == BPF_LSH || code == BPF_RSH) {
8165 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31)
8166 bpf_error(cstate, "shift by more than 31 bits");
8167 }
8168 s0 = xfer_to_x(cstate, a1);
8169 s1 = xfer_to_a(cstate, a0);
8170 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
8171
8172 sappend(s1, s2);
8173 sappend(s0, s1);
8174 sappend(a1->s, s0);
8175 sappend(a0->s, a1->s);
8176
8177 free_reg(cstate, a0->regno);
8178 free_reg(cstate, a1->regno);
8179
8180 s0 = new_stmt(cstate, BPF_ST);
8181 a0->regno = s0->s.k = alloc_reg(cstate);
8182 sappend(a0->s, s0);
8183
8184 return a0;
8185 }
8186
8187 /*
8188 * Initialize the table of used registers and the current register.
8189 */
8190 static void
8191 init_regs(compiler_state_t *cstate)
8192 {
8193 cstate->curreg = 0;
8194 memset(cstate->regused, 0, sizeof cstate->regused);
8195 }
8196
8197 /*
8198 * Return the next free register.
8199 */
8200 static int
8201 alloc_reg(compiler_state_t *cstate)
8202 {
8203 int n = BPF_MEMWORDS;
8204
8205 while (--n >= 0) {
8206 if (cstate->regused[cstate->curreg])
8207 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
8208 else {
8209 cstate->regused[cstate->curreg] = 1;
8210 return cstate->curreg;
8211 }
8212 }
8213 bpf_error(cstate, "too many registers needed to evaluate expression");
8214 /*NOTREACHED*/
8215 }
8216
8217 /*
8218 * Return a register to the table so it can
8219 * be used later.
8220 */
8221 static void
8222 free_reg(compiler_state_t *cstate, int n)
8223 {
8224 cstate->regused[n] = 0;
8225 }
8226
8227 static struct block *
8228 gen_len(compiler_state_t *cstate, int jmp, int n)
8229 {
8230 struct slist *s;
8231 struct block *b;
8232
8233 s = new_stmt(cstate, BPF_LD|BPF_LEN);
8234 b = new_block(cstate, JMP(jmp));
8235 b->stmts = s;
8236 b->s.k = n;
8237
8238 return b;
8239 }
8240
8241 struct block *
8242 gen_greater(compiler_state_t *cstate, int n)
8243 {
8244 /*
8245 * Catch errors reported by us and routines below us, and return NULL
8246 * on an error.
8247 */
8248 if (setjmp(cstate->top_ctx))
8249 return (NULL);
8250
8251 return gen_len(cstate, BPF_JGE, n);
8252 }
8253
8254 /*
8255 * Actually, this is less than or equal.
8256 */
8257 struct block *
8258 gen_less(compiler_state_t *cstate, int n)
8259 {
8260 struct block *b;
8261
8262 /*
8263 * Catch errors reported by us and routines below us, and return NULL
8264 * on an error.
8265 */
8266 if (setjmp(cstate->top_ctx))
8267 return (NULL);
8268
8269 b = gen_len(cstate, BPF_JGT, n);
8270 gen_not(b);
8271
8272 return b;
8273 }
8274
8275 /*
8276 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
8277 * the beginning of the link-layer header.
8278 * XXX - that means you can't test values in the radiotap header, but
8279 * as that header is difficult if not impossible to parse generally
8280 * without a loop, that might not be a severe problem. A new keyword
8281 * "radio" could be added for that, although what you'd really want
8282 * would be a way of testing particular radio header values, which
8283 * would generate code appropriate to the radio header in question.
8284 */
8285 struct block *
8286 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val)
8287 {
8288 struct block *b;
8289 struct slist *s;
8290
8291 /*
8292 * Catch errors reported by us and routines below us, and return NULL
8293 * on an error.
8294 */
8295 if (setjmp(cstate->top_ctx))
8296 return (NULL);
8297
8298 switch (op) {
8299 default:
8300 abort();
8301
8302 case '=':
8303 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8304
8305 case '<':
8306 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8307 return b;
8308
8309 case '>':
8310 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8311 return b;
8312
8313 case '|':
8314 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
8315 break;
8316
8317 case '&':
8318 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
8319 break;
8320 }
8321 s->s.k = val;
8322 b = new_block(cstate, JMP(BPF_JEQ));
8323 b->stmts = s;
8324 gen_not(b);
8325
8326 return b;
8327 }
8328
8329 struct block *
8330 gen_broadcast(compiler_state_t *cstate, int proto)
8331 {
8332 bpf_u_int32 hostmask;
8333 struct block *b0, *b1, *b2;
8334 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
8335
8336 /*
8337 * Catch errors reported by us and routines below us, and return NULL
8338 * on an error.
8339 */
8340 if (setjmp(cstate->top_ctx))
8341 return (NULL);
8342
8343 switch (proto) {
8344
8345 case Q_DEFAULT:
8346 case Q_LINK:
8347 switch (cstate->linktype) {
8348 case DLT_ARCNET:
8349 case DLT_ARCNET_LINUX:
8350 // ARCnet broadcast is [8-bit] destination address 0.
8351 return gen_ahostop(cstate, 0, Q_DST);
8352 case DLT_EN10MB:
8353 case DLT_NETANALYZER:
8354 case DLT_NETANALYZER_TRANSPARENT:
8355 b1 = gen_prevlinkhdr_check(cstate);
8356 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
8357 if (b1 != NULL)
8358 gen_and(b1, b0);
8359 return b0;
8360 case DLT_FDDI:
8361 return gen_fhostop(cstate, ebroadcast, Q_DST);
8362 case DLT_IEEE802:
8363 return gen_thostop(cstate, ebroadcast, Q_DST);
8364 case DLT_IEEE802_11:
8365 case DLT_PRISM_HEADER:
8366 case DLT_IEEE802_11_RADIO_AVS:
8367 case DLT_IEEE802_11_RADIO:
8368 case DLT_PPI:
8369 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
8370 case DLT_IP_OVER_FC:
8371 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
8372 }
8373 fail_kw_on_dlt(cstate, "broadcast");
8374 /*NOTREACHED*/
8375
8376 case Q_IP:
8377 /*
8378 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
8379 * as an indication that we don't know the netmask, and fail
8380 * in that case.
8381 */
8382 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
8383 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
8384 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8385 hostmask = ~cstate->netmask;
8386 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask);
8387 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, hostmask, hostmask);
8388 gen_or(b1, b2);
8389 gen_and(b0, b2);
8390 return b2;
8391 }
8392 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
8393 /*NOTREACHED*/
8394 }
8395
8396 /*
8397 * Generate code to test the low-order bit of a MAC address (that's
8398 * the bottom bit of the *first* byte).
8399 */
8400 static struct block *
8401 gen_mac_multicast(compiler_state_t *cstate, int offset)
8402 {
8403 register struct block *b0;
8404 register struct slist *s;
8405
8406 /* link[offset] & 1 != 0 */
8407 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
8408 b0 = new_block(cstate, JMP(BPF_JSET));
8409 b0->s.k = 1;
8410 b0->stmts = s;
8411 return b0;
8412 }
8413
8414 struct block *
8415 gen_multicast(compiler_state_t *cstate, int proto)
8416 {
8417 register struct block *b0, *b1, *b2;
8418 register struct slist *s;
8419
8420 /*
8421 * Catch errors reported by us and routines below us, and return NULL
8422 * on an error.
8423 */
8424 if (setjmp(cstate->top_ctx))
8425 return (NULL);
8426
8427 switch (proto) {
8428
8429 case Q_DEFAULT:
8430 case Q_LINK:
8431 switch (cstate->linktype) {
8432 case DLT_ARCNET:
8433 case DLT_ARCNET_LINUX:
8434 // ARCnet multicast is the same as broadcast.
8435 return gen_ahostop(cstate, 0, Q_DST);
8436 case DLT_EN10MB:
8437 case DLT_NETANALYZER:
8438 case DLT_NETANALYZER_TRANSPARENT:
8439 b1 = gen_prevlinkhdr_check(cstate);
8440 /* ether[0] & 1 != 0 */
8441 b0 = gen_mac_multicast(cstate, 0);
8442 if (b1 != NULL)
8443 gen_and(b1, b0);
8444 return b0;
8445 case DLT_FDDI:
8446 /*
8447 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
8448 *
8449 * XXX - was that referring to bit-order issues?
8450 */
8451 /* fddi[1] & 1 != 0 */
8452 return gen_mac_multicast(cstate, 1);
8453 case DLT_IEEE802:
8454 /* tr[2] & 1 != 0 */
8455 return gen_mac_multicast(cstate, 2);
8456 case DLT_IEEE802_11:
8457 case DLT_PRISM_HEADER:
8458 case DLT_IEEE802_11_RADIO_AVS:
8459 case DLT_IEEE802_11_RADIO:
8460 case DLT_PPI:
8461 /*
8462 * Oh, yuk.
8463 *
8464 * For control frames, there is no DA.
8465 *
8466 * For management frames, DA is at an
8467 * offset of 4 from the beginning of
8468 * the packet.
8469 *
8470 * For data frames, DA is at an offset
8471 * of 4 from the beginning of the packet
8472 * if To DS is clear and at an offset of
8473 * 16 from the beginning of the packet
8474 * if To DS is set.
8475 */
8476
8477 /*
8478 * Generate the tests to be done for data frames.
8479 *
8480 * First, check for To DS set, i.e. "link[1] & 0x01".
8481 */
8482 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8483 b1 = new_block(cstate, JMP(BPF_JSET));
8484 b1->s.k = 0x01; /* To DS */
8485 b1->stmts = s;
8486
8487 /*
8488 * If To DS is set, the DA is at 16.
8489 */
8490 b0 = gen_mac_multicast(cstate, 16);
8491 gen_and(b1, b0);
8492
8493 /*
8494 * Now, check for To DS not set, i.e. check
8495 * "!(link[1] & 0x01)".
8496 */
8497 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8498 b2 = new_block(cstate, JMP(BPF_JSET));
8499 b2->s.k = 0x01; /* To DS */
8500 b2->stmts = s;
8501 gen_not(b2);
8502
8503 /*
8504 * If To DS is not set, the DA is at 4.
8505 */
8506 b1 = gen_mac_multicast(cstate, 4);
8507 gen_and(b2, b1);
8508
8509 /*
8510 * Now OR together the last two checks. That gives
8511 * the complete set of checks for data frames.
8512 */
8513 gen_or(b1, b0);
8514
8515 /*
8516 * Now check for a data frame.
8517 * I.e, check "link[0] & 0x08".
8518 */
8519 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8520 b1 = new_block(cstate, JMP(BPF_JSET));
8521 b1->s.k = 0x08;
8522 b1->stmts = s;
8523
8524 /*
8525 * AND that with the checks done for data frames.
8526 */
8527 gen_and(b1, b0);
8528
8529 /*
8530 * If the high-order bit of the type value is 0, this
8531 * is a management frame.
8532 * I.e, check "!(link[0] & 0x08)".
8533 */
8534 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8535 b2 = new_block(cstate, JMP(BPF_JSET));
8536 b2->s.k = 0x08;
8537 b2->stmts = s;
8538 gen_not(b2);
8539
8540 /*
8541 * For management frames, the DA is at 4.
8542 */
8543 b1 = gen_mac_multicast(cstate, 4);
8544 gen_and(b2, b1);
8545
8546 /*
8547 * OR that with the checks done for data frames.
8548 * That gives the checks done for management and
8549 * data frames.
8550 */
8551 gen_or(b1, b0);
8552
8553 /*
8554 * If the low-order bit of the type value is 1,
8555 * this is either a control frame or a frame
8556 * with a reserved type, and thus not a
8557 * frame with an SA.
8558 *
8559 * I.e., check "!(link[0] & 0x04)".
8560 */
8561 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8562 b1 = new_block(cstate, JMP(BPF_JSET));
8563 b1->s.k = 0x04;
8564 b1->stmts = s;
8565 gen_not(b1);
8566
8567 /*
8568 * AND that with the checks for data and management
8569 * frames.
8570 */
8571 gen_and(b1, b0);
8572 return b0;
8573 case DLT_IP_OVER_FC:
8574 b0 = gen_mac_multicast(cstate, 2);
8575 return b0;
8576 default:
8577 break;
8578 }
8579 fail_kw_on_dlt(cstate, "multicast");
8580 /*NOTREACHED*/
8581
8582 case Q_IP:
8583 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8584 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, 224);
8585 gen_and(b0, b1);
8586 return b1;
8587
8588 case Q_IPV6:
8589 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
8590 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255);
8591 gen_and(b0, b1);
8592 return b1;
8593 }
8594 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
8595 /*NOTREACHED*/
8596 }
8597
8598 #ifdef __linux__
8599 /*
8600 * This is Linux; we require PF_PACKET support. If this is a *live* capture,
8601 * we can look at special meta-data in the filter expression; otherwise we
8602 * can't because it is either a savefile (rfile != NULL) or a pcap_t created
8603 * using pcap_open_dead() (rfile == NULL). Thus check for a flag that
8604 * pcap_activate() conditionally sets.
8605 */
8606 static void
8607 require_basic_bpf_extensions(compiler_state_t *cstate, const char *keyword)
8608 {
8609 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_BASIC_HANDLING)
8610 return;
8611 bpf_error(cstate, "%s not supported on %s (not a live capture)",
8612 keyword,
8613 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8614 }
8615 #endif // __linux__
8616
8617 struct block *
8618 gen_ifindex(compiler_state_t *cstate, int ifindex)
8619 {
8620 register struct block *b0;
8621
8622 /*
8623 * Catch errors reported by us and routines below us, and return NULL
8624 * on an error.
8625 */
8626 if (setjmp(cstate->top_ctx))
8627 return (NULL);
8628
8629 /*
8630 * Only some data link types support ifindex qualifiers.
8631 */
8632 switch (cstate->linktype) {
8633 case DLT_LINUX_SLL2:
8634 /* match packets on this interface */
8635 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex);
8636 break;
8637 default:
8638 #if defined(__linux__)
8639 require_basic_bpf_extensions(cstate, "ifindex");
8640 /* match ifindex */
8641 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W,
8642 ifindex);
8643 #else /* defined(__linux__) */
8644 fail_kw_on_dlt(cstate, "ifindex");
8645 /*NOTREACHED*/
8646 #endif /* defined(__linux__) */
8647 }
8648 return (b0);
8649 }
8650
8651 /*
8652 * Filter on inbound (outbound == 0) or outbound (outbound == 1) traffic.
8653 * Outbound traffic is sent by this machine, while inbound traffic is
8654 * sent by a remote machine (and may include packets destined for a
8655 * unicast or multicast link-layer address we are not subscribing to).
8656 * These are the same definitions implemented by pcap_setdirection().
8657 * Capturing only unicast traffic destined for this host is probably
8658 * better accomplished using a higher-layer filter.
8659 */
8660 struct block *
8661 gen_inbound_outbound(compiler_state_t *cstate, const int outbound)
8662 {
8663 register struct block *b0;
8664
8665 /*
8666 * Catch errors reported by us and routines below us, and return NULL
8667 * on an error.
8668 */
8669 if (setjmp(cstate->top_ctx))
8670 return (NULL);
8671
8672 /*
8673 * Only some data link types support inbound/outbound qualifiers.
8674 */
8675 switch (cstate->linktype) {
8676 case DLT_SLIP:
8677 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B,
8678 outbound ? SLIPDIR_OUT : SLIPDIR_IN);
8679 break;
8680
8681 case DLT_IPNET:
8682 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H,
8683 outbound ? IPNET_OUTBOUND : IPNET_INBOUND);
8684 break;
8685
8686 case DLT_LINUX_SLL:
8687 /* match outgoing packets */
8688 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
8689 if (! outbound) {
8690 /* to filter on inbound traffic, invert the match */
8691 gen_not(b0);
8692 }
8693 break;
8694
8695 case DLT_LINUX_SLL2:
8696 /* match outgoing packets */
8697 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING);
8698 if (! outbound) {
8699 /* to filter on inbound traffic, invert the match */
8700 gen_not(b0);
8701 }
8702 break;
8703
8704 case DLT_PFLOG:
8705 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
8706 outbound ? PF_OUT : PF_IN);
8707 break;
8708
8709 case DLT_PPP_PPPD:
8710 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, outbound ? PPP_PPPD_OUT : PPP_PPPD_IN);
8711 break;
8712
8713 case DLT_JUNIPER_MFR:
8714 case DLT_JUNIPER_MLFR:
8715 case DLT_JUNIPER_MLPPP:
8716 case DLT_JUNIPER_ATM1:
8717 case DLT_JUNIPER_ATM2:
8718 case DLT_JUNIPER_PPPOE:
8719 case DLT_JUNIPER_PPPOE_ATM:
8720 case DLT_JUNIPER_GGSN:
8721 case DLT_JUNIPER_ES:
8722 case DLT_JUNIPER_MONITOR:
8723 case DLT_JUNIPER_SERVICES:
8724 case DLT_JUNIPER_ETHER:
8725 case DLT_JUNIPER_PPP:
8726 case DLT_JUNIPER_FRELAY:
8727 case DLT_JUNIPER_CHDLC:
8728 case DLT_JUNIPER_VP:
8729 case DLT_JUNIPER_ST:
8730 case DLT_JUNIPER_ISM:
8731 case DLT_JUNIPER_VS:
8732 case DLT_JUNIPER_SRX_E2E:
8733 case DLT_JUNIPER_FIBRECHANNEL:
8734 case DLT_JUNIPER_ATM_CEMIC:
8735 /* juniper flags (including direction) are stored
8736 * the byte after the 3-byte magic number */
8737 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, outbound ? 0 : 1, 0x01);
8738 break;
8739
8740 default:
8741 /*
8742 * If we have packet meta-data indicating a direction,
8743 * and that metadata can be checked by BPF code, check
8744 * it. Otherwise, give up, as this link-layer type has
8745 * nothing in the packet data.
8746 *
8747 * Currently, the only platform where a BPF filter can
8748 * check that metadata is Linux with the in-kernel
8749 * BPF interpreter. If other packet capture mechanisms
8750 * and BPF filters also supported this, it would be
8751 * nice. It would be even better if they made that
8752 * metadata available so that we could provide it
8753 * with newer capture APIs, allowing it to be saved
8754 * in pcapng files.
8755 */
8756 #if defined(__linux__)
8757 require_basic_bpf_extensions(cstate, outbound ? "outbound" : "inbound");
8758 /* match outgoing packets */
8759 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
8760 PACKET_OUTGOING);
8761 if (! outbound) {
8762 /* to filter on inbound traffic, invert the match */
8763 gen_not(b0);
8764 }
8765 #else /* defined(__linux__) */
8766 fail_kw_on_dlt(cstate, outbound ? "outbound" : "inbound");
8767 /*NOTREACHED*/
8768 #endif /* defined(__linux__) */
8769 }
8770 return (b0);
8771 }
8772
8773 /* PF firewall log matched interface */
8774 struct block *
8775 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
8776 {
8777 struct block *b0;
8778 u_int len, off;
8779
8780 /*
8781 * Catch errors reported by us and routines below us, and return NULL
8782 * on an error.
8783 */
8784 if (setjmp(cstate->top_ctx))
8785 return (NULL);
8786
8787 if (cstate->linktype != DLT_PFLOG) {
8788 bpf_error(cstate, "ifname supported only on PF linktype");
8789 /*NOTREACHED*/
8790 }
8791 len = sizeof(((struct pfloghdr *)0)->ifname);
8792 off = offsetof(struct pfloghdr, ifname);
8793 if (strlen(ifname) >= len) {
8794 bpf_error(cstate, "ifname interface names can only be %d characters",
8795 len-1);
8796 /*NOTREACHED*/
8797 }
8798 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname),
8799 (const u_char *)ifname);
8800 return (b0);
8801 }
8802
8803 /* PF firewall log ruleset name */
8804 struct block *
8805 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
8806 {
8807 struct block *b0;
8808
8809 /*
8810 * Catch errors reported by us and routines below us, and return NULL
8811 * on an error.
8812 */
8813 if (setjmp(cstate->top_ctx))
8814 return (NULL);
8815
8816 if (cstate->linktype != DLT_PFLOG) {
8817 bpf_error(cstate, "ruleset supported only on PF linktype");
8818 /*NOTREACHED*/
8819 }
8820
8821 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
8822 bpf_error(cstate, "ruleset names can only be %ld characters",
8823 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
8824 /*NOTREACHED*/
8825 }
8826
8827 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
8828 (u_int)strlen(ruleset), (const u_char *)ruleset);
8829 return (b0);
8830 }
8831
8832 /* PF firewall log rule number */
8833 struct block *
8834 gen_pf_rnr(compiler_state_t *cstate, int rnr)
8835 {
8836 struct block *b0;
8837
8838 /*
8839 * Catch errors reported by us and routines below us, and return NULL
8840 * on an error.
8841 */
8842 if (setjmp(cstate->top_ctx))
8843 return (NULL);
8844
8845 if (cstate->linktype != DLT_PFLOG) {
8846 bpf_error(cstate, "rnr supported only on PF linktype");
8847 /*NOTREACHED*/
8848 }
8849
8850 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
8851 (bpf_u_int32)rnr);
8852 return (b0);
8853 }
8854
8855 /* PF firewall log sub-rule number */
8856 struct block *
8857 gen_pf_srnr(compiler_state_t *cstate, int srnr)
8858 {
8859 struct block *b0;
8860
8861 /*
8862 * Catch errors reported by us and routines below us, and return NULL
8863 * on an error.
8864 */
8865 if (setjmp(cstate->top_ctx))
8866 return (NULL);
8867
8868 if (cstate->linktype != DLT_PFLOG) {
8869 bpf_error(cstate, "srnr supported only on PF linktype");
8870 /*NOTREACHED*/
8871 }
8872
8873 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
8874 (bpf_u_int32)srnr);
8875 return (b0);
8876 }
8877
8878 /* PF firewall log reason code */
8879 struct block *
8880 gen_pf_reason(compiler_state_t *cstate, int reason)
8881 {
8882 struct block *b0;
8883
8884 /*
8885 * Catch errors reported by us and routines below us, and return NULL
8886 * on an error.
8887 */
8888 if (setjmp(cstate->top_ctx))
8889 return (NULL);
8890
8891 if (cstate->linktype != DLT_PFLOG) {
8892 bpf_error(cstate, "reason supported only on PF linktype");
8893 /*NOTREACHED*/
8894 }
8895
8896 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
8897 (bpf_u_int32)reason);
8898 return (b0);
8899 }
8900
8901 /* PF firewall log action */
8902 struct block *
8903 gen_pf_action(compiler_state_t *cstate, int action)
8904 {
8905 struct block *b0;
8906
8907 /*
8908 * Catch errors reported by us and routines below us, and return NULL
8909 * on an error.
8910 */
8911 if (setjmp(cstate->top_ctx))
8912 return (NULL);
8913
8914 if (cstate->linktype != DLT_PFLOG) {
8915 bpf_error(cstate, "action supported only on PF linktype");
8916 /*NOTREACHED*/
8917 }
8918
8919 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
8920 (bpf_u_int32)action);
8921 return (b0);
8922 }
8923
8924 /* IEEE 802.11 wireless header */
8925 struct block *
8926 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask)
8927 {
8928 struct block *b0;
8929
8930 /*
8931 * Catch errors reported by us and routines below us, and return NULL
8932 * on an error.
8933 */
8934 if (setjmp(cstate->top_ctx))
8935 return (NULL);
8936
8937 switch (cstate->linktype) {
8938
8939 case DLT_IEEE802_11:
8940 case DLT_PRISM_HEADER:
8941 case DLT_IEEE802_11_RADIO_AVS:
8942 case DLT_IEEE802_11_RADIO:
8943 case DLT_PPI:
8944 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask);
8945 break;
8946
8947 default:
8948 fail_kw_on_dlt(cstate, "type/subtype");
8949 /*NOTREACHED*/
8950 }
8951
8952 return (b0);
8953 }
8954
8955 struct block *
8956 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir)
8957 {
8958 struct block *b0;
8959
8960 /*
8961 * Catch errors reported by us and routines below us, and return NULL
8962 * on an error.
8963 */
8964 if (setjmp(cstate->top_ctx))
8965 return (NULL);
8966
8967 switch (cstate->linktype) {
8968
8969 case DLT_IEEE802_11:
8970 case DLT_PRISM_HEADER:
8971 case DLT_IEEE802_11_RADIO_AVS:
8972 case DLT_IEEE802_11_RADIO:
8973 case DLT_PPI:
8974 break;
8975
8976 default:
8977 fail_kw_on_dlt(cstate, "dir");
8978 /*NOTREACHED*/
8979 }
8980
8981 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir,
8982 IEEE80211_FC1_DIR_MASK);
8983
8984 return (b0);
8985 }
8986
8987 // Process an ARCnet host address string.
8988 struct block *
8989 gen_acode(compiler_state_t *cstate, const char *s, struct qual q)
8990 {
8991 /*
8992 * Catch errors reported by us and routines below us, and return NULL
8993 * on an error.
8994 */
8995 if (setjmp(cstate->top_ctx))
8996 return (NULL);
8997
8998 switch (cstate->linktype) {
8999
9000 case DLT_ARCNET:
9001 case DLT_ARCNET_LINUX:
9002 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
9003 q.proto == Q_LINK) {
9004 uint8_t addr;
9005 /*
9006 * The lexer currently defines the address format in a
9007 * way that makes this error condition never true.
9008 * Let's check it anyway in case this part of the lexer
9009 * changes in future.
9010 */
9011 if (! pcapint_atoan(s, &addr))
9012 bpf_error(cstate, "invalid ARCnet address '%s'", s);
9013 return gen_ahostop(cstate, addr, (int)q.dir);
9014 } else
9015 bpf_error(cstate, "ARCnet address used in non-arc expression");
9016 /*NOTREACHED*/
9017
9018 default:
9019 bpf_error(cstate, "aid supported only on ARCnet");
9020 /*NOTREACHED*/
9021 }
9022 }
9023
9024 // Compare an ARCnet host address with the given value.
9025 static struct block *
9026 gen_ahostop(compiler_state_t *cstate, const uint8_t eaddr, int dir)
9027 {
9028 register struct block *b0, *b1;
9029
9030 switch (dir) {
9031 /*
9032 * ARCnet is different from Ethernet: the source address comes before
9033 * the destination address, each is one byte long. This holds for all
9034 * three "buffer formats" in RFC 1201 Section 2.1, see also page 4-10
9035 * in the 1983 edition of the "ARCNET Designer's Handbook" published
9036 * by Datapoint (document number 61610-01).
9037 */
9038 case Q_SRC:
9039 return gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, eaddr);
9040
9041 case Q_DST:
9042 return gen_cmp(cstate, OR_LINKHDR, 1, BPF_B, eaddr);
9043
9044 case Q_AND:
9045 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
9046 b1 = gen_ahostop(cstate, eaddr, Q_DST);
9047 gen_and(b0, b1);
9048 return b1;
9049
9050 case Q_DEFAULT:
9051 case Q_OR:
9052 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
9053 b1 = gen_ahostop(cstate, eaddr, Q_DST);
9054 gen_or(b0, b1);
9055 return b1;
9056
9057 case Q_ADDR1:
9058 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
9059 /*NOTREACHED*/
9060
9061 case Q_ADDR2:
9062 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
9063 /*NOTREACHED*/
9064
9065 case Q_ADDR3:
9066 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
9067 /*NOTREACHED*/
9068
9069 case Q_ADDR4:
9070 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
9071 /*NOTREACHED*/
9072
9073 case Q_RA:
9074 bpf_error(cstate, "'ra' is only supported on 802.11");
9075 /*NOTREACHED*/
9076
9077 case Q_TA:
9078 bpf_error(cstate, "'ta' is only supported on 802.11");
9079 /*NOTREACHED*/
9080 }
9081 abort();
9082 /*NOTREACHED*/
9083 }
9084
9085 static struct block *
9086 gen_vlan_tpid_test(compiler_state_t *cstate)
9087 {
9088 struct block *b0, *b1;
9089
9090 /* check for VLAN, including 802.1ad and QinQ */
9091 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
9092 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
9093 gen_or(b0,b1);
9094 b0 = b1;
9095 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
9096 gen_or(b0,b1);
9097
9098 return b1;
9099 }
9100
9101 static struct block *
9102 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num)
9103 {
9104 if (vlan_num > 0x0fff) {
9105 bpf_error(cstate, "VLAN tag %u greater than maximum %u",
9106 vlan_num, 0x0fff);
9107 }
9108 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff);
9109 }
9110
9111 static struct block *
9112 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
9113 int has_vlan_tag)
9114 {
9115 struct block *b0, *b1;
9116
9117 b0 = gen_vlan_tpid_test(cstate);
9118
9119 if (has_vlan_tag) {
9120 b1 = gen_vlan_vid_test(cstate, vlan_num);
9121 gen_and(b0, b1);
9122 b0 = b1;
9123 }
9124
9125 /*
9126 * Both payload and link header type follow the VLAN tags so that
9127 * both need to be updated.
9128 */
9129 cstate->off_linkpl.constant_part += 4;
9130 cstate->off_linktype.constant_part += 4;
9131
9132 return b0;
9133 }
9134
9135 #if defined(SKF_AD_VLAN_TAG_PRESENT)
9136 /* add v to variable part of off */
9137 static void
9138 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off,
9139 bpf_u_int32 v, struct slist *s)
9140 {
9141 struct slist *s2;
9142
9143 if (!off->is_variable)
9144 off->is_variable = 1;
9145 if (off->reg == -1)
9146 off->reg = alloc_reg(cstate);
9147
9148 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
9149 s2->s.k = off->reg;
9150 sappend(s, s2);
9151 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
9152 s2->s.k = v;
9153 sappend(s, s2);
9154 s2 = new_stmt(cstate, BPF_ST);
9155 s2->s.k = off->reg;
9156 sappend(s, s2);
9157 }
9158
9159 /*
9160 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
9161 * and link type offsets first
9162 */
9163 static void
9164 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
9165 {
9166 struct slist s;
9167
9168 /* offset determined at run time, shift variable part */
9169 s.next = NULL;
9170 cstate->is_vlan_vloffset = 1;
9171 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
9172 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
9173
9174 /* we get a pointer to a chain of or-ed blocks, patch first of them */
9175 sappend(s.next, b_tpid->head->stmts);
9176 b_tpid->head->stmts = s.next;
9177 }
9178
9179 /*
9180 * patch block b_vid (VLAN id test) to load VID value either from packet
9181 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
9182 */
9183 static void
9184 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
9185 {
9186 struct slist *s, *s2, *sjeq;
9187 unsigned cnt;
9188
9189 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
9190 s->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT);
9191
9192 /* true -> next instructions, false -> beginning of b_vid */
9193 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
9194 sjeq->s.k = 1;
9195 sjeq->s.jf = b_vid->stmts;
9196 sappend(s, sjeq);
9197
9198 s2 = new_stmt(cstate, BPF_LD|BPF_H|BPF_ABS);
9199 s2->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG);
9200 sappend(s, s2);
9201 sjeq->s.jt = s2;
9202
9203 /* Jump to the test in b_vid. We need to jump one instruction before
9204 * the end of the b_vid block so that we only skip loading the TCI
9205 * from packet data and not the 'and' instruction extracting VID.
9206 */
9207 cnt = 0;
9208 for (s2 = b_vid->stmts; s2; s2 = s2->next)
9209 cnt++;
9210 s2 = new_stmt(cstate, JMP(BPF_JA));
9211 s2->s.k = cnt - 1;
9212 sappend(s, s2);
9213
9214 /* insert our statements at the beginning of b_vid */
9215 sappend(s, b_vid->stmts);
9216 b_vid->stmts = s;
9217 }
9218
9219 /*
9220 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
9221 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
9222 * tag can be either in metadata or in packet data; therefore if the
9223 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
9224 * header for VLAN tag. As the decision is done at run time, we need
9225 * update variable part of the offsets
9226 */
9227 static struct block *
9228 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
9229 int has_vlan_tag)
9230 {
9231 struct block *b0, *b_tpid, *b_vid = NULL;
9232 struct slist *s;
9233
9234 /* generate new filter code based on extracting packet
9235 * metadata */
9236 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
9237 s->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT);
9238
9239 b0 = new_block(cstate, JMP(BPF_JEQ));
9240 b0->stmts = s;
9241 b0->s.k = 1;
9242
9243 /*
9244 * This is tricky. We need to insert the statements updating variable
9245 * parts of offsets before the traditional TPID and VID tests so
9246 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
9247 * we do not want this update to affect those checks. That's why we
9248 * generate both test blocks first and insert the statements updating
9249 * variable parts of both offsets after that. This wouldn't work if
9250 * there already were variable length link header when entering this
9251 * function but gen_vlan_bpf_extensions() isn't called in that case.
9252 */
9253 b_tpid = gen_vlan_tpid_test(cstate);
9254 if (has_vlan_tag)
9255 b_vid = gen_vlan_vid_test(cstate, vlan_num);
9256
9257 gen_vlan_patch_tpid_test(cstate, b_tpid);
9258 gen_or(b0, b_tpid);
9259 b0 = b_tpid;
9260
9261 if (has_vlan_tag) {
9262 gen_vlan_patch_vid_test(cstate, b_vid);
9263 gen_and(b0, b_vid);
9264 b0 = b_vid;
9265 }
9266
9267 return b0;
9268 }
9269 #endif
9270
9271 /*
9272 * support IEEE 802.1Q VLAN trunk over ethernet
9273 */
9274 struct block *
9275 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
9276 {
9277 struct block *b0;
9278
9279 /*
9280 * Catch errors reported by us and routines below us, and return NULL
9281 * on an error.
9282 */
9283 if (setjmp(cstate->top_ctx))
9284 return (NULL);
9285
9286 /* can't check for VLAN-encapsulated packets inside MPLS */
9287 if (cstate->label_stack_depth > 0)
9288 bpf_error(cstate, "no VLAN match after MPLS");
9289
9290 /*
9291 * Check for a VLAN packet, and then change the offsets to point
9292 * to the type and data fields within the VLAN packet. Just
9293 * increment the offsets, so that we can support a hierarchy, e.g.
9294 * "vlan 100 && vlan 200" to capture VLAN 200 encapsulated within
9295 * VLAN 100.
9296 *
9297 * XXX - this is a bit of a kludge. If we were to split the
9298 * compiler into a parser that parses an expression and
9299 * generates an expression tree, and a code generator that
9300 * takes an expression tree (which could come from our
9301 * parser or from some other parser) and generates BPF code,
9302 * we could perhaps make the offsets parameters of routines
9303 * and, in the handler for an "AND" node, pass to subnodes
9304 * other than the VLAN node the adjusted offsets.
9305 *
9306 * This would mean that "vlan" would, instead of changing the
9307 * behavior of *all* tests after it, change only the behavior
9308 * of tests ANDed with it. That would change the documented
9309 * semantics of "vlan", which might break some expressions.
9310 * However, it would mean that "(vlan and ip) or ip" would check
9311 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
9312 * checking only for VLAN-encapsulated IP, so that could still
9313 * be considered worth doing; it wouldn't break expressions
9314 * that are of the form "vlan and ..." or "vlan N and ...",
9315 * which I suspect are the most common expressions involving
9316 * "vlan". "vlan or ..." doesn't necessarily do what the user
9317 * would really want, now, as all the "or ..." tests would
9318 * be done assuming a VLAN, even though the "or" could be viewed
9319 * as meaning "or, if this isn't a VLAN packet...".
9320 */
9321 switch (cstate->linktype) {
9322
9323 case DLT_EN10MB:
9324 /*
9325 * Newer version of the Linux kernel pass around
9326 * packets in which the VLAN tag has been removed
9327 * from the packet data and put into metadata.
9328 *
9329 * This requires special treatment.
9330 */
9331 #if defined(SKF_AD_VLAN_TAG_PRESENT)
9332 /* Verify that this is the outer part of the packet and
9333 * not encapsulated somehow. */
9334 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
9335 cstate->off_linkhdr.constant_part ==
9336 cstate->off_outermostlinkhdr.constant_part) {
9337 /*
9338 * Do we need special VLAN handling?
9339 */
9340 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
9341 b0 = gen_vlan_bpf_extensions(cstate, vlan_num,
9342 has_vlan_tag);
9343 else
9344 b0 = gen_vlan_no_bpf_extensions(cstate,
9345 vlan_num, has_vlan_tag);
9346 } else
9347 #endif
9348 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num,
9349 has_vlan_tag);
9350 break;
9351
9352 case DLT_NETANALYZER:
9353 case DLT_NETANALYZER_TRANSPARENT:
9354 case DLT_IEEE802_11:
9355 case DLT_PRISM_HEADER:
9356 case DLT_IEEE802_11_RADIO_AVS:
9357 case DLT_IEEE802_11_RADIO:
9358 /*
9359 * These are either Ethernet packets with an additional
9360 * metadata header (the NetAnalyzer types), or 802.11
9361 * packets, possibly with an additional metadata header.
9362 *
9363 * For the first of those, the VLAN tag is in the normal
9364 * place, so the special-case handling above isn't
9365 * necessary.
9366 *
9367 * For the second of those, we don't do the special-case
9368 * handling for now.
9369 */
9370 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
9371 break;
9372
9373 default:
9374 bpf_error(cstate, "no VLAN support for %s",
9375 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9376 /*NOTREACHED*/
9377 }
9378
9379 cstate->vlan_stack_depth++;
9380
9381 return (b0);
9382 }
9383
9384 /*
9385 * support for MPLS
9386 *
9387 * The label_num_arg dance is to avoid annoying whining by compilers that
9388 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9389 * It's not *used* after setjmp returns.
9390 */
9391 static struct block *
9392 gen_mpls_internal(compiler_state_t *cstate, bpf_u_int32 label_num,
9393 int has_label_num)
9394 {
9395 struct block *b0, *b1;
9396
9397 if (cstate->label_stack_depth > 0) {
9398 /* just match the bottom-of-stack bit clear */
9399 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
9400 } else {
9401 /*
9402 * We're not in an MPLS stack yet, so check the link-layer
9403 * type against MPLS.
9404 */
9405 switch (cstate->linktype) {
9406
9407 case DLT_C_HDLC: /* fall through */
9408 case DLT_HDLC:
9409 case DLT_EN10MB:
9410 case DLT_NETANALYZER:
9411 case DLT_NETANALYZER_TRANSPARENT:
9412 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
9413 break;
9414
9415 case DLT_PPP:
9416 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
9417 break;
9418
9419 /* FIXME add other DLT_s ...
9420 * for Frame-Relay/and ATM this may get messy due to SNAP headers
9421 * leave it for now */
9422
9423 default:
9424 bpf_error(cstate, "no MPLS support for %s",
9425 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9426 /*NOTREACHED*/
9427 }
9428 }
9429
9430 /* If a specific MPLS label is requested, check it */
9431 if (has_label_num) {
9432 if (label_num > 0xFFFFF) {
9433 bpf_error(cstate, "MPLS label %u greater than maximum %u",
9434 label_num, 0xFFFFF);
9435 }
9436 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
9437 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num,
9438 0xfffff000); /* only compare the first 20 bits */
9439 gen_and(b0, b1);
9440 b0 = b1;
9441 }
9442
9443 /*
9444 * Change the offsets to point to the type and data fields within
9445 * the MPLS packet. Just increment the offsets, so that we
9446 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
9447 * capture packets with an outer label of 100000 and an inner
9448 * label of 1024.
9449 *
9450 * Increment the MPLS stack depth as well; this indicates that
9451 * we're checking MPLS-encapsulated headers, to make sure higher
9452 * level code generators don't try to match against IP-related
9453 * protocols such as Q_ARP, Q_RARP etc.
9454 *
9455 * XXX - this is a bit of a kludge. See comments in gen_vlan().
9456 */
9457 cstate->off_nl_nosnap += 4;
9458 cstate->off_nl += 4;
9459 cstate->label_stack_depth++;
9460 return (b0);
9461 }
9462
9463 struct block *
9464 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num, int has_label_num)
9465 {
9466 /*
9467 * Catch errors reported by us and routines below us, and return NULL
9468 * on an error.
9469 */
9470 if (setjmp(cstate->top_ctx))
9471 return (NULL);
9472
9473 return gen_mpls_internal(cstate, label_num, has_label_num);
9474 }
9475
9476 /*
9477 * Support PPPOE discovery and session.
9478 */
9479 struct block *
9480 gen_pppoed(compiler_state_t *cstate)
9481 {
9482 /*
9483 * Catch errors reported by us and routines below us, and return NULL
9484 * on an error.
9485 */
9486 if (setjmp(cstate->top_ctx))
9487 return (NULL);
9488
9489 /* check for PPPoE discovery */
9490 return gen_linktype(cstate, ETHERTYPE_PPPOED);
9491 }
9492
9493 /*
9494 * RFC 2516 Section 4:
9495 *
9496 * The Ethernet payload for PPPoE is as follows:
9497 *
9498 * 1 2 3
9499 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
9500 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9501 * | VER | TYPE | CODE | SESSION_ID |
9502 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9503 * | LENGTH | payload ~
9504 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9505 */
9506 struct block *
9507 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num)
9508 {
9509 struct block *b0, *b1;
9510
9511 /*
9512 * Catch errors reported by us and routines below us, and return NULL
9513 * on an error.
9514 */
9515 if (setjmp(cstate->top_ctx))
9516 return (NULL);
9517
9518 /*
9519 * Test against the PPPoE session link-layer type.
9520 */
9521 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES);
9522
9523 /* If a specific session is requested, check PPPoE session id */
9524 if (has_sess_num) {
9525 if (sess_num > UINT16_MAX) {
9526 bpf_error(cstate, "PPPoE session number %u greater than maximum %u",
9527 sess_num, UINT16_MAX);
9528 }
9529 b1 = gen_cmp(cstate, OR_LINKPL, 2, BPF_H, sess_num);
9530 gen_and(b0, b1);
9531 b0 = b1;
9532 }
9533
9534 /*
9535 * Change the offsets to point to the type and data fields within
9536 * the PPP packet, and note that this is PPPoE rather than
9537 * raw PPP.
9538 *
9539 * XXX - this is a bit of a kludge. See the comments in
9540 * gen_vlan().
9541 *
9542 * The "network-layer" protocol is PPPoE, which has a 6-byte
9543 * PPPoE header, followed by a PPP packet.
9544 *
9545 * There is no HDLC encapsulation for the PPP packet (it's
9546 * encapsulated in PPPoES instead), so the link-layer type
9547 * starts at the first byte of the PPP packet. For PPPoE,
9548 * that offset is relative to the beginning of the total
9549 * link-layer payload, including any 802.2 LLC header, so
9550 * it's 6 bytes past cstate->off_nl.
9551 */
9552 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
9553 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
9554 cstate->off_linkpl.reg);
9555
9556 cstate->off_linktype = cstate->off_linkhdr;
9557 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
9558
9559 cstate->off_nl = 0;
9560 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
9561
9562 return b0;
9563 }
9564
9565 /* Check that this is Geneve and the VNI is correct if
9566 * specified. Parameterized to handle both IPv4 and IPv6. */
9567 static struct block *
9568 gen_geneve_check(compiler_state_t *cstate,
9569 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int),
9570 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9571 {
9572 struct block *b0, *b1;
9573
9574 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
9575
9576 /* Check that we are operating on version 0. Otherwise, we
9577 * can't decode the rest of the fields. The version is 2 bits
9578 * in the first byte of the Geneve header. */
9579 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0);
9580 gen_and(b0, b1);
9581 b0 = b1;
9582
9583 if (has_vni) {
9584 if (vni > 0xffffff) {
9585 bpf_error(cstate, "Geneve VNI %u greater than maximum %u",
9586 vni, 0xffffff);
9587 }
9588 vni <<= 8; /* VNI is in the upper 3 bytes */
9589 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9590 gen_and(b0, b1);
9591 b0 = b1;
9592 }
9593
9594 return b0;
9595 }
9596
9597 /* The IPv4 and IPv6 Geneve checks need to do two things:
9598 * - Verify that this actually is Geneve with the right VNI.
9599 * - Place the IP header length (plus variable link prefix if
9600 * needed) into register A to be used later to compute
9601 * the inner packet offsets. */
9602 static struct block *
9603 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9604 {
9605 struct block *b0, *b1;
9606 struct slist *s, *s1;
9607
9608 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9609
9610 /* Load the IP header length into A. */
9611 s = gen_loadx_iphdrlen(cstate);
9612
9613 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9614 sappend(s, s1);
9615
9616 /* Forcibly append these statements to the true condition
9617 * of the protocol check by creating a new block that is
9618 * always true and ANDing them. */
9619 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9620 b1->stmts = s;
9621 b1->s.k = 0;
9622
9623 gen_and(b0, b1);
9624
9625 return b1;
9626 }
9627
9628 static struct block *
9629 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9630 {
9631 struct block *b0, *b1;
9632 struct slist *s, *s1;
9633
9634 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9635
9636 /* Load the IP header length. We need to account for a
9637 * variable length link prefix if there is one. */
9638 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9639 if (s) {
9640 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9641 s1->s.k = 40;
9642 sappend(s, s1);
9643
9644 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9645 s1->s.k = 0;
9646 sappend(s, s1);
9647 } else {
9648 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9649 s->s.k = 40;
9650 }
9651
9652 /* Forcibly append these statements to the true condition
9653 * of the protocol check by creating a new block that is
9654 * always true and ANDing them. */
9655 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9656 sappend(s, s1);
9657
9658 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9659 b1->stmts = s;
9660 b1->s.k = 0;
9661
9662 gen_and(b0, b1);
9663
9664 return b1;
9665 }
9666
9667 /* We need to store three values based on the Geneve header::
9668 * - The offset of the linktype.
9669 * - The offset of the end of the Geneve header.
9670 * - The offset of the end of the encapsulated MAC header. */
9671 static struct slist *
9672 gen_geneve_offsets(compiler_state_t *cstate)
9673 {
9674 struct slist *s, *s1, *s_proto;
9675
9676 /* First we need to calculate the offset of the Geneve header
9677 * itself. This is composed of the IP header previously calculated
9678 * (include any variable link prefix) and stored in A plus the
9679 * fixed sized headers (fixed link prefix, MAC length, and UDP
9680 * header). */
9681 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9682 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9683
9684 /* Stash this in X since we'll need it later. */
9685 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9686 sappend(s, s1);
9687
9688 /* The EtherType in Geneve is 2 bytes in. Calculate this and
9689 * store it. */
9690 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9691 s1->s.k = 2;
9692 sappend(s, s1);
9693
9694 cstate->off_linktype.reg = alloc_reg(cstate);
9695 cstate->off_linktype.is_variable = 1;
9696 cstate->off_linktype.constant_part = 0;
9697
9698 s1 = new_stmt(cstate, BPF_ST);
9699 s1->s.k = cstate->off_linktype.reg;
9700 sappend(s, s1);
9701
9702 /* Load the Geneve option length and mask and shift to get the
9703 * number of bytes. It is stored in the first byte of the Geneve
9704 * header. */
9705 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
9706 s1->s.k = 0;
9707 sappend(s, s1);
9708
9709 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
9710 s1->s.k = 0x3f;
9711 sappend(s, s1);
9712
9713 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
9714 s1->s.k = 4;
9715 sappend(s, s1);
9716
9717 /* Add in the rest of the Geneve base header. */
9718 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9719 s1->s.k = 8;
9720 sappend(s, s1);
9721
9722 /* Add the Geneve header length to its offset and store. */
9723 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9724 s1->s.k = 0;
9725 sappend(s, s1);
9726
9727 /* Set the encapsulated type as Ethernet. Even though we may
9728 * not actually have Ethernet inside there are two reasons this
9729 * is useful:
9730 * - The linktype field is always in EtherType format regardless
9731 * of whether it is in Geneve or an inner Ethernet frame.
9732 * - The only link layer that we have specific support for is
9733 * Ethernet. We will confirm that the packet actually is
9734 * Ethernet at runtime before executing these checks. */
9735 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9736
9737 s1 = new_stmt(cstate, BPF_ST);
9738 s1->s.k = cstate->off_linkhdr.reg;
9739 sappend(s, s1);
9740
9741 /* Calculate whether we have an Ethernet header or just raw IP/
9742 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
9743 * and linktype by 14 bytes so that the network header can be found
9744 * seamlessly. Otherwise, keep what we've calculated already. */
9745
9746 /* We have a bare jmp so we can't use the optimizer. */
9747 cstate->no_optimize = 1;
9748
9749 /* Load the EtherType in the Geneve header, 2 bytes in. */
9750 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
9751 s1->s.k = 2;
9752 sappend(s, s1);
9753
9754 /* Load X with the end of the Geneve header. */
9755 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9756 s1->s.k = cstate->off_linkhdr.reg;
9757 sappend(s, s1);
9758
9759 /* Check if the EtherType is Transparent Ethernet Bridging. At the
9760 * end of this check, we should have the total length in X. In
9761 * the non-Ethernet case, it's already there. */
9762 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
9763 s_proto->s.k = ETHERTYPE_TEB;
9764 sappend(s, s_proto);
9765
9766 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9767 sappend(s, s1);
9768 s_proto->s.jt = s1;
9769
9770 /* Since this is Ethernet, use the EtherType of the payload
9771 * directly as the linktype. Overwrite what we already have. */
9772 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9773 s1->s.k = 12;
9774 sappend(s, s1);
9775
9776 s1 = new_stmt(cstate, BPF_ST);
9777 s1->s.k = cstate->off_linktype.reg;
9778 sappend(s, s1);
9779
9780 /* Advance two bytes further to get the end of the Ethernet
9781 * header. */
9782 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9783 s1->s.k = 2;
9784 sappend(s, s1);
9785
9786 /* Move the result to X. */
9787 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9788 sappend(s, s1);
9789
9790 /* Store the final result of our linkpl calculation. */
9791 cstate->off_linkpl.reg = alloc_reg(cstate);
9792 cstate->off_linkpl.is_variable = 1;
9793 cstate->off_linkpl.constant_part = 0;
9794
9795 s1 = new_stmt(cstate, BPF_STX);
9796 s1->s.k = cstate->off_linkpl.reg;
9797 sappend(s, s1);
9798 s_proto->s.jf = s1;
9799
9800 cstate->off_nl = 0;
9801
9802 return s;
9803 }
9804
9805 /* Check to see if this is a Geneve packet. */
9806 struct block *
9807 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9808 {
9809 struct block *b0, *b1;
9810 struct slist *s;
9811
9812 /*
9813 * Catch errors reported by us and routines below us, and return NULL
9814 * on an error.
9815 */
9816 if (setjmp(cstate->top_ctx))
9817 return (NULL);
9818
9819 b0 = gen_geneve4(cstate, vni, has_vni);
9820 b1 = gen_geneve6(cstate, vni, has_vni);
9821
9822 gen_or(b0, b1);
9823 b0 = b1;
9824
9825 /* Later filters should act on the payload of the Geneve frame,
9826 * update all of the header pointers. Attach this code so that
9827 * it gets executed in the event that the Geneve filter matches. */
9828 s = gen_geneve_offsets(cstate);
9829
9830 b1 = gen_true(cstate);
9831 sappend(s, b1->stmts);
9832 b1->stmts = s;
9833
9834 gen_and(b0, b1);
9835
9836 cstate->is_encap = 1;
9837
9838 return b1;
9839 }
9840
9841 /* Check that this is VXLAN and the VNI is correct if
9842 * specified. Parameterized to handle both IPv4 and IPv6. */
9843 static struct block *
9844 gen_vxlan_check(compiler_state_t *cstate,
9845 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int),
9846 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9847 {
9848 struct block *b0, *b1;
9849
9850 b0 = gen_portfn(cstate, VXLAN_PORT, IPPROTO_UDP, Q_DST);
9851
9852 /* Check that the VXLAN header has the flag bits set
9853 * correctly. */
9854 b1 = gen_cmp(cstate, offrel, 8, BPF_B, 0x08);
9855 gen_and(b0, b1);
9856 b0 = b1;
9857
9858 if (has_vni) {
9859 if (vni > 0xffffff) {
9860 bpf_error(cstate, "VXLAN VNI %u greater than maximum %u",
9861 vni, 0xffffff);
9862 }
9863 vni <<= 8; /* VNI is in the upper 3 bytes */
9864 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9865 gen_and(b0, b1);
9866 b0 = b1;
9867 }
9868
9869 return b0;
9870 }
9871
9872 /* The IPv4 and IPv6 VXLAN checks need to do two things:
9873 * - Verify that this actually is VXLAN with the right VNI.
9874 * - Place the IP header length (plus variable link prefix if
9875 * needed) into register A to be used later to compute
9876 * the inner packet offsets. */
9877 static struct block *
9878 gen_vxlan4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9879 {
9880 struct block *b0, *b1;
9881 struct slist *s, *s1;
9882
9883 b0 = gen_vxlan_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9884
9885 /* Load the IP header length into A. */
9886 s = gen_loadx_iphdrlen(cstate);
9887
9888 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9889 sappend(s, s1);
9890
9891 /* Forcibly append these statements to the true condition
9892 * of the protocol check by creating a new block that is
9893 * always true and ANDing them. */
9894 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9895 b1->stmts = s;
9896 b1->s.k = 0;
9897
9898 gen_and(b0, b1);
9899
9900 return b1;
9901 }
9902
9903 static struct block *
9904 gen_vxlan6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9905 {
9906 struct block *b0, *b1;
9907 struct slist *s, *s1;
9908
9909 b0 = gen_vxlan_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9910
9911 /* Load the IP header length. We need to account for a
9912 * variable length link prefix if there is one. */
9913 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9914 if (s) {
9915 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9916 s1->s.k = 40;
9917 sappend(s, s1);
9918
9919 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9920 s1->s.k = 0;
9921 sappend(s, s1);
9922 } else {
9923 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9924 s->s.k = 40;
9925 }
9926
9927 /* Forcibly append these statements to the true condition
9928 * of the protocol check by creating a new block that is
9929 * always true and ANDing them. */
9930 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9931 sappend(s, s1);
9932
9933 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9934 b1->stmts = s;
9935 b1->s.k = 0;
9936
9937 gen_and(b0, b1);
9938
9939 return b1;
9940 }
9941
9942 /* We need to store three values based on the VXLAN header:
9943 * - The offset of the linktype.
9944 * - The offset of the end of the VXLAN header.
9945 * - The offset of the end of the encapsulated MAC header. */
9946 static struct slist *
9947 gen_vxlan_offsets(compiler_state_t *cstate)
9948 {
9949 struct slist *s, *s1;
9950
9951 /* Calculate the offset of the VXLAN header itself. This
9952 * includes the IP header computed previously (including any
9953 * variable link prefix) and stored in A plus the fixed size
9954 * headers (fixed link prefix, MAC length, UDP header). */
9955 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9956 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9957
9958 /* Add the VXLAN header length to its offset and store */
9959 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9960 s1->s.k = 8;
9961 sappend(s, s1);
9962
9963 /* Push the link header. VXLAN packets always contain Ethernet
9964 * frames. */
9965 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9966
9967 s1 = new_stmt(cstate, BPF_ST);
9968 s1->s.k = cstate->off_linkhdr.reg;
9969 sappend(s, s1);
9970
9971 /* As the payload is an Ethernet packet, we can use the
9972 * EtherType of the payload directly as the linktype. */
9973 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9974 s1->s.k = 12;
9975 sappend(s, s1);
9976
9977 cstate->off_linktype.reg = alloc_reg(cstate);
9978 cstate->off_linktype.is_variable = 1;
9979 cstate->off_linktype.constant_part = 0;
9980
9981 s1 = new_stmt(cstate, BPF_ST);
9982 s1->s.k = cstate->off_linktype.reg;
9983 sappend(s, s1);
9984
9985 /* Two bytes further is the end of the Ethernet header and the
9986 * start of the payload. */
9987 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9988 s1->s.k = 2;
9989 sappend(s, s1);
9990
9991 /* Move the result to X. */
9992 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9993 sappend(s, s1);
9994
9995 /* Store the final result of our linkpl calculation. */
9996 cstate->off_linkpl.reg = alloc_reg(cstate);
9997 cstate->off_linkpl.is_variable = 1;
9998 cstate->off_linkpl.constant_part = 0;
9999
10000 s1 = new_stmt(cstate, BPF_STX);
10001 s1->s.k = cstate->off_linkpl.reg;
10002 sappend(s, s1);
10003
10004 cstate->off_nl = 0;
10005
10006 return s;
10007 }
10008
10009 /* Check to see if this is a VXLAN packet. */
10010 struct block *
10011 gen_vxlan(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
10012 {
10013 struct block *b0, *b1;
10014 struct slist *s;
10015
10016 /*
10017 * Catch errors reported by us and routines below us, and return NULL
10018 * on an error.
10019 */
10020 if (setjmp(cstate->top_ctx))
10021 return (NULL);
10022
10023 b0 = gen_vxlan4(cstate, vni, has_vni);
10024 b1 = gen_vxlan6(cstate, vni, has_vni);
10025
10026 gen_or(b0, b1);
10027 b0 = b1;
10028
10029 /* Later filters should act on the payload of the VXLAN frame,
10030 * update all of the header pointers. Attach this code so that
10031 * it gets executed in the event that the VXLAN filter matches. */
10032 s = gen_vxlan_offsets(cstate);
10033
10034 b1 = gen_true(cstate);
10035 sappend(s, b1->stmts);
10036 b1->stmts = s;
10037
10038 gen_and(b0, b1);
10039
10040 cstate->is_encap = 1;
10041
10042 return b1;
10043 }
10044
10045 /* Check that the encapsulated frame has a link layer header
10046 * for Ethernet filters. */
10047 static struct block *
10048 gen_encap_ll_check(compiler_state_t *cstate)
10049 {
10050 struct block *b0;
10051 struct slist *s, *s1;
10052
10053 /* The easiest way to see if there is a link layer present
10054 * is to check if the link layer header and payload are not
10055 * the same. */
10056
10057 /* Geneve always generates pure variable offsets so we can
10058 * compare only the registers. */
10059 s = new_stmt(cstate, BPF_LD|BPF_MEM);
10060 s->s.k = cstate->off_linkhdr.reg;
10061
10062 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
10063 s1->s.k = cstate->off_linkpl.reg;
10064 sappend(s, s1);
10065
10066 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
10067 b0->stmts = s;
10068 b0->s.k = 0;
10069 gen_not(b0);
10070
10071 return b0;
10072 }
10073
10074 static struct block *
10075 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield,
10076 bpf_u_int32 jvalue, int jtype, int reverse)
10077 {
10078 struct block *b0;
10079
10080 switch (atmfield) {
10081
10082 case A_VPI:
10083 if (!cstate->is_atm)
10084 bpf_error(cstate, "'vpi' supported only on raw ATM");
10085 if (cstate->off_vpi == OFFSET_NOT_SET)
10086 abort();
10087 if (jvalue > UINT8_MAX)
10088 bpf_error(cstate, "VPI value %u > %u", jvalue, UINT8_MAX);
10089 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B,
10090 0xffffffffU, jtype, reverse, jvalue);
10091 break;
10092
10093 case A_VCI:
10094 if (!cstate->is_atm)
10095 bpf_error(cstate, "'vci' supported only on raw ATM");
10096 if (cstate->off_vci == OFFSET_NOT_SET)
10097 abort();
10098 if (jvalue > UINT16_MAX)
10099 bpf_error(cstate, "VCI value %u > %u", jvalue, UINT16_MAX);
10100 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H,
10101 0xffffffffU, jtype, reverse, jvalue);
10102 break;
10103
10104 case A_PROTOTYPE:
10105 if (cstate->off_proto == OFFSET_NOT_SET)
10106 abort(); /* XXX - this isn't on FreeBSD */
10107 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
10108 0x0fU, jtype, reverse, jvalue);
10109 break;
10110
10111 case A_MSGTYPE:
10112 if (cstate->off_payload == OFFSET_NOT_SET)
10113 abort();
10114 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
10115 0xffffffffU, jtype, reverse, jvalue);
10116 break;
10117
10118 default:
10119 abort();
10120 }
10121 return b0;
10122 }
10123
10124 static struct block *
10125 gen_atmtype_metac(compiler_state_t *cstate)
10126 {
10127 struct block *b0, *b1;
10128
10129 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10130 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0);
10131 gen_and(b0, b1);
10132 return b1;
10133 }
10134
10135 static struct block *
10136 gen_atmtype_sc(compiler_state_t *cstate)
10137 {
10138 struct block *b0, *b1;
10139
10140 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10141 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0);
10142 gen_and(b0, b1);
10143 return b1;
10144 }
10145
10146 static struct block *
10147 gen_atmtype_llc(compiler_state_t *cstate)
10148 {
10149 struct block *b0;
10150
10151 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
10152 cstate->linktype = cstate->prevlinktype;
10153 return b0;
10154 }
10155
10156 struct block *
10157 gen_atmfield_code(compiler_state_t *cstate, int atmfield,
10158 bpf_u_int32 jvalue, int jtype, int reverse)
10159 {
10160 /*
10161 * Catch errors reported by us and routines below us, and return NULL
10162 * on an error.
10163 */
10164 if (setjmp(cstate->top_ctx))
10165 return (NULL);
10166
10167 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype,
10168 reverse);
10169 }
10170
10171 struct block *
10172 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
10173 {
10174 struct block *b0, *b1;
10175
10176 /*
10177 * Catch errors reported by us and routines below us, and return NULL
10178 * on an error.
10179 */
10180 if (setjmp(cstate->top_ctx))
10181 return (NULL);
10182
10183 switch (type) {
10184
10185 case A_METAC:
10186 /* Get all packets in Meta signalling Circuit */
10187 if (!cstate->is_atm)
10188 bpf_error(cstate, "'metac' supported only on raw ATM");
10189 b1 = gen_atmtype_metac(cstate);
10190 break;
10191
10192 case A_BCC:
10193 /* Get all packets in Broadcast Circuit*/
10194 if (!cstate->is_atm)
10195 bpf_error(cstate, "'bcc' supported only on raw ATM");
10196 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10197 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0);
10198 gen_and(b0, b1);
10199 break;
10200
10201 case A_OAMF4SC:
10202 /* Get all cells in Segment OAM F4 circuit*/
10203 if (!cstate->is_atm)
10204 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
10205 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10206 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10207 gen_and(b0, b1);
10208 break;
10209
10210 case A_OAMF4EC:
10211 /* Get all cells in End-to-End OAM F4 Circuit*/
10212 if (!cstate->is_atm)
10213 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
10214 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10215 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10216 gen_and(b0, b1);
10217 break;
10218
10219 case A_SC:
10220 /* Get all packets in connection Signalling Circuit */
10221 if (!cstate->is_atm)
10222 bpf_error(cstate, "'sc' supported only on raw ATM");
10223 b1 = gen_atmtype_sc(cstate);
10224 break;
10225
10226 case A_ILMIC:
10227 /* Get all packets in ILMI Circuit */
10228 if (!cstate->is_atm)
10229 bpf_error(cstate, "'ilmic' supported only on raw ATM");
10230 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10231 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0);
10232 gen_and(b0, b1);
10233 break;
10234
10235 case A_LANE:
10236 /* Get all LANE packets */
10237 if (!cstate->is_atm)
10238 bpf_error(cstate, "'lane' supported only on raw ATM");
10239 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
10240
10241 /*
10242 * Arrange that all subsequent tests assume LANE
10243 * rather than LLC-encapsulated packets, and set
10244 * the offsets appropriately for LANE-encapsulated
10245 * Ethernet.
10246 *
10247 * We assume LANE means Ethernet, not Token Ring.
10248 */
10249 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
10250 cstate->off_payload + 2, /* Ethernet header */
10251 -1);
10252 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
10253 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
10254 cstate->off_nl = 0; /* Ethernet II */
10255 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
10256 break;
10257
10258 default:
10259 abort();
10260 }
10261 return b1;
10262 }
10263
10264 /*
10265 * Filtering for MTP2 messages based on li value
10266 * FISU, length is null
10267 * LSSU, length is 1 or 2
10268 * MSU, length is 3 or more
10269 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
10270 */
10271 struct block *
10272 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
10273 {
10274 struct block *b0, *b1;
10275
10276 /*
10277 * Catch errors reported by us and routines below us, and return NULL
10278 * on an error.
10279 */
10280 if (setjmp(cstate->top_ctx))
10281 return (NULL);
10282
10283 switch (type) {
10284
10285 case M_FISU:
10286 if ( (cstate->linktype != DLT_MTP2) &&
10287 (cstate->linktype != DLT_ERF) &&
10288 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10289 bpf_error(cstate, "'fisu' supported only on MTP2");
10290 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
10291 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10292 0x3fU, BPF_JEQ, 0, 0U);
10293 break;
10294
10295 case M_LSSU:
10296 if ( (cstate->linktype != DLT_MTP2) &&
10297 (cstate->linktype != DLT_ERF) &&
10298 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10299 bpf_error(cstate, "'lssu' supported only on MTP2");
10300 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10301 0x3fU, BPF_JGT, 1, 2U);
10302 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10303 0x3fU, BPF_JGT, 0, 0U);
10304 gen_and(b1, b0);
10305 break;
10306
10307 case M_MSU:
10308 if ( (cstate->linktype != DLT_MTP2) &&
10309 (cstate->linktype != DLT_ERF) &&
10310 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10311 bpf_error(cstate, "'msu' supported only on MTP2");
10312 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10313 0x3fU, BPF_JGT, 0, 2U);
10314 break;
10315
10316 case MH_FISU:
10317 if ( (cstate->linktype != DLT_MTP2) &&
10318 (cstate->linktype != DLT_ERF) &&
10319 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10320 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
10321 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
10322 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10323 0xff80U, BPF_JEQ, 0, 0U);
10324 break;
10325
10326 case MH_LSSU:
10327 if ( (cstate->linktype != DLT_MTP2) &&
10328 (cstate->linktype != DLT_ERF) &&
10329 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10330 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
10331 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10332 0xff80U, BPF_JGT, 1, 0x0100U);
10333 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10334 0xff80U, BPF_JGT, 0, 0U);
10335 gen_and(b1, b0);
10336 break;
10337
10338 case MH_MSU:
10339 if ( (cstate->linktype != DLT_MTP2) &&
10340 (cstate->linktype != DLT_ERF) &&
10341 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10342 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
10343 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10344 0xff80U, BPF_JGT, 0, 0x0100U);
10345 break;
10346
10347 default:
10348 abort();
10349 }
10350 return b0;
10351 }
10352
10353 /*
10354 * These maximum valid values are all-ones, so they double as the bitmasks
10355 * before any bitwise shifting.
10356 */
10357 #define MTP2_SIO_MAXVAL UINT8_MAX
10358 #define MTP3_PC_MAXVAL 0x3fffU
10359 #define MTP3_SLS_MAXVAL 0xfU
10360
10361 static struct block *
10362 gen_mtp3field_code_internal(compiler_state_t *cstate, int mtp3field,
10363 bpf_u_int32 jvalue, int jtype, int reverse)
10364 {
10365 struct block *b0;
10366 u_int newoff_sio;
10367 u_int newoff_opc;
10368 u_int newoff_dpc;
10369 u_int newoff_sls;
10370
10371 newoff_sio = cstate->off_sio;
10372 newoff_opc = cstate->off_opc;
10373 newoff_dpc = cstate->off_dpc;
10374 newoff_sls = cstate->off_sls;
10375 switch (mtp3field) {
10376
10377 /*
10378 * See UTU-T Rec. Q.703, Section 2.2, Figure 3/Q.703.
10379 *
10380 * SIO is the simplest field: the size is one byte and the offset is a
10381 * multiple of bytes, so the only detail to get right is the value of
10382 * the [right-to-left] field offset.
10383 */
10384 case MH_SIO:
10385 newoff_sio += 3; /* offset for MTP2_HSL */
10386 /* FALLTHROUGH */
10387
10388 case M_SIO:
10389 if (cstate->off_sio == OFFSET_NOT_SET)
10390 bpf_error(cstate, "'sio' supported only on SS7");
10391 if(jvalue > MTP2_SIO_MAXVAL)
10392 bpf_error(cstate, "sio value %u too big; max value = %u",
10393 jvalue, MTP2_SIO_MAXVAL);
10394 // Here the bitmask means "do not apply a bitmask".
10395 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, UINT32_MAX,
10396 jtype, reverse, jvalue);
10397 break;
10398
10399 /*
10400 * See UTU-T Rec. Q.704, Section 2.2, Figure 3/Q.704.
10401 *
10402 * SLS, OPC and DPC are more complicated: none of these is sized in a
10403 * multiple of 8 bits, MTP3 encoding is little-endian and MTP packet
10404 * diagrams are meant to be read right-to-left. This means in the
10405 * diagrams within individual fields and concatenations thereof
10406 * bitwise shifts and masks can be noted in the common left-to-right
10407 * manner until each final value is ready to be byte-swapped and
10408 * handed to gen_ncmp(). See also gen_dnhostop(), which solves a
10409 * similar problem in a similar way.
10410 *
10411 * Offsets of fields within the packet header always have the
10412 * right-to-left meaning. Note that in DLT_MTP2 and possibly other
10413 * DLTs the offset does not include the F (Flag) field at the
10414 * beginning of each message.
10415 *
10416 * For example, if the 8-bit SIO field has a 3 byte [RTL] offset, the
10417 * 32-bit standard routing header has a 4 byte [RTL] offset and could
10418 * be tested entirely using a single BPF_W comparison. In this case
10419 * the 14-bit DPC field [LTR] bitmask would be 0x3FFF, the 14-bit OPC
10420 * field [LTR] bitmask would be (0x3FFF << 14) and the 4-bit SLS field
10421 * [LTR] bitmask would be (0xF << 28), all of which conveniently
10422 * correlates with the [RTL] packet diagram until the byte-swapping is
10423 * done before use.
10424 *
10425 * The code below uses this approach for OPC, which spans 3 bytes.
10426 * DPC and SLS use shorter loads, SLS also uses a different offset.
10427 */
10428 case MH_OPC:
10429 newoff_opc += 3;
10430
10431 /* FALLTHROUGH */
10432 case M_OPC:
10433 if (cstate->off_opc == OFFSET_NOT_SET)
10434 bpf_error(cstate, "'opc' supported only on SS7");
10435 if (jvalue > MTP3_PC_MAXVAL)
10436 bpf_error(cstate, "opc value %u too big; max value = %u",
10437 jvalue, MTP3_PC_MAXVAL);
10438 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W,
10439 SWAPLONG(MTP3_PC_MAXVAL << 14), jtype, reverse,
10440 SWAPLONG(jvalue << 14));
10441 break;
10442
10443 case MH_DPC:
10444 newoff_dpc += 3;
10445 /* FALLTHROUGH */
10446
10447 case M_DPC:
10448 if (cstate->off_dpc == OFFSET_NOT_SET)
10449 bpf_error(cstate, "'dpc' supported only on SS7");
10450 if (jvalue > MTP3_PC_MAXVAL)
10451 bpf_error(cstate, "dpc value %u too big; max value = %u",
10452 jvalue, MTP3_PC_MAXVAL);
10453 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_H,
10454 SWAPSHORT(MTP3_PC_MAXVAL), jtype, reverse,
10455 SWAPSHORT(jvalue));
10456 break;
10457
10458 case MH_SLS:
10459 newoff_sls += 3;
10460 /* FALLTHROUGH */
10461
10462 case M_SLS:
10463 if (cstate->off_sls == OFFSET_NOT_SET)
10464 bpf_error(cstate, "'sls' supported only on SS7");
10465 if (jvalue > MTP3_SLS_MAXVAL)
10466 bpf_error(cstate, "sls value %u too big; max value = %u",
10467 jvalue, MTP3_SLS_MAXVAL);
10468 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B,
10469 MTP3_SLS_MAXVAL << 4, jtype, reverse,
10470 jvalue << 4);
10471 break;
10472
10473 default:
10474 abort();
10475 }
10476 return b0;
10477 }
10478
10479 struct block *
10480 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field,
10481 bpf_u_int32 jvalue, int jtype, int reverse)
10482 {
10483 /*
10484 * Catch errors reported by us and routines below us, and return NULL
10485 * on an error.
10486 */
10487 if (setjmp(cstate->top_ctx))
10488 return (NULL);
10489
10490 return gen_mtp3field_code_internal(cstate, mtp3field, jvalue, jtype,
10491 reverse);
10492 }
10493
10494 static struct block *
10495 gen_msg_abbrev(compiler_state_t *cstate, int type)
10496 {
10497 struct block *b1;
10498
10499 /*
10500 * Q.2931 signalling protocol messages for handling virtual circuits
10501 * establishment and teardown
10502 */
10503 switch (type) {
10504
10505 case A_SETUP:
10506 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
10507 break;
10508
10509 case A_CALLPROCEED:
10510 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
10511 break;
10512
10513 case A_CONNECT:
10514 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
10515 break;
10516
10517 case A_CONNECTACK:
10518 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
10519 break;
10520
10521 case A_RELEASE:
10522 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
10523 break;
10524
10525 case A_RELEASE_DONE:
10526 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
10527 break;
10528
10529 default:
10530 abort();
10531 }
10532 return b1;
10533 }
10534
10535 struct block *
10536 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
10537 {
10538 struct block *b0, *b1;
10539
10540 /*
10541 * Catch errors reported by us and routines below us, and return NULL
10542 * on an error.
10543 */
10544 if (setjmp(cstate->top_ctx))
10545 return (NULL);
10546
10547 switch (type) {
10548
10549 case A_OAM:
10550 if (!cstate->is_atm)
10551 bpf_error(cstate, "'oam' supported only on raw ATM");
10552 /* OAM F4 type */
10553 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10554 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10555 gen_or(b0, b1);
10556 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10557 gen_and(b0, b1);
10558 break;
10559
10560 case A_OAMF4:
10561 if (!cstate->is_atm)
10562 bpf_error(cstate, "'oamf4' supported only on raw ATM");
10563 /* OAM F4 type */
10564 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10565 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10566 gen_or(b0, b1);
10567 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10568 gen_and(b0, b1);
10569 break;
10570
10571 case A_CONNECTMSG:
10572 /*
10573 * Get Q.2931 signalling messages for switched
10574 * virtual connection
10575 */
10576 if (!cstate->is_atm)
10577 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
10578 b0 = gen_msg_abbrev(cstate, A_SETUP);
10579 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10580 gen_or(b0, b1);
10581 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10582 gen_or(b0, b1);
10583 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
10584 gen_or(b0, b1);
10585 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10586 gen_or(b0, b1);
10587 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10588 gen_or(b0, b1);
10589 b0 = gen_atmtype_sc(cstate);
10590 gen_and(b0, b1);
10591 break;
10592
10593 case A_METACONNECT:
10594 if (!cstate->is_atm)
10595 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
10596 b0 = gen_msg_abbrev(cstate, A_SETUP);
10597 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10598 gen_or(b0, b1);
10599 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10600 gen_or(b0, b1);
10601 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10602 gen_or(b0, b1);
10603 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10604 gen_or(b0, b1);
10605 b0 = gen_atmtype_metac(cstate);
10606 gen_and(b0, b1);
10607 break;
10608
10609 default:
10610 abort();
10611 }
10612 return b1;
10613 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism