]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
When using pcap_create_common() in pcap_fopen_offline(), leave
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52 #include <arpa/inet.h>
53
54 #endif /* WIN32 */
55
56 #include <stdlib.h>
57 #include <string.h>
58 #include <memory.h>
59 #include <setjmp.h>
60 #include <stdarg.h>
61
62 #ifdef MSDOS
63 #include "pcap-dos.h"
64 #endif
65
66 #include "pcap-int.h"
67
68 #include "ethertype.h"
69 #include "nlpid.h"
70 #include "llc.h"
71 #include "gencode.h"
72 #include "ieee80211.h"
73 #include "atmuni31.h"
74 #include "sunatmpos.h"
75 #include "ppp.h"
76 #include "pcap/sll.h"
77 #include "arcnet.h"
78 #ifdef HAVE_NET_PFVAR_H
79 #include <sys/socket.h>
80 #include <net/if.h>
81 #include <net/pfvar.h>
82 #include <net/if_pflog.h>
83 #endif
84 #ifndef offsetof
85 #define offsetof(s, e) ((size_t)&((s *)0)->e)
86 #endif
87 #ifdef INET6
88 #ifndef WIN32
89 #include <netdb.h> /* for "struct addrinfo" */
90 #endif /* WIN32 */
91 #endif /*INET6*/
92 #include <pcap/namedb.h>
93
94 #define ETHERMTU 1500
95
96 #ifndef IPPROTO_SCTP
97 #define IPPROTO_SCTP 132
98 #endif
99
100 #ifdef HAVE_OS_PROTO_H
101 #include "os-proto.h"
102 #endif
103
104 #define JMP(c) ((c)|BPF_JMP|BPF_K)
105
106 /* Locals */
107 static jmp_buf top_ctx;
108 static pcap_t *bpf_pcap;
109
110 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
111 #ifdef WIN32
112 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
113 #else
114 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
115 #endif
116
117 /* XXX */
118 #ifdef PCAP_FDDIPAD
119 static int pcap_fddipad;
120 #endif
121
122 /* VARARGS */
123 void
124 bpf_error(const char *fmt, ...)
125 {
126 va_list ap;
127
128 va_start(ap, fmt);
129 if (bpf_pcap != NULL)
130 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
131 fmt, ap);
132 va_end(ap);
133 longjmp(top_ctx, 1);
134 /* NOTREACHED */
135 }
136
137 static void init_linktype(pcap_t *);
138
139 static void init_regs(void);
140 static int alloc_reg(void);
141 static void free_reg(int);
142
143 static struct block *root;
144
145 /*
146 * Value passed to gen_load_a() to indicate what the offset argument
147 * is relative to.
148 */
149 enum e_offrel {
150 OR_PACKET, /* relative to the beginning of the packet */
151 OR_LINK, /* relative to the beginning of the link-layer header */
152 OR_MACPL, /* relative to the end of the MAC-layer header */
153 OR_NET, /* relative to the network-layer header */
154 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
155 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
156 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
157 };
158
159 #ifdef INET6
160 /*
161 * As errors are handled by a longjmp, anything allocated must be freed
162 * in the longjmp handler, so it must be reachable from that handler.
163 * One thing that's allocated is the result of pcap_nametoaddrinfo();
164 * it must be freed with freeaddrinfo(). This variable points to any
165 * addrinfo structure that would need to be freed.
166 */
167 static struct addrinfo *ai;
168 #endif
169
170 /*
171 * We divy out chunks of memory rather than call malloc each time so
172 * we don't have to worry about leaking memory. It's probably
173 * not a big deal if all this memory was wasted but if this ever
174 * goes into a library that would probably not be a good idea.
175 *
176 * XXX - this *is* in a library....
177 */
178 #define NCHUNKS 16
179 #define CHUNK0SIZE 1024
180 struct chunk {
181 u_int n_left;
182 void *m;
183 };
184
185 static struct chunk chunks[NCHUNKS];
186 static int cur_chunk;
187
188 static void *newchunk(u_int);
189 static void freechunks(void);
190 static inline struct block *new_block(int);
191 static inline struct slist *new_stmt(int);
192 static struct block *gen_retblk(int);
193 static inline void syntax(void);
194
195 static void backpatch(struct block *, struct block *);
196 static void merge(struct block *, struct block *);
197 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
198 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
199 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
200 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
201 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
202 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
203 bpf_u_int32);
204 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
205 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
206 bpf_u_int32, bpf_u_int32, int, bpf_int32);
207 static struct slist *gen_load_llrel(u_int, u_int);
208 static struct slist *gen_load_macplrel(u_int, u_int);
209 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
210 static struct slist *gen_loadx_iphdrlen(void);
211 static struct block *gen_uncond(int);
212 static inline struct block *gen_true(void);
213 static inline struct block *gen_false(void);
214 static struct block *gen_ether_linktype(int);
215 static struct block *gen_linux_sll_linktype(int);
216 static struct slist *gen_load_prism_llprefixlen(void);
217 static struct slist *gen_load_avs_llprefixlen(void);
218 static struct slist *gen_load_radiotap_llprefixlen(void);
219 static struct slist *gen_load_ppi_llprefixlen(void);
220 static void insert_compute_vloffsets(struct block *);
221 static struct slist *gen_llprefixlen(void);
222 static struct slist *gen_off_macpl(void);
223 static int ethertype_to_ppptype(int);
224 static struct block *gen_linktype(int);
225 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
226 static struct block *gen_llc_linktype(int);
227 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
228 #ifdef INET6
229 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
230 #endif
231 static struct block *gen_ahostop(const u_char *, int);
232 static struct block *gen_ehostop(const u_char *, int);
233 static struct block *gen_fhostop(const u_char *, int);
234 static struct block *gen_thostop(const u_char *, int);
235 static struct block *gen_wlanhostop(const u_char *, int);
236 static struct block *gen_ipfchostop(const u_char *, int);
237 static struct block *gen_dnhostop(bpf_u_int32, int);
238 static struct block *gen_mpls_linktype(int);
239 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
240 #ifdef INET6
241 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
242 #endif
243 #ifndef INET6
244 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
245 #endif
246 static struct block *gen_ipfrag(void);
247 static struct block *gen_portatom(int, bpf_int32);
248 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
249 #ifdef INET6
250 static struct block *gen_portatom6(int, bpf_int32);
251 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
252 #endif
253 struct block *gen_portop(int, int, int);
254 static struct block *gen_port(int, int, int);
255 struct block *gen_portrangeop(int, int, int, int);
256 static struct block *gen_portrange(int, int, int, int);
257 #ifdef INET6
258 struct block *gen_portop6(int, int, int);
259 static struct block *gen_port6(int, int, int);
260 struct block *gen_portrangeop6(int, int, int, int);
261 static struct block *gen_portrange6(int, int, int, int);
262 #endif
263 static int lookup_proto(const char *, int);
264 static struct block *gen_protochain(int, int, int);
265 static struct block *gen_proto(int, int, int);
266 static struct slist *xfer_to_x(struct arth *);
267 static struct slist *xfer_to_a(struct arth *);
268 static struct block *gen_mac_multicast(int);
269 static struct block *gen_len(int, int);
270 static struct block *gen_check_802_11_data_frame(void);
271
272 static struct block *gen_ppi_dlt_check(void);
273 static struct block *gen_msg_abbrev(int type);
274
275 static void *
276 newchunk(n)
277 u_int n;
278 {
279 struct chunk *cp;
280 int k;
281 size_t size;
282
283 #ifndef __NetBSD__
284 /* XXX Round up to nearest long. */
285 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
286 #else
287 /* XXX Round up to structure boundary. */
288 n = ALIGN(n);
289 #endif
290
291 cp = &chunks[cur_chunk];
292 if (n > cp->n_left) {
293 ++cp, k = ++cur_chunk;
294 if (k >= NCHUNKS)
295 bpf_error("out of memory");
296 size = CHUNK0SIZE << k;
297 cp->m = (void *)malloc(size);
298 if (cp->m == NULL)
299 bpf_error("out of memory");
300 memset((char *)cp->m, 0, size);
301 cp->n_left = size;
302 if (n > size)
303 bpf_error("out of memory");
304 }
305 cp->n_left -= n;
306 return (void *)((char *)cp->m + cp->n_left);
307 }
308
309 static void
310 freechunks()
311 {
312 int i;
313
314 cur_chunk = 0;
315 for (i = 0; i < NCHUNKS; ++i)
316 if (chunks[i].m != NULL) {
317 free(chunks[i].m);
318 chunks[i].m = NULL;
319 }
320 }
321
322 /*
323 * A strdup whose allocations are freed after code generation is over.
324 */
325 char *
326 sdup(s)
327 register const char *s;
328 {
329 int n = strlen(s) + 1;
330 char *cp = newchunk(n);
331
332 strlcpy(cp, s, n);
333 return (cp);
334 }
335
336 static inline struct block *
337 new_block(code)
338 int code;
339 {
340 struct block *p;
341
342 p = (struct block *)newchunk(sizeof(*p));
343 p->s.code = code;
344 p->head = p;
345
346 return p;
347 }
348
349 static inline struct slist *
350 new_stmt(code)
351 int code;
352 {
353 struct slist *p;
354
355 p = (struct slist *)newchunk(sizeof(*p));
356 p->s.code = code;
357
358 return p;
359 }
360
361 static struct block *
362 gen_retblk(v)
363 int v;
364 {
365 struct block *b = new_block(BPF_RET|BPF_K);
366
367 b->s.k = v;
368 return b;
369 }
370
371 static inline void
372 syntax()
373 {
374 bpf_error("syntax error in filter expression");
375 }
376
377 static bpf_u_int32 netmask;
378 static int snaplen;
379 int no_optimize;
380 #ifdef WIN32
381 static int
382 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
383 const char *buf, int optimize, bpf_u_int32 mask);
384
385 int
386 pcap_compile(pcap_t *p, struct bpf_program *program,
387 const char *buf, int optimize, bpf_u_int32 mask)
388 {
389 int result;
390
391 EnterCriticalSection(&g_PcapCompileCriticalSection);
392
393 result = pcap_compile_unsafe(p, program, buf, optimize, mask);
394
395 LeaveCriticalSection(&g_PcapCompileCriticalSection);
396
397 return result;
398 }
399
400 static int
401 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
402 const char *buf, int optimize, bpf_u_int32 mask)
403 #else /* WIN32 */
404 int
405 pcap_compile(pcap_t *p, struct bpf_program *program,
406 const char *buf, int optimize, bpf_u_int32 mask)
407 #endif /* WIN32 */
408 {
409 extern int n_errors;
410 const char * volatile xbuf = buf;
411 int len;
412
413 no_optimize = 0;
414 n_errors = 0;
415 root = NULL;
416 bpf_pcap = p;
417 init_regs();
418 if (setjmp(top_ctx)) {
419 #ifdef INET6
420 if (ai != NULL) {
421 freeaddrinfo(ai);
422 ai = NULL;
423 }
424 #endif
425 lex_cleanup();
426 freechunks();
427 return (-1);
428 }
429
430 netmask = mask;
431
432 snaplen = pcap_snapshot(p);
433 if (snaplen == 0) {
434 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
435 "snaplen of 0 rejects all packets");
436 return -1;
437 }
438
439 lex_init(xbuf ? xbuf : "");
440 init_linktype(p);
441 (void)pcap_parse();
442
443 if (n_errors)
444 syntax();
445
446 if (root == NULL)
447 root = gen_retblk(snaplen);
448
449 if (optimize && !no_optimize) {
450 bpf_optimize(&root);
451 if (root == NULL ||
452 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
453 bpf_error("expression rejects all packets");
454 }
455 program->bf_insns = icode_to_fcode(root, &len);
456 program->bf_len = len;
457
458 lex_cleanup();
459 freechunks();
460 return (0);
461 }
462
463 /*
464 * entry point for using the compiler with no pcap open
465 * pass in all the stuff that is needed explicitly instead.
466 */
467 int
468 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
469 struct bpf_program *program,
470 const char *buf, int optimize, bpf_u_int32 mask)
471 {
472 pcap_t *p;
473 int ret;
474
475 p = pcap_open_dead(linktype_arg, snaplen_arg);
476 if (p == NULL)
477 return (-1);
478 ret = pcap_compile(p, program, buf, optimize, mask);
479 pcap_close(p);
480 return (ret);
481 }
482
483 /*
484 * Clean up a "struct bpf_program" by freeing all the memory allocated
485 * in it.
486 */
487 void
488 pcap_freecode(struct bpf_program *program)
489 {
490 program->bf_len = 0;
491 if (program->bf_insns != NULL) {
492 free((char *)program->bf_insns);
493 program->bf_insns = NULL;
494 }
495 }
496
497 /*
498 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
499 * which of the jt and jf fields has been resolved and which is a pointer
500 * back to another unresolved block (or nil). At least one of the fields
501 * in each block is already resolved.
502 */
503 static void
504 backpatch(list, target)
505 struct block *list, *target;
506 {
507 struct block *next;
508
509 while (list) {
510 if (!list->sense) {
511 next = JT(list);
512 JT(list) = target;
513 } else {
514 next = JF(list);
515 JF(list) = target;
516 }
517 list = next;
518 }
519 }
520
521 /*
522 * Merge the lists in b0 and b1, using the 'sense' field to indicate
523 * which of jt and jf is the link.
524 */
525 static void
526 merge(b0, b1)
527 struct block *b0, *b1;
528 {
529 register struct block **p = &b0;
530
531 /* Find end of list. */
532 while (*p)
533 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
534
535 /* Concatenate the lists. */
536 *p = b1;
537 }
538
539 void
540 finish_parse(p)
541 struct block *p;
542 {
543 struct block *ppi_dlt_check;
544
545 /*
546 * Insert before the statements of the first (root) block any
547 * statements needed to load the lengths of any variable-length
548 * headers into registers.
549 *
550 * XXX - a fancier strategy would be to insert those before the
551 * statements of all blocks that use those lengths and that
552 * have no predecessors that use them, so that we only compute
553 * the lengths if we need them. There might be even better
554 * approaches than that.
555 *
556 * However, those strategies would be more complicated, and
557 * as we don't generate code to compute a length if the
558 * program has no tests that use the length, and as most
559 * tests will probably use those lengths, we would just
560 * postpone computing the lengths so that it's not done
561 * for tests that fail early, and it's not clear that's
562 * worth the effort.
563 */
564 insert_compute_vloffsets(p->head);
565
566 /*
567 * For DLT_PPI captures, generate a check of the per-packet
568 * DLT value to make sure it's DLT_IEEE802_11.
569 */
570 ppi_dlt_check = gen_ppi_dlt_check();
571 if (ppi_dlt_check != NULL)
572 gen_and(ppi_dlt_check, p);
573
574 backpatch(p, gen_retblk(snaplen));
575 p->sense = !p->sense;
576 backpatch(p, gen_retblk(0));
577 root = p->head;
578 }
579
580 void
581 gen_and(b0, b1)
582 struct block *b0, *b1;
583 {
584 backpatch(b0, b1->head);
585 b0->sense = !b0->sense;
586 b1->sense = !b1->sense;
587 merge(b1, b0);
588 b1->sense = !b1->sense;
589 b1->head = b0->head;
590 }
591
592 void
593 gen_or(b0, b1)
594 struct block *b0, *b1;
595 {
596 b0->sense = !b0->sense;
597 backpatch(b0, b1->head);
598 b0->sense = !b0->sense;
599 merge(b1, b0);
600 b1->head = b0->head;
601 }
602
603 void
604 gen_not(b)
605 struct block *b;
606 {
607 b->sense = !b->sense;
608 }
609
610 static struct block *
611 gen_cmp(offrel, offset, size, v)
612 enum e_offrel offrel;
613 u_int offset, size;
614 bpf_int32 v;
615 {
616 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
617 }
618
619 static struct block *
620 gen_cmp_gt(offrel, offset, size, v)
621 enum e_offrel offrel;
622 u_int offset, size;
623 bpf_int32 v;
624 {
625 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
626 }
627
628 static struct block *
629 gen_cmp_ge(offrel, offset, size, v)
630 enum e_offrel offrel;
631 u_int offset, size;
632 bpf_int32 v;
633 {
634 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
635 }
636
637 static struct block *
638 gen_cmp_lt(offrel, offset, size, v)
639 enum e_offrel offrel;
640 u_int offset, size;
641 bpf_int32 v;
642 {
643 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
644 }
645
646 static struct block *
647 gen_cmp_le(offrel, offset, size, v)
648 enum e_offrel offrel;
649 u_int offset, size;
650 bpf_int32 v;
651 {
652 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
653 }
654
655 static struct block *
656 gen_mcmp(offrel, offset, size, v, mask)
657 enum e_offrel offrel;
658 u_int offset, size;
659 bpf_int32 v;
660 bpf_u_int32 mask;
661 {
662 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
663 }
664
665 static struct block *
666 gen_bcmp(offrel, offset, size, v)
667 enum e_offrel offrel;
668 register u_int offset, size;
669 register const u_char *v;
670 {
671 register struct block *b, *tmp;
672
673 b = NULL;
674 while (size >= 4) {
675 register const u_char *p = &v[size - 4];
676 bpf_int32 w = ((bpf_int32)p[0] << 24) |
677 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
678
679 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
680 if (b != NULL)
681 gen_and(b, tmp);
682 b = tmp;
683 size -= 4;
684 }
685 while (size >= 2) {
686 register const u_char *p = &v[size - 2];
687 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
688
689 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
690 if (b != NULL)
691 gen_and(b, tmp);
692 b = tmp;
693 size -= 2;
694 }
695 if (size > 0) {
696 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
697 if (b != NULL)
698 gen_and(b, tmp);
699 b = tmp;
700 }
701 return b;
702 }
703
704 /*
705 * AND the field of size "size" at offset "offset" relative to the header
706 * specified by "offrel" with "mask", and compare it with the value "v"
707 * with the test specified by "jtype"; if "reverse" is true, the test
708 * should test the opposite of "jtype".
709 */
710 static struct block *
711 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
712 enum e_offrel offrel;
713 bpf_int32 v;
714 bpf_u_int32 offset, size, mask, jtype;
715 int reverse;
716 {
717 struct slist *s, *s2;
718 struct block *b;
719
720 s = gen_load_a(offrel, offset, size);
721
722 if (mask != 0xffffffff) {
723 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
724 s2->s.k = mask;
725 sappend(s, s2);
726 }
727
728 b = new_block(JMP(jtype));
729 b->stmts = s;
730 b->s.k = v;
731 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
732 gen_not(b);
733 return b;
734 }
735
736 /*
737 * Various code constructs need to know the layout of the data link
738 * layer. These variables give the necessary offsets from the beginning
739 * of the packet data.
740 */
741
742 /*
743 * This is the offset of the beginning of the link-layer header from
744 * the beginning of the raw packet data.
745 *
746 * It's usually 0, except for 802.11 with a fixed-length radio header.
747 * (For 802.11 with a variable-length radio header, we have to generate
748 * code to compute that offset; off_ll is 0 in that case.)
749 */
750 static u_int off_ll;
751
752 /*
753 * If there's a variable-length header preceding the link-layer header,
754 * "reg_off_ll" is the register number for a register containing the
755 * length of that header, and therefore the offset of the link-layer
756 * header from the beginning of the raw packet data. Otherwise,
757 * "reg_off_ll" is -1.
758 */
759 static int reg_off_ll;
760
761 /*
762 * This is the offset of the beginning of the MAC-layer header from
763 * the beginning of the link-layer header.
764 * It's usually 0, except for ATM LANE, where it's the offset, relative
765 * to the beginning of the raw packet data, of the Ethernet header.
766 */
767 static u_int off_mac;
768
769 /*
770 * This is the offset of the beginning of the MAC-layer payload,
771 * from the beginning of the raw packet data.
772 *
773 * I.e., it's the sum of the length of the link-layer header (without,
774 * for example, any 802.2 LLC header, so it's the MAC-layer
775 * portion of that header), plus any prefix preceding the
776 * link-layer header.
777 */
778 static u_int off_macpl;
779
780 /*
781 * This is 1 if the offset of the beginning of the MAC-layer payload
782 * from the beginning of the link-layer header is variable-length.
783 */
784 static int off_macpl_is_variable;
785
786 /*
787 * If the link layer has variable_length headers, "reg_off_macpl"
788 * is the register number for a register containing the length of the
789 * link-layer header plus the length of any variable-length header
790 * preceding the link-layer header. Otherwise, "reg_off_macpl"
791 * is -1.
792 */
793 static int reg_off_macpl;
794
795 /*
796 * "off_linktype" is the offset to information in the link-layer header
797 * giving the packet type. This offset is relative to the beginning
798 * of the link-layer header (i.e., it doesn't include off_ll).
799 *
800 * For Ethernet, it's the offset of the Ethernet type field.
801 *
802 * For link-layer types that always use 802.2 headers, it's the
803 * offset of the LLC header.
804 *
805 * For PPP, it's the offset of the PPP type field.
806 *
807 * For Cisco HDLC, it's the offset of the CHDLC type field.
808 *
809 * For BSD loopback, it's the offset of the AF_ value.
810 *
811 * For Linux cooked sockets, it's the offset of the type field.
812 *
813 * It's set to -1 for no encapsulation, in which case, IP is assumed.
814 */
815 static u_int off_linktype;
816
817 /*
818 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
819 * checks to check the PPP header, assumed to follow a LAN-style link-
820 * layer header and a PPPoE session header.
821 */
822 static int is_pppoes = 0;
823
824 /*
825 * TRUE if the link layer includes an ATM pseudo-header.
826 */
827 static int is_atm = 0;
828
829 /*
830 * TRUE if "lane" appeared in the filter; it causes us to generate
831 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
832 */
833 static int is_lane = 0;
834
835 /*
836 * These are offsets for the ATM pseudo-header.
837 */
838 static u_int off_vpi;
839 static u_int off_vci;
840 static u_int off_proto;
841
842 /*
843 * These are offsets for the MTP2 fields.
844 */
845 static u_int off_li;
846
847 /*
848 * These are offsets for the MTP3 fields.
849 */
850 static u_int off_sio;
851 static u_int off_opc;
852 static u_int off_dpc;
853 static u_int off_sls;
854
855 /*
856 * This is the offset of the first byte after the ATM pseudo_header,
857 * or -1 if there is no ATM pseudo-header.
858 */
859 static u_int off_payload;
860
861 /*
862 * These are offsets to the beginning of the network-layer header.
863 * They are relative to the beginning of the MAC-layer payload (i.e.,
864 * they don't include off_ll or off_macpl).
865 *
866 * If the link layer never uses 802.2 LLC:
867 *
868 * "off_nl" and "off_nl_nosnap" are the same.
869 *
870 * If the link layer always uses 802.2 LLC:
871 *
872 * "off_nl" is the offset if there's a SNAP header following
873 * the 802.2 header;
874 *
875 * "off_nl_nosnap" is the offset if there's no SNAP header.
876 *
877 * If the link layer is Ethernet:
878 *
879 * "off_nl" is the offset if the packet is an Ethernet II packet
880 * (we assume no 802.3+802.2+SNAP);
881 *
882 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
883 * with an 802.2 header following it.
884 */
885 static u_int off_nl;
886 static u_int off_nl_nosnap;
887
888 static int linktype;
889
890 static void
891 init_linktype(p)
892 pcap_t *p;
893 {
894 linktype = pcap_datalink(p);
895 #ifdef PCAP_FDDIPAD
896 pcap_fddipad = p->fddipad;
897 #endif
898
899 /*
900 * Assume it's not raw ATM with a pseudo-header, for now.
901 */
902 off_mac = 0;
903 is_atm = 0;
904 is_lane = 0;
905 off_vpi = -1;
906 off_vci = -1;
907 off_proto = -1;
908 off_payload = -1;
909
910 /*
911 * And that we're not doing PPPoE.
912 */
913 is_pppoes = 0;
914
915 /*
916 * And assume we're not doing SS7.
917 */
918 off_li = -1;
919 off_sio = -1;
920 off_opc = -1;
921 off_dpc = -1;
922 off_sls = -1;
923
924 /*
925 * Also assume it's not 802.11.
926 */
927 off_ll = 0;
928 off_macpl = 0;
929 off_macpl_is_variable = 0;
930
931 orig_linktype = -1;
932 orig_nl = -1;
933 label_stack_depth = 0;
934
935 reg_off_ll = -1;
936 reg_off_macpl = -1;
937
938 switch (linktype) {
939
940 case DLT_ARCNET:
941 off_linktype = 2;
942 off_macpl = 6;
943 off_nl = 0; /* XXX in reality, variable! */
944 off_nl_nosnap = 0; /* no 802.2 LLC */
945 return;
946
947 case DLT_ARCNET_LINUX:
948 off_linktype = 4;
949 off_macpl = 8;
950 off_nl = 0; /* XXX in reality, variable! */
951 off_nl_nosnap = 0; /* no 802.2 LLC */
952 return;
953
954 case DLT_EN10MB:
955 off_linktype = 12;
956 off_macpl = 14; /* Ethernet header length */
957 off_nl = 0; /* Ethernet II */
958 off_nl_nosnap = 3; /* 802.3+802.2 */
959 return;
960
961 case DLT_SLIP:
962 /*
963 * SLIP doesn't have a link level type. The 16 byte
964 * header is hacked into our SLIP driver.
965 */
966 off_linktype = -1;
967 off_macpl = 16;
968 off_nl = 0;
969 off_nl_nosnap = 0; /* no 802.2 LLC */
970 return;
971
972 case DLT_SLIP_BSDOS:
973 /* XXX this may be the same as the DLT_PPP_BSDOS case */
974 off_linktype = -1;
975 /* XXX end */
976 off_macpl = 24;
977 off_nl = 0;
978 off_nl_nosnap = 0; /* no 802.2 LLC */
979 return;
980
981 case DLT_NULL:
982 case DLT_LOOP:
983 off_linktype = 0;
984 off_macpl = 4;
985 off_nl = 0;
986 off_nl_nosnap = 0; /* no 802.2 LLC */
987 return;
988
989 case DLT_ENC:
990 off_linktype = 0;
991 off_macpl = 12;
992 off_nl = 0;
993 off_nl_nosnap = 0; /* no 802.2 LLC */
994 return;
995
996 case DLT_PPP:
997 case DLT_PPP_PPPD:
998 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
999 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1000 off_linktype = 2;
1001 off_macpl = 4;
1002 off_nl = 0;
1003 off_nl_nosnap = 0; /* no 802.2 LLC */
1004 return;
1005
1006 case DLT_PPP_ETHER:
1007 /*
1008 * This does no include the Ethernet header, and
1009 * only covers session state.
1010 */
1011 off_linktype = 6;
1012 off_macpl = 8;
1013 off_nl = 0;
1014 off_nl_nosnap = 0; /* no 802.2 LLC */
1015 return;
1016
1017 case DLT_PPP_BSDOS:
1018 off_linktype = 5;
1019 off_macpl = 24;
1020 off_nl = 0;
1021 off_nl_nosnap = 0; /* no 802.2 LLC */
1022 return;
1023
1024 case DLT_FDDI:
1025 /*
1026 * FDDI doesn't really have a link-level type field.
1027 * We set "off_linktype" to the offset of the LLC header.
1028 *
1029 * To check for Ethernet types, we assume that SSAP = SNAP
1030 * is being used and pick out the encapsulated Ethernet type.
1031 * XXX - should we generate code to check for SNAP?
1032 */
1033 off_linktype = 13;
1034 #ifdef PCAP_FDDIPAD
1035 off_linktype += pcap_fddipad;
1036 #endif
1037 off_macpl = 13; /* FDDI MAC header length */
1038 #ifdef PCAP_FDDIPAD
1039 off_macpl += pcap_fddipad;
1040 #endif
1041 off_nl = 8; /* 802.2+SNAP */
1042 off_nl_nosnap = 3; /* 802.2 */
1043 return;
1044
1045 case DLT_IEEE802:
1046 /*
1047 * Token Ring doesn't really have a link-level type field.
1048 * We set "off_linktype" to the offset of the LLC header.
1049 *
1050 * To check for Ethernet types, we assume that SSAP = SNAP
1051 * is being used and pick out the encapsulated Ethernet type.
1052 * XXX - should we generate code to check for SNAP?
1053 *
1054 * XXX - the header is actually variable-length.
1055 * Some various Linux patched versions gave 38
1056 * as "off_linktype" and 40 as "off_nl"; however,
1057 * if a token ring packet has *no* routing
1058 * information, i.e. is not source-routed, the correct
1059 * values are 20 and 22, as they are in the vanilla code.
1060 *
1061 * A packet is source-routed iff the uppermost bit
1062 * of the first byte of the source address, at an
1063 * offset of 8, has the uppermost bit set. If the
1064 * packet is source-routed, the total number of bytes
1065 * of routing information is 2 plus bits 0x1F00 of
1066 * the 16-bit value at an offset of 14 (shifted right
1067 * 8 - figure out which byte that is).
1068 */
1069 off_linktype = 14;
1070 off_macpl = 14; /* Token Ring MAC header length */
1071 off_nl = 8; /* 802.2+SNAP */
1072 off_nl_nosnap = 3; /* 802.2 */
1073 return;
1074
1075 case DLT_IEEE802_11:
1076 case DLT_PRISM_HEADER:
1077 case DLT_IEEE802_11_RADIO_AVS:
1078 case DLT_IEEE802_11_RADIO:
1079 /*
1080 * 802.11 doesn't really have a link-level type field.
1081 * We set "off_linktype" to the offset of the LLC header.
1082 *
1083 * To check for Ethernet types, we assume that SSAP = SNAP
1084 * is being used and pick out the encapsulated Ethernet type.
1085 * XXX - should we generate code to check for SNAP?
1086 *
1087 * We also handle variable-length radio headers here.
1088 * The Prism header is in theory variable-length, but in
1089 * practice it's always 144 bytes long. However, some
1090 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1091 * sometimes or always supply an AVS header, so we
1092 * have to check whether the radio header is a Prism
1093 * header or an AVS header, so, in practice, it's
1094 * variable-length.
1095 */
1096 off_linktype = 24;
1097 off_macpl = 0; /* link-layer header is variable-length */
1098 off_macpl_is_variable = 1;
1099 off_nl = 8; /* 802.2+SNAP */
1100 off_nl_nosnap = 3; /* 802.2 */
1101 return;
1102
1103 case DLT_PPI:
1104 /*
1105 * At the moment we treat PPI the same way that we treat
1106 * normal Radiotap encoded packets. The difference is in
1107 * the function that generates the code at the beginning
1108 * to compute the header length. Since this code generator
1109 * of PPI supports bare 802.11 encapsulation only (i.e.
1110 * the encapsulated DLT should be DLT_IEEE802_11) we
1111 * generate code to check for this too.
1112 */
1113 off_linktype = 24;
1114 off_macpl = 0; /* link-layer header is variable-length */
1115 off_macpl_is_variable = 1;
1116 off_nl = 8; /* 802.2+SNAP */
1117 off_nl_nosnap = 3; /* 802.2 */
1118 return;
1119
1120 case DLT_ATM_RFC1483:
1121 case DLT_ATM_CLIP: /* Linux ATM defines this */
1122 /*
1123 * assume routed, non-ISO PDUs
1124 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1125 *
1126 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1127 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1128 * latter would presumably be treated the way PPPoE
1129 * should be, so you can do "pppoe and udp port 2049"
1130 * or "pppoa and tcp port 80" and have it check for
1131 * PPPo{A,E} and a PPP protocol of IP and....
1132 */
1133 off_linktype = 0;
1134 off_macpl = 0; /* packet begins with LLC header */
1135 off_nl = 8; /* 802.2+SNAP */
1136 off_nl_nosnap = 3; /* 802.2 */
1137 return;
1138
1139 case DLT_SUNATM:
1140 /*
1141 * Full Frontal ATM; you get AALn PDUs with an ATM
1142 * pseudo-header.
1143 */
1144 is_atm = 1;
1145 off_vpi = SUNATM_VPI_POS;
1146 off_vci = SUNATM_VCI_POS;
1147 off_proto = PROTO_POS;
1148 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1149 off_payload = SUNATM_PKT_BEGIN_POS;
1150 off_linktype = off_payload;
1151 off_macpl = off_payload; /* if LLC-encapsulated */
1152 off_nl = 8; /* 802.2+SNAP */
1153 off_nl_nosnap = 3; /* 802.2 */
1154 return;
1155
1156 case DLT_RAW:
1157 off_linktype = -1;
1158 off_macpl = 0;
1159 off_nl = 0;
1160 off_nl_nosnap = 0; /* no 802.2 LLC */
1161 return;
1162
1163 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1164 off_linktype = 14;
1165 off_macpl = 16;
1166 off_nl = 0;
1167 off_nl_nosnap = 0; /* no 802.2 LLC */
1168 return;
1169
1170 case DLT_LTALK:
1171 /*
1172 * LocalTalk does have a 1-byte type field in the LLAP header,
1173 * but really it just indicates whether there is a "short" or
1174 * "long" DDP packet following.
1175 */
1176 off_linktype = -1;
1177 off_macpl = 0;
1178 off_nl = 0;
1179 off_nl_nosnap = 0; /* no 802.2 LLC */
1180 return;
1181
1182 case DLT_IP_OVER_FC:
1183 /*
1184 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1185 * link-level type field. We set "off_linktype" to the
1186 * offset of the LLC header.
1187 *
1188 * To check for Ethernet types, we assume that SSAP = SNAP
1189 * is being used and pick out the encapsulated Ethernet type.
1190 * XXX - should we generate code to check for SNAP? RFC
1191 * 2625 says SNAP should be used.
1192 */
1193 off_linktype = 16;
1194 off_macpl = 16;
1195 off_nl = 8; /* 802.2+SNAP */
1196 off_nl_nosnap = 3; /* 802.2 */
1197 return;
1198
1199 case DLT_FRELAY:
1200 /*
1201 * XXX - we should set this to handle SNAP-encapsulated
1202 * frames (NLPID of 0x80).
1203 */
1204 off_linktype = -1;
1205 off_macpl = 0;
1206 off_nl = 0;
1207 off_nl_nosnap = 0; /* no 802.2 LLC */
1208 return;
1209
1210 /*
1211 * the only BPF-interesting FRF.16 frames are non-control frames;
1212 * Frame Relay has a variable length link-layer
1213 * so lets start with offset 4 for now and increments later on (FIXME);
1214 */
1215 case DLT_MFR:
1216 off_linktype = -1;
1217 off_macpl = 0;
1218 off_nl = 4;
1219 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1220 return;
1221
1222 case DLT_APPLE_IP_OVER_IEEE1394:
1223 off_linktype = 16;
1224 off_macpl = 18;
1225 off_nl = 0;
1226 off_nl_nosnap = 0; /* no 802.2 LLC */
1227 return;
1228
1229 case DLT_LINUX_IRDA:
1230 /*
1231 * Currently, only raw "link[N:M]" filtering is supported.
1232 */
1233 off_linktype = -1;
1234 off_macpl = -1;
1235 off_nl = -1;
1236 off_nl_nosnap = -1;
1237 return;
1238
1239 case DLT_DOCSIS:
1240 /*
1241 * Currently, only raw "link[N:M]" filtering is supported.
1242 */
1243 off_linktype = -1;
1244 off_macpl = -1;
1245 off_nl = -1;
1246 off_nl_nosnap = -1;
1247 return;
1248
1249 case DLT_SYMANTEC_FIREWALL:
1250 off_linktype = 6;
1251 off_macpl = 44;
1252 off_nl = 0; /* Ethernet II */
1253 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1254 return;
1255
1256 #ifdef HAVE_NET_PFVAR_H
1257 case DLT_PFLOG:
1258 off_linktype = 0;
1259 off_macpl = PFLOG_HDRLEN;
1260 off_nl = 0;
1261 off_nl_nosnap = 0; /* no 802.2 LLC */
1262 return;
1263 #endif
1264
1265 case DLT_JUNIPER_MFR:
1266 case DLT_JUNIPER_MLFR:
1267 case DLT_JUNIPER_MLPPP:
1268 case DLT_JUNIPER_PPP:
1269 case DLT_JUNIPER_CHDLC:
1270 case DLT_JUNIPER_FRELAY:
1271 off_linktype = 4;
1272 off_macpl = 4;
1273 off_nl = 0;
1274 off_nl_nosnap = -1; /* no 802.2 LLC */
1275 return;
1276
1277 case DLT_JUNIPER_ATM1:
1278 off_linktype = 4; /* in reality variable between 4-8 */
1279 off_macpl = 4; /* in reality variable between 4-8 */
1280 off_nl = 0;
1281 off_nl_nosnap = 10;
1282 return;
1283
1284 case DLT_JUNIPER_ATM2:
1285 off_linktype = 8; /* in reality variable between 8-12 */
1286 off_macpl = 8; /* in reality variable between 8-12 */
1287 off_nl = 0;
1288 off_nl_nosnap = 10;
1289 return;
1290
1291 /* frames captured on a Juniper PPPoE service PIC
1292 * contain raw ethernet frames */
1293 case DLT_JUNIPER_PPPOE:
1294 case DLT_JUNIPER_ETHER:
1295 off_macpl = 14;
1296 off_linktype = 16;
1297 off_nl = 18; /* Ethernet II */
1298 off_nl_nosnap = 21; /* 802.3+802.2 */
1299 return;
1300
1301 case DLT_JUNIPER_PPPOE_ATM:
1302 off_linktype = 4;
1303 off_macpl = 6;
1304 off_nl = 0;
1305 off_nl_nosnap = -1; /* no 802.2 LLC */
1306 return;
1307
1308 case DLT_JUNIPER_GGSN:
1309 off_linktype = 6;
1310 off_macpl = 12;
1311 off_nl = 0;
1312 off_nl_nosnap = -1; /* no 802.2 LLC */
1313 return;
1314
1315 case DLT_JUNIPER_ES:
1316 off_linktype = 6;
1317 off_macpl = -1; /* not really a network layer but raw IP addresses */
1318 off_nl = -1; /* not really a network layer but raw IP addresses */
1319 off_nl_nosnap = -1; /* no 802.2 LLC */
1320 return;
1321
1322 case DLT_JUNIPER_MONITOR:
1323 off_linktype = 12;
1324 off_macpl = 12;
1325 off_nl = 0; /* raw IP/IP6 header */
1326 off_nl_nosnap = -1; /* no 802.2 LLC */
1327 return;
1328
1329 case DLT_JUNIPER_SERVICES:
1330 off_linktype = 12;
1331 off_macpl = -1; /* L3 proto location dep. on cookie type */
1332 off_nl = -1; /* L3 proto location dep. on cookie type */
1333 off_nl_nosnap = -1; /* no 802.2 LLC */
1334 return;
1335
1336 case DLT_JUNIPER_VP:
1337 off_linktype = 18;
1338 off_macpl = -1;
1339 off_nl = -1;
1340 off_nl_nosnap = -1;
1341 return;
1342
1343 case DLT_JUNIPER_ST:
1344 off_linktype = 18;
1345 off_macpl = -1;
1346 off_nl = -1;
1347 off_nl_nosnap = -1;
1348 return;
1349
1350 case DLT_JUNIPER_ISM:
1351 off_linktype = 8;
1352 off_macpl = -1;
1353 off_nl = -1;
1354 off_nl_nosnap = -1;
1355 return;
1356
1357 case DLT_MTP2:
1358 off_li = 2;
1359 off_sio = 3;
1360 off_opc = 4;
1361 off_dpc = 4;
1362 off_sls = 7;
1363 off_linktype = -1;
1364 off_macpl = -1;
1365 off_nl = -1;
1366 off_nl_nosnap = -1;
1367 return;
1368
1369 case DLT_MTP2_WITH_PHDR:
1370 off_li = 6;
1371 off_sio = 7;
1372 off_opc = 8;
1373 off_dpc = 8;
1374 off_sls = 11;
1375 off_linktype = -1;
1376 off_macpl = -1;
1377 off_nl = -1;
1378 off_nl_nosnap = -1;
1379 return;
1380
1381 case DLT_ERF:
1382 off_li = 22;
1383 off_sio = 23;
1384 off_opc = 24;
1385 off_dpc = 24;
1386 off_sls = 27;
1387 off_linktype = -1;
1388 off_macpl = -1;
1389 off_nl = -1;
1390 off_nl_nosnap = -1;
1391 return;
1392
1393 #ifdef DLT_PFSYNC
1394 case DLT_PFSYNC:
1395 off_linktype = -1;
1396 off_macpl = 4;
1397 off_nl = 0;
1398 off_nl_nosnap = 0;
1399 return;
1400 #endif
1401
1402 case DLT_LINUX_LAPD:
1403 /*
1404 * Currently, only raw "link[N:M]" filtering is supported.
1405 */
1406 off_linktype = -1;
1407 off_macpl = -1;
1408 off_nl = -1;
1409 off_nl_nosnap = -1;
1410 return;
1411
1412 case DLT_USB:
1413 /*
1414 * Currently, only raw "link[N:M]" filtering is supported.
1415 */
1416 off_linktype = -1;
1417 off_macpl = -1;
1418 off_nl = -1;
1419 off_nl_nosnap = -1;
1420 return;
1421
1422 case DLT_BLUETOOTH_HCI_H4:
1423 /*
1424 * Currently, only raw "link[N:M]" filtering is supported.
1425 */
1426 off_linktype = -1;
1427 off_macpl = -1;
1428 off_nl = -1;
1429 off_nl_nosnap = -1;
1430 return;
1431
1432 case DLT_USB_LINUX:
1433 /*
1434 * Currently, only raw "link[N:M]" filtering is supported.
1435 */
1436 off_linktype = -1;
1437 off_macpl = -1;
1438 off_nl = -1;
1439 off_nl_nosnap = -1;
1440 return;
1441
1442 case DLT_CAN20B:
1443 /*
1444 * Currently, only raw "link[N:M]" filtering is supported.
1445 */
1446 off_linktype = -1;
1447 off_macpl = -1;
1448 off_nl = -1;
1449 off_nl_nosnap = -1;
1450 return;
1451
1452 case DLT_IEEE802_15_4_LINUX:
1453 /*
1454 * Currently, only raw "link[N:M]" filtering is supported.
1455 */
1456 off_linktype = -1;
1457 off_macpl = -1;
1458 off_nl = -1;
1459 off_nl_nosnap = -1;
1460 return;
1461
1462 case DLT_IEEE802_16_MAC_CPS_RADIO:
1463 /*
1464 * Currently, only raw "link[N:M]" filtering is supported.
1465 */
1466 off_linktype = -1;
1467 off_macpl = -1;
1468 off_nl = -1;
1469 off_nl_nosnap = -1;
1470 return;
1471
1472 case DLT_IEEE802_15_4:
1473 /*
1474 * Currently, only raw "link[N:M]" filtering is supported.
1475 */
1476 off_linktype = -1;
1477 off_macpl = -1;
1478 off_nl = -1;
1479 off_nl_nosnap = -1;
1480 return;
1481
1482 case DLT_SITA:
1483 /*
1484 * Currently, only raw "link[N:M]" filtering is supported.
1485 */
1486 off_linktype = -1;
1487 off_macpl = -1;
1488 off_nl = -1;
1489 off_nl_nosnap = -1;
1490 return;
1491
1492 case DLT_RAIF1:
1493 /*
1494 * Currently, only raw "link[N:M]" filtering is supported.
1495 */
1496 off_linktype = -1;
1497 off_macpl = -1;
1498 off_nl = -1;
1499 off_nl_nosnap = -1;
1500 return;
1501
1502 case DLT_IPMB:
1503 /*
1504 * Currently, only raw "link[N:M]" filtering is supported.
1505 */
1506 off_linktype = -1;
1507 off_macpl = -1;
1508 off_nl = -1;
1509 off_nl_nosnap = -1;
1510 return;
1511
1512 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1513 /*
1514 * Currently, only raw "link[N:M]" filtering is supported.
1515 */
1516 off_linktype = -1;
1517 off_macpl = -1;
1518 off_nl = -1;
1519 off_nl_nosnap = -1;
1520 return;
1521
1522 case DLT_AX25_KISS:
1523 /*
1524 * Currently, only raw "link[N:M]" filtering is supported.
1525 */
1526 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1527 off_macpl = -1;
1528 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1529 off_nl_nosnap = -1; /* no 802.2 LLC */
1530 off_mac = 1; /* step over the kiss length byte */
1531 return;
1532
1533 case DLT_IEEE802_15_4_NONASK_PHY:
1534 /*
1535 * Currently, only raw "link[N:M]" filtering is supported.
1536 */
1537 off_linktype = -1;
1538 off_macpl = -1;
1539 off_nl = -1;
1540 off_nl_nosnap = -1;
1541 return;
1542
1543 case DLT_MPLS:
1544 /*
1545 * Currently, only raw "link[N:M]" filtering is supported.
1546 */
1547 off_linktype = -1;
1548 off_macpl = -1;
1549 off_nl = -1;
1550 off_nl_nosnap = -1;
1551 return;
1552
1553 case DLT_USB_LINUX_MMAPPED:
1554 /*
1555 * Currently, only raw "link[N:M]" filtering is supported.
1556 */
1557 off_linktype = -1;
1558 off_macpl = -1;
1559 off_nl = -1;
1560 off_nl_nosnap = -1;
1561 return;
1562 }
1563 bpf_error("unknown data link type %d", linktype);
1564 /* NOTREACHED */
1565 }
1566
1567 /*
1568 * Load a value relative to the beginning of the link-layer header.
1569 * The link-layer header doesn't necessarily begin at the beginning
1570 * of the packet data; there might be a variable-length prefix containing
1571 * radio information.
1572 */
1573 static struct slist *
1574 gen_load_llrel(offset, size)
1575 u_int offset, size;
1576 {
1577 struct slist *s, *s2;
1578
1579 s = gen_llprefixlen();
1580
1581 /*
1582 * If "s" is non-null, it has code to arrange that the X register
1583 * contains the length of the prefix preceding the link-layer
1584 * header.
1585 *
1586 * Otherwise, the length of the prefix preceding the link-layer
1587 * header is "off_ll".
1588 */
1589 if (s != NULL) {
1590 /*
1591 * There's a variable-length prefix preceding the
1592 * link-layer header. "s" points to a list of statements
1593 * that put the length of that prefix into the X register.
1594 * do an indirect load, to use the X register as an offset.
1595 */
1596 s2 = new_stmt(BPF_LD|BPF_IND|size);
1597 s2->s.k = offset;
1598 sappend(s, s2);
1599 } else {
1600 /*
1601 * There is no variable-length header preceding the
1602 * link-layer header; add in off_ll, which, if there's
1603 * a fixed-length header preceding the link-layer header,
1604 * is the length of that header.
1605 */
1606 s = new_stmt(BPF_LD|BPF_ABS|size);
1607 s->s.k = offset + off_ll;
1608 }
1609 return s;
1610 }
1611
1612 /*
1613 * Load a value relative to the beginning of the MAC-layer payload.
1614 */
1615 static struct slist *
1616 gen_load_macplrel(offset, size)
1617 u_int offset, size;
1618 {
1619 struct slist *s, *s2;
1620
1621 s = gen_off_macpl();
1622
1623 /*
1624 * If s is non-null, the offset of the MAC-layer payload is
1625 * variable, and s points to a list of instructions that
1626 * arrange that the X register contains that offset.
1627 *
1628 * Otherwise, the offset of the MAC-layer payload is constant,
1629 * and is in off_macpl.
1630 */
1631 if (s != NULL) {
1632 /*
1633 * The offset of the MAC-layer payload is in the X
1634 * register. Do an indirect load, to use the X register
1635 * as an offset.
1636 */
1637 s2 = new_stmt(BPF_LD|BPF_IND|size);
1638 s2->s.k = offset;
1639 sappend(s, s2);
1640 } else {
1641 /*
1642 * The offset of the MAC-layer payload is constant,
1643 * and is in off_macpl; load the value at that offset
1644 * plus the specified offset.
1645 */
1646 s = new_stmt(BPF_LD|BPF_ABS|size);
1647 s->s.k = off_macpl + offset;
1648 }
1649 return s;
1650 }
1651
1652 /*
1653 * Load a value relative to the beginning of the specified header.
1654 */
1655 static struct slist *
1656 gen_load_a(offrel, offset, size)
1657 enum e_offrel offrel;
1658 u_int offset, size;
1659 {
1660 struct slist *s, *s2;
1661
1662 switch (offrel) {
1663
1664 case OR_PACKET:
1665 s = new_stmt(BPF_LD|BPF_ABS|size);
1666 s->s.k = offset;
1667 break;
1668
1669 case OR_LINK:
1670 s = gen_load_llrel(offset, size);
1671 break;
1672
1673 case OR_MACPL:
1674 s = gen_load_macplrel(offset, size);
1675 break;
1676
1677 case OR_NET:
1678 s = gen_load_macplrel(off_nl + offset, size);
1679 break;
1680
1681 case OR_NET_NOSNAP:
1682 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1683 break;
1684
1685 case OR_TRAN_IPV4:
1686 /*
1687 * Load the X register with the length of the IPv4 header
1688 * (plus the offset of the link-layer header, if it's
1689 * preceded by a variable-length header such as a radio
1690 * header), in bytes.
1691 */
1692 s = gen_loadx_iphdrlen();
1693
1694 /*
1695 * Load the item at {offset of the MAC-layer payload} +
1696 * {offset, relative to the start of the MAC-layer
1697 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1698 * {specified offset}.
1699 *
1700 * (If the offset of the MAC-layer payload is variable,
1701 * it's included in the value in the X register, and
1702 * off_macpl is 0.)
1703 */
1704 s2 = new_stmt(BPF_LD|BPF_IND|size);
1705 s2->s.k = off_macpl + off_nl + offset;
1706 sappend(s, s2);
1707 break;
1708
1709 case OR_TRAN_IPV6:
1710 s = gen_load_macplrel(off_nl + 40 + offset, size);
1711 break;
1712
1713 default:
1714 abort();
1715 return NULL;
1716 }
1717 return s;
1718 }
1719
1720 /*
1721 * Generate code to load into the X register the sum of the length of
1722 * the IPv4 header and any variable-length header preceding the link-layer
1723 * header.
1724 */
1725 static struct slist *
1726 gen_loadx_iphdrlen()
1727 {
1728 struct slist *s, *s2;
1729
1730 s = gen_off_macpl();
1731 if (s != NULL) {
1732 /*
1733 * There's a variable-length prefix preceding the
1734 * link-layer header, or the link-layer header is itself
1735 * variable-length. "s" points to a list of statements
1736 * that put the offset of the MAC-layer payload into
1737 * the X register.
1738 *
1739 * The 4*([k]&0xf) addressing mode can't be used, as we
1740 * don't have a constant offset, so we have to load the
1741 * value in question into the A register and add to it
1742 * the value from the X register.
1743 */
1744 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1745 s2->s.k = off_nl;
1746 sappend(s, s2);
1747 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1748 s2->s.k = 0xf;
1749 sappend(s, s2);
1750 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1751 s2->s.k = 2;
1752 sappend(s, s2);
1753
1754 /*
1755 * The A register now contains the length of the
1756 * IP header. We need to add to it the offset of
1757 * the MAC-layer payload, which is still in the X
1758 * register, and move the result into the X register.
1759 */
1760 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1761 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1762 } else {
1763 /*
1764 * There is no variable-length header preceding the
1765 * link-layer header, and the link-layer header is
1766 * fixed-length; load the length of the IPv4 header,
1767 * which is at an offset of off_nl from the beginning
1768 * of the MAC-layer payload, and thus at an offset
1769 * of off_mac_pl + off_nl from the beginning of the
1770 * raw packet data.
1771 */
1772 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1773 s->s.k = off_macpl + off_nl;
1774 }
1775 return s;
1776 }
1777
1778 static struct block *
1779 gen_uncond(rsense)
1780 int rsense;
1781 {
1782 struct block *b;
1783 struct slist *s;
1784
1785 s = new_stmt(BPF_LD|BPF_IMM);
1786 s->s.k = !rsense;
1787 b = new_block(JMP(BPF_JEQ));
1788 b->stmts = s;
1789
1790 return b;
1791 }
1792
1793 static inline struct block *
1794 gen_true()
1795 {
1796 return gen_uncond(1);
1797 }
1798
1799 static inline struct block *
1800 gen_false()
1801 {
1802 return gen_uncond(0);
1803 }
1804
1805 /*
1806 * Byte-swap a 32-bit number.
1807 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1808 * big-endian platforms.)
1809 */
1810 #define SWAPLONG(y) \
1811 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1812
1813 /*
1814 * Generate code to match a particular packet type.
1815 *
1816 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1817 * value, if <= ETHERMTU. We use that to determine whether to
1818 * match the type/length field or to check the type/length field for
1819 * a value <= ETHERMTU to see whether it's a type field and then do
1820 * the appropriate test.
1821 */
1822 static struct block *
1823 gen_ether_linktype(proto)
1824 register int proto;
1825 {
1826 struct block *b0, *b1;
1827
1828 switch (proto) {
1829
1830 case LLCSAP_ISONS:
1831 case LLCSAP_IP:
1832 case LLCSAP_NETBEUI:
1833 /*
1834 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1835 * so we check the DSAP and SSAP.
1836 *
1837 * LLCSAP_IP checks for IP-over-802.2, rather
1838 * than IP-over-Ethernet or IP-over-SNAP.
1839 *
1840 * XXX - should we check both the DSAP and the
1841 * SSAP, like this, or should we check just the
1842 * DSAP, as we do for other types <= ETHERMTU
1843 * (i.e., other SAP values)?
1844 */
1845 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1846 gen_not(b0);
1847 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1848 ((proto << 8) | proto));
1849 gen_and(b0, b1);
1850 return b1;
1851
1852 case LLCSAP_IPX:
1853 /*
1854 * Check for;
1855 *
1856 * Ethernet_II frames, which are Ethernet
1857 * frames with a frame type of ETHERTYPE_IPX;
1858 *
1859 * Ethernet_802.3 frames, which are 802.3
1860 * frames (i.e., the type/length field is
1861 * a length field, <= ETHERMTU, rather than
1862 * a type field) with the first two bytes
1863 * after the Ethernet/802.3 header being
1864 * 0xFFFF;
1865 *
1866 * Ethernet_802.2 frames, which are 802.3
1867 * frames with an 802.2 LLC header and
1868 * with the IPX LSAP as the DSAP in the LLC
1869 * header;
1870 *
1871 * Ethernet_SNAP frames, which are 802.3
1872 * frames with an LLC header and a SNAP
1873 * header and with an OUI of 0x000000
1874 * (encapsulated Ethernet) and a protocol
1875 * ID of ETHERTYPE_IPX in the SNAP header.
1876 *
1877 * XXX - should we generate the same code both
1878 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1879 */
1880
1881 /*
1882 * This generates code to check both for the
1883 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1884 */
1885 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1886 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1887 gen_or(b0, b1);
1888
1889 /*
1890 * Now we add code to check for SNAP frames with
1891 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1892 */
1893 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1894 gen_or(b0, b1);
1895
1896 /*
1897 * Now we generate code to check for 802.3
1898 * frames in general.
1899 */
1900 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1901 gen_not(b0);
1902
1903 /*
1904 * Now add the check for 802.3 frames before the
1905 * check for Ethernet_802.2 and Ethernet_802.3,
1906 * as those checks should only be done on 802.3
1907 * frames, not on Ethernet frames.
1908 */
1909 gen_and(b0, b1);
1910
1911 /*
1912 * Now add the check for Ethernet_II frames, and
1913 * do that before checking for the other frame
1914 * types.
1915 */
1916 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1917 (bpf_int32)ETHERTYPE_IPX);
1918 gen_or(b0, b1);
1919 return b1;
1920
1921 case ETHERTYPE_ATALK:
1922 case ETHERTYPE_AARP:
1923 /*
1924 * EtherTalk (AppleTalk protocols on Ethernet link
1925 * layer) may use 802.2 encapsulation.
1926 */
1927
1928 /*
1929 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1930 * we check for an Ethernet type field less than
1931 * 1500, which means it's an 802.3 length field.
1932 */
1933 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1934 gen_not(b0);
1935
1936 /*
1937 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1938 * SNAP packets with an organization code of
1939 * 0x080007 (Apple, for Appletalk) and a protocol
1940 * type of ETHERTYPE_ATALK (Appletalk).
1941 *
1942 * 802.2-encapsulated ETHERTYPE_AARP packets are
1943 * SNAP packets with an organization code of
1944 * 0x000000 (encapsulated Ethernet) and a protocol
1945 * type of ETHERTYPE_AARP (Appletalk ARP).
1946 */
1947 if (proto == ETHERTYPE_ATALK)
1948 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1949 else /* proto == ETHERTYPE_AARP */
1950 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1951 gen_and(b0, b1);
1952
1953 /*
1954 * Check for Ethernet encapsulation (Ethertalk
1955 * phase 1?); we just check for the Ethernet
1956 * protocol type.
1957 */
1958 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1959
1960 gen_or(b0, b1);
1961 return b1;
1962
1963 default:
1964 if (proto <= ETHERMTU) {
1965 /*
1966 * This is an LLC SAP value, so the frames
1967 * that match would be 802.2 frames.
1968 * Check that the frame is an 802.2 frame
1969 * (i.e., that the length/type field is
1970 * a length field, <= ETHERMTU) and
1971 * then check the DSAP.
1972 */
1973 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1974 gen_not(b0);
1975 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1976 (bpf_int32)proto);
1977 gen_and(b0, b1);
1978 return b1;
1979 } else {
1980 /*
1981 * This is an Ethernet type, so compare
1982 * the length/type field with it (if
1983 * the frame is an 802.2 frame, the length
1984 * field will be <= ETHERMTU, and, as
1985 * "proto" is > ETHERMTU, this test
1986 * will fail and the frame won't match,
1987 * which is what we want).
1988 */
1989 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1990 (bpf_int32)proto);
1991 }
1992 }
1993 }
1994
1995 /*
1996 * Generate code to match a particular packet type.
1997 *
1998 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1999 * value, if <= ETHERMTU. We use that to determine whether to
2000 * match the type field or to check the type field for the special
2001 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2002 */
2003 static struct block *
2004 gen_linux_sll_linktype(proto)
2005 register int proto;
2006 {
2007 struct block *b0, *b1;
2008
2009 switch (proto) {
2010
2011 case LLCSAP_ISONS:
2012 case LLCSAP_IP:
2013 case LLCSAP_NETBEUI:
2014 /*
2015 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2016 * so we check the DSAP and SSAP.
2017 *
2018 * LLCSAP_IP checks for IP-over-802.2, rather
2019 * than IP-over-Ethernet or IP-over-SNAP.
2020 *
2021 * XXX - should we check both the DSAP and the
2022 * SSAP, like this, or should we check just the
2023 * DSAP, as we do for other types <= ETHERMTU
2024 * (i.e., other SAP values)?
2025 */
2026 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2027 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
2028 ((proto << 8) | proto));
2029 gen_and(b0, b1);
2030 return b1;
2031
2032 case LLCSAP_IPX:
2033 /*
2034 * Ethernet_II frames, which are Ethernet
2035 * frames with a frame type of ETHERTYPE_IPX;
2036 *
2037 * Ethernet_802.3 frames, which have a frame
2038 * type of LINUX_SLL_P_802_3;
2039 *
2040 * Ethernet_802.2 frames, which are 802.3
2041 * frames with an 802.2 LLC header (i.e, have
2042 * a frame type of LINUX_SLL_P_802_2) and
2043 * with the IPX LSAP as the DSAP in the LLC
2044 * header;
2045 *
2046 * Ethernet_SNAP frames, which are 802.3
2047 * frames with an LLC header and a SNAP
2048 * header and with an OUI of 0x000000
2049 * (encapsulated Ethernet) and a protocol
2050 * ID of ETHERTYPE_IPX in the SNAP header.
2051 *
2052 * First, do the checks on LINUX_SLL_P_802_2
2053 * frames; generate the check for either
2054 * Ethernet_802.2 or Ethernet_SNAP frames, and
2055 * then put a check for LINUX_SLL_P_802_2 frames
2056 * before it.
2057 */
2058 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2059 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2060 gen_or(b0, b1);
2061 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2062 gen_and(b0, b1);
2063
2064 /*
2065 * Now check for 802.3 frames and OR that with
2066 * the previous test.
2067 */
2068 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2069 gen_or(b0, b1);
2070
2071 /*
2072 * Now add the check for Ethernet_II frames, and
2073 * do that before checking for the other frame
2074 * types.
2075 */
2076 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2077 (bpf_int32)ETHERTYPE_IPX);
2078 gen_or(b0, b1);
2079 return b1;
2080
2081 case ETHERTYPE_ATALK:
2082 case ETHERTYPE_AARP:
2083 /*
2084 * EtherTalk (AppleTalk protocols on Ethernet link
2085 * layer) may use 802.2 encapsulation.
2086 */
2087
2088 /*
2089 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2090 * we check for the 802.2 protocol type in the
2091 * "Ethernet type" field.
2092 */
2093 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2094
2095 /*
2096 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2097 * SNAP packets with an organization code of
2098 * 0x080007 (Apple, for Appletalk) and a protocol
2099 * type of ETHERTYPE_ATALK (Appletalk).
2100 *
2101 * 802.2-encapsulated ETHERTYPE_AARP packets are
2102 * SNAP packets with an organization code of
2103 * 0x000000 (encapsulated Ethernet) and a protocol
2104 * type of ETHERTYPE_AARP (Appletalk ARP).
2105 */
2106 if (proto == ETHERTYPE_ATALK)
2107 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2108 else /* proto == ETHERTYPE_AARP */
2109 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2110 gen_and(b0, b1);
2111
2112 /*
2113 * Check for Ethernet encapsulation (Ethertalk
2114 * phase 1?); we just check for the Ethernet
2115 * protocol type.
2116 */
2117 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2118
2119 gen_or(b0, b1);
2120 return b1;
2121
2122 default:
2123 if (proto <= ETHERMTU) {
2124 /*
2125 * This is an LLC SAP value, so the frames
2126 * that match would be 802.2 frames.
2127 * Check for the 802.2 protocol type
2128 * in the "Ethernet type" field, and
2129 * then check the DSAP.
2130 */
2131 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2132 LINUX_SLL_P_802_2);
2133 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2134 (bpf_int32)proto);
2135 gen_and(b0, b1);
2136 return b1;
2137 } else {
2138 /*
2139 * This is an Ethernet type, so compare
2140 * the length/type field with it (if
2141 * the frame is an 802.2 frame, the length
2142 * field will be <= ETHERMTU, and, as
2143 * "proto" is > ETHERMTU, this test
2144 * will fail and the frame won't match,
2145 * which is what we want).
2146 */
2147 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2148 (bpf_int32)proto);
2149 }
2150 }
2151 }
2152
2153 static struct slist *
2154 gen_load_prism_llprefixlen()
2155 {
2156 struct slist *s1, *s2;
2157 struct slist *sjeq_avs_cookie;
2158 struct slist *sjcommon;
2159
2160 /*
2161 * This code is not compatible with the optimizer, as
2162 * we are generating jmp instructions within a normal
2163 * slist of instructions
2164 */
2165 no_optimize = 1;
2166
2167 /*
2168 * Generate code to load the length of the radio header into
2169 * the register assigned to hold that length, if one has been
2170 * assigned. (If one hasn't been assigned, no code we've
2171 * generated uses that prefix, so we don't need to generate any
2172 * code to load it.)
2173 *
2174 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2175 * or always use the AVS header rather than the Prism header.
2176 * We load a 4-byte big-endian value at the beginning of the
2177 * raw packet data, and see whether, when masked with 0xFFFFF000,
2178 * it's equal to 0x80211000. If so, that indicates that it's
2179 * an AVS header (the masked-out bits are the version number).
2180 * Otherwise, it's a Prism header.
2181 *
2182 * XXX - the Prism header is also, in theory, variable-length,
2183 * but no known software generates headers that aren't 144
2184 * bytes long.
2185 */
2186 if (reg_off_ll != -1) {
2187 /*
2188 * Load the cookie.
2189 */
2190 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2191 s1->s.k = 0;
2192
2193 /*
2194 * AND it with 0xFFFFF000.
2195 */
2196 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2197 s2->s.k = 0xFFFFF000;
2198 sappend(s1, s2);
2199
2200 /*
2201 * Compare with 0x80211000.
2202 */
2203 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2204 sjeq_avs_cookie->s.k = 0x80211000;
2205 sappend(s1, sjeq_avs_cookie);
2206
2207 /*
2208 * If it's AVS:
2209 *
2210 * The 4 bytes at an offset of 4 from the beginning of
2211 * the AVS header are the length of the AVS header.
2212 * That field is big-endian.
2213 */
2214 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2215 s2->s.k = 4;
2216 sappend(s1, s2);
2217 sjeq_avs_cookie->s.jt = s2;
2218
2219 /*
2220 * Now jump to the code to allocate a register
2221 * into which to save the header length and
2222 * store the length there. (The "jump always"
2223 * instruction needs to have the k field set;
2224 * it's added to the PC, so, as we're jumping
2225 * over a single instruction, it should be 1.)
2226 */
2227 sjcommon = new_stmt(JMP(BPF_JA));
2228 sjcommon->s.k = 1;
2229 sappend(s1, sjcommon);
2230
2231 /*
2232 * Now for the code that handles the Prism header.
2233 * Just load the length of the Prism header (144)
2234 * into the A register. Have the test for an AVS
2235 * header branch here if we don't have an AVS header.
2236 */
2237 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2238 s2->s.k = 144;
2239 sappend(s1, s2);
2240 sjeq_avs_cookie->s.jf = s2;
2241
2242 /*
2243 * Now allocate a register to hold that value and store
2244 * it. The code for the AVS header will jump here after
2245 * loading the length of the AVS header.
2246 */
2247 s2 = new_stmt(BPF_ST);
2248 s2->s.k = reg_off_ll;
2249 sappend(s1, s2);
2250 sjcommon->s.jf = s2;
2251
2252 /*
2253 * Now move it into the X register.
2254 */
2255 s2 = new_stmt(BPF_MISC|BPF_TAX);
2256 sappend(s1, s2);
2257
2258 return (s1);
2259 } else
2260 return (NULL);
2261 }
2262
2263 static struct slist *
2264 gen_load_avs_llprefixlen()
2265 {
2266 struct slist *s1, *s2;
2267
2268 /*
2269 * Generate code to load the length of the AVS header into
2270 * the register assigned to hold that length, if one has been
2271 * assigned. (If one hasn't been assigned, no code we've
2272 * generated uses that prefix, so we don't need to generate any
2273 * code to load it.)
2274 */
2275 if (reg_off_ll != -1) {
2276 /*
2277 * The 4 bytes at an offset of 4 from the beginning of
2278 * the AVS header are the length of the AVS header.
2279 * That field is big-endian.
2280 */
2281 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2282 s1->s.k = 4;
2283
2284 /*
2285 * Now allocate a register to hold that value and store
2286 * it.
2287 */
2288 s2 = new_stmt(BPF_ST);
2289 s2->s.k = reg_off_ll;
2290 sappend(s1, s2);
2291
2292 /*
2293 * Now move it into the X register.
2294 */
2295 s2 = new_stmt(BPF_MISC|BPF_TAX);
2296 sappend(s1, s2);
2297
2298 return (s1);
2299 } else
2300 return (NULL);
2301 }
2302
2303 static struct slist *
2304 gen_load_radiotap_llprefixlen()
2305 {
2306 struct slist *s1, *s2;
2307
2308 /*
2309 * Generate code to load the length of the radiotap header into
2310 * the register assigned to hold that length, if one has been
2311 * assigned. (If one hasn't been assigned, no code we've
2312 * generated uses that prefix, so we don't need to generate any
2313 * code to load it.)
2314 */
2315 if (reg_off_ll != -1) {
2316 /*
2317 * The 2 bytes at offsets of 2 and 3 from the beginning
2318 * of the radiotap header are the length of the radiotap
2319 * header; unfortunately, it's little-endian, so we have
2320 * to load it a byte at a time and construct the value.
2321 */
2322
2323 /*
2324 * Load the high-order byte, at an offset of 3, shift it
2325 * left a byte, and put the result in the X register.
2326 */
2327 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2328 s1->s.k = 3;
2329 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2330 sappend(s1, s2);
2331 s2->s.k = 8;
2332 s2 = new_stmt(BPF_MISC|BPF_TAX);
2333 sappend(s1, s2);
2334
2335 /*
2336 * Load the next byte, at an offset of 2, and OR the
2337 * value from the X register into it.
2338 */
2339 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2340 sappend(s1, s2);
2341 s2->s.k = 2;
2342 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2343 sappend(s1, s2);
2344
2345 /*
2346 * Now allocate a register to hold that value and store
2347 * it.
2348 */
2349 s2 = new_stmt(BPF_ST);
2350 s2->s.k = reg_off_ll;
2351 sappend(s1, s2);
2352
2353 /*
2354 * Now move it into the X register.
2355 */
2356 s2 = new_stmt(BPF_MISC|BPF_TAX);
2357 sappend(s1, s2);
2358
2359 return (s1);
2360 } else
2361 return (NULL);
2362 }
2363
2364 /*
2365 * At the moment we treat PPI as normal Radiotap encoded
2366 * packets. The difference is in the function that generates
2367 * the code at the beginning to compute the header length.
2368 * Since this code generator of PPI supports bare 802.11
2369 * encapsulation only (i.e. the encapsulated DLT should be
2370 * DLT_IEEE802_11) we generate code to check for this too;
2371 * that's done in finish_parse().
2372 */
2373 static struct slist *
2374 gen_load_ppi_llprefixlen()
2375 {
2376 struct slist *s1, *s2;
2377
2378 /*
2379 * Generate code to load the length of the radiotap header
2380 * into the register assigned to hold that length, if one has
2381 * been assigned.
2382 */
2383 if (reg_off_ll != -1) {
2384 /*
2385 * The 2 bytes at offsets of 2 and 3 from the beginning
2386 * of the radiotap header are the length of the radiotap
2387 * header; unfortunately, it's little-endian, so we have
2388 * to load it a byte at a time and construct the value.
2389 */
2390
2391 /*
2392 * Load the high-order byte, at an offset of 3, shift it
2393 * left a byte, and put the result in the X register.
2394 */
2395 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2396 s1->s.k = 3;
2397 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2398 sappend(s1, s2);
2399 s2->s.k = 8;
2400 s2 = new_stmt(BPF_MISC|BPF_TAX);
2401 sappend(s1, s2);
2402
2403 /*
2404 * Load the next byte, at an offset of 2, and OR the
2405 * value from the X register into it.
2406 */
2407 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2408 sappend(s1, s2);
2409 s2->s.k = 2;
2410 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2411 sappend(s1, s2);
2412
2413 /*
2414 * Now allocate a register to hold that value and store
2415 * it.
2416 */
2417 s2 = new_stmt(BPF_ST);
2418 s2->s.k = reg_off_ll;
2419 sappend(s1, s2);
2420
2421 /*
2422 * Now move it into the X register.
2423 */
2424 s2 = new_stmt(BPF_MISC|BPF_TAX);
2425 sappend(s1, s2);
2426
2427 return (s1);
2428 } else
2429 return (NULL);
2430 }
2431
2432 /*
2433 * Load a value relative to the beginning of the link-layer header after the 802.11
2434 * header, i.e. LLC_SNAP.
2435 * The link-layer header doesn't necessarily begin at the beginning
2436 * of the packet data; there might be a variable-length prefix containing
2437 * radio information.
2438 */
2439 static struct slist *
2440 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2441 {
2442 struct slist *s2;
2443 struct slist *sjset_data_frame_1;
2444 struct slist *sjset_data_frame_2;
2445 struct slist *sjset_qos;
2446 struct slist *sjset_radiotap_flags;
2447 struct slist *sjset_radiotap_tsft;
2448 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2449 struct slist *s_roundup;
2450
2451 if (reg_off_macpl == -1) {
2452 /*
2453 * No register has been assigned to the offset of
2454 * the MAC-layer payload, which means nobody needs
2455 * it; don't bother computing it - just return
2456 * what we already have.
2457 */
2458 return (s);
2459 }
2460
2461 /*
2462 * This code is not compatible with the optimizer, as
2463 * we are generating jmp instructions within a normal
2464 * slist of instructions
2465 */
2466 no_optimize = 1;
2467
2468 /*
2469 * If "s" is non-null, it has code to arrange that the X register
2470 * contains the length of the prefix preceding the link-layer
2471 * header.
2472 *
2473 * Otherwise, the length of the prefix preceding the link-layer
2474 * header is "off_ll".
2475 */
2476 if (s == NULL) {
2477 /*
2478 * There is no variable-length header preceding the
2479 * link-layer header.
2480 *
2481 * Load the length of the fixed-length prefix preceding
2482 * the link-layer header (if any) into the X register,
2483 * and store it in the reg_off_macpl register.
2484 * That length is off_ll.
2485 */
2486 s = new_stmt(BPF_LDX|BPF_IMM);
2487 s->s.k = off_ll;
2488 }
2489
2490 /*
2491 * The X register contains the offset of the beginning of the
2492 * link-layer header; add 24, which is the minimum length
2493 * of the MAC header for a data frame, to that, and store it
2494 * in reg_off_macpl, and then load the Frame Control field,
2495 * which is at the offset in the X register, with an indexed load.
2496 */
2497 s2 = new_stmt(BPF_MISC|BPF_TXA);
2498 sappend(s, s2);
2499 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2500 s2->s.k = 24;
2501 sappend(s, s2);
2502 s2 = new_stmt(BPF_ST);
2503 s2->s.k = reg_off_macpl;
2504 sappend(s, s2);
2505
2506 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2507 s2->s.k = 0;
2508 sappend(s, s2);
2509
2510 /*
2511 * Check the Frame Control field to see if this is a data frame;
2512 * a data frame has the 0x08 bit (b3) in that field set and the
2513 * 0x04 bit (b2) clear.
2514 */
2515 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2516 sjset_data_frame_1->s.k = 0x08;
2517 sappend(s, sjset_data_frame_1);
2518
2519 /*
2520 * If b3 is set, test b2, otherwise go to the first statement of
2521 * the rest of the program.
2522 */
2523 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2524 sjset_data_frame_2->s.k = 0x04;
2525 sappend(s, sjset_data_frame_2);
2526 sjset_data_frame_1->s.jf = snext;
2527
2528 /*
2529 * If b2 is not set, this is a data frame; test the QoS bit.
2530 * Otherwise, go to the first statement of the rest of the
2531 * program.
2532 */
2533 sjset_data_frame_2->s.jt = snext;
2534 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2535 sjset_qos->s.k = 0x80; /* QoS bit */
2536 sappend(s, sjset_qos);
2537
2538 /*
2539 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2540 * field.
2541 * Otherwise, go to the first statement of the rest of the
2542 * program.
2543 */
2544 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2545 s2->s.k = reg_off_macpl;
2546 sappend(s, s2);
2547 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2548 s2->s.k = 2;
2549 sappend(s, s2);
2550 s2 = new_stmt(BPF_ST);
2551 s2->s.k = reg_off_macpl;
2552 sappend(s, s2);
2553
2554 /*
2555 * If we have a radiotap header, look at it to see whether
2556 * there's Atheros padding between the MAC-layer header
2557 * and the payload.
2558 *
2559 * Note: all of the fields in the radiotap header are
2560 * little-endian, so we byte-swap all of the values
2561 * we test against, as they will be loaded as big-endian
2562 * values.
2563 */
2564 if (linktype == DLT_IEEE802_11_RADIO) {
2565 /*
2566 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2567 * in the presence flag?
2568 */
2569 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2570 s2->s.k = 4;
2571 sappend(s, s2);
2572
2573 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2574 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2575 sappend(s, sjset_radiotap_flags);
2576
2577 /*
2578 * If not, skip all of this.
2579 */
2580 sjset_radiotap_flags->s.jf = snext;
2581
2582 /*
2583 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2584 */
2585 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2586 new_stmt(JMP(BPF_JSET));
2587 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2588 sappend(s, sjset_radiotap_tsft);
2589
2590 /*
2591 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2592 * at an offset of 16 from the beginning of the raw packet
2593 * data (8 bytes for the radiotap header and 8 bytes for
2594 * the TSFT field).
2595 *
2596 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2597 * is set.
2598 */
2599 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2600 s2->s.k = 16;
2601 sappend(s, s2);
2602
2603 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2604 sjset_tsft_datapad->s.k = 0x20;
2605 sappend(s, sjset_tsft_datapad);
2606
2607 /*
2608 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2609 * at an offset of 8 from the beginning of the raw packet
2610 * data (8 bytes for the radiotap header).
2611 *
2612 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2613 * is set.
2614 */
2615 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2616 s2->s.k = 8;
2617 sappend(s, s2);
2618
2619 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2620 sjset_notsft_datapad->s.k = 0x20;
2621 sappend(s, sjset_notsft_datapad);
2622
2623 /*
2624 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2625 * set, round the length of the 802.11 header to
2626 * a multiple of 4. Do that by adding 3 and then
2627 * dividing by and multiplying by 4, which we do by
2628 * ANDing with ~3.
2629 */
2630 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2631 s_roundup->s.k = reg_off_macpl;
2632 sappend(s, s_roundup);
2633 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2634 s2->s.k = 3;
2635 sappend(s, s2);
2636 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2637 s2->s.k = ~3;
2638 sappend(s, s2);
2639 s2 = new_stmt(BPF_ST);
2640 s2->s.k = reg_off_macpl;
2641 sappend(s, s2);
2642
2643 sjset_tsft_datapad->s.jt = s_roundup;
2644 sjset_tsft_datapad->s.jf = snext;
2645 sjset_notsft_datapad->s.jt = s_roundup;
2646 sjset_notsft_datapad->s.jf = snext;
2647 } else
2648 sjset_qos->s.jf = snext;
2649
2650 return s;
2651 }
2652
2653 static void
2654 insert_compute_vloffsets(b)
2655 struct block *b;
2656 {
2657 struct slist *s;
2658
2659 /*
2660 * For link-layer types that have a variable-length header
2661 * preceding the link-layer header, generate code to load
2662 * the offset of the link-layer header into the register
2663 * assigned to that offset, if any.
2664 */
2665 switch (linktype) {
2666
2667 case DLT_PRISM_HEADER:
2668 s = gen_load_prism_llprefixlen();
2669 break;
2670
2671 case DLT_IEEE802_11_RADIO_AVS:
2672 s = gen_load_avs_llprefixlen();
2673 break;
2674
2675 case DLT_IEEE802_11_RADIO:
2676 s = gen_load_radiotap_llprefixlen();
2677 break;
2678
2679 case DLT_PPI:
2680 s = gen_load_ppi_llprefixlen();
2681 break;
2682
2683 default:
2684 s = NULL;
2685 break;
2686 }
2687
2688 /*
2689 * For link-layer types that have a variable-length link-layer
2690 * header, generate code to load the offset of the MAC-layer
2691 * payload into the register assigned to that offset, if any.
2692 */
2693 switch (linktype) {
2694
2695 case DLT_IEEE802_11:
2696 case DLT_PRISM_HEADER:
2697 case DLT_IEEE802_11_RADIO_AVS:
2698 case DLT_IEEE802_11_RADIO:
2699 case DLT_PPI:
2700 s = gen_load_802_11_header_len(s, b->stmts);
2701 break;
2702 }
2703
2704 /*
2705 * If we have any offset-loading code, append all the
2706 * existing statements in the block to those statements,
2707 * and make the resulting list the list of statements
2708 * for the block.
2709 */
2710 if (s != NULL) {
2711 sappend(s, b->stmts);
2712 b->stmts = s;
2713 }
2714 }
2715
2716 static struct block *
2717 gen_ppi_dlt_check(void)
2718 {
2719 struct slist *s_load_dlt;
2720 struct block *b;
2721
2722 if (linktype == DLT_PPI)
2723 {
2724 /* Create the statements that check for the DLT
2725 */
2726 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2727 s_load_dlt->s.k = 4;
2728
2729 b = new_block(JMP(BPF_JEQ));
2730
2731 b->stmts = s_load_dlt;
2732 b->s.k = SWAPLONG(DLT_IEEE802_11);
2733 }
2734 else
2735 {
2736 b = NULL;
2737 }
2738
2739 return b;
2740 }
2741
2742 static struct slist *
2743 gen_prism_llprefixlen(void)
2744 {
2745 struct slist *s;
2746
2747 if (reg_off_ll == -1) {
2748 /*
2749 * We haven't yet assigned a register for the length
2750 * of the radio header; allocate one.
2751 */
2752 reg_off_ll = alloc_reg();
2753 }
2754
2755 /*
2756 * Load the register containing the radio length
2757 * into the X register.
2758 */
2759 s = new_stmt(BPF_LDX|BPF_MEM);
2760 s->s.k = reg_off_ll;
2761 return s;
2762 }
2763
2764 static struct slist *
2765 gen_avs_llprefixlen(void)
2766 {
2767 struct slist *s;
2768
2769 if (reg_off_ll == -1) {
2770 /*
2771 * We haven't yet assigned a register for the length
2772 * of the AVS header; allocate one.
2773 */
2774 reg_off_ll = alloc_reg();
2775 }
2776
2777 /*
2778 * Load the register containing the AVS length
2779 * into the X register.
2780 */
2781 s = new_stmt(BPF_LDX|BPF_MEM);
2782 s->s.k = reg_off_ll;
2783 return s;
2784 }
2785
2786 static struct slist *
2787 gen_radiotap_llprefixlen(void)
2788 {
2789 struct slist *s;
2790
2791 if (reg_off_ll == -1) {
2792 /*
2793 * We haven't yet assigned a register for the length
2794 * of the radiotap header; allocate one.
2795 */
2796 reg_off_ll = alloc_reg();
2797 }
2798
2799 /*
2800 * Load the register containing the radiotap length
2801 * into the X register.
2802 */
2803 s = new_stmt(BPF_LDX|BPF_MEM);
2804 s->s.k = reg_off_ll;
2805 return s;
2806 }
2807
2808 /*
2809 * At the moment we treat PPI as normal Radiotap encoded
2810 * packets. The difference is in the function that generates
2811 * the code at the beginning to compute the header length.
2812 * Since this code generator of PPI supports bare 802.11
2813 * encapsulation only (i.e. the encapsulated DLT should be
2814 * DLT_IEEE802_11) we generate code to check for this too.
2815 */
2816 static struct slist *
2817 gen_ppi_llprefixlen(void)
2818 {
2819 struct slist *s;
2820
2821 if (reg_off_ll == -1) {
2822 /*
2823 * We haven't yet assigned a register for the length
2824 * of the radiotap header; allocate one.
2825 */
2826 reg_off_ll = alloc_reg();
2827 }
2828
2829 /*
2830 * Load the register containing the PPI length
2831 * into the X register.
2832 */
2833 s = new_stmt(BPF_LDX|BPF_MEM);
2834 s->s.k = reg_off_ll;
2835 return s;
2836 }
2837
2838 /*
2839 * Generate code to compute the link-layer header length, if necessary,
2840 * putting it into the X register, and to return either a pointer to a
2841 * "struct slist" for the list of statements in that code, or NULL if
2842 * no code is necessary.
2843 */
2844 static struct slist *
2845 gen_llprefixlen(void)
2846 {
2847 switch (linktype) {
2848
2849 case DLT_PRISM_HEADER:
2850 return gen_prism_llprefixlen();
2851
2852 case DLT_IEEE802_11_RADIO_AVS:
2853 return gen_avs_llprefixlen();
2854
2855 case DLT_IEEE802_11_RADIO:
2856 return gen_radiotap_llprefixlen();
2857
2858 case DLT_PPI:
2859 return gen_ppi_llprefixlen();
2860
2861 default:
2862 return NULL;
2863 }
2864 }
2865
2866 /*
2867 * Generate code to load the register containing the offset of the
2868 * MAC-layer payload into the X register; if no register for that offset
2869 * has been allocated, allocate it first.
2870 */
2871 static struct slist *
2872 gen_off_macpl(void)
2873 {
2874 struct slist *s;
2875
2876 if (off_macpl_is_variable) {
2877 if (reg_off_macpl == -1) {
2878 /*
2879 * We haven't yet assigned a register for the offset
2880 * of the MAC-layer payload; allocate one.
2881 */
2882 reg_off_macpl = alloc_reg();
2883 }
2884
2885 /*
2886 * Load the register containing the offset of the MAC-layer
2887 * payload into the X register.
2888 */
2889 s = new_stmt(BPF_LDX|BPF_MEM);
2890 s->s.k = reg_off_macpl;
2891 return s;
2892 } else {
2893 /*
2894 * That offset isn't variable, so we don't need to
2895 * generate any code.
2896 */
2897 return NULL;
2898 }
2899 }
2900
2901 /*
2902 * Map an Ethernet type to the equivalent PPP type.
2903 */
2904 static int
2905 ethertype_to_ppptype(proto)
2906 int proto;
2907 {
2908 switch (proto) {
2909
2910 case ETHERTYPE_IP:
2911 proto = PPP_IP;
2912 break;
2913
2914 #ifdef INET6
2915 case ETHERTYPE_IPV6:
2916 proto = PPP_IPV6;
2917 break;
2918 #endif
2919
2920 case ETHERTYPE_DN:
2921 proto = PPP_DECNET;
2922 break;
2923
2924 case ETHERTYPE_ATALK:
2925 proto = PPP_APPLE;
2926 break;
2927
2928 case ETHERTYPE_NS:
2929 proto = PPP_NS;
2930 break;
2931
2932 case LLCSAP_ISONS:
2933 proto = PPP_OSI;
2934 break;
2935
2936 case LLCSAP_8021D:
2937 /*
2938 * I'm assuming the "Bridging PDU"s that go
2939 * over PPP are Spanning Tree Protocol
2940 * Bridging PDUs.
2941 */
2942 proto = PPP_BRPDU;
2943 break;
2944
2945 case LLCSAP_IPX:
2946 proto = PPP_IPX;
2947 break;
2948 }
2949 return (proto);
2950 }
2951
2952 /*
2953 * Generate code to match a particular packet type by matching the
2954 * link-layer type field or fields in the 802.2 LLC header.
2955 *
2956 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2957 * value, if <= ETHERMTU.
2958 */
2959 static struct block *
2960 gen_linktype(proto)
2961 register int proto;
2962 {
2963 struct block *b0, *b1, *b2;
2964
2965 /* are we checking MPLS-encapsulated packets? */
2966 if (label_stack_depth > 0) {
2967 switch (proto) {
2968 case ETHERTYPE_IP:
2969 case PPP_IP:
2970 /* FIXME add other L3 proto IDs */
2971 return gen_mpls_linktype(Q_IP);
2972
2973 case ETHERTYPE_IPV6:
2974 case PPP_IPV6:
2975 /* FIXME add other L3 proto IDs */
2976 return gen_mpls_linktype(Q_IPV6);
2977
2978 default:
2979 bpf_error("unsupported protocol over mpls");
2980 /* NOTREACHED */
2981 }
2982 }
2983
2984 /*
2985 * Are we testing PPPoE packets?
2986 */
2987 if (is_pppoes) {
2988 /*
2989 * The PPPoE session header is part of the
2990 * MAC-layer payload, so all references
2991 * should be relative to the beginning of
2992 * that payload.
2993 */
2994
2995 /*
2996 * We use Ethernet protocol types inside libpcap;
2997 * map them to the corresponding PPP protocol types.
2998 */
2999 proto = ethertype_to_ppptype(proto);
3000 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
3001 }
3002
3003 switch (linktype) {
3004
3005 case DLT_EN10MB:
3006 return gen_ether_linktype(proto);
3007 /*NOTREACHED*/
3008 break;
3009
3010 case DLT_C_HDLC:
3011 switch (proto) {
3012
3013 case LLCSAP_ISONS:
3014 proto = (proto << 8 | LLCSAP_ISONS);
3015 /* fall through */
3016
3017 default:
3018 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3019 (bpf_int32)proto);
3020 /*NOTREACHED*/
3021 break;
3022 }
3023 break;
3024
3025 case DLT_IEEE802_11:
3026 case DLT_PRISM_HEADER:
3027 case DLT_IEEE802_11_RADIO_AVS:
3028 case DLT_IEEE802_11_RADIO:
3029 case DLT_PPI:
3030 /*
3031 * Check that we have a data frame.
3032 */
3033 b0 = gen_check_802_11_data_frame();
3034
3035 /*
3036 * Now check for the specified link-layer type.
3037 */
3038 b1 = gen_llc_linktype(proto);
3039 gen_and(b0, b1);
3040 return b1;
3041 /*NOTREACHED*/
3042 break;
3043
3044 case DLT_FDDI:
3045 /*
3046 * XXX - check for asynchronous frames, as per RFC 1103.
3047 */
3048 return gen_llc_linktype(proto);
3049 /*NOTREACHED*/
3050 break;
3051
3052 case DLT_IEEE802:
3053 /*
3054 * XXX - check for LLC PDUs, as per IEEE 802.5.
3055 */
3056 return gen_llc_linktype(proto);
3057 /*NOTREACHED*/
3058 break;
3059
3060 case DLT_ATM_RFC1483:
3061 case DLT_ATM_CLIP:
3062 case DLT_IP_OVER_FC:
3063 return gen_llc_linktype(proto);
3064 /*NOTREACHED*/
3065 break;
3066
3067 case DLT_SUNATM:
3068 /*
3069 * If "is_lane" is set, check for a LANE-encapsulated
3070 * version of this protocol, otherwise check for an
3071 * LLC-encapsulated version of this protocol.
3072 *
3073 * We assume LANE means Ethernet, not Token Ring.
3074 */
3075 if (is_lane) {
3076 /*
3077 * Check that the packet doesn't begin with an
3078 * LE Control marker. (We've already generated
3079 * a test for LANE.)
3080 */
3081 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3082 0xFF00);
3083 gen_not(b0);
3084
3085 /*
3086 * Now generate an Ethernet test.
3087 */
3088 b1 = gen_ether_linktype(proto);
3089 gen_and(b0, b1);
3090 return b1;
3091 } else {
3092 /*
3093 * Check for LLC encapsulation and then check the
3094 * protocol.
3095 */
3096 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3097 b1 = gen_llc_linktype(proto);
3098 gen_and(b0, b1);
3099 return b1;
3100 }
3101 /*NOTREACHED*/
3102 break;
3103
3104 case DLT_LINUX_SLL:
3105 return gen_linux_sll_linktype(proto);
3106 /*NOTREACHED*/
3107 break;
3108
3109 case DLT_SLIP:
3110 case DLT_SLIP_BSDOS:
3111 case DLT_RAW:
3112 /*
3113 * These types don't provide any type field; packets
3114 * are always IPv4 or IPv6.
3115 *
3116 * XXX - for IPv4, check for a version number of 4, and,
3117 * for IPv6, check for a version number of 6?
3118 */
3119 switch (proto) {
3120
3121 case ETHERTYPE_IP:
3122 /* Check for a version number of 4. */
3123 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3124 #ifdef INET6
3125 case ETHERTYPE_IPV6:
3126 /* Check for a version number of 6. */
3127 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3128 #endif
3129
3130 default:
3131 return gen_false(); /* always false */
3132 }
3133 /*NOTREACHED*/
3134 break;
3135
3136 case DLT_PPP:
3137 case DLT_PPP_PPPD:
3138 case DLT_PPP_SERIAL:
3139 case DLT_PPP_ETHER:
3140 /*
3141 * We use Ethernet protocol types inside libpcap;
3142 * map them to the corresponding PPP protocol types.
3143 */
3144 proto = ethertype_to_ppptype(proto);
3145 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3146 /*NOTREACHED*/
3147 break;
3148
3149 case DLT_PPP_BSDOS:
3150 /*
3151 * We use Ethernet protocol types inside libpcap;
3152 * map them to the corresponding PPP protocol types.
3153 */
3154 switch (proto) {
3155
3156 case ETHERTYPE_IP:
3157 /*
3158 * Also check for Van Jacobson-compressed IP.
3159 * XXX - do this for other forms of PPP?
3160 */
3161 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3162 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3163 gen_or(b0, b1);
3164 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3165 gen_or(b1, b0);
3166 return b0;
3167
3168 default:
3169 proto = ethertype_to_ppptype(proto);
3170 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3171 (bpf_int32)proto);
3172 }
3173 /*NOTREACHED*/
3174 break;
3175
3176 case DLT_NULL:
3177 case DLT_LOOP:
3178 case DLT_ENC:
3179 /*
3180 * For DLT_NULL, the link-layer header is a 32-bit
3181 * word containing an AF_ value in *host* byte order,
3182 * and for DLT_ENC, the link-layer header begins
3183 * with a 32-bit work containing an AF_ value in
3184 * host byte order.
3185 *
3186 * In addition, if we're reading a saved capture file,
3187 * the host byte order in the capture may not be the
3188 * same as the host byte order on this machine.
3189 *
3190 * For DLT_LOOP, the link-layer header is a 32-bit
3191 * word containing an AF_ value in *network* byte order.
3192 *
3193 * XXX - AF_ values may, unfortunately, be platform-
3194 * dependent; for example, FreeBSD's AF_INET6 is 24
3195 * whilst NetBSD's and OpenBSD's is 26.
3196 *
3197 * This means that, when reading a capture file, just
3198 * checking for our AF_INET6 value won't work if the
3199 * capture file came from another OS.
3200 */
3201 switch (proto) {
3202
3203 case ETHERTYPE_IP:
3204 proto = AF_INET;
3205 break;
3206
3207 #ifdef INET6
3208 case ETHERTYPE_IPV6:
3209 proto = AF_INET6;
3210 break;
3211 #endif
3212
3213 default:
3214 /*
3215 * Not a type on which we support filtering.
3216 * XXX - support those that have AF_ values
3217 * #defined on this platform, at least?
3218 */
3219 return gen_false();
3220 }
3221
3222 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3223 /*
3224 * The AF_ value is in host byte order, but
3225 * the BPF interpreter will convert it to
3226 * network byte order.
3227 *
3228 * If this is a save file, and it's from a
3229 * machine with the opposite byte order to
3230 * ours, we byte-swap the AF_ value.
3231 *
3232 * Then we run it through "htonl()", and
3233 * generate code to compare against the result.
3234 */
3235 if (bpf_pcap->sf.rfile != NULL &&
3236 bpf_pcap->sf.swapped)
3237 proto = SWAPLONG(proto);
3238 proto = htonl(proto);
3239 }
3240 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3241
3242 #ifdef HAVE_NET_PFVAR_H
3243 case DLT_PFLOG:
3244 /*
3245 * af field is host byte order in contrast to the rest of
3246 * the packet.
3247 */
3248 if (proto == ETHERTYPE_IP)
3249 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3250 BPF_B, (bpf_int32)AF_INET));
3251 #ifdef INET6
3252 else if (proto == ETHERTYPE_IPV6)
3253 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3254 BPF_B, (bpf_int32)AF_INET6));
3255 #endif /* INET6 */
3256 else
3257 return gen_false();
3258 /*NOTREACHED*/
3259 break;
3260 #endif /* HAVE_NET_PFVAR_H */
3261
3262 case DLT_ARCNET:
3263 case DLT_ARCNET_LINUX:
3264 /*
3265 * XXX should we check for first fragment if the protocol
3266 * uses PHDS?
3267 */
3268 switch (proto) {
3269
3270 default:
3271 return gen_false();
3272
3273 #ifdef INET6
3274 case ETHERTYPE_IPV6:
3275 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3276 (bpf_int32)ARCTYPE_INET6));
3277 #endif /* INET6 */
3278
3279 case ETHERTYPE_IP:
3280 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3281 (bpf_int32)ARCTYPE_IP);
3282 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3283 (bpf_int32)ARCTYPE_IP_OLD);
3284 gen_or(b0, b1);
3285 return (b1);
3286
3287 case ETHERTYPE_ARP:
3288 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3289 (bpf_int32)ARCTYPE_ARP);
3290 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3291 (bpf_int32)ARCTYPE_ARP_OLD);
3292 gen_or(b0, b1);
3293 return (b1);
3294
3295 case ETHERTYPE_REVARP:
3296 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3297 (bpf_int32)ARCTYPE_REVARP));
3298
3299 case ETHERTYPE_ATALK:
3300 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3301 (bpf_int32)ARCTYPE_ATALK));
3302 }
3303 /*NOTREACHED*/
3304 break;
3305
3306 case DLT_LTALK:
3307 switch (proto) {
3308 case ETHERTYPE_ATALK:
3309 return gen_true();
3310 default:
3311 return gen_false();
3312 }
3313 /*NOTREACHED*/
3314 break;
3315
3316 case DLT_FRELAY:
3317 /*
3318 * XXX - assumes a 2-byte Frame Relay header with
3319 * DLCI and flags. What if the address is longer?
3320 */
3321 switch (proto) {
3322
3323 case ETHERTYPE_IP:
3324 /*
3325 * Check for the special NLPID for IP.
3326 */
3327 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3328
3329 #ifdef INET6
3330 case ETHERTYPE_IPV6:
3331 /*
3332 * Check for the special NLPID for IPv6.
3333 */
3334 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3335 #endif
3336
3337 case LLCSAP_ISONS:
3338 /*
3339 * Check for several OSI protocols.
3340 *
3341 * Frame Relay packets typically have an OSI
3342 * NLPID at the beginning; we check for each
3343 * of them.
3344 *
3345 * What we check for is the NLPID and a frame
3346 * control field of UI, i.e. 0x03 followed
3347 * by the NLPID.
3348 */
3349 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3350 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3351 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3352 gen_or(b1, b2);
3353 gen_or(b0, b2);
3354 return b2;
3355
3356 default:
3357 return gen_false();
3358 }
3359 /*NOTREACHED*/
3360 break;
3361
3362 case DLT_MFR:
3363 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3364
3365 case DLT_JUNIPER_MFR:
3366 case DLT_JUNIPER_MLFR:
3367 case DLT_JUNIPER_MLPPP:
3368 case DLT_JUNIPER_ATM1:
3369 case DLT_JUNIPER_ATM2:
3370 case DLT_JUNIPER_PPPOE:
3371 case DLT_JUNIPER_PPPOE_ATM:
3372 case DLT_JUNIPER_GGSN:
3373 case DLT_JUNIPER_ES:
3374 case DLT_JUNIPER_MONITOR:
3375 case DLT_JUNIPER_SERVICES:
3376 case DLT_JUNIPER_ETHER:
3377 case DLT_JUNIPER_PPP:
3378 case DLT_JUNIPER_FRELAY:
3379 case DLT_JUNIPER_CHDLC:
3380 case DLT_JUNIPER_VP:
3381 case DLT_JUNIPER_ST:
3382 case DLT_JUNIPER_ISM:
3383 /* just lets verify the magic number for now -
3384 * on ATM we may have up to 6 different encapsulations on the wire
3385 * and need a lot of heuristics to figure out that the payload
3386 * might be;
3387 *
3388 * FIXME encapsulation specific BPF_ filters
3389 */
3390 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3391
3392 case DLT_LINUX_IRDA:
3393 bpf_error("IrDA link-layer type filtering not implemented");
3394
3395 case DLT_DOCSIS:
3396 bpf_error("DOCSIS link-layer type filtering not implemented");
3397
3398 case DLT_MTP2:
3399 case DLT_MTP2_WITH_PHDR:
3400 bpf_error("MTP2 link-layer type filtering not implemented");
3401
3402 case DLT_ERF:
3403 bpf_error("ERF link-layer type filtering not implemented");
3404
3405 #ifdef DLT_PFSYNC
3406 case DLT_PFSYNC:
3407 bpf_error("PFSYNC link-layer type filtering not implemented");
3408 #endif
3409
3410 case DLT_LINUX_LAPD:
3411 bpf_error("LAPD link-layer type filtering not implemented");
3412
3413 case DLT_USB:
3414 case DLT_USB_LINUX:
3415 case DLT_USB_LINUX_MMAPPED:
3416 bpf_error("USB link-layer type filtering not implemented");
3417
3418 case DLT_BLUETOOTH_HCI_H4:
3419 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3420 bpf_error("Bluetooth link-layer type filtering not implemented");
3421
3422 case DLT_CAN20B:
3423 bpf_error("CAN20B link-layer type filtering not implemented");
3424
3425 case DLT_IEEE802_15_4:
3426 case DLT_IEEE802_15_4_LINUX:
3427 case DLT_IEEE802_15_4_NONASK_PHY:
3428 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3429
3430 case DLT_IEEE802_16_MAC_CPS_RADIO:
3431 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3432
3433 case DLT_SITA:
3434 bpf_error("SITA link-layer type filtering not implemented");
3435
3436 case DLT_RAIF1:
3437 bpf_error("RAIF1 link-layer type filtering not implemented");
3438
3439 case DLT_IPMB:
3440 bpf_error("IPMB link-layer type filtering not implemented");
3441
3442 case DLT_AX25_KISS:
3443 bpf_error("AX.25 link-layer type filtering not implemented");
3444 }
3445
3446 /*
3447 * All the types that have no encapsulation should either be
3448 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3449 * all packets are IP packets, or should be handled in some
3450 * special case, if none of them are (if some are and some
3451 * aren't, the lack of encapsulation is a problem, as we'd
3452 * have to find some other way of determining the packet type).
3453 *
3454 * Therefore, if "off_linktype" is -1, there's an error.
3455 */
3456 if (off_linktype == (u_int)-1)
3457 abort();
3458
3459 /*
3460 * Any type not handled above should always have an Ethernet
3461 * type at an offset of "off_linktype".
3462 */
3463 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3464 }
3465
3466 /*
3467 * Check for an LLC SNAP packet with a given organization code and
3468 * protocol type; we check the entire contents of the 802.2 LLC and
3469 * snap headers, checking for DSAP and SSAP of SNAP and a control
3470 * field of 0x03 in the LLC header, and for the specified organization
3471 * code and protocol type in the SNAP header.
3472 */
3473 static struct block *
3474 gen_snap(orgcode, ptype)
3475 bpf_u_int32 orgcode;
3476 bpf_u_int32 ptype;
3477 {
3478 u_char snapblock[8];
3479
3480 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3481 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3482 snapblock[2] = 0x03; /* control = UI */
3483 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3484 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3485 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3486 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3487 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3488 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3489 }
3490
3491 /*
3492 * Generate code to match a particular packet type, for link-layer types
3493 * using 802.2 LLC headers.
3494 *
3495 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3496 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3497 *
3498 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3499 * value, if <= ETHERMTU. We use that to determine whether to
3500 * match the DSAP or both DSAP and LSAP or to check the OUI and
3501 * protocol ID in a SNAP header.
3502 */
3503 static struct block *
3504 gen_llc_linktype(proto)
3505 int proto;
3506 {
3507 /*
3508 * XXX - handle token-ring variable-length header.
3509 */
3510 switch (proto) {
3511
3512 case LLCSAP_IP:
3513 case LLCSAP_ISONS:
3514 case LLCSAP_NETBEUI:
3515 /*
3516 * XXX - should we check both the DSAP and the
3517 * SSAP, like this, or should we check just the
3518 * DSAP, as we do for other types <= ETHERMTU
3519 * (i.e., other SAP values)?
3520 */
3521 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3522 ((proto << 8) | proto));
3523
3524 case LLCSAP_IPX:
3525 /*
3526 * XXX - are there ever SNAP frames for IPX on
3527 * non-Ethernet 802.x networks?
3528 */
3529 return gen_cmp(OR_MACPL, 0, BPF_B,
3530 (bpf_int32)LLCSAP_IPX);
3531
3532 case ETHERTYPE_ATALK:
3533 /*
3534 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3535 * SNAP packets with an organization code of
3536 * 0x080007 (Apple, for Appletalk) and a protocol
3537 * type of ETHERTYPE_ATALK (Appletalk).
3538 *
3539 * XXX - check for an organization code of
3540 * encapsulated Ethernet as well?
3541 */
3542 return gen_snap(0x080007, ETHERTYPE_ATALK);
3543
3544 default:
3545 /*
3546 * XXX - we don't have to check for IPX 802.3
3547 * here, but should we check for the IPX Ethertype?
3548 */
3549 if (proto <= ETHERMTU) {
3550 /*
3551 * This is an LLC SAP value, so check
3552 * the DSAP.
3553 */
3554 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3555 } else {
3556 /*
3557 * This is an Ethernet type; we assume that it's
3558 * unlikely that it'll appear in the right place
3559 * at random, and therefore check only the
3560 * location that would hold the Ethernet type
3561 * in a SNAP frame with an organization code of
3562 * 0x000000 (encapsulated Ethernet).
3563 *
3564 * XXX - if we were to check for the SNAP DSAP and
3565 * LSAP, as per XXX, and were also to check for an
3566 * organization code of 0x000000 (encapsulated
3567 * Ethernet), we'd do
3568 *
3569 * return gen_snap(0x000000, proto);
3570 *
3571 * here; for now, we don't, as per the above.
3572 * I don't know whether it's worth the extra CPU
3573 * time to do the right check or not.
3574 */
3575 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3576 }
3577 }
3578 }
3579
3580 static struct block *
3581 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3582 bpf_u_int32 addr;
3583 bpf_u_int32 mask;
3584 int dir, proto;
3585 u_int src_off, dst_off;
3586 {
3587 struct block *b0, *b1;
3588 u_int offset;
3589
3590 switch (dir) {
3591
3592 case Q_SRC:
3593 offset = src_off;
3594 break;
3595
3596 case Q_DST:
3597 offset = dst_off;
3598 break;
3599
3600 case Q_AND:
3601 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3602 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3603 gen_and(b0, b1);
3604 return b1;
3605
3606 case Q_OR:
3607 case Q_DEFAULT:
3608 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3609 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3610 gen_or(b0, b1);
3611 return b1;
3612
3613 default:
3614 abort();
3615 }
3616 b0 = gen_linktype(proto);
3617 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3618 gen_and(b0, b1);
3619 return b1;
3620 }
3621
3622 #ifdef INET6
3623 static struct block *
3624 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3625 struct in6_addr *addr;
3626 struct in6_addr *mask;
3627 int dir, proto;
3628 u_int src_off, dst_off;
3629 {
3630 struct block *b0, *b1;
3631 u_int offset;
3632 u_int32_t *a, *m;
3633
3634 switch (dir) {
3635
3636 case Q_SRC:
3637 offset = src_off;
3638 break;
3639
3640 case Q_DST:
3641 offset = dst_off;
3642 break;
3643
3644 case Q_AND:
3645 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3646 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3647 gen_and(b0, b1);
3648 return b1;
3649
3650 case Q_OR:
3651 case Q_DEFAULT:
3652 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3653 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3654 gen_or(b0, b1);
3655 return b1;
3656
3657 default:
3658 abort();
3659 }
3660 /* this order is important */
3661 a = (u_int32_t *)addr;
3662 m = (u_int32_t *)mask;
3663 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3664 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3665 gen_and(b0, b1);
3666 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3667 gen_and(b0, b1);
3668 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3669 gen_and(b0, b1);
3670 b0 = gen_linktype(proto);
3671 gen_and(b0, b1);
3672 return b1;
3673 }
3674 #endif /*INET6*/
3675
3676 static struct block *
3677 gen_ehostop(eaddr, dir)
3678 register const u_char *eaddr;
3679 register int dir;
3680 {
3681 register struct block *b0, *b1;
3682
3683 switch (dir) {
3684 case Q_SRC:
3685 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3686
3687 case Q_DST:
3688 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3689
3690 case Q_AND:
3691 b0 = gen_ehostop(eaddr, Q_SRC);
3692 b1 = gen_ehostop(eaddr, Q_DST);
3693 gen_and(b0, b1);
3694 return b1;
3695
3696 case Q_DEFAULT:
3697 case Q_OR:
3698 b0 = gen_ehostop(eaddr, Q_SRC);
3699 b1 = gen_ehostop(eaddr, Q_DST);
3700 gen_or(b0, b1);
3701 return b1;
3702 }
3703 abort();
3704 /* NOTREACHED */
3705 }
3706
3707 /*
3708 * Like gen_ehostop, but for DLT_FDDI
3709 */
3710 static struct block *
3711 gen_fhostop(eaddr, dir)
3712 register const u_char *eaddr;
3713 register int dir;
3714 {
3715 struct block *b0, *b1;
3716
3717 switch (dir) {
3718 case Q_SRC:
3719 #ifdef PCAP_FDDIPAD
3720 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3721 #else
3722 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3723 #endif
3724
3725 case Q_DST:
3726 #ifdef PCAP_FDDIPAD
3727 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3728 #else
3729 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3730 #endif
3731
3732 case Q_AND:
3733 b0 = gen_fhostop(eaddr, Q_SRC);
3734 b1 = gen_fhostop(eaddr, Q_DST);
3735 gen_and(b0, b1);
3736 return b1;
3737
3738 case Q_DEFAULT:
3739 case Q_OR:
3740 b0 = gen_fhostop(eaddr, Q_SRC);
3741 b1 = gen_fhostop(eaddr, Q_DST);
3742 gen_or(b0, b1);
3743 return b1;
3744 }
3745 abort();
3746 /* NOTREACHED */
3747 }
3748
3749 /*
3750 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3751 */
3752 static struct block *
3753 gen_thostop(eaddr, dir)
3754 register const u_char *eaddr;
3755 register int dir;
3756 {
3757 register struct block *b0, *b1;
3758
3759 switch (dir) {
3760 case Q_SRC:
3761 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3762
3763 case Q_DST:
3764 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3765
3766 case Q_AND:
3767 b0 = gen_thostop(eaddr, Q_SRC);
3768 b1 = gen_thostop(eaddr, Q_DST);
3769 gen_and(b0, b1);
3770 return b1;
3771
3772 case Q_DEFAULT:
3773 case Q_OR:
3774 b0 = gen_thostop(eaddr, Q_SRC);
3775 b1 = gen_thostop(eaddr, Q_DST);
3776 gen_or(b0, b1);
3777 return b1;
3778 }
3779 abort();
3780 /* NOTREACHED */
3781 }
3782
3783 /*
3784 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3785 * various 802.11 + radio headers.
3786 */
3787 static struct block *
3788 gen_wlanhostop(eaddr, dir)
3789 register const u_char *eaddr;
3790 register int dir;
3791 {
3792 register struct block *b0, *b1, *b2;
3793 register struct slist *s;
3794
3795 #ifdef ENABLE_WLAN_FILTERING_PATCH
3796 /*
3797 * TODO GV 20070613
3798 * We need to disable the optimizer because the optimizer is buggy
3799 * and wipes out some LD instructions generated by the below
3800 * code to validate the Frame Control bits
3801 */
3802 no_optimize = 1;
3803 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3804
3805 switch (dir) {
3806 case Q_SRC:
3807 /*
3808 * Oh, yuk.
3809 *
3810 * For control frames, there is no SA.
3811 *
3812 * For management frames, SA is at an
3813 * offset of 10 from the beginning of
3814 * the packet.
3815 *
3816 * For data frames, SA is at an offset
3817 * of 10 from the beginning of the packet
3818 * if From DS is clear, at an offset of
3819 * 16 from the beginning of the packet
3820 * if From DS is set and To DS is clear,
3821 * and an offset of 24 from the beginning
3822 * of the packet if From DS is set and To DS
3823 * is set.
3824 */
3825
3826 /*
3827 * Generate the tests to be done for data frames
3828 * with From DS set.
3829 *
3830 * First, check for To DS set, i.e. check "link[1] & 0x01".
3831 */
3832 s = gen_load_a(OR_LINK, 1, BPF_B);
3833 b1 = new_block(JMP(BPF_JSET));
3834 b1->s.k = 0x01; /* To DS */
3835 b1->stmts = s;
3836
3837 /*
3838 * If To DS is set, the SA is at 24.
3839 */
3840 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3841 gen_and(b1, b0);
3842
3843 /*
3844 * Now, check for To DS not set, i.e. check
3845 * "!(link[1] & 0x01)".
3846 */
3847 s = gen_load_a(OR_LINK, 1, BPF_B);
3848 b2 = new_block(JMP(BPF_JSET));
3849 b2->s.k = 0x01; /* To DS */
3850 b2->stmts = s;
3851 gen_not(b2);
3852
3853 /*
3854 * If To DS is not set, the SA is at 16.
3855 */
3856 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3857 gen_and(b2, b1);
3858
3859 /*
3860 * Now OR together the last two checks. That gives
3861 * the complete set of checks for data frames with
3862 * From DS set.
3863 */
3864 gen_or(b1, b0);
3865
3866 /*
3867 * Now check for From DS being set, and AND that with
3868 * the ORed-together checks.
3869 */
3870 s = gen_load_a(OR_LINK, 1, BPF_B);
3871 b1 = new_block(JMP(BPF_JSET));
3872 b1->s.k = 0x02; /* From DS */
3873 b1->stmts = s;
3874 gen_and(b1, b0);
3875
3876 /*
3877 * Now check for data frames with From DS not set.
3878 */
3879 s = gen_load_a(OR_LINK, 1, BPF_B);
3880 b2 = new_block(JMP(BPF_JSET));
3881 b2->s.k = 0x02; /* From DS */
3882 b2->stmts = s;
3883 gen_not(b2);
3884
3885 /*
3886 * If From DS isn't set, the SA is at 10.
3887 */
3888 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3889 gen_and(b2, b1);
3890
3891 /*
3892 * Now OR together the checks for data frames with
3893 * From DS not set and for data frames with From DS
3894 * set; that gives the checks done for data frames.
3895 */
3896 gen_or(b1, b0);
3897
3898 /*
3899 * Now check for a data frame.
3900 * I.e, check "link[0] & 0x08".
3901 */
3902 s = gen_load_a(OR_LINK, 0, BPF_B);
3903 b1 = new_block(JMP(BPF_JSET));
3904 b1->s.k = 0x08;
3905 b1->stmts = s;
3906
3907 /*
3908 * AND that with the checks done for data frames.
3909 */
3910 gen_and(b1, b0);
3911
3912 /*
3913 * If the high-order bit of the type value is 0, this
3914 * is a management frame.
3915 * I.e, check "!(link[0] & 0x08)".
3916 */
3917 s = gen_load_a(OR_LINK, 0, BPF_B);
3918 b2 = new_block(JMP(BPF_JSET));
3919 b2->s.k = 0x08;
3920 b2->stmts = s;
3921 gen_not(b2);
3922
3923 /*
3924 * For management frames, the SA is at 10.
3925 */
3926 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3927 gen_and(b2, b1);
3928
3929 /*
3930 * OR that with the checks done for data frames.
3931 * That gives the checks done for management and
3932 * data frames.
3933 */
3934 gen_or(b1, b0);
3935
3936 /*
3937 * If the low-order bit of the type value is 1,
3938 * this is either a control frame or a frame
3939 * with a reserved type, and thus not a
3940 * frame with an SA.
3941 *
3942 * I.e., check "!(link[0] & 0x04)".
3943 */
3944 s = gen_load_a(OR_LINK, 0, BPF_B);
3945 b1 = new_block(JMP(BPF_JSET));
3946 b1->s.k = 0x04;
3947 b1->stmts = s;
3948 gen_not(b1);
3949
3950 /*
3951 * AND that with the checks for data and management
3952 * frames.
3953 */
3954 gen_and(b1, b0);
3955 return b0;
3956
3957 case Q_DST:
3958 /*
3959 * Oh, yuk.
3960 *
3961 * For control frames, there is no DA.
3962 *
3963 * For management frames, DA is at an
3964 * offset of 4 from the beginning of
3965 * the packet.
3966 *
3967 * For data frames, DA is at an offset
3968 * of 4 from the beginning of the packet
3969 * if To DS is clear and at an offset of
3970 * 16 from the beginning of the packet
3971 * if To DS is set.
3972 */
3973
3974 /*
3975 * Generate the tests to be done for data frames.
3976 *
3977 * First, check for To DS set, i.e. "link[1] & 0x01".
3978 */
3979 s = gen_load_a(OR_LINK, 1, BPF_B);
3980 b1 = new_block(JMP(BPF_JSET));
3981 b1->s.k = 0x01; /* To DS */
3982 b1->stmts = s;
3983
3984 /*
3985 * If To DS is set, the DA is at 16.
3986 */
3987 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3988 gen_and(b1, b0);
3989
3990 /*
3991 * Now, check for To DS not set, i.e. check
3992 * "!(link[1] & 0x01)".
3993 */
3994 s = gen_load_a(OR_LINK, 1, BPF_B);
3995 b2 = new_block(JMP(BPF_JSET));
3996 b2->s.k = 0x01; /* To DS */
3997 b2->stmts = s;
3998 gen_not(b2);
3999
4000 /*
4001 * If To DS is not set, the DA is at 4.
4002 */
4003 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4004 gen_and(b2, b1);
4005
4006 /*
4007 * Now OR together the last two checks. That gives
4008 * the complete set of checks for data frames.
4009 */
4010 gen_or(b1, b0);
4011
4012 /*
4013 * Now check for a data frame.
4014 * I.e, check "link[0] & 0x08".
4015 */
4016 s = gen_load_a(OR_LINK, 0, BPF_B);
4017 b1 = new_block(JMP(BPF_JSET));
4018 b1->s.k = 0x08;
4019 b1->stmts = s;
4020
4021 /*
4022 * AND that with the checks done for data frames.
4023 */
4024 gen_and(b1, b0);
4025
4026 /*
4027 * If the high-order bit of the type value is 0, this
4028 * is a management frame.
4029 * I.e, check "!(link[0] & 0x08)".
4030 */
4031 s = gen_load_a(OR_LINK, 0, BPF_B);
4032 b2 = new_block(JMP(BPF_JSET));
4033 b2->s.k = 0x08;
4034 b2->stmts = s;
4035 gen_not(b2);
4036
4037 /*
4038 * For management frames, the DA is at 4.
4039 */
4040 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4041 gen_and(b2, b1);
4042
4043 /*
4044 * OR that with the checks done for data frames.
4045 * That gives the checks done for management and
4046 * data frames.
4047 */
4048 gen_or(b1, b0);
4049
4050 /*
4051 * If the low-order bit of the type value is 1,
4052 * this is either a control frame or a frame
4053 * with a reserved type, and thus not a
4054 * frame with an SA.
4055 *
4056 * I.e., check "!(link[0] & 0x04)".
4057 */
4058 s = gen_load_a(OR_LINK, 0, BPF_B);
4059 b1 = new_block(JMP(BPF_JSET));
4060 b1->s.k = 0x04;
4061 b1->stmts = s;
4062 gen_not(b1);
4063
4064 /*
4065 * AND that with the checks for data and management
4066 * frames.
4067 */
4068 gen_and(b1, b0);
4069 return b0;
4070
4071 /*
4072 * XXX - add RA, TA, and BSSID keywords?
4073 */
4074 case Q_ADDR1:
4075 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4076
4077 case Q_ADDR2:
4078 /*
4079 * Not present in CTS or ACK control frames.
4080 */
4081 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4082 IEEE80211_FC0_TYPE_MASK);
4083 gen_not(b0);
4084 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4085 IEEE80211_FC0_SUBTYPE_MASK);
4086 gen_not(b1);
4087 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4088 IEEE80211_FC0_SUBTYPE_MASK);
4089 gen_not(b2);
4090 gen_and(b1, b2);
4091 gen_or(b0, b2);
4092 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4093 gen_and(b2, b1);
4094 return b1;
4095
4096 case Q_ADDR3:
4097 /*
4098 * Not present in control frames.
4099 */
4100 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4101 IEEE80211_FC0_TYPE_MASK);
4102 gen_not(b0);
4103 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4104 gen_and(b0, b1);
4105 return b1;
4106
4107 case Q_ADDR4:
4108 /*
4109 * Present only if the direction mask has both "From DS"
4110 * and "To DS" set. Neither control frames nor management
4111 * frames should have both of those set, so we don't
4112 * check the frame type.
4113 */
4114 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4115 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4116 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4117 gen_and(b0, b1);
4118 return b1;
4119
4120 case Q_AND:
4121 b0 = gen_wlanhostop(eaddr, Q_SRC);
4122 b1 = gen_wlanhostop(eaddr, Q_DST);
4123 gen_and(b0, b1);
4124 return b1;
4125
4126 case Q_DEFAULT:
4127 case Q_OR:
4128 b0 = gen_wlanhostop(eaddr, Q_SRC);
4129 b1 = gen_wlanhostop(eaddr, Q_DST);
4130 gen_or(b0, b1);
4131 return b1;
4132 }
4133 abort();
4134 /* NOTREACHED */
4135 }
4136
4137 /*
4138 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4139 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4140 * as the RFC states.)
4141 */
4142 static struct block *
4143 gen_ipfchostop(eaddr, dir)
4144 register const u_char *eaddr;
4145 register int dir;
4146 {
4147 register struct block *b0, *b1;
4148
4149 switch (dir) {
4150 case Q_SRC:
4151 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4152
4153 case Q_DST:
4154 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4155
4156 case Q_AND:
4157 b0 = gen_ipfchostop(eaddr, Q_SRC);
4158 b1 = gen_ipfchostop(eaddr, Q_DST);
4159 gen_and(b0, b1);
4160 return b1;
4161
4162 case Q_DEFAULT:
4163 case Q_OR:
4164 b0 = gen_ipfchostop(eaddr, Q_SRC);
4165 b1 = gen_ipfchostop(eaddr, Q_DST);
4166 gen_or(b0, b1);
4167 return b1;
4168 }
4169 abort();
4170 /* NOTREACHED */
4171 }
4172
4173 /*
4174 * This is quite tricky because there may be pad bytes in front of the
4175 * DECNET header, and then there are two possible data packet formats that
4176 * carry both src and dst addresses, plus 5 packet types in a format that
4177 * carries only the src node, plus 2 types that use a different format and
4178 * also carry just the src node.
4179 *
4180 * Yuck.
4181 *
4182 * Instead of doing those all right, we just look for data packets with
4183 * 0 or 1 bytes of padding. If you want to look at other packets, that
4184 * will require a lot more hacking.
4185 *
4186 * To add support for filtering on DECNET "areas" (network numbers)
4187 * one would want to add a "mask" argument to this routine. That would
4188 * make the filter even more inefficient, although one could be clever
4189 * and not generate masking instructions if the mask is 0xFFFF.
4190 */
4191 static struct block *
4192 gen_dnhostop(addr, dir)
4193 bpf_u_int32 addr;
4194 int dir;
4195 {
4196 struct block *b0, *b1, *b2, *tmp;
4197 u_int offset_lh; /* offset if long header is received */
4198 u_int offset_sh; /* offset if short header is received */
4199
4200 switch (dir) {
4201
4202 case Q_DST:
4203 offset_sh = 1; /* follows flags */
4204 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4205 break;
4206
4207 case Q_SRC:
4208 offset_sh = 3; /* follows flags, dstnode */
4209 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4210 break;
4211
4212 case Q_AND:
4213 /* Inefficient because we do our Calvinball dance twice */
4214 b0 = gen_dnhostop(addr, Q_SRC);
4215 b1 = gen_dnhostop(addr, Q_DST);
4216 gen_and(b0, b1);
4217 return b1;
4218
4219 case Q_OR:
4220 case Q_DEFAULT:
4221 /* Inefficient because we do our Calvinball dance twice */
4222 b0 = gen_dnhostop(addr, Q_SRC);
4223 b1 = gen_dnhostop(addr, Q_DST);
4224 gen_or(b0, b1);
4225 return b1;
4226
4227 case Q_ISO:
4228 bpf_error("ISO host filtering not implemented");
4229
4230 default:
4231 abort();
4232 }
4233 b0 = gen_linktype(ETHERTYPE_DN);
4234 /* Check for pad = 1, long header case */
4235 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4236 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4237 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4238 BPF_H, (bpf_int32)ntohs((u_short)addr));
4239 gen_and(tmp, b1);
4240 /* Check for pad = 0, long header case */
4241 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4242 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4243 gen_and(tmp, b2);
4244 gen_or(b2, b1);
4245 /* Check for pad = 1, short header case */
4246 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4247 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4248 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4249 gen_and(tmp, b2);
4250 gen_or(b2, b1);
4251 /* Check for pad = 0, short header case */
4252 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4253 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4254 gen_and(tmp, b2);
4255 gen_or(b2, b1);
4256
4257 /* Combine with test for linktype */
4258 gen_and(b0, b1);
4259 return b1;
4260 }
4261
4262 /*
4263 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4264 * test the bottom-of-stack bit, and then check the version number
4265 * field in the IP header.
4266 */
4267 static struct block *
4268 gen_mpls_linktype(proto)
4269 int proto;
4270 {
4271 struct block *b0, *b1;
4272
4273 switch (proto) {
4274
4275 case Q_IP:
4276 /* match the bottom-of-stack bit */
4277 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4278 /* match the IPv4 version number */
4279 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4280 gen_and(b0, b1);
4281 return b1;
4282
4283 case Q_IPV6:
4284 /* match the bottom-of-stack bit */
4285 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4286 /* match the IPv4 version number */
4287 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4288 gen_and(b0, b1);
4289 return b1;
4290
4291 default:
4292 abort();
4293 }
4294 }
4295
4296 static struct block *
4297 gen_host(addr, mask, proto, dir, type)
4298 bpf_u_int32 addr;
4299 bpf_u_int32 mask;
4300 int proto;
4301 int dir;
4302 int type;
4303 {
4304 struct block *b0, *b1;
4305 const char *typestr;
4306
4307 if (type == Q_NET)
4308 typestr = "net";
4309 else
4310 typestr = "host";
4311
4312 switch (proto) {
4313
4314 case Q_DEFAULT:
4315 b0 = gen_host(addr, mask, Q_IP, dir, type);
4316 /*
4317 * Only check for non-IPv4 addresses if we're not
4318 * checking MPLS-encapsulated packets.
4319 */
4320 if (label_stack_depth == 0) {
4321 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4322 gen_or(b0, b1);
4323 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4324 gen_or(b1, b0);
4325 }
4326 return b0;
4327
4328 case Q_IP:
4329 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4330
4331 case Q_RARP:
4332 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4333
4334 case Q_ARP:
4335 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4336
4337 case Q_TCP:
4338 bpf_error("'tcp' modifier applied to %s", typestr);
4339
4340 case Q_SCTP:
4341 bpf_error("'sctp' modifier applied to %s", typestr);
4342
4343 case Q_UDP:
4344 bpf_error("'udp' modifier applied to %s", typestr);
4345
4346 case Q_ICMP:
4347 bpf_error("'icmp' modifier applied to %s", typestr);
4348
4349 case Q_IGMP:
4350 bpf_error("'igmp' modifier applied to %s", typestr);
4351
4352 case Q_IGRP:
4353 bpf_error("'igrp' modifier applied to %s", typestr);
4354
4355 case Q_PIM:
4356 bpf_error("'pim' modifier applied to %s", typestr);
4357
4358 case Q_VRRP:
4359 bpf_error("'vrrp' modifier applied to %s", typestr);
4360
4361 case Q_ATALK:
4362 bpf_error("ATALK host filtering not implemented");
4363
4364 case Q_AARP:
4365 bpf_error("AARP host filtering not implemented");
4366
4367 case Q_DECNET:
4368 return gen_dnhostop(addr, dir);
4369
4370 case Q_SCA:
4371 bpf_error("SCA host filtering not implemented");
4372
4373 case Q_LAT:
4374 bpf_error("LAT host filtering not implemented");
4375
4376 case Q_MOPDL:
4377 bpf_error("MOPDL host filtering not implemented");
4378
4379 case Q_MOPRC:
4380 bpf_error("MOPRC host filtering not implemented");
4381
4382 #ifdef INET6
4383 case Q_IPV6:
4384 bpf_error("'ip6' modifier applied to ip host");
4385
4386 case Q_ICMPV6:
4387 bpf_error("'icmp6' modifier applied to %s", typestr);
4388 #endif /* INET6 */
4389
4390 case Q_AH:
4391 bpf_error("'ah' modifier applied to %s", typestr);
4392
4393 case Q_ESP:
4394 bpf_error("'esp' modifier applied to %s", typestr);
4395
4396 case Q_ISO:
4397 bpf_error("ISO host filtering not implemented");
4398
4399 case Q_ESIS:
4400 bpf_error("'esis' modifier applied to %s", typestr);
4401
4402 case Q_ISIS:
4403 bpf_error("'isis' modifier applied to %s", typestr);
4404
4405 case Q_CLNP:
4406 bpf_error("'clnp' modifier applied to %s", typestr);
4407
4408 case Q_STP:
4409 bpf_error("'stp' modifier applied to %s", typestr);
4410
4411 case Q_IPX:
4412 bpf_error("IPX host filtering not implemented");
4413
4414 case Q_NETBEUI:
4415 bpf_error("'netbeui' modifier applied to %s", typestr);
4416
4417 case Q_RADIO:
4418 bpf_error("'radio' modifier applied to %s", typestr);
4419
4420 default:
4421 abort();
4422 }
4423 /* NOTREACHED */
4424 }
4425
4426 #ifdef INET6
4427 static struct block *
4428 gen_host6(addr, mask, proto, dir, type)
4429 struct in6_addr *addr;
4430 struct in6_addr *mask;
4431 int proto;
4432 int dir;
4433 int type;
4434 {
4435 const char *typestr;
4436
4437 if (type == Q_NET)
4438 typestr = "net";
4439 else
4440 typestr = "host";
4441
4442 switch (proto) {
4443
4444 case Q_DEFAULT:
4445 return gen_host6(addr, mask, Q_IPV6, dir, type);
4446
4447 case Q_IP:
4448 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4449
4450 case Q_RARP:
4451 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4452
4453 case Q_ARP:
4454 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4455
4456 case Q_SCTP:
4457 bpf_error("'sctp' modifier applied to %s", typestr);
4458
4459 case Q_TCP:
4460 bpf_error("'tcp' modifier applied to %s", typestr);
4461
4462 case Q_UDP:
4463 bpf_error("'udp' modifier applied to %s", typestr);
4464
4465 case Q_ICMP:
4466 bpf_error("'icmp' modifier applied to %s", typestr);
4467
4468 case Q_IGMP:
4469 bpf_error("'igmp' modifier applied to %s", typestr);
4470
4471 case Q_IGRP:
4472 bpf_error("'igrp' modifier applied to %s", typestr);
4473
4474 case Q_PIM:
4475 bpf_error("'pim' modifier applied to %s", typestr);
4476
4477 case Q_VRRP:
4478 bpf_error("'vrrp' modifier applied to %s", typestr);
4479
4480 case Q_ATALK:
4481 bpf_error("ATALK host filtering not implemented");
4482
4483 case Q_AARP:
4484 bpf_error("AARP host filtering not implemented");
4485
4486 case Q_DECNET:
4487 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4488
4489 case Q_SCA:
4490 bpf_error("SCA host filtering not implemented");
4491
4492 case Q_LAT:
4493 bpf_error("LAT host filtering not implemented");
4494
4495 case Q_MOPDL:
4496 bpf_error("MOPDL host filtering not implemented");
4497
4498 case Q_MOPRC:
4499 bpf_error("MOPRC host filtering not implemented");
4500
4501 case Q_IPV6:
4502 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4503
4504 case Q_ICMPV6:
4505 bpf_error("'icmp6' modifier applied to %s", typestr);
4506
4507 case Q_AH:
4508 bpf_error("'ah' modifier applied to %s", typestr);
4509
4510 case Q_ESP:
4511 bpf_error("'esp' modifier applied to %s", typestr);
4512
4513 case Q_ISO:
4514 bpf_error("ISO host filtering not implemented");
4515
4516 case Q_ESIS:
4517 bpf_error("'esis' modifier applied to %s", typestr);
4518
4519 case Q_ISIS:
4520 bpf_error("'isis' modifier applied to %s", typestr);
4521
4522 case Q_CLNP:
4523 bpf_error("'clnp' modifier applied to %s", typestr);
4524
4525 case Q_STP:
4526 bpf_error("'stp' modifier applied to %s", typestr);
4527
4528 case Q_IPX:
4529 bpf_error("IPX host filtering not implemented");
4530
4531 case Q_NETBEUI:
4532 bpf_error("'netbeui' modifier applied to %s", typestr);
4533
4534 case Q_RADIO:
4535 bpf_error("'radio' modifier applied to %s", typestr);
4536
4537 default:
4538 abort();
4539 }
4540 /* NOTREACHED */
4541 }
4542 #endif /*INET6*/
4543
4544 #ifndef INET6
4545 static struct block *
4546 gen_gateway(eaddr, alist, proto, dir)
4547 const u_char *eaddr;
4548 bpf_u_int32 **alist;
4549 int proto;
4550 int dir;
4551 {
4552 struct block *b0, *b1, *tmp;
4553
4554 if (dir != 0)
4555 bpf_error("direction applied to 'gateway'");
4556
4557 switch (proto) {
4558 case Q_DEFAULT:
4559 case Q_IP:
4560 case Q_ARP:
4561 case Q_RARP:
4562 switch (linktype) {
4563 case DLT_EN10MB:
4564 b0 = gen_ehostop(eaddr, Q_OR);
4565 break;
4566 case DLT_FDDI:
4567 b0 = gen_fhostop(eaddr, Q_OR);
4568 break;
4569 case DLT_IEEE802:
4570 b0 = gen_thostop(eaddr, Q_OR);
4571 break;
4572 case DLT_IEEE802_11:
4573 case DLT_PRISM_HEADER:
4574 case DLT_IEEE802_11_RADIO_AVS:
4575 case DLT_IEEE802_11_RADIO:
4576 case DLT_PPI:
4577 b0 = gen_wlanhostop(eaddr, Q_OR);
4578 break;
4579 case DLT_SUNATM:
4580 if (!is_lane)
4581 bpf_error(
4582 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4583 /*
4584 * Check that the packet doesn't begin with an
4585 * LE Control marker. (We've already generated
4586 * a test for LANE.)
4587 */
4588 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4589 BPF_H, 0xFF00);
4590 gen_not(b1);
4591
4592 /*
4593 * Now check the MAC address.
4594 */
4595 b0 = gen_ehostop(eaddr, Q_OR);
4596 gen_and(b1, b0);
4597 break;
4598 case DLT_IP_OVER_FC:
4599 b0 = gen_ipfchostop(eaddr, Q_OR);
4600 break;
4601 default:
4602 bpf_error(
4603 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4604 }
4605 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4606 while (*alist) {
4607 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4608 Q_HOST);
4609 gen_or(b1, tmp);
4610 b1 = tmp;
4611 }
4612 gen_not(b1);
4613 gen_and(b0, b1);
4614 return b1;
4615 }
4616 bpf_error("illegal modifier of 'gateway'");
4617 /* NOTREACHED */
4618 }
4619 #endif
4620
4621 struct block *
4622 gen_proto_abbrev(proto)
4623 int proto;
4624 {
4625 struct block *b0;
4626 struct block *b1;
4627
4628 switch (proto) {
4629
4630 case Q_SCTP:
4631 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4632 #ifdef INET6
4633 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4634 gen_or(b0, b1);
4635 #endif
4636 break;
4637
4638 case Q_TCP:
4639 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4640 #ifdef INET6
4641 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4642 gen_or(b0, b1);
4643 #endif
4644 break;
4645
4646 case Q_UDP:
4647 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4648 #ifdef INET6
4649 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4650 gen_or(b0, b1);
4651 #endif
4652 break;
4653
4654 case Q_ICMP:
4655 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4656 break;
4657
4658 #ifndef IPPROTO_IGMP
4659 #define IPPROTO_IGMP 2
4660 #endif
4661
4662 case Q_IGMP:
4663 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4664 break;
4665
4666 #ifndef IPPROTO_IGRP
4667 #define IPPROTO_IGRP 9
4668 #endif
4669 case Q_IGRP:
4670 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4671 break;
4672
4673 #ifndef IPPROTO_PIM
4674 #define IPPROTO_PIM 103
4675 #endif
4676
4677 case Q_PIM:
4678 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4679 #ifdef INET6
4680 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4681 gen_or(b0, b1);
4682 #endif
4683 break;
4684
4685 #ifndef IPPROTO_VRRP
4686 #define IPPROTO_VRRP 112
4687 #endif
4688
4689 case Q_VRRP:
4690 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4691 break;
4692
4693 case Q_IP:
4694 b1 = gen_linktype(ETHERTYPE_IP);
4695 break;
4696
4697 case Q_ARP:
4698 b1 = gen_linktype(ETHERTYPE_ARP);
4699 break;
4700
4701 case Q_RARP:
4702 b1 = gen_linktype(ETHERTYPE_REVARP);
4703 break;
4704
4705 case Q_LINK:
4706 bpf_error("link layer applied in wrong context");
4707
4708 case Q_ATALK:
4709 b1 = gen_linktype(ETHERTYPE_ATALK);
4710 break;
4711
4712 case Q_AARP:
4713 b1 = gen_linktype(ETHERTYPE_AARP);
4714 break;
4715
4716 case Q_DECNET:
4717 b1 = gen_linktype(ETHERTYPE_DN);
4718 break;
4719
4720 case Q_SCA:
4721 b1 = gen_linktype(ETHERTYPE_SCA);
4722 break;
4723
4724 case Q_LAT:
4725 b1 = gen_linktype(ETHERTYPE_LAT);
4726 break;
4727
4728 case Q_MOPDL:
4729 b1 = gen_linktype(ETHERTYPE_MOPDL);
4730 break;
4731
4732 case Q_MOPRC:
4733 b1 = gen_linktype(ETHERTYPE_MOPRC);
4734 break;
4735
4736 #ifdef INET6
4737 case Q_IPV6:
4738 b1 = gen_linktype(ETHERTYPE_IPV6);
4739 break;
4740
4741 #ifndef IPPROTO_ICMPV6
4742 #define IPPROTO_ICMPV6 58
4743 #endif
4744 case Q_ICMPV6:
4745 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4746 break;
4747 #endif /* INET6 */
4748
4749 #ifndef IPPROTO_AH
4750 #define IPPROTO_AH 51
4751 #endif
4752 case Q_AH:
4753 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4754 #ifdef INET6
4755 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4756 gen_or(b0, b1);
4757 #endif
4758 break;
4759
4760 #ifndef IPPROTO_ESP
4761 #define IPPROTO_ESP 50
4762 #endif
4763 case Q_ESP:
4764 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4765 #ifdef INET6
4766 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4767 gen_or(b0, b1);
4768 #endif
4769 break;
4770
4771 case Q_ISO:
4772 b1 = gen_linktype(LLCSAP_ISONS);
4773 break;
4774
4775 case Q_ESIS:
4776 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4777 break;
4778
4779 case Q_ISIS:
4780 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4781 break;
4782
4783 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4784 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4785 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4786 gen_or(b0, b1);
4787 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4788 gen_or(b0, b1);
4789 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4790 gen_or(b0, b1);
4791 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4792 gen_or(b0, b1);
4793 break;
4794
4795 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4796 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4797 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4798 gen_or(b0, b1);
4799 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4800 gen_or(b0, b1);
4801 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4802 gen_or(b0, b1);
4803 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4804 gen_or(b0, b1);
4805 break;
4806
4807 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4808 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4809 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4810 gen_or(b0, b1);
4811 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4812 gen_or(b0, b1);
4813 break;
4814
4815 case Q_ISIS_LSP:
4816 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4817 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4818 gen_or(b0, b1);
4819 break;
4820
4821 case Q_ISIS_SNP:
4822 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4823 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4824 gen_or(b0, b1);
4825 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4826 gen_or(b0, b1);
4827 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4828 gen_or(b0, b1);
4829 break;
4830
4831 case Q_ISIS_CSNP:
4832 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4833 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4834 gen_or(b0, b1);
4835 break;
4836
4837 case Q_ISIS_PSNP:
4838 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4839 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4840 gen_or(b0, b1);
4841 break;
4842
4843 case Q_CLNP:
4844 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4845 break;
4846
4847 case Q_STP:
4848 b1 = gen_linktype(LLCSAP_8021D);
4849 break;
4850
4851 case Q_IPX:
4852 b1 = gen_linktype(LLCSAP_IPX);
4853 break;
4854
4855 case Q_NETBEUI:
4856 b1 = gen_linktype(LLCSAP_NETBEUI);
4857 break;
4858
4859 case Q_RADIO:
4860 bpf_error("'radio' is not a valid protocol type");
4861
4862 default:
4863 abort();
4864 }
4865 return b1;
4866 }
4867
4868 static struct block *
4869 gen_ipfrag()
4870 {
4871 struct slist *s;
4872 struct block *b;
4873
4874 /* not ip frag */
4875 s = gen_load_a(OR_NET, 6, BPF_H);
4876 b = new_block(JMP(BPF_JSET));
4877 b->s.k = 0x1fff;
4878 b->stmts = s;
4879 gen_not(b);
4880
4881 return b;
4882 }
4883
4884 /*
4885 * Generate a comparison to a port value in the transport-layer header
4886 * at the specified offset from the beginning of that header.
4887 *
4888 * XXX - this handles a variable-length prefix preceding the link-layer
4889 * header, such as the radiotap or AVS radio prefix, but doesn't handle
4890 * variable-length link-layer headers (such as Token Ring or 802.11
4891 * headers).
4892 */
4893 static struct block *
4894 gen_portatom(off, v)
4895 int off;
4896 bpf_int32 v;
4897 {
4898 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
4899 }
4900
4901 #ifdef INET6
4902 static struct block *
4903 gen_portatom6(off, v)
4904 int off;
4905 bpf_int32 v;
4906 {
4907 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
4908 }
4909 #endif/*INET6*/
4910
4911 struct block *
4912 gen_portop(port, proto, dir)
4913 int port, proto, dir;
4914 {
4915 struct block *b0, *b1, *tmp;
4916
4917 /* ip proto 'proto' */
4918 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4919 b0 = gen_ipfrag();
4920 gen_and(tmp, b0);
4921
4922 switch (dir) {
4923 case Q_SRC:
4924 b1 = gen_portatom(0, (bpf_int32)port);
4925 break;
4926
4927 case Q_DST:
4928 b1 = gen_portatom(2, (bpf_int32)port);
4929 break;
4930
4931 case Q_OR:
4932 case Q_DEFAULT:
4933 tmp = gen_portatom(0, (bpf_int32)port);
4934 b1 = gen_portatom(2, (bpf_int32)port);
4935 gen_or(tmp, b1);
4936 break;
4937
4938 case Q_AND:
4939 tmp = gen_portatom(0, (bpf_int32)port);
4940 b1 = gen_portatom(2, (bpf_int32)port);
4941 gen_and(tmp, b1);
4942 break;
4943
4944 default:
4945 abort();
4946 }
4947 gen_and(b0, b1);
4948
4949 return b1;
4950 }
4951
4952 static struct block *
4953 gen_port(port, ip_proto, dir)
4954 int port;
4955 int ip_proto;
4956 int dir;
4957 {
4958 struct block *b0, *b1, *tmp;
4959
4960 /*
4961 * ether proto ip
4962 *
4963 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4964 * not LLC encapsulation with LLCSAP_IP.
4965 *
4966 * For IEEE 802 networks - which includes 802.5 token ring
4967 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4968 * says that SNAP encapsulation is used, not LLC encapsulation
4969 * with LLCSAP_IP.
4970 *
4971 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4972 * RFC 2225 say that SNAP encapsulation is used, not LLC
4973 * encapsulation with LLCSAP_IP.
4974 *
4975 * So we always check for ETHERTYPE_IP.
4976 */
4977 b0 = gen_linktype(ETHERTYPE_IP);
4978
4979 switch (ip_proto) {
4980 case IPPROTO_UDP:
4981 case IPPROTO_TCP:
4982 case IPPROTO_SCTP:
4983 b1 = gen_portop(port, ip_proto, dir);
4984 break;
4985
4986 case PROTO_UNDEF:
4987 tmp = gen_portop(port, IPPROTO_TCP, dir);
4988 b1 = gen_portop(port, IPPROTO_UDP, dir);
4989 gen_or(tmp, b1);
4990 tmp = gen_portop(port, IPPROTO_SCTP, dir);
4991 gen_or(tmp, b1);
4992 break;
4993
4994 default:
4995 abort();
4996 }
4997 gen_and(b0, b1);
4998 return b1;
4999 }
5000
5001 #ifdef INET6
5002 struct block *
5003 gen_portop6(port, proto, dir)
5004 int port, proto, dir;
5005 {
5006 struct block *b0, *b1, *tmp;
5007
5008 /* ip6 proto 'proto' */
5009 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5010
5011 switch (dir) {
5012 case Q_SRC:
5013 b1 = gen_portatom6(0, (bpf_int32)port);
5014 break;
5015
5016 case Q_DST:
5017 b1 = gen_portatom6(2, (bpf_int32)port);
5018 break;
5019
5020 case Q_OR:
5021 case Q_DEFAULT:
5022 tmp = gen_portatom6(0, (bpf_int32)port);
5023 b1 = gen_portatom6(2, (bpf_int32)port);
5024 gen_or(tmp, b1);
5025 break;
5026
5027 case Q_AND:
5028 tmp = gen_portatom6(0, (bpf_int32)port);
5029 b1 = gen_portatom6(2, (bpf_int32)port);
5030 gen_and(tmp, b1);
5031 break;
5032
5033 default:
5034 abort();
5035 }
5036 gen_and(b0, b1);
5037
5038 return b1;
5039 }
5040
5041 static struct block *
5042 gen_port6(port, ip_proto, dir)
5043 int port;
5044 int ip_proto;
5045 int dir;
5046 {
5047 struct block *b0, *b1, *tmp;
5048
5049 /* link proto ip6 */
5050 b0 = gen_linktype(ETHERTYPE_IPV6);
5051
5052 switch (ip_proto) {
5053 case IPPROTO_UDP:
5054 case IPPROTO_TCP:
5055 case IPPROTO_SCTP:
5056 b1 = gen_portop6(port, ip_proto, dir);
5057 break;
5058
5059 case PROTO_UNDEF:
5060 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5061 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5062 gen_or(tmp, b1);
5063 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5064 gen_or(tmp, b1);
5065 break;
5066
5067 default:
5068 abort();
5069 }
5070 gen_and(b0, b1);
5071 return b1;
5072 }
5073 #endif /* INET6 */
5074
5075 /* gen_portrange code */
5076 static struct block *
5077 gen_portrangeatom(off, v1, v2)
5078 int off;
5079 bpf_int32 v1, v2;
5080 {
5081 struct block *b1, *b2;
5082
5083 if (v1 > v2) {
5084 /*
5085 * Reverse the order of the ports, so v1 is the lower one.
5086 */
5087 bpf_int32 vtemp;
5088
5089 vtemp = v1;
5090 v1 = v2;
5091 v2 = vtemp;
5092 }
5093
5094 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5095 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5096
5097 gen_and(b1, b2);
5098
5099 return b2;
5100 }
5101
5102 struct block *
5103 gen_portrangeop(port1, port2, proto, dir)
5104 int port1, port2;
5105 int proto;
5106 int dir;
5107 {
5108 struct block *b0, *b1, *tmp;
5109
5110 /* ip proto 'proto' */
5111 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5112 b0 = gen_ipfrag();
5113 gen_and(tmp, b0);
5114
5115 switch (dir) {
5116 case Q_SRC:
5117 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5118 break;
5119
5120 case Q_DST:
5121 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5122 break;
5123
5124 case Q_OR:
5125 case Q_DEFAULT:
5126 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5127 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5128 gen_or(tmp, b1);
5129 break;
5130
5131 case Q_AND:
5132 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5133 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5134 gen_and(tmp, b1);
5135 break;
5136
5137 default:
5138 abort();
5139 }
5140 gen_and(b0, b1);
5141
5142 return b1;
5143 }
5144
5145 static struct block *
5146 gen_portrange(port1, port2, ip_proto, dir)
5147 int port1, port2;
5148 int ip_proto;
5149 int dir;
5150 {
5151 struct block *b0, *b1, *tmp;
5152
5153 /* link proto ip */
5154 b0 = gen_linktype(ETHERTYPE_IP);
5155
5156 switch (ip_proto) {
5157 case IPPROTO_UDP:
5158 case IPPROTO_TCP:
5159 case IPPROTO_SCTP:
5160 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5161 break;
5162
5163 case PROTO_UNDEF:
5164 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5165 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5166 gen_or(tmp, b1);
5167 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5168 gen_or(tmp, b1);
5169 break;
5170
5171 default:
5172 abort();
5173 }
5174 gen_and(b0, b1);
5175 return b1;
5176 }
5177
5178 #ifdef INET6
5179 static struct block *
5180 gen_portrangeatom6(off, v1, v2)
5181 int off;
5182 bpf_int32 v1, v2;
5183 {
5184 struct block *b1, *b2;
5185
5186 if (v1 > v2) {
5187 /*
5188 * Reverse the order of the ports, so v1 is the lower one.
5189 */
5190 bpf_int32 vtemp;
5191
5192 vtemp = v1;
5193 v1 = v2;
5194 v2 = vtemp;
5195 }
5196
5197 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5198 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5199
5200 gen_and(b1, b2);
5201
5202 return b2;
5203 }
5204
5205 struct block *
5206 gen_portrangeop6(port1, port2, proto, dir)
5207 int port1, port2;
5208 int proto;
5209 int dir;
5210 {
5211 struct block *b0, *b1, *tmp;
5212
5213 /* ip6 proto 'proto' */
5214 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5215
5216 switch (dir) {
5217 case Q_SRC:
5218 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5219 break;
5220
5221 case Q_DST:
5222 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5223 break;
5224
5225 case Q_OR:
5226 case Q_DEFAULT:
5227 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5228 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5229 gen_or(tmp, b1);
5230 break;
5231
5232 case Q_AND:
5233 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5234 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5235 gen_and(tmp, b1);
5236 break;
5237
5238 default:
5239 abort();
5240 }
5241 gen_and(b0, b1);
5242
5243 return b1;
5244 }
5245
5246 static struct block *
5247 gen_portrange6(port1, port2, ip_proto, dir)
5248 int port1, port2;
5249 int ip_proto;
5250 int dir;
5251 {
5252 struct block *b0, *b1, *tmp;
5253
5254 /* link proto ip6 */
5255 b0 = gen_linktype(ETHERTYPE_IPV6);
5256
5257 switch (ip_proto) {
5258 case IPPROTO_UDP:
5259 case IPPROTO_TCP:
5260 case IPPROTO_SCTP:
5261 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5262 break;
5263
5264 case PROTO_UNDEF:
5265 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5266 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5267 gen_or(tmp, b1);
5268 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5269 gen_or(tmp, b1);
5270 break;
5271
5272 default:
5273 abort();
5274 }
5275 gen_and(b0, b1);
5276 return b1;
5277 }
5278 #endif /* INET6 */
5279
5280 static int
5281 lookup_proto(name, proto)
5282 register const char *name;
5283 register int proto;
5284 {
5285 register int v;
5286
5287 switch (proto) {
5288
5289 case Q_DEFAULT:
5290 case Q_IP:
5291 case Q_IPV6:
5292 v = pcap_nametoproto(name);
5293 if (v == PROTO_UNDEF)
5294 bpf_error("unknown ip proto '%s'", name);
5295 break;
5296
5297 case Q_LINK:
5298 /* XXX should look up h/w protocol type based on linktype */
5299 v = pcap_nametoeproto(name);
5300 if (v == PROTO_UNDEF) {
5301 v = pcap_nametollc(name);
5302 if (v == PROTO_UNDEF)
5303 bpf_error("unknown ether proto '%s'", name);
5304 }
5305 break;
5306
5307 case Q_ISO:
5308 if (strcmp(name, "esis") == 0)
5309 v = ISO9542_ESIS;
5310 else if (strcmp(name, "isis") == 0)
5311 v = ISO10589_ISIS;
5312 else if (strcmp(name, "clnp") == 0)
5313 v = ISO8473_CLNP;
5314 else
5315 bpf_error("unknown osi proto '%s'", name);
5316 break;
5317
5318 default:
5319 v = PROTO_UNDEF;
5320 break;
5321 }
5322 return v;
5323 }
5324
5325 #if 0
5326 struct stmt *
5327 gen_joinsp(s, n)
5328 struct stmt **s;
5329 int n;
5330 {
5331 return NULL;
5332 }
5333 #endif
5334
5335 static struct block *
5336 gen_protochain(v, proto, dir)
5337 int v;
5338 int proto;
5339 int dir;
5340 {
5341 #ifdef NO_PROTOCHAIN
5342 return gen_proto(v, proto, dir);
5343 #else
5344 struct block *b0, *b;
5345 struct slist *s[100];
5346 int fix2, fix3, fix4, fix5;
5347 int ahcheck, again, end;
5348 int i, max;
5349 int reg2 = alloc_reg();
5350
5351 memset(s, 0, sizeof(s));
5352 fix2 = fix3 = fix4 = fix5 = 0;
5353
5354 switch (proto) {
5355 case Q_IP:
5356 case Q_IPV6:
5357 break;
5358 case Q_DEFAULT:
5359 b0 = gen_protochain(v, Q_IP, dir);
5360 b = gen_protochain(v, Q_IPV6, dir);
5361 gen_or(b0, b);
5362 return b;
5363 default:
5364 bpf_error("bad protocol applied for 'protochain'");
5365 /*NOTREACHED*/
5366 }
5367
5368 /*
5369 * We don't handle variable-length prefixes before the link-layer
5370 * header, or variable-length link-layer headers, here yet.
5371 * We might want to add BPF instructions to do the protochain
5372 * work, to simplify that and, on platforms that have a BPF
5373 * interpreter with the new instructions, let the filtering
5374 * be done in the kernel. (We already require a modified BPF
5375 * engine to do the protochain stuff, to support backward
5376 * branches, and backward branch support is unlikely to appear
5377 * in kernel BPF engines.)
5378 */
5379 switch (linktype) {
5380
5381 case DLT_IEEE802_11:
5382 case DLT_PRISM_HEADER:
5383 case DLT_IEEE802_11_RADIO_AVS:
5384 case DLT_IEEE802_11_RADIO:
5385 case DLT_PPI:
5386 bpf_error("'protochain' not supported with 802.11");
5387 }
5388
5389 no_optimize = 1; /*this code is not compatible with optimzer yet */
5390
5391 /*
5392 * s[0] is a dummy entry to protect other BPF insn from damage
5393 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5394 * hard to find interdependency made by jump table fixup.
5395 */
5396 i = 0;
5397 s[i] = new_stmt(0); /*dummy*/
5398 i++;
5399
5400 switch (proto) {
5401 case Q_IP:
5402 b0 = gen_linktype(ETHERTYPE_IP);
5403
5404 /* A = ip->ip_p */
5405 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5406 s[i]->s.k = off_macpl + off_nl + 9;
5407 i++;
5408 /* X = ip->ip_hl << 2 */
5409 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5410 s[i]->s.k = off_macpl + off_nl;
5411 i++;
5412 break;
5413 #ifdef INET6
5414 case Q_IPV6:
5415 b0 = gen_linktype(ETHERTYPE_IPV6);
5416
5417 /* A = ip6->ip_nxt */
5418 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5419 s[i]->s.k = off_macpl + off_nl + 6;
5420 i++;
5421 /* X = sizeof(struct ip6_hdr) */
5422 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5423 s[i]->s.k = 40;
5424 i++;
5425 break;
5426 #endif
5427 default:
5428 bpf_error("unsupported proto to gen_protochain");
5429 /*NOTREACHED*/
5430 }
5431
5432 /* again: if (A == v) goto end; else fall through; */
5433 again = i;
5434 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5435 s[i]->s.k = v;
5436 s[i]->s.jt = NULL; /*later*/
5437 s[i]->s.jf = NULL; /*update in next stmt*/
5438 fix5 = i;
5439 i++;
5440
5441 #ifndef IPPROTO_NONE
5442 #define IPPROTO_NONE 59
5443 #endif
5444 /* if (A == IPPROTO_NONE) goto end */
5445 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5446 s[i]->s.jt = NULL; /*later*/
5447 s[i]->s.jf = NULL; /*update in next stmt*/
5448 s[i]->s.k = IPPROTO_NONE;
5449 s[fix5]->s.jf = s[i];
5450 fix2 = i;
5451 i++;
5452
5453 #ifdef INET6
5454 if (proto == Q_IPV6) {
5455 int v6start, v6end, v6advance, j;
5456
5457 v6start = i;
5458 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5459 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5460 s[i]->s.jt = NULL; /*later*/
5461 s[i]->s.jf = NULL; /*update in next stmt*/
5462 s[i]->s.k = IPPROTO_HOPOPTS;
5463 s[fix2]->s.jf = s[i];
5464 i++;
5465 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5466 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5467 s[i]->s.jt = NULL; /*later*/
5468 s[i]->s.jf = NULL; /*update in next stmt*/
5469 s[i]->s.k = IPPROTO_DSTOPTS;
5470 i++;
5471 /* if (A == IPPROTO_ROUTING) goto v6advance */
5472 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5473 s[i]->s.jt = NULL; /*later*/
5474 s[i]->s.jf = NULL; /*update in next stmt*/
5475 s[i]->s.k = IPPROTO_ROUTING;
5476 i++;
5477 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5478 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5479 s[i]->s.jt = NULL; /*later*/
5480 s[i]->s.jf = NULL; /*later*/
5481 s[i]->s.k = IPPROTO_FRAGMENT;
5482 fix3 = i;
5483 v6end = i;
5484 i++;
5485
5486 /* v6advance: */
5487 v6advance = i;
5488
5489 /*
5490 * in short,
5491 * A = P[X];
5492 * X = X + (P[X + 1] + 1) * 8;
5493 */
5494 /* A = X */
5495 s[i] = new_stmt(BPF_MISC|BPF_TXA);
5496 i++;
5497 /* A = P[X + packet head] */
5498 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5499 s[i]->s.k = off_macpl + off_nl;
5500 i++;
5501 /* MEM[reg2] = A */
5502 s[i] = new_stmt(BPF_ST);
5503 s[i]->s.k = reg2;
5504 i++;
5505 /* A = X */
5506 s[i] = new_stmt(BPF_MISC|BPF_TXA);
5507 i++;
5508 /* A += 1 */
5509 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5510 s[i]->s.k = 1;
5511 i++;
5512 /* X = A */
5513 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5514 i++;
5515 /* A = P[X + packet head]; */
5516 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5517 s[i]->s.k = off_macpl + off_nl;
5518 i++;
5519 /* A += 1 */
5520 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5521 s[i]->s.k = 1;
5522 i++;
5523 /* A *= 8 */
5524 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5525 s[i]->s.k = 8;
5526 i++;
5527 /* X = A; */
5528 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5529 i++;
5530 /* A = MEM[reg2] */
5531 s[i] = new_stmt(BPF_LD|BPF_MEM);
5532 s[i]->s.k = reg2;
5533 i++;
5534
5535 /* goto again; (must use BPF_JA for backward jump) */
5536 s[i] = new_stmt(BPF_JMP|BPF_JA);
5537 s[i]->s.k = again - i - 1;
5538 s[i - 1]->s.jf = s[i];
5539 i++;
5540
5541 /* fixup */
5542 for (j = v6start; j <= v6end; j++)
5543 s[j]->s.jt = s[v6advance];
5544 } else
5545 #endif
5546 {
5547 /* nop */
5548 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5549 s[i]->s.k = 0;
5550 s[fix2]->s.jf = s[i];
5551 i++;
5552 }
5553
5554 /* ahcheck: */
5555 ahcheck = i;
5556 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5557 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5558 s[i]->s.jt = NULL; /*later*/
5559 s[i]->s.jf = NULL; /*later*/
5560 s[i]->s.k = IPPROTO_AH;
5561 if (fix3)
5562 s[fix3]->s.jf = s[ahcheck];
5563 fix4 = i;
5564 i++;
5565
5566 /*
5567 * in short,
5568 * A = P[X];
5569 * X = X + (P[X + 1] + 2) * 4;
5570 */
5571 /* A = X */
5572 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5573 i++;
5574 /* A = P[X + packet head]; */
5575 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5576 s[i]->s.k = off_macpl + off_nl;
5577 i++;
5578 /* MEM[reg2] = A */
5579 s[i] = new_stmt(BPF_ST);
5580 s[i]->s.k = reg2;
5581 i++;
5582 /* A = X */
5583 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5584 i++;
5585 /* A += 1 */
5586 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5587 s[i]->s.k = 1;
5588 i++;
5589 /* X = A */
5590 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5591 i++;
5592 /* A = P[X + packet head] */
5593 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5594 s[i]->s.k = off_macpl + off_nl;
5595 i++;
5596 /* A += 2 */
5597 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5598 s[i]->s.k = 2;
5599 i++;
5600 /* A *= 4 */
5601 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5602 s[i]->s.k = 4;
5603 i++;
5604 /* X = A; */
5605 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5606 i++;
5607 /* A = MEM[reg2] */
5608 s[i] = new_stmt(BPF_LD|BPF_MEM);
5609 s[i]->s.k = reg2;
5610 i++;
5611
5612 /* goto again; (must use BPF_JA for backward jump) */
5613 s[i] = new_stmt(BPF_JMP|BPF_JA);
5614 s[i]->s.k = again - i - 1;
5615 i++;
5616
5617 /* end: nop */
5618 end = i;
5619 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5620 s[i]->s.k = 0;
5621 s[fix2]->s.jt = s[end];
5622 s[fix4]->s.jf = s[end];
5623 s[fix5]->s.jt = s[end];
5624 i++;
5625
5626 /*
5627 * make slist chain
5628 */
5629 max = i;
5630 for (i = 0; i < max - 1; i++)
5631 s[i]->next = s[i + 1];
5632 s[max - 1]->next = NULL;
5633
5634 /*
5635 * emit final check
5636 */
5637 b = new_block(JMP(BPF_JEQ));
5638 b->stmts = s[1]; /*remember, s[0] is dummy*/
5639 b->s.k = v;
5640
5641 free_reg(reg2);
5642
5643 gen_and(b0, b);
5644 return b;
5645 #endif
5646 }
5647
5648 static struct block *
5649 gen_check_802_11_data_frame()
5650 {
5651 struct slist *s;
5652 struct block *b0, *b1;
5653
5654 /*
5655 * A data frame has the 0x08 bit (b3) in the frame control field set
5656 * and the 0x04 bit (b2) clear.
5657 */
5658 s = gen_load_a(OR_LINK, 0, BPF_B);
5659 b0 = new_block(JMP(BPF_JSET));
5660 b0->s.k = 0x08;
5661 b0->stmts = s;
5662
5663 s = gen_load_a(OR_LINK, 0, BPF_B);
5664 b1 = new_block(JMP(BPF_JSET));
5665 b1->s.k = 0x04;
5666 b1->stmts = s;
5667 gen_not(b1);
5668
5669 gen_and(b1, b0);
5670
5671 return b0;
5672 }
5673
5674 /*
5675 * Generate code that checks whether the packet is a packet for protocol
5676 * <proto> and whether the type field in that protocol's header has
5677 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5678 * IP packet and checks the protocol number in the IP header against <v>.
5679 *
5680 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5681 * against Q_IP and Q_IPV6.
5682 */
5683 static struct block *
5684 gen_proto(v, proto, dir)
5685 int v;
5686 int proto;
5687 int dir;
5688 {
5689 struct block *b0, *b1;
5690
5691 if (dir != Q_DEFAULT)
5692 bpf_error("direction applied to 'proto'");
5693
5694 switch (proto) {
5695 case Q_DEFAULT:
5696 #ifdef INET6
5697 b0 = gen_proto(v, Q_IP, dir);
5698 b1 = gen_proto(v, Q_IPV6, dir);
5699 gen_or(b0, b1);
5700 return b1;
5701 #else
5702 /*FALLTHROUGH*/
5703 #endif
5704 case Q_IP:
5705 /*
5706 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5707 * not LLC encapsulation with LLCSAP_IP.
5708 *
5709 * For IEEE 802 networks - which includes 802.5 token ring
5710 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5711 * says that SNAP encapsulation is used, not LLC encapsulation
5712 * with LLCSAP_IP.
5713 *
5714 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5715 * RFC 2225 say that SNAP encapsulation is used, not LLC
5716 * encapsulation with LLCSAP_IP.
5717 *
5718 * So we always check for ETHERTYPE_IP.
5719 */
5720 b0 = gen_linktype(ETHERTYPE_IP);
5721 #ifndef CHASE_CHAIN
5722 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5723 #else
5724 b1 = gen_protochain(v, Q_IP);
5725 #endif
5726 gen_and(b0, b1);
5727 return b1;
5728
5729 case Q_ISO:
5730 switch (linktype) {
5731
5732 case DLT_FRELAY:
5733 /*
5734 * Frame Relay packets typically have an OSI
5735 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5736 * generates code to check for all the OSI
5737 * NLPIDs, so calling it and then adding a check
5738 * for the particular NLPID for which we're
5739 * looking is bogus, as we can just check for
5740 * the NLPID.
5741 *
5742 * What we check for is the NLPID and a frame
5743 * control field value of UI, i.e. 0x03 followed
5744 * by the NLPID.
5745 *
5746 * XXX - assumes a 2-byte Frame Relay header with
5747 * DLCI and flags. What if the address is longer?
5748 *
5749 * XXX - what about SNAP-encapsulated frames?
5750 */
5751 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5752 /*NOTREACHED*/
5753 break;
5754
5755 case DLT_C_HDLC:
5756 /*
5757 * Cisco uses an Ethertype lookalike - for OSI,
5758 * it's 0xfefe.
5759 */
5760 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5761 /* OSI in C-HDLC is stuffed with a fudge byte */
5762 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5763 gen_and(b0, b1);
5764 return b1;
5765
5766 default:
5767 b0 = gen_linktype(LLCSAP_ISONS);
5768 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5769 gen_and(b0, b1);
5770 return b1;
5771 }
5772
5773 case Q_ISIS:
5774 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5775 /*
5776 * 4 is the offset of the PDU type relative to the IS-IS
5777 * header.
5778 */
5779 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5780 gen_and(b0, b1);
5781 return b1;
5782
5783 case Q_ARP:
5784 bpf_error("arp does not encapsulate another protocol");
5785 /* NOTREACHED */
5786
5787 case Q_RARP:
5788 bpf_error("rarp does not encapsulate another protocol");
5789 /* NOTREACHED */
5790
5791 case Q_ATALK:
5792 bpf_error("atalk encapsulation is not specifiable");
5793 /* NOTREACHED */
5794
5795 case Q_DECNET:
5796 bpf_error("decnet encapsulation is not specifiable");
5797 /* NOTREACHED */
5798
5799 case Q_SCA:
5800 bpf_error("sca does not encapsulate another protocol");
5801 /* NOTREACHED */
5802
5803 case Q_LAT:
5804 bpf_error("lat does not encapsulate another protocol");
5805 /* NOTREACHED */
5806
5807 case Q_MOPRC:
5808 bpf_error("moprc does not encapsulate another protocol");
5809 /* NOTREACHED */
5810
5811 case Q_MOPDL:
5812 bpf_error("mopdl does not encapsulate another protocol");
5813 /* NOTREACHED */
5814
5815 case Q_LINK:
5816 return gen_linktype(v);
5817
5818 case Q_UDP:
5819 bpf_error("'udp proto' is bogus");
5820 /* NOTREACHED */
5821
5822 case Q_TCP:
5823 bpf_error("'tcp proto' is bogus");
5824 /* NOTREACHED */
5825
5826 case Q_SCTP:
5827 bpf_error("'sctp proto' is bogus");
5828 /* NOTREACHED */
5829
5830 case Q_ICMP:
5831 bpf_error("'icmp proto' is bogus");
5832 /* NOTREACHED */
5833
5834 case Q_IGMP:
5835 bpf_error("'igmp proto' is bogus");
5836 /* NOTREACHED */
5837
5838 case Q_IGRP:
5839 bpf_error("'igrp proto' is bogus");
5840 /* NOTREACHED */
5841
5842 case Q_PIM:
5843 bpf_error("'pim proto' is bogus");
5844 /* NOTREACHED */
5845
5846 case Q_VRRP:
5847 bpf_error("'vrrp proto' is bogus");
5848 /* NOTREACHED */
5849
5850 #ifdef INET6
5851 case Q_IPV6:
5852 b0 = gen_linktype(ETHERTYPE_IPV6);
5853 #ifndef CHASE_CHAIN
5854 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5855 #else
5856 b1 = gen_protochain(v, Q_IPV6);
5857 #endif
5858 gen_and(b0, b1);
5859 return b1;
5860
5861 case Q_ICMPV6:
5862 bpf_error("'icmp6 proto' is bogus");
5863 #endif /* INET6 */
5864
5865 case Q_AH:
5866 bpf_error("'ah proto' is bogus");
5867
5868 case Q_ESP:
5869 bpf_error("'ah proto' is bogus");
5870
5871 case Q_STP:
5872 bpf_error("'stp proto' is bogus");
5873
5874 case Q_IPX:
5875 bpf_error("'ipx proto' is bogus");
5876
5877 case Q_NETBEUI:
5878 bpf_error("'netbeui proto' is bogus");
5879
5880 case Q_RADIO:
5881 bpf_error("'radio proto' is bogus");
5882
5883 default:
5884 abort();
5885 /* NOTREACHED */
5886 }
5887 /* NOTREACHED */
5888 }
5889
5890 struct block *
5891 gen_scode(name, q)
5892 register const char *name;
5893 struct qual q;
5894 {
5895 int proto = q.proto;
5896 int dir = q.dir;
5897 int tproto;
5898 u_char *eaddr;
5899 bpf_u_int32 mask, addr;
5900 #ifndef INET6
5901 bpf_u_int32 **alist;
5902 #else
5903 int tproto6;
5904 struct sockaddr_in *sin4;
5905 struct sockaddr_in6 *sin6;
5906 struct addrinfo *res, *res0;
5907 struct in6_addr mask128;
5908 #endif /*INET6*/
5909 struct block *b, *tmp;
5910 int port, real_proto;
5911 int port1, port2;
5912
5913 switch (q.addr) {
5914
5915 case Q_NET:
5916 addr = pcap_nametonetaddr(name);
5917 if (addr == 0)
5918 bpf_error("unknown network '%s'", name);
5919 /* Left justify network addr and calculate its network mask */
5920 mask = 0xffffffff;
5921 while (addr && (addr & 0xff000000) == 0) {
5922 addr <<= 8;
5923 mask <<= 8;
5924 }
5925 return gen_host(addr, mask, proto, dir, q.addr);
5926
5927 case Q_DEFAULT:
5928 case Q_HOST:
5929 if (proto == Q_LINK) {
5930 switch (linktype) {
5931
5932 case DLT_EN10MB:
5933 eaddr = pcap_ether_hostton(name);
5934 if (eaddr == NULL)
5935 bpf_error(
5936 "unknown ether host '%s'", name);
5937 b = gen_ehostop(eaddr, dir);
5938 free(eaddr);
5939 return b;
5940
5941 case DLT_FDDI:
5942 eaddr = pcap_ether_hostton(name);
5943 if (eaddr == NULL)
5944 bpf_error(
5945 "unknown FDDI host '%s'", name);
5946 b = gen_fhostop(eaddr, dir);
5947 free(eaddr);
5948 return b;
5949
5950 case DLT_IEEE802:
5951 eaddr = pcap_ether_hostton(name);
5952 if (eaddr == NULL)
5953 bpf_error(
5954 "unknown token ring host '%s'", name);
5955 b = gen_thostop(eaddr, dir);
5956 free(eaddr);
5957 return b;
5958
5959 case DLT_IEEE802_11:
5960 case DLT_PRISM_HEADER:
5961 case DLT_IEEE802_11_RADIO_AVS:
5962 case DLT_IEEE802_11_RADIO:
5963 case DLT_PPI:
5964 eaddr = pcap_ether_hostton(name);
5965 if (eaddr == NULL)
5966 bpf_error(
5967 "unknown 802.11 host '%s'", name);
5968 b = gen_wlanhostop(eaddr, dir);
5969 free(eaddr);
5970 return b;
5971
5972 case DLT_IP_OVER_FC:
5973 eaddr = pcap_ether_hostton(name);
5974 if (eaddr == NULL)
5975 bpf_error(
5976 "unknown Fibre Channel host '%s'", name);
5977 b = gen_ipfchostop(eaddr, dir);
5978 free(eaddr);
5979 return b;
5980
5981 case DLT_SUNATM:
5982 if (!is_lane)
5983 break;
5984
5985 /*
5986 * Check that the packet doesn't begin
5987 * with an LE Control marker. (We've
5988 * already generated a test for LANE.)
5989 */
5990 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
5991 BPF_H, 0xFF00);
5992 gen_not(tmp);
5993
5994 eaddr = pcap_ether_hostton(name);
5995 if (eaddr == NULL)
5996 bpf_error(
5997 "unknown ether host '%s'", name);
5998 b = gen_ehostop(eaddr, dir);
5999 gen_and(tmp, b);
6000 free(eaddr);
6001 return b;
6002 }
6003
6004 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6005 } else if (proto == Q_DECNET) {
6006 unsigned short dn_addr = __pcap_nametodnaddr(name);
6007 /*
6008 * I don't think DECNET hosts can be multihomed, so
6009 * there is no need to build up a list of addresses
6010 */
6011 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6012 } else {
6013 #ifndef INET6
6014 alist = pcap_nametoaddr(name);
6015 if (alist == NULL || *alist == NULL)
6016 bpf_error("unknown host '%s'", name);
6017 tproto = proto;
6018 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6019 tproto = Q_IP;
6020 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6021 while (*alist) {
6022 tmp = gen_host(**alist++, 0xffffffff,
6023 tproto, dir, q.addr);
6024 gen_or(b, tmp);
6025 b = tmp;
6026 }
6027 return b;
6028 #else
6029 memset(&mask128, 0xff, sizeof(mask128));
6030 res0 = res = pcap_nametoaddrinfo(name);
6031 if (res == NULL)
6032 bpf_error("unknown host '%s'", name);
6033 ai = res;
6034 b = tmp = NULL;
6035 tproto = tproto6 = proto;
6036 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6037 tproto = Q_IP;
6038 tproto6 = Q_IPV6;
6039 }
6040 for (res = res0; res; res = res->ai_next) {
6041 switch (res->ai_family) {
6042 case AF_INET:
6043 if (tproto == Q_IPV6)
6044 continue;
6045
6046 sin4 = (struct sockaddr_in *)
6047 res->ai_addr;
6048 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6049 0xffffffff, tproto, dir, q.addr);
6050 break;
6051 case AF_INET6:
6052 if (tproto6 == Q_IP)
6053 continue;
6054
6055 sin6 = (struct sockaddr_in6 *)
6056 res->ai_addr;
6057 tmp = gen_host6(&sin6->sin6_addr,
6058 &mask128, tproto6, dir, q.addr);
6059 break;
6060 default:
6061 continue;
6062 }
6063 if (b)
6064 gen_or(b, tmp);
6065 b = tmp;
6066 }
6067 ai = NULL;
6068 freeaddrinfo(res0);
6069 if (b == NULL) {
6070 bpf_error("unknown host '%s'%s", name,
6071 (proto == Q_DEFAULT)
6072 ? ""
6073 : " for specified address family");
6074 }
6075 return b;
6076 #endif /*INET6*/
6077 }
6078
6079 case Q_PORT:
6080 if (proto != Q_DEFAULT &&
6081 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6082 bpf_error("illegal qualifier of 'port'");
6083 if (pcap_nametoport(name, &port, &real_proto) == 0)
6084 bpf_error("unknown port '%s'", name);
6085 if (proto == Q_UDP) {
6086 if (real_proto == IPPROTO_TCP)
6087 bpf_error("port '%s' is tcp", name);
6088 else if (real_proto == IPPROTO_SCTP)
6089 bpf_error("port '%s' is sctp", name);
6090 else
6091 /* override PROTO_UNDEF */
6092 real_proto = IPPROTO_UDP;
6093 }
6094 if (proto == Q_TCP) {
6095 if (real_proto == IPPROTO_UDP)
6096 bpf_error("port '%s' is udp", name);
6097
6098 else if (real_proto == IPPROTO_SCTP)
6099 bpf_error("port '%s' is sctp", name);
6100 else
6101 /* override PROTO_UNDEF */
6102 real_proto = IPPROTO_TCP;
6103 }
6104 if (proto == Q_SCTP) {
6105 if (real_proto == IPPROTO_UDP)
6106 bpf_error("port '%s' is udp", name);
6107
6108 else if (real_proto == IPPROTO_TCP)
6109 bpf_error("port '%s' is tcp", name);
6110 else
6111 /* override PROTO_UNDEF */
6112 real_proto = IPPROTO_SCTP;
6113 }
6114 #ifndef INET6
6115 return gen_port(port, real_proto, dir);
6116 #else
6117 b = gen_port(port, real_proto, dir);
6118 gen_or(gen_port6(port, real_proto, dir), b);
6119 return b;
6120 #endif /* INET6 */
6121
6122 case Q_PORTRANGE:
6123 if (proto != Q_DEFAULT &&
6124 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6125 bpf_error("illegal qualifier of 'portrange'");
6126 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6127 bpf_error("unknown port in range '%s'", name);
6128 if (proto == Q_UDP) {
6129 if (real_proto == IPPROTO_TCP)
6130 bpf_error("port in range '%s' is tcp", name);
6131 else if (real_proto == IPPROTO_SCTP)
6132 bpf_error("port in range '%s' is sctp", name);
6133 else
6134 /* override PROTO_UNDEF */
6135 real_proto = IPPROTO_UDP;
6136 }
6137 if (proto == Q_TCP) {
6138 if (real_proto == IPPROTO_UDP)
6139 bpf_error("port in range '%s' is udp", name);
6140 else if (real_proto == IPPROTO_SCTP)
6141 bpf_error("port in range '%s' is sctp", name);
6142 else
6143 /* override PROTO_UNDEF */
6144 real_proto = IPPROTO_TCP;
6145 }
6146 if (proto == Q_SCTP) {
6147 if (real_proto == IPPROTO_UDP)
6148 bpf_error("port in range '%s' is udp", name);
6149 else if (real_proto == IPPROTO_TCP)
6150 bpf_error("port in range '%s' is tcp", name);
6151 else
6152 /* override PROTO_UNDEF */
6153 real_proto = IPPROTO_SCTP;
6154 }
6155 #ifndef INET6
6156 return gen_portrange(port1, port2, real_proto, dir);
6157 #else
6158 b = gen_portrange(port1, port2, real_proto, dir);
6159 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6160 return b;
6161 #endif /* INET6 */
6162
6163 case Q_GATEWAY:
6164 #ifndef INET6
6165 eaddr = pcap_ether_hostton(name);
6166 if (eaddr == NULL)
6167 bpf_error("unknown ether host: %s", name);
6168
6169 alist = pcap_nametoaddr(name);
6170 if (alist == NULL || *alist == NULL)
6171 bpf_error("unknown host '%s'", name);
6172 b = gen_gateway(eaddr, alist, proto, dir);
6173 free(eaddr);
6174 return b;
6175 #else
6176 bpf_error("'gateway' not supported in this configuration");
6177 #endif /*INET6*/
6178
6179 case Q_PROTO:
6180 real_proto = lookup_proto(name, proto);
6181 if (real_proto >= 0)
6182 return gen_proto(real_proto, proto, dir);
6183 else
6184 bpf_error("unknown protocol: %s", name);
6185
6186 case Q_PROTOCHAIN:
6187 real_proto = lookup_proto(name, proto);
6188 if (real_proto >= 0)
6189 return gen_protochain(real_proto, proto, dir);
6190 else
6191 bpf_error("unknown protocol: %s", name);
6192
6193 case Q_UNDEF:
6194 syntax();
6195 /* NOTREACHED */
6196 }
6197 abort();
6198 /* NOTREACHED */
6199 }
6200
6201 struct block *
6202 gen_mcode(s1, s2, masklen, q)
6203 register const char *s1, *s2;
6204 register int masklen;
6205 struct qual q;
6206 {
6207 register int nlen, mlen;
6208 bpf_u_int32 n, m;
6209
6210 nlen = __pcap_atoin(s1, &n);
6211 /* Promote short ipaddr */
6212 n <<= 32 - nlen;
6213
6214 if (s2 != NULL) {
6215 mlen = __pcap_atoin(s2, &m);
6216 /* Promote short ipaddr */
6217 m <<= 32 - mlen;
6218 if ((n & ~m) != 0)
6219 bpf_error("non-network bits set in \"%s mask %s\"",
6220 s1, s2);
6221 } else {
6222 /* Convert mask len to mask */
6223 if (masklen > 32)
6224 bpf_error("mask length must be <= 32");
6225 if (masklen == 0) {
6226 /*
6227 * X << 32 is not guaranteed by C to be 0; it's
6228 * undefined.
6229 */
6230 m = 0;
6231 } else
6232 m = 0xffffffff << (32 - masklen);
6233 if ((n & ~m) != 0)
6234 bpf_error("non-network bits set in \"%s/%d\"",
6235 s1, masklen);
6236 }
6237
6238 switch (q.addr) {
6239
6240 case Q_NET:
6241 return gen_host(n, m, q.proto, q.dir, q.addr);
6242
6243 default:
6244 bpf_error("Mask syntax for networks only");
6245 /* NOTREACHED */
6246 }
6247 /* NOTREACHED */
6248 return NULL;
6249 }
6250
6251 struct block *
6252 gen_ncode(s, v, q)
6253 register const char *s;
6254 bpf_u_int32 v;
6255 struct qual q;
6256 {
6257 bpf_u_int32 mask;
6258 int proto = q.proto;
6259 int dir = q.dir;
6260 register int vlen;
6261
6262 if (s == NULL)
6263 vlen = 32;
6264 else if (q.proto == Q_DECNET)
6265 vlen = __pcap_atodn(s, &v);
6266 else
6267 vlen = __pcap_atoin(s, &v);
6268
6269 switch (q.addr) {
6270
6271 case Q_DEFAULT:
6272 case Q_HOST:
6273 case Q_NET:
6274 if (proto == Q_DECNET)
6275 return gen_host(v, 0, proto, dir, q.addr);
6276 else if (proto == Q_LINK) {
6277 bpf_error("illegal link layer address");
6278 } else {
6279 mask = 0xffffffff;
6280 if (s == NULL && q.addr == Q_NET) {
6281 /* Promote short net number */
6282 while (v && (v & 0xff000000) == 0) {
6283 v <<= 8;
6284 mask <<= 8;
6285 }
6286 } else {
6287 /* Promote short ipaddr */
6288 v <<= 32 - vlen;
6289 mask <<= 32 - vlen;
6290 }
6291 return gen_host(v, mask, proto, dir, q.addr);
6292 }
6293
6294 case Q_PORT:
6295 if (proto == Q_UDP)
6296 proto = IPPROTO_UDP;
6297 else if (proto == Q_TCP)
6298 proto = IPPROTO_TCP;
6299 else if (proto == Q_SCTP)
6300 proto = IPPROTO_SCTP;
6301 else if (proto == Q_DEFAULT)
6302 proto = PROTO_UNDEF;
6303 else
6304 bpf_error("illegal qualifier of 'port'");
6305
6306 #ifndef INET6
6307 return gen_port((int)v, proto, dir);
6308 #else
6309 {
6310 struct block *b;
6311 b = gen_port((int)v, proto, dir);
6312 gen_or(gen_port6((int)v, proto, dir), b);
6313 return b;
6314 }
6315 #endif /* INET6 */
6316
6317 case Q_PORTRANGE:
6318 if (proto == Q_UDP)
6319 proto = IPPROTO_UDP;
6320 else if (proto == Q_TCP)
6321 proto = IPPROTO_TCP;
6322 else if (proto == Q_SCTP)
6323 proto = IPPROTO_SCTP;
6324 else if (proto == Q_DEFAULT)
6325 proto = PROTO_UNDEF;
6326 else
6327 bpf_error("illegal qualifier of 'portrange'");
6328
6329 #ifndef INET6
6330 return gen_portrange((int)v, (int)v, proto, dir);
6331 #else
6332 {
6333 struct block *b;
6334 b = gen_portrange((int)v, (int)v, proto, dir);
6335 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6336 return b;
6337 }
6338 #endif /* INET6 */
6339
6340 case Q_GATEWAY:
6341 bpf_error("'gateway' requires a name");
6342 /* NOTREACHED */
6343
6344 case Q_PROTO:
6345 return gen_proto((int)v, proto, dir);
6346
6347 case Q_PROTOCHAIN:
6348 return gen_protochain((int)v, proto, dir);
6349
6350 case Q_UNDEF:
6351 syntax();
6352 /* NOTREACHED */
6353
6354 default:
6355 abort();
6356 /* NOTREACHED */
6357 }
6358 /* NOTREACHED */
6359 }
6360
6361 #ifdef INET6
6362 struct block *
6363 gen_mcode6(s1, s2, masklen, q)
6364 register const char *s1, *s2;
6365 register int masklen;
6366 struct qual q;
6367 {
6368 struct addrinfo *res;
6369 struct in6_addr *addr;
6370 struct in6_addr mask;
6371 struct block *b;
6372 u_int32_t *a, *m;
6373
6374 if (s2)
6375 bpf_error("no mask %s supported", s2);
6376
6377 res = pcap_nametoaddrinfo(s1);
6378 if (!res)
6379 bpf_error("invalid ip6 address %s", s1);
6380 ai = res;
6381 if (res->ai_next)
6382 bpf_error("%s resolved to multiple address", s1);
6383 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6384
6385 if (sizeof(mask) * 8 < masklen)
6386 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6387 memset(&mask, 0, sizeof(mask));
6388 memset(&mask, 0xff, masklen / 8);
6389 if (masklen % 8) {
6390 mask.s6_addr[masklen / 8] =
6391 (0xff << (8 - masklen % 8)) & 0xff;
6392 }
6393
6394 a = (u_int32_t *)addr;
6395 m = (u_int32_t *)&mask;
6396 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6397 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6398 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6399 }
6400
6401 switch (q.addr) {
6402
6403 case Q_DEFAULT:
6404 case Q_HOST:
6405 if (masklen != 128)
6406 bpf_error("Mask syntax for networks only");
6407 /* FALLTHROUGH */
6408
6409 case Q_NET:
6410 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6411 ai = NULL;
6412 freeaddrinfo(res);
6413 return b;
6414
6415 default:
6416 bpf_error("invalid qualifier against IPv6 address");
6417 /* NOTREACHED */
6418 }
6419 return NULL;
6420 }
6421 #endif /*INET6*/
6422
6423 struct block *
6424 gen_ecode(eaddr, q)
6425 register const u_char *eaddr;
6426 struct qual q;
6427 {
6428 struct block *b, *tmp;
6429
6430 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6431 switch (linktype) {
6432 case DLT_EN10MB:
6433 return gen_ehostop(eaddr, (int)q.dir);
6434 case DLT_FDDI:
6435 return gen_fhostop(eaddr, (int)q.dir);
6436 case DLT_IEEE802:
6437 return gen_thostop(eaddr, (int)q.dir);
6438 case DLT_IEEE802_11:
6439 case DLT_PRISM_HEADER:
6440 case DLT_IEEE802_11_RADIO_AVS:
6441 case DLT_IEEE802_11_RADIO:
6442 case DLT_PPI:
6443 return gen_wlanhostop(eaddr, (int)q.dir);
6444 case DLT_SUNATM:
6445 if (is_lane) {
6446 /*
6447 * Check that the packet doesn't begin with an
6448 * LE Control marker. (We've already generated
6449 * a test for LANE.)
6450 */
6451 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6452 0xFF00);
6453 gen_not(tmp);
6454
6455 /*
6456 * Now check the MAC address.
6457 */
6458 b = gen_ehostop(eaddr, (int)q.dir);
6459 gen_and(tmp, b);
6460 return b;
6461 }
6462 break;
6463 case DLT_IP_OVER_FC:
6464 return gen_ipfchostop(eaddr, (int)q.dir);
6465 default:
6466 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6467 break;
6468 }
6469 }
6470 bpf_error("ethernet address used in non-ether expression");
6471 /* NOTREACHED */
6472 return NULL;
6473 }
6474
6475 void
6476 sappend(s0, s1)
6477 struct slist *s0, *s1;
6478 {
6479 /*
6480 * This is definitely not the best way to do this, but the
6481 * lists will rarely get long.
6482 */
6483 while (s0->next)
6484 s0 = s0->next;
6485 s0->next = s1;
6486 }
6487
6488 static struct slist *
6489 xfer_to_x(a)
6490 struct arth *a;
6491 {
6492 struct slist *s;
6493
6494 s = new_stmt(BPF_LDX|BPF_MEM);
6495 s->s.k = a->regno;
6496 return s;
6497 }
6498
6499 static struct slist *
6500 xfer_to_a(a)
6501 struct arth *a;
6502 {
6503 struct slist *s;
6504
6505 s = new_stmt(BPF_LD|BPF_MEM);
6506 s->s.k = a->regno;
6507 return s;
6508 }
6509
6510 /*
6511 * Modify "index" to use the value stored into its register as an
6512 * offset relative to the beginning of the header for the protocol
6513 * "proto", and allocate a register and put an item "size" bytes long
6514 * (1, 2, or 4) at that offset into that register, making it the register
6515 * for "index".
6516 */
6517 struct arth *
6518 gen_load(proto, inst, size)
6519 int proto;
6520 struct arth *inst;
6521 int size;
6522 {
6523 struct slist *s, *tmp;
6524 struct block *b;
6525 int regno = alloc_reg();
6526
6527 free_reg(inst->regno);
6528 switch (size) {
6529
6530 default:
6531 bpf_error("data size must be 1, 2, or 4");
6532
6533 case 1:
6534 size = BPF_B;
6535 break;
6536
6537 case 2:
6538 size = BPF_H;
6539 break;
6540
6541 case 4:
6542 size = BPF_W;
6543 break;
6544 }
6545 switch (proto) {
6546 default:
6547 bpf_error("unsupported index operation");
6548
6549 case Q_RADIO:
6550 /*
6551 * The offset is relative to the beginning of the packet
6552 * data, if we have a radio header. (If we don't, this
6553 * is an error.)
6554 */
6555 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6556 linktype != DLT_IEEE802_11_RADIO &&
6557 linktype != DLT_PRISM_HEADER)
6558 bpf_error("radio information not present in capture");
6559
6560 /*
6561 * Load into the X register the offset computed into the
6562 * register specifed by "index".
6563 */
6564 s = xfer_to_x(inst);
6565
6566 /*
6567 * Load the item at that offset.
6568 */
6569 tmp = new_stmt(BPF_LD|BPF_IND|size);
6570 sappend(s, tmp);
6571 sappend(inst->s, s);
6572 break;
6573
6574 case Q_LINK:
6575 /*
6576 * The offset is relative to the beginning of
6577 * the link-layer header.
6578 *
6579 * XXX - what about ATM LANE? Should the index be
6580 * relative to the beginning of the AAL5 frame, so
6581 * that 0 refers to the beginning of the LE Control
6582 * field, or relative to the beginning of the LAN
6583 * frame, so that 0 refers, for Ethernet LANE, to
6584 * the beginning of the destination address?
6585 */
6586 s = gen_llprefixlen();
6587
6588 /*
6589 * If "s" is non-null, it has code to arrange that the
6590 * X register contains the length of the prefix preceding
6591 * the link-layer header. Add to it the offset computed
6592 * into the register specified by "index", and move that
6593 * into the X register. Otherwise, just load into the X
6594 * register the offset computed into the register specifed
6595 * by "index".
6596 */
6597 if (s != NULL) {
6598 sappend(s, xfer_to_a(inst));
6599 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6600 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6601 } else
6602 s = xfer_to_x(inst);
6603
6604 /*
6605 * Load the item at the sum of the offset we've put in the
6606 * X register and the offset of the start of the link
6607 * layer header (which is 0 if the radio header is
6608 * variable-length; that header length is what we put
6609 * into the X register and then added to the index).
6610 */
6611 tmp = new_stmt(BPF_LD|BPF_IND|size);
6612 tmp->s.k = off_ll;
6613 sappend(s, tmp);
6614 sappend(inst->s, s);
6615 break;
6616
6617 case Q_IP:
6618 case Q_ARP:
6619 case Q_RARP:
6620 case Q_ATALK:
6621 case Q_DECNET:
6622 case Q_SCA:
6623 case Q_LAT:
6624 case Q_MOPRC:
6625 case Q_MOPDL:
6626 #ifdef INET6
6627 case Q_IPV6:
6628 #endif
6629 /*
6630 * The offset is relative to the beginning of
6631 * the network-layer header.
6632 * XXX - are there any cases where we want
6633 * off_nl_nosnap?
6634 */
6635 s = gen_off_macpl();
6636
6637 /*
6638 * If "s" is non-null, it has code to arrange that the
6639 * X register contains the offset of the MAC-layer
6640 * payload. Add to it the offset computed into the
6641 * register specified by "index", and move that into
6642 * the X register. Otherwise, just load into the X
6643 * register the offset computed into the register specifed
6644 * by "index".
6645 */
6646 if (s != NULL) {
6647 sappend(s, xfer_to_a(inst));
6648 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6649 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6650 } else
6651 s = xfer_to_x(inst);
6652
6653 /*
6654 * Load the item at the sum of the offset we've put in the
6655 * X register, the offset of the start of the network
6656 * layer header from the beginning of the MAC-layer
6657 * payload, and the purported offset of the start of the
6658 * MAC-layer payload (which might be 0 if there's a
6659 * variable-length prefix before the link-layer header
6660 * or the link-layer header itself is variable-length;
6661 * the variable-length offset of the start of the
6662 * MAC-layer payload is what we put into the X register
6663 * and then added to the index).
6664 */
6665 tmp = new_stmt(BPF_LD|BPF_IND|size);
6666 tmp->s.k = off_macpl + off_nl;
6667 sappend(s, tmp);
6668 sappend(inst->s, s);
6669
6670 /*
6671 * Do the computation only if the packet contains
6672 * the protocol in question.
6673 */
6674 b = gen_proto_abbrev(proto);
6675 if (inst->b)
6676 gen_and(inst->b, b);
6677 inst->b = b;
6678 break;
6679
6680 case Q_SCTP:
6681 case Q_TCP:
6682 case Q_UDP:
6683 case Q_ICMP:
6684 case Q_IGMP:
6685 case Q_IGRP:
6686 case Q_PIM:
6687 case Q_VRRP:
6688 /*
6689 * The offset is relative to the beginning of
6690 * the transport-layer header.
6691 *
6692 * Load the X register with the length of the IPv4 header
6693 * (plus the offset of the link-layer header, if it's
6694 * a variable-length header), in bytes.
6695 *
6696 * XXX - are there any cases where we want
6697 * off_nl_nosnap?
6698 * XXX - we should, if we're built with
6699 * IPv6 support, generate code to load either
6700 * IPv4, IPv6, or both, as appropriate.
6701 */
6702 s = gen_loadx_iphdrlen();
6703
6704 /*
6705 * The X register now contains the sum of the length
6706 * of any variable-length header preceding the link-layer
6707 * header, any variable-length link-layer header, and the
6708 * length of the network-layer header.
6709 *
6710 * Load into the A register the offset relative to
6711 * the beginning of the transport layer header,
6712 * add the X register to that, move that to the
6713 * X register, and load with an offset from the
6714 * X register equal to the offset of the network
6715 * layer header relative to the beginning of
6716 * the MAC-layer payload plus the fixed-length
6717 * portion of the offset of the MAC-layer payload
6718 * from the beginning of the raw packet data.
6719 */
6720 sappend(s, xfer_to_a(inst));
6721 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6722 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6723 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6724 tmp->s.k = off_macpl + off_nl;
6725 sappend(inst->s, s);
6726
6727 /*
6728 * Do the computation only if the packet contains
6729 * the protocol in question - which is true only
6730 * if this is an IP datagram and is the first or
6731 * only fragment of that datagram.
6732 */
6733 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6734 if (inst->b)
6735 gen_and(inst->b, b);
6736 #ifdef INET6
6737 gen_and(gen_proto_abbrev(Q_IP), b);
6738 #endif
6739 inst->b = b;
6740 break;
6741 #ifdef INET6
6742 case Q_ICMPV6:
6743 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6744 /*NOTREACHED*/
6745 #endif
6746 }
6747 inst->regno = regno;
6748 s = new_stmt(BPF_ST);
6749 s->s.k = regno;
6750 sappend(inst->s, s);
6751
6752 return inst;
6753 }
6754
6755 struct block *
6756 gen_relation(code, a0, a1, reversed)
6757 int code;
6758 struct arth *a0, *a1;
6759 int reversed;
6760 {
6761 struct slist *s0, *s1, *s2;
6762 struct block *b, *tmp;
6763
6764 s0 = xfer_to_x(a1);
6765 s1 = xfer_to_a(a0);
6766 if (code == BPF_JEQ) {
6767 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6768 b = new_block(JMP(code));
6769 sappend(s1, s2);
6770 }
6771 else
6772 b = new_block(BPF_JMP|code|BPF_X);
6773 if (reversed)
6774 gen_not(b);
6775
6776 sappend(s0, s1);
6777 sappend(a1->s, s0);
6778 sappend(a0->s, a1->s);
6779
6780 b->stmts = a0->s;
6781
6782 free_reg(a0->regno);
6783 free_reg(a1->regno);
6784
6785 /* 'and' together protocol checks */
6786 if (a0->b) {
6787 if (a1->b) {
6788 gen_and(a0->b, tmp = a1->b);
6789 }
6790 else
6791 tmp = a0->b;
6792 } else
6793 tmp = a1->b;
6794
6795 if (tmp)
6796 gen_and(tmp, b);
6797
6798 return b;
6799 }
6800
6801 struct arth *
6802 gen_loadlen()
6803 {
6804 int regno = alloc_reg();
6805 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6806 struct slist *s;
6807
6808 s = new_stmt(BPF_LD|BPF_LEN);
6809 s->next = new_stmt(BPF_ST);
6810 s->next->s.k = regno;
6811 a->s = s;
6812 a->regno = regno;
6813
6814 return a;
6815 }
6816
6817 struct arth *
6818 gen_loadi(val)
6819 int val;
6820 {
6821 struct arth *a;
6822 struct slist *s;
6823 int reg;
6824
6825 a = (struct arth *)newchunk(sizeof(*a));
6826
6827 reg = alloc_reg();
6828
6829 s = new_stmt(BPF_LD|BPF_IMM);
6830 s->s.k = val;
6831 s->next = new_stmt(BPF_ST);
6832 s->next->s.k = reg;
6833 a->s = s;
6834 a->regno = reg;
6835
6836 return a;
6837 }
6838
6839 struct arth *
6840 gen_neg(a)
6841 struct arth *a;
6842 {
6843 struct slist *s;
6844
6845 s = xfer_to_a(a);
6846 sappend(a->s, s);
6847 s = new_stmt(BPF_ALU|BPF_NEG);
6848 s->s.k = 0;
6849 sappend(a->s, s);
6850 s = new_stmt(BPF_ST);
6851 s->s.k = a->regno;
6852 sappend(a->s, s);
6853
6854 return a;
6855 }
6856
6857 struct arth *
6858 gen_arth(code, a0, a1)
6859 int code;
6860 struct arth *a0, *a1;
6861 {
6862 struct slist *s0, *s1, *s2;
6863
6864 s0 = xfer_to_x(a1);
6865 s1 = xfer_to_a(a0);
6866 s2 = new_stmt(BPF_ALU|BPF_X|code);
6867
6868 sappend(s1, s2);
6869 sappend(s0, s1);
6870 sappend(a1->s, s0);
6871 sappend(a0->s, a1->s);
6872
6873 free_reg(a0->regno);
6874 free_reg(a1->regno);
6875
6876 s0 = new_stmt(BPF_ST);
6877 a0->regno = s0->s.k = alloc_reg();
6878 sappend(a0->s, s0);
6879
6880 return a0;
6881 }
6882
6883 /*
6884 * Here we handle simple allocation of the scratch registers.
6885 * If too many registers are alloc'd, the allocator punts.
6886 */
6887 static int regused[BPF_MEMWORDS];
6888 static int curreg;
6889
6890 /*
6891 * Initialize the table of used registers and the current register.
6892 */
6893 static void
6894 init_regs()
6895 {
6896 curreg = 0;
6897 memset(regused, 0, sizeof regused);
6898 }
6899
6900 /*
6901 * Return the next free register.
6902 */
6903 static int
6904 alloc_reg()
6905 {
6906 int n = BPF_MEMWORDS;
6907
6908 while (--n >= 0) {
6909 if (regused[curreg])
6910 curreg = (curreg + 1) % BPF_MEMWORDS;
6911 else {
6912 regused[curreg] = 1;
6913 return curreg;
6914 }
6915 }
6916 bpf_error("too many registers needed to evaluate expression");
6917 /* NOTREACHED */
6918 return 0;
6919 }
6920
6921 /*
6922 * Return a register to the table so it can
6923 * be used later.
6924 */
6925 static void
6926 free_reg(n)
6927 int n;
6928 {
6929 regused[n] = 0;
6930 }
6931
6932 static struct block *
6933 gen_len(jmp, n)
6934 int jmp, n;
6935 {
6936 struct slist *s;
6937 struct block *b;
6938
6939 s = new_stmt(BPF_LD|BPF_LEN);
6940 b = new_block(JMP(jmp));
6941 b->stmts = s;
6942 b->s.k = n;
6943
6944 return b;
6945 }
6946
6947 struct block *
6948 gen_greater(n)
6949 int n;
6950 {
6951 return gen_len(BPF_JGE, n);
6952 }
6953
6954 /*
6955 * Actually, this is less than or equal.
6956 */
6957 struct block *
6958 gen_less(n)
6959 int n;
6960 {
6961 struct block *b;
6962
6963 b = gen_len(BPF_JGT, n);
6964 gen_not(b);
6965
6966 return b;
6967 }
6968
6969 /*
6970 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
6971 * the beginning of the link-layer header.
6972 * XXX - that means you can't test values in the radiotap header, but
6973 * as that header is difficult if not impossible to parse generally
6974 * without a loop, that might not be a severe problem. A new keyword
6975 * "radio" could be added for that, although what you'd really want
6976 * would be a way of testing particular radio header values, which
6977 * would generate code appropriate to the radio header in question.
6978 */
6979 struct block *
6980 gen_byteop(op, idx, val)
6981 int op, idx, val;
6982 {
6983 struct block *b;
6984 struct slist *s;
6985
6986 switch (op) {
6987 default:
6988 abort();
6989
6990 case '=':
6991 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6992
6993 case '<':
6994 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6995 return b;
6996
6997 case '>':
6998 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6999 return b;
7000
7001 case '|':
7002 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7003 break;
7004
7005 case '&':
7006 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7007 break;
7008 }
7009 s->s.k = val;
7010 b = new_block(JMP(BPF_JEQ));
7011 b->stmts = s;
7012 gen_not(b);
7013
7014 return b;
7015 }
7016
7017 static u_char abroadcast[] = { 0x0 };
7018
7019 struct block *
7020 gen_broadcast(proto)
7021 int proto;
7022 {
7023 bpf_u_int32 hostmask;
7024 struct block *b0, *b1, *b2;
7025 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7026
7027 switch (proto) {
7028
7029 case Q_DEFAULT:
7030 case Q_LINK:
7031 switch (linktype) {
7032 case DLT_ARCNET:
7033 case DLT_ARCNET_LINUX:
7034 return gen_ahostop(abroadcast, Q_DST);
7035 case DLT_EN10MB:
7036 return gen_ehostop(ebroadcast, Q_DST);
7037 case DLT_FDDI:
7038 return gen_fhostop(ebroadcast, Q_DST);
7039 case DLT_IEEE802:
7040 return gen_thostop(ebroadcast, Q_DST);
7041 case DLT_IEEE802_11:
7042 case DLT_PRISM_HEADER:
7043 case DLT_IEEE802_11_RADIO_AVS:
7044 case DLT_IEEE802_11_RADIO:
7045 case DLT_PPI:
7046 return gen_wlanhostop(ebroadcast, Q_DST);
7047 case DLT_IP_OVER_FC:
7048 return gen_ipfchostop(ebroadcast, Q_DST);
7049 case DLT_SUNATM:
7050 if (is_lane) {
7051 /*
7052 * Check that the packet doesn't begin with an
7053 * LE Control marker. (We've already generated
7054 * a test for LANE.)
7055 */
7056 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7057 BPF_H, 0xFF00);
7058 gen_not(b1);
7059
7060 /*
7061 * Now check the MAC address.
7062 */
7063 b0 = gen_ehostop(ebroadcast, Q_DST);
7064 gen_and(b1, b0);
7065 return b0;
7066 }
7067 break;
7068 default:
7069 bpf_error("not a broadcast link");
7070 }
7071 break;
7072
7073 case Q_IP:
7074 b0 = gen_linktype(ETHERTYPE_IP);
7075 hostmask = ~netmask;
7076 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7077 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7078 (bpf_int32)(~0 & hostmask), hostmask);
7079 gen_or(b1, b2);
7080 gen_and(b0, b2);
7081 return b2;
7082 }
7083 bpf_error("only link-layer/IP broadcast filters supported");
7084 /* NOTREACHED */
7085 return NULL;
7086 }
7087
7088 /*
7089 * Generate code to test the low-order bit of a MAC address (that's
7090 * the bottom bit of the *first* byte).
7091 */
7092 static struct block *
7093 gen_mac_multicast(offset)
7094 int offset;
7095 {
7096 register struct block *b0;
7097 register struct slist *s;
7098
7099 /* link[offset] & 1 != 0 */
7100 s = gen_load_a(OR_LINK, offset, BPF_B);
7101 b0 = new_block(JMP(BPF_JSET));
7102 b0->s.k = 1;
7103 b0->stmts = s;
7104 return b0;
7105 }
7106
7107 struct block *
7108 gen_multicast(proto)
7109 int proto;
7110 {
7111 register struct block *b0, *b1, *b2;
7112 register struct slist *s;
7113
7114 switch (proto) {
7115
7116 case Q_DEFAULT:
7117 case Q_LINK:
7118 switch (linktype) {
7119 case DLT_ARCNET:
7120 case DLT_ARCNET_LINUX:
7121 /* all ARCnet multicasts use the same address */
7122 return gen_ahostop(abroadcast, Q_DST);
7123 case DLT_EN10MB:
7124 /* ether[0] & 1 != 0 */
7125 return gen_mac_multicast(0);
7126 case DLT_FDDI:
7127 /*
7128 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7129 *
7130 * XXX - was that referring to bit-order issues?
7131 */
7132 /* fddi[1] & 1 != 0 */
7133 return gen_mac_multicast(1);
7134 case DLT_IEEE802:
7135 /* tr[2] & 1 != 0 */
7136 return gen_mac_multicast(2);
7137 case DLT_IEEE802_11:
7138 case DLT_PRISM_HEADER:
7139 case DLT_IEEE802_11_RADIO_AVS:
7140 case DLT_IEEE802_11_RADIO:
7141 case DLT_PPI:
7142 /*
7143 * Oh, yuk.
7144 *
7145 * For control frames, there is no DA.
7146 *
7147 * For management frames, DA is at an
7148 * offset of 4 from the beginning of
7149 * the packet.
7150 *
7151 * For data frames, DA is at an offset
7152 * of 4 from the beginning of the packet
7153 * if To DS is clear and at an offset of
7154 * 16 from the beginning of the packet
7155 * if To DS is set.
7156 */
7157
7158 /*
7159 * Generate the tests to be done for data frames.
7160 *
7161 * First, check for To DS set, i.e. "link[1] & 0x01".
7162 */
7163 s = gen_load_a(OR_LINK, 1, BPF_B);
7164 b1 = new_block(JMP(BPF_JSET));
7165 b1->s.k = 0x01; /* To DS */
7166 b1->stmts = s;
7167
7168 /*
7169 * If To DS is set, the DA is at 16.
7170 */
7171 b0 = gen_mac_multicast(16);
7172 gen_and(b1, b0);
7173
7174 /*
7175 * Now, check for To DS not set, i.e. check
7176 * "!(link[1] & 0x01)".
7177 */
7178 s = gen_load_a(OR_LINK, 1, BPF_B);
7179 b2 = new_block(JMP(BPF_JSET));
7180 b2->s.k = 0x01; /* To DS */
7181 b2->stmts = s;
7182 gen_not(b2);
7183
7184 /*
7185 * If To DS is not set, the DA is at 4.
7186 */
7187 b1 = gen_mac_multicast(4);
7188 gen_and(b2, b1);
7189
7190 /*
7191 * Now OR together the last two checks. That gives
7192 * the complete set of checks for data frames.
7193 */
7194 gen_or(b1, b0);
7195
7196 /*
7197 * Now check for a data frame.
7198 * I.e, check "link[0] & 0x08".
7199 */
7200 s = gen_load_a(OR_LINK, 0, BPF_B);
7201 b1 = new_block(JMP(BPF_JSET));
7202 b1->s.k = 0x08;
7203 b1->stmts = s;
7204
7205 /*
7206 * AND that with the checks done for data frames.
7207 */
7208 gen_and(b1, b0);
7209
7210 /*
7211 * If the high-order bit of the type value is 0, this
7212 * is a management frame.
7213 * I.e, check "!(link[0] & 0x08)".
7214 */
7215 s = gen_load_a(OR_LINK, 0, BPF_B);
7216 b2 = new_block(JMP(BPF_JSET));
7217 b2->s.k = 0x08;
7218 b2->stmts = s;
7219 gen_not(b2);
7220
7221 /*
7222 * For management frames, the DA is at 4.
7223 */
7224 b1 = gen_mac_multicast(4);
7225 gen_and(b2, b1);
7226
7227 /*
7228 * OR that with the checks done for data frames.
7229 * That gives the checks done for management and
7230 * data frames.
7231 */
7232 gen_or(b1, b0);
7233
7234 /*
7235 * If the low-order bit of the type value is 1,
7236 * this is either a control frame or a frame
7237 * with a reserved type, and thus not a
7238 * frame with an SA.
7239 *
7240 * I.e., check "!(link[0] & 0x04)".
7241 */
7242 s = gen_load_a(OR_LINK, 0, BPF_B);
7243 b1 = new_block(JMP(BPF_JSET));
7244 b1->s.k = 0x04;
7245 b1->stmts = s;
7246 gen_not(b1);
7247
7248 /*
7249 * AND that with the checks for data and management
7250 * frames.
7251 */
7252 gen_and(b1, b0);
7253 return b0;
7254 case DLT_IP_OVER_FC:
7255 b0 = gen_mac_multicast(2);
7256 return b0;
7257 case DLT_SUNATM:
7258 if (is_lane) {
7259 /*
7260 * Check that the packet doesn't begin with an
7261 * LE Control marker. (We've already generated
7262 * a test for LANE.)
7263 */
7264 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7265 BPF_H, 0xFF00);
7266 gen_not(b1);
7267
7268 /* ether[off_mac] & 1 != 0 */
7269 b0 = gen_mac_multicast(off_mac);
7270 gen_and(b1, b0);
7271 return b0;
7272 }
7273 break;
7274 default:
7275 break;
7276 }
7277 /* Link not known to support multicasts */
7278 break;
7279
7280 case Q_IP:
7281 b0 = gen_linktype(ETHERTYPE_IP);
7282 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7283 gen_and(b0, b1);
7284 return b1;
7285
7286 #ifdef INET6
7287 case Q_IPV6:
7288 b0 = gen_linktype(ETHERTYPE_IPV6);
7289 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7290 gen_and(b0, b1);
7291 return b1;
7292 #endif /* INET6 */
7293 }
7294 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7295 /* NOTREACHED */
7296 return NULL;
7297 }
7298
7299 /*
7300 * generate command for inbound/outbound. It's here so we can
7301 * make it link-type specific. 'dir' = 0 implies "inbound",
7302 * = 1 implies "outbound".
7303 */
7304 struct block *
7305 gen_inbound(dir)
7306 int dir;
7307 {
7308 register struct block *b0;
7309
7310 /*
7311 * Only some data link types support inbound/outbound qualifiers.
7312 */
7313 switch (linktype) {
7314 case DLT_SLIP:
7315 b0 = gen_relation(BPF_JEQ,
7316 gen_load(Q_LINK, gen_loadi(0), 1),
7317 gen_loadi(0),
7318 dir);
7319 break;
7320
7321 case DLT_LINUX_SLL:
7322 if (dir) {
7323 /*
7324 * Match packets sent by this machine.
7325 */
7326 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7327 } else {
7328 /*
7329 * Match packets sent to this machine.
7330 * (No broadcast or multicast packets, or
7331 * packets sent to some other machine and
7332 * received promiscuously.)
7333 *
7334 * XXX - packets sent to other machines probably
7335 * shouldn't be matched, but what about broadcast
7336 * or multicast packets we received?
7337 */
7338 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
7339 }
7340 break;
7341
7342 #ifdef HAVE_NET_PFVAR_H
7343 case DLT_PFLOG:
7344 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7345 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7346 break;
7347 #endif
7348
7349 case DLT_PPP_PPPD:
7350 if (dir) {
7351 /* match outgoing packets */
7352 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7353 } else {
7354 /* match incoming packets */
7355 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7356 }
7357 break;
7358
7359 case DLT_JUNIPER_MFR:
7360 case DLT_JUNIPER_MLFR:
7361 case DLT_JUNIPER_MLPPP:
7362 case DLT_JUNIPER_ATM1:
7363 case DLT_JUNIPER_ATM2:
7364 case DLT_JUNIPER_PPPOE:
7365 case DLT_JUNIPER_PPPOE_ATM:
7366 case DLT_JUNIPER_GGSN:
7367 case DLT_JUNIPER_ES:
7368 case DLT_JUNIPER_MONITOR:
7369 case DLT_JUNIPER_SERVICES:
7370 case DLT_JUNIPER_ETHER:
7371 case DLT_JUNIPER_PPP:
7372 case DLT_JUNIPER_FRELAY:
7373 case DLT_JUNIPER_CHDLC:
7374 case DLT_JUNIPER_VP:
7375 case DLT_JUNIPER_ST:
7376 case DLT_JUNIPER_ISM:
7377 /* juniper flags (including direction) are stored
7378 * the byte after the 3-byte magic number */
7379 if (dir) {
7380 /* match outgoing packets */
7381 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7382 } else {
7383 /* match incoming packets */
7384 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7385 }
7386 break;
7387
7388 default:
7389 bpf_error("inbound/outbound not supported on linktype %d",
7390 linktype);
7391 b0 = NULL;
7392 /* NOTREACHED */
7393 }
7394 return (b0);
7395 }
7396
7397 #ifdef HAVE_NET_PFVAR_H
7398 /* PF firewall log matched interface */
7399 struct block *
7400 gen_pf_ifname(const char *ifname)
7401 {
7402 struct block *b0;
7403 u_int len, off;
7404
7405 if (linktype != DLT_PFLOG) {
7406 bpf_error("ifname supported only on PF linktype");
7407 /* NOTREACHED */
7408 }
7409 len = sizeof(((struct pfloghdr *)0)->ifname);
7410 off = offsetof(struct pfloghdr, ifname);
7411 if (strlen(ifname) >= len) {
7412 bpf_error("ifname interface names can only be %d characters",
7413 len-1);
7414 /* NOTREACHED */
7415 }
7416 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7417 return (b0);
7418 }
7419
7420 /* PF firewall log ruleset name */
7421 struct block *
7422 gen_pf_ruleset(char *ruleset)
7423 {
7424 struct block *b0;
7425
7426 if (linktype != DLT_PFLOG) {
7427 bpf_error("ruleset supported only on PF linktype");
7428 /* NOTREACHED */
7429 }
7430
7431 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7432 bpf_error("ruleset names can only be %ld characters",
7433 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7434 /* NOTREACHED */
7435 }
7436
7437 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7438 strlen(ruleset), (const u_char *)ruleset);
7439 return (b0);
7440 }
7441
7442 /* PF firewall log rule number */
7443 struct block *
7444 gen_pf_rnr(int rnr)
7445 {
7446 struct block *b0;
7447
7448 if (linktype != DLT_PFLOG) {
7449 bpf_error("rnr supported only on PF linktype");
7450 /* NOTREACHED */
7451 }
7452
7453 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7454 (bpf_int32)rnr);
7455 return (b0);
7456 }
7457
7458 /* PF firewall log sub-rule number */
7459 struct block *
7460 gen_pf_srnr(int srnr)
7461 {
7462 struct block *b0;
7463
7464 if (linktype != DLT_PFLOG) {
7465 bpf_error("srnr supported only on PF linktype");
7466 /* NOTREACHED */
7467 }
7468
7469 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7470 (bpf_int32)srnr);
7471 return (b0);
7472 }
7473
7474 /* PF firewall log reason code */
7475 struct block *
7476 gen_pf_reason(int reason)
7477 {
7478 struct block *b0;
7479
7480 if (linktype != DLT_PFLOG) {
7481 bpf_error("reason supported only on PF linktype");
7482 /* NOTREACHED */
7483 }
7484
7485 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7486 (bpf_int32)reason);
7487 return (b0);
7488 }
7489
7490 /* PF firewall log action */
7491 struct block *
7492 gen_pf_action(int action)
7493 {
7494 struct block *b0;
7495
7496 if (linktype != DLT_PFLOG) {
7497 bpf_error("action supported only on PF linktype");
7498 /* NOTREACHED */
7499 }
7500
7501 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7502 (bpf_int32)action);
7503 return (b0);
7504 }
7505 #else /* !HAVE_NET_PFVAR_H */
7506 struct block *
7507 gen_pf_ifname(const char *ifname)
7508 {
7509 bpf_error("libpcap was compiled without pf support");
7510 /* NOTREACHED */
7511 return (NULL);
7512 }
7513
7514 struct block *
7515 gen_pf_ruleset(char *ruleset)
7516 {
7517 bpf_error("libpcap was compiled on a machine without pf support");
7518 /* NOTREACHED */
7519 return (NULL);
7520 }
7521
7522 struct block *
7523 gen_pf_rnr(int rnr)
7524 {
7525 bpf_error("libpcap was compiled on a machine without pf support");
7526 /* NOTREACHED */
7527 return (NULL);
7528 }
7529
7530 struct block *
7531 gen_pf_srnr(int srnr)
7532 {
7533 bpf_error("libpcap was compiled on a machine without pf support");
7534 /* NOTREACHED */
7535 return (NULL);
7536 }
7537
7538 struct block *
7539 gen_pf_reason(int reason)
7540 {
7541 bpf_error("libpcap was compiled on a machine without pf support");
7542 /* NOTREACHED */
7543 return (NULL);
7544 }
7545
7546 struct block *
7547 gen_pf_action(int action)
7548 {
7549 bpf_error("libpcap was compiled on a machine without pf support");
7550 /* NOTREACHED */
7551 return (NULL);
7552 }
7553 #endif /* HAVE_NET_PFVAR_H */
7554
7555 /* IEEE 802.11 wireless header */
7556 struct block *
7557 gen_p80211_type(int type, int mask)
7558 {
7559 struct block *b0;
7560
7561 switch (linktype) {
7562
7563 case DLT_IEEE802_11:
7564 case DLT_PRISM_HEADER:
7565 case DLT_IEEE802_11_RADIO_AVS:
7566 case DLT_IEEE802_11_RADIO:
7567 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7568 (bpf_int32)mask);
7569 break;
7570
7571 default:
7572 bpf_error("802.11 link-layer types supported only on 802.11");
7573 /* NOTREACHED */
7574 }
7575
7576 return (b0);
7577 }
7578
7579 struct block *
7580 gen_p80211_fcdir(int fcdir)
7581 {
7582 struct block *b0;
7583
7584 switch (linktype) {
7585
7586 case DLT_IEEE802_11:
7587 case DLT_PRISM_HEADER:
7588 case DLT_IEEE802_11_RADIO_AVS:
7589 case DLT_IEEE802_11_RADIO:
7590 break;
7591
7592 default:
7593 bpf_error("frame direction supported only with 802.11 headers");
7594 /* NOTREACHED */
7595 }
7596
7597 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7598 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7599
7600 return (b0);
7601 }
7602
7603 struct block *
7604 gen_acode(eaddr, q)
7605 register const u_char *eaddr;
7606 struct qual q;
7607 {
7608 switch (linktype) {
7609
7610 case DLT_ARCNET:
7611 case DLT_ARCNET_LINUX:
7612 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7613 q.proto == Q_LINK)
7614 return (gen_ahostop(eaddr, (int)q.dir));
7615 else {
7616 bpf_error("ARCnet address used in non-arc expression");
7617 /* NOTREACHED */
7618 }
7619 break;
7620
7621 default:
7622 bpf_error("aid supported only on ARCnet");
7623 /* NOTREACHED */
7624 }
7625 bpf_error("ARCnet address used in non-arc expression");
7626 /* NOTREACHED */
7627 return NULL;
7628 }
7629
7630 static struct block *
7631 gen_ahostop(eaddr, dir)
7632 register const u_char *eaddr;
7633 register int dir;
7634 {
7635 register struct block *b0, *b1;
7636
7637 switch (dir) {
7638 /* src comes first, different from Ethernet */
7639 case Q_SRC:
7640 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7641
7642 case Q_DST:
7643 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7644
7645 case Q_AND:
7646 b0 = gen_ahostop(eaddr, Q_SRC);
7647 b1 = gen_ahostop(eaddr, Q_DST);
7648 gen_and(b0, b1);
7649 return b1;
7650
7651 case Q_DEFAULT:
7652 case Q_OR:
7653 b0 = gen_ahostop(eaddr, Q_SRC);
7654 b1 = gen_ahostop(eaddr, Q_DST);
7655 gen_or(b0, b1);
7656 return b1;
7657 }
7658 abort();
7659 /* NOTREACHED */
7660 }
7661
7662 /*
7663 * support IEEE 802.1Q VLAN trunk over ethernet
7664 */
7665 struct block *
7666 gen_vlan(vlan_num)
7667 int vlan_num;
7668 {
7669 struct block *b0, *b1;
7670
7671 /* can't check for VLAN-encapsulated packets inside MPLS */
7672 if (label_stack_depth > 0)
7673 bpf_error("no VLAN match after MPLS");
7674
7675 /*
7676 * Check for a VLAN packet, and then change the offsets to point
7677 * to the type and data fields within the VLAN packet. Just
7678 * increment the offsets, so that we can support a hierarchy, e.g.
7679 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7680 * VLAN 100.
7681 *
7682 * XXX - this is a bit of a kludge. If we were to split the
7683 * compiler into a parser that parses an expression and
7684 * generates an expression tree, and a code generator that
7685 * takes an expression tree (which could come from our
7686 * parser or from some other parser) and generates BPF code,
7687 * we could perhaps make the offsets parameters of routines
7688 * and, in the handler for an "AND" node, pass to subnodes
7689 * other than the VLAN node the adjusted offsets.
7690 *
7691 * This would mean that "vlan" would, instead of changing the
7692 * behavior of *all* tests after it, change only the behavior
7693 * of tests ANDed with it. That would change the documented
7694 * semantics of "vlan", which might break some expressions.
7695 * However, it would mean that "(vlan and ip) or ip" would check
7696 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7697 * checking only for VLAN-encapsulated IP, so that could still
7698 * be considered worth doing; it wouldn't break expressions
7699 * that are of the form "vlan and ..." or "vlan N and ...",
7700 * which I suspect are the most common expressions involving
7701 * "vlan". "vlan or ..." doesn't necessarily do what the user
7702 * would really want, now, as all the "or ..." tests would
7703 * be done assuming a VLAN, even though the "or" could be viewed
7704 * as meaning "or, if this isn't a VLAN packet...".
7705 */
7706 orig_nl = off_nl;
7707
7708 switch (linktype) {
7709
7710 case DLT_EN10MB:
7711 /* check for VLAN */
7712 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7713 (bpf_int32)ETHERTYPE_8021Q);
7714
7715 /* If a specific VLAN is requested, check VLAN id */
7716 if (vlan_num >= 0) {
7717 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7718 (bpf_int32)vlan_num, 0x0fff);
7719 gen_and(b0, b1);
7720 b0 = b1;
7721 }
7722
7723 off_macpl += 4;
7724 off_linktype += 4;
7725 #if 0
7726 off_nl_nosnap += 4;
7727 off_nl += 4;
7728 #endif
7729 break;
7730
7731 default:
7732 bpf_error("no VLAN support for data link type %d",
7733 linktype);
7734 /*NOTREACHED*/
7735 }
7736
7737 return (b0);
7738 }
7739
7740 /*
7741 * support for MPLS
7742 */
7743 struct block *
7744 gen_mpls(label_num)
7745 int label_num;
7746 {
7747 struct block *b0,*b1;
7748
7749 /*
7750 * Change the offsets to point to the type and data fields within
7751 * the MPLS packet. Just increment the offsets, so that we
7752 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7753 * capture packets with an outer label of 100000 and an inner
7754 * label of 1024.
7755 *
7756 * XXX - this is a bit of a kludge. See comments in gen_vlan().
7757 */
7758 orig_nl = off_nl;
7759
7760 if (label_stack_depth > 0) {
7761 /* just match the bottom-of-stack bit clear */
7762 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
7763 } else {
7764 /*
7765 * Indicate that we're checking MPLS-encapsulated headers,
7766 * to make sure higher level code generators don't try to
7767 * match against IP-related protocols such as Q_ARP, Q_RARP
7768 * etc.
7769 */
7770 switch (linktype) {
7771
7772 case DLT_C_HDLC: /* fall through */
7773 case DLT_EN10MB:
7774 b0 = gen_linktype(ETHERTYPE_MPLS);
7775 break;
7776
7777 case DLT_PPP:
7778 b0 = gen_linktype(PPP_MPLS_UCAST);
7779 break;
7780
7781 /* FIXME add other DLT_s ...
7782 * for Frame-Relay/and ATM this may get messy due to SNAP headers
7783 * leave it for now */
7784
7785 default:
7786 bpf_error("no MPLS support for data link type %d",
7787 linktype);
7788 b0 = NULL;
7789 /*NOTREACHED*/
7790 break;
7791 }
7792 }
7793
7794 /* If a specific MPLS label is requested, check it */
7795 if (label_num >= 0) {
7796 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
7797 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
7798 0xfffff000); /* only compare the first 20 bits */
7799 gen_and(b0, b1);
7800 b0 = b1;
7801 }
7802
7803 off_nl_nosnap += 4;
7804 off_nl += 4;
7805 label_stack_depth++;
7806 return (b0);
7807 }
7808
7809 /*
7810 * Support PPPOE discovery and session.
7811 */
7812 struct block *
7813 gen_pppoed()
7814 {
7815 /* check for PPPoE discovery */
7816 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
7817 }
7818
7819 struct block *
7820 gen_pppoes()
7821 {
7822 struct block *b0;
7823
7824 /*
7825 * Test against the PPPoE session link-layer type.
7826 */
7827 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
7828
7829 /*
7830 * Change the offsets to point to the type and data fields within
7831 * the PPP packet, and note that this is PPPoE rather than
7832 * raw PPP.
7833 *
7834 * XXX - this is a bit of a kludge. If we were to split the
7835 * compiler into a parser that parses an expression and
7836 * generates an expression tree, and a code generator that
7837 * takes an expression tree (which could come from our
7838 * parser or from some other parser) and generates BPF code,
7839 * we could perhaps make the offsets parameters of routines
7840 * and, in the handler for an "AND" node, pass to subnodes
7841 * other than the PPPoE node the adjusted offsets.
7842 *
7843 * This would mean that "pppoes" would, instead of changing the
7844 * behavior of *all* tests after it, change only the behavior
7845 * of tests ANDed with it. That would change the documented
7846 * semantics of "pppoes", which might break some expressions.
7847 * However, it would mean that "(pppoes and ip) or ip" would check
7848 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7849 * checking only for VLAN-encapsulated IP, so that could still
7850 * be considered worth doing; it wouldn't break expressions
7851 * that are of the form "pppoes and ..." which I suspect are the
7852 * most common expressions involving "pppoes". "pppoes or ..."
7853 * doesn't necessarily do what the user would really want, now,
7854 * as all the "or ..." tests would be done assuming PPPoE, even
7855 * though the "or" could be viewed as meaning "or, if this isn't
7856 * a PPPoE packet...".
7857 */
7858 orig_linktype = off_linktype; /* save original values */
7859 orig_nl = off_nl;
7860 is_pppoes = 1;
7861
7862 /*
7863 * The "network-layer" protocol is PPPoE, which has a 6-byte
7864 * PPPoE header, followed by a PPP packet.
7865 *
7866 * There is no HDLC encapsulation for the PPP packet (it's
7867 * encapsulated in PPPoES instead), so the link-layer type
7868 * starts at the first byte of the PPP packet. For PPPoE,
7869 * that offset is relative to the beginning of the total
7870 * link-layer payload, including any 802.2 LLC header, so
7871 * it's 6 bytes past off_nl.
7872 */
7873 off_linktype = off_nl + 6;
7874
7875 /*
7876 * The network-layer offsets are relative to the beginning
7877 * of the MAC-layer payload; that's past the 6-byte
7878 * PPPoE header and the 2-byte PPP header.
7879 */
7880 off_nl = 6+2;
7881 off_nl_nosnap = 6+2;
7882
7883 return b0;
7884 }
7885
7886 struct block *
7887 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
7888 int atmfield;
7889 bpf_int32 jvalue;
7890 bpf_u_int32 jtype;
7891 int reverse;
7892 {
7893 struct block *b0;
7894
7895 switch (atmfield) {
7896
7897 case A_VPI:
7898 if (!is_atm)
7899 bpf_error("'vpi' supported only on raw ATM");
7900 if (off_vpi == (u_int)-1)
7901 abort();
7902 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
7903 reverse, jvalue);
7904 break;
7905
7906 case A_VCI:
7907 if (!is_atm)
7908 bpf_error("'vci' supported only on raw ATM");
7909 if (off_vci == (u_int)-1)
7910 abort();
7911 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
7912 reverse, jvalue);
7913 break;
7914
7915 case A_PROTOTYPE:
7916 if (off_proto == (u_int)-1)
7917 abort(); /* XXX - this isn't on FreeBSD */
7918 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
7919 reverse, jvalue);
7920 break;
7921
7922 case A_MSGTYPE:
7923 if (off_payload == (u_int)-1)
7924 abort();
7925 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
7926 0xffffffff, jtype, reverse, jvalue);
7927 break;
7928
7929 case A_CALLREFTYPE:
7930 if (!is_atm)
7931 bpf_error("'callref' supported only on raw ATM");
7932 if (off_proto == (u_int)-1)
7933 abort();
7934 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
7935 jtype, reverse, jvalue);
7936 break;
7937
7938 default:
7939 abort();
7940 }
7941 return b0;
7942 }
7943
7944 struct block *
7945 gen_atmtype_abbrev(type)
7946 int type;
7947 {
7948 struct block *b0, *b1;
7949
7950 switch (type) {
7951
7952 case A_METAC:
7953 /* Get all packets in Meta signalling Circuit */
7954 if (!is_atm)
7955 bpf_error("'metac' supported only on raw ATM");
7956 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7957 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
7958 gen_and(b0, b1);
7959 break;
7960
7961 case A_BCC:
7962 /* Get all packets in Broadcast Circuit*/
7963 if (!is_atm)
7964 bpf_error("'bcc' supported only on raw ATM");
7965 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7966 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
7967 gen_and(b0, b1);
7968 break;
7969
7970 case A_OAMF4SC:
7971 /* Get all cells in Segment OAM F4 circuit*/
7972 if (!is_atm)
7973 bpf_error("'oam4sc' supported only on raw ATM");
7974 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7975 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7976 gen_and(b0, b1);
7977 break;
7978
7979 case A_OAMF4EC:
7980 /* Get all cells in End-to-End OAM F4 Circuit*/
7981 if (!is_atm)
7982 bpf_error("'oam4ec' supported only on raw ATM");
7983 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7984 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7985 gen_and(b0, b1);
7986 break;
7987
7988 case A_SC:
7989 /* Get all packets in connection Signalling Circuit */
7990 if (!is_atm)
7991 bpf_error("'sc' supported only on raw ATM");
7992 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7993 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
7994 gen_and(b0, b1);
7995 break;
7996
7997 case A_ILMIC:
7998 /* Get all packets in ILMI Circuit */
7999 if (!is_atm)
8000 bpf_error("'ilmic' supported only on raw ATM");
8001 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8002 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8003 gen_and(b0, b1);
8004 break;
8005
8006 case A_LANE:
8007 /* Get all LANE packets */
8008 if (!is_atm)
8009 bpf_error("'lane' supported only on raw ATM");
8010 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8011
8012 /*
8013 * Arrange that all subsequent tests assume LANE
8014 * rather than LLC-encapsulated packets, and set
8015 * the offsets appropriately for LANE-encapsulated
8016 * Ethernet.
8017 *
8018 * "off_mac" is the offset of the Ethernet header,
8019 * which is 2 bytes past the ATM pseudo-header
8020 * (skipping the pseudo-header and 2-byte LE Client
8021 * field). The other offsets are Ethernet offsets
8022 * relative to "off_mac".
8023 */
8024 is_lane = 1;
8025 off_mac = off_payload + 2; /* MAC header */
8026 off_linktype = off_mac + 12;
8027 off_macpl = off_mac + 14; /* Ethernet */
8028 off_nl = 0; /* Ethernet II */
8029 off_nl_nosnap = 3; /* 802.3+802.2 */
8030 break;
8031
8032 case A_LLC:
8033 /* Get all LLC-encapsulated packets */
8034 if (!is_atm)
8035 bpf_error("'llc' supported only on raw ATM");
8036 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8037 is_lane = 0;
8038 break;
8039
8040 default:
8041 abort();
8042 }
8043 return b1;
8044 }
8045
8046 /*
8047 * Filtering for MTP2 messages based on li value
8048 * FISU, length is null
8049 * LSSU, length is 1 or 2
8050 * MSU, length is 3 or more
8051 */
8052 struct block *
8053 gen_mtp2type_abbrev(type)
8054 int type;
8055 {
8056 struct block *b0, *b1;
8057
8058 switch (type) {
8059
8060 case M_FISU:
8061 if ( (linktype != DLT_MTP2) &&
8062 (linktype != DLT_ERF) &&
8063 (linktype != DLT_MTP2_WITH_PHDR) )
8064 bpf_error("'fisu' supported only on MTP2");
8065 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8066 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8067 break;
8068
8069 case M_LSSU:
8070 if ( (linktype != DLT_MTP2) &&
8071 (linktype != DLT_ERF) &&
8072 (linktype != DLT_MTP2_WITH_PHDR) )
8073 bpf_error("'lssu' supported only on MTP2");
8074 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8075 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8076 gen_and(b1, b0);
8077 break;
8078
8079 case M_MSU:
8080 if ( (linktype != DLT_MTP2) &&
8081 (linktype != DLT_ERF) &&
8082 (linktype != DLT_MTP2_WITH_PHDR) )
8083 bpf_error("'msu' supported only on MTP2");
8084 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8085 break;
8086
8087 default:
8088 abort();
8089 }
8090 return b0;
8091 }
8092
8093 struct block *
8094 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8095 int mtp3field;
8096 bpf_u_int32 jvalue;
8097 bpf_u_int32 jtype;
8098 int reverse;
8099 {
8100 struct block *b0;
8101 bpf_u_int32 val1 , val2 , val3;
8102
8103 switch (mtp3field) {
8104
8105 case M_SIO:
8106 if (off_sio == (u_int)-1)
8107 bpf_error("'sio' supported only on SS7");
8108 /* sio coded on 1 byte so max value 255 */
8109 if(jvalue > 255)
8110 bpf_error("sio value %u too big; max value = 255",
8111 jvalue);
8112 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8113 (u_int)jtype, reverse, (u_int)jvalue);
8114 break;
8115
8116 case M_OPC:
8117 if (off_opc == (u_int)-1)
8118 bpf_error("'opc' supported only on SS7");
8119 /* opc coded on 14 bits so max value 16383 */
8120 if (jvalue > 16383)
8121 bpf_error("opc value %u too big; max value = 16383",
8122 jvalue);
8123 /* the following instructions are made to convert jvalue
8124 * to the form used to write opc in an ss7 message*/
8125 val1 = jvalue & 0x00003c00;
8126 val1 = val1 >>10;
8127 val2 = jvalue & 0x000003fc;
8128 val2 = val2 <<6;
8129 val3 = jvalue & 0x00000003;
8130 val3 = val3 <<22;
8131 jvalue = val1 + val2 + val3;
8132 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8133 (u_int)jtype, reverse, (u_int)jvalue);
8134 break;
8135
8136 case M_DPC:
8137 if (off_dpc == (u_int)-1)
8138 bpf_error("'dpc' supported only on SS7");
8139 /* dpc coded on 14 bits so max value 16383 */
8140 if (jvalue > 16383)
8141 bpf_error("dpc value %u too big; max value = 16383",
8142 jvalue);
8143 /* the following instructions are made to convert jvalue
8144 * to the forme used to write dpc in an ss7 message*/
8145 val1 = jvalue & 0x000000ff;
8146 val1 = val1 << 24;
8147 val2 = jvalue & 0x00003f00;
8148 val2 = val2 << 8;
8149 jvalue = val1 + val2;
8150 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8151 (u_int)jtype, reverse, (u_int)jvalue);
8152 break;
8153
8154 case M_SLS:
8155 if (off_sls == (u_int)-1)
8156 bpf_error("'sls' supported only on SS7");
8157 /* sls coded on 4 bits so max value 15 */
8158 if (jvalue > 15)
8159 bpf_error("sls value %u too big; max value = 15",
8160 jvalue);
8161 /* the following instruction is made to convert jvalue
8162 * to the forme used to write sls in an ss7 message*/
8163 jvalue = jvalue << 4;
8164 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8165 (u_int)jtype,reverse, (u_int)jvalue);
8166 break;
8167
8168 default:
8169 abort();
8170 }
8171 return b0;
8172 }
8173
8174 static struct block *
8175 gen_msg_abbrev(type)
8176 int type;
8177 {
8178 struct block *b1;
8179
8180 /*
8181 * Q.2931 signalling protocol messages for handling virtual circuits
8182 * establishment and teardown
8183 */
8184 switch (type) {
8185
8186 case A_SETUP:
8187 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8188 break;
8189
8190 case A_CALLPROCEED:
8191 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8192 break;
8193
8194 case A_CONNECT:
8195 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8196 break;
8197
8198 case A_CONNECTACK:
8199 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8200 break;
8201
8202 case A_RELEASE:
8203 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8204 break;
8205
8206 case A_RELEASE_DONE:
8207 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8208 break;
8209
8210 default:
8211 abort();
8212 }
8213 return b1;
8214 }
8215
8216 struct block *
8217 gen_atmmulti_abbrev(type)
8218 int type;
8219 {
8220 struct block *b0, *b1;
8221
8222 switch (type) {
8223
8224 case A_OAM:
8225 if (!is_atm)
8226 bpf_error("'oam' supported only on raw ATM");
8227 b1 = gen_atmmulti_abbrev(A_OAMF4);
8228 break;
8229
8230 case A_OAMF4:
8231 if (!is_atm)
8232 bpf_error("'oamf4' supported only on raw ATM");
8233 /* OAM F4 type */
8234 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8235 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8236 gen_or(b0, b1);
8237 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8238 gen_and(b0, b1);
8239 break;
8240
8241 case A_CONNECTMSG:
8242 /*
8243 * Get Q.2931 signalling messages for switched
8244 * virtual connection
8245 */
8246 if (!is_atm)
8247 bpf_error("'connectmsg' supported only on raw ATM");
8248 b0 = gen_msg_abbrev(A_SETUP);
8249 b1 = gen_msg_abbrev(A_CALLPROCEED);
8250 gen_or(b0, b1);
8251 b0 = gen_msg_abbrev(A_CONNECT);
8252 gen_or(b0, b1);
8253 b0 = gen_msg_abbrev(A_CONNECTACK);
8254 gen_or(b0, b1);
8255 b0 = gen_msg_abbrev(A_RELEASE);
8256 gen_or(b0, b1);
8257 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8258 gen_or(b0, b1);
8259 b0 = gen_atmtype_abbrev(A_SC);
8260 gen_and(b0, b1);
8261 break;
8262
8263 case A_METACONNECT:
8264 if (!is_atm)
8265 bpf_error("'metaconnect' supported only on raw ATM");
8266 b0 = gen_msg_abbrev(A_SETUP);
8267 b1 = gen_msg_abbrev(A_CALLPROCEED);
8268 gen_or(b0, b1);
8269 b0 = gen_msg_abbrev(A_CONNECT);
8270 gen_or(b0, b1);
8271 b0 = gen_msg_abbrev(A_RELEASE);
8272 gen_or(b0, b1);
8273 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8274 gen_or(b0, b1);
8275 b0 = gen_atmtype_abbrev(A_METAC);
8276 gen_and(b0, b1);
8277 break;
8278
8279 default:
8280 abort();
8281 }
8282 return b1;
8283 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism