]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
From OpenBSD: fix a comment.
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.29 2005-07-31 19:02:32 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52
53 #endif /* WIN32 */
54
55 #include <stdlib.h>
56 #include <string.h>
57 #include <memory.h>
58 #include <setjmp.h>
59 #include <stdarg.h>
60
61 #ifdef MSDOS
62 #include "pcap-dos.h"
63 #endif
64
65 #include "pcap-int.h"
66
67 #include "ethertype.h"
68 #include "nlpid.h"
69 #include "llc.h"
70 #include "gencode.h"
71 #include "atmuni31.h"
72 #include "sunatmpos.h"
73 #include "ppp.h"
74 #include "sll.h"
75 #include "arcnet.h"
76 #include "pf.h"
77 #ifndef offsetof
78 #define offsetof(s, e) ((size_t)&((s *)0)->e)
79 #endif
80 #ifdef INET6
81 #ifndef WIN32
82 #include <netdb.h> /* for "struct addrinfo" */
83 #endif /* WIN32 */
84 #endif /*INET6*/
85 #include <pcap-namedb.h>
86
87 #define ETHERMTU 1500
88
89 #ifndef IPPROTO_SCTP
90 #define IPPROTO_SCTP 132
91 #endif
92
93 #ifdef HAVE_OS_PROTO_H
94 #include "os-proto.h"
95 #endif
96
97 #define JMP(c) ((c)|BPF_JMP|BPF_K)
98
99 /* Locals */
100 static jmp_buf top_ctx;
101 static pcap_t *bpf_pcap;
102
103 /* Hack for updating VLAN, MPLS offsets. */
104 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
105
106 /* XXX */
107 #ifdef PCAP_FDDIPAD
108 static int pcap_fddipad;
109 #endif
110
111 /* VARARGS */
112 void
113 bpf_error(const char *fmt, ...)
114 {
115 va_list ap;
116
117 va_start(ap, fmt);
118 if (bpf_pcap != NULL)
119 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
120 fmt, ap);
121 va_end(ap);
122 longjmp(top_ctx, 1);
123 /* NOTREACHED */
124 }
125
126 static void init_linktype(pcap_t *);
127
128 static int alloc_reg(void);
129 static void free_reg(int);
130
131 static struct block *root;
132
133 /*
134 * Value passed to gen_load_a() to indicate what the offset argument
135 * is relative to.
136 */
137 enum e_offrel {
138 OR_PACKET, /* relative to the beginning of the packet */
139 OR_LINK, /* relative to the link-layer header */
140 OR_NET, /* relative to the network-layer header */
141 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
142 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
143 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
144 };
145
146 /*
147 * We divy out chunks of memory rather than call malloc each time so
148 * we don't have to worry about leaking memory. It's probably
149 * not a big deal if all this memory was wasted but if this ever
150 * goes into a library that would probably not be a good idea.
151 *
152 * XXX - this *is* in a library....
153 */
154 #define NCHUNKS 16
155 #define CHUNK0SIZE 1024
156 struct chunk {
157 u_int n_left;
158 void *m;
159 };
160
161 static struct chunk chunks[NCHUNKS];
162 static int cur_chunk;
163
164 static void *newchunk(u_int);
165 static void freechunks(void);
166 static inline struct block *new_block(int);
167 static inline struct slist *new_stmt(int);
168 static struct block *gen_retblk(int);
169 static inline void syntax(void);
170
171 static void backpatch(struct block *, struct block *);
172 static void merge(struct block *, struct block *);
173 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
174 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
175 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
176 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
177 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
178 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
179 bpf_u_int32);
180 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
181 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
182 bpf_u_int32, bpf_u_int32, int, bpf_int32);
183 static struct slist *gen_load_llrel(u_int, u_int);
184 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
185 static struct slist *gen_loadx_iphdrlen(void);
186 static struct block *gen_uncond(int);
187 static inline struct block *gen_true(void);
188 static inline struct block *gen_false(void);
189 static struct block *gen_ether_linktype(int);
190 static struct block *gen_linux_sll_linktype(int);
191 static void insert_radiotap_load_llprefixlen(struct block *);
192 static void insert_load_llprefixlen(struct block *);
193 static struct slist *gen_llprefixlen(void);
194 static struct block *gen_linktype(int);
195 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
196 static struct block *gen_llc_linktype(int);
197 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
198 #ifdef INET6
199 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
200 #endif
201 static struct block *gen_ahostop(const u_char *, int);
202 static struct block *gen_ehostop(const u_char *, int);
203 static struct block *gen_fhostop(const u_char *, int);
204 static struct block *gen_thostop(const u_char *, int);
205 static struct block *gen_wlanhostop(const u_char *, int);
206 static struct block *gen_ipfchostop(const u_char *, int);
207 static struct block *gen_dnhostop(bpf_u_int32, int);
208 static struct block *gen_null(int);
209 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
210 #ifdef INET6
211 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
212 #endif
213 #ifndef INET6
214 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
215 #endif
216 static struct block *gen_ipfrag(void);
217 static struct block *gen_portatom(int, bpf_int32);
218 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
219 #ifdef INET6
220 static struct block *gen_portatom6(int, bpf_int32);
221 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
222 #endif
223 struct block *gen_portop(int, int, int);
224 static struct block *gen_port(int, int, int);
225 struct block *gen_portrangeop(int, int, int, int);
226 static struct block *gen_portrange(int, int, int, int);
227 #ifdef INET6
228 struct block *gen_portop6(int, int, int);
229 static struct block *gen_port6(int, int, int);
230 struct block *gen_portrangeop6(int, int, int, int);
231 static struct block *gen_portrange6(int, int, int, int);
232 #endif
233 static int lookup_proto(const char *, int);
234 static struct block *gen_protochain(int, int, int);
235 static struct block *gen_proto(int, int, int);
236 static struct slist *xfer_to_x(struct arth *);
237 static struct slist *xfer_to_a(struct arth *);
238 static struct block *gen_mac_multicast(int);
239 static struct block *gen_len(int, int);
240
241 static struct block *gen_msg_abbrev(int type);
242
243 static void *
244 newchunk(n)
245 u_int n;
246 {
247 struct chunk *cp;
248 int k;
249 size_t size;
250
251 #ifndef __NetBSD__
252 /* XXX Round up to nearest long. */
253 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
254 #else
255 /* XXX Round up to structure boundary. */
256 n = ALIGN(n);
257 #endif
258
259 cp = &chunks[cur_chunk];
260 if (n > cp->n_left) {
261 ++cp, k = ++cur_chunk;
262 if (k >= NCHUNKS)
263 bpf_error("out of memory");
264 size = CHUNK0SIZE << k;
265 cp->m = (void *)malloc(size);
266 if (cp->m == NULL)
267 bpf_error("out of memory");
268 memset((char *)cp->m, 0, size);
269 cp->n_left = size;
270 if (n > size)
271 bpf_error("out of memory");
272 }
273 cp->n_left -= n;
274 return (void *)((char *)cp->m + cp->n_left);
275 }
276
277 static void
278 freechunks()
279 {
280 int i;
281
282 cur_chunk = 0;
283 for (i = 0; i < NCHUNKS; ++i)
284 if (chunks[i].m != NULL) {
285 free(chunks[i].m);
286 chunks[i].m = NULL;
287 }
288 }
289
290 /*
291 * A strdup whose allocations are freed after code generation is over.
292 */
293 char *
294 sdup(s)
295 register const char *s;
296 {
297 int n = strlen(s) + 1;
298 char *cp = newchunk(n);
299
300 strlcpy(cp, s, n);
301 return (cp);
302 }
303
304 static inline struct block *
305 new_block(code)
306 int code;
307 {
308 struct block *p;
309
310 p = (struct block *)newchunk(sizeof(*p));
311 p->s.code = code;
312 p->head = p;
313
314 return p;
315 }
316
317 static inline struct slist *
318 new_stmt(code)
319 int code;
320 {
321 struct slist *p;
322
323 p = (struct slist *)newchunk(sizeof(*p));
324 p->s.code = code;
325
326 return p;
327 }
328
329 static struct block *
330 gen_retblk(v)
331 int v;
332 {
333 struct block *b = new_block(BPF_RET|BPF_K);
334
335 b->s.k = v;
336 return b;
337 }
338
339 static inline void
340 syntax()
341 {
342 bpf_error("syntax error in filter expression");
343 }
344
345 static bpf_u_int32 netmask;
346 static int snaplen;
347 int no_optimize;
348
349 int
350 pcap_compile(pcap_t *p, struct bpf_program *program,
351 char *buf, int optimize, bpf_u_int32 mask)
352 {
353 extern int n_errors;
354 int len;
355
356 no_optimize = 0;
357 n_errors = 0;
358 root = NULL;
359 bpf_pcap = p;
360 if (setjmp(top_ctx)) {
361 lex_cleanup();
362 freechunks();
363 return (-1);
364 }
365
366 netmask = mask;
367
368 snaplen = pcap_snapshot(p);
369 if (snaplen == 0) {
370 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
371 "snaplen of 0 rejects all packets");
372 return -1;
373 }
374
375 lex_init(buf ? buf : "");
376 init_linktype(p);
377 (void)pcap_parse();
378
379 if (n_errors)
380 syntax();
381
382 if (root == NULL)
383 root = gen_retblk(snaplen);
384
385 if (optimize && !no_optimize) {
386 bpf_optimize(&root);
387 if (root == NULL ||
388 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
389 bpf_error("expression rejects all packets");
390 }
391 program->bf_insns = icode_to_fcode(root, &len);
392 program->bf_len = len;
393
394 lex_cleanup();
395 freechunks();
396 return (0);
397 }
398
399 /*
400 * entry point for using the compiler with no pcap open
401 * pass in all the stuff that is needed explicitly instead.
402 */
403 int
404 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
405 struct bpf_program *program,
406 char *buf, int optimize, bpf_u_int32 mask)
407 {
408 pcap_t *p;
409 int ret;
410
411 p = pcap_open_dead(linktype_arg, snaplen_arg);
412 if (p == NULL)
413 return (-1);
414 ret = pcap_compile(p, program, buf, optimize, mask);
415 pcap_close(p);
416 return (ret);
417 }
418
419 /*
420 * Clean up a "struct bpf_program" by freeing all the memory allocated
421 * in it.
422 */
423 void
424 pcap_freecode(struct bpf_program *program)
425 {
426 program->bf_len = 0;
427 if (program->bf_insns != NULL) {
428 free((char *)program->bf_insns);
429 program->bf_insns = NULL;
430 }
431 }
432
433 /*
434 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
435 * which of the jt and jf fields has been resolved and which is a pointer
436 * back to another unresolved block (or nil). At least one of the fields
437 * in each block is already resolved.
438 */
439 static void
440 backpatch(list, target)
441 struct block *list, *target;
442 {
443 struct block *next;
444
445 while (list) {
446 if (!list->sense) {
447 next = JT(list);
448 JT(list) = target;
449 } else {
450 next = JF(list);
451 JF(list) = target;
452 }
453 list = next;
454 }
455 }
456
457 /*
458 * Merge the lists in b0 and b1, using the 'sense' field to indicate
459 * which of jt and jf is the link.
460 */
461 static void
462 merge(b0, b1)
463 struct block *b0, *b1;
464 {
465 register struct block **p = &b0;
466
467 /* Find end of list. */
468 while (*p)
469 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
470
471 /* Concatenate the lists. */
472 *p = b1;
473 }
474
475 void
476 finish_parse(p)
477 struct block *p;
478 {
479 backpatch(p, gen_retblk(snaplen));
480 p->sense = !p->sense;
481 backpatch(p, gen_retblk(0));
482 root = p->head;
483
484 /*
485 * Insert before the statements of the first (root) block any
486 * statements needed to load the lengths of any variable-length
487 * headers into registers.
488 *
489 * XXX - a fancier strategy would be to insert those before the
490 * statements of all blocks that use those lengths and that
491 * have no predecessors that use them, so that we only compute
492 * the lengths if we need them. There might be even better
493 * approaches than that. However, as we're currently only
494 * handling variable-length radiotap headers, and as all
495 * filtering expressions other than raw link[M:N] tests
496 * require the length of that header, doing more for that
497 * header length isn't really worth the effort.
498 */
499 insert_load_llprefixlen(root);
500 }
501
502 void
503 gen_and(b0, b1)
504 struct block *b0, *b1;
505 {
506 backpatch(b0, b1->head);
507 b0->sense = !b0->sense;
508 b1->sense = !b1->sense;
509 merge(b1, b0);
510 b1->sense = !b1->sense;
511 b1->head = b0->head;
512 }
513
514 void
515 gen_or(b0, b1)
516 struct block *b0, *b1;
517 {
518 b0->sense = !b0->sense;
519 backpatch(b0, b1->head);
520 b0->sense = !b0->sense;
521 merge(b1, b0);
522 b1->head = b0->head;
523 }
524
525 void
526 gen_not(b)
527 struct block *b;
528 {
529 b->sense = !b->sense;
530 }
531
532 static struct block *
533 gen_cmp(offrel, offset, size, v)
534 enum e_offrel offrel;
535 u_int offset, size;
536 bpf_int32 v;
537 {
538 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
539 }
540
541 static struct block *
542 gen_cmp_gt(offrel, offset, size, v)
543 enum e_offrel offrel;
544 u_int offset, size;
545 bpf_int32 v;
546 {
547 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
548 }
549
550 static struct block *
551 gen_cmp_ge(offrel, offset, size, v)
552 enum e_offrel offrel;
553 u_int offset, size;
554 bpf_int32 v;
555 {
556 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
557 }
558
559 static struct block *
560 gen_cmp_lt(offrel, offset, size, v)
561 enum e_offrel offrel;
562 u_int offset, size;
563 bpf_int32 v;
564 {
565 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
566 }
567
568 static struct block *
569 gen_cmp_le(offrel, offset, size, v)
570 enum e_offrel offrel;
571 u_int offset, size;
572 bpf_int32 v;
573 {
574 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
575 }
576
577 static struct block *
578 gen_mcmp(offrel, offset, size, v, mask)
579 enum e_offrel offrel;
580 u_int offset, size;
581 bpf_int32 v;
582 bpf_u_int32 mask;
583 {
584 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
585 }
586
587 static struct block *
588 gen_bcmp(offrel, offset, size, v)
589 enum e_offrel offrel;
590 register u_int offset, size;
591 register const u_char *v;
592 {
593 register struct block *b, *tmp;
594
595 b = NULL;
596 while (size >= 4) {
597 register const u_char *p = &v[size - 4];
598 bpf_int32 w = ((bpf_int32)p[0] << 24) |
599 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
600
601 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
602 if (b != NULL)
603 gen_and(b, tmp);
604 b = tmp;
605 size -= 4;
606 }
607 while (size >= 2) {
608 register const u_char *p = &v[size - 2];
609 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
610
611 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
612 if (b != NULL)
613 gen_and(b, tmp);
614 b = tmp;
615 size -= 2;
616 }
617 if (size > 0) {
618 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
619 if (b != NULL)
620 gen_and(b, tmp);
621 b = tmp;
622 }
623 return b;
624 }
625
626 /*
627 * AND the field of size "size" at offset "offset" relative to the header
628 * specified by "offrel" with "mask", and compare it with the value "v"
629 * with the test specified by "jtype"; if "reverse" is true, the test
630 * should test the opposite of "jtype".
631 */
632 static struct block *
633 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
634 enum e_offrel offrel;
635 bpf_int32 v;
636 bpf_u_int32 offset, size, mask, jtype;
637 int reverse;
638 {
639 struct slist *s, *s2;
640 struct block *b;
641
642 s = gen_load_a(offrel, offset, size);
643
644 if (mask != 0xffffffff) {
645 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
646 s2->s.k = mask;
647 sappend(s, s2);
648 }
649
650 b = new_block(JMP(jtype));
651 b->stmts = s;
652 b->s.k = v;
653 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
654 gen_not(b);
655 return b;
656 }
657
658 /*
659 * Various code constructs need to know the layout of the data link
660 * layer. These variables give the necessary offsets from the beginning
661 * of the packet data.
662 *
663 * If the link layer has variable_length headers, the offsets are offsets
664 * from the end of the link-link-layer header, and "reg_ll_size" is
665 * the register number for a register containing the length of the
666 * link-layer header. Otherwise, "reg_ll_size" is -1.
667 */
668 static int reg_ll_size;
669
670 /*
671 * This is the offset of the beginning of the link-layer header.
672 * It's usually 0, except for 802.11 with a fixed-length radio header.
673 */
674 static u_int off_ll;
675
676 /*
677 * This is the offset of the beginning of the MAC-layer header.
678 * It's usually 0, except for ATM LANE.
679 */
680 static u_int off_mac;
681
682 /*
683 * "off_linktype" is the offset to information in the link-layer header
684 * giving the packet type.
685 *
686 * For Ethernet, it's the offset of the Ethernet type field.
687 *
688 * For link-layer types that always use 802.2 headers, it's the
689 * offset of the LLC header.
690 *
691 * For PPP, it's the offset of the PPP type field.
692 *
693 * For Cisco HDLC, it's the offset of the CHDLC type field.
694 *
695 * For BSD loopback, it's the offset of the AF_ value.
696 *
697 * For Linux cooked sockets, it's the offset of the type field.
698 *
699 * It's set to -1 for no encapsulation, in which case, IP is assumed.
700 */
701 static u_int off_linktype;
702
703 /*
704 * TRUE if the link layer includes an ATM pseudo-header.
705 */
706 static int is_atm = 0;
707
708 /*
709 * TRUE if "lane" appeared in the filter; it causes us to generate
710 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
711 */
712 static int is_lane = 0;
713
714 /*
715 * These are offsets for the ATM pseudo-header.
716 */
717 static u_int off_vpi;
718 static u_int off_vci;
719 static u_int off_proto;
720
721 /*
722 * These are offsets for the MTP3 fields.
723 */
724 static u_int off_sio;
725 static u_int off_opc;
726 static u_int off_dpc;
727 static u_int off_sls;
728
729 /*
730 * This is the offset of the first byte after the ATM pseudo_header,
731 * or -1 if there is no ATM pseudo-header.
732 */
733 static u_int off_payload;
734
735 /*
736 * These are offsets to the beginning of the network-layer header.
737 *
738 * If the link layer never uses 802.2 LLC:
739 *
740 * "off_nl" and "off_nl_nosnap" are the same.
741 *
742 * If the link layer always uses 802.2 LLC:
743 *
744 * "off_nl" is the offset if there's a SNAP header following
745 * the 802.2 header;
746 *
747 * "off_nl_nosnap" is the offset if there's no SNAP header.
748 *
749 * If the link layer is Ethernet:
750 *
751 * "off_nl" is the offset if the packet is an Ethernet II packet
752 * (we assume no 802.3+802.2+SNAP);
753 *
754 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
755 * with an 802.2 header following it.
756 */
757 static u_int off_nl;
758 static u_int off_nl_nosnap;
759
760 static int linktype;
761
762 static void
763 init_linktype(p)
764 pcap_t *p;
765 {
766 linktype = pcap_datalink(p);
767 #ifdef PCAP_FDDIPAD
768 pcap_fddipad = p->fddipad;
769 #endif
770
771 /*
772 * Assume it's not raw ATM with a pseudo-header, for now.
773 */
774 off_mac = 0;
775 is_atm = 0;
776 is_lane = 0;
777 off_vpi = -1;
778 off_vci = -1;
779 off_proto = -1;
780 off_payload = -1;
781
782 off_sio = -1;
783 off_opc = -1;
784 off_dpc = -1;
785 off_sls = -1;
786
787 /*
788 * Also assume it's not 802.11 with a fixed-length radio header.
789 */
790 off_ll = 0;
791
792 orig_linktype = -1;
793 orig_nl = -1;
794 label_stack_depth = 0;
795
796 reg_ll_size = -1;
797
798 switch (linktype) {
799
800 case DLT_ARCNET:
801 off_linktype = 2;
802 off_nl = 6; /* XXX in reality, variable! */
803 off_nl_nosnap = 6; /* no 802.2 LLC */
804 return;
805
806 case DLT_ARCNET_LINUX:
807 off_linktype = 4;
808 off_nl = 8; /* XXX in reality, variable! */
809 off_nl_nosnap = 8; /* no 802.2 LLC */
810 return;
811
812 case DLT_EN10MB:
813 off_linktype = 12;
814 off_nl = 14; /* Ethernet II */
815 off_nl_nosnap = 17; /* 802.3+802.2 */
816 return;
817
818 case DLT_SLIP:
819 /*
820 * SLIP doesn't have a link level type. The 16 byte
821 * header is hacked into our SLIP driver.
822 */
823 off_linktype = -1;
824 off_nl = 16;
825 off_nl_nosnap = 16; /* no 802.2 LLC */
826 return;
827
828 case DLT_SLIP_BSDOS:
829 /* XXX this may be the same as the DLT_PPP_BSDOS case */
830 off_linktype = -1;
831 /* XXX end */
832 off_nl = 24;
833 off_nl_nosnap = 24; /* no 802.2 LLC */
834 return;
835
836 case DLT_NULL:
837 case DLT_LOOP:
838 off_linktype = 0;
839 off_nl = 4;
840 off_nl_nosnap = 4; /* no 802.2 LLC */
841 return;
842
843 case DLT_ENC:
844 off_linktype = 0;
845 off_nl = 12;
846 off_nl_nosnap = 12; /* no 802.2 LLC */
847 return;
848
849 case DLT_PPP:
850 case DLT_PPP_PPPD:
851 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
852 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
853 off_linktype = 2;
854 off_nl = 4;
855 off_nl_nosnap = 4; /* no 802.2 LLC */
856 return;
857
858 case DLT_PPP_ETHER:
859 /*
860 * This does no include the Ethernet header, and
861 * only covers session state.
862 */
863 off_linktype = 6;
864 off_nl = 8;
865 off_nl_nosnap = 8; /* no 802.2 LLC */
866 return;
867
868 case DLT_PPP_BSDOS:
869 off_linktype = 5;
870 off_nl = 24;
871 off_nl_nosnap = 24; /* no 802.2 LLC */
872 return;
873
874 case DLT_FDDI:
875 /*
876 * FDDI doesn't really have a link-level type field.
877 * We set "off_linktype" to the offset of the LLC header.
878 *
879 * To check for Ethernet types, we assume that SSAP = SNAP
880 * is being used and pick out the encapsulated Ethernet type.
881 * XXX - should we generate code to check for SNAP?
882 */
883 off_linktype = 13;
884 #ifdef PCAP_FDDIPAD
885 off_linktype += pcap_fddipad;
886 #endif
887 off_nl = 21; /* FDDI+802.2+SNAP */
888 off_nl_nosnap = 16; /* FDDI+802.2 */
889 #ifdef PCAP_FDDIPAD
890 off_nl += pcap_fddipad;
891 off_nl_nosnap += pcap_fddipad;
892 #endif
893 return;
894
895 case DLT_IEEE802:
896 /*
897 * Token Ring doesn't really have a link-level type field.
898 * We set "off_linktype" to the offset of the LLC header.
899 *
900 * To check for Ethernet types, we assume that SSAP = SNAP
901 * is being used and pick out the encapsulated Ethernet type.
902 * XXX - should we generate code to check for SNAP?
903 *
904 * XXX - the header is actually variable-length.
905 * Some various Linux patched versions gave 38
906 * as "off_linktype" and 40 as "off_nl"; however,
907 * if a token ring packet has *no* routing
908 * information, i.e. is not source-routed, the correct
909 * values are 20 and 22, as they are in the vanilla code.
910 *
911 * A packet is source-routed iff the uppermost bit
912 * of the first byte of the source address, at an
913 * offset of 8, has the uppermost bit set. If the
914 * packet is source-routed, the total number of bytes
915 * of routing information is 2 plus bits 0x1F00 of
916 * the 16-bit value at an offset of 14 (shifted right
917 * 8 - figure out which byte that is).
918 */
919 off_linktype = 14;
920 off_nl = 22; /* Token Ring+802.2+SNAP */
921 off_nl_nosnap = 17; /* Token Ring+802.2 */
922 return;
923
924 case DLT_IEEE802_11:
925 /*
926 * 802.11 doesn't really have a link-level type field.
927 * We set "off_linktype" to the offset of the LLC header.
928 *
929 * To check for Ethernet types, we assume that SSAP = SNAP
930 * is being used and pick out the encapsulated Ethernet type.
931 * XXX - should we generate code to check for SNAP?
932 *
933 * XXX - the header is actually variable-length. We
934 * assume a 24-byte link-layer header, as appears in
935 * data frames in networks with no bridges. If the
936 * fromds and tods 802.11 header bits are both set,
937 * it's actually supposed to be 30 bytes.
938 */
939 off_linktype = 24;
940 off_nl = 32; /* 802.11+802.2+SNAP */
941 off_nl_nosnap = 27; /* 802.11+802.2 */
942 return;
943
944 case DLT_PRISM_HEADER:
945 /*
946 * Same as 802.11, but with an additional header before
947 * the 802.11 header, containing a bunch of additional
948 * information including radio-level information.
949 *
950 * The header is 144 bytes long.
951 *
952 * XXX - same variable-length header problem; at least
953 * the Prism header is fixed-length.
954 */
955 off_ll = 144;
956 off_linktype = 144+24;
957 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
958 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
959 return;
960
961 case DLT_IEEE802_11_RADIO_AVS:
962 /*
963 * Same as 802.11, but with an additional header before
964 * the 802.11 header, containing a bunch of additional
965 * information including radio-level information.
966 *
967 * The header is 64 bytes long, at least in its
968 * current incarnation.
969 *
970 * XXX - same variable-length header problem, only
971 * more so; this header is also variable-length,
972 * with the length being the 32-bit big-endian
973 * number at an offset of 4 from the beginning
974 * of the radio header.
975 */
976 off_ll = 64;
977 off_linktype = 64+24;
978 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
979 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
980 return;
981
982 case DLT_IEEE802_11_RADIO:
983 /*
984 * Same as 802.11, but with an additional header before
985 * the 802.11 header, containing a bunch of additional
986 * information including radio-level information.
987 *
988 * The radiotap header is variable length, and we
989 * generate code to compute its length and store it
990 * in a register. These offsets are relative to the
991 * beginning of the 802.11 header.
992 */
993 off_linktype = 24;
994 off_nl = 32; /* 802.11+802.2+SNAP */
995 off_nl_nosnap = 27; /* 802.11+802.2 */
996 return;
997
998 case DLT_ATM_RFC1483:
999 case DLT_ATM_CLIP: /* Linux ATM defines this */
1000 /*
1001 * assume routed, non-ISO PDUs
1002 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1003 *
1004 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1005 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1006 * latter would presumably be treated the way PPPoE
1007 * should be, so you can do "pppoe and udp port 2049"
1008 * or "pppoa and tcp port 80" and have it check for
1009 * PPPo{A,E} and a PPP protocol of IP and....
1010 */
1011 off_linktype = 0;
1012 off_nl = 8; /* 802.2+SNAP */
1013 off_nl_nosnap = 3; /* 802.2 */
1014 return;
1015
1016 case DLT_SUNATM:
1017 /*
1018 * Full Frontal ATM; you get AALn PDUs with an ATM
1019 * pseudo-header.
1020 */
1021 is_atm = 1;
1022 off_vpi = SUNATM_VPI_POS;
1023 off_vci = SUNATM_VCI_POS;
1024 off_proto = PROTO_POS;
1025 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
1026 off_payload = SUNATM_PKT_BEGIN_POS;
1027 off_linktype = off_payload;
1028 off_nl = off_payload+8; /* 802.2+SNAP */
1029 off_nl_nosnap = off_payload+3; /* 802.2 */
1030 return;
1031
1032 case DLT_RAW:
1033 off_linktype = -1;
1034 off_nl = 0;
1035 off_nl_nosnap = 0; /* no 802.2 LLC */
1036 return;
1037
1038 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1039 off_linktype = 14;
1040 off_nl = 16;
1041 off_nl_nosnap = 16; /* no 802.2 LLC */
1042 return;
1043
1044 case DLT_LTALK:
1045 /*
1046 * LocalTalk does have a 1-byte type field in the LLAP header,
1047 * but really it just indicates whether there is a "short" or
1048 * "long" DDP packet following.
1049 */
1050 off_linktype = -1;
1051 off_nl = 0;
1052 off_nl_nosnap = 0; /* no 802.2 LLC */
1053 return;
1054
1055 case DLT_IP_OVER_FC:
1056 /*
1057 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1058 * link-level type field. We set "off_linktype" to the
1059 * offset of the LLC header.
1060 *
1061 * To check for Ethernet types, we assume that SSAP = SNAP
1062 * is being used and pick out the encapsulated Ethernet type.
1063 * XXX - should we generate code to check for SNAP? RFC
1064 * 2625 says SNAP should be used.
1065 */
1066 off_linktype = 16;
1067 off_nl = 24; /* IPFC+802.2+SNAP */
1068 off_nl_nosnap = 19; /* IPFC+802.2 */
1069 return;
1070
1071 case DLT_FRELAY:
1072 /*
1073 * XXX - we should set this to handle SNAP-encapsulated
1074 * frames (NLPID of 0x80).
1075 */
1076 off_linktype = -1;
1077 off_nl = 0;
1078 off_nl_nosnap = 0; /* no 802.2 LLC */
1079 return;
1080
1081 case DLT_APPLE_IP_OVER_IEEE1394:
1082 off_linktype = 16;
1083 off_nl = 18;
1084 off_nl_nosnap = 18; /* no 802.2 LLC */
1085 return;
1086
1087 case DLT_LINUX_IRDA:
1088 /*
1089 * Currently, only raw "link[N:M]" filtering is supported.
1090 */
1091 off_linktype = -1;
1092 off_nl = -1;
1093 off_nl_nosnap = -1;
1094 return;
1095
1096 case DLT_DOCSIS:
1097 /*
1098 * Currently, only raw "link[N:M]" filtering is supported.
1099 */
1100 off_linktype = -1;
1101 off_nl = -1;
1102 off_nl_nosnap = -1;
1103 return;
1104
1105 case DLT_SYMANTEC_FIREWALL:
1106 off_linktype = 6;
1107 off_nl = 44; /* Ethernet II */
1108 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1109 return;
1110
1111 case DLT_PFLOG:
1112 off_linktype = 0;
1113 /* XXX read this from pf.h? */
1114 off_nl = PFLOG_HDRLEN;
1115 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */
1116 return;
1117
1118 case DLT_JUNIPER_MFR:
1119 case DLT_JUNIPER_MLFR:
1120 case DLT_JUNIPER_MLPPP:
1121 off_linktype = 4;
1122 off_nl = 4;
1123 off_nl_nosnap = -1; /* no 802.2 LLC */
1124 return;
1125
1126 case DLT_JUNIPER_ATM1:
1127 off_linktype = 4; /* in reality variable between 4-8 */
1128 off_nl = 4;
1129 off_nl_nosnap = 14;
1130 return;
1131
1132 case DLT_JUNIPER_ATM2:
1133 off_linktype = 8; /* in reality variable between 8-12 */
1134 off_nl = 8;
1135 off_nl_nosnap = 18;
1136 return;
1137
1138 /* frames captured on a Juniper PPPoE service PIC
1139 * contain raw ethernet frames */
1140 case DLT_JUNIPER_PPPOE:
1141 off_linktype = 16;
1142 off_nl = 18; /* Ethernet II */
1143 off_nl_nosnap = 21; /* 802.3+802.2 */
1144 return;
1145
1146 case DLT_JUNIPER_PPPOE_ATM:
1147 off_linktype = 4;
1148 off_nl = 6;
1149 off_nl_nosnap = -1; /* no 802.2 LLC */
1150 return;
1151
1152 case DLT_JUNIPER_GGSN:
1153 off_linktype = 6;
1154 off_nl = 12;
1155 off_nl_nosnap = -1; /* no 802.2 LLC */
1156 return;
1157
1158 case DLT_JUNIPER_ES:
1159 off_linktype = 6;
1160 off_nl = -1; /* not really a network layer but raw IP adresses */
1161 off_nl_nosnap = -1; /* no 802.2 LLC */
1162 return;
1163
1164 case DLT_JUNIPER_MONITOR:
1165 off_linktype = 12;
1166 off_nl = 12; /* raw IP/IP6 header */
1167 off_nl_nosnap = -1; /* no 802.2 LLC */
1168 return;
1169
1170 case DLT_JUNIPER_SERVICES:
1171 off_linktype = 12;
1172 off_nl = -1; /* L3 proto location dep. on cookie type */
1173 off_nl_nosnap = -1; /* no 802.2 LLC */
1174 return;
1175
1176 case DLT_MTP2:
1177 off_sio = 3;
1178 off_opc = 4;
1179 off_dpc = 4;
1180 off_sls = 7;
1181 off_linktype = -1;
1182 off_nl = -1;
1183 off_nl_nosnap = -1;
1184 return;
1185
1186 #ifdef DLT_PFSYNC
1187 case DLT_PFSYNC:
1188 off_linktype = -1;
1189 off_nl = 4;
1190 off_nl_nosnap = 4;
1191 return;
1192 #endif
1193
1194 case DLT_LINUX_LAPD:
1195 /*
1196 * Currently, only raw "link[N:M]" filtering is supported.
1197 */
1198 off_linktype = -1;
1199 off_nl = -1;
1200 off_nl_nosnap = -1;
1201 return;
1202 }
1203 bpf_error("unknown data link type %d", linktype);
1204 /* NOTREACHED */
1205 }
1206
1207 /*
1208 * Load a value relative to the beginning of the link-layer header.
1209 * The link-layer header doesn't necessarily begin at the beginning
1210 * of the packet data; there might be a variable-length prefix containing
1211 * radio information.
1212 */
1213 static struct slist *
1214 gen_load_llrel(offset, size)
1215 u_int offset, size;
1216 {
1217 struct slist *s, *s2;
1218
1219 s = gen_llprefixlen();
1220
1221 /*
1222 * If "s" is non-null, it has code to arrange that the X register
1223 * contains the length of the prefix preceding the link-layer
1224 * header.
1225 */
1226 if (s != NULL) {
1227 s2 = new_stmt(BPF_LD|BPF_IND|size);
1228 s2->s.k = offset;
1229 sappend(s, s2);
1230 } else {
1231 s = new_stmt(BPF_LD|BPF_ABS|size);
1232 s->s.k = offset;
1233 }
1234 return s;
1235 }
1236
1237 /*
1238 * Load a value relative to the beginning of the specified header.
1239 */
1240 static struct slist *
1241 gen_load_a(offrel, offset, size)
1242 enum e_offrel offrel;
1243 u_int offset, size;
1244 {
1245 struct slist *s, *s2;
1246
1247 switch (offrel) {
1248
1249 case OR_PACKET:
1250 s = gen_load_llrel(offset, size);
1251 break;
1252
1253 case OR_LINK:
1254 s = gen_load_llrel(off_ll + offset, size);
1255 break;
1256
1257 case OR_NET:
1258 s = gen_load_llrel(off_nl + offset, size);
1259 break;
1260
1261 case OR_NET_NOSNAP:
1262 s = gen_load_llrel(off_nl_nosnap + offset, size);
1263 break;
1264
1265 case OR_TRAN_IPV4:
1266 /*
1267 * Load the X register with the length of the IPv4 header,
1268 * in bytes.
1269 */
1270 s = gen_loadx_iphdrlen();
1271
1272 /*
1273 * Load the item at {length of the link-layer header} +
1274 * {length of the IPv4 header} + {specified offset}.
1275 */
1276 s2 = new_stmt(BPF_LD|BPF_IND|size);
1277 s2->s.k = off_nl + offset;
1278 sappend(s, s2);
1279 break;
1280
1281 case OR_TRAN_IPV6:
1282 s = gen_load_llrel(off_nl + 40 + offset, size);
1283 break;
1284
1285 default:
1286 abort();
1287 return NULL;
1288 }
1289 return s;
1290 }
1291
1292 /*
1293 * Generate code to load into the X register the sum of the length of
1294 * the IPv4 header and any variable-length header preceding the link-layer
1295 * header.
1296 */
1297 static struct slist *
1298 gen_loadx_iphdrlen()
1299 {
1300 struct slist *s, *s2;
1301
1302 s = gen_llprefixlen();
1303 if (s != NULL) {
1304 /*
1305 * There's a variable-length prefix preceding the
1306 * link-layer header. "s" points to a list of statements
1307 * that put the length of that prefix into the X register.
1308 * The 4*([k]&0xf) addressing mode can't be used, as we
1309 * don't have a constant offset, so we have to load the
1310 * value in question into the A register and add to it
1311 * the value from the X register.
1312 */
1313 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1314 s2->s.k = off_nl;
1315 sappend(s, s2);
1316 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1317 s2->s.k = 0xf;
1318 sappend(s, s2);
1319 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1320 s2->s.k = 2;
1321 sappend(s, s2);
1322
1323 /*
1324 * The A register now contains the length of the
1325 * IP header. We need to add to it the length
1326 * of the prefix preceding the link-layer
1327 * header, which is still in the X register, and
1328 * move the result into the X register.
1329 */
1330 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1331 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1332 } else {
1333 /*
1334 * There is no variable-length header preceding the
1335 * link-layer header; if there's a fixed-length
1336 * header preceding it, its length is included in
1337 * the off_ variables, so it doesn't need to be added.
1338 */
1339 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1340 s->s.k = off_nl;
1341 }
1342 return s;
1343 }
1344
1345 static struct block *
1346 gen_uncond(rsense)
1347 int rsense;
1348 {
1349 struct block *b;
1350 struct slist *s;
1351
1352 s = new_stmt(BPF_LD|BPF_IMM);
1353 s->s.k = !rsense;
1354 b = new_block(JMP(BPF_JEQ));
1355 b->stmts = s;
1356
1357 return b;
1358 }
1359
1360 static inline struct block *
1361 gen_true()
1362 {
1363 return gen_uncond(1);
1364 }
1365
1366 static inline struct block *
1367 gen_false()
1368 {
1369 return gen_uncond(0);
1370 }
1371
1372 /*
1373 * Byte-swap a 32-bit number.
1374 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1375 * big-endian platforms.)
1376 */
1377 #define SWAPLONG(y) \
1378 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1379
1380 /*
1381 * Generate code to match a particular packet type.
1382 *
1383 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1384 * value, if <= ETHERMTU. We use that to determine whether to
1385 * match the type/length field or to check the type/length field for
1386 * a value <= ETHERMTU to see whether it's a type field and then do
1387 * the appropriate test.
1388 */
1389 static struct block *
1390 gen_ether_linktype(proto)
1391 register int proto;
1392 {
1393 struct block *b0, *b1;
1394
1395 switch (proto) {
1396
1397 case LLCSAP_ISONS:
1398 case LLCSAP_IP:
1399 case LLCSAP_NETBEUI:
1400 /*
1401 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1402 * so we check the DSAP and SSAP.
1403 *
1404 * LLCSAP_IP checks for IP-over-802.2, rather
1405 * than IP-over-Ethernet or IP-over-SNAP.
1406 *
1407 * XXX - should we check both the DSAP and the
1408 * SSAP, like this, or should we check just the
1409 * DSAP, as we do for other types <= ETHERMTU
1410 * (i.e., other SAP values)?
1411 */
1412 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1413 gen_not(b0);
1414 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1415 ((proto << 8) | proto));
1416 gen_and(b0, b1);
1417 return b1;
1418
1419 case LLCSAP_IPX:
1420 /*
1421 * Check for;
1422 *
1423 * Ethernet_II frames, which are Ethernet
1424 * frames with a frame type of ETHERTYPE_IPX;
1425 *
1426 * Ethernet_802.3 frames, which are 802.3
1427 * frames (i.e., the type/length field is
1428 * a length field, <= ETHERMTU, rather than
1429 * a type field) with the first two bytes
1430 * after the Ethernet/802.3 header being
1431 * 0xFFFF;
1432 *
1433 * Ethernet_802.2 frames, which are 802.3
1434 * frames with an 802.2 LLC header and
1435 * with the IPX LSAP as the DSAP in the LLC
1436 * header;
1437 *
1438 * Ethernet_SNAP frames, which are 802.3
1439 * frames with an LLC header and a SNAP
1440 * header and with an OUI of 0x000000
1441 * (encapsulated Ethernet) and a protocol
1442 * ID of ETHERTYPE_IPX in the SNAP header.
1443 *
1444 * XXX - should we generate the same code both
1445 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1446 */
1447
1448 /*
1449 * This generates code to check both for the
1450 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1451 */
1452 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1453 (bpf_int32)LLCSAP_IPX);
1454 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H,
1455 (bpf_int32)0xFFFF);
1456 gen_or(b0, b1);
1457
1458 /*
1459 * Now we add code to check for SNAP frames with
1460 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1461 */
1462 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1463 gen_or(b0, b1);
1464
1465 /*
1466 * Now we generate code to check for 802.3
1467 * frames in general.
1468 */
1469 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1470 gen_not(b0);
1471
1472 /*
1473 * Now add the check for 802.3 frames before the
1474 * check for Ethernet_802.2 and Ethernet_802.3,
1475 * as those checks should only be done on 802.3
1476 * frames, not on Ethernet frames.
1477 */
1478 gen_and(b0, b1);
1479
1480 /*
1481 * Now add the check for Ethernet_II frames, and
1482 * do that before checking for the other frame
1483 * types.
1484 */
1485 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1486 (bpf_int32)ETHERTYPE_IPX);
1487 gen_or(b0, b1);
1488 return b1;
1489
1490 case ETHERTYPE_ATALK:
1491 case ETHERTYPE_AARP:
1492 /*
1493 * EtherTalk (AppleTalk protocols on Ethernet link
1494 * layer) may use 802.2 encapsulation.
1495 */
1496
1497 /*
1498 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1499 * we check for an Ethernet type field less than
1500 * 1500, which means it's an 802.3 length field.
1501 */
1502 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1503 gen_not(b0);
1504
1505 /*
1506 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1507 * SNAP packets with an organization code of
1508 * 0x080007 (Apple, for Appletalk) and a protocol
1509 * type of ETHERTYPE_ATALK (Appletalk).
1510 *
1511 * 802.2-encapsulated ETHERTYPE_AARP packets are
1512 * SNAP packets with an organization code of
1513 * 0x000000 (encapsulated Ethernet) and a protocol
1514 * type of ETHERTYPE_AARP (Appletalk ARP).
1515 */
1516 if (proto == ETHERTYPE_ATALK)
1517 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1518 else /* proto == ETHERTYPE_AARP */
1519 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1520 gen_and(b0, b1);
1521
1522 /*
1523 * Check for Ethernet encapsulation (Ethertalk
1524 * phase 1?); we just check for the Ethernet
1525 * protocol type.
1526 */
1527 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1528
1529 gen_or(b0, b1);
1530 return b1;
1531
1532 default:
1533 if (proto <= ETHERMTU) {
1534 /*
1535 * This is an LLC SAP value, so the frames
1536 * that match would be 802.2 frames.
1537 * Check that the frame is an 802.2 frame
1538 * (i.e., that the length/type field is
1539 * a length field, <= ETHERMTU) and
1540 * then check the DSAP.
1541 */
1542 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1543 gen_not(b0);
1544 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1545 (bpf_int32)proto);
1546 gen_and(b0, b1);
1547 return b1;
1548 } else {
1549 /*
1550 * This is an Ethernet type, so compare
1551 * the length/type field with it (if
1552 * the frame is an 802.2 frame, the length
1553 * field will be <= ETHERMTU, and, as
1554 * "proto" is > ETHERMTU, this test
1555 * will fail and the frame won't match,
1556 * which is what we want).
1557 */
1558 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1559 (bpf_int32)proto);
1560 }
1561 }
1562 }
1563
1564 /*
1565 * Generate code to match a particular packet type.
1566 *
1567 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1568 * value, if <= ETHERMTU. We use that to determine whether to
1569 * match the type field or to check the type field for the special
1570 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1571 */
1572 static struct block *
1573 gen_linux_sll_linktype(proto)
1574 register int proto;
1575 {
1576 struct block *b0, *b1;
1577
1578 switch (proto) {
1579
1580 case LLCSAP_ISONS:
1581 case LLCSAP_IP:
1582 case LLCSAP_NETBEUI:
1583 /*
1584 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1585 * so we check the DSAP and SSAP.
1586 *
1587 * LLCSAP_IP checks for IP-over-802.2, rather
1588 * than IP-over-Ethernet or IP-over-SNAP.
1589 *
1590 * XXX - should we check both the DSAP and the
1591 * SSAP, like this, or should we check just the
1592 * DSAP, as we do for other types <= ETHERMTU
1593 * (i.e., other SAP values)?
1594 */
1595 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1596 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1597 ((proto << 8) | proto));
1598 gen_and(b0, b1);
1599 return b1;
1600
1601 case LLCSAP_IPX:
1602 /*
1603 * Ethernet_II frames, which are Ethernet
1604 * frames with a frame type of ETHERTYPE_IPX;
1605 *
1606 * Ethernet_802.3 frames, which have a frame
1607 * type of LINUX_SLL_P_802_3;
1608 *
1609 * Ethernet_802.2 frames, which are 802.3
1610 * frames with an 802.2 LLC header (i.e, have
1611 * a frame type of LINUX_SLL_P_802_2) and
1612 * with the IPX LSAP as the DSAP in the LLC
1613 * header;
1614 *
1615 * Ethernet_SNAP frames, which are 802.3
1616 * frames with an LLC header and a SNAP
1617 * header and with an OUI of 0x000000
1618 * (encapsulated Ethernet) and a protocol
1619 * ID of ETHERTYPE_IPX in the SNAP header.
1620 *
1621 * First, do the checks on LINUX_SLL_P_802_2
1622 * frames; generate the check for either
1623 * Ethernet_802.2 or Ethernet_SNAP frames, and
1624 * then put a check for LINUX_SLL_P_802_2 frames
1625 * before it.
1626 */
1627 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1628 (bpf_int32)LLCSAP_IPX);
1629 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1630 off_linktype + 2);
1631 gen_or(b0, b1);
1632 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1633 gen_and(b0, b1);
1634
1635 /*
1636 * Now check for 802.3 frames and OR that with
1637 * the previous test.
1638 */
1639 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1640 gen_or(b0, b1);
1641
1642 /*
1643 * Now add the check for Ethernet_II frames, and
1644 * do that before checking for the other frame
1645 * types.
1646 */
1647 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1648 (bpf_int32)ETHERTYPE_IPX);
1649 gen_or(b0, b1);
1650 return b1;
1651
1652 case ETHERTYPE_ATALK:
1653 case ETHERTYPE_AARP:
1654 /*
1655 * EtherTalk (AppleTalk protocols on Ethernet link
1656 * layer) may use 802.2 encapsulation.
1657 */
1658
1659 /*
1660 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1661 * we check for the 802.2 protocol type in the
1662 * "Ethernet type" field.
1663 */
1664 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1665
1666 /*
1667 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1668 * SNAP packets with an organization code of
1669 * 0x080007 (Apple, for Appletalk) and a protocol
1670 * type of ETHERTYPE_ATALK (Appletalk).
1671 *
1672 * 802.2-encapsulated ETHERTYPE_AARP packets are
1673 * SNAP packets with an organization code of
1674 * 0x000000 (encapsulated Ethernet) and a protocol
1675 * type of ETHERTYPE_AARP (Appletalk ARP).
1676 */
1677 if (proto == ETHERTYPE_ATALK)
1678 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1679 off_linktype + 2);
1680 else /* proto == ETHERTYPE_AARP */
1681 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1682 off_linktype + 2);
1683 gen_and(b0, b1);
1684
1685 /*
1686 * Check for Ethernet encapsulation (Ethertalk
1687 * phase 1?); we just check for the Ethernet
1688 * protocol type.
1689 */
1690 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1691
1692 gen_or(b0, b1);
1693 return b1;
1694
1695 default:
1696 if (proto <= ETHERMTU) {
1697 /*
1698 * This is an LLC SAP value, so the frames
1699 * that match would be 802.2 frames.
1700 * Check for the 802.2 protocol type
1701 * in the "Ethernet type" field, and
1702 * then check the DSAP.
1703 */
1704 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1705 LINUX_SLL_P_802_2);
1706 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1707 (bpf_int32)proto);
1708 gen_and(b0, b1);
1709 return b1;
1710 } else {
1711 /*
1712 * This is an Ethernet type, so compare
1713 * the length/type field with it (if
1714 * the frame is an 802.2 frame, the length
1715 * field will be <= ETHERMTU, and, as
1716 * "proto" is > ETHERMTU, this test
1717 * will fail and the frame won't match,
1718 * which is what we want).
1719 */
1720 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1721 (bpf_int32)proto);
1722 }
1723 }
1724 }
1725
1726 static void
1727 insert_radiotap_load_llprefixlen(b)
1728 struct block *b;
1729 {
1730 struct slist *s1, *s2;
1731
1732 /*
1733 * Prepend to the statements in this block code to load the
1734 * length of the radiotap header into the register assigned
1735 * to hold that length, if one has been assigned.
1736 */
1737 if (reg_ll_size != -1) {
1738 /*
1739 * The 2 bytes at offsets of 2 and 3 from the beginning
1740 * of the radiotap header are the length of the radiotap
1741 * header; unfortunately, it's little-endian, so we have
1742 * to load it a byte at a time and construct the value.
1743 */
1744
1745 /*
1746 * Load the high-order byte, at an offset of 3, shift it
1747 * left a byte, and put the result in the X register.
1748 */
1749 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1750 s1->s.k = 3;
1751 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1752 sappend(s1, s2);
1753 s2->s.k = 8;
1754 s2 = new_stmt(BPF_MISC|BPF_TAX);
1755 sappend(s1, s2);
1756
1757 /*
1758 * Load the next byte, at an offset of 2, and OR the
1759 * value from the X register into it.
1760 */
1761 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1762 sappend(s1, s2);
1763 s2->s.k = 2;
1764 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1765 sappend(s1, s2);
1766
1767 /*
1768 * Now allocate a register to hold that value and store
1769 * it.
1770 */
1771 s2 = new_stmt(BPF_ST);
1772 s2->s.k = reg_ll_size;
1773 sappend(s1, s2);
1774
1775 /*
1776 * Now move it into the X register.
1777 */
1778 s2 = new_stmt(BPF_MISC|BPF_TAX);
1779 sappend(s1, s2);
1780
1781 /*
1782 * Now append all the existing statements in this
1783 * block to these statements.
1784 */
1785 sappend(s1, b->stmts);
1786 b->stmts = s1;
1787 }
1788 }
1789
1790
1791 static void
1792 insert_load_llprefixlen(b)
1793 struct block *b;
1794 {
1795 switch (linktype) {
1796
1797 case DLT_IEEE802_11_RADIO:
1798 insert_radiotap_load_llprefixlen(b);
1799 }
1800 }
1801
1802
1803 static struct slist *
1804 gen_radiotap_llprefixlen(void)
1805 {
1806 struct slist *s;
1807
1808 if (reg_ll_size == -1) {
1809 /*
1810 * We haven't yet assigned a register for the length
1811 * of the radiotap header; allocate one.
1812 */
1813 reg_ll_size = alloc_reg();
1814 }
1815
1816 /*
1817 * Load the register containing the radiotap length
1818 * into the X register.
1819 */
1820 s = new_stmt(BPF_LDX|BPF_MEM);
1821 s->s.k = reg_ll_size;
1822 return s;
1823 }
1824
1825 /*
1826 * Generate code to compute the link-layer header length, if necessary,
1827 * putting it into the X register, and to return either a pointer to a
1828 * "struct slist" for the list of statements in that code, or NULL if
1829 * no code is necessary.
1830 */
1831 static struct slist *
1832 gen_llprefixlen(void)
1833 {
1834 switch (linktype) {
1835
1836 case DLT_IEEE802_11_RADIO:
1837 return gen_radiotap_llprefixlen();
1838
1839 default:
1840 return NULL;
1841 }
1842 }
1843
1844 /*
1845 * Generate code to match a particular packet type by matching the
1846 * link-layer type field or fields in the 802.2 LLC header.
1847 *
1848 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1849 * value, if <= ETHERMTU.
1850 */
1851 static struct block *
1852 gen_linktype(proto)
1853 register int proto;
1854 {
1855 struct block *b0, *b1, *b2;
1856
1857 /* has the linktype been poisoned by MPLS expression ? */
1858 if (off_linktype == (u_int)-1) {
1859 switch(proto) {
1860 /* FIXME add other L3 proto IDs */
1861 case ETHERTYPE_IP:
1862 case PPP_IP:
1863 return gen_null(Q_IP);
1864 /* FIXME add other L3 proto IDs */
1865 case ETHERTYPE_IPV6:
1866 case PPP_IPV6:
1867 return gen_null(Q_IPV6);
1868 default:
1869 bpf_error("unsupported protocol over mpls");
1870 /* NOTREACHED */
1871 }
1872 }
1873
1874 switch (linktype) {
1875
1876 case DLT_EN10MB:
1877 return gen_ether_linktype(proto);
1878 /*NOTREACHED*/
1879 break;
1880
1881 case DLT_C_HDLC:
1882 switch (proto) {
1883
1884 case LLCSAP_ISONS:
1885 proto = (proto << 8 | LLCSAP_ISONS);
1886 /* fall through */
1887
1888 default:
1889 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1890 (bpf_int32)proto);
1891 /*NOTREACHED*/
1892 break;
1893 }
1894 break;
1895
1896 case DLT_FDDI:
1897 case DLT_IEEE802:
1898 case DLT_IEEE802_11:
1899 case DLT_IEEE802_11_RADIO_AVS:
1900 case DLT_IEEE802_11_RADIO:
1901 case DLT_PRISM_HEADER:
1902 case DLT_ATM_RFC1483:
1903 case DLT_ATM_CLIP:
1904 case DLT_IP_OVER_FC:
1905 return gen_llc_linktype(proto);
1906 /*NOTREACHED*/
1907 break;
1908
1909 case DLT_SUNATM:
1910 /*
1911 * If "is_lane" is set, check for a LANE-encapsulated
1912 * version of this protocol, otherwise check for an
1913 * LLC-encapsulated version of this protocol.
1914 *
1915 * We assume LANE means Ethernet, not Token Ring.
1916 */
1917 if (is_lane) {
1918 /*
1919 * Check that the packet doesn't begin with an
1920 * LE Control marker. (We've already generated
1921 * a test for LANE.)
1922 */
1923 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
1924 0xFF00);
1925 gen_not(b0);
1926
1927 /*
1928 * Now generate an Ethernet test.
1929 */
1930 b1 = gen_ether_linktype(proto);
1931 gen_and(b0, b1);
1932 return b1;
1933 } else {
1934 /*
1935 * Check for LLC encapsulation and then check the
1936 * protocol.
1937 */
1938 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1939 b1 = gen_llc_linktype(proto);
1940 gen_and(b0, b1);
1941 return b1;
1942 }
1943 /*NOTREACHED*/
1944 break;
1945
1946 case DLT_LINUX_SLL:
1947 return gen_linux_sll_linktype(proto);
1948 /*NOTREACHED*/
1949 break;
1950
1951 case DLT_SLIP:
1952 case DLT_SLIP_BSDOS:
1953 case DLT_RAW:
1954 /*
1955 * These types don't provide any type field; packets
1956 * are always IP.
1957 *
1958 * XXX - for IPv4, check for a version number of 4, and,
1959 * for IPv6, check for a version number of 6?
1960 */
1961 switch (proto) {
1962
1963 case ETHERTYPE_IP:
1964 #ifdef INET6
1965 case ETHERTYPE_IPV6:
1966 #endif
1967 return gen_true(); /* always true */
1968
1969 default:
1970 return gen_false(); /* always false */
1971 }
1972 /*NOTREACHED*/
1973 break;
1974
1975 case DLT_PPP:
1976 case DLT_PPP_PPPD:
1977 case DLT_PPP_SERIAL:
1978 case DLT_PPP_ETHER:
1979 /*
1980 * We use Ethernet protocol types inside libpcap;
1981 * map them to the corresponding PPP protocol types.
1982 */
1983 switch (proto) {
1984
1985 case ETHERTYPE_IP:
1986 proto = PPP_IP;
1987 break;
1988
1989 #ifdef INET6
1990 case ETHERTYPE_IPV6:
1991 proto = PPP_IPV6;
1992 break;
1993 #endif
1994
1995 case ETHERTYPE_DN:
1996 proto = PPP_DECNET;
1997 break;
1998
1999 case ETHERTYPE_ATALK:
2000 proto = PPP_APPLE;
2001 break;
2002
2003 case ETHERTYPE_NS:
2004 proto = PPP_NS;
2005 break;
2006
2007 case LLCSAP_ISONS:
2008 proto = PPP_OSI;
2009 break;
2010
2011 case LLCSAP_8021D:
2012 /*
2013 * I'm assuming the "Bridging PDU"s that go
2014 * over PPP are Spanning Tree Protocol
2015 * Bridging PDUs.
2016 */
2017 proto = PPP_BRPDU;
2018 break;
2019
2020 case LLCSAP_IPX:
2021 proto = PPP_IPX;
2022 break;
2023 }
2024 break;
2025
2026 case DLT_PPP_BSDOS:
2027 /*
2028 * We use Ethernet protocol types inside libpcap;
2029 * map them to the corresponding PPP protocol types.
2030 */
2031 switch (proto) {
2032
2033 case ETHERTYPE_IP:
2034 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
2035 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
2036 gen_or(b0, b1);
2037 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
2038 gen_or(b1, b0);
2039 return b0;
2040
2041 #ifdef INET6
2042 case ETHERTYPE_IPV6:
2043 proto = PPP_IPV6;
2044 /* more to go? */
2045 break;
2046 #endif
2047
2048 case ETHERTYPE_DN:
2049 proto = PPP_DECNET;
2050 break;
2051
2052 case ETHERTYPE_ATALK:
2053 proto = PPP_APPLE;
2054 break;
2055
2056 case ETHERTYPE_NS:
2057 proto = PPP_NS;
2058 break;
2059
2060 case LLCSAP_ISONS:
2061 proto = PPP_OSI;
2062 break;
2063
2064 case LLCSAP_8021D:
2065 /*
2066 * I'm assuming the "Bridging PDU"s that go
2067 * over PPP are Spanning Tree Protocol
2068 * Bridging PDUs.
2069 */
2070 proto = PPP_BRPDU;
2071 break;
2072
2073 case LLCSAP_IPX:
2074 proto = PPP_IPX;
2075 break;
2076 }
2077 break;
2078
2079 case DLT_NULL:
2080 case DLT_LOOP:
2081 case DLT_ENC:
2082 /*
2083 * For DLT_NULL, the link-layer header is a 32-bit
2084 * word containing an AF_ value in *host* byte order,
2085 * and for DLT_ENC, the link-layer header begins
2086 * with a 32-bit work containing an AF_ value in
2087 * host byte order.
2088 *
2089 * In addition, if we're reading a saved capture file,
2090 * the host byte order in the capture may not be the
2091 * same as the host byte order on this machine.
2092 *
2093 * For DLT_LOOP, the link-layer header is a 32-bit
2094 * word containing an AF_ value in *network* byte order.
2095 *
2096 * XXX - AF_ values may, unfortunately, be platform-
2097 * dependent; for example, FreeBSD's AF_INET6 is 24
2098 * whilst NetBSD's and OpenBSD's is 26.
2099 *
2100 * This means that, when reading a capture file, just
2101 * checking for our AF_INET6 value won't work if the
2102 * capture file came from another OS.
2103 */
2104 switch (proto) {
2105
2106 case ETHERTYPE_IP:
2107 proto = AF_INET;
2108 break;
2109
2110 #ifdef INET6
2111 case ETHERTYPE_IPV6:
2112 proto = AF_INET6;
2113 break;
2114 #endif
2115
2116 default:
2117 /*
2118 * Not a type on which we support filtering.
2119 * XXX - support those that have AF_ values
2120 * #defined on this platform, at least?
2121 */
2122 return gen_false();
2123 }
2124
2125 if (linktype == DLT_NULL || linktype == DLT_ENC) {
2126 /*
2127 * The AF_ value is in host byte order, but
2128 * the BPF interpreter will convert it to
2129 * network byte order.
2130 *
2131 * If this is a save file, and it's from a
2132 * machine with the opposite byte order to
2133 * ours, we byte-swap the AF_ value.
2134 *
2135 * Then we run it through "htonl()", and
2136 * generate code to compare against the result.
2137 */
2138 if (bpf_pcap->sf.rfile != NULL &&
2139 bpf_pcap->sf.swapped)
2140 proto = SWAPLONG(proto);
2141 proto = htonl(proto);
2142 }
2143 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
2144
2145 case DLT_PFLOG:
2146 /*
2147 * af field is host byte order in contrast to the rest of
2148 * the packet.
2149 */
2150 if (proto == ETHERTYPE_IP)
2151 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2152 BPF_B, (bpf_int32)AF_INET));
2153 #ifdef INET6
2154 else if (proto == ETHERTYPE_IPV6)
2155 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2156 BPF_B, (bpf_int32)AF_INET6));
2157 #endif /* INET6 */
2158 else
2159 return gen_false();
2160 /*NOTREACHED*/
2161 break;
2162
2163 case DLT_ARCNET:
2164 case DLT_ARCNET_LINUX:
2165 /*
2166 * XXX should we check for first fragment if the protocol
2167 * uses PHDS?
2168 */
2169 switch (proto) {
2170
2171 default:
2172 return gen_false();
2173
2174 #ifdef INET6
2175 case ETHERTYPE_IPV6:
2176 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2177 (bpf_int32)ARCTYPE_INET6));
2178 #endif /* INET6 */
2179
2180 case ETHERTYPE_IP:
2181 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2182 (bpf_int32)ARCTYPE_IP);
2183 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2184 (bpf_int32)ARCTYPE_IP_OLD);
2185 gen_or(b0, b1);
2186 return (b1);
2187
2188 case ETHERTYPE_ARP:
2189 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2190 (bpf_int32)ARCTYPE_ARP);
2191 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2192 (bpf_int32)ARCTYPE_ARP_OLD);
2193 gen_or(b0, b1);
2194 return (b1);
2195
2196 case ETHERTYPE_REVARP:
2197 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2198 (bpf_int32)ARCTYPE_REVARP));
2199
2200 case ETHERTYPE_ATALK:
2201 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2202 (bpf_int32)ARCTYPE_ATALK));
2203 }
2204 /*NOTREACHED*/
2205 break;
2206
2207 case DLT_LTALK:
2208 switch (proto) {
2209 case ETHERTYPE_ATALK:
2210 return gen_true();
2211 default:
2212 return gen_false();
2213 }
2214 /*NOTREACHED*/
2215 break;
2216
2217 case DLT_FRELAY:
2218 /*
2219 * XXX - assumes a 2-byte Frame Relay header with
2220 * DLCI and flags. What if the address is longer?
2221 */
2222 switch (proto) {
2223
2224 case ETHERTYPE_IP:
2225 /*
2226 * Check for the special NLPID for IP.
2227 */
2228 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
2229
2230 #ifdef INET6
2231 case ETHERTYPE_IPV6:
2232 /*
2233 * Check for the special NLPID for IPv6.
2234 */
2235 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
2236 #endif
2237
2238 case LLCSAP_ISONS:
2239 /*
2240 * Check for several OSI protocols.
2241 *
2242 * Frame Relay packets typically have an OSI
2243 * NLPID at the beginning; we check for each
2244 * of them.
2245 *
2246 * What we check for is the NLPID and a frame
2247 * control field of UI, i.e. 0x03 followed
2248 * by the NLPID.
2249 */
2250 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
2251 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
2252 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
2253 gen_or(b1, b2);
2254 gen_or(b0, b2);
2255 return b2;
2256
2257 default:
2258 return gen_false();
2259 }
2260 /*NOTREACHED*/
2261 break;
2262
2263 case DLT_JUNIPER_MFR:
2264 case DLT_JUNIPER_MLFR:
2265 case DLT_JUNIPER_MLPPP:
2266 case DLT_JUNIPER_ATM1:
2267 case DLT_JUNIPER_ATM2:
2268 case DLT_JUNIPER_PPPOE:
2269 case DLT_JUNIPER_PPPOE_ATM:
2270 case DLT_JUNIPER_GGSN:
2271 case DLT_JUNIPER_ES:
2272 case DLT_JUNIPER_MONITOR:
2273 case DLT_JUNIPER_SERVICES:
2274 /* just lets verify the magic number for now -
2275 * on ATM we may have up to 6 different encapsulations on the wire
2276 * and need a lot of heuristics to figure out that the payload
2277 * might be;
2278 *
2279 * FIXME encapsulation specific BPF_ filters
2280 */
2281 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
2282
2283 case DLT_LINUX_IRDA:
2284 bpf_error("IrDA link-layer type filtering not implemented");
2285
2286 case DLT_DOCSIS:
2287 bpf_error("DOCSIS link-layer type filtering not implemented");
2288
2289 case DLT_LINUX_LAPD:
2290 bpf_error("LAPD link-layer type filtering not implemented");
2291 }
2292
2293 /*
2294 * All the types that have no encapsulation should either be
2295 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
2296 * all packets are IP packets, or should be handled in some
2297 * special case, if none of them are (if some are and some
2298 * aren't, the lack of encapsulation is a problem, as we'd
2299 * have to find some other way of determining the packet type).
2300 *
2301 * Therefore, if "off_linktype" is -1, there's an error.
2302 */
2303 if (off_linktype == (u_int)-1)
2304 abort();
2305
2306 /*
2307 * Any type not handled above should always have an Ethernet
2308 * type at an offset of "off_linktype". (PPP is partially
2309 * handled above - the protocol type is mapped from the
2310 * Ethernet and LLC types we use internally to the corresponding
2311 * PPP type - but the PPP type is always specified by a value
2312 * at "off_linktype", so we don't have to do the code generation
2313 * above.)
2314 */
2315 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2316 }
2317
2318 /*
2319 * Check for an LLC SNAP packet with a given organization code and
2320 * protocol type; we check the entire contents of the 802.2 LLC and
2321 * snap headers, checking for DSAP and SSAP of SNAP and a control
2322 * field of 0x03 in the LLC header, and for the specified organization
2323 * code and protocol type in the SNAP header.
2324 */
2325 static struct block *
2326 gen_snap(orgcode, ptype, offset)
2327 bpf_u_int32 orgcode;
2328 bpf_u_int32 ptype;
2329 u_int offset;
2330 {
2331 u_char snapblock[8];
2332
2333 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
2334 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
2335 snapblock[2] = 0x03; /* control = UI */
2336 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
2337 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
2338 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
2339 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
2340 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
2341 return gen_bcmp(OR_LINK, offset, 8, snapblock);
2342 }
2343
2344 /*
2345 * Generate code to match a particular packet type, for link-layer types
2346 * using 802.2 LLC headers.
2347 *
2348 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
2349 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
2350 *
2351 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2352 * value, if <= ETHERMTU. We use that to determine whether to
2353 * match the DSAP or both DSAP and LSAP or to check the OUI and
2354 * protocol ID in a SNAP header.
2355 */
2356 static struct block *
2357 gen_llc_linktype(proto)
2358 int proto;
2359 {
2360 /*
2361 * XXX - handle token-ring variable-length header.
2362 */
2363 switch (proto) {
2364
2365 case LLCSAP_IP:
2366 case LLCSAP_ISONS:
2367 case LLCSAP_NETBEUI:
2368 /*
2369 * XXX - should we check both the DSAP and the
2370 * SSAP, like this, or should we check just the
2371 * DSAP, as we do for other types <= ETHERMTU
2372 * (i.e., other SAP values)?
2373 */
2374 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32)
2375 ((proto << 8) | proto));
2376
2377 case LLCSAP_IPX:
2378 /*
2379 * XXX - are there ever SNAP frames for IPX on
2380 * non-Ethernet 802.x networks?
2381 */
2382 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2383 (bpf_int32)LLCSAP_IPX);
2384
2385 case ETHERTYPE_ATALK:
2386 /*
2387 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2388 * SNAP packets with an organization code of
2389 * 0x080007 (Apple, for Appletalk) and a protocol
2390 * type of ETHERTYPE_ATALK (Appletalk).
2391 *
2392 * XXX - check for an organization code of
2393 * encapsulated Ethernet as well?
2394 */
2395 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
2396
2397 default:
2398 /*
2399 * XXX - we don't have to check for IPX 802.3
2400 * here, but should we check for the IPX Ethertype?
2401 */
2402 if (proto <= ETHERMTU) {
2403 /*
2404 * This is an LLC SAP value, so check
2405 * the DSAP.
2406 */
2407 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2408 (bpf_int32)proto);
2409 } else {
2410 /*
2411 * This is an Ethernet type; we assume that it's
2412 * unlikely that it'll appear in the right place
2413 * at random, and therefore check only the
2414 * location that would hold the Ethernet type
2415 * in a SNAP frame with an organization code of
2416 * 0x000000 (encapsulated Ethernet).
2417 *
2418 * XXX - if we were to check for the SNAP DSAP and
2419 * LSAP, as per XXX, and were also to check for an
2420 * organization code of 0x000000 (encapsulated
2421 * Ethernet), we'd do
2422 *
2423 * return gen_snap(0x000000, proto,
2424 * off_linktype);
2425 *
2426 * here; for now, we don't, as per the above.
2427 * I don't know whether it's worth the extra CPU
2428 * time to do the right check or not.
2429 */
2430 return gen_cmp(OR_LINK, off_linktype+6, BPF_H,
2431 (bpf_int32)proto);
2432 }
2433 }
2434 }
2435
2436 static struct block *
2437 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2438 bpf_u_int32 addr;
2439 bpf_u_int32 mask;
2440 int dir, proto;
2441 u_int src_off, dst_off;
2442 {
2443 struct block *b0, *b1;
2444 u_int offset;
2445
2446 switch (dir) {
2447
2448 case Q_SRC:
2449 offset = src_off;
2450 break;
2451
2452 case Q_DST:
2453 offset = dst_off;
2454 break;
2455
2456 case Q_AND:
2457 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2458 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2459 gen_and(b0, b1);
2460 return b1;
2461
2462 case Q_OR:
2463 case Q_DEFAULT:
2464 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2465 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2466 gen_or(b0, b1);
2467 return b1;
2468
2469 default:
2470 abort();
2471 }
2472 b0 = gen_linktype(proto);
2473 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
2474 gen_and(b0, b1);
2475 return b1;
2476 }
2477
2478 #ifdef INET6
2479 static struct block *
2480 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2481 struct in6_addr *addr;
2482 struct in6_addr *mask;
2483 int dir, proto;
2484 u_int src_off, dst_off;
2485 {
2486 struct block *b0, *b1;
2487 u_int offset;
2488 u_int32_t *a, *m;
2489
2490 switch (dir) {
2491
2492 case Q_SRC:
2493 offset = src_off;
2494 break;
2495
2496 case Q_DST:
2497 offset = dst_off;
2498 break;
2499
2500 case Q_AND:
2501 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2502 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2503 gen_and(b0, b1);
2504 return b1;
2505
2506 case Q_OR:
2507 case Q_DEFAULT:
2508 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2509 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2510 gen_or(b0, b1);
2511 return b1;
2512
2513 default:
2514 abort();
2515 }
2516 /* this order is important */
2517 a = (u_int32_t *)addr;
2518 m = (u_int32_t *)mask;
2519 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2520 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2521 gen_and(b0, b1);
2522 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2523 gen_and(b0, b1);
2524 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2525 gen_and(b0, b1);
2526 b0 = gen_linktype(proto);
2527 gen_and(b0, b1);
2528 return b1;
2529 }
2530 #endif /*INET6*/
2531
2532 static struct block *
2533 gen_ehostop(eaddr, dir)
2534 register const u_char *eaddr;
2535 register int dir;
2536 {
2537 register struct block *b0, *b1;
2538
2539 switch (dir) {
2540 case Q_SRC:
2541 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
2542
2543 case Q_DST:
2544 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
2545
2546 case Q_AND:
2547 b0 = gen_ehostop(eaddr, Q_SRC);
2548 b1 = gen_ehostop(eaddr, Q_DST);
2549 gen_and(b0, b1);
2550 return b1;
2551
2552 case Q_DEFAULT:
2553 case Q_OR:
2554 b0 = gen_ehostop(eaddr, Q_SRC);
2555 b1 = gen_ehostop(eaddr, Q_DST);
2556 gen_or(b0, b1);
2557 return b1;
2558 }
2559 abort();
2560 /* NOTREACHED */
2561 }
2562
2563 /*
2564 * Like gen_ehostop, but for DLT_FDDI
2565 */
2566 static struct block *
2567 gen_fhostop(eaddr, dir)
2568 register const u_char *eaddr;
2569 register int dir;
2570 {
2571 struct block *b0, *b1;
2572
2573 switch (dir) {
2574 case Q_SRC:
2575 #ifdef PCAP_FDDIPAD
2576 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
2577 #else
2578 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
2579 #endif
2580
2581 case Q_DST:
2582 #ifdef PCAP_FDDIPAD
2583 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
2584 #else
2585 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
2586 #endif
2587
2588 case Q_AND:
2589 b0 = gen_fhostop(eaddr, Q_SRC);
2590 b1 = gen_fhostop(eaddr, Q_DST);
2591 gen_and(b0, b1);
2592 return b1;
2593
2594 case Q_DEFAULT:
2595 case Q_OR:
2596 b0 = gen_fhostop(eaddr, Q_SRC);
2597 b1 = gen_fhostop(eaddr, Q_DST);
2598 gen_or(b0, b1);
2599 return b1;
2600 }
2601 abort();
2602 /* NOTREACHED */
2603 }
2604
2605 /*
2606 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2607 */
2608 static struct block *
2609 gen_thostop(eaddr, dir)
2610 register const u_char *eaddr;
2611 register int dir;
2612 {
2613 register struct block *b0, *b1;
2614
2615 switch (dir) {
2616 case Q_SRC:
2617 return gen_bcmp(OR_LINK, 8, 6, eaddr);
2618
2619 case Q_DST:
2620 return gen_bcmp(OR_LINK, 2, 6, eaddr);
2621
2622 case Q_AND:
2623 b0 = gen_thostop(eaddr, Q_SRC);
2624 b1 = gen_thostop(eaddr, Q_DST);
2625 gen_and(b0, b1);
2626 return b1;
2627
2628 case Q_DEFAULT:
2629 case Q_OR:
2630 b0 = gen_thostop(eaddr, Q_SRC);
2631 b1 = gen_thostop(eaddr, Q_DST);
2632 gen_or(b0, b1);
2633 return b1;
2634 }
2635 abort();
2636 /* NOTREACHED */
2637 }
2638
2639 /*
2640 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2641 */
2642 static struct block *
2643 gen_wlanhostop(eaddr, dir)
2644 register const u_char *eaddr;
2645 register int dir;
2646 {
2647 register struct block *b0, *b1, *b2;
2648 register struct slist *s;
2649
2650 switch (dir) {
2651 case Q_SRC:
2652 /*
2653 * Oh, yuk.
2654 *
2655 * For control frames, there is no SA.
2656 *
2657 * For management frames, SA is at an
2658 * offset of 10 from the beginning of
2659 * the packet.
2660 *
2661 * For data frames, SA is at an offset
2662 * of 10 from the beginning of the packet
2663 * if From DS is clear, at an offset of
2664 * 16 from the beginning of the packet
2665 * if From DS is set and To DS is clear,
2666 * and an offset of 24 from the beginning
2667 * of the packet if From DS is set and To DS
2668 * is set.
2669 */
2670
2671 /*
2672 * Generate the tests to be done for data frames
2673 * with From DS set.
2674 *
2675 * First, check for To DS set, i.e. check "link[1] & 0x01".
2676 */
2677 s = gen_load_a(OR_LINK, 1, BPF_B);
2678 b1 = new_block(JMP(BPF_JSET));
2679 b1->s.k = 0x01; /* To DS */
2680 b1->stmts = s;
2681
2682 /*
2683 * If To DS is set, the SA is at 24.
2684 */
2685 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
2686 gen_and(b1, b0);
2687
2688 /*
2689 * Now, check for To DS not set, i.e. check
2690 * "!(link[1] & 0x01)".
2691 */
2692 s = gen_load_a(OR_LINK, 1, BPF_B);
2693 b2 = new_block(JMP(BPF_JSET));
2694 b2->s.k = 0x01; /* To DS */
2695 b2->stmts = s;
2696 gen_not(b2);
2697
2698 /*
2699 * If To DS is not set, the SA is at 16.
2700 */
2701 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2702 gen_and(b2, b1);
2703
2704 /*
2705 * Now OR together the last two checks. That gives
2706 * the complete set of checks for data frames with
2707 * From DS set.
2708 */
2709 gen_or(b1, b0);
2710
2711 /*
2712 * Now check for From DS being set, and AND that with
2713 * the ORed-together checks.
2714 */
2715 s = gen_load_a(OR_LINK, 1, BPF_B);
2716 b1 = new_block(JMP(BPF_JSET));
2717 b1->s.k = 0x02; /* From DS */
2718 b1->stmts = s;
2719 gen_and(b1, b0);
2720
2721 /*
2722 * Now check for data frames with From DS not set.
2723 */
2724 s = gen_load_a(OR_LINK, 1, BPF_B);
2725 b2 = new_block(JMP(BPF_JSET));
2726 b2->s.k = 0x02; /* From DS */
2727 b2->stmts = s;
2728 gen_not(b2);
2729
2730 /*
2731 * If From DS isn't set, the SA is at 10.
2732 */
2733 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
2734 gen_and(b2, b1);
2735
2736 /*
2737 * Now OR together the checks for data frames with
2738 * From DS not set and for data frames with From DS
2739 * set; that gives the checks done for data frames.
2740 */
2741 gen_or(b1, b0);
2742
2743 /*
2744 * Now check for a data frame.
2745 * I.e, check "link[0] & 0x08".
2746 */
2747 gen_load_a(OR_LINK, 0, BPF_B);
2748 b1 = new_block(JMP(BPF_JSET));
2749 b1->s.k = 0x08;
2750 b1->stmts = s;
2751
2752 /*
2753 * AND that with the checks done for data frames.
2754 */
2755 gen_and(b1, b0);
2756
2757 /*
2758 * If the high-order bit of the type value is 0, this
2759 * is a management frame.
2760 * I.e, check "!(link[0] & 0x08)".
2761 */
2762 s = gen_load_a(OR_LINK, 0, BPF_B);
2763 b2 = new_block(JMP(BPF_JSET));
2764 b2->s.k = 0x08;
2765 b2->stmts = s;
2766 gen_not(b2);
2767
2768 /*
2769 * For management frames, the SA is at 10.
2770 */
2771 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
2772 gen_and(b2, b1);
2773
2774 /*
2775 * OR that with the checks done for data frames.
2776 * That gives the checks done for management and
2777 * data frames.
2778 */
2779 gen_or(b1, b0);
2780
2781 /*
2782 * If the low-order bit of the type value is 1,
2783 * this is either a control frame or a frame
2784 * with a reserved type, and thus not a
2785 * frame with an SA.
2786 *
2787 * I.e., check "!(link[0] & 0x04)".
2788 */
2789 s = gen_load_a(OR_LINK, 0, BPF_B);
2790 b1 = new_block(JMP(BPF_JSET));
2791 b1->s.k = 0x04;
2792 b1->stmts = s;
2793 gen_not(b1);
2794
2795 /*
2796 * AND that with the checks for data and management
2797 * frames.
2798 */
2799 gen_and(b1, b0);
2800 return b0;
2801
2802 case Q_DST:
2803 /*
2804 * Oh, yuk.
2805 *
2806 * For control frames, there is no DA.
2807 *
2808 * For management frames, DA is at an
2809 * offset of 4 from the beginning of
2810 * the packet.
2811 *
2812 * For data frames, DA is at an offset
2813 * of 4 from the beginning of the packet
2814 * if To DS is clear and at an offset of
2815 * 16 from the beginning of the packet
2816 * if To DS is set.
2817 */
2818
2819 /*
2820 * Generate the tests to be done for data frames.
2821 *
2822 * First, check for To DS set, i.e. "link[1] & 0x01".
2823 */
2824 s = gen_load_a(OR_LINK, 1, BPF_B);
2825 b1 = new_block(JMP(BPF_JSET));
2826 b1->s.k = 0x01; /* To DS */
2827 b1->stmts = s;
2828
2829 /*
2830 * If To DS is set, the DA is at 16.
2831 */
2832 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2833 gen_and(b1, b0);
2834
2835 /*
2836 * Now, check for To DS not set, i.e. check
2837 * "!(link[1] & 0x01)".
2838 */
2839 s = gen_load_a(OR_LINK, 1, BPF_B);
2840 b2 = new_block(JMP(BPF_JSET));
2841 b2->s.k = 0x01; /* To DS */
2842 b2->stmts = s;
2843 gen_not(b2);
2844
2845 /*
2846 * If To DS is not set, the DA is at 4.
2847 */
2848 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
2849 gen_and(b2, b1);
2850
2851 /*
2852 * Now OR together the last two checks. That gives
2853 * the complete set of checks for data frames.
2854 */
2855 gen_or(b1, b0);
2856
2857 /*
2858 * Now check for a data frame.
2859 * I.e, check "link[0] & 0x08".
2860 */
2861 s = gen_load_a(OR_LINK, 0, BPF_B);
2862 b1 = new_block(JMP(BPF_JSET));
2863 b1->s.k = 0x08;
2864 b1->stmts = s;
2865
2866 /*
2867 * AND that with the checks done for data frames.
2868 */
2869 gen_and(b1, b0);
2870
2871 /*
2872 * If the high-order bit of the type value is 0, this
2873 * is a management frame.
2874 * I.e, check "!(link[0] & 0x08)".
2875 */
2876 s = gen_load_a(OR_LINK, 0, BPF_B);
2877 b2 = new_block(JMP(BPF_JSET));
2878 b2->s.k = 0x08;
2879 b2->stmts = s;
2880 gen_not(b2);
2881
2882 /*
2883 * For management frames, the DA is at 4.
2884 */
2885 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
2886 gen_and(b2, b1);
2887
2888 /*
2889 * OR that with the checks done for data frames.
2890 * That gives the checks done for management and
2891 * data frames.
2892 */
2893 gen_or(b1, b0);
2894
2895 /*
2896 * If the low-order bit of the type value is 1,
2897 * this is either a control frame or a frame
2898 * with a reserved type, and thus not a
2899 * frame with an SA.
2900 *
2901 * I.e., check "!(link[0] & 0x04)".
2902 */
2903 s = gen_load_a(OR_LINK, 0, BPF_B);
2904 b1 = new_block(JMP(BPF_JSET));
2905 b1->s.k = 0x04;
2906 b1->stmts = s;
2907 gen_not(b1);
2908
2909 /*
2910 * AND that with the checks for data and management
2911 * frames.
2912 */
2913 gen_and(b1, b0);
2914 return b0;
2915
2916 case Q_AND:
2917 b0 = gen_wlanhostop(eaddr, Q_SRC);
2918 b1 = gen_wlanhostop(eaddr, Q_DST);
2919 gen_and(b0, b1);
2920 return b1;
2921
2922 case Q_DEFAULT:
2923 case Q_OR:
2924 b0 = gen_wlanhostop(eaddr, Q_SRC);
2925 b1 = gen_wlanhostop(eaddr, Q_DST);
2926 gen_or(b0, b1);
2927 return b1;
2928 }
2929 abort();
2930 /* NOTREACHED */
2931 }
2932
2933 /*
2934 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2935 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2936 * as the RFC states.)
2937 */
2938 static struct block *
2939 gen_ipfchostop(eaddr, dir)
2940 register const u_char *eaddr;
2941 register int dir;
2942 {
2943 register struct block *b0, *b1;
2944
2945 switch (dir) {
2946 case Q_SRC:
2947 return gen_bcmp(OR_LINK, 10, 6, eaddr);
2948
2949 case Q_DST:
2950 return gen_bcmp(OR_LINK, 2, 6, eaddr);
2951
2952 case Q_AND:
2953 b0 = gen_ipfchostop(eaddr, Q_SRC);
2954 b1 = gen_ipfchostop(eaddr, Q_DST);
2955 gen_and(b0, b1);
2956 return b1;
2957
2958 case Q_DEFAULT:
2959 case Q_OR:
2960 b0 = gen_ipfchostop(eaddr, Q_SRC);
2961 b1 = gen_ipfchostop(eaddr, Q_DST);
2962 gen_or(b0, b1);
2963 return b1;
2964 }
2965 abort();
2966 /* NOTREACHED */
2967 }
2968
2969 /*
2970 * This is quite tricky because there may be pad bytes in front of the
2971 * DECNET header, and then there are two possible data packet formats that
2972 * carry both src and dst addresses, plus 5 packet types in a format that
2973 * carries only the src node, plus 2 types that use a different format and
2974 * also carry just the src node.
2975 *
2976 * Yuck.
2977 *
2978 * Instead of doing those all right, we just look for data packets with
2979 * 0 or 1 bytes of padding. If you want to look at other packets, that
2980 * will require a lot more hacking.
2981 *
2982 * To add support for filtering on DECNET "areas" (network numbers)
2983 * one would want to add a "mask" argument to this routine. That would
2984 * make the filter even more inefficient, although one could be clever
2985 * and not generate masking instructions if the mask is 0xFFFF.
2986 */
2987 static struct block *
2988 gen_dnhostop(addr, dir)
2989 bpf_u_int32 addr;
2990 int dir;
2991 {
2992 struct block *b0, *b1, *b2, *tmp;
2993 u_int offset_lh; /* offset if long header is received */
2994 u_int offset_sh; /* offset if short header is received */
2995
2996 switch (dir) {
2997
2998 case Q_DST:
2999 offset_sh = 1; /* follows flags */
3000 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
3001 break;
3002
3003 case Q_SRC:
3004 offset_sh = 3; /* follows flags, dstnode */
3005 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
3006 break;
3007
3008 case Q_AND:
3009 /* Inefficient because we do our Calvinball dance twice */
3010 b0 = gen_dnhostop(addr, Q_SRC);
3011 b1 = gen_dnhostop(addr, Q_DST);
3012 gen_and(b0, b1);
3013 return b1;
3014
3015 case Q_OR:
3016 case Q_DEFAULT:
3017 /* Inefficient because we do our Calvinball dance twice */
3018 b0 = gen_dnhostop(addr, Q_SRC);
3019 b1 = gen_dnhostop(addr, Q_DST);
3020 gen_or(b0, b1);
3021 return b1;
3022
3023 case Q_ISO:
3024 bpf_error("ISO host filtering not implemented");
3025
3026 default:
3027 abort();
3028 }
3029 b0 = gen_linktype(ETHERTYPE_DN);
3030 /* Check for pad = 1, long header case */
3031 tmp = gen_mcmp(OR_NET, 2, BPF_H,
3032 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
3033 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
3034 BPF_H, (bpf_int32)ntohs(addr));
3035 gen_and(tmp, b1);
3036 /* Check for pad = 0, long header case */
3037 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
3038 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
3039 gen_and(tmp, b2);
3040 gen_or(b2, b1);
3041 /* Check for pad = 1, short header case */
3042 tmp = gen_mcmp(OR_NET, 2, BPF_H,
3043 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
3044 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
3045 gen_and(tmp, b2);
3046 gen_or(b2, b1);
3047 /* Check for pad = 0, short header case */
3048 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
3049 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
3050 gen_and(tmp, b2);
3051 gen_or(b2, b1);
3052
3053 /* Combine with test for linktype */
3054 gen_and(b0, b1);
3055 return b1;
3056 }
3057
3058 /* generate a null link-layer encapsulation
3059 *
3060 * which is matching for 0x4 in the first byte of the IPv4 header
3061 * matching for 0x6 in the first byte of the IPv6 header
3062 *
3063 * we need this for matching to an IP payload in MPLS packets
3064 */
3065 static struct block *
3066 gen_null(proto)
3067 int proto;
3068 {
3069 struct block *b0, *b1;
3070 switch (proto) {
3071 case Q_IP:
3072 /* match the bottom-of-stack bit */
3073 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3074 /* match the IPv4 version number */
3075 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
3076 gen_and(b0,b1);
3077 return b1;
3078 case Q_IPV6:
3079 /* match the bottom-of-stack bit */
3080 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3081 /* match the IPv4 version number */
3082 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
3083 gen_and(b0,b1);
3084 return b1;
3085 default:
3086 abort();
3087 }
3088 }
3089
3090 static struct block *
3091 gen_host(addr, mask, proto, dir)
3092 bpf_u_int32 addr;
3093 bpf_u_int32 mask;
3094 int proto;
3095 int dir;
3096 {
3097 struct block *b0, *b1;
3098
3099 switch (proto) {
3100
3101 case Q_DEFAULT:
3102 b0 = gen_host(addr, mask, Q_IP, dir);
3103 if (off_linktype != (u_int)-1) {
3104 b1 = gen_host(addr, mask, Q_ARP, dir);
3105 gen_or(b0, b1);
3106 b0 = gen_host(addr, mask, Q_RARP, dir);
3107 gen_or(b1, b0);
3108 }
3109 return b0;
3110
3111 case Q_IP:
3112 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
3113
3114 case Q_RARP:
3115 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
3116
3117 case Q_ARP:
3118 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
3119
3120 case Q_TCP:
3121 bpf_error("'tcp' modifier applied to host");
3122
3123 case Q_SCTP:
3124 bpf_error("'sctp' modifier applied to host");
3125
3126 case Q_UDP:
3127 bpf_error("'udp' modifier applied to host");
3128
3129 case Q_ICMP:
3130 bpf_error("'icmp' modifier applied to host");
3131
3132 case Q_IGMP:
3133 bpf_error("'igmp' modifier applied to host");
3134
3135 case Q_IGRP:
3136 bpf_error("'igrp' modifier applied to host");
3137
3138 case Q_PIM:
3139 bpf_error("'pim' modifier applied to host");
3140
3141 case Q_VRRP:
3142 bpf_error("'vrrp' modifier applied to host");
3143
3144 case Q_ATALK:
3145 bpf_error("ATALK host filtering not implemented");
3146
3147 case Q_AARP:
3148 bpf_error("AARP host filtering not implemented");
3149
3150 case Q_DECNET:
3151 return gen_dnhostop(addr, dir);
3152
3153 case Q_SCA:
3154 bpf_error("SCA host filtering not implemented");
3155
3156 case Q_LAT:
3157 bpf_error("LAT host filtering not implemented");
3158
3159 case Q_MOPDL:
3160 bpf_error("MOPDL host filtering not implemented");
3161
3162 case Q_MOPRC:
3163 bpf_error("MOPRC host filtering not implemented");
3164
3165 #ifdef INET6
3166 case Q_IPV6:
3167 bpf_error("'ip6' modifier applied to ip host");
3168
3169 case Q_ICMPV6:
3170 bpf_error("'icmp6' modifier applied to host");
3171 #endif /* INET6 */
3172
3173 case Q_AH:
3174 bpf_error("'ah' modifier applied to host");
3175
3176 case Q_ESP:
3177 bpf_error("'esp' modifier applied to host");
3178
3179 case Q_ISO:
3180 bpf_error("ISO host filtering not implemented");
3181
3182 case Q_ESIS:
3183 bpf_error("'esis' modifier applied to host");
3184
3185 case Q_ISIS:
3186 bpf_error("'isis' modifier applied to host");
3187
3188 case Q_CLNP:
3189 bpf_error("'clnp' modifier applied to host");
3190
3191 case Q_STP:
3192 bpf_error("'stp' modifier applied to host");
3193
3194 case Q_IPX:
3195 bpf_error("IPX host filtering not implemented");
3196
3197 case Q_NETBEUI:
3198 bpf_error("'netbeui' modifier applied to host");
3199
3200 case Q_RADIO:
3201 bpf_error("'radio' modifier applied to host");
3202
3203 default:
3204 abort();
3205 }
3206 /* NOTREACHED */
3207 }
3208
3209 #ifdef INET6
3210 static struct block *
3211 gen_host6(addr, mask, proto, dir)
3212 struct in6_addr *addr;
3213 struct in6_addr *mask;
3214 int proto;
3215 int dir;
3216 {
3217 switch (proto) {
3218
3219 case Q_DEFAULT:
3220 return gen_host6(addr, mask, Q_IPV6, dir);
3221
3222 case Q_IP:
3223 bpf_error("'ip' modifier applied to ip6 host");
3224
3225 case Q_RARP:
3226 bpf_error("'rarp' modifier applied to ip6 host");
3227
3228 case Q_ARP:
3229 bpf_error("'arp' modifier applied to ip6 host");
3230
3231 case Q_SCTP:
3232 bpf_error("'sctp' modifier applied to host");
3233
3234 case Q_TCP:
3235 bpf_error("'tcp' modifier applied to host");
3236
3237 case Q_UDP:
3238 bpf_error("'udp' modifier applied to host");
3239
3240 case Q_ICMP:
3241 bpf_error("'icmp' modifier applied to host");
3242
3243 case Q_IGMP:
3244 bpf_error("'igmp' modifier applied to host");
3245
3246 case Q_IGRP:
3247 bpf_error("'igrp' modifier applied to host");
3248
3249 case Q_PIM:
3250 bpf_error("'pim' modifier applied to host");
3251
3252 case Q_VRRP:
3253 bpf_error("'vrrp' modifier applied to host");
3254
3255 case Q_ATALK:
3256 bpf_error("ATALK host filtering not implemented");
3257
3258 case Q_AARP:
3259 bpf_error("AARP host filtering not implemented");
3260
3261 case Q_DECNET:
3262 bpf_error("'decnet' modifier applied to ip6 host");
3263
3264 case Q_SCA:
3265 bpf_error("SCA host filtering not implemented");
3266
3267 case Q_LAT:
3268 bpf_error("LAT host filtering not implemented");
3269
3270 case Q_MOPDL:
3271 bpf_error("MOPDL host filtering not implemented");
3272
3273 case Q_MOPRC:
3274 bpf_error("MOPRC host filtering not implemented");
3275
3276 case Q_IPV6:
3277 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
3278
3279 case Q_ICMPV6:
3280 bpf_error("'icmp6' modifier applied to host");
3281
3282 case Q_AH:
3283 bpf_error("'ah' modifier applied to host");
3284
3285 case Q_ESP:
3286 bpf_error("'esp' modifier applied to host");
3287
3288 case Q_ISO:
3289 bpf_error("ISO host filtering not implemented");
3290
3291 case Q_ESIS:
3292 bpf_error("'esis' modifier applied to host");
3293
3294 case Q_ISIS:
3295 bpf_error("'isis' modifier applied to host");
3296
3297 case Q_CLNP:
3298 bpf_error("'clnp' modifier applied to host");
3299
3300 case Q_STP:
3301 bpf_error("'stp' modifier applied to host");
3302
3303 case Q_IPX:
3304 bpf_error("IPX host filtering not implemented");
3305
3306 case Q_NETBEUI:
3307 bpf_error("'netbeui' modifier applied to host");
3308
3309 case Q_RADIO:
3310 bpf_error("'radio' modifier applied to host");
3311
3312 default:
3313 abort();
3314 }
3315 /* NOTREACHED */
3316 }
3317 #endif /*INET6*/
3318
3319 #ifndef INET6
3320 static struct block *
3321 gen_gateway(eaddr, alist, proto, dir)
3322 const u_char *eaddr;
3323 bpf_u_int32 **alist;
3324 int proto;
3325 int dir;
3326 {
3327 struct block *b0, *b1, *tmp;
3328
3329 if (dir != 0)
3330 bpf_error("direction applied to 'gateway'");
3331
3332 switch (proto) {
3333 case Q_DEFAULT:
3334 case Q_IP:
3335 case Q_ARP:
3336 case Q_RARP:
3337 if (linktype == DLT_EN10MB)
3338 b0 = gen_ehostop(eaddr, Q_OR);
3339 else if (linktype == DLT_FDDI)
3340 b0 = gen_fhostop(eaddr, Q_OR);
3341 else if (linktype == DLT_IEEE802)
3342 b0 = gen_thostop(eaddr, Q_OR);
3343 else if (linktype == DLT_IEEE802_11 ||
3344 linktype == DLT_IEEE802_11_RADIO_AVS ||
3345 linktype == DLT_IEEE802_11_RADIO ||
3346 linktype == DLT_PRISM_HEADER)
3347 b0 = gen_wlanhostop(eaddr, Q_OR);
3348 else if (linktype == DLT_SUNATM && is_lane) {
3349 /*
3350 * Check that the packet doesn't begin with an
3351 * LE Control marker. (We've already generated
3352 * a test for LANE.)
3353 */
3354 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3355 0xFF00);
3356 gen_not(b1);
3357
3358 /*
3359 * Now check the MAC address.
3360 */
3361 b0 = gen_ehostop(eaddr, Q_OR);
3362 gen_and(b1, b0);
3363 } else if (linktype == DLT_IP_OVER_FC)
3364 b0 = gen_ipfchostop(eaddr, Q_OR);
3365 else
3366 bpf_error(
3367 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
3368
3369 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
3370 while (*alist) {
3371 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
3372 gen_or(b1, tmp);
3373 b1 = tmp;
3374 }
3375 gen_not(b1);
3376 gen_and(b0, b1);
3377 return b1;
3378 }
3379 bpf_error("illegal modifier of 'gateway'");
3380 /* NOTREACHED */
3381 }
3382 #endif
3383
3384 struct block *
3385 gen_proto_abbrev(proto)
3386 int proto;
3387 {
3388 struct block *b0;
3389 struct block *b1;
3390
3391 switch (proto) {
3392
3393 case Q_SCTP:
3394 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
3395 #ifdef INET6
3396 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
3397 gen_or(b0, b1);
3398 #endif
3399 break;
3400
3401 case Q_TCP:
3402 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
3403 #ifdef INET6
3404 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
3405 gen_or(b0, b1);
3406 #endif
3407 break;
3408
3409 case Q_UDP:
3410 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
3411 #ifdef INET6
3412 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
3413 gen_or(b0, b1);
3414 #endif
3415 break;
3416
3417 case Q_ICMP:
3418 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
3419 break;
3420
3421 #ifndef IPPROTO_IGMP
3422 #define IPPROTO_IGMP 2
3423 #endif
3424
3425 case Q_IGMP:
3426 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
3427 break;
3428
3429 #ifndef IPPROTO_IGRP
3430 #define IPPROTO_IGRP 9
3431 #endif
3432 case Q_IGRP:
3433 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
3434 break;
3435
3436 #ifndef IPPROTO_PIM
3437 #define IPPROTO_PIM 103
3438 #endif
3439
3440 case Q_PIM:
3441 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
3442 #ifdef INET6
3443 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
3444 gen_or(b0, b1);
3445 #endif
3446 break;
3447
3448 #ifndef IPPROTO_VRRP
3449 #define IPPROTO_VRRP 112
3450 #endif
3451
3452 case Q_VRRP:
3453 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
3454 break;
3455
3456 case Q_IP:
3457 b1 = gen_linktype(ETHERTYPE_IP);
3458 break;
3459
3460 case Q_ARP:
3461 b1 = gen_linktype(ETHERTYPE_ARP);
3462 break;
3463
3464 case Q_RARP:
3465 b1 = gen_linktype(ETHERTYPE_REVARP);
3466 break;
3467
3468 case Q_LINK:
3469 bpf_error("link layer applied in wrong context");
3470
3471 case Q_ATALK:
3472 b1 = gen_linktype(ETHERTYPE_ATALK);
3473 break;
3474
3475 case Q_AARP:
3476 b1 = gen_linktype(ETHERTYPE_AARP);
3477 break;
3478
3479 case Q_DECNET:
3480 b1 = gen_linktype(ETHERTYPE_DN);
3481 break;
3482
3483 case Q_SCA:
3484 b1 = gen_linktype(ETHERTYPE_SCA);
3485 break;
3486
3487 case Q_LAT:
3488 b1 = gen_linktype(ETHERTYPE_LAT);
3489 break;
3490
3491 case Q_MOPDL:
3492 b1 = gen_linktype(ETHERTYPE_MOPDL);
3493 break;
3494
3495 case Q_MOPRC:
3496 b1 = gen_linktype(ETHERTYPE_MOPRC);
3497 break;
3498
3499 #ifdef INET6
3500 case Q_IPV6:
3501 b1 = gen_linktype(ETHERTYPE_IPV6);
3502 break;
3503
3504 #ifndef IPPROTO_ICMPV6
3505 #define IPPROTO_ICMPV6 58
3506 #endif
3507 case Q_ICMPV6:
3508 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3509 break;
3510 #endif /* INET6 */
3511
3512 #ifndef IPPROTO_AH
3513 #define IPPROTO_AH 51
3514 #endif
3515 case Q_AH:
3516 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3517 #ifdef INET6
3518 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3519 gen_or(b0, b1);
3520 #endif
3521 break;
3522
3523 #ifndef IPPROTO_ESP
3524 #define IPPROTO_ESP 50
3525 #endif
3526 case Q_ESP:
3527 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3528 #ifdef INET6
3529 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3530 gen_or(b0, b1);
3531 #endif
3532 break;
3533
3534 case Q_ISO:
3535 b1 = gen_linktype(LLCSAP_ISONS);
3536 break;
3537
3538 case Q_ESIS:
3539 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3540 break;
3541
3542 case Q_ISIS:
3543 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3544 break;
3545
3546 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3547 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3548 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3549 gen_or(b0, b1);
3550 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3551 gen_or(b0, b1);
3552 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3553 gen_or(b0, b1);
3554 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3555 gen_or(b0, b1);
3556 break;
3557
3558 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3559 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3560 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3561 gen_or(b0, b1);
3562 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3563 gen_or(b0, b1);
3564 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3565 gen_or(b0, b1);
3566 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3567 gen_or(b0, b1);
3568 break;
3569
3570 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3571 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3572 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3573 gen_or(b0, b1);
3574 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3575 gen_or(b0, b1);
3576 break;
3577
3578 case Q_ISIS_LSP:
3579 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3580 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3581 gen_or(b0, b1);
3582 break;
3583
3584 case Q_ISIS_SNP:
3585 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3586 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3587 gen_or(b0, b1);
3588 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3589 gen_or(b0, b1);
3590 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3591 gen_or(b0, b1);
3592 break;
3593
3594 case Q_ISIS_CSNP:
3595 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3596 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3597 gen_or(b0, b1);
3598 break;
3599
3600 case Q_ISIS_PSNP:
3601 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3602 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3603 gen_or(b0, b1);
3604 break;
3605
3606 case Q_CLNP:
3607 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3608 break;
3609
3610 case Q_STP:
3611 b1 = gen_linktype(LLCSAP_8021D);
3612 break;
3613
3614 case Q_IPX:
3615 b1 = gen_linktype(LLCSAP_IPX);
3616 break;
3617
3618 case Q_NETBEUI:
3619 b1 = gen_linktype(LLCSAP_NETBEUI);
3620 break;
3621
3622 case Q_RADIO:
3623 bpf_error("'radio' is not a valid protocol type");
3624
3625 default:
3626 abort();
3627 }
3628 return b1;
3629 }
3630
3631 static struct block *
3632 gen_ipfrag()
3633 {
3634 struct slist *s;
3635 struct block *b;
3636
3637 /* not ip frag */
3638 s = gen_load_a(OR_NET, 6, BPF_H);
3639 b = new_block(JMP(BPF_JSET));
3640 b->s.k = 0x1fff;
3641 b->stmts = s;
3642 gen_not(b);
3643
3644 return b;
3645 }
3646
3647 /*
3648 * Generate a comparison to a port value in the transport-layer header
3649 * at the specified offset from the beginning of that header.
3650 *
3651 * XXX - this handles a variable-length prefix preceding the link-layer
3652 * header, such as the radiotap or AVS radio prefix, but doesn't handle
3653 * variable-length link-layer headers (such as Token Ring or 802.11
3654 * headers).
3655 */
3656 static struct block *
3657 gen_portatom(off, v)
3658 int off;
3659 bpf_int32 v;
3660 {
3661 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
3662 }
3663
3664 #ifdef INET6
3665 static struct block *
3666 gen_portatom6(off, v)
3667 int off;
3668 bpf_int32 v;
3669 {
3670 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
3671 }
3672 #endif/*INET6*/
3673
3674 struct block *
3675 gen_portop(port, proto, dir)
3676 int port, proto, dir;
3677 {
3678 struct block *b0, *b1, *tmp;
3679
3680 /* ip proto 'proto' */
3681 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
3682 b0 = gen_ipfrag();
3683 gen_and(tmp, b0);
3684
3685 switch (dir) {
3686 case Q_SRC:
3687 b1 = gen_portatom(0, (bpf_int32)port);
3688 break;
3689
3690 case Q_DST:
3691 b1 = gen_portatom(2, (bpf_int32)port);
3692 break;
3693
3694 case Q_OR:
3695 case Q_DEFAULT:
3696 tmp = gen_portatom(0, (bpf_int32)port);
3697 b1 = gen_portatom(2, (bpf_int32)port);
3698 gen_or(tmp, b1);
3699 break;
3700
3701 case Q_AND:
3702 tmp = gen_portatom(0, (bpf_int32)port);
3703 b1 = gen_portatom(2, (bpf_int32)port);
3704 gen_and(tmp, b1);
3705 break;
3706
3707 default:
3708 abort();
3709 }
3710 gen_and(b0, b1);
3711
3712 return b1;
3713 }
3714
3715 static struct block *
3716 gen_port(port, ip_proto, dir)
3717 int port;
3718 int ip_proto;
3719 int dir;
3720 {
3721 struct block *b0, *b1, *tmp;
3722
3723 /*
3724 * ether proto ip
3725 *
3726 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3727 * not LLC encapsulation with LLCSAP_IP.
3728 *
3729 * For IEEE 802 networks - which includes 802.5 token ring
3730 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3731 * says that SNAP encapsulation is used, not LLC encapsulation
3732 * with LLCSAP_IP.
3733 *
3734 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3735 * RFC 2225 say that SNAP encapsulation is used, not LLC
3736 * encapsulation with LLCSAP_IP.
3737 *
3738 * So we always check for ETHERTYPE_IP.
3739 */
3740 b0 = gen_linktype(ETHERTYPE_IP);
3741
3742 switch (ip_proto) {
3743 case IPPROTO_UDP:
3744 case IPPROTO_TCP:
3745 case IPPROTO_SCTP:
3746 b1 = gen_portop(port, ip_proto, dir);
3747 break;
3748
3749 case PROTO_UNDEF:
3750 tmp = gen_portop(port, IPPROTO_TCP, dir);
3751 b1 = gen_portop(port, IPPROTO_UDP, dir);
3752 gen_or(tmp, b1);
3753 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3754 gen_or(tmp, b1);
3755 break;
3756
3757 default:
3758 abort();
3759 }
3760 gen_and(b0, b1);
3761 return b1;
3762 }
3763
3764 #ifdef INET6
3765 struct block *
3766 gen_portop6(port, proto, dir)
3767 int port, proto, dir;
3768 {
3769 struct block *b0, *b1, *tmp;
3770
3771 /* ip6 proto 'proto' */
3772 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
3773
3774 switch (dir) {
3775 case Q_SRC:
3776 b1 = gen_portatom6(0, (bpf_int32)port);
3777 break;
3778
3779 case Q_DST:
3780 b1 = gen_portatom6(2, (bpf_int32)port);
3781 break;
3782
3783 case Q_OR:
3784 case Q_DEFAULT:
3785 tmp = gen_portatom6(0, (bpf_int32)port);
3786 b1 = gen_portatom6(2, (bpf_int32)port);
3787 gen_or(tmp, b1);
3788 break;
3789
3790 case Q_AND:
3791 tmp = gen_portatom6(0, (bpf_int32)port);
3792 b1 = gen_portatom6(2, (bpf_int32)port);
3793 gen_and(tmp, b1);
3794 break;
3795
3796 default:
3797 abort();
3798 }
3799 gen_and(b0, b1);
3800
3801 return b1;
3802 }
3803
3804 static struct block *
3805 gen_port6(port, ip_proto, dir)
3806 int port;
3807 int ip_proto;
3808 int dir;
3809 {
3810 struct block *b0, *b1, *tmp;
3811
3812 /* link proto ip6 */
3813 b0 = gen_linktype(ETHERTYPE_IPV6);
3814
3815 switch (ip_proto) {
3816 case IPPROTO_UDP:
3817 case IPPROTO_TCP:
3818 case IPPROTO_SCTP:
3819 b1 = gen_portop6(port, ip_proto, dir);
3820 break;
3821
3822 case PROTO_UNDEF:
3823 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3824 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3825 gen_or(tmp, b1);
3826 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3827 gen_or(tmp, b1);
3828 break;
3829
3830 default:
3831 abort();
3832 }
3833 gen_and(b0, b1);
3834 return b1;
3835 }
3836 #endif /* INET6 */
3837
3838 /* gen_portrange code */
3839 static struct block *
3840 gen_portrangeatom(off, v1, v2)
3841 int off;
3842 bpf_int32 v1, v2;
3843 {
3844 struct block *b1, *b2;
3845
3846 if (v1 > v2) {
3847 /*
3848 * Reverse the order of the ports, so v1 is the lower one.
3849 */
3850 bpf_int32 vtemp;
3851
3852 vtemp = v1;
3853 v1 = v2;
3854 v2 = vtemp;
3855 }
3856
3857 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
3858 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
3859
3860 gen_and(b1, b2);
3861
3862 return b2;
3863 }
3864
3865 struct block *
3866 gen_portrangeop(port1, port2, proto, dir)
3867 int port1, port2;
3868 int proto;
3869 int dir;
3870 {
3871 struct block *b0, *b1, *tmp;
3872
3873 /* ip proto 'proto' */
3874 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
3875 b0 = gen_ipfrag();
3876 gen_and(tmp, b0);
3877
3878 switch (dir) {
3879 case Q_SRC:
3880 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3881 break;
3882
3883 case Q_DST:
3884 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3885 break;
3886
3887 case Q_OR:
3888 case Q_DEFAULT:
3889 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3890 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3891 gen_or(tmp, b1);
3892 break;
3893
3894 case Q_AND:
3895 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3896 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3897 gen_and(tmp, b1);
3898 break;
3899
3900 default:
3901 abort();
3902 }
3903 gen_and(b0, b1);
3904
3905 return b1;
3906 }
3907
3908 static struct block *
3909 gen_portrange(port1, port2, ip_proto, dir)
3910 int port1, port2;
3911 int ip_proto;
3912 int dir;
3913 {
3914 struct block *b0, *b1, *tmp;
3915
3916 /* link proto ip */
3917 b0 = gen_linktype(ETHERTYPE_IP);
3918
3919 switch (ip_proto) {
3920 case IPPROTO_UDP:
3921 case IPPROTO_TCP:
3922 case IPPROTO_SCTP:
3923 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
3924 break;
3925
3926 case PROTO_UNDEF:
3927 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
3928 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
3929 gen_or(tmp, b1);
3930 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
3931 gen_or(tmp, b1);
3932 break;
3933
3934 default:
3935 abort();
3936 }
3937 gen_and(b0, b1);
3938 return b1;
3939 }
3940
3941 #ifdef INET6
3942 static struct block *
3943 gen_portrangeatom6(off, v1, v2)
3944 int off;
3945 bpf_int32 v1, v2;
3946 {
3947 struct block *b1, *b2;
3948
3949 if (v1 > v2) {
3950 /*
3951 * Reverse the order of the ports, so v1 is the lower one.
3952 */
3953 bpf_int32 vtemp;
3954
3955 vtemp = v1;
3956 v1 = v2;
3957 v2 = vtemp;
3958 }
3959
3960 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
3961 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
3962
3963 gen_and(b1, b2);
3964
3965 return b2;
3966 }
3967
3968 struct block *
3969 gen_portrangeop6(port1, port2, proto, dir)
3970 int port1, port2;
3971 int proto;
3972 int dir;
3973 {
3974 struct block *b0, *b1, *tmp;
3975
3976 /* ip6 proto 'proto' */
3977 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
3978
3979 switch (dir) {
3980 case Q_SRC:
3981 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3982 break;
3983
3984 case Q_DST:
3985 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3986 break;
3987
3988 case Q_OR:
3989 case Q_DEFAULT:
3990 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3991 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3992 gen_or(tmp, b1);
3993 break;
3994
3995 case Q_AND:
3996 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3997 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3998 gen_and(tmp, b1);
3999 break;
4000
4001 default:
4002 abort();
4003 }
4004 gen_and(b0, b1);
4005
4006 return b1;
4007 }
4008
4009 static struct block *
4010 gen_portrange6(port1, port2, ip_proto, dir)
4011 int port1, port2;
4012 int ip_proto;
4013 int dir;
4014 {
4015 struct block *b0, *b1, *tmp;
4016
4017 /* link proto ip6 */
4018 b0 = gen_linktype(ETHERTYPE_IPV6);
4019
4020 switch (ip_proto) {
4021 case IPPROTO_UDP:
4022 case IPPROTO_TCP:
4023 case IPPROTO_SCTP:
4024 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
4025 break;
4026
4027 case PROTO_UNDEF:
4028 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
4029 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
4030 gen_or(tmp, b1);
4031 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
4032 gen_or(tmp, b1);
4033 break;
4034
4035 default:
4036 abort();
4037 }
4038 gen_and(b0, b1);
4039 return b1;
4040 }
4041 #endif /* INET6 */
4042
4043 static int
4044 lookup_proto(name, proto)
4045 register const char *name;
4046 register int proto;
4047 {
4048 register int v;
4049
4050 switch (proto) {
4051
4052 case Q_DEFAULT:
4053 case Q_IP:
4054 case Q_IPV6:
4055 v = pcap_nametoproto(name);
4056 if (v == PROTO_UNDEF)
4057 bpf_error("unknown ip proto '%s'", name);
4058 break;
4059
4060 case Q_LINK:
4061 /* XXX should look up h/w protocol type based on linktype */
4062 v = pcap_nametoeproto(name);
4063 if (v == PROTO_UNDEF) {
4064 v = pcap_nametollc(name);
4065 if (v == PROTO_UNDEF)
4066 bpf_error("unknown ether proto '%s'", name);
4067 }
4068 break;
4069
4070 case Q_ISO:
4071 if (strcmp(name, "esis") == 0)
4072 v = ISO9542_ESIS;
4073 else if (strcmp(name, "isis") == 0)
4074 v = ISO10589_ISIS;
4075 else if (strcmp(name, "clnp") == 0)
4076 v = ISO8473_CLNP;
4077 else
4078 bpf_error("unknown osi proto '%s'", name);
4079 break;
4080
4081 default:
4082 v = PROTO_UNDEF;
4083 break;
4084 }
4085 return v;
4086 }
4087
4088 #if 0
4089 struct stmt *
4090 gen_joinsp(s, n)
4091 struct stmt **s;
4092 int n;
4093 {
4094 return NULL;
4095 }
4096 #endif
4097
4098 static struct block *
4099 gen_protochain(v, proto, dir)
4100 int v;
4101 int proto;
4102 int dir;
4103 {
4104 #ifdef NO_PROTOCHAIN
4105 return gen_proto(v, proto, dir);
4106 #else
4107 struct block *b0, *b;
4108 struct slist *s[100];
4109 int fix2, fix3, fix4, fix5;
4110 int ahcheck, again, end;
4111 int i, max;
4112 int reg2 = alloc_reg();
4113
4114 memset(s, 0, sizeof(s));
4115 fix2 = fix3 = fix4 = fix5 = 0;
4116
4117 switch (proto) {
4118 case Q_IP:
4119 case Q_IPV6:
4120 break;
4121 case Q_DEFAULT:
4122 b0 = gen_protochain(v, Q_IP, dir);
4123 b = gen_protochain(v, Q_IPV6, dir);
4124 gen_or(b0, b);
4125 return b;
4126 default:
4127 bpf_error("bad protocol applied for 'protochain'");
4128 /*NOTREACHED*/
4129 }
4130
4131 /*
4132 * We don't handle variable-length radiotap here headers yet.
4133 * We might want to add BPF instructions to do the protochain
4134 * work, to simplify that and, on platforms that have a BPF
4135 * interpreter with the new instructions, let the filtering
4136 * be done in the kernel. (We already require a modified BPF
4137 * engine to do the protochain stuff, to support backward
4138 * branches, and backward branch support is unlikely to appear
4139 * in kernel BPF engines.)
4140 */
4141 if (linktype == DLT_IEEE802_11_RADIO)
4142 bpf_error("'protochain' not supported with radiotap headers");
4143
4144 no_optimize = 1; /*this code is not compatible with optimzer yet */
4145
4146 /*
4147 * s[0] is a dummy entry to protect other BPF insn from damage
4148 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
4149 * hard to find interdependency made by jump table fixup.
4150 */
4151 i = 0;
4152 s[i] = new_stmt(0); /*dummy*/
4153 i++;
4154
4155 switch (proto) {
4156 case Q_IP:
4157 b0 = gen_linktype(ETHERTYPE_IP);
4158
4159 /* A = ip->ip_p */
4160 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4161 s[i]->s.k = off_nl + 9;
4162 i++;
4163 /* X = ip->ip_hl << 2 */
4164 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4165 s[i]->s.k = off_nl;
4166 i++;
4167 break;
4168 #ifdef INET6
4169 case Q_IPV6:
4170 b0 = gen_linktype(ETHERTYPE_IPV6);
4171
4172 /* A = ip6->ip_nxt */
4173 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4174 s[i]->s.k = off_nl + 6;
4175 i++;
4176 /* X = sizeof(struct ip6_hdr) */
4177 s[i] = new_stmt(BPF_LDX|BPF_IMM);
4178 s[i]->s.k = 40;
4179 i++;
4180 break;
4181 #endif
4182 default:
4183 bpf_error("unsupported proto to gen_protochain");
4184 /*NOTREACHED*/
4185 }
4186
4187 /* again: if (A == v) goto end; else fall through; */
4188 again = i;
4189 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4190 s[i]->s.k = v;
4191 s[i]->s.jt = NULL; /*later*/
4192 s[i]->s.jf = NULL; /*update in next stmt*/
4193 fix5 = i;
4194 i++;
4195
4196 #ifndef IPPROTO_NONE
4197 #define IPPROTO_NONE 59
4198 #endif
4199 /* if (A == IPPROTO_NONE) goto end */
4200 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4201 s[i]->s.jt = NULL; /*later*/
4202 s[i]->s.jf = NULL; /*update in next stmt*/
4203 s[i]->s.k = IPPROTO_NONE;
4204 s[fix5]->s.jf = s[i];
4205 fix2 = i;
4206 i++;
4207
4208 #ifdef INET6
4209 if (proto == Q_IPV6) {
4210 int v6start, v6end, v6advance, j;
4211
4212 v6start = i;
4213 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
4214 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4215 s[i]->s.jt = NULL; /*later*/
4216 s[i]->s.jf = NULL; /*update in next stmt*/
4217 s[i]->s.k = IPPROTO_HOPOPTS;
4218 s[fix2]->s.jf = s[i];
4219 i++;
4220 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
4221 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4222 s[i]->s.jt = NULL; /*later*/
4223 s[i]->s.jf = NULL; /*update in next stmt*/
4224 s[i]->s.k = IPPROTO_DSTOPTS;
4225 i++;
4226 /* if (A == IPPROTO_ROUTING) goto v6advance */
4227 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4228 s[i]->s.jt = NULL; /*later*/
4229 s[i]->s.jf = NULL; /*update in next stmt*/
4230 s[i]->s.k = IPPROTO_ROUTING;
4231 i++;
4232 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
4233 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4234 s[i]->s.jt = NULL; /*later*/
4235 s[i]->s.jf = NULL; /*later*/
4236 s[i]->s.k = IPPROTO_FRAGMENT;
4237 fix3 = i;
4238 v6end = i;
4239 i++;
4240
4241 /* v6advance: */
4242 v6advance = i;
4243
4244 /*
4245 * in short,
4246 * A = P[X];
4247 * X = X + (P[X + 1] + 1) * 8;
4248 */
4249 /* A = X */
4250 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4251 i++;
4252 /* A = P[X + packet head] */
4253 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4254 s[i]->s.k = off_nl;
4255 i++;
4256 /* MEM[reg2] = A */
4257 s[i] = new_stmt(BPF_ST);
4258 s[i]->s.k = reg2;
4259 i++;
4260 /* A = X */
4261 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4262 i++;
4263 /* A += 1 */
4264 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4265 s[i]->s.k = 1;
4266 i++;
4267 /* X = A */
4268 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4269 i++;
4270 /* A = P[X + packet head]; */
4271 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4272 s[i]->s.k = off_nl;
4273 i++;
4274 /* A += 1 */
4275 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4276 s[i]->s.k = 1;
4277 i++;
4278 /* A *= 8 */
4279 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4280 s[i]->s.k = 8;
4281 i++;
4282 /* X = A; */
4283 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4284 i++;
4285 /* A = MEM[reg2] */
4286 s[i] = new_stmt(BPF_LD|BPF_MEM);
4287 s[i]->s.k = reg2;
4288 i++;
4289
4290 /* goto again; (must use BPF_JA for backward jump) */
4291 s[i] = new_stmt(BPF_JMP|BPF_JA);
4292 s[i]->s.k = again - i - 1;
4293 s[i - 1]->s.jf = s[i];
4294 i++;
4295
4296 /* fixup */
4297 for (j = v6start; j <= v6end; j++)
4298 s[j]->s.jt = s[v6advance];
4299 } else
4300 #endif
4301 {
4302 /* nop */
4303 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4304 s[i]->s.k = 0;
4305 s[fix2]->s.jf = s[i];
4306 i++;
4307 }
4308
4309 /* ahcheck: */
4310 ahcheck = i;
4311 /* if (A == IPPROTO_AH) then fall through; else goto end; */
4312 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4313 s[i]->s.jt = NULL; /*later*/
4314 s[i]->s.jf = NULL; /*later*/
4315 s[i]->s.k = IPPROTO_AH;
4316 if (fix3)
4317 s[fix3]->s.jf = s[ahcheck];
4318 fix4 = i;
4319 i++;
4320
4321 /*
4322 * in short,
4323 * A = P[X];
4324 * X = X + (P[X + 1] + 2) * 4;
4325 */
4326 /* A = X */
4327 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4328 i++;
4329 /* A = P[X + packet head]; */
4330 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4331 s[i]->s.k = off_nl;
4332 i++;
4333 /* MEM[reg2] = A */
4334 s[i] = new_stmt(BPF_ST);
4335 s[i]->s.k = reg2;
4336 i++;
4337 /* A = X */
4338 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4339 i++;
4340 /* A += 1 */
4341 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4342 s[i]->s.k = 1;
4343 i++;
4344 /* X = A */
4345 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4346 i++;
4347 /* A = P[X + packet head] */
4348 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4349 s[i]->s.k = off_nl;
4350 i++;
4351 /* A += 2 */
4352 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4353 s[i]->s.k = 2;
4354 i++;
4355 /* A *= 4 */
4356 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4357 s[i]->s.k = 4;
4358 i++;
4359 /* X = A; */
4360 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4361 i++;
4362 /* A = MEM[reg2] */
4363 s[i] = new_stmt(BPF_LD|BPF_MEM);
4364 s[i]->s.k = reg2;
4365 i++;
4366
4367 /* goto again; (must use BPF_JA for backward jump) */
4368 s[i] = new_stmt(BPF_JMP|BPF_JA);
4369 s[i]->s.k = again - i - 1;
4370 i++;
4371
4372 /* end: nop */
4373 end = i;
4374 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4375 s[i]->s.k = 0;
4376 s[fix2]->s.jt = s[end];
4377 s[fix4]->s.jf = s[end];
4378 s[fix5]->s.jt = s[end];
4379 i++;
4380
4381 /*
4382 * make slist chain
4383 */
4384 max = i;
4385 for (i = 0; i < max - 1; i++)
4386 s[i]->next = s[i + 1];
4387 s[max - 1]->next = NULL;
4388
4389 /*
4390 * emit final check
4391 */
4392 b = new_block(JMP(BPF_JEQ));
4393 b->stmts = s[1]; /*remember, s[0] is dummy*/
4394 b->s.k = v;
4395
4396 free_reg(reg2);
4397
4398 gen_and(b0, b);
4399 return b;
4400 #endif
4401 }
4402
4403 /*
4404 * Generate code that checks whether the packet is a packet for protocol
4405 * <proto> and whether the type field in that protocol's header has
4406 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
4407 * IP packet and checks the protocol number in the IP header against <v>.
4408 *
4409 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
4410 * against Q_IP and Q_IPV6.
4411 */
4412 static struct block *
4413 gen_proto(v, proto, dir)
4414 int v;
4415 int proto;
4416 int dir;
4417 {
4418 struct block *b0, *b1;
4419
4420 if (dir != Q_DEFAULT)
4421 bpf_error("direction applied to 'proto'");
4422
4423 switch (proto) {
4424 case Q_DEFAULT:
4425 #ifdef INET6
4426 b0 = gen_proto(v, Q_IP, dir);
4427 b1 = gen_proto(v, Q_IPV6, dir);
4428 gen_or(b0, b1);
4429 return b1;
4430 #else
4431 /*FALLTHROUGH*/
4432 #endif
4433 case Q_IP:
4434 /*
4435 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4436 * not LLC encapsulation with LLCSAP_IP.
4437 *
4438 * For IEEE 802 networks - which includes 802.5 token ring
4439 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4440 * says that SNAP encapsulation is used, not LLC encapsulation
4441 * with LLCSAP_IP.
4442 *
4443 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4444 * RFC 2225 say that SNAP encapsulation is used, not LLC
4445 * encapsulation with LLCSAP_IP.
4446 *
4447 * So we always check for ETHERTYPE_IP.
4448 */
4449
4450 b0 = gen_linktype(ETHERTYPE_IP);
4451 #ifndef CHASE_CHAIN
4452 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
4453 #else
4454 b1 = gen_protochain(v, Q_IP);
4455 #endif
4456 gen_and(b0, b1);
4457 return b1;
4458
4459 case Q_ISO:
4460 switch (linktype) {
4461
4462 case DLT_FRELAY:
4463 /*
4464 * Frame Relay packets typically have an OSI
4465 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
4466 * generates code to check for all the OSI
4467 * NLPIDs, so calling it and then adding a check
4468 * for the particular NLPID for which we're
4469 * looking is bogus, as we can just check for
4470 * the NLPID.
4471 *
4472 * What we check for is the NLPID and a frame
4473 * control field value of UI, i.e. 0x03 followed
4474 * by the NLPID.
4475 *
4476 * XXX - assumes a 2-byte Frame Relay header with
4477 * DLCI and flags. What if the address is longer?
4478 *
4479 * XXX - what about SNAP-encapsulated frames?
4480 */
4481 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
4482 /*NOTREACHED*/
4483 break;
4484
4485 case DLT_C_HDLC:
4486 /*
4487 * Cisco uses an Ethertype lookalike - for OSI,
4488 * it's 0xfefe.
4489 */
4490 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
4491 /* OSI in C-HDLC is stuffed with a fudge byte */
4492 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
4493 gen_and(b0, b1);
4494 return b1;
4495
4496 default:
4497 b0 = gen_linktype(LLCSAP_ISONS);
4498 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
4499 gen_and(b0, b1);
4500 return b1;
4501 }
4502
4503 case Q_ISIS:
4504 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4505 /*
4506 * 4 is the offset of the PDU type relative to the IS-IS
4507 * header.
4508 */
4509 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
4510 gen_and(b0, b1);
4511 return b1;
4512
4513 case Q_ARP:
4514 bpf_error("arp does not encapsulate another protocol");
4515 /* NOTREACHED */
4516
4517 case Q_RARP:
4518 bpf_error("rarp does not encapsulate another protocol");
4519 /* NOTREACHED */
4520
4521 case Q_ATALK:
4522 bpf_error("atalk encapsulation is not specifiable");
4523 /* NOTREACHED */
4524
4525 case Q_DECNET:
4526 bpf_error("decnet encapsulation is not specifiable");
4527 /* NOTREACHED */
4528
4529 case Q_SCA:
4530 bpf_error("sca does not encapsulate another protocol");
4531 /* NOTREACHED */
4532
4533 case Q_LAT:
4534 bpf_error("lat does not encapsulate another protocol");
4535 /* NOTREACHED */
4536
4537 case Q_MOPRC:
4538 bpf_error("moprc does not encapsulate another protocol");
4539 /* NOTREACHED */
4540
4541 case Q_MOPDL:
4542 bpf_error("mopdl does not encapsulate another protocol");
4543 /* NOTREACHED */
4544
4545 case Q_LINK:
4546 return gen_linktype(v);
4547
4548 case Q_UDP:
4549 bpf_error("'udp proto' is bogus");
4550 /* NOTREACHED */
4551
4552 case Q_TCP:
4553 bpf_error("'tcp proto' is bogus");
4554 /* NOTREACHED */
4555
4556 case Q_SCTP:
4557 bpf_error("'sctp proto' is bogus");
4558 /* NOTREACHED */
4559
4560 case Q_ICMP:
4561 bpf_error("'icmp proto' is bogus");
4562 /* NOTREACHED */
4563
4564 case Q_IGMP:
4565 bpf_error("'igmp proto' is bogus");
4566 /* NOTREACHED */
4567
4568 case Q_IGRP:
4569 bpf_error("'igrp proto' is bogus");
4570 /* NOTREACHED */
4571
4572 case Q_PIM:
4573 bpf_error("'pim proto' is bogus");
4574 /* NOTREACHED */
4575
4576 case Q_VRRP:
4577 bpf_error("'vrrp proto' is bogus");
4578 /* NOTREACHED */
4579
4580 #ifdef INET6
4581 case Q_IPV6:
4582 b0 = gen_linktype(ETHERTYPE_IPV6);
4583 #ifndef CHASE_CHAIN
4584 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
4585 #else
4586 b1 = gen_protochain(v, Q_IPV6);
4587 #endif
4588 gen_and(b0, b1);
4589 return b1;
4590
4591 case Q_ICMPV6:
4592 bpf_error("'icmp6 proto' is bogus");
4593 #endif /* INET6 */
4594
4595 case Q_AH:
4596 bpf_error("'ah proto' is bogus");
4597
4598 case Q_ESP:
4599 bpf_error("'ah proto' is bogus");
4600
4601 case Q_STP:
4602 bpf_error("'stp proto' is bogus");
4603
4604 case Q_IPX:
4605 bpf_error("'ipx proto' is bogus");
4606
4607 case Q_NETBEUI:
4608 bpf_error("'netbeui proto' is bogus");
4609
4610 case Q_RADIO:
4611 bpf_error("'radio proto' is bogus");
4612
4613 default:
4614 abort();
4615 /* NOTREACHED */
4616 }
4617 /* NOTREACHED */
4618 }
4619
4620 struct block *
4621 gen_scode(name, q)
4622 register const char *name;
4623 struct qual q;
4624 {
4625 int proto = q.proto;
4626 int dir = q.dir;
4627 int tproto;
4628 u_char *eaddr;
4629 bpf_u_int32 mask, addr;
4630 #ifndef INET6
4631 bpf_u_int32 **alist;
4632 #else
4633 int tproto6;
4634 struct sockaddr_in *sin;
4635 struct sockaddr_in6 *sin6;
4636 struct addrinfo *res, *res0;
4637 struct in6_addr mask128;
4638 #endif /*INET6*/
4639 struct block *b, *tmp;
4640 int port, real_proto;
4641 int port1, port2;
4642
4643 switch (q.addr) {
4644
4645 case Q_NET:
4646 addr = pcap_nametonetaddr(name);
4647 if (addr == 0)
4648 bpf_error("unknown network '%s'", name);
4649 /* Left justify network addr and calculate its network mask */
4650 mask = 0xffffffff;
4651 while (addr && (addr & 0xff000000) == 0) {
4652 addr <<= 8;
4653 mask <<= 8;
4654 }
4655 return gen_host(addr, mask, proto, dir);
4656
4657 case Q_DEFAULT:
4658 case Q_HOST:
4659 if (proto == Q_LINK) {
4660 switch (linktype) {
4661
4662 case DLT_EN10MB:
4663 eaddr = pcap_ether_hostton(name);
4664 if (eaddr == NULL)
4665 bpf_error(
4666 "unknown ether host '%s'", name);
4667 b = gen_ehostop(eaddr, dir);
4668 free(eaddr);
4669 return b;
4670
4671 case DLT_FDDI:
4672 eaddr = pcap_ether_hostton(name);
4673 if (eaddr == NULL)
4674 bpf_error(
4675 "unknown FDDI host '%s'", name);
4676 b = gen_fhostop(eaddr, dir);
4677 free(eaddr);
4678 return b;
4679
4680 case DLT_IEEE802:
4681 eaddr = pcap_ether_hostton(name);
4682 if (eaddr == NULL)
4683 bpf_error(
4684 "unknown token ring host '%s'", name);
4685 b = gen_thostop(eaddr, dir);
4686 free(eaddr);
4687 return b;
4688
4689 case DLT_IEEE802_11:
4690 case DLT_IEEE802_11_RADIO_AVS:
4691 case DLT_IEEE802_11_RADIO:
4692 case DLT_PRISM_HEADER:
4693 eaddr = pcap_ether_hostton(name);
4694 if (eaddr == NULL)
4695 bpf_error(
4696 "unknown 802.11 host '%s'", name);
4697 b = gen_wlanhostop(eaddr, dir);
4698 free(eaddr);
4699 return b;
4700
4701 case DLT_IP_OVER_FC:
4702 eaddr = pcap_ether_hostton(name);
4703 if (eaddr == NULL)
4704 bpf_error(
4705 "unknown Fibre Channel host '%s'", name);
4706 b = gen_ipfchostop(eaddr, dir);
4707 free(eaddr);
4708 return b;
4709
4710 case DLT_SUNATM:
4711 if (!is_lane)
4712 break;
4713
4714 /*
4715 * Check that the packet doesn't begin
4716 * with an LE Control marker. (We've
4717 * already generated a test for LANE.)
4718 */
4719 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4720 BPF_H, 0xFF00);
4721 gen_not(tmp);
4722
4723 eaddr = pcap_ether_hostton(name);
4724 if (eaddr == NULL)
4725 bpf_error(
4726 "unknown ether host '%s'", name);
4727 b = gen_ehostop(eaddr, dir);
4728 gen_and(tmp, b);
4729 free(eaddr);
4730 return b;
4731 }
4732
4733 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
4734 } else if (proto == Q_DECNET) {
4735 unsigned short dn_addr = __pcap_nametodnaddr(name);
4736 /*
4737 * I don't think DECNET hosts can be multihomed, so
4738 * there is no need to build up a list of addresses
4739 */
4740 return (gen_host(dn_addr, 0, proto, dir));
4741 } else {
4742 #ifndef INET6
4743 alist = pcap_nametoaddr(name);
4744 if (alist == NULL || *alist == NULL)
4745 bpf_error("unknown host '%s'", name);
4746 tproto = proto;
4747 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
4748 tproto = Q_IP;
4749 b = gen_host(**alist++, 0xffffffff, tproto, dir);
4750 while (*alist) {
4751 tmp = gen_host(**alist++, 0xffffffff,
4752 tproto, dir);
4753 gen_or(b, tmp);
4754 b = tmp;
4755 }
4756 return b;
4757 #else
4758 memset(&mask128, 0xff, sizeof(mask128));
4759 res0 = res = pcap_nametoaddrinfo(name);
4760 if (res == NULL)
4761 bpf_error("unknown host '%s'", name);
4762 b = tmp = NULL;
4763 tproto = tproto6 = proto;
4764 if (off_linktype == -1 && tproto == Q_DEFAULT) {
4765 tproto = Q_IP;
4766 tproto6 = Q_IPV6;
4767 }
4768 for (res = res0; res; res = res->ai_next) {
4769 switch (res->ai_family) {
4770 case AF_INET:
4771 if (tproto == Q_IPV6)
4772 continue;
4773
4774 sin = (struct sockaddr_in *)
4775 res->ai_addr;
4776 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4777 0xffffffff, tproto, dir);
4778 break;
4779 case AF_INET6:
4780 if (tproto6 == Q_IP)
4781 continue;
4782
4783 sin6 = (struct sockaddr_in6 *)
4784 res->ai_addr;
4785 tmp = gen_host6(&sin6->sin6_addr,
4786 &mask128, tproto6, dir);
4787 break;
4788 default:
4789 continue;
4790 }
4791 if (b)
4792 gen_or(b, tmp);
4793 b = tmp;
4794 }
4795 freeaddrinfo(res0);
4796 if (b == NULL) {
4797 bpf_error("unknown host '%s'%s", name,
4798 (proto == Q_DEFAULT)
4799 ? ""
4800 : " for specified address family");
4801 }
4802 return b;
4803 #endif /*INET6*/
4804 }
4805
4806 case Q_PORT:
4807 if (proto != Q_DEFAULT &&
4808 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4809 bpf_error("illegal qualifier of 'port'");
4810 if (pcap_nametoport(name, &port, &real_proto) == 0)
4811 bpf_error("unknown port '%s'", name);
4812 if (proto == Q_UDP) {
4813 if (real_proto == IPPROTO_TCP)
4814 bpf_error("port '%s' is tcp", name);
4815 else if (real_proto == IPPROTO_SCTP)
4816 bpf_error("port '%s' is sctp", name);
4817 else
4818 /* override PROTO_UNDEF */
4819 real_proto = IPPROTO_UDP;
4820 }
4821 if (proto == Q_TCP) {
4822 if (real_proto == IPPROTO_UDP)
4823 bpf_error("port '%s' is udp", name);
4824
4825 else if (real_proto == IPPROTO_SCTP)
4826 bpf_error("port '%s' is sctp", name);
4827 else
4828 /* override PROTO_UNDEF */
4829 real_proto = IPPROTO_TCP;
4830 }
4831 if (proto == Q_SCTP) {
4832 if (real_proto == IPPROTO_UDP)
4833 bpf_error("port '%s' is udp", name);
4834
4835 else if (real_proto == IPPROTO_TCP)
4836 bpf_error("port '%s' is tcp", name);
4837 else
4838 /* override PROTO_UNDEF */
4839 real_proto = IPPROTO_SCTP;
4840 }
4841 #ifndef INET6
4842 return gen_port(port, real_proto, dir);
4843 #else
4844 {
4845 struct block *b;
4846 b = gen_port(port, real_proto, dir);
4847 gen_or(gen_port6(port, real_proto, dir), b);
4848 return b;
4849 }
4850 #endif /* INET6 */
4851
4852 case Q_PORTRANGE:
4853 if (proto != Q_DEFAULT &&
4854 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4855 bpf_error("illegal qualifier of 'portrange'");
4856 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
4857 bpf_error("unknown port in range '%s'", name);
4858 if (proto == Q_UDP) {
4859 if (real_proto == IPPROTO_TCP)
4860 bpf_error("port in range '%s' is tcp", name);
4861 else if (real_proto == IPPROTO_SCTP)
4862 bpf_error("port in range '%s' is sctp", name);
4863 else
4864 /* override PROTO_UNDEF */
4865 real_proto = IPPROTO_UDP;
4866 }
4867 if (proto == Q_TCP) {
4868 if (real_proto == IPPROTO_UDP)
4869 bpf_error("port in range '%s' is udp", name);
4870 else if (real_proto == IPPROTO_SCTP)
4871 bpf_error("port in range '%s' is sctp", name);
4872 else
4873 /* override PROTO_UNDEF */
4874 real_proto = IPPROTO_TCP;
4875 }
4876 if (proto == Q_SCTP) {
4877 if (real_proto == IPPROTO_UDP)
4878 bpf_error("port in range '%s' is udp", name);
4879 else if (real_proto == IPPROTO_TCP)
4880 bpf_error("port in range '%s' is tcp", name);
4881 else
4882 /* override PROTO_UNDEF */
4883 real_proto = IPPROTO_SCTP;
4884 }
4885 #ifndef INET6
4886 return gen_portrange(port1, port2, real_proto, dir);
4887 #else
4888 {
4889 struct block *b;
4890 b = gen_portrange(port1, port2, real_proto, dir);
4891 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
4892 return b;
4893 }
4894 #endif /* INET6 */
4895
4896 case Q_GATEWAY:
4897 #ifndef INET6
4898 eaddr = pcap_ether_hostton(name);
4899 if (eaddr == NULL)
4900 bpf_error("unknown ether host: %s", name);
4901
4902 alist = pcap_nametoaddr(name);
4903 if (alist == NULL || *alist == NULL)
4904 bpf_error("unknown host '%s'", name);
4905 b = gen_gateway(eaddr, alist, proto, dir);
4906 free(eaddr);
4907 return b;
4908 #else
4909 bpf_error("'gateway' not supported in this configuration");
4910 #endif /*INET6*/
4911
4912 case Q_PROTO:
4913 real_proto = lookup_proto(name, proto);
4914 if (real_proto >= 0)
4915 return gen_proto(real_proto, proto, dir);
4916 else
4917 bpf_error("unknown protocol: %s", name);
4918
4919 case Q_PROTOCHAIN:
4920 real_proto = lookup_proto(name, proto);
4921 if (real_proto >= 0)
4922 return gen_protochain(real_proto, proto, dir);
4923 else
4924 bpf_error("unknown protocol: %s", name);
4925
4926
4927 case Q_UNDEF:
4928 syntax();
4929 /* NOTREACHED */
4930 }
4931 abort();
4932 /* NOTREACHED */
4933 }
4934
4935 struct block *
4936 gen_mcode(s1, s2, masklen, q)
4937 register const char *s1, *s2;
4938 register int masklen;
4939 struct qual q;
4940 {
4941 register int nlen, mlen;
4942 bpf_u_int32 n, m;
4943
4944 nlen = __pcap_atoin(s1, &n);
4945 /* Promote short ipaddr */
4946 n <<= 32 - nlen;
4947
4948 if (s2 != NULL) {
4949 mlen = __pcap_atoin(s2, &m);
4950 /* Promote short ipaddr */
4951 m <<= 32 - mlen;
4952 if ((n & ~m) != 0)
4953 bpf_error("non-network bits set in \"%s mask %s\"",
4954 s1, s2);
4955 } else {
4956 /* Convert mask len to mask */
4957 if (masklen > 32)
4958 bpf_error("mask length must be <= 32");
4959 m = 0xffffffff << (32 - masklen);
4960 if ((n & ~m) != 0)
4961 bpf_error("non-network bits set in \"%s/%d\"",
4962 s1, masklen);
4963 }
4964
4965 switch (q.addr) {
4966
4967 case Q_NET:
4968 return gen_host(n, m, q.proto, q.dir);
4969
4970 default:
4971 bpf_error("Mask syntax for networks only");
4972 /* NOTREACHED */
4973 }
4974 /* NOTREACHED */
4975 }
4976
4977 struct block *
4978 gen_ncode(s, v, q)
4979 register const char *s;
4980 bpf_u_int32 v;
4981 struct qual q;
4982 {
4983 bpf_u_int32 mask;
4984 int proto = q.proto;
4985 int dir = q.dir;
4986 register int vlen;
4987
4988 if (s == NULL)
4989 vlen = 32;
4990 else if (q.proto == Q_DECNET)
4991 vlen = __pcap_atodn(s, &v);
4992 else
4993 vlen = __pcap_atoin(s, &v);
4994
4995 switch (q.addr) {
4996
4997 case Q_DEFAULT:
4998 case Q_HOST:
4999 case Q_NET:
5000 if (proto == Q_DECNET)
5001 return gen_host(v, 0, proto, dir);
5002 else if (proto == Q_LINK) {
5003 bpf_error("illegal link layer address");
5004 } else {
5005 mask = 0xffffffff;
5006 if (s == NULL && q.addr == Q_NET) {
5007 /* Promote short net number */
5008 while (v && (v & 0xff000000) == 0) {
5009 v <<= 8;
5010 mask <<= 8;
5011 }
5012 } else {
5013 /* Promote short ipaddr */
5014 v <<= 32 - vlen;
5015 mask <<= 32 - vlen;
5016 }
5017 return gen_host(v, mask, proto, dir);
5018 }
5019
5020 case Q_PORT:
5021 if (proto == Q_UDP)
5022 proto = IPPROTO_UDP;
5023 else if (proto == Q_TCP)
5024 proto = IPPROTO_TCP;
5025 else if (proto == Q_SCTP)
5026 proto = IPPROTO_SCTP;
5027 else if (proto == Q_DEFAULT)
5028 proto = PROTO_UNDEF;
5029 else
5030 bpf_error("illegal qualifier of 'port'");
5031
5032 #ifndef INET6
5033 return gen_port((int)v, proto, dir);
5034 #else
5035 {
5036 struct block *b;
5037 b = gen_port((int)v, proto, dir);
5038 gen_or(gen_port6((int)v, proto, dir), b);
5039 return b;
5040 }
5041 #endif /* INET6 */
5042
5043 case Q_PORTRANGE:
5044 if (proto == Q_UDP)
5045 proto = IPPROTO_UDP;
5046 else if (proto == Q_TCP)
5047 proto = IPPROTO_TCP;
5048 else if (proto == Q_SCTP)
5049 proto = IPPROTO_SCTP;
5050 else if (proto == Q_DEFAULT)
5051 proto = PROTO_UNDEF;
5052 else
5053 bpf_error("illegal qualifier of 'portrange'");
5054
5055 #ifndef INET6
5056 return gen_portrange((int)v, (int)v, proto, dir);
5057 #else
5058 {
5059 struct block *b;
5060 b = gen_portrange((int)v, (int)v, proto, dir);
5061 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
5062 return b;
5063 }
5064 #endif /* INET6 */
5065
5066 case Q_GATEWAY:
5067 bpf_error("'gateway' requires a name");
5068 /* NOTREACHED */
5069
5070 case Q_PROTO:
5071 return gen_proto((int)v, proto, dir);
5072
5073 case Q_PROTOCHAIN:
5074 return gen_protochain((int)v, proto, dir);
5075
5076 case Q_UNDEF:
5077 syntax();
5078 /* NOTREACHED */
5079
5080 default:
5081 abort();
5082 /* NOTREACHED */
5083 }
5084 /* NOTREACHED */
5085 }
5086
5087 #ifdef INET6
5088 struct block *
5089 gen_mcode6(s1, s2, masklen, q)
5090 register const char *s1, *s2;
5091 register int masklen;
5092 struct qual q;
5093 {
5094 struct addrinfo *res;
5095 struct in6_addr *addr;
5096 struct in6_addr mask;
5097 struct block *b;
5098 u_int32_t *a, *m;
5099
5100 if (s2)
5101 bpf_error("no mask %s supported", s2);
5102
5103 res = pcap_nametoaddrinfo(s1);
5104 if (!res)
5105 bpf_error("invalid ip6 address %s", s1);
5106 if (res->ai_next)
5107 bpf_error("%s resolved to multiple address", s1);
5108 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
5109
5110 if (sizeof(mask) * 8 < masklen)
5111 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
5112 memset(&mask, 0, sizeof(mask));
5113 memset(&mask, 0xff, masklen / 8);
5114 if (masklen % 8) {
5115 mask.s6_addr[masklen / 8] =
5116 (0xff << (8 - masklen % 8)) & 0xff;
5117 }
5118
5119 a = (u_int32_t *)addr;
5120 m = (u_int32_t *)&mask;
5121 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
5122 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
5123 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
5124 }
5125
5126 switch (q.addr) {
5127
5128 case Q_DEFAULT:
5129 case Q_HOST:
5130 if (masklen != 128)
5131 bpf_error("Mask syntax for networks only");
5132 /* FALLTHROUGH */
5133
5134 case Q_NET:
5135 b = gen_host6(addr, &mask, q.proto, q.dir);
5136 freeaddrinfo(res);
5137 return b;
5138
5139 default:
5140 bpf_error("invalid qualifier against IPv6 address");
5141 /* NOTREACHED */
5142 }
5143 }
5144 #endif /*INET6*/
5145
5146 struct block *
5147 gen_ecode(eaddr, q)
5148 register const u_char *eaddr;
5149 struct qual q;
5150 {
5151 struct block *b, *tmp;
5152
5153 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5154 if (linktype == DLT_EN10MB)
5155 return gen_ehostop(eaddr, (int)q.dir);
5156 if (linktype == DLT_FDDI)
5157 return gen_fhostop(eaddr, (int)q.dir);
5158 if (linktype == DLT_IEEE802)
5159 return gen_thostop(eaddr, (int)q.dir);
5160 if (linktype == DLT_IEEE802_11 ||
5161 linktype == DLT_IEEE802_11_RADIO_AVS ||
5162 linktype == DLT_IEEE802_11_RADIO ||
5163 linktype == DLT_PRISM_HEADER)
5164 return gen_wlanhostop(eaddr, (int)q.dir);
5165 if (linktype == DLT_SUNATM && is_lane) {
5166 /*
5167 * Check that the packet doesn't begin with an
5168 * LE Control marker. (We've already generated
5169 * a test for LANE.)
5170 */
5171 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5172 0xFF00);
5173 gen_not(tmp);
5174
5175 /*
5176 * Now check the MAC address.
5177 */
5178 b = gen_ehostop(eaddr, (int)q.dir);
5179 gen_and(tmp, b);
5180 return b;
5181 }
5182 if (linktype == DLT_IP_OVER_FC)
5183 return gen_ipfchostop(eaddr, (int)q.dir);
5184 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5185 }
5186 bpf_error("ethernet address used in non-ether expression");
5187 /* NOTREACHED */
5188 }
5189
5190 void
5191 sappend(s0, s1)
5192 struct slist *s0, *s1;
5193 {
5194 /*
5195 * This is definitely not the best way to do this, but the
5196 * lists will rarely get long.
5197 */
5198 while (s0->next)
5199 s0 = s0->next;
5200 s0->next = s1;
5201 }
5202
5203 static struct slist *
5204 xfer_to_x(a)
5205 struct arth *a;
5206 {
5207 struct slist *s;
5208
5209 s = new_stmt(BPF_LDX|BPF_MEM);
5210 s->s.k = a->regno;
5211 return s;
5212 }
5213
5214 static struct slist *
5215 xfer_to_a(a)
5216 struct arth *a;
5217 {
5218 struct slist *s;
5219
5220 s = new_stmt(BPF_LD|BPF_MEM);
5221 s->s.k = a->regno;
5222 return s;
5223 }
5224
5225 /*
5226 * Modify "index" to use the value stored into its register as an
5227 * offset relative to the beginning of the header for the protocol
5228 * "proto", and allocate a register and put an item "size" bytes long
5229 * (1, 2, or 4) at that offset into that register, making it the register
5230 * for "index".
5231 */
5232 struct arth *
5233 gen_load(proto, index, size)
5234 int proto;
5235 struct arth *index;
5236 int size;
5237 {
5238 struct slist *s, *tmp;
5239 struct block *b;
5240 int regno = alloc_reg();
5241
5242 free_reg(index->regno);
5243 switch (size) {
5244
5245 default:
5246 bpf_error("data size must be 1, 2, or 4");
5247
5248 case 1:
5249 size = BPF_B;
5250 break;
5251
5252 case 2:
5253 size = BPF_H;
5254 break;
5255
5256 case 4:
5257 size = BPF_W;
5258 break;
5259 }
5260 switch (proto) {
5261 default:
5262 bpf_error("unsupported index operation");
5263
5264 case Q_RADIO:
5265 /*
5266 * The offset is relative to the beginning of the packet
5267 * data, if we have a radio header. (If we don't, this
5268 * is an error.)
5269 */
5270 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
5271 linktype != DLT_IEEE802_11_RADIO &&
5272 linktype != DLT_PRISM_HEADER)
5273 bpf_error("radio information not present in capture");
5274
5275 /*
5276 * Load into the X register the offset computed into the
5277 * register specifed by "index".
5278 */
5279 s = xfer_to_x(index);
5280
5281 /*
5282 * Load the item at that offset.
5283 */
5284 tmp = new_stmt(BPF_LD|BPF_IND|size);
5285 sappend(s, tmp);
5286 sappend(index->s, s);
5287 break;
5288
5289 case Q_LINK:
5290 /*
5291 * The offset is relative to the beginning of
5292 * the link-layer header.
5293 *
5294 * XXX - what about ATM LANE? Should the index be
5295 * relative to the beginning of the AAL5 frame, so
5296 * that 0 refers to the beginning of the LE Control
5297 * field, or relative to the beginning of the LAN
5298 * frame, so that 0 refers, for Ethernet LANE, to
5299 * the beginning of the destination address?
5300 */
5301 s = gen_llprefixlen();
5302
5303 /*
5304 * If "s" is non-null, it has code to arrange that the
5305 * X register contains the length of the prefix preceding
5306 * the link-layer header. Add to it the offset computed
5307 * into the register specified by "index", and move that
5308 * into the X register. Otherwise, just load into the X
5309 * register the offset computed into the register specifed
5310 * by "index".
5311 */
5312 if (s != NULL) {
5313 sappend(s, xfer_to_a(index));
5314 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5315 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5316 } else
5317 s = xfer_to_x(index);
5318
5319 /*
5320 * Load the item at the sum of the offset we've put in the
5321 * X register and the offset of the start of the link
5322 * layer header (which is 0 if the radio header is
5323 * variable-length; that header length is what we put
5324 * into the X register and then added to the index).
5325 */
5326 tmp = new_stmt(BPF_LD|BPF_IND|size);
5327 tmp->s.k = off_ll;
5328 sappend(s, tmp);
5329 sappend(index->s, s);
5330 break;
5331
5332 case Q_IP:
5333 case Q_ARP:
5334 case Q_RARP:
5335 case Q_ATALK:
5336 case Q_DECNET:
5337 case Q_SCA:
5338 case Q_LAT:
5339 case Q_MOPRC:
5340 case Q_MOPDL:
5341 #ifdef INET6
5342 case Q_IPV6:
5343 #endif
5344 /*
5345 * The offset is relative to the beginning of
5346 * the network-layer header.
5347 * XXX - are there any cases where we want
5348 * off_nl_nosnap?
5349 */
5350 s = gen_llprefixlen();
5351
5352 /*
5353 * If "s" is non-null, it has code to arrange that the
5354 * X register contains the length of the prefix preceding
5355 * the link-layer header. Add to it the offset computed
5356 * into the register specified by "index", and move that
5357 * into the X register. Otherwise, just load into the X
5358 * register the offset computed into the register specifed
5359 * by "index".
5360 */
5361 if (s != NULL) {
5362 sappend(s, xfer_to_a(index));
5363 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5364 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5365 } else
5366 s = xfer_to_x(index);
5367
5368 /*
5369 * Load the item at the sum of the offset we've put in the
5370 * X register and the offset of the start of the network
5371 * layer header.
5372 */
5373 tmp = new_stmt(BPF_LD|BPF_IND|size);
5374 tmp->s.k = off_nl;
5375 sappend(s, tmp);
5376 sappend(index->s, s);
5377
5378 /*
5379 * Do the computation only if the packet contains
5380 * the protocol in question.
5381 */
5382 b = gen_proto_abbrev(proto);
5383 if (index->b)
5384 gen_and(index->b, b);
5385 index->b = b;
5386 break;
5387
5388 case Q_SCTP:
5389 case Q_TCP:
5390 case Q_UDP:
5391 case Q_ICMP:
5392 case Q_IGMP:
5393 case Q_IGRP:
5394 case Q_PIM:
5395 case Q_VRRP:
5396 /*
5397 * The offset is relative to the beginning of
5398 * the transport-layer header.
5399 * XXX - are there any cases where we want
5400 * off_nl_nosnap?
5401 * XXX - we should, if we're built with
5402 * IPv6 support, generate code to load either
5403 * IPv4, IPv6, or both, as appropriate.
5404 */
5405 s = gen_loadx_iphdrlen();
5406
5407 /*
5408 * The X register now contains the sum of the offset
5409 * of the beginning of the link-layer header and
5410 * the length of the network-layer header. Load
5411 * into the A register the offset relative to
5412 * the beginning of the transport layer header,
5413 * add the X register to that, move that to the
5414 * X register, and load with an offset from the
5415 * X register equal to the offset of the network
5416 * layer header relative to the beginning of
5417 * the link-layer header.
5418 */
5419 sappend(s, xfer_to_a(index));
5420 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5421 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5422 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
5423 tmp->s.k = off_nl;
5424 sappend(index->s, s);
5425
5426 /*
5427 * Do the computation only if the packet contains
5428 * the protocol in question - which is true only
5429 * if this is an IP datagram and is the first or
5430 * only fragment of that datagram.
5431 */
5432 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
5433 if (index->b)
5434 gen_and(index->b, b);
5435 #ifdef INET6
5436 gen_and(gen_proto_abbrev(Q_IP), b);
5437 #endif
5438 index->b = b;
5439 break;
5440 #ifdef INET6
5441 case Q_ICMPV6:
5442 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
5443 /*NOTREACHED*/
5444 #endif
5445 }
5446 index->regno = regno;
5447 s = new_stmt(BPF_ST);
5448 s->s.k = regno;
5449 sappend(index->s, s);
5450
5451 return index;
5452 }
5453
5454 struct block *
5455 gen_relation(code, a0, a1, reversed)
5456 int code;
5457 struct arth *a0, *a1;
5458 int reversed;
5459 {
5460 struct slist *s0, *s1, *s2;
5461 struct block *b, *tmp;
5462
5463 s0 = xfer_to_x(a1);
5464 s1 = xfer_to_a(a0);
5465 if (code == BPF_JEQ) {
5466 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
5467 b = new_block(JMP(code));
5468 sappend(s1, s2);
5469 }
5470 else
5471 b = new_block(BPF_JMP|code|BPF_X);
5472 if (reversed)
5473 gen_not(b);
5474
5475 sappend(s0, s1);
5476 sappend(a1->s, s0);
5477 sappend(a0->s, a1->s);
5478
5479 b->stmts = a0->s;
5480
5481 free_reg(a0->regno);
5482 free_reg(a1->regno);
5483
5484 /* 'and' together protocol checks */
5485 if (a0->b) {
5486 if (a1->b) {
5487 gen_and(a0->b, tmp = a1->b);
5488 }
5489 else
5490 tmp = a0->b;
5491 } else
5492 tmp = a1->b;
5493
5494 if (tmp)
5495 gen_and(tmp, b);
5496
5497 return b;
5498 }
5499
5500 struct arth *
5501 gen_loadlen()
5502 {
5503 int regno = alloc_reg();
5504 struct arth *a = (struct arth *)newchunk(sizeof(*a));
5505 struct slist *s;
5506
5507 s = new_stmt(BPF_LD|BPF_LEN);
5508 s->next = new_stmt(BPF_ST);
5509 s->next->s.k = regno;
5510 a->s = s;
5511 a->regno = regno;
5512
5513 return a;
5514 }
5515
5516 struct arth *
5517 gen_loadi(val)
5518 int val;
5519 {
5520 struct arth *a;
5521 struct slist *s;
5522 int reg;
5523
5524 a = (struct arth *)newchunk(sizeof(*a));
5525
5526 reg = alloc_reg();
5527
5528 s = new_stmt(BPF_LD|BPF_IMM);
5529 s->s.k = val;
5530 s->next = new_stmt(BPF_ST);
5531 s->next->s.k = reg;
5532 a->s = s;
5533 a->regno = reg;
5534
5535 return a;
5536 }
5537
5538 struct arth *
5539 gen_neg(a)
5540 struct arth *a;
5541 {
5542 struct slist *s;
5543
5544 s = xfer_to_a(a);
5545 sappend(a->s, s);
5546 s = new_stmt(BPF_ALU|BPF_NEG);
5547 s->s.k = 0;
5548 sappend(a->s, s);
5549 s = new_stmt(BPF_ST);
5550 s->s.k = a->regno;
5551 sappend(a->s, s);
5552
5553 return a;
5554 }
5555
5556 struct arth *
5557 gen_arth(code, a0, a1)
5558 int code;
5559 struct arth *a0, *a1;
5560 {
5561 struct slist *s0, *s1, *s2;
5562
5563 s0 = xfer_to_x(a1);
5564 s1 = xfer_to_a(a0);
5565 s2 = new_stmt(BPF_ALU|BPF_X|code);
5566
5567 sappend(s1, s2);
5568 sappend(s0, s1);
5569 sappend(a1->s, s0);
5570 sappend(a0->s, a1->s);
5571
5572 free_reg(a0->regno);
5573 free_reg(a1->regno);
5574
5575 s0 = new_stmt(BPF_ST);
5576 a0->regno = s0->s.k = alloc_reg();
5577 sappend(a0->s, s0);
5578
5579 return a0;
5580 }
5581
5582 /*
5583 * Here we handle simple allocation of the scratch registers.
5584 * If too many registers are alloc'd, the allocator punts.
5585 */
5586 static int regused[BPF_MEMWORDS];
5587 static int curreg;
5588
5589 /*
5590 * Return the next free register.
5591 */
5592 static int
5593 alloc_reg()
5594 {
5595 int n = BPF_MEMWORDS;
5596
5597 while (--n >= 0) {
5598 if (regused[curreg])
5599 curreg = (curreg + 1) % BPF_MEMWORDS;
5600 else {
5601 regused[curreg] = 1;
5602 return curreg;
5603 }
5604 }
5605 bpf_error("too many registers needed to evaluate expression");
5606 /* NOTREACHED */
5607 }
5608
5609 /*
5610 * Return a register to the table so it can
5611 * be used later.
5612 */
5613 static void
5614 free_reg(n)
5615 int n;
5616 {
5617 regused[n] = 0;
5618 }
5619
5620 static struct block *
5621 gen_len(jmp, n)
5622 int jmp, n;
5623 {
5624 struct slist *s;
5625 struct block *b;
5626
5627 s = new_stmt(BPF_LD|BPF_LEN);
5628 b = new_block(JMP(jmp));
5629 b->stmts = s;
5630 b->s.k = n;
5631
5632 return b;
5633 }
5634
5635 struct block *
5636 gen_greater(n)
5637 int n;
5638 {
5639 return gen_len(BPF_JGE, n);
5640 }
5641
5642 /*
5643 * Actually, this is less than or equal.
5644 */
5645 struct block *
5646 gen_less(n)
5647 int n;
5648 {
5649 struct block *b;
5650
5651 b = gen_len(BPF_JGT, n);
5652 gen_not(b);
5653
5654 return b;
5655 }
5656
5657 /*
5658 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
5659 * the beginning of the link-layer header.
5660 * XXX - that means you can't test values in the radiotap header, but
5661 * as that header is difficult if not impossible to parse generally
5662 * without a loop, that might not be a severe problem. A new keyword
5663 * "radio" could be added for that, although what you'd really want
5664 * would be a way of testing particular radio header values, which
5665 * would generate code appropriate to the radio header in question.
5666 */
5667 struct block *
5668 gen_byteop(op, idx, val)
5669 int op, idx, val;
5670 {
5671 struct block *b;
5672 struct slist *s;
5673
5674 switch (op) {
5675 default:
5676 abort();
5677
5678 case '=':
5679 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5680
5681 case '<':
5682 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5683 return b;
5684
5685 case '>':
5686 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5687 return b;
5688
5689 case '|':
5690 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
5691 break;
5692
5693 case '&':
5694 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
5695 break;
5696 }
5697 s->s.k = val;
5698 b = new_block(JMP(BPF_JEQ));
5699 b->stmts = s;
5700 gen_not(b);
5701
5702 return b;
5703 }
5704
5705 static u_char abroadcast[] = { 0x0 };
5706
5707 struct block *
5708 gen_broadcast(proto)
5709 int proto;
5710 {
5711 bpf_u_int32 hostmask;
5712 struct block *b0, *b1, *b2;
5713 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
5714
5715 switch (proto) {
5716
5717 case Q_DEFAULT:
5718 case Q_LINK:
5719 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5720 return gen_ahostop(abroadcast, Q_DST);
5721 if (linktype == DLT_EN10MB)
5722 return gen_ehostop(ebroadcast, Q_DST);
5723 if (linktype == DLT_FDDI)
5724 return gen_fhostop(ebroadcast, Q_DST);
5725 if (linktype == DLT_IEEE802)
5726 return gen_thostop(ebroadcast, Q_DST);
5727 if (linktype == DLT_IEEE802_11 ||
5728 linktype == DLT_IEEE802_11_RADIO_AVS ||
5729 linktype == DLT_IEEE802_11_RADIO ||
5730 linktype == DLT_PRISM_HEADER)
5731 return gen_wlanhostop(ebroadcast, Q_DST);
5732 if (linktype == DLT_IP_OVER_FC)
5733 return gen_ipfchostop(ebroadcast, Q_DST);
5734 if (linktype == DLT_SUNATM && is_lane) {
5735 /*
5736 * Check that the packet doesn't begin with an
5737 * LE Control marker. (We've already generated
5738 * a test for LANE.)
5739 */
5740 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5741 0xFF00);
5742 gen_not(b1);
5743
5744 /*
5745 * Now check the MAC address.
5746 */
5747 b0 = gen_ehostop(ebroadcast, Q_DST);
5748 gen_and(b1, b0);
5749 return b0;
5750 }
5751 bpf_error("not a broadcast link");
5752 break;
5753
5754 case Q_IP:
5755 b0 = gen_linktype(ETHERTYPE_IP);
5756 hostmask = ~netmask;
5757 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
5758 b2 = gen_mcmp(OR_NET, 16, BPF_W,
5759 (bpf_int32)(~0 & hostmask), hostmask);
5760 gen_or(b1, b2);
5761 gen_and(b0, b2);
5762 return b2;
5763 }
5764 bpf_error("only link-layer/IP broadcast filters supported");
5765 /* NOTREACHED */
5766 }
5767
5768 /*
5769 * Generate code to test the low-order bit of a MAC address (that's
5770 * the bottom bit of the *first* byte).
5771 */
5772 static struct block *
5773 gen_mac_multicast(offset)
5774 int offset;
5775 {
5776 register struct block *b0;
5777 register struct slist *s;
5778
5779 /* link[offset] & 1 != 0 */
5780 s = gen_load_a(OR_LINK, offset, BPF_B);
5781 b0 = new_block(JMP(BPF_JSET));
5782 b0->s.k = 1;
5783 b0->stmts = s;
5784 return b0;
5785 }
5786
5787 struct block *
5788 gen_multicast(proto)
5789 int proto;
5790 {
5791 register struct block *b0, *b1, *b2;
5792 register struct slist *s;
5793
5794 switch (proto) {
5795
5796 case Q_DEFAULT:
5797 case Q_LINK:
5798 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5799 /* all ARCnet multicasts use the same address */
5800 return gen_ahostop(abroadcast, Q_DST);
5801
5802 if (linktype == DLT_EN10MB) {
5803 /* ether[0] & 1 != 0 */
5804 return gen_mac_multicast(0);
5805 }
5806
5807 if (linktype == DLT_FDDI) {
5808 /*
5809 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
5810 *
5811 * XXX - was that referring to bit-order issues?
5812 */
5813 /* fddi[1] & 1 != 0 */
5814 return gen_mac_multicast(1);
5815 }
5816
5817 if (linktype == DLT_IEEE802) {
5818 /* tr[2] & 1 != 0 */
5819 return gen_mac_multicast(2);
5820 }
5821
5822 if (linktype == DLT_IEEE802_11 ||
5823 linktype == DLT_IEEE802_11_RADIO_AVS ||
5824 linktype == DLT_IEEE802_11_RADIO ||
5825 linktype == DLT_PRISM_HEADER) {
5826 /*
5827 * Oh, yuk.
5828 *
5829 * For control frames, there is no DA.
5830 *
5831 * For management frames, DA is at an
5832 * offset of 4 from the beginning of
5833 * the packet.
5834 *
5835 * For data frames, DA is at an offset
5836 * of 4 from the beginning of the packet
5837 * if To DS is clear and at an offset of
5838 * 16 from the beginning of the packet
5839 * if To DS is set.
5840 */
5841
5842 /*
5843 * Generate the tests to be done for data frames.
5844 *
5845 * First, check for To DS set, i.e. "link[1] & 0x01".
5846 */
5847 s = gen_load_a(OR_LINK, 1, BPF_B);
5848 b1 = new_block(JMP(BPF_JSET));
5849 b1->s.k = 0x01; /* To DS */
5850 b1->stmts = s;
5851
5852 /*
5853 * If To DS is set, the DA is at 16.
5854 */
5855 b0 = gen_mac_multicast(16);
5856 gen_and(b1, b0);
5857
5858 /*
5859 * Now, check for To DS not set, i.e. check
5860 * "!(link[1] & 0x01)".
5861 */
5862 s = gen_load_a(OR_LINK, 1, BPF_B);
5863 b2 = new_block(JMP(BPF_JSET));
5864 b2->s.k = 0x01; /* To DS */
5865 b2->stmts = s;
5866 gen_not(b2);
5867
5868 /*
5869 * If To DS is not set, the DA is at 4.
5870 */
5871 b1 = gen_mac_multicast(4);
5872 gen_and(b2, b1);
5873
5874 /*
5875 * Now OR together the last two checks. That gives
5876 * the complete set of checks for data frames.
5877 */
5878 gen_or(b1, b0);
5879
5880 /*
5881 * Now check for a data frame.
5882 * I.e, check "link[0] & 0x08".
5883 */
5884 s = gen_load_a(OR_LINK, 0, BPF_B);
5885 b1 = new_block(JMP(BPF_JSET));
5886 b1->s.k = 0x08;
5887 b1->stmts = s;
5888
5889 /*
5890 * AND that with the checks done for data frames.
5891 */
5892 gen_and(b1, b0);
5893
5894 /*
5895 * If the high-order bit of the type value is 0, this
5896 * is a management frame.
5897 * I.e, check "!(link[0] & 0x08)".
5898 */
5899 s = gen_load_a(OR_LINK, 0, BPF_B);
5900 b2 = new_block(JMP(BPF_JSET));
5901 b2->s.k = 0x08;
5902 b2->stmts = s;
5903 gen_not(b2);
5904
5905 /*
5906 * For management frames, the DA is at 4.
5907 */
5908 b1 = gen_mac_multicast(4);
5909 gen_and(b2, b1);
5910
5911 /*
5912 * OR that with the checks done for data frames.
5913 * That gives the checks done for management and
5914 * data frames.
5915 */
5916 gen_or(b1, b0);
5917
5918 /*
5919 * If the low-order bit of the type value is 1,
5920 * this is either a control frame or a frame
5921 * with a reserved type, and thus not a
5922 * frame with an SA.
5923 *
5924 * I.e., check "!(link[0] & 0x04)".
5925 */
5926 s = gen_load_a(OR_LINK, 0, BPF_B);
5927 b1 = new_block(JMP(BPF_JSET));
5928 b1->s.k = 0x04;
5929 b1->stmts = s;
5930 gen_not(b1);
5931
5932 /*
5933 * AND that with the checks for data and management
5934 * frames.
5935 */
5936 gen_and(b1, b0);
5937 return b0;
5938 }
5939
5940 if (linktype == DLT_IP_OVER_FC) {
5941 b0 = gen_mac_multicast(2);
5942 return b0;
5943 }
5944
5945 if (linktype == DLT_SUNATM && is_lane) {
5946 /*
5947 * Check that the packet doesn't begin with an
5948 * LE Control marker. (We've already generated
5949 * a test for LANE.)
5950 */
5951 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5952 0xFF00);
5953 gen_not(b1);
5954
5955 /* ether[off_mac] & 1 != 0 */
5956 b0 = gen_mac_multicast(off_mac);
5957 gen_and(b1, b0);
5958 return b0;
5959 }
5960
5961 /* Link not known to support multicasts */
5962 break;
5963
5964 case Q_IP:
5965 b0 = gen_linktype(ETHERTYPE_IP);
5966 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
5967 gen_and(b0, b1);
5968 return b1;
5969
5970 #ifdef INET6
5971 case Q_IPV6:
5972 b0 = gen_linktype(ETHERTYPE_IPV6);
5973 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
5974 gen_and(b0, b1);
5975 return b1;
5976 #endif /* INET6 */
5977 }
5978 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
5979 /* NOTREACHED */
5980 }
5981
5982 /*
5983 * generate command for inbound/outbound. It's here so we can
5984 * make it link-type specific. 'dir' = 0 implies "inbound",
5985 * = 1 implies "outbound".
5986 */
5987 struct block *
5988 gen_inbound(dir)
5989 int dir;
5990 {
5991 register struct block *b0;
5992
5993 /*
5994 * Only some data link types support inbound/outbound qualifiers.
5995 */
5996 switch (linktype) {
5997 case DLT_SLIP:
5998 b0 = gen_relation(BPF_JEQ,
5999 gen_load(Q_LINK, gen_loadi(0), 1),
6000 gen_loadi(0),
6001 dir);
6002 break;
6003
6004 case DLT_LINUX_SLL:
6005 if (dir) {
6006 /*
6007 * Match packets sent by this machine.
6008 */
6009 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
6010 } else {
6011 /*
6012 * Match packets sent to this machine.
6013 * (No broadcast or multicast packets, or
6014 * packets sent to some other machine and
6015 * received promiscuously.)
6016 *
6017 * XXX - packets sent to other machines probably
6018 * shouldn't be matched, but what about broadcast
6019 * or multicast packets we received?
6020 */
6021 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
6022 }
6023 break;
6024
6025 case DLT_PFLOG:
6026 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
6027 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
6028 break;
6029
6030 case DLT_PPP_PPPD:
6031 if (dir) {
6032 /* match outgoing packets */
6033 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
6034 } else {
6035 /* match incoming packets */
6036 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
6037 }
6038 break;
6039
6040 case DLT_JUNIPER_MFR:
6041 case DLT_JUNIPER_MLFR:
6042 case DLT_JUNIPER_MLPPP:
6043 case DLT_JUNIPER_ATM1:
6044 case DLT_JUNIPER_ATM2:
6045 case DLT_JUNIPER_PPPOE:
6046 case DLT_JUNIPER_PPPOE_ATM:
6047 case DLT_JUNIPER_GGSN:
6048 case DLT_JUNIPER_ES:
6049 case DLT_JUNIPER_MONITOR:
6050 case DLT_JUNIPER_SERVICES:
6051 /* juniper flags (including direction) are stored
6052 * the byte after the 3-byte magic number */
6053 if (dir) {
6054 /* match outgoing packets */
6055 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
6056 } else {
6057 /* match incoming packets */
6058 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
6059 }
6060 break;
6061
6062 default:
6063 bpf_error("inbound/outbound not supported on linktype %d",
6064 linktype);
6065 b0 = NULL;
6066 /* NOTREACHED */
6067 }
6068 return (b0);
6069 }
6070
6071 /* PF firewall log matched interface */
6072 struct block *
6073 gen_pf_ifname(const char *ifname)
6074 {
6075 struct block *b0;
6076 u_int len, off;
6077
6078 if (linktype == DLT_PFLOG) {
6079 len = sizeof(((struct pfloghdr *)0)->ifname);
6080 off = offsetof(struct pfloghdr, ifname);
6081 } else {
6082 bpf_error("ifname not supported on linktype 0x%x", linktype);
6083 /* NOTREACHED */
6084 }
6085 if (strlen(ifname) >= len) {
6086 bpf_error("ifname interface names can only be %d characters",
6087 len-1);
6088 /* NOTREACHED */
6089 }
6090 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
6091 return (b0);
6092 }
6093
6094 /* PF firewall log ruleset name */
6095 struct block *
6096 gen_pf_ruleset(char *ruleset)
6097 {
6098 struct block *b0;
6099
6100 if (linktype != DLT_PFLOG) {
6101 bpf_error("ruleset not supported on linktype 0x%x", linktype);
6102 /* NOTREACHED */
6103 }
6104 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
6105 bpf_error("ruleset names can only be %ld characters",
6106 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
6107 /* NOTREACHED */
6108 }
6109 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
6110 strlen(ruleset), (const u_char *)ruleset);
6111 return (b0);
6112 }
6113
6114 /* PF firewall log rule number */
6115 struct block *
6116 gen_pf_rnr(int rnr)
6117 {
6118 struct block *b0;
6119
6120 if (linktype == DLT_PFLOG) {
6121 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
6122 (bpf_int32)rnr);
6123 } else {
6124 bpf_error("rnr not supported on linktype 0x%x", linktype);
6125 /* NOTREACHED */
6126 }
6127
6128 return (b0);
6129 }
6130
6131 /* PF firewall log sub-rule number */
6132 struct block *
6133 gen_pf_srnr(int srnr)
6134 {
6135 struct block *b0;
6136
6137 if (linktype != DLT_PFLOG) {
6138 bpf_error("srnr not supported on linktype 0x%x", linktype);
6139 /* NOTREACHED */
6140 }
6141
6142 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
6143 (bpf_int32)srnr);
6144 return (b0);
6145 }
6146
6147 /* PF firewall log reason code */
6148 struct block *
6149 gen_pf_reason(int reason)
6150 {
6151 struct block *b0;
6152
6153 if (linktype == DLT_PFLOG) {
6154 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
6155 (bpf_int32)reason);
6156 } else {
6157 bpf_error("reason not supported on linktype 0x%x", linktype);
6158 /* NOTREACHED */
6159 }
6160
6161 return (b0);
6162 }
6163
6164 /* PF firewall log action */
6165 struct block *
6166 gen_pf_action(int action)
6167 {
6168 struct block *b0;
6169
6170 if (linktype == DLT_PFLOG) {
6171 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
6172 (bpf_int32)action);
6173 } else {
6174 bpf_error("action not supported on linktype 0x%x", linktype);
6175 /* NOTREACHED */
6176 }
6177
6178 return (b0);
6179 }
6180
6181 struct block *
6182 gen_acode(eaddr, q)
6183 register const u_char *eaddr;
6184 struct qual q;
6185 {
6186 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6187 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
6188 return gen_ahostop(eaddr, (int)q.dir);
6189 }
6190 bpf_error("ARCnet address used in non-arc expression");
6191 /* NOTREACHED */
6192 }
6193
6194 static struct block *
6195 gen_ahostop(eaddr, dir)
6196 register const u_char *eaddr;
6197 register int dir;
6198 {
6199 register struct block *b0, *b1;
6200
6201 switch (dir) {
6202 /* src comes first, different from Ethernet */
6203 case Q_SRC:
6204 return gen_bcmp(OR_LINK, 0, 1, eaddr);
6205
6206 case Q_DST:
6207 return gen_bcmp(OR_LINK, 1, 1, eaddr);
6208
6209 case Q_AND:
6210 b0 = gen_ahostop(eaddr, Q_SRC);
6211 b1 = gen_ahostop(eaddr, Q_DST);
6212 gen_and(b0, b1);
6213 return b1;
6214
6215 case Q_DEFAULT:
6216 case Q_OR:
6217 b0 = gen_ahostop(eaddr, Q_SRC);
6218 b1 = gen_ahostop(eaddr, Q_DST);
6219 gen_or(b0, b1);
6220 return b1;
6221 }
6222 abort();
6223 /* NOTREACHED */
6224 }
6225
6226 /*
6227 * support IEEE 802.1Q VLAN trunk over ethernet
6228 */
6229 struct block *
6230 gen_vlan(vlan_num)
6231 int vlan_num;
6232 {
6233 struct block *b0,*b1;
6234
6235 /*
6236 * Change the offsets to point to the type and data fields within
6237 * the VLAN packet. Just increment the offsets, so that we
6238 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
6239 * capture VLAN 200 encapsulated within VLAN 100.
6240 *
6241 * XXX - this is a bit of a kludge. If we were to split the
6242 * compiler into a parser that parses an expression and
6243 * generates an expression tree, and a code generator that
6244 * takes an expression tree (which could come from our
6245 * parser or from some other parser) and generates BPF code,
6246 * we could perhaps make the offsets parameters of routines
6247 * and, in the handler for an "AND" node, pass to subnodes
6248 * other than the VLAN node the adjusted offsets.
6249 *
6250 * This would mean that "vlan" would, instead of changing the
6251 * behavior of *all* tests after it, change only the behavior
6252 * of tests ANDed with it. That would change the documented
6253 * semantics of "vlan", which might break some expressions.
6254 * However, it would mean that "(vlan and ip) or ip" would check
6255 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6256 * checking only for VLAN-encapsulated IP, so that could still
6257 * be considered worth doing; it wouldn't break expressions
6258 * that are of the form "vlan and ..." or "vlan N and ...",
6259 * which I suspect are the most common expressions involving
6260 * "vlan". "vlan or ..." doesn't necessarily do what the user
6261 * would really want, now, as all the "or ..." tests would
6262 * be done assuming a VLAN, even though the "or" could be viewed
6263 * as meaning "or, if this isn't a VLAN packet...".
6264 */
6265 orig_linktype = off_linktype; /* save original values */
6266 orig_nl = off_nl;
6267
6268 switch (linktype) {
6269
6270 case DLT_EN10MB:
6271 off_linktype += 4;
6272 off_nl_nosnap += 4;
6273 off_nl += 4;
6274 break;
6275
6276 default:
6277 bpf_error("no VLAN support for data link type %d",
6278 linktype);
6279 /*NOTREACHED*/
6280 }
6281
6282 /* check for VLAN */
6283 if (orig_linktype != (u_int)-1)
6284 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
6285 else
6286 bpf_error("no VLAN match after MPLS");
6287
6288 /* If a specific VLAN is requested, check VLAN id */
6289 if (vlan_num >= 0) {
6290 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num,
6291 0x0fff);
6292 gen_and(b0, b1);
6293 b0 = b1;
6294 }
6295
6296 return (b0);
6297 }
6298
6299 /*
6300 * support for MPLS
6301 */
6302 struct block *
6303 gen_mpls(label_num)
6304 int label_num;
6305 {
6306 struct block *b0,*b1;
6307
6308 /*
6309 * Change the offsets to point to the type and data fields within
6310 * the MPLS packet. Just increment the offsets, so that we
6311 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
6312 * capture packets with an outer label of 100000 and an inner
6313 * label of 1024.
6314 *
6315 * XXX - this is a bit of a kludge. See comments in gen_vlan().
6316 */
6317 orig_linktype = off_linktype; /* save original values */
6318 orig_nl = off_nl;
6319
6320 if (label_stack_depth > 0) {
6321 /* just match the bottom-of-stack bit clear */
6322 b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01);
6323 } else {
6324
6325 /* poison the linktype to make sure higher level
6326 * code generators don't try to match against IP related protocols like
6327 * Q_ARP, Q_RARP etc. */
6328 off_linktype = -1;
6329 switch (linktype) {
6330
6331 case DLT_C_HDLC: /* fall through */
6332 case DLT_EN10MB:
6333 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H,
6334 (bpf_int32)ETHERTYPE_MPLS);
6335 break;
6336
6337 case DLT_PPP:
6338 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H,
6339 (bpf_int32)PPP_MPLS_UCAST);
6340 break;
6341
6342 /* FIXME add other DLT_s ...
6343 * for Frame-Relay/and ATM this may get messy due to SNAP headers
6344 * leave it for now */
6345
6346 default:
6347 bpf_error("no MPLS support for data link type %d",
6348 linktype);
6349 b0 = NULL;
6350 /*NOTREACHED*/
6351 break;
6352 }
6353 }
6354
6355 /* If a specific MPLS label is requested, check it */
6356 if (label_num >= 0) {
6357 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
6358 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num,
6359 0xfffff000); /* only compare the first 20 bits */
6360 gen_and(b0, b1);
6361 b0 = b1;
6362 }
6363
6364 off_nl_nosnap += 4;
6365 off_nl += 4;
6366 label_stack_depth++;
6367 return (b0);
6368 }
6369
6370 struct block *
6371 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
6372 int atmfield;
6373 bpf_int32 jvalue;
6374 bpf_u_int32 jtype;
6375 int reverse;
6376 {
6377 struct block *b0;
6378
6379 switch (atmfield) {
6380
6381 case A_VPI:
6382 if (!is_atm)
6383 bpf_error("'vpi' supported only on raw ATM");
6384 if (off_vpi == (u_int)-1)
6385 abort();
6386 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
6387 reverse, jvalue);
6388 break;
6389
6390 case A_VCI:
6391 if (!is_atm)
6392 bpf_error("'vci' supported only on raw ATM");
6393 if (off_vci == (u_int)-1)
6394 abort();
6395 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
6396 reverse, jvalue);
6397 break;
6398
6399 case A_PROTOTYPE:
6400 if (off_proto == (u_int)-1)
6401 abort(); /* XXX - this isn't on FreeBSD */
6402 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
6403 reverse, jvalue);
6404 break;
6405
6406 case A_MSGTYPE:
6407 if (off_payload == (u_int)-1)
6408 abort();
6409 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
6410 0xffffffff, jtype, reverse, jvalue);
6411 break;
6412
6413 case A_CALLREFTYPE:
6414 if (!is_atm)
6415 bpf_error("'callref' supported only on raw ATM");
6416 if (off_proto == (u_int)-1)
6417 abort();
6418 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
6419 jtype, reverse, jvalue);
6420 break;
6421
6422 default:
6423 abort();
6424 }
6425 return b0;
6426 }
6427
6428 struct block *
6429 gen_atmtype_abbrev(type)
6430 int type;
6431 {
6432 struct block *b0, *b1;
6433
6434 switch (type) {
6435
6436 case A_METAC:
6437 /* Get all packets in Meta signalling Circuit */
6438 if (!is_atm)
6439 bpf_error("'metac' supported only on raw ATM");
6440 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6441 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
6442 gen_and(b0, b1);
6443 break;
6444
6445 case A_BCC:
6446 /* Get all packets in Broadcast Circuit*/
6447 if (!is_atm)
6448 bpf_error("'bcc' supported only on raw ATM");
6449 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6450 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
6451 gen_and(b0, b1);
6452 break;
6453
6454 case A_OAMF4SC:
6455 /* Get all cells in Segment OAM F4 circuit*/
6456 if (!is_atm)
6457 bpf_error("'oam4sc' supported only on raw ATM");
6458 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6459 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6460 gen_and(b0, b1);
6461 break;
6462
6463 case A_OAMF4EC:
6464 /* Get all cells in End-to-End OAM F4 Circuit*/
6465 if (!is_atm)
6466 bpf_error("'oam4ec' supported only on raw ATM");
6467 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6468 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6469 gen_and(b0, b1);
6470 break;
6471
6472 case A_SC:
6473 /* Get all packets in connection Signalling Circuit */
6474 if (!is_atm)
6475 bpf_error("'sc' supported only on raw ATM");
6476 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6477 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
6478 gen_and(b0, b1);
6479 break;
6480
6481 case A_ILMIC:
6482 /* Get all packets in ILMI Circuit */
6483 if (!is_atm)
6484 bpf_error("'ilmic' supported only on raw ATM");
6485 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6486 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
6487 gen_and(b0, b1);
6488 break;
6489
6490 case A_LANE:
6491 /* Get all LANE packets */
6492 if (!is_atm)
6493 bpf_error("'lane' supported only on raw ATM");
6494 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
6495
6496 /*
6497 * Arrange that all subsequent tests assume LANE
6498 * rather than LLC-encapsulated packets, and set
6499 * the offsets appropriately for LANE-encapsulated
6500 * Ethernet.
6501 *
6502 * "off_mac" is the offset of the Ethernet header,
6503 * which is 2 bytes past the ATM pseudo-header
6504 * (skipping the pseudo-header and 2-byte LE Client
6505 * field). The other offsets are Ethernet offsets
6506 * relative to "off_mac".
6507 */
6508 is_lane = 1;
6509 off_mac = off_payload + 2; /* MAC header */
6510 off_linktype = off_mac + 12;
6511 off_nl = off_mac + 14; /* Ethernet II */
6512 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
6513 break;
6514
6515 case A_LLC:
6516 /* Get all LLC-encapsulated packets */
6517 if (!is_atm)
6518 bpf_error("'llc' supported only on raw ATM");
6519 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
6520 is_lane = 0;
6521 break;
6522
6523 default:
6524 abort();
6525 }
6526 return b1;
6527 }
6528
6529 struct block *
6530 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
6531 int mtp3field;
6532 bpf_u_int32 jvalue;
6533 bpf_u_int32 jtype;
6534 int reverse;
6535 {
6536 struct block *b0;
6537 bpf_u_int32 val1 , val2 , val3;
6538
6539 switch (mtp3field) {
6540
6541 case M_SIO:
6542 if (off_sio == (u_int)-1)
6543 bpf_error("'sio' supported only on SS7");
6544 /* sio coded on 1 byte so max value 255 */
6545 if(jvalue > 255)
6546 bpf_error("sio value %u too big; max value = 255",
6547 jvalue);
6548 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
6549 (u_int)jtype, reverse, (u_int)jvalue);
6550 break;
6551
6552 case M_OPC:
6553 if (off_opc == (u_int)-1)
6554 bpf_error("'opc' supported only on SS7");
6555 /* opc coded on 14 bits so max value 16383 */
6556 if (jvalue > 16383)
6557 bpf_error("opc value %u too big; max value = 16383",
6558 jvalue);
6559 /* the following instructions are made to convert jvalue
6560 * to the form used to write opc in an ss7 message*/
6561 val1 = jvalue & 0x00003c00;
6562 val1 = val1 >>10;
6563 val2 = jvalue & 0x000003fc;
6564 val2 = val2 <<6;
6565 val3 = jvalue & 0x00000003;
6566 val3 = val3 <<22;
6567 jvalue = val1 + val2 + val3;
6568 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
6569 (u_int)jtype, reverse, (u_int)jvalue);
6570 break;
6571
6572 case M_DPC:
6573 if (off_dpc == (u_int)-1)
6574 bpf_error("'dpc' supported only on SS7");
6575 /* dpc coded on 14 bits so max value 16383 */
6576 if (jvalue > 16383)
6577 bpf_error("dpc value %u too big; max value = 16383",
6578 jvalue);
6579 /* the following instructions are made to convert jvalue
6580 * to the forme used to write dpc in an ss7 message*/
6581 val1 = jvalue & 0x000000ff;
6582 val1 = val1 << 24;
6583 val2 = jvalue & 0x00003f00;
6584 val2 = val2 << 8;
6585 jvalue = val1 + val2;
6586 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
6587 (u_int)jtype, reverse, (u_int)jvalue);
6588 break;
6589
6590 case M_SLS:
6591 if (off_sls == (u_int)-1)
6592 bpf_error("'sls' supported only on SS7");
6593 /* sls coded on 4 bits so max value 15 */
6594 if (jvalue > 15)
6595 bpf_error("sls value %u too big; max value = 15",
6596 jvalue);
6597 /* the following instruction is made to convert jvalue
6598 * to the forme used to write sls in an ss7 message*/
6599 jvalue = jvalue << 4;
6600 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
6601 (u_int)jtype,reverse, (u_int)jvalue);
6602 break;
6603
6604 default:
6605 abort();
6606 }
6607 return b0;
6608 }
6609
6610 static struct block *
6611 gen_msg_abbrev(type)
6612 int type;
6613 {
6614 struct block *b1;
6615
6616 /*
6617 * Q.2931 signalling protocol messages for handling virtual circuits
6618 * establishment and teardown
6619 */
6620 switch (type) {
6621
6622 case A_SETUP:
6623 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
6624 break;
6625
6626 case A_CALLPROCEED:
6627 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
6628 break;
6629
6630 case A_CONNECT:
6631 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
6632 break;
6633
6634 case A_CONNECTACK:
6635 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
6636 break;
6637
6638 case A_RELEASE:
6639 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
6640 break;
6641
6642 case A_RELEASE_DONE:
6643 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
6644 break;
6645
6646 default:
6647 abort();
6648 }
6649 return b1;
6650 }
6651
6652 struct block *
6653 gen_atmmulti_abbrev(type)
6654 int type;
6655 {
6656 struct block *b0, *b1;
6657
6658 switch (type) {
6659
6660 case A_OAM:
6661 if (!is_atm)
6662 bpf_error("'oam' supported only on raw ATM");
6663 b1 = gen_atmmulti_abbrev(A_OAMF4);
6664 break;
6665
6666 case A_OAMF4:
6667 if (!is_atm)
6668 bpf_error("'oamf4' supported only on raw ATM");
6669 /* OAM F4 type */
6670 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6671 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6672 gen_or(b0, b1);
6673 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6674 gen_and(b0, b1);
6675 break;
6676
6677 case A_CONNECTMSG:
6678 /*
6679 * Get Q.2931 signalling messages for switched
6680 * virtual connection
6681 */
6682 if (!is_atm)
6683 bpf_error("'connectmsg' supported only on raw ATM");
6684 b0 = gen_msg_abbrev(A_SETUP);
6685 b1 = gen_msg_abbrev(A_CALLPROCEED);
6686 gen_or(b0, b1);
6687 b0 = gen_msg_abbrev(A_CONNECT);
6688 gen_or(b0, b1);
6689 b0 = gen_msg_abbrev(A_CONNECTACK);
6690 gen_or(b0, b1);
6691 b0 = gen_msg_abbrev(A_RELEASE);
6692 gen_or(b0, b1);
6693 b0 = gen_msg_abbrev(A_RELEASE_DONE);
6694 gen_or(b0, b1);
6695 b0 = gen_atmtype_abbrev(A_SC);
6696 gen_and(b0, b1);
6697 break;
6698
6699 case A_METACONNECT:
6700 if (!is_atm)
6701 bpf_error("'metaconnect' supported only on raw ATM");
6702 b0 = gen_msg_abbrev(A_SETUP);
6703 b1 = gen_msg_abbrev(A_CALLPROCEED);
6704 gen_or(b0, b1);
6705 b0 = gen_msg_abbrev(A_CONNECT);
6706 gen_or(b0, b1);
6707 b0 = gen_msg_abbrev(A_RELEASE);
6708 gen_or(b0, b1);
6709 b0 = gen_msg_abbrev(A_RELEASE_DONE);
6710 gen_or(b0, b1);
6711 b0 = gen_atmtype_abbrev(A_METAC);
6712 gen_and(b0, b1);
6713 break;
6714
6715 default:
6716 abort();
6717 }
6718 return b1;
6719 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism