]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Declare "bpf_error()" as "__attribute__((noreturn))" to squelch some
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.4 2005-04-18 22:40:14 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52
53 #endif /* WIN32 */
54
55 #include <stdlib.h>
56 #include <string.h>
57 #include <memory.h>
58 #include <setjmp.h>
59 #include <stdarg.h>
60
61 #ifdef MSDOS
62 #include "pcap-dos.h"
63 #endif
64
65 #include "pcap-int.h"
66
67 #include "ethertype.h"
68 #include "nlpid.h"
69 #include "llc.h"
70 #include "gencode.h"
71 #include "atmuni31.h"
72 #include "sunatmpos.h"
73 #include "ppp.h"
74 #include "sll.h"
75 #include "arcnet.h"
76 #include "pf.h"
77 #ifndef offsetof
78 #define offsetof(s, e) ((size_t)&((s *)0)->e)
79 #endif
80 #ifdef INET6
81 #ifndef WIN32
82 #include <netdb.h> /* for "struct addrinfo" */
83 #endif /* WIN32 */
84 #endif /*INET6*/
85 #include <pcap-namedb.h>
86
87 #define ETHERMTU 1500
88
89 #ifndef IPPROTO_SCTP
90 #define IPPROTO_SCTP 132
91 #endif
92
93 #ifdef HAVE_OS_PROTO_H
94 #include "os-proto.h"
95 #endif
96
97 #define JMP(c) ((c)|BPF_JMP|BPF_K)
98
99 /* Locals */
100 static jmp_buf top_ctx;
101 static pcap_t *bpf_pcap;
102
103 /* Hack for updating VLAN, MPLS offsets. */
104 static u_int orig_linktype = -1U, orig_nl = -1U, orig_nl_nosnap = -1U;
105
106 /* XXX */
107 #ifdef PCAP_FDDIPAD
108 static int pcap_fddipad;
109 #endif
110
111 void bpf_error(const char *fmt, ...) __attribute__((noreturn));
112
113 /* VARARGS */
114 void
115 bpf_error(const char *fmt, ...)
116 {
117 va_list ap;
118
119 va_start(ap, fmt);
120 if (bpf_pcap != NULL)
121 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
122 fmt, ap);
123 va_end(ap);
124 longjmp(top_ctx, 1);
125 /* NOTREACHED */
126 }
127
128 static void init_linktype(pcap_t *);
129
130 static int alloc_reg(void);
131 static void free_reg(int);
132
133 static struct block *root;
134
135 /*
136 * We divy out chunks of memory rather than call malloc each time so
137 * we don't have to worry about leaking memory. It's probably
138 * not a big deal if all this memory was wasted but if this ever
139 * goes into a library that would probably not be a good idea.
140 *
141 * XXX - this *is* in a library....
142 */
143 #define NCHUNKS 16
144 #define CHUNK0SIZE 1024
145 struct chunk {
146 u_int n_left;
147 void *m;
148 };
149
150 static struct chunk chunks[NCHUNKS];
151 static int cur_chunk;
152
153 static void *newchunk(u_int);
154 static void freechunks(void);
155 static inline struct block *new_block(int);
156 static inline struct slist *new_stmt(int);
157 static struct block *gen_retblk(int);
158 static inline void syntax(void);
159
160 static void backpatch(struct block *, struct block *);
161 static void merge(struct block *, struct block *);
162 static struct block *gen_cmp(u_int, u_int, bpf_int32);
163 static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
164 static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
165 static struct block *gen_bcmp(u_int, u_int, const u_char *);
166 static struct block *gen_ncmp(bpf_u_int32, bpf_u_int32, bpf_u_int32,
167 bpf_u_int32, bpf_u_int32, int);
168 static struct block *gen_uncond(int);
169 static inline struct block *gen_true(void);
170 static inline struct block *gen_false(void);
171 static struct block *gen_ether_linktype(int);
172 static struct block *gen_linux_sll_linktype(int);
173 static struct block *gen_linktype(int);
174 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
175 static struct block *gen_llc_linktype(int);
176 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
177 #ifdef INET6
178 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
179 #endif
180 static struct block *gen_ahostop(const u_char *, int);
181 static struct block *gen_ehostop(const u_char *, int);
182 static struct block *gen_fhostop(const u_char *, int);
183 static struct block *gen_thostop(const u_char *, int);
184 static struct block *gen_wlanhostop(const u_char *, int);
185 static struct block *gen_ipfchostop(const u_char *, int);
186 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
187 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
188 #ifdef INET6
189 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
190 #endif
191 #ifndef INET6
192 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
193 #endif
194 static struct block *gen_ipfrag(void);
195 static struct block *gen_portatom(int, bpf_int32);
196 #ifdef INET6
197 static struct block *gen_portatom6(int, bpf_int32);
198 #endif
199 struct block *gen_portop(int, int, int);
200 static struct block *gen_port(int, int, int);
201 #ifdef INET6
202 struct block *gen_portop6(int, int, int);
203 static struct block *gen_port6(int, int, int);
204 #endif
205 static int lookup_proto(const char *, int);
206 static struct block *gen_protochain(int, int, int);
207 static struct block *gen_proto(int, int, int);
208 static struct slist *xfer_to_x(struct arth *);
209 static struct slist *xfer_to_a(struct arth *);
210 static struct block *gen_mac_multicast(int);
211 static struct block *gen_len(int, int);
212
213 static struct block *gen_msg_abbrev(int type);
214
215 static void *
216 newchunk(n)
217 u_int n;
218 {
219 struct chunk *cp;
220 int k;
221 size_t size;
222
223 #ifndef __NetBSD__
224 /* XXX Round up to nearest long. */
225 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
226 #else
227 /* XXX Round up to structure boundary. */
228 n = ALIGN(n);
229 #endif
230
231 cp = &chunks[cur_chunk];
232 if (n > cp->n_left) {
233 ++cp, k = ++cur_chunk;
234 if (k >= NCHUNKS)
235 bpf_error("out of memory");
236 size = CHUNK0SIZE << k;
237 cp->m = (void *)malloc(size);
238 if (cp->m == NULL)
239 bpf_error("out of memory");
240 memset((char *)cp->m, 0, size);
241 cp->n_left = size;
242 if (n > size)
243 bpf_error("out of memory");
244 }
245 cp->n_left -= n;
246 return (void *)((char *)cp->m + cp->n_left);
247 }
248
249 static void
250 freechunks()
251 {
252 int i;
253
254 cur_chunk = 0;
255 for (i = 0; i < NCHUNKS; ++i)
256 if (chunks[i].m != NULL) {
257 free(chunks[i].m);
258 chunks[i].m = NULL;
259 }
260 }
261
262 /*
263 * A strdup whose allocations are freed after code generation is over.
264 */
265 char *
266 sdup(s)
267 register const char *s;
268 {
269 int n = strlen(s) + 1;
270 char *cp = newchunk(n);
271
272 strlcpy(cp, s, n);
273 return (cp);
274 }
275
276 static inline struct block *
277 new_block(code)
278 int code;
279 {
280 struct block *p;
281
282 p = (struct block *)newchunk(sizeof(*p));
283 p->s.code = code;
284 p->head = p;
285
286 return p;
287 }
288
289 static inline struct slist *
290 new_stmt(code)
291 int code;
292 {
293 struct slist *p;
294
295 p = (struct slist *)newchunk(sizeof(*p));
296 p->s.code = code;
297
298 return p;
299 }
300
301 static struct block *
302 gen_retblk(v)
303 int v;
304 {
305 struct block *b = new_block(BPF_RET|BPF_K);
306
307 b->s.k = v;
308 return b;
309 }
310
311 static inline void
312 syntax()
313 {
314 bpf_error("syntax error in filter expression");
315 }
316
317 static bpf_u_int32 netmask;
318 static int snaplen;
319 int no_optimize;
320
321 int
322 pcap_compile(pcap_t *p, struct bpf_program *program,
323 char *buf, int optimize, bpf_u_int32 mask)
324 {
325 extern int n_errors;
326 int len;
327
328 no_optimize = 0;
329 n_errors = 0;
330 root = NULL;
331 bpf_pcap = p;
332 if (setjmp(top_ctx)) {
333 lex_cleanup();
334 freechunks();
335 return (-1);
336 }
337
338 netmask = mask;
339
340 snaplen = pcap_snapshot(p);
341 if (snaplen == 0) {
342 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
343 "snaplen of 0 rejects all packets");
344 return -1;
345 }
346
347 lex_init(buf ? buf : "");
348 init_linktype(p);
349 (void)pcap_parse();
350
351 if (n_errors)
352 syntax();
353
354 if (root == NULL)
355 root = gen_retblk(snaplen);
356
357 if (optimize && !no_optimize) {
358 bpf_optimize(&root);
359 if (root == NULL ||
360 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
361 bpf_error("expression rejects all packets");
362 }
363 program->bf_insns = icode_to_fcode(root, &len);
364 program->bf_len = len;
365
366 lex_cleanup();
367 freechunks();
368 return (0);
369 }
370
371 /*
372 * entry point for using the compiler with no pcap open
373 * pass in all the stuff that is needed explicitly instead.
374 */
375 int
376 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
377 struct bpf_program *program,
378 char *buf, int optimize, bpf_u_int32 mask)
379 {
380 pcap_t *p;
381 int ret;
382
383 p = pcap_open_dead(linktype_arg, snaplen_arg);
384 if (p == NULL)
385 return (-1);
386 ret = pcap_compile(p, program, buf, optimize, mask);
387 pcap_close(p);
388 return (ret);
389 }
390
391 /*
392 * Clean up a "struct bpf_program" by freeing all the memory allocated
393 * in it.
394 */
395 void
396 pcap_freecode(struct bpf_program *program)
397 {
398 program->bf_len = 0;
399 if (program->bf_insns != NULL) {
400 free((char *)program->bf_insns);
401 program->bf_insns = NULL;
402 }
403 }
404
405 /*
406 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
407 * which of the jt and jf fields has been resolved and which is a pointer
408 * back to another unresolved block (or nil). At least one of the fields
409 * in each block is already resolved.
410 */
411 static void
412 backpatch(list, target)
413 struct block *list, *target;
414 {
415 struct block *next;
416
417 while (list) {
418 if (!list->sense) {
419 next = JT(list);
420 JT(list) = target;
421 } else {
422 next = JF(list);
423 JF(list) = target;
424 }
425 list = next;
426 }
427 }
428
429 /*
430 * Merge the lists in b0 and b1, using the 'sense' field to indicate
431 * which of jt and jf is the link.
432 */
433 static void
434 merge(b0, b1)
435 struct block *b0, *b1;
436 {
437 register struct block **p = &b0;
438
439 /* Find end of list. */
440 while (*p)
441 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
442
443 /* Concatenate the lists. */
444 *p = b1;
445 }
446
447 void
448 finish_parse(p)
449 struct block *p;
450 {
451 backpatch(p, gen_retblk(snaplen));
452 p->sense = !p->sense;
453 backpatch(p, gen_retblk(0));
454 root = p->head;
455 }
456
457 void
458 gen_and(b0, b1)
459 struct block *b0, *b1;
460 {
461 backpatch(b0, b1->head);
462 b0->sense = !b0->sense;
463 b1->sense = !b1->sense;
464 merge(b1, b0);
465 b1->sense = !b1->sense;
466 b1->head = b0->head;
467 }
468
469 void
470 gen_or(b0, b1)
471 struct block *b0, *b1;
472 {
473 b0->sense = !b0->sense;
474 backpatch(b0, b1->head);
475 b0->sense = !b0->sense;
476 merge(b1, b0);
477 b1->head = b0->head;
478 }
479
480 void
481 gen_not(b)
482 struct block *b;
483 {
484 b->sense = !b->sense;
485 }
486
487 static struct block *
488 gen_cmp(offset, size, v)
489 u_int offset, size;
490 bpf_int32 v;
491 {
492 struct slist *s;
493 struct block *b;
494
495 s = new_stmt(BPF_LD|BPF_ABS|size);
496 s->s.k = offset;
497
498 b = new_block(JMP(BPF_JEQ));
499 b->stmts = s;
500 b->s.k = v;
501
502 return b;
503 }
504
505 static struct block *
506 gen_cmp_gt(offset, size, v)
507 u_int offset, size;
508 bpf_int32 v;
509 {
510 struct slist *s;
511 struct block *b;
512
513 s = new_stmt(BPF_LD|BPF_ABS|size);
514 s->s.k = offset;
515
516 b = new_block(JMP(BPF_JGT));
517 b->stmts = s;
518 b->s.k = v;
519
520 return b;
521 }
522
523 static struct block *
524 gen_mcmp(offset, size, v, mask)
525 u_int offset, size;
526 bpf_int32 v;
527 bpf_u_int32 mask;
528 {
529 struct block *b = gen_cmp(offset, size, v);
530 struct slist *s;
531
532 if (mask != 0xffffffff) {
533 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
534 s->s.k = mask;
535 b->stmts->next = s;
536 }
537 return b;
538 }
539
540 static struct block *
541 gen_bcmp(offset, size, v)
542 register u_int offset, size;
543 register const u_char *v;
544 {
545 register struct block *b, *tmp;
546
547 b = NULL;
548 while (size >= 4) {
549 register const u_char *p = &v[size - 4];
550 bpf_int32 w = ((bpf_int32)p[0] << 24) |
551 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
552
553 tmp = gen_cmp(offset + size - 4, BPF_W, w);
554 if (b != NULL)
555 gen_and(b, tmp);
556 b = tmp;
557 size -= 4;
558 }
559 while (size >= 2) {
560 register const u_char *p = &v[size - 2];
561 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
562
563 tmp = gen_cmp(offset + size - 2, BPF_H, w);
564 if (b != NULL)
565 gen_and(b, tmp);
566 b = tmp;
567 size -= 2;
568 }
569 if (size > 0) {
570 tmp = gen_cmp(offset, BPF_B, (bpf_int32)v[0]);
571 if (b != NULL)
572 gen_and(b, tmp);
573 b = tmp;
574 }
575 return b;
576 }
577
578 static struct block *
579 gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
580 bpf_u_int32 datasize, offset, mask, jtype, jvalue;
581 int reverse;
582 {
583 struct slist *s;
584 struct block *b;
585
586 s = new_stmt(BPF_LD|datasize|BPF_ABS);
587 s->s.k = offset;
588
589 if (mask != 0xffffffff) {
590 s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
591 s->next->s.k = mask;
592 }
593
594 b = new_block(JMP(jtype));
595 b->stmts = s;
596 b->s.k = jvalue;
597 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
598 gen_not(b);
599 return b;
600 }
601
602 /*
603 * Various code constructs need to know the layout of the data link
604 * layer. These variables give the necessary offsets.
605 */
606
607 /*
608 * This is the offset of the beginning of the MAC-layer header.
609 * It's usually 0, except for ATM LANE.
610 */
611 static u_int off_mac;
612
613 /*
614 * "off_linktype" is the offset to information in the link-layer header
615 * giving the packet type.
616 *
617 * For Ethernet, it's the offset of the Ethernet type field.
618 *
619 * For link-layer types that always use 802.2 headers, it's the
620 * offset of the LLC header.
621 *
622 * For PPP, it's the offset of the PPP type field.
623 *
624 * For Cisco HDLC, it's the offset of the CHDLC type field.
625 *
626 * For BSD loopback, it's the offset of the AF_ value.
627 *
628 * For Linux cooked sockets, it's the offset of the type field.
629 *
630 * It's set to -1 for no encapsulation, in which case, IP is assumed.
631 */
632 static u_int off_linktype;
633
634 /*
635 * TRUE if the link layer includes an ATM pseudo-header.
636 */
637 static int is_atm = 0;
638
639 /*
640 * TRUE if "lane" appeared in the filter; it causes us to generate
641 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
642 */
643 static int is_lane = 0;
644
645 /*
646 * These are offsets for the ATM pseudo-header.
647 */
648 static u_int off_vpi;
649 static u_int off_vci;
650 static u_int off_proto;
651
652 /*
653 * This is the offset of the first byte after the ATM pseudo_header,
654 * or -1 if there is no ATM pseudo-header.
655 */
656 static u_int off_payload;
657
658 /*
659 * These are offsets to the beginning of the network-layer header.
660 *
661 * If the link layer never uses 802.2 LLC:
662 *
663 * "off_nl" and "off_nl_nosnap" are the same.
664 *
665 * If the link layer always uses 802.2 LLC:
666 *
667 * "off_nl" is the offset if there's a SNAP header following
668 * the 802.2 header;
669 *
670 * "off_nl_nosnap" is the offset if there's no SNAP header.
671 *
672 * If the link layer is Ethernet:
673 *
674 * "off_nl" is the offset if the packet is an Ethernet II packet
675 * (we assume no 802.3+802.2+SNAP);
676 *
677 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
678 * with an 802.2 header following it.
679 */
680 static u_int off_nl;
681 static u_int off_nl_nosnap;
682
683 static int linktype;
684
685 static void
686 init_linktype(p)
687 pcap_t *p;
688 {
689 linktype = pcap_datalink(p);
690 #ifdef PCAP_FDDIPAD
691 pcap_fddipad = p->fddipad;
692 #endif
693
694 /*
695 * Assume it's not raw ATM with a pseudo-header, for now.
696 */
697 off_mac = 0;
698 is_atm = 0;
699 is_lane = 0;
700 off_vpi = -1;
701 off_vci = -1;
702 off_proto = -1;
703 off_payload = -1;
704
705 orig_linktype = -1;
706 orig_nl = -1;
707 orig_nl_nosnap = -1;
708
709 switch (linktype) {
710
711 case DLT_ARCNET:
712 off_linktype = 2;
713 off_nl = 6; /* XXX in reality, variable! */
714 off_nl_nosnap = 6; /* no 802.2 LLC */
715 return;
716
717 case DLT_ARCNET_LINUX:
718 off_linktype = 4;
719 off_nl = 8; /* XXX in reality, variable! */
720 off_nl_nosnap = 8; /* no 802.2 LLC */
721 return;
722
723 case DLT_EN10MB:
724 off_linktype = 12;
725 off_nl = 14; /* Ethernet II */
726 off_nl_nosnap = 17; /* 802.3+802.2 */
727 return;
728
729 case DLT_SLIP:
730 /*
731 * SLIP doesn't have a link level type. The 16 byte
732 * header is hacked into our SLIP driver.
733 */
734 off_linktype = -1;
735 off_nl = 16;
736 off_nl_nosnap = 16; /* no 802.2 LLC */
737 return;
738
739 case DLT_SLIP_BSDOS:
740 /* XXX this may be the same as the DLT_PPP_BSDOS case */
741 off_linktype = -1;
742 /* XXX end */
743 off_nl = 24;
744 off_nl_nosnap = 24; /* no 802.2 LLC */
745 return;
746
747 case DLT_NULL:
748 case DLT_LOOP:
749 off_linktype = 0;
750 off_nl = 4;
751 off_nl_nosnap = 4; /* no 802.2 LLC */
752 return;
753
754 case DLT_ENC:
755 off_linktype = 0;
756 off_nl = 12;
757 off_nl_nosnap = 12; /* no 802.2 LLC */
758 return;
759
760 case DLT_PPP:
761 case DLT_PPP_PPPD:
762 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
763 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
764 off_linktype = 2;
765 off_nl = 4;
766 off_nl_nosnap = 4; /* no 802.2 LLC */
767 return;
768
769 case DLT_PPP_ETHER:
770 /*
771 * This does no include the Ethernet header, and
772 * only covers session state.
773 */
774 off_linktype = 6;
775 off_nl = 8;
776 off_nl_nosnap = 8; /* no 802.2 LLC */
777 return;
778
779 case DLT_PPP_BSDOS:
780 off_linktype = 5;
781 off_nl = 24;
782 off_nl_nosnap = 24; /* no 802.2 LLC */
783 return;
784
785 case DLT_FDDI:
786 /*
787 * FDDI doesn't really have a link-level type field.
788 * We set "off_linktype" to the offset of the LLC header.
789 *
790 * To check for Ethernet types, we assume that SSAP = SNAP
791 * is being used and pick out the encapsulated Ethernet type.
792 * XXX - should we generate code to check for SNAP?
793 */
794 off_linktype = 13;
795 #ifdef PCAP_FDDIPAD
796 off_linktype += pcap_fddipad;
797 #endif
798 off_nl = 21; /* FDDI+802.2+SNAP */
799 off_nl_nosnap = 16; /* FDDI+802.2 */
800 #ifdef PCAP_FDDIPAD
801 off_nl += pcap_fddipad;
802 off_nl_nosnap += pcap_fddipad;
803 #endif
804 return;
805
806 case DLT_IEEE802:
807 /*
808 * Token Ring doesn't really have a link-level type field.
809 * We set "off_linktype" to the offset of the LLC header.
810 *
811 * To check for Ethernet types, we assume that SSAP = SNAP
812 * is being used and pick out the encapsulated Ethernet type.
813 * XXX - should we generate code to check for SNAP?
814 *
815 * XXX - the header is actually variable-length.
816 * Some various Linux patched versions gave 38
817 * as "off_linktype" and 40 as "off_nl"; however,
818 * if a token ring packet has *no* routing
819 * information, i.e. is not source-routed, the correct
820 * values are 20 and 22, as they are in the vanilla code.
821 *
822 * A packet is source-routed iff the uppermost bit
823 * of the first byte of the source address, at an
824 * offset of 8, has the uppermost bit set. If the
825 * packet is source-routed, the total number of bytes
826 * of routing information is 2 plus bits 0x1F00 of
827 * the 16-bit value at an offset of 14 (shifted right
828 * 8 - figure out which byte that is).
829 */
830 off_linktype = 14;
831 off_nl = 22; /* Token Ring+802.2+SNAP */
832 off_nl_nosnap = 17; /* Token Ring+802.2 */
833 return;
834
835 case DLT_IEEE802_11:
836 /*
837 * 802.11 doesn't really have a link-level type field.
838 * We set "off_linktype" to the offset of the LLC header.
839 *
840 * To check for Ethernet types, we assume that SSAP = SNAP
841 * is being used and pick out the encapsulated Ethernet type.
842 * XXX - should we generate code to check for SNAP?
843 *
844 * XXX - the header is actually variable-length. We
845 * assume a 24-byte link-layer header, as appears in
846 * data frames in networks with no bridges. If the
847 * fromds and tods 802.11 header bits are both set,
848 * it's actually supposed to be 30 bytes.
849 */
850 off_linktype = 24;
851 off_nl = 32; /* 802.11+802.2+SNAP */
852 off_nl_nosnap = 27; /* 802.11+802.2 */
853 return;
854
855 case DLT_PRISM_HEADER:
856 /*
857 * Same as 802.11, but with an additional header before
858 * the 802.11 header, containing a bunch of additional
859 * information including radio-level information.
860 *
861 * The header is 144 bytes long.
862 *
863 * XXX - same variable-length header problem; at least
864 * the Prism header is fixed-length.
865 */
866 off_linktype = 144+24;
867 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
868 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
869 return;
870
871 case DLT_IEEE802_11_RADIO_AVS:
872 /*
873 * Same as 802.11, but with an additional header before
874 * the 802.11 header, containing a bunch of additional
875 * information including radio-level information.
876 *
877 * The header is 64 bytes long, at least in its
878 * current incarnation.
879 *
880 * XXX - same variable-length header problem, only
881 * more so; this header is also variable-length,
882 * with the length being the 32-bit big-endian
883 * number at an offset of 4 from the beginning
884 * of the radio header.
885 */
886 off_linktype = 64+24;
887 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
888 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
889 return;
890
891 case DLT_IEEE802_11_RADIO:
892 /*
893 * Same as 802.11, but with an additional header before
894 * the 802.11 header, containing a bunch of additional
895 * information including radio-level information.
896 *
897 * XXX - same variable-length header problem, only
898 * even *more* so; this header is also variable-length,
899 * with the length being the 16-bit number at an offset
900 * of 2 from the beginning of the radio header, and it's
901 * device-dependent (different devices might supply
902 * different amounts of information), so we can't even
903 * assume a fixed length for the current version of the
904 * header.
905 *
906 * Therefore, currently, only raw "link[N:M]" filtering is
907 * supported.
908 */
909 off_linktype = -1;
910 off_nl = -1;
911 off_nl_nosnap = -1;
912 return;
913
914 case DLT_ATM_RFC1483:
915 case DLT_ATM_CLIP: /* Linux ATM defines this */
916 /*
917 * assume routed, non-ISO PDUs
918 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
919 */
920 off_linktype = 0;
921 off_nl = 8; /* 802.2+SNAP */
922 off_nl_nosnap = 3; /* 802.2 */
923 return;
924
925 case DLT_SUNATM:
926 /*
927 * Full Frontal ATM; you get AALn PDUs with an ATM
928 * pseudo-header.
929 */
930 is_atm = 1;
931 off_vpi = SUNATM_VPI_POS;
932 off_vci = SUNATM_VCI_POS;
933 off_proto = PROTO_POS;
934 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
935 off_payload = SUNATM_PKT_BEGIN_POS;
936 off_linktype = off_payload;
937 off_nl = off_payload+8; /* 802.2+SNAP */
938 off_nl_nosnap = off_payload+3; /* 802.2 */
939 return;
940
941 case DLT_RAW:
942 off_linktype = -1;
943 off_nl = 0;
944 off_nl_nosnap = 0; /* no 802.2 LLC */
945 return;
946
947 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
948 off_linktype = 14;
949 off_nl = 16;
950 off_nl_nosnap = 16; /* no 802.2 LLC */
951 return;
952
953 case DLT_LTALK:
954 /*
955 * LocalTalk does have a 1-byte type field in the LLAP header,
956 * but really it just indicates whether there is a "short" or
957 * "long" DDP packet following.
958 */
959 off_linktype = -1;
960 off_nl = 0;
961 off_nl_nosnap = 0; /* no 802.2 LLC */
962 return;
963
964 case DLT_IP_OVER_FC:
965 /*
966 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
967 * link-level type field. We set "off_linktype" to the
968 * offset of the LLC header.
969 *
970 * To check for Ethernet types, we assume that SSAP = SNAP
971 * is being used and pick out the encapsulated Ethernet type.
972 * XXX - should we generate code to check for SNAP? RFC
973 * 2625 says SNAP should be used.
974 */
975 off_linktype = 16;
976 off_nl = 24; /* IPFC+802.2+SNAP */
977 off_nl_nosnap = 19; /* IPFC+802.2 */
978 return;
979
980 case DLT_FRELAY:
981 /*
982 * XXX - we should set this to handle SNAP-encapsulated
983 * frames (NLPID of 0x80).
984 */
985 off_linktype = -1;
986 off_nl = 0;
987 off_nl_nosnap = 0; /* no 802.2 LLC */
988 return;
989
990 case DLT_APPLE_IP_OVER_IEEE1394:
991 off_linktype = 16;
992 off_nl = 18;
993 off_nl_nosnap = 18; /* no 802.2 LLC */
994 return;
995
996 case DLT_LINUX_IRDA:
997 /*
998 * Currently, only raw "link[N:M]" filtering is supported.
999 */
1000 off_linktype = -1;
1001 off_nl = -1;
1002 off_nl_nosnap = -1;
1003 return;
1004
1005 case DLT_DOCSIS:
1006 /*
1007 * Currently, only raw "link[N:M]" filtering is supported.
1008 */
1009 off_linktype = -1;
1010 off_nl = -1;
1011 off_nl_nosnap = -1;
1012 return;
1013
1014 case DLT_SYMANTEC_FIREWALL:
1015 off_linktype = 6;
1016 off_nl = 44; /* Ethernet II */
1017 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1018 return;
1019
1020 case DLT_PFLOG:
1021 off_linktype = 0;
1022 /* XXX read this from pf.h? */
1023 off_nl = PFLOG_HDRLEN;
1024 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */
1025 return;
1026
1027 case DLT_JUNIPER_MLFR:
1028 case DLT_JUNIPER_MLPPP:
1029 off_linktype = 4;
1030 off_nl = 4;
1031 off_nl_nosnap = -1; /* no 802.2 LLC */
1032 return;
1033
1034 case DLT_JUNIPER_ATM1:
1035 off_linktype = 4; /* in reality variable between 4-8 */
1036 off_nl = 4;
1037 off_nl_nosnap = 14;
1038 return;
1039
1040 case DLT_JUNIPER_ATM2:
1041 off_linktype = 8; /* in reality variable between 8-12 */
1042 off_nl = 8;
1043 off_nl_nosnap = 18;
1044 return;
1045
1046 #ifdef DLT_PFSYNC
1047 case DLT_PFSYNC:
1048 off_linktype = -1;
1049 off_nl = 4;
1050 off_nl_nosnap = 4;
1051 return;
1052 #endif
1053
1054 case DLT_LINUX_LAPD:
1055 /*
1056 * Currently, only raw "link[N:M]" filtering is supported.
1057 */
1058 off_linktype = -1;
1059 off_nl = -1;
1060 off_nl_nosnap = -1;
1061 return;
1062 }
1063 bpf_error("unknown data link type %d", linktype);
1064 /* NOTREACHED */
1065 }
1066
1067 static struct block *
1068 gen_uncond(rsense)
1069 int rsense;
1070 {
1071 struct block *b;
1072 struct slist *s;
1073
1074 s = new_stmt(BPF_LD|BPF_IMM);
1075 s->s.k = !rsense;
1076 b = new_block(JMP(BPF_JEQ));
1077 b->stmts = s;
1078
1079 return b;
1080 }
1081
1082 static inline struct block *
1083 gen_true()
1084 {
1085 return gen_uncond(1);
1086 }
1087
1088 static inline struct block *
1089 gen_false()
1090 {
1091 return gen_uncond(0);
1092 }
1093
1094 /*
1095 * Byte-swap a 32-bit number.
1096 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1097 * big-endian platforms.)
1098 */
1099 #define SWAPLONG(y) \
1100 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1101
1102 /*
1103 * Generate code to match a particular packet type.
1104 *
1105 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1106 * value, if <= ETHERMTU. We use that to determine whether to
1107 * match the type/length field or to check the type/length field for
1108 * a value <= ETHERMTU to see whether it's a type field and then do
1109 * the appropriate test.
1110 */
1111 static struct block *
1112 gen_ether_linktype(proto)
1113 register int proto;
1114 {
1115 struct block *b0, *b1;
1116
1117 switch (proto) {
1118
1119 case LLCSAP_ISONS:
1120 case LLCSAP_IP:
1121 case LLCSAP_NETBEUI:
1122 /*
1123 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1124 * so we check the DSAP and SSAP.
1125 *
1126 * LLCSAP_IP checks for IP-over-802.2, rather
1127 * than IP-over-Ethernet or IP-over-SNAP.
1128 *
1129 * XXX - should we check both the DSAP and the
1130 * SSAP, like this, or should we check just the
1131 * DSAP, as we do for other types <= ETHERMTU
1132 * (i.e., other SAP values)?
1133 */
1134 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1135 gen_not(b0);
1136 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1137 ((proto << 8) | proto));
1138 gen_and(b0, b1);
1139 return b1;
1140
1141 case LLCSAP_IPX:
1142 /*
1143 * Check for;
1144 *
1145 * Ethernet_II frames, which are Ethernet
1146 * frames with a frame type of ETHERTYPE_IPX;
1147 *
1148 * Ethernet_802.3 frames, which are 802.3
1149 * frames (i.e., the type/length field is
1150 * a length field, <= ETHERMTU, rather than
1151 * a type field) with the first two bytes
1152 * after the Ethernet/802.3 header being
1153 * 0xFFFF;
1154 *
1155 * Ethernet_802.2 frames, which are 802.3
1156 * frames with an 802.2 LLC header and
1157 * with the IPX LSAP as the DSAP in the LLC
1158 * header;
1159 *
1160 * Ethernet_SNAP frames, which are 802.3
1161 * frames with an LLC header and a SNAP
1162 * header and with an OUI of 0x000000
1163 * (encapsulated Ethernet) and a protocol
1164 * ID of ETHERTYPE_IPX in the SNAP header.
1165 *
1166 * XXX - should we generate the same code both
1167 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1168 */
1169
1170 /*
1171 * This generates code to check both for the
1172 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1173 */
1174 b0 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)LLCSAP_IPX);
1175 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)0xFFFF);
1176 gen_or(b0, b1);
1177
1178 /*
1179 * Now we add code to check for SNAP frames with
1180 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1181 */
1182 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1183 gen_or(b0, b1);
1184
1185 /*
1186 * Now we generate code to check for 802.3
1187 * frames in general.
1188 */
1189 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1190 gen_not(b0);
1191
1192 /*
1193 * Now add the check for 802.3 frames before the
1194 * check for Ethernet_802.2 and Ethernet_802.3,
1195 * as those checks should only be done on 802.3
1196 * frames, not on Ethernet frames.
1197 */
1198 gen_and(b0, b1);
1199
1200 /*
1201 * Now add the check for Ethernet_II frames, and
1202 * do that before checking for the other frame
1203 * types.
1204 */
1205 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1206 gen_or(b0, b1);
1207 return b1;
1208
1209 case ETHERTYPE_ATALK:
1210 case ETHERTYPE_AARP:
1211 /*
1212 * EtherTalk (AppleTalk protocols on Ethernet link
1213 * layer) may use 802.2 encapsulation.
1214 */
1215
1216 /*
1217 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1218 * we check for an Ethernet type field less than
1219 * 1500, which means it's an 802.3 length field.
1220 */
1221 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1222 gen_not(b0);
1223
1224 /*
1225 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1226 * SNAP packets with an organization code of
1227 * 0x080007 (Apple, for Appletalk) and a protocol
1228 * type of ETHERTYPE_ATALK (Appletalk).
1229 *
1230 * 802.2-encapsulated ETHERTYPE_AARP packets are
1231 * SNAP packets with an organization code of
1232 * 0x000000 (encapsulated Ethernet) and a protocol
1233 * type of ETHERTYPE_AARP (Appletalk ARP).
1234 */
1235 if (proto == ETHERTYPE_ATALK)
1236 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1237 else /* proto == ETHERTYPE_AARP */
1238 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1239 gen_and(b0, b1);
1240
1241 /*
1242 * Check for Ethernet encapsulation (Ethertalk
1243 * phase 1?); we just check for the Ethernet
1244 * protocol type.
1245 */
1246 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1247
1248 gen_or(b0, b1);
1249 return b1;
1250
1251 default:
1252 if (proto <= ETHERMTU) {
1253 /*
1254 * This is an LLC SAP value, so the frames
1255 * that match would be 802.2 frames.
1256 * Check that the frame is an 802.2 frame
1257 * (i.e., that the length/type field is
1258 * a length field, <= ETHERMTU) and
1259 * then check the DSAP.
1260 */
1261 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1262 gen_not(b0);
1263 b1 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)proto);
1264 gen_and(b0, b1);
1265 return b1;
1266 } else {
1267 /*
1268 * This is an Ethernet type, so compare
1269 * the length/type field with it (if
1270 * the frame is an 802.2 frame, the length
1271 * field will be <= ETHERMTU, and, as
1272 * "proto" is > ETHERMTU, this test
1273 * will fail and the frame won't match,
1274 * which is what we want).
1275 */
1276 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1277 }
1278 }
1279 }
1280
1281 /*
1282 * Generate code to match a particular packet type.
1283 *
1284 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1285 * value, if <= ETHERMTU. We use that to determine whether to
1286 * match the type field or to check the type field for the special
1287 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1288 */
1289 static struct block *
1290 gen_linux_sll_linktype(proto)
1291 register int proto;
1292 {
1293 struct block *b0, *b1;
1294
1295 switch (proto) {
1296
1297 case LLCSAP_ISONS:
1298 case LLCSAP_IP:
1299 case LLCSAP_NETBEUI:
1300 /*
1301 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1302 * so we check the DSAP and SSAP.
1303 *
1304 * LLCSAP_IP checks for IP-over-802.2, rather
1305 * than IP-over-Ethernet or IP-over-SNAP.
1306 *
1307 * XXX - should we check both the DSAP and the
1308 * SSAP, like this, or should we check just the
1309 * DSAP, as we do for other types <= ETHERMTU
1310 * (i.e., other SAP values)?
1311 */
1312 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1313 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1314 ((proto << 8) | proto));
1315 gen_and(b0, b1);
1316 return b1;
1317
1318 case LLCSAP_IPX:
1319 /*
1320 * Ethernet_II frames, which are Ethernet
1321 * frames with a frame type of ETHERTYPE_IPX;
1322 *
1323 * Ethernet_802.3 frames, which have a frame
1324 * type of LINUX_SLL_P_802_3;
1325 *
1326 * Ethernet_802.2 frames, which are 802.3
1327 * frames with an 802.2 LLC header (i.e, have
1328 * a frame type of LINUX_SLL_P_802_2) and
1329 * with the IPX LSAP as the DSAP in the LLC
1330 * header;
1331 *
1332 * Ethernet_SNAP frames, which are 802.3
1333 * frames with an LLC header and a SNAP
1334 * header and with an OUI of 0x000000
1335 * (encapsulated Ethernet) and a protocol
1336 * ID of ETHERTYPE_IPX in the SNAP header.
1337 *
1338 * First, do the checks on LINUX_SLL_P_802_2
1339 * frames; generate the check for either
1340 * Ethernet_802.2 or Ethernet_SNAP frames, and
1341 * then put a check for LINUX_SLL_P_802_2 frames
1342 * before it.
1343 */
1344 b0 = gen_cmp(off_linktype + 2, BPF_B,
1345 (bpf_int32)LLCSAP_IPX);
1346 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1347 off_linktype + 2);
1348 gen_or(b0, b1);
1349 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1350 gen_and(b0, b1);
1351
1352 /*
1353 * Now check for 802.3 frames and OR that with
1354 * the previous test.
1355 */
1356 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
1357 gen_or(b0, b1);
1358
1359 /*
1360 * Now add the check for Ethernet_II frames, and
1361 * do that before checking for the other frame
1362 * types.
1363 */
1364 b0 = gen_cmp(off_linktype, BPF_H,
1365 (bpf_int32)ETHERTYPE_IPX);
1366 gen_or(b0, b1);
1367 return b1;
1368
1369 case ETHERTYPE_ATALK:
1370 case ETHERTYPE_AARP:
1371 /*
1372 * EtherTalk (AppleTalk protocols on Ethernet link
1373 * layer) may use 802.2 encapsulation.
1374 */
1375
1376 /*
1377 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1378 * we check for the 802.2 protocol type in the
1379 * "Ethernet type" field.
1380 */
1381 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1382
1383 /*
1384 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1385 * SNAP packets with an organization code of
1386 * 0x080007 (Apple, for Appletalk) and a protocol
1387 * type of ETHERTYPE_ATALK (Appletalk).
1388 *
1389 * 802.2-encapsulated ETHERTYPE_AARP packets are
1390 * SNAP packets with an organization code of
1391 * 0x000000 (encapsulated Ethernet) and a protocol
1392 * type of ETHERTYPE_AARP (Appletalk ARP).
1393 */
1394 if (proto == ETHERTYPE_ATALK)
1395 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1396 off_linktype + 2);
1397 else /* proto == ETHERTYPE_AARP */
1398 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1399 off_linktype + 2);
1400 gen_and(b0, b1);
1401
1402 /*
1403 * Check for Ethernet encapsulation (Ethertalk
1404 * phase 1?); we just check for the Ethernet
1405 * protocol type.
1406 */
1407 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1408
1409 gen_or(b0, b1);
1410 return b1;
1411
1412 default:
1413 if (proto <= ETHERMTU) {
1414 /*
1415 * This is an LLC SAP value, so the frames
1416 * that match would be 802.2 frames.
1417 * Check for the 802.2 protocol type
1418 * in the "Ethernet type" field, and
1419 * then check the DSAP.
1420 */
1421 b0 = gen_cmp(off_linktype, BPF_H,
1422 LINUX_SLL_P_802_2);
1423 b1 = gen_cmp(off_linktype + 2, BPF_B,
1424 (bpf_int32)proto);
1425 gen_and(b0, b1);
1426 return b1;
1427 } else {
1428 /*
1429 * This is an Ethernet type, so compare
1430 * the length/type field with it (if
1431 * the frame is an 802.2 frame, the length
1432 * field will be <= ETHERMTU, and, as
1433 * "proto" is > ETHERMTU, this test
1434 * will fail and the frame won't match,
1435 * which is what we want).
1436 */
1437 return gen_cmp(off_linktype, BPF_H,
1438 (bpf_int32)proto);
1439 }
1440 }
1441 }
1442
1443 /*
1444 * Generate code to match a particular packet type by matching the
1445 * link-layer type field or fields in the 802.2 LLC header.
1446 *
1447 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1448 * value, if <= ETHERMTU.
1449 */
1450 static struct block *
1451 gen_linktype(proto)
1452 register int proto;
1453 {
1454 struct block *b0, *b1, *b2;
1455
1456 switch (linktype) {
1457
1458 case DLT_EN10MB:
1459 return gen_ether_linktype(proto);
1460 /*NOTREACHED*/
1461 break;
1462
1463 case DLT_C_HDLC:
1464 switch (proto) {
1465
1466 case LLCSAP_ISONS:
1467 proto = (proto << 8 | LLCSAP_ISONS);
1468 /* fall through */
1469
1470 default:
1471 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1472 /*NOTREACHED*/
1473 break;
1474 }
1475 break;
1476
1477 case DLT_IEEE802_11:
1478 case DLT_PRISM_HEADER:
1479 case DLT_IEEE802_11_RADIO:
1480 case DLT_FDDI:
1481 case DLT_IEEE802:
1482 case DLT_ATM_RFC1483:
1483 case DLT_ATM_CLIP:
1484 case DLT_IP_OVER_FC:
1485 return gen_llc_linktype(proto);
1486 /*NOTREACHED*/
1487 break;
1488
1489 case DLT_SUNATM:
1490 /*
1491 * If "is_lane" is set, check for a LANE-encapsulated
1492 * version of this protocol, otherwise check for an
1493 * LLC-encapsulated version of this protocol.
1494 *
1495 * We assume LANE means Ethernet, not Token Ring.
1496 */
1497 if (is_lane) {
1498 /*
1499 * Check that the packet doesn't begin with an
1500 * LE Control marker. (We've already generated
1501 * a test for LANE.)
1502 */
1503 b0 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
1504 gen_not(b0);
1505
1506 /*
1507 * Now generate an Ethernet test.
1508 */
1509 b1 = gen_ether_linktype(proto);
1510 gen_and(b0, b1);
1511 return b1;
1512 } else {
1513 /*
1514 * Check for LLC encapsulation and then check the
1515 * protocol.
1516 */
1517 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1518 b1 = gen_llc_linktype(proto);
1519 gen_and(b0, b1);
1520 return b1;
1521 }
1522 /*NOTREACHED*/
1523 break;
1524
1525 case DLT_LINUX_SLL:
1526 return gen_linux_sll_linktype(proto);
1527 /*NOTREACHED*/
1528 break;
1529
1530 case DLT_SLIP:
1531 case DLT_SLIP_BSDOS:
1532 case DLT_RAW:
1533 /*
1534 * These types don't provide any type field; packets
1535 * are always IP.
1536 *
1537 * XXX - for IPv4, check for a version number of 4, and,
1538 * for IPv6, check for a version number of 6?
1539 */
1540 switch (proto) {
1541
1542 case ETHERTYPE_IP:
1543 #ifdef INET6
1544 case ETHERTYPE_IPV6:
1545 #endif
1546 return gen_true(); /* always true */
1547
1548 default:
1549 return gen_false(); /* always false */
1550 }
1551 /*NOTREACHED*/
1552 break;
1553
1554 case DLT_PPP:
1555 case DLT_PPP_PPPD:
1556 case DLT_PPP_SERIAL:
1557 case DLT_PPP_ETHER:
1558 /*
1559 * We use Ethernet protocol types inside libpcap;
1560 * map them to the corresponding PPP protocol types.
1561 */
1562 switch (proto) {
1563
1564 case ETHERTYPE_IP:
1565 proto = PPP_IP;
1566 break;
1567
1568 #ifdef INET6
1569 case ETHERTYPE_IPV6:
1570 proto = PPP_IPV6;
1571 break;
1572 #endif
1573
1574 case ETHERTYPE_DN:
1575 proto = PPP_DECNET;
1576 break;
1577
1578 case ETHERTYPE_ATALK:
1579 proto = PPP_APPLE;
1580 break;
1581
1582 case ETHERTYPE_NS:
1583 proto = PPP_NS;
1584 break;
1585
1586 case LLCSAP_ISONS:
1587 proto = PPP_OSI;
1588 break;
1589
1590 case LLCSAP_8021D:
1591 /*
1592 * I'm assuming the "Bridging PDU"s that go
1593 * over PPP are Spanning Tree Protocol
1594 * Bridging PDUs.
1595 */
1596 proto = PPP_BRPDU;
1597 break;
1598
1599 case LLCSAP_IPX:
1600 proto = PPP_IPX;
1601 break;
1602 }
1603 break;
1604
1605 case DLT_PPP_BSDOS:
1606 /*
1607 * We use Ethernet protocol types inside libpcap;
1608 * map them to the corresponding PPP protocol types.
1609 */
1610 switch (proto) {
1611
1612 case ETHERTYPE_IP:
1613 b0 = gen_cmp(off_linktype, BPF_H, PPP_IP);
1614 b1 = gen_cmp(off_linktype, BPF_H, PPP_VJC);
1615 gen_or(b0, b1);
1616 b0 = gen_cmp(off_linktype, BPF_H, PPP_VJNC);
1617 gen_or(b1, b0);
1618 return b0;
1619
1620 #ifdef INET6
1621 case ETHERTYPE_IPV6:
1622 proto = PPP_IPV6;
1623 /* more to go? */
1624 break;
1625 #endif
1626
1627 case ETHERTYPE_DN:
1628 proto = PPP_DECNET;
1629 break;
1630
1631 case ETHERTYPE_ATALK:
1632 proto = PPP_APPLE;
1633 break;
1634
1635 case ETHERTYPE_NS:
1636 proto = PPP_NS;
1637 break;
1638
1639 case LLCSAP_ISONS:
1640 proto = PPP_OSI;
1641 break;
1642
1643 case LLCSAP_8021D:
1644 /*
1645 * I'm assuming the "Bridging PDU"s that go
1646 * over PPP are Spanning Tree Protocol
1647 * Bridging PDUs.
1648 */
1649 proto = PPP_BRPDU;
1650 break;
1651
1652 case LLCSAP_IPX:
1653 proto = PPP_IPX;
1654 break;
1655 }
1656 break;
1657
1658 case DLT_NULL:
1659 case DLT_LOOP:
1660 case DLT_ENC:
1661 /*
1662 * For DLT_NULL, the link-layer header is a 32-bit
1663 * word containing an AF_ value in *host* byte order,
1664 * and for DLT_ENC, the link-layer header begins
1665 * with a 32-bit work containing an AF_ value in
1666 * host byte order.
1667 *
1668 * In addition, if we're reading a saved capture file,
1669 * the host byte order in the capture may not be the
1670 * same as the host byte order on this machine.
1671 *
1672 * For DLT_LOOP, the link-layer header is a 32-bit
1673 * word containing an AF_ value in *network* byte order.
1674 *
1675 * XXX - AF_ values may, unfortunately, be platform-
1676 * dependent; for example, FreeBSD's AF_INET6 is 24
1677 * whilst NetBSD's and OpenBSD's is 26.
1678 *
1679 * This means that, when reading a capture file, just
1680 * checking for our AF_INET6 value won't work if the
1681 * capture file came from another OS.
1682 */
1683 switch (proto) {
1684
1685 case ETHERTYPE_IP:
1686 proto = AF_INET;
1687 break;
1688
1689 #ifdef INET6
1690 case ETHERTYPE_IPV6:
1691 proto = AF_INET6;
1692 break;
1693 #endif
1694
1695 default:
1696 /*
1697 * Not a type on which we support filtering.
1698 * XXX - support those that have AF_ values
1699 * #defined on this platform, at least?
1700 */
1701 return gen_false();
1702 }
1703
1704 if (linktype == DLT_NULL || linktype == DLT_ENC) {
1705 /*
1706 * The AF_ value is in host byte order, but
1707 * the BPF interpreter will convert it to
1708 * network byte order.
1709 *
1710 * If this is a save file, and it's from a
1711 * machine with the opposite byte order to
1712 * ours, we byte-swap the AF_ value.
1713 *
1714 * Then we run it through "htonl()", and
1715 * generate code to compare against the result.
1716 */
1717 if (bpf_pcap->sf.rfile != NULL &&
1718 bpf_pcap->sf.swapped)
1719 proto = SWAPLONG(proto);
1720 proto = htonl(proto);
1721 }
1722 return (gen_cmp(0, BPF_W, (bpf_int32)proto));
1723
1724 case DLT_PFLOG:
1725 /*
1726 * af field is host byte order in contrast to the rest of
1727 * the packet.
1728 */
1729 if (proto == ETHERTYPE_IP)
1730 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1731 (bpf_int32)AF_INET));
1732 #ifdef INET6
1733 else if (proto == ETHERTYPE_IPV6)
1734 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1735 (bpf_int32)AF_INET6));
1736 #endif /* INET6 */
1737 else
1738 return gen_false();
1739 /*NOTREACHED*/
1740 break;
1741
1742 case DLT_ARCNET:
1743 case DLT_ARCNET_LINUX:
1744 /*
1745 * XXX should we check for first fragment if the protocol
1746 * uses PHDS?
1747 */
1748 switch (proto) {
1749
1750 default:
1751 return gen_false();
1752
1753 #ifdef INET6
1754 case ETHERTYPE_IPV6:
1755 return (gen_cmp(off_linktype, BPF_B,
1756 (bpf_int32)ARCTYPE_INET6));
1757 #endif /* INET6 */
1758
1759 case ETHERTYPE_IP:
1760 b0 = gen_cmp(off_linktype, BPF_B,
1761 (bpf_int32)ARCTYPE_IP);
1762 b1 = gen_cmp(off_linktype, BPF_B,
1763 (bpf_int32)ARCTYPE_IP_OLD);
1764 gen_or(b0, b1);
1765 return (b1);
1766
1767 case ETHERTYPE_ARP:
1768 b0 = gen_cmp(off_linktype, BPF_B,
1769 (bpf_int32)ARCTYPE_ARP);
1770 b1 = gen_cmp(off_linktype, BPF_B,
1771 (bpf_int32)ARCTYPE_ARP_OLD);
1772 gen_or(b0, b1);
1773 return (b1);
1774
1775 case ETHERTYPE_REVARP:
1776 return (gen_cmp(off_linktype, BPF_B,
1777 (bpf_int32)ARCTYPE_REVARP));
1778
1779 case ETHERTYPE_ATALK:
1780 return (gen_cmp(off_linktype, BPF_B,
1781 (bpf_int32)ARCTYPE_ATALK));
1782 }
1783 /*NOTREACHED*/
1784 break;
1785
1786 case DLT_LTALK:
1787 switch (proto) {
1788 case ETHERTYPE_ATALK:
1789 return gen_true();
1790 default:
1791 return gen_false();
1792 }
1793 /*NOTREACHED*/
1794 break;
1795
1796 case DLT_FRELAY:
1797 /*
1798 * XXX - assumes a 2-byte Frame Relay header with
1799 * DLCI and flags. What if the address is longer?
1800 */
1801 switch (proto) {
1802
1803 case ETHERTYPE_IP:
1804 /*
1805 * Check for the special NLPID for IP.
1806 */
1807 return gen_cmp(2, BPF_H, (0x03<<8) | 0xcc);
1808
1809 #ifdef INET6
1810 case ETHERTYPE_IPV6:
1811 /*
1812 * Check for the special NLPID for IPv6.
1813 */
1814 return gen_cmp(2, BPF_H, (0x03<<8) | 0x8e);
1815 #endif
1816
1817 case LLCSAP_ISONS:
1818 /*
1819 * Check for several OSI protocols.
1820 *
1821 * Frame Relay packets typically have an OSI
1822 * NLPID at the beginning; we check for each
1823 * of them.
1824 *
1825 * What we check for is the NLPID and a frame
1826 * control field of UI, i.e. 0x03 followed
1827 * by the NLPID.
1828 */
1829 b0 = gen_cmp(2, BPF_H, (0x03<<8) | ISO8473_CLNP);
1830 b1 = gen_cmp(2, BPF_H, (0x03<<8) | ISO9542_ESIS);
1831 b2 = gen_cmp(2, BPF_H, (0x03<<8) | ISO10589_ISIS);
1832 gen_or(b1, b2);
1833 gen_or(b0, b2);
1834 return b2;
1835
1836 default:
1837 return gen_false();
1838 }
1839 /*NOTREACHED*/
1840 break;
1841
1842 case DLT_JUNIPER_MLFR:
1843 case DLT_JUNIPER_MLPPP:
1844 case DLT_JUNIPER_ATM1:
1845 case DLT_JUNIPER_ATM2:
1846 /* just lets verify the magic number for now -
1847 * on ATM we may have up to 6 different encapsulations on the wire
1848 * and need a lot of heuristics to figure out that the payload
1849 * might be;
1850 *
1851 * FIXME encapsulation specific BPF_ filters
1852 */
1853 return gen_mcmp(0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
1854
1855 case DLT_LINUX_IRDA:
1856 bpf_error("IrDA link-layer type filtering not implemented");
1857
1858 case DLT_DOCSIS:
1859 bpf_error("DOCSIS link-layer type filtering not implemented");
1860
1861 case DLT_LINUX_LAPD:
1862 bpf_error("LAPD link-layer type filtering not implemented");
1863 }
1864
1865 /*
1866 * All the types that have no encapsulation should either be
1867 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
1868 * all packets are IP packets, or should be handled in some
1869 * special case, if none of them are (if some are and some
1870 * aren't, the lack of encapsulation is a problem, as we'd
1871 * have to find some other way of determining the packet type).
1872 *
1873 * Therefore, if "off_linktype" is -1, there's an error.
1874 */
1875 if (off_linktype == (u_int)-1)
1876 abort();
1877
1878 /*
1879 * Any type not handled above should always have an Ethernet
1880 * type at an offset of "off_linktype". (PPP is partially
1881 * handled above - the protocol type is mapped from the
1882 * Ethernet and LLC types we use internally to the corresponding
1883 * PPP type - but the PPP type is always specified by a value
1884 * at "off_linktype", so we don't have to do the code generation
1885 * above.)
1886 */
1887 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1888 }
1889
1890 /*
1891 * Check for an LLC SNAP packet with a given organization code and
1892 * protocol type; we check the entire contents of the 802.2 LLC and
1893 * snap headers, checking for DSAP and SSAP of SNAP and a control
1894 * field of 0x03 in the LLC header, and for the specified organization
1895 * code and protocol type in the SNAP header.
1896 */
1897 static struct block *
1898 gen_snap(orgcode, ptype, offset)
1899 bpf_u_int32 orgcode;
1900 bpf_u_int32 ptype;
1901 u_int offset;
1902 {
1903 u_char snapblock[8];
1904
1905 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
1906 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
1907 snapblock[2] = 0x03; /* control = UI */
1908 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
1909 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
1910 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
1911 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
1912 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
1913 return gen_bcmp(offset, 8, snapblock);
1914 }
1915
1916 /*
1917 * Generate code to match a particular packet type, for link-layer types
1918 * using 802.2 LLC headers.
1919 *
1920 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
1921 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
1922 *
1923 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1924 * value, if <= ETHERMTU. We use that to determine whether to
1925 * match the DSAP or both DSAP and LSAP or to check the OUI and
1926 * protocol ID in a SNAP header.
1927 */
1928 static struct block *
1929 gen_llc_linktype(proto)
1930 int proto;
1931 {
1932 /*
1933 * XXX - handle token-ring variable-length header.
1934 */
1935 switch (proto) {
1936
1937 case LLCSAP_IP:
1938 case LLCSAP_ISONS:
1939 case LLCSAP_NETBEUI:
1940 /*
1941 * XXX - should we check both the DSAP and the
1942 * SSAP, like this, or should we check just the
1943 * DSAP, as we do for other types <= ETHERMTU
1944 * (i.e., other SAP values)?
1945 */
1946 return gen_cmp(off_linktype, BPF_H, (long)
1947 ((proto << 8) | proto));
1948
1949 case LLCSAP_IPX:
1950 /*
1951 * XXX - are there ever SNAP frames for IPX on
1952 * non-Ethernet 802.x networks?
1953 */
1954 return gen_cmp(off_linktype, BPF_B, (bpf_int32)LLCSAP_IPX);
1955
1956 case ETHERTYPE_ATALK:
1957 /*
1958 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1959 * SNAP packets with an organization code of
1960 * 0x080007 (Apple, for Appletalk) and a protocol
1961 * type of ETHERTYPE_ATALK (Appletalk).
1962 *
1963 * XXX - check for an organization code of
1964 * encapsulated Ethernet as well?
1965 */
1966 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
1967
1968 default:
1969 /*
1970 * XXX - we don't have to check for IPX 802.3
1971 * here, but should we check for the IPX Ethertype?
1972 */
1973 if (proto <= ETHERMTU) {
1974 /*
1975 * This is an LLC SAP value, so check
1976 * the DSAP.
1977 */
1978 return gen_cmp(off_linktype, BPF_B, (bpf_int32)proto);
1979 } else {
1980 /*
1981 * This is an Ethernet type; we assume that it's
1982 * unlikely that it'll appear in the right place
1983 * at random, and therefore check only the
1984 * location that would hold the Ethernet type
1985 * in a SNAP frame with an organization code of
1986 * 0x000000 (encapsulated Ethernet).
1987 *
1988 * XXX - if we were to check for the SNAP DSAP and
1989 * LSAP, as per XXX, and were also to check for an
1990 * organization code of 0x000000 (encapsulated
1991 * Ethernet), we'd do
1992 *
1993 * return gen_snap(0x000000, proto,
1994 * off_linktype);
1995 *
1996 * here; for now, we don't, as per the above.
1997 * I don't know whether it's worth the extra CPU
1998 * time to do the right check or not.
1999 */
2000 return gen_cmp(off_linktype+6, BPF_H, (bpf_int32)proto);
2001 }
2002 }
2003 }
2004
2005 static struct block *
2006 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2007 bpf_u_int32 addr;
2008 bpf_u_int32 mask;
2009 int dir, proto;
2010 u_int src_off, dst_off;
2011 {
2012 struct block *b0, *b1;
2013 u_int offset;
2014
2015 switch (dir) {
2016
2017 case Q_SRC:
2018 offset = src_off;
2019 break;
2020
2021 case Q_DST:
2022 offset = dst_off;
2023 break;
2024
2025 case Q_AND:
2026 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2027 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2028 gen_and(b0, b1);
2029 return b1;
2030
2031 case Q_OR:
2032 case Q_DEFAULT:
2033 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2034 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2035 gen_or(b0, b1);
2036 return b1;
2037
2038 default:
2039 abort();
2040 }
2041 b0 = gen_linktype(proto);
2042 b1 = gen_mcmp(offset, BPF_W, (bpf_int32)addr, mask);
2043 gen_and(b0, b1);
2044 return b1;
2045 }
2046
2047 #ifdef INET6
2048 static struct block *
2049 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2050 struct in6_addr *addr;
2051 struct in6_addr *mask;
2052 int dir, proto;
2053 u_int src_off, dst_off;
2054 {
2055 struct block *b0, *b1;
2056 u_int offset;
2057 u_int32_t *a, *m;
2058
2059 switch (dir) {
2060
2061 case Q_SRC:
2062 offset = src_off;
2063 break;
2064
2065 case Q_DST:
2066 offset = dst_off;
2067 break;
2068
2069 case Q_AND:
2070 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2071 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2072 gen_and(b0, b1);
2073 return b1;
2074
2075 case Q_OR:
2076 case Q_DEFAULT:
2077 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2078 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2079 gen_or(b0, b1);
2080 return b1;
2081
2082 default:
2083 abort();
2084 }
2085 /* this order is important */
2086 a = (u_int32_t *)addr;
2087 m = (u_int32_t *)mask;
2088 b1 = gen_mcmp(offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2089 b0 = gen_mcmp(offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2090 gen_and(b0, b1);
2091 b0 = gen_mcmp(offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2092 gen_and(b0, b1);
2093 b0 = gen_mcmp(offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2094 gen_and(b0, b1);
2095 b0 = gen_linktype(proto);
2096 gen_and(b0, b1);
2097 return b1;
2098 }
2099 #endif /*INET6*/
2100
2101 static struct block *
2102 gen_ehostop(eaddr, dir)
2103 register const u_char *eaddr;
2104 register int dir;
2105 {
2106 register struct block *b0, *b1;
2107
2108 switch (dir) {
2109 case Q_SRC:
2110 return gen_bcmp(off_mac + 6, 6, eaddr);
2111
2112 case Q_DST:
2113 return gen_bcmp(off_mac + 0, 6, eaddr);
2114
2115 case Q_AND:
2116 b0 = gen_ehostop(eaddr, Q_SRC);
2117 b1 = gen_ehostop(eaddr, Q_DST);
2118 gen_and(b0, b1);
2119 return b1;
2120
2121 case Q_DEFAULT:
2122 case Q_OR:
2123 b0 = gen_ehostop(eaddr, Q_SRC);
2124 b1 = gen_ehostop(eaddr, Q_DST);
2125 gen_or(b0, b1);
2126 return b1;
2127 }
2128 abort();
2129 /* NOTREACHED */
2130 }
2131
2132 /*
2133 * Like gen_ehostop, but for DLT_FDDI
2134 */
2135 static struct block *
2136 gen_fhostop(eaddr, dir)
2137 register const u_char *eaddr;
2138 register int dir;
2139 {
2140 struct block *b0, *b1;
2141
2142 switch (dir) {
2143 case Q_SRC:
2144 #ifdef PCAP_FDDIPAD
2145 return gen_bcmp(6 + 1 + pcap_fddipad, 6, eaddr);
2146 #else
2147 return gen_bcmp(6 + 1, 6, eaddr);
2148 #endif
2149
2150 case Q_DST:
2151 #ifdef PCAP_FDDIPAD
2152 return gen_bcmp(0 + 1 + pcap_fddipad, 6, eaddr);
2153 #else
2154 return gen_bcmp(0 + 1, 6, eaddr);
2155 #endif
2156
2157 case Q_AND:
2158 b0 = gen_fhostop(eaddr, Q_SRC);
2159 b1 = gen_fhostop(eaddr, Q_DST);
2160 gen_and(b0, b1);
2161 return b1;
2162
2163 case Q_DEFAULT:
2164 case Q_OR:
2165 b0 = gen_fhostop(eaddr, Q_SRC);
2166 b1 = gen_fhostop(eaddr, Q_DST);
2167 gen_or(b0, b1);
2168 return b1;
2169 }
2170 abort();
2171 /* NOTREACHED */
2172 }
2173
2174 /*
2175 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2176 */
2177 static struct block *
2178 gen_thostop(eaddr, dir)
2179 register const u_char *eaddr;
2180 register int dir;
2181 {
2182 register struct block *b0, *b1;
2183
2184 switch (dir) {
2185 case Q_SRC:
2186 return gen_bcmp(8, 6, eaddr);
2187
2188 case Q_DST:
2189 return gen_bcmp(2, 6, eaddr);
2190
2191 case Q_AND:
2192 b0 = gen_thostop(eaddr, Q_SRC);
2193 b1 = gen_thostop(eaddr, Q_DST);
2194 gen_and(b0, b1);
2195 return b1;
2196
2197 case Q_DEFAULT:
2198 case Q_OR:
2199 b0 = gen_thostop(eaddr, Q_SRC);
2200 b1 = gen_thostop(eaddr, Q_DST);
2201 gen_or(b0, b1);
2202 return b1;
2203 }
2204 abort();
2205 /* NOTREACHED */
2206 }
2207
2208 /*
2209 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2210 */
2211 static struct block *
2212 gen_wlanhostop(eaddr, dir)
2213 register const u_char *eaddr;
2214 register int dir;
2215 {
2216 register struct block *b0, *b1, *b2;
2217 register struct slist *s;
2218
2219 switch (dir) {
2220 case Q_SRC:
2221 /*
2222 * Oh, yuk.
2223 *
2224 * For control frames, there is no SA.
2225 *
2226 * For management frames, SA is at an
2227 * offset of 10 from the beginning of
2228 * the packet.
2229 *
2230 * For data frames, SA is at an offset
2231 * of 10 from the beginning of the packet
2232 * if From DS is clear, at an offset of
2233 * 16 from the beginning of the packet
2234 * if From DS is set and To DS is clear,
2235 * and an offset of 24 from the beginning
2236 * of the packet if From DS is set and To DS
2237 * is set.
2238 */
2239
2240 /*
2241 * Generate the tests to be done for data frames
2242 * with From DS set.
2243 *
2244 * First, check for To DS set, i.e. check "link[1] & 0x01".
2245 */
2246 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2247 s->s.k = 1;
2248 b1 = new_block(JMP(BPF_JSET));
2249 b1->s.k = 0x01; /* To DS */
2250 b1->stmts = s;
2251
2252 /*
2253 * If To DS is set, the SA is at 24.
2254 */
2255 b0 = gen_bcmp(24, 6, eaddr);
2256 gen_and(b1, b0);
2257
2258 /*
2259 * Now, check for To DS not set, i.e. check
2260 * "!(link[1] & 0x01)".
2261 */
2262 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2263 s->s.k = 1;
2264 b2 = new_block(JMP(BPF_JSET));
2265 b2->s.k = 0x01; /* To DS */
2266 b2->stmts = s;
2267 gen_not(b2);
2268
2269 /*
2270 * If To DS is not set, the SA is at 16.
2271 */
2272 b1 = gen_bcmp(16, 6, eaddr);
2273 gen_and(b2, b1);
2274
2275 /*
2276 * Now OR together the last two checks. That gives
2277 * the complete set of checks for data frames with
2278 * From DS set.
2279 */
2280 gen_or(b1, b0);
2281
2282 /*
2283 * Now check for From DS being set, and AND that with
2284 * the ORed-together checks.
2285 */
2286 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2287 s->s.k = 1;
2288 b1 = new_block(JMP(BPF_JSET));
2289 b1->s.k = 0x02; /* From DS */
2290 b1->stmts = s;
2291 gen_and(b1, b0);
2292
2293 /*
2294 * Now check for data frames with From DS not set.
2295 */
2296 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2297 s->s.k = 1;
2298 b2 = new_block(JMP(BPF_JSET));
2299 b2->s.k = 0x02; /* From DS */
2300 b2->stmts = s;
2301 gen_not(b2);
2302
2303 /*
2304 * If From DS isn't set, the SA is at 10.
2305 */
2306 b1 = gen_bcmp(10, 6, eaddr);
2307 gen_and(b2, b1);
2308
2309 /*
2310 * Now OR together the checks for data frames with
2311 * From DS not set and for data frames with From DS
2312 * set; that gives the checks done for data frames.
2313 */
2314 gen_or(b1, b0);
2315
2316 /*
2317 * Now check for a data frame.
2318 * I.e, check "link[0] & 0x08".
2319 */
2320 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2321 s->s.k = 0;
2322 b1 = new_block(JMP(BPF_JSET));
2323 b1->s.k = 0x08;
2324 b1->stmts = s;
2325
2326 /*
2327 * AND that with the checks done for data frames.
2328 */
2329 gen_and(b1, b0);
2330
2331 /*
2332 * If the high-order bit of the type value is 0, this
2333 * is a management frame.
2334 * I.e, check "!(link[0] & 0x08)".
2335 */
2336 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2337 s->s.k = 0;
2338 b2 = new_block(JMP(BPF_JSET));
2339 b2->s.k = 0x08;
2340 b2->stmts = s;
2341 gen_not(b2);
2342
2343 /*
2344 * For management frames, the SA is at 10.
2345 */
2346 b1 = gen_bcmp(10, 6, eaddr);
2347 gen_and(b2, b1);
2348
2349 /*
2350 * OR that with the checks done for data frames.
2351 * That gives the checks done for management and
2352 * data frames.
2353 */
2354 gen_or(b1, b0);
2355
2356 /*
2357 * If the low-order bit of the type value is 1,
2358 * this is either a control frame or a frame
2359 * with a reserved type, and thus not a
2360 * frame with an SA.
2361 *
2362 * I.e., check "!(link[0] & 0x04)".
2363 */
2364 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2365 s->s.k = 0;
2366 b1 = new_block(JMP(BPF_JSET));
2367 b1->s.k = 0x04;
2368 b1->stmts = s;
2369 gen_not(b1);
2370
2371 /*
2372 * AND that with the checks for data and management
2373 * frames.
2374 */
2375 gen_and(b1, b0);
2376 return b0;
2377
2378 case Q_DST:
2379 /*
2380 * Oh, yuk.
2381 *
2382 * For control frames, there is no DA.
2383 *
2384 * For management frames, DA is at an
2385 * offset of 4 from the beginning of
2386 * the packet.
2387 *
2388 * For data frames, DA is at an offset
2389 * of 4 from the beginning of the packet
2390 * if To DS is clear and at an offset of
2391 * 16 from the beginning of the packet
2392 * if To DS is set.
2393 */
2394
2395 /*
2396 * Generate the tests to be done for data frames.
2397 *
2398 * First, check for To DS set, i.e. "link[1] & 0x01".
2399 */
2400 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2401 s->s.k = 1;
2402 b1 = new_block(JMP(BPF_JSET));
2403 b1->s.k = 0x01; /* To DS */
2404 b1->stmts = s;
2405
2406 /*
2407 * If To DS is set, the DA is at 16.
2408 */
2409 b0 = gen_bcmp(16, 6, eaddr);
2410 gen_and(b1, b0);
2411
2412 /*
2413 * Now, check for To DS not set, i.e. check
2414 * "!(link[1] & 0x01)".
2415 */
2416 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2417 s->s.k = 1;
2418 b2 = new_block(JMP(BPF_JSET));
2419 b2->s.k = 0x01; /* To DS */
2420 b2->stmts = s;
2421 gen_not(b2);
2422
2423 /*
2424 * If To DS is not set, the DA is at 4.
2425 */
2426 b1 = gen_bcmp(4, 6, eaddr);
2427 gen_and(b2, b1);
2428
2429 /*
2430 * Now OR together the last two checks. That gives
2431 * the complete set of checks for data frames.
2432 */
2433 gen_or(b1, b0);
2434
2435 /*
2436 * Now check for a data frame.
2437 * I.e, check "link[0] & 0x08".
2438 */
2439 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2440 s->s.k = 0;
2441 b1 = new_block(JMP(BPF_JSET));
2442 b1->s.k = 0x08;
2443 b1->stmts = s;
2444
2445 /*
2446 * AND that with the checks done for data frames.
2447 */
2448 gen_and(b1, b0);
2449
2450 /*
2451 * If the high-order bit of the type value is 0, this
2452 * is a management frame.
2453 * I.e, check "!(link[0] & 0x08)".
2454 */
2455 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2456 s->s.k = 0;
2457 b2 = new_block(JMP(BPF_JSET));
2458 b2->s.k = 0x08;
2459 b2->stmts = s;
2460 gen_not(b2);
2461
2462 /*
2463 * For management frames, the DA is at 4.
2464 */
2465 b1 = gen_bcmp(4, 6, eaddr);
2466 gen_and(b2, b1);
2467
2468 /*
2469 * OR that with the checks done for data frames.
2470 * That gives the checks done for management and
2471 * data frames.
2472 */
2473 gen_or(b1, b0);
2474
2475 /*
2476 * If the low-order bit of the type value is 1,
2477 * this is either a control frame or a frame
2478 * with a reserved type, and thus not a
2479 * frame with an SA.
2480 *
2481 * I.e., check "!(link[0] & 0x04)".
2482 */
2483 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2484 s->s.k = 0;
2485 b1 = new_block(JMP(BPF_JSET));
2486 b1->s.k = 0x04;
2487 b1->stmts = s;
2488 gen_not(b1);
2489
2490 /*
2491 * AND that with the checks for data and management
2492 * frames.
2493 */
2494 gen_and(b1, b0);
2495 return b0;
2496
2497 case Q_AND:
2498 b0 = gen_wlanhostop(eaddr, Q_SRC);
2499 b1 = gen_wlanhostop(eaddr, Q_DST);
2500 gen_and(b0, b1);
2501 return b1;
2502
2503 case Q_DEFAULT:
2504 case Q_OR:
2505 b0 = gen_wlanhostop(eaddr, Q_SRC);
2506 b1 = gen_wlanhostop(eaddr, Q_DST);
2507 gen_or(b0, b1);
2508 return b1;
2509 }
2510 abort();
2511 /* NOTREACHED */
2512 }
2513
2514 /*
2515 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2516 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2517 * as the RFC states.)
2518 */
2519 static struct block *
2520 gen_ipfchostop(eaddr, dir)
2521 register const u_char *eaddr;
2522 register int dir;
2523 {
2524 register struct block *b0, *b1;
2525
2526 switch (dir) {
2527 case Q_SRC:
2528 return gen_bcmp(10, 6, eaddr);
2529
2530 case Q_DST:
2531 return gen_bcmp(2, 6, eaddr);
2532
2533 case Q_AND:
2534 b0 = gen_ipfchostop(eaddr, Q_SRC);
2535 b1 = gen_ipfchostop(eaddr, Q_DST);
2536 gen_and(b0, b1);
2537 return b1;
2538
2539 case Q_DEFAULT:
2540 case Q_OR:
2541 b0 = gen_ipfchostop(eaddr, Q_SRC);
2542 b1 = gen_ipfchostop(eaddr, Q_DST);
2543 gen_or(b0, b1);
2544 return b1;
2545 }
2546 abort();
2547 /* NOTREACHED */
2548 }
2549
2550 /*
2551 * This is quite tricky because there may be pad bytes in front of the
2552 * DECNET header, and then there are two possible data packet formats that
2553 * carry both src and dst addresses, plus 5 packet types in a format that
2554 * carries only the src node, plus 2 types that use a different format and
2555 * also carry just the src node.
2556 *
2557 * Yuck.
2558 *
2559 * Instead of doing those all right, we just look for data packets with
2560 * 0 or 1 bytes of padding. If you want to look at other packets, that
2561 * will require a lot more hacking.
2562 *
2563 * To add support for filtering on DECNET "areas" (network numbers)
2564 * one would want to add a "mask" argument to this routine. That would
2565 * make the filter even more inefficient, although one could be clever
2566 * and not generate masking instructions if the mask is 0xFFFF.
2567 */
2568 static struct block *
2569 gen_dnhostop(addr, dir, base_off)
2570 bpf_u_int32 addr;
2571 int dir;
2572 u_int base_off;
2573 {
2574 struct block *b0, *b1, *b2, *tmp;
2575 u_int offset_lh; /* offset if long header is received */
2576 u_int offset_sh; /* offset if short header is received */
2577
2578 switch (dir) {
2579
2580 case Q_DST:
2581 offset_sh = 1; /* follows flags */
2582 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2583 break;
2584
2585 case Q_SRC:
2586 offset_sh = 3; /* follows flags, dstnode */
2587 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2588 break;
2589
2590 case Q_AND:
2591 /* Inefficient because we do our Calvinball dance twice */
2592 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2593 b1 = gen_dnhostop(addr, Q_DST, base_off);
2594 gen_and(b0, b1);
2595 return b1;
2596
2597 case Q_OR:
2598 case Q_DEFAULT:
2599 /* Inefficient because we do our Calvinball dance twice */
2600 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2601 b1 = gen_dnhostop(addr, Q_DST, base_off);
2602 gen_or(b0, b1);
2603 return b1;
2604
2605 case Q_ISO:
2606 bpf_error("ISO host filtering not implemented");
2607
2608 default:
2609 abort();
2610 }
2611 b0 = gen_linktype(ETHERTYPE_DN);
2612 /* Check for pad = 1, long header case */
2613 tmp = gen_mcmp(base_off + 2, BPF_H,
2614 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2615 b1 = gen_cmp(base_off + 2 + 1 + offset_lh,
2616 BPF_H, (bpf_int32)ntohs(addr));
2617 gen_and(tmp, b1);
2618 /* Check for pad = 0, long header case */
2619 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2620 b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2621 gen_and(tmp, b2);
2622 gen_or(b2, b1);
2623 /* Check for pad = 1, short header case */
2624 tmp = gen_mcmp(base_off + 2, BPF_H,
2625 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
2626 b2 = gen_cmp(base_off + 2 + 1 + offset_sh,
2627 BPF_H, (bpf_int32)ntohs(addr));
2628 gen_and(tmp, b2);
2629 gen_or(b2, b1);
2630 /* Check for pad = 0, short header case */
2631 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
2632 b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2633 gen_and(tmp, b2);
2634 gen_or(b2, b1);
2635
2636 /* Combine with test for linktype */
2637 gen_and(b0, b1);
2638 return b1;
2639 }
2640
2641 static struct block *
2642 gen_host(addr, mask, proto, dir)
2643 bpf_u_int32 addr;
2644 bpf_u_int32 mask;
2645 int proto;
2646 int dir;
2647 {
2648 struct block *b0, *b1;
2649
2650 switch (proto) {
2651
2652 case Q_DEFAULT:
2653 b0 = gen_host(addr, mask, Q_IP, dir);
2654 if (off_linktype != (u_int)-1) {
2655 b1 = gen_host(addr, mask, Q_ARP, dir);
2656 gen_or(b0, b1);
2657 b0 = gen_host(addr, mask, Q_RARP, dir);
2658 gen_or(b1, b0);
2659 }
2660 return b0;
2661
2662 case Q_IP:
2663 return gen_hostop(addr, mask, dir, ETHERTYPE_IP,
2664 off_nl + 12, off_nl + 16);
2665
2666 case Q_RARP:
2667 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP,
2668 off_nl + 14, off_nl + 24);
2669
2670 case Q_ARP:
2671 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP,
2672 off_nl + 14, off_nl + 24);
2673
2674 case Q_TCP:
2675 bpf_error("'tcp' modifier applied to host");
2676
2677 case Q_SCTP:
2678 bpf_error("'sctp' modifier applied to host");
2679
2680 case Q_UDP:
2681 bpf_error("'udp' modifier applied to host");
2682
2683 case Q_ICMP:
2684 bpf_error("'icmp' modifier applied to host");
2685
2686 case Q_IGMP:
2687 bpf_error("'igmp' modifier applied to host");
2688
2689 case Q_IGRP:
2690 bpf_error("'igrp' modifier applied to host");
2691
2692 case Q_PIM:
2693 bpf_error("'pim' modifier applied to host");
2694
2695 case Q_VRRP:
2696 bpf_error("'vrrp' modifier applied to host");
2697
2698 case Q_ATALK:
2699 bpf_error("ATALK host filtering not implemented");
2700
2701 case Q_AARP:
2702 bpf_error("AARP host filtering not implemented");
2703
2704 case Q_DECNET:
2705 return gen_dnhostop(addr, dir, off_nl);
2706
2707 case Q_SCA:
2708 bpf_error("SCA host filtering not implemented");
2709
2710 case Q_LAT:
2711 bpf_error("LAT host filtering not implemented");
2712
2713 case Q_MOPDL:
2714 bpf_error("MOPDL host filtering not implemented");
2715
2716 case Q_MOPRC:
2717 bpf_error("MOPRC host filtering not implemented");
2718
2719 #ifdef INET6
2720 case Q_IPV6:
2721 bpf_error("'ip6' modifier applied to ip host");
2722
2723 case Q_ICMPV6:
2724 bpf_error("'icmp6' modifier applied to host");
2725 #endif /* INET6 */
2726
2727 case Q_AH:
2728 bpf_error("'ah' modifier applied to host");
2729
2730 case Q_ESP:
2731 bpf_error("'esp' modifier applied to host");
2732
2733 case Q_ISO:
2734 bpf_error("ISO host filtering not implemented");
2735
2736 case Q_ESIS:
2737 bpf_error("'esis' modifier applied to host");
2738
2739 case Q_ISIS:
2740 bpf_error("'isis' modifier applied to host");
2741
2742 case Q_CLNP:
2743 bpf_error("'clnp' modifier applied to host");
2744
2745 case Q_STP:
2746 bpf_error("'stp' modifier applied to host");
2747
2748 case Q_IPX:
2749 bpf_error("IPX host filtering not implemented");
2750
2751 case Q_NETBEUI:
2752 bpf_error("'netbeui' modifier applied to host");
2753
2754 default:
2755 abort();
2756 }
2757 /* NOTREACHED */
2758 }
2759
2760 #ifdef INET6
2761 static struct block *
2762 gen_host6(addr, mask, proto, dir)
2763 struct in6_addr *addr;
2764 struct in6_addr *mask;
2765 int proto;
2766 int dir;
2767 {
2768 switch (proto) {
2769
2770 case Q_DEFAULT:
2771 return gen_host6(addr, mask, Q_IPV6, dir);
2772
2773 case Q_IP:
2774 bpf_error("'ip' modifier applied to ip6 host");
2775
2776 case Q_RARP:
2777 bpf_error("'rarp' modifier applied to ip6 host");
2778
2779 case Q_ARP:
2780 bpf_error("'arp' modifier applied to ip6 host");
2781
2782 case Q_SCTP:
2783 bpf_error("'sctp' modifier applied to host");
2784
2785 case Q_TCP:
2786 bpf_error("'tcp' modifier applied to host");
2787
2788 case Q_UDP:
2789 bpf_error("'udp' modifier applied to host");
2790
2791 case Q_ICMP:
2792 bpf_error("'icmp' modifier applied to host");
2793
2794 case Q_IGMP:
2795 bpf_error("'igmp' modifier applied to host");
2796
2797 case Q_IGRP:
2798 bpf_error("'igrp' modifier applied to host");
2799
2800 case Q_PIM:
2801 bpf_error("'pim' modifier applied to host");
2802
2803 case Q_VRRP:
2804 bpf_error("'vrrp' modifier applied to host");
2805
2806 case Q_ATALK:
2807 bpf_error("ATALK host filtering not implemented");
2808
2809 case Q_AARP:
2810 bpf_error("AARP host filtering not implemented");
2811
2812 case Q_DECNET:
2813 bpf_error("'decnet' modifier applied to ip6 host");
2814
2815 case Q_SCA:
2816 bpf_error("SCA host filtering not implemented");
2817
2818 case Q_LAT:
2819 bpf_error("LAT host filtering not implemented");
2820
2821 case Q_MOPDL:
2822 bpf_error("MOPDL host filtering not implemented");
2823
2824 case Q_MOPRC:
2825 bpf_error("MOPRC host filtering not implemented");
2826
2827 case Q_IPV6:
2828 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6,
2829 off_nl + 8, off_nl + 24);
2830
2831 case Q_ICMPV6:
2832 bpf_error("'icmp6' modifier applied to host");
2833
2834 case Q_AH:
2835 bpf_error("'ah' modifier applied to host");
2836
2837 case Q_ESP:
2838 bpf_error("'esp' modifier applied to host");
2839
2840 case Q_ISO:
2841 bpf_error("ISO host filtering not implemented");
2842
2843 case Q_ESIS:
2844 bpf_error("'esis' modifier applied to host");
2845
2846 case Q_ISIS:
2847 bpf_error("'isis' modifier applied to host");
2848
2849 case Q_CLNP:
2850 bpf_error("'clnp' modifier applied to host");
2851
2852 case Q_STP:
2853 bpf_error("'stp' modifier applied to host");
2854
2855 case Q_IPX:
2856 bpf_error("IPX host filtering not implemented");
2857
2858 case Q_NETBEUI:
2859 bpf_error("'netbeui' modifier applied to host");
2860
2861 default:
2862 abort();
2863 }
2864 /* NOTREACHED */
2865 }
2866 #endif /*INET6*/
2867
2868 #ifndef INET6
2869 static struct block *
2870 gen_gateway(eaddr, alist, proto, dir)
2871 const u_char *eaddr;
2872 bpf_u_int32 **alist;
2873 int proto;
2874 int dir;
2875 {
2876 struct block *b0, *b1, *tmp;
2877
2878 if (dir != 0)
2879 bpf_error("direction applied to 'gateway'");
2880
2881 switch (proto) {
2882 case Q_DEFAULT:
2883 case Q_IP:
2884 case Q_ARP:
2885 case Q_RARP:
2886 if (linktype == DLT_EN10MB)
2887 b0 = gen_ehostop(eaddr, Q_OR);
2888 else if (linktype == DLT_FDDI)
2889 b0 = gen_fhostop(eaddr, Q_OR);
2890 else if (linktype == DLT_IEEE802)
2891 b0 = gen_thostop(eaddr, Q_OR);
2892 else if (linktype == DLT_IEEE802_11)
2893 b0 = gen_wlanhostop(eaddr, Q_OR);
2894 else if (linktype == DLT_SUNATM && is_lane) {
2895 /*
2896 * Check that the packet doesn't begin with an
2897 * LE Control marker. (We've already generated
2898 * a test for LANE.)
2899 */
2900 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2901 gen_not(b1);
2902
2903 /*
2904 * Now check the MAC address.
2905 */
2906 b0 = gen_ehostop(eaddr, Q_OR);
2907 gen_and(b1, b0);
2908 } else if (linktype == DLT_IP_OVER_FC)
2909 b0 = gen_ipfchostop(eaddr, Q_OR);
2910 else
2911 bpf_error(
2912 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
2913
2914 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2915 while (*alist) {
2916 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2917 gen_or(b1, tmp);
2918 b1 = tmp;
2919 }
2920 gen_not(b1);
2921 gen_and(b0, b1);
2922 return b1;
2923 }
2924 bpf_error("illegal modifier of 'gateway'");
2925 /* NOTREACHED */
2926 }
2927 #endif
2928
2929 struct block *
2930 gen_proto_abbrev(proto)
2931 int proto;
2932 {
2933 struct block *b0;
2934 struct block *b1;
2935
2936 switch (proto) {
2937
2938 case Q_SCTP:
2939 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
2940 #ifdef INET6
2941 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
2942 gen_or(b0, b1);
2943 #endif
2944 break;
2945
2946 case Q_TCP:
2947 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
2948 #ifdef INET6
2949 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
2950 gen_or(b0, b1);
2951 #endif
2952 break;
2953
2954 case Q_UDP:
2955 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
2956 #ifdef INET6
2957 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
2958 gen_or(b0, b1);
2959 #endif
2960 break;
2961
2962 case Q_ICMP:
2963 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
2964 break;
2965
2966 #ifndef IPPROTO_IGMP
2967 #define IPPROTO_IGMP 2
2968 #endif
2969
2970 case Q_IGMP:
2971 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
2972 break;
2973
2974 #ifndef IPPROTO_IGRP
2975 #define IPPROTO_IGRP 9
2976 #endif
2977 case Q_IGRP:
2978 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
2979 break;
2980
2981 #ifndef IPPROTO_PIM
2982 #define IPPROTO_PIM 103
2983 #endif
2984
2985 case Q_PIM:
2986 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
2987 #ifdef INET6
2988 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
2989 gen_or(b0, b1);
2990 #endif
2991 break;
2992
2993 #ifndef IPPROTO_VRRP
2994 #define IPPROTO_VRRP 112
2995 #endif
2996
2997 case Q_VRRP:
2998 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
2999 break;
3000
3001 case Q_IP:
3002 b1 = gen_linktype(ETHERTYPE_IP);
3003 break;
3004
3005 case Q_ARP:
3006 b1 = gen_linktype(ETHERTYPE_ARP);
3007 break;
3008
3009 case Q_RARP:
3010 b1 = gen_linktype(ETHERTYPE_REVARP);
3011 break;
3012
3013 case Q_LINK:
3014 bpf_error("link layer applied in wrong context");
3015
3016 case Q_ATALK:
3017 b1 = gen_linktype(ETHERTYPE_ATALK);
3018 break;
3019
3020 case Q_AARP:
3021 b1 = gen_linktype(ETHERTYPE_AARP);
3022 break;
3023
3024 case Q_DECNET:
3025 b1 = gen_linktype(ETHERTYPE_DN);
3026 break;
3027
3028 case Q_SCA:
3029 b1 = gen_linktype(ETHERTYPE_SCA);
3030 break;
3031
3032 case Q_LAT:
3033 b1 = gen_linktype(ETHERTYPE_LAT);
3034 break;
3035
3036 case Q_MOPDL:
3037 b1 = gen_linktype(ETHERTYPE_MOPDL);
3038 break;
3039
3040 case Q_MOPRC:
3041 b1 = gen_linktype(ETHERTYPE_MOPRC);
3042 break;
3043
3044 #ifdef INET6
3045 case Q_IPV6:
3046 b1 = gen_linktype(ETHERTYPE_IPV6);
3047 break;
3048
3049 #ifndef IPPROTO_ICMPV6
3050 #define IPPROTO_ICMPV6 58
3051 #endif
3052 case Q_ICMPV6:
3053 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3054 break;
3055 #endif /* INET6 */
3056
3057 #ifndef IPPROTO_AH
3058 #define IPPROTO_AH 51
3059 #endif
3060 case Q_AH:
3061 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3062 #ifdef INET6
3063 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3064 gen_or(b0, b1);
3065 #endif
3066 break;
3067
3068 #ifndef IPPROTO_ESP
3069 #define IPPROTO_ESP 50
3070 #endif
3071 case Q_ESP:
3072 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3073 #ifdef INET6
3074 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3075 gen_or(b0, b1);
3076 #endif
3077 break;
3078
3079 case Q_ISO:
3080 b1 = gen_linktype(LLCSAP_ISONS);
3081 break;
3082
3083 case Q_ESIS:
3084 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3085 break;
3086
3087 case Q_ISIS:
3088 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3089 break;
3090
3091 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3092 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3093 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3094 gen_or(b0, b1);
3095 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3096 gen_or(b0, b1);
3097 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3098 gen_or(b0, b1);
3099 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3100 gen_or(b0, b1);
3101 break;
3102
3103 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3104 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3105 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3106 gen_or(b0, b1);
3107 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3108 gen_or(b0, b1);
3109 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3110 gen_or(b0, b1);
3111 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3112 gen_or(b0, b1);
3113 break;
3114
3115 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3116 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3117 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3118 gen_or(b0, b1);
3119 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3120 gen_or(b0, b1);
3121 break;
3122
3123 case Q_ISIS_LSP:
3124 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3125 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3126 gen_or(b0, b1);
3127 break;
3128
3129 case Q_ISIS_SNP:
3130 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3131 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3132 gen_or(b0, b1);
3133 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3134 gen_or(b0, b1);
3135 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3136 gen_or(b0, b1);
3137 break;
3138
3139 case Q_ISIS_CSNP:
3140 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3141 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3142 gen_or(b0, b1);
3143 break;
3144
3145 case Q_ISIS_PSNP:
3146 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3147 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3148 gen_or(b0, b1);
3149 break;
3150
3151 case Q_CLNP:
3152 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3153 break;
3154
3155 case Q_STP:
3156 b1 = gen_linktype(LLCSAP_8021D);
3157 break;
3158
3159 case Q_IPX:
3160 b1 = gen_linktype(LLCSAP_IPX);
3161 break;
3162
3163 case Q_NETBEUI:
3164 b1 = gen_linktype(LLCSAP_NETBEUI);
3165 break;
3166
3167 default:
3168 abort();
3169 }
3170 return b1;
3171 }
3172
3173 static struct block *
3174 gen_ipfrag()
3175 {
3176 struct slist *s;
3177 struct block *b;
3178
3179 /* not ip frag */
3180 s = new_stmt(BPF_LD|BPF_H|BPF_ABS);
3181 s->s.k = off_nl + 6;
3182 b = new_block(JMP(BPF_JSET));
3183 b->s.k = 0x1fff;
3184 b->stmts = s;
3185 gen_not(b);
3186
3187 return b;
3188 }
3189
3190 static struct block *
3191 gen_portatom(off, v)
3192 int off;
3193 bpf_int32 v;
3194 {
3195 struct slist *s;
3196 struct block *b;
3197
3198 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3199 s->s.k = off_nl;
3200
3201 s->next = new_stmt(BPF_LD|BPF_IND|BPF_H);
3202 s->next->s.k = off_nl + off;
3203
3204 b = new_block(JMP(BPF_JEQ));
3205 b->stmts = s;
3206 b->s.k = v;
3207
3208 return b;
3209 }
3210
3211 #ifdef INET6
3212 static struct block *
3213 gen_portatom6(off, v)
3214 int off;
3215 bpf_int32 v;
3216 {
3217 return gen_cmp(off_nl + 40 + off, BPF_H, v);
3218 }
3219 #endif/*INET6*/
3220
3221 struct block *
3222 gen_portop(port, proto, dir)
3223 int port, proto, dir;
3224 {
3225 struct block *b0, *b1, *tmp;
3226
3227 /* ip proto 'proto' */
3228 tmp = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)proto);
3229 b0 = gen_ipfrag();
3230 gen_and(tmp, b0);
3231
3232 switch (dir) {
3233 case Q_SRC:
3234 b1 = gen_portatom(0, (bpf_int32)port);
3235 break;
3236
3237 case Q_DST:
3238 b1 = gen_portatom(2, (bpf_int32)port);
3239 break;
3240
3241 case Q_OR:
3242 case Q_DEFAULT:
3243 tmp = gen_portatom(0, (bpf_int32)port);
3244 b1 = gen_portatom(2, (bpf_int32)port);
3245 gen_or(tmp, b1);
3246 break;
3247
3248 case Q_AND:
3249 tmp = gen_portatom(0, (bpf_int32)port);
3250 b1 = gen_portatom(2, (bpf_int32)port);
3251 gen_and(tmp, b1);
3252 break;
3253
3254 default:
3255 abort();
3256 }
3257 gen_and(b0, b1);
3258
3259 return b1;
3260 }
3261
3262 static struct block *
3263 gen_port(port, ip_proto, dir)
3264 int port;
3265 int ip_proto;
3266 int dir;
3267 {
3268 struct block *b0, *b1, *tmp;
3269
3270 /*
3271 * ether proto ip
3272 *
3273 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3274 * not LLC encapsulation with LLCSAP_IP.
3275 *
3276 * For IEEE 802 networks - which includes 802.5 token ring
3277 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3278 * says that SNAP encapsulation is used, not LLC encapsulation
3279 * with LLCSAP_IP.
3280 *
3281 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3282 * RFC 2225 say that SNAP encapsulation is used, not LLC
3283 * encapsulation with LLCSAP_IP.
3284 *
3285 * So we always check for ETHERTYPE_IP.
3286 */
3287 b0 = gen_linktype(ETHERTYPE_IP);
3288
3289 switch (ip_proto) {
3290 case IPPROTO_UDP:
3291 case IPPROTO_TCP:
3292 case IPPROTO_SCTP:
3293 b1 = gen_portop(port, ip_proto, dir);
3294 break;
3295
3296 case PROTO_UNDEF:
3297 tmp = gen_portop(port, IPPROTO_TCP, dir);
3298 b1 = gen_portop(port, IPPROTO_UDP, dir);
3299 gen_or(tmp, b1);
3300 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3301 gen_or(tmp, b1);
3302 break;
3303
3304 default:
3305 abort();
3306 }
3307 gen_and(b0, b1);
3308 return b1;
3309 }
3310
3311 #ifdef INET6
3312 struct block *
3313 gen_portop6(port, proto, dir)
3314 int port, proto, dir;
3315 {
3316 struct block *b0, *b1, *tmp;
3317
3318 /* ip proto 'proto' */
3319 b0 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)proto);
3320
3321 switch (dir) {
3322 case Q_SRC:
3323 b1 = gen_portatom6(0, (bpf_int32)port);
3324 break;
3325
3326 case Q_DST:
3327 b1 = gen_portatom6(2, (bpf_int32)port);
3328 break;
3329
3330 case Q_OR:
3331 case Q_DEFAULT:
3332 tmp = gen_portatom6(0, (bpf_int32)port);
3333 b1 = gen_portatom6(2, (bpf_int32)port);
3334 gen_or(tmp, b1);
3335 break;
3336
3337 case Q_AND:
3338 tmp = gen_portatom6(0, (bpf_int32)port);
3339 b1 = gen_portatom6(2, (bpf_int32)port);
3340 gen_and(tmp, b1);
3341 break;
3342
3343 default:
3344 abort();
3345 }
3346 gen_and(b0, b1);
3347
3348 return b1;
3349 }
3350
3351 static struct block *
3352 gen_port6(port, ip_proto, dir)
3353 int port;
3354 int ip_proto;
3355 int dir;
3356 {
3357 struct block *b0, *b1, *tmp;
3358
3359 /* ether proto ip */
3360 b0 = gen_linktype(ETHERTYPE_IPV6);
3361
3362 switch (ip_proto) {
3363 case IPPROTO_UDP:
3364 case IPPROTO_TCP:
3365 case IPPROTO_SCTP:
3366 b1 = gen_portop6(port, ip_proto, dir);
3367 break;
3368
3369 case PROTO_UNDEF:
3370 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3371 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3372 gen_or(tmp, b1);
3373 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3374 gen_or(tmp, b1);
3375 break;
3376
3377 default:
3378 abort();
3379 }
3380 gen_and(b0, b1);
3381 return b1;
3382 }
3383 #endif /* INET6 */
3384
3385 static int
3386 lookup_proto(name, proto)
3387 register const char *name;
3388 register int proto;
3389 {
3390 register int v;
3391
3392 switch (proto) {
3393
3394 case Q_DEFAULT:
3395 case Q_IP:
3396 case Q_IPV6:
3397 v = pcap_nametoproto(name);
3398 if (v == PROTO_UNDEF)
3399 bpf_error("unknown ip proto '%s'", name);
3400 break;
3401
3402 case Q_LINK:
3403 /* XXX should look up h/w protocol type based on linktype */
3404 v = pcap_nametoeproto(name);
3405 if (v == PROTO_UNDEF) {
3406 v = pcap_nametollc(name);
3407 if (v == PROTO_UNDEF)
3408 bpf_error("unknown ether proto '%s'", name);
3409 }
3410 break;
3411
3412 case Q_ISO:
3413 if (strcmp(name, "esis") == 0)
3414 v = ISO9542_ESIS;
3415 else if (strcmp(name, "isis") == 0)
3416 v = ISO10589_ISIS;
3417 else if (strcmp(name, "clnp") == 0)
3418 v = ISO8473_CLNP;
3419 else
3420 bpf_error("unknown osi proto '%s'", name);
3421 break;
3422
3423 default:
3424 v = PROTO_UNDEF;
3425 break;
3426 }
3427 return v;
3428 }
3429
3430 #if 0
3431 struct stmt *
3432 gen_joinsp(s, n)
3433 struct stmt **s;
3434 int n;
3435 {
3436 return NULL;
3437 }
3438 #endif
3439
3440 static struct block *
3441 gen_protochain(v, proto, dir)
3442 int v;
3443 int proto;
3444 int dir;
3445 {
3446 #ifdef NO_PROTOCHAIN
3447 return gen_proto(v, proto, dir);
3448 #else
3449 struct block *b0, *b;
3450 struct slist *s[100];
3451 int fix2, fix3, fix4, fix5;
3452 int ahcheck, again, end;
3453 int i, max;
3454 int reg2 = alloc_reg();
3455
3456 memset(s, 0, sizeof(s));
3457 fix2 = fix3 = fix4 = fix5 = 0;
3458
3459 switch (proto) {
3460 case Q_IP:
3461 case Q_IPV6:
3462 break;
3463 case Q_DEFAULT:
3464 b0 = gen_protochain(v, Q_IP, dir);
3465 b = gen_protochain(v, Q_IPV6, dir);
3466 gen_or(b0, b);
3467 return b;
3468 default:
3469 bpf_error("bad protocol applied for 'protochain'");
3470 /*NOTREACHED*/
3471 }
3472
3473 no_optimize = 1; /*this code is not compatible with optimzer yet */
3474
3475 /*
3476 * s[0] is a dummy entry to protect other BPF insn from damage
3477 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
3478 * hard to find interdependency made by jump table fixup.
3479 */
3480 i = 0;
3481 s[i] = new_stmt(0); /*dummy*/
3482 i++;
3483
3484 switch (proto) {
3485 case Q_IP:
3486 b0 = gen_linktype(ETHERTYPE_IP);
3487
3488 /* A = ip->ip_p */
3489 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3490 s[i]->s.k = off_nl + 9;
3491 i++;
3492 /* X = ip->ip_hl << 2 */
3493 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3494 s[i]->s.k = off_nl;
3495 i++;
3496 break;
3497 #ifdef INET6
3498 case Q_IPV6:
3499 b0 = gen_linktype(ETHERTYPE_IPV6);
3500
3501 /* A = ip6->ip_nxt */
3502 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3503 s[i]->s.k = off_nl + 6;
3504 i++;
3505 /* X = sizeof(struct ip6_hdr) */
3506 s[i] = new_stmt(BPF_LDX|BPF_IMM);
3507 s[i]->s.k = 40;
3508 i++;
3509 break;
3510 #endif
3511 default:
3512 bpf_error("unsupported proto to gen_protochain");
3513 /*NOTREACHED*/
3514 }
3515
3516 /* again: if (A == v) goto end; else fall through; */
3517 again = i;
3518 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3519 s[i]->s.k = v;
3520 s[i]->s.jt = NULL; /*later*/
3521 s[i]->s.jf = NULL; /*update in next stmt*/
3522 fix5 = i;
3523 i++;
3524
3525 #ifndef IPPROTO_NONE
3526 #define IPPROTO_NONE 59
3527 #endif
3528 /* if (A == IPPROTO_NONE) goto end */
3529 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3530 s[i]->s.jt = NULL; /*later*/
3531 s[i]->s.jf = NULL; /*update in next stmt*/
3532 s[i]->s.k = IPPROTO_NONE;
3533 s[fix5]->s.jf = s[i];
3534 fix2 = i;
3535 i++;
3536
3537 #ifdef INET6
3538 if (proto == Q_IPV6) {
3539 int v6start, v6end, v6advance, j;
3540
3541 v6start = i;
3542 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
3543 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3544 s[i]->s.jt = NULL; /*later*/
3545 s[i]->s.jf = NULL; /*update in next stmt*/
3546 s[i]->s.k = IPPROTO_HOPOPTS;
3547 s[fix2]->s.jf = s[i];
3548 i++;
3549 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
3550 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3551 s[i]->s.jt = NULL; /*later*/
3552 s[i]->s.jf = NULL; /*update in next stmt*/
3553 s[i]->s.k = IPPROTO_DSTOPTS;
3554 i++;
3555 /* if (A == IPPROTO_ROUTING) goto v6advance */
3556 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3557 s[i]->s.jt = NULL; /*later*/
3558 s[i]->s.jf = NULL; /*update in next stmt*/
3559 s[i]->s.k = IPPROTO_ROUTING;
3560 i++;
3561 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
3562 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3563 s[i]->s.jt = NULL; /*later*/
3564 s[i]->s.jf = NULL; /*later*/
3565 s[i]->s.k = IPPROTO_FRAGMENT;
3566 fix3 = i;
3567 v6end = i;
3568 i++;
3569
3570 /* v6advance: */
3571 v6advance = i;
3572
3573 /*
3574 * in short,
3575 * A = P[X];
3576 * X = X + (P[X + 1] + 1) * 8;
3577 */
3578 /* A = X */
3579 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3580 i++;
3581 /* A = P[X + packet head] */
3582 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3583 s[i]->s.k = off_nl;
3584 i++;
3585 /* MEM[reg2] = A */
3586 s[i] = new_stmt(BPF_ST);
3587 s[i]->s.k = reg2;
3588 i++;
3589 /* A = X */
3590 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3591 i++;
3592 /* A += 1 */
3593 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3594 s[i]->s.k = 1;
3595 i++;
3596 /* X = A */
3597 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3598 i++;
3599 /* A = P[X + packet head]; */
3600 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3601 s[i]->s.k = off_nl;
3602 i++;
3603 /* A += 1 */
3604 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3605 s[i]->s.k = 1;
3606 i++;
3607 /* A *= 8 */
3608 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3609 s[i]->s.k = 8;
3610 i++;
3611 /* X = A; */
3612 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3613 i++;
3614 /* A = MEM[reg2] */
3615 s[i] = new_stmt(BPF_LD|BPF_MEM);
3616 s[i]->s.k = reg2;
3617 i++;
3618
3619 /* goto again; (must use BPF_JA for backward jump) */
3620 s[i] = new_stmt(BPF_JMP|BPF_JA);
3621 s[i]->s.k = again - i - 1;
3622 s[i - 1]->s.jf = s[i];
3623 i++;
3624
3625 /* fixup */
3626 for (j = v6start; j <= v6end; j++)
3627 s[j]->s.jt = s[v6advance];
3628 } else
3629 #endif
3630 {
3631 /* nop */
3632 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3633 s[i]->s.k = 0;
3634 s[fix2]->s.jf = s[i];
3635 i++;
3636 }
3637
3638 /* ahcheck: */
3639 ahcheck = i;
3640 /* if (A == IPPROTO_AH) then fall through; else goto end; */
3641 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3642 s[i]->s.jt = NULL; /*later*/
3643 s[i]->s.jf = NULL; /*later*/
3644 s[i]->s.k = IPPROTO_AH;
3645 if (fix3)
3646 s[fix3]->s.jf = s[ahcheck];
3647 fix4 = i;
3648 i++;
3649
3650 /*
3651 * in short,
3652 * A = P[X];
3653 * X = X + (P[X + 1] + 2) * 4;
3654 */
3655 /* A = X */
3656 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3657 i++;
3658 /* A = P[X + packet head]; */
3659 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3660 s[i]->s.k = off_nl;
3661 i++;
3662 /* MEM[reg2] = A */
3663 s[i] = new_stmt(BPF_ST);
3664 s[i]->s.k = reg2;
3665 i++;
3666 /* A = X */
3667 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3668 i++;
3669 /* A += 1 */
3670 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3671 s[i]->s.k = 1;
3672 i++;
3673 /* X = A */
3674 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3675 i++;
3676 /* A = P[X + packet head] */
3677 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3678 s[i]->s.k = off_nl;
3679 i++;
3680 /* A += 2 */
3681 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3682 s[i]->s.k = 2;
3683 i++;
3684 /* A *= 4 */
3685 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3686 s[i]->s.k = 4;
3687 i++;
3688 /* X = A; */
3689 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3690 i++;
3691 /* A = MEM[reg2] */
3692 s[i] = new_stmt(BPF_LD|BPF_MEM);
3693 s[i]->s.k = reg2;
3694 i++;
3695
3696 /* goto again; (must use BPF_JA for backward jump) */
3697 s[i] = new_stmt(BPF_JMP|BPF_JA);
3698 s[i]->s.k = again - i - 1;
3699 i++;
3700
3701 /* end: nop */
3702 end = i;
3703 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3704 s[i]->s.k = 0;
3705 s[fix2]->s.jt = s[end];
3706 s[fix4]->s.jf = s[end];
3707 s[fix5]->s.jt = s[end];
3708 i++;
3709
3710 /*
3711 * make slist chain
3712 */
3713 max = i;
3714 for (i = 0; i < max - 1; i++)
3715 s[i]->next = s[i + 1];
3716 s[max - 1]->next = NULL;
3717
3718 /*
3719 * emit final check
3720 */
3721 b = new_block(JMP(BPF_JEQ));
3722 b->stmts = s[1]; /*remember, s[0] is dummy*/
3723 b->s.k = v;
3724
3725 free_reg(reg2);
3726
3727 gen_and(b0, b);
3728 return b;
3729 #endif
3730 }
3731
3732 /*
3733 * Generate code that checks whether the packet is a packet for protocol
3734 * <proto> and whether the type field in that protocol's header has
3735 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
3736 * IP packet and checks the protocol number in the IP header against <v>.
3737 *
3738 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
3739 * against Q_IP and Q_IPV6.
3740 */
3741 static struct block *
3742 gen_proto(v, proto, dir)
3743 int v;
3744 int proto;
3745 int dir;
3746 {
3747 struct block *b0, *b1;
3748
3749 if (dir != Q_DEFAULT)
3750 bpf_error("direction applied to 'proto'");
3751
3752 switch (proto) {
3753 case Q_DEFAULT:
3754 #ifdef INET6
3755 b0 = gen_proto(v, Q_IP, dir);
3756 b1 = gen_proto(v, Q_IPV6, dir);
3757 gen_or(b0, b1);
3758 return b1;
3759 #else
3760 /*FALLTHROUGH*/
3761 #endif
3762 case Q_IP:
3763 /*
3764 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3765 * not LLC encapsulation with LLCSAP_IP.
3766 *
3767 * For IEEE 802 networks - which includes 802.5 token ring
3768 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3769 * says that SNAP encapsulation is used, not LLC encapsulation
3770 * with LLCSAP_IP.
3771 *
3772 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3773 * RFC 2225 say that SNAP encapsulation is used, not LLC
3774 * encapsulation with LLCSAP_IP.
3775 *
3776 * So we always check for ETHERTYPE_IP.
3777 */
3778 b0 = gen_linktype(ETHERTYPE_IP);
3779 #ifndef CHASE_CHAIN
3780 b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
3781 #else
3782 b1 = gen_protochain(v, Q_IP);
3783 #endif
3784 gen_and(b0, b1);
3785 return b1;
3786
3787 case Q_ISO:
3788 switch (linktype) {
3789
3790 case DLT_FRELAY:
3791 /*
3792 * Frame Relay packets typically have an OSI
3793 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
3794 * generates code to check for all the OSI
3795 * NLPIDs, so calling it and then adding a check
3796 * for the particular NLPID for which we're
3797 * looking is bogus, as we can just check for
3798 * the NLPID.
3799 *
3800 * What we check for is the NLPID and a frame
3801 * control field value of UI, i.e. 0x03 followed
3802 * by the NLPID.
3803 *
3804 * XXX - assumes a 2-byte Frame Relay header with
3805 * DLCI and flags. What if the address is longer?
3806 *
3807 * XXX - what about SNAP-encapsulated frames?
3808 */
3809 return gen_cmp(2, BPF_H, (0x03<<8) | v);
3810 /*NOTREACHED*/
3811 break;
3812
3813 case DLT_C_HDLC:
3814 /*
3815 * Cisco uses an Ethertype lookalike - for OSI,
3816 * it's 0xfefe.
3817 */
3818 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
3819 /* OSI in C-HDLC is stuffed with a fudge byte */
3820 b1 = gen_cmp(off_nl_nosnap+1, BPF_B, (long)v);
3821 gen_and(b0, b1);
3822 return b1;
3823
3824 default:
3825 b0 = gen_linktype(LLCSAP_ISONS);
3826 b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
3827 gen_and(b0, b1);
3828 return b1;
3829 }
3830
3831 case Q_ISIS:
3832 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3833 /*
3834 * 4 is the offset of the PDU type relative to the IS-IS
3835 * header.
3836 */
3837 b1 = gen_cmp(off_nl_nosnap+4, BPF_B, (long)v);
3838 gen_and(b0, b1);
3839 return b1;
3840
3841 case Q_ARP:
3842 bpf_error("arp does not encapsulate another protocol");
3843 /* NOTREACHED */
3844
3845 case Q_RARP:
3846 bpf_error("rarp does not encapsulate another protocol");
3847 /* NOTREACHED */
3848
3849 case Q_ATALK:
3850 bpf_error("atalk encapsulation is not specifiable");
3851 /* NOTREACHED */
3852
3853 case Q_DECNET:
3854 bpf_error("decnet encapsulation is not specifiable");
3855 /* NOTREACHED */
3856
3857 case Q_SCA:
3858 bpf_error("sca does not encapsulate another protocol");
3859 /* NOTREACHED */
3860
3861 case Q_LAT:
3862 bpf_error("lat does not encapsulate another protocol");
3863 /* NOTREACHED */
3864
3865 case Q_MOPRC:
3866 bpf_error("moprc does not encapsulate another protocol");
3867 /* NOTREACHED */
3868
3869 case Q_MOPDL:
3870 bpf_error("mopdl does not encapsulate another protocol");
3871 /* NOTREACHED */
3872
3873 case Q_LINK:
3874 return gen_linktype(v);
3875
3876 case Q_UDP:
3877 bpf_error("'udp proto' is bogus");
3878 /* NOTREACHED */
3879
3880 case Q_TCP:
3881 bpf_error("'tcp proto' is bogus");
3882 /* NOTREACHED */
3883
3884 case Q_SCTP:
3885 bpf_error("'sctp proto' is bogus");
3886 /* NOTREACHED */
3887
3888 case Q_ICMP:
3889 bpf_error("'icmp proto' is bogus");
3890 /* NOTREACHED */
3891
3892 case Q_IGMP:
3893 bpf_error("'igmp proto' is bogus");
3894 /* NOTREACHED */
3895
3896 case Q_IGRP:
3897 bpf_error("'igrp proto' is bogus");
3898 /* NOTREACHED */
3899
3900 case Q_PIM:
3901 bpf_error("'pim proto' is bogus");
3902 /* NOTREACHED */
3903
3904 case Q_VRRP:
3905 bpf_error("'vrrp proto' is bogus");
3906 /* NOTREACHED */
3907
3908 #ifdef INET6
3909 case Q_IPV6:
3910 b0 = gen_linktype(ETHERTYPE_IPV6);
3911 #ifndef CHASE_CHAIN
3912 b1 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)v);
3913 #else
3914 b1 = gen_protochain(v, Q_IPV6);
3915 #endif
3916 gen_and(b0, b1);
3917 return b1;
3918
3919 case Q_ICMPV6:
3920 bpf_error("'icmp6 proto' is bogus");
3921 #endif /* INET6 */
3922
3923 case Q_AH:
3924 bpf_error("'ah proto' is bogus");
3925
3926 case Q_ESP:
3927 bpf_error("'ah proto' is bogus");
3928
3929 case Q_STP:
3930 bpf_error("'stp proto' is bogus");
3931
3932 case Q_IPX:
3933 bpf_error("'ipx proto' is bogus");
3934
3935 case Q_NETBEUI:
3936 bpf_error("'netbeui proto' is bogus");
3937
3938 default:
3939 abort();
3940 /* NOTREACHED */
3941 }
3942 /* NOTREACHED */
3943 }
3944
3945 struct block *
3946 gen_scode(name, q)
3947 register const char *name;
3948 struct qual q;
3949 {
3950 int proto = q.proto;
3951 int dir = q.dir;
3952 int tproto;
3953 u_char *eaddr;
3954 bpf_u_int32 mask, addr;
3955 #ifndef INET6
3956 bpf_u_int32 **alist;
3957 #else
3958 int tproto6;
3959 struct sockaddr_in *sin;
3960 struct sockaddr_in6 *sin6;
3961 struct addrinfo *res, *res0;
3962 struct in6_addr mask128;
3963 #endif /*INET6*/
3964 struct block *b, *tmp;
3965 int port, real_proto;
3966
3967 switch (q.addr) {
3968
3969 case Q_NET:
3970 addr = pcap_nametonetaddr(name);
3971 if (addr == 0)
3972 bpf_error("unknown network '%s'", name);
3973 /* Left justify network addr and calculate its network mask */
3974 mask = 0xffffffff;
3975 while (addr && (addr & 0xff000000) == 0) {
3976 addr <<= 8;
3977 mask <<= 8;
3978 }
3979 return gen_host(addr, mask, proto, dir);
3980
3981 case Q_DEFAULT:
3982 case Q_HOST:
3983 if (proto == Q_LINK) {
3984 switch (linktype) {
3985
3986 case DLT_EN10MB:
3987 eaddr = pcap_ether_hostton(name);
3988 if (eaddr == NULL)
3989 bpf_error(
3990 "unknown ether host '%s'", name);
3991 b = gen_ehostop(eaddr, dir);
3992 free(eaddr);
3993 return b;
3994
3995 case DLT_FDDI:
3996 eaddr = pcap_ether_hostton(name);
3997 if (eaddr == NULL)
3998 bpf_error(
3999 "unknown FDDI host '%s'", name);
4000 b = gen_fhostop(eaddr, dir);
4001 free(eaddr);
4002 return b;
4003
4004 case DLT_IEEE802:
4005 eaddr = pcap_ether_hostton(name);
4006 if (eaddr == NULL)
4007 bpf_error(
4008 "unknown token ring host '%s'", name);
4009 b = gen_thostop(eaddr, dir);
4010 free(eaddr);
4011 return b;
4012
4013 case DLT_IEEE802_11:
4014 eaddr = pcap_ether_hostton(name);
4015 if (eaddr == NULL)
4016 bpf_error(
4017 "unknown 802.11 host '%s'", name);
4018 b = gen_wlanhostop(eaddr, dir);
4019 free(eaddr);
4020 return b;
4021
4022 case DLT_IP_OVER_FC:
4023 eaddr = pcap_ether_hostton(name);
4024 if (eaddr == NULL)
4025 bpf_error(
4026 "unknown Fibre Channel host '%s'", name);
4027 b = gen_ipfchostop(eaddr, dir);
4028 free(eaddr);
4029 return b;
4030
4031 case DLT_SUNATM:
4032 if (!is_lane)
4033 break;
4034
4035 /*
4036 * Check that the packet doesn't begin
4037 * with an LE Control marker. (We've
4038 * already generated a test for LANE.)
4039 */
4040 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H,
4041 0xFF00);
4042 gen_not(tmp);
4043
4044 eaddr = pcap_ether_hostton(name);
4045 if (eaddr == NULL)
4046 bpf_error(
4047 "unknown ether host '%s'", name);
4048 b = gen_ehostop(eaddr, dir);
4049 gen_and(tmp, b);
4050 free(eaddr);
4051 return b;
4052 }
4053
4054 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
4055 } else if (proto == Q_DECNET) {
4056 unsigned short dn_addr = __pcap_nametodnaddr(name);
4057 /*
4058 * I don't think DECNET hosts can be multihomed, so
4059 * there is no need to build up a list of addresses
4060 */
4061 return (gen_host(dn_addr, 0, proto, dir));
4062 } else {
4063 #ifndef INET6
4064 alist = pcap_nametoaddr(name);
4065 if (alist == NULL || *alist == NULL)
4066 bpf_error("unknown host '%s'", name);
4067 tproto = proto;
4068 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
4069 tproto = Q_IP;
4070 b = gen_host(**alist++, 0xffffffff, tproto, dir);
4071 while (*alist) {
4072 tmp = gen_host(**alist++, 0xffffffff,
4073 tproto, dir);
4074 gen_or(b, tmp);
4075 b = tmp;
4076 }
4077 return b;
4078 #else
4079 memset(&mask128, 0xff, sizeof(mask128));
4080 res0 = res = pcap_nametoaddrinfo(name);
4081 if (res == NULL)
4082 bpf_error("unknown host '%s'", name);
4083 b = tmp = NULL;
4084 tproto = tproto6 = proto;
4085 if (off_linktype == -1 && tproto == Q_DEFAULT) {
4086 tproto = Q_IP;
4087 tproto6 = Q_IPV6;
4088 }
4089 for (res = res0; res; res = res->ai_next) {
4090 switch (res->ai_family) {
4091 case AF_INET:
4092 if (tproto == Q_IPV6)
4093 continue;
4094
4095 sin = (struct sockaddr_in *)
4096 res->ai_addr;
4097 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4098 0xffffffff, tproto, dir);
4099 break;
4100 case AF_INET6:
4101 if (tproto6 == Q_IP)
4102 continue;
4103
4104 sin6 = (struct sockaddr_in6 *)
4105 res->ai_addr;
4106 tmp = gen_host6(&sin6->sin6_addr,
4107 &mask128, tproto6, dir);
4108 break;
4109 default:
4110 continue;
4111 }
4112 if (b)
4113 gen_or(b, tmp);
4114 b = tmp;
4115 }
4116 freeaddrinfo(res0);
4117 if (b == NULL) {
4118 bpf_error("unknown host '%s'%s", name,
4119 (proto == Q_DEFAULT)
4120 ? ""
4121 : " for specified address family");
4122 }
4123 return b;
4124 #endif /*INET6*/
4125 }
4126
4127 case Q_PORT:
4128 if (proto != Q_DEFAULT &&
4129 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4130 bpf_error("illegal qualifier of 'port'");
4131 if (pcap_nametoport(name, &port, &real_proto) == 0)
4132 bpf_error("unknown port '%s'", name);
4133 if (proto == Q_UDP) {
4134 if (real_proto == IPPROTO_TCP)
4135 bpf_error("port '%s' is tcp", name);
4136 else if (real_proto == IPPROTO_SCTP)
4137 bpf_error("port '%s' is sctp", name);
4138 else
4139 /* override PROTO_UNDEF */
4140 real_proto = IPPROTO_UDP;
4141 }
4142 if (proto == Q_TCP) {
4143 if (real_proto == IPPROTO_UDP)
4144 bpf_error("port '%s' is udp", name);
4145
4146 else if (real_proto == IPPROTO_SCTP)
4147 bpf_error("port '%s' is sctp", name);
4148 else
4149 /* override PROTO_UNDEF */
4150 real_proto = IPPROTO_TCP;
4151 }
4152 if (proto == Q_SCTP) {
4153 if (real_proto == IPPROTO_UDP)
4154 bpf_error("port '%s' is udp", name);
4155
4156 else if (real_proto == IPPROTO_TCP)
4157 bpf_error("port '%s' is tcp", name);
4158 else
4159 /* override PROTO_UNDEF */
4160 real_proto = IPPROTO_SCTP;
4161 }
4162 #ifndef INET6
4163 return gen_port(port, real_proto, dir);
4164 #else
4165 {
4166 struct block *b;
4167 b = gen_port(port, real_proto, dir);
4168 gen_or(gen_port6(port, real_proto, dir), b);
4169 return b;
4170 }
4171 #endif /* INET6 */
4172
4173 case Q_GATEWAY:
4174 #ifndef INET6
4175 eaddr = pcap_ether_hostton(name);
4176 if (eaddr == NULL)
4177 bpf_error("unknown ether host: %s", name);
4178
4179 alist = pcap_nametoaddr(name);
4180 if (alist == NULL || *alist == NULL)
4181 bpf_error("unknown host '%s'", name);
4182 b = gen_gateway(eaddr, alist, proto, dir);
4183 free(eaddr);
4184 return b;
4185 #else
4186 bpf_error("'gateway' not supported in this configuration");
4187 #endif /*INET6*/
4188
4189 case Q_PROTO:
4190 real_proto = lookup_proto(name, proto);
4191 if (real_proto >= 0)
4192 return gen_proto(real_proto, proto, dir);
4193 else
4194 bpf_error("unknown protocol: %s", name);
4195
4196 case Q_PROTOCHAIN:
4197 real_proto = lookup_proto(name, proto);
4198 if (real_proto >= 0)
4199 return gen_protochain(real_proto, proto, dir);
4200 else
4201 bpf_error("unknown protocol: %s", name);
4202
4203
4204 case Q_UNDEF:
4205 syntax();
4206 /* NOTREACHED */
4207 }
4208 abort();
4209 /* NOTREACHED */
4210 }
4211
4212 struct block *
4213 gen_mcode(s1, s2, masklen, q)
4214 register const char *s1, *s2;
4215 register int masklen;
4216 struct qual q;
4217 {
4218 register int nlen, mlen;
4219 bpf_u_int32 n, m;
4220
4221 nlen = __pcap_atoin(s1, &n);
4222 /* Promote short ipaddr */
4223 n <<= 32 - nlen;
4224
4225 if (s2 != NULL) {
4226 mlen = __pcap_atoin(s2, &m);
4227 /* Promote short ipaddr */
4228 m <<= 32 - mlen;
4229 if ((n & ~m) != 0)
4230 bpf_error("non-network bits set in \"%s mask %s\"",
4231 s1, s2);
4232 } else {
4233 /* Convert mask len to mask */
4234 if (masklen > 32)
4235 bpf_error("mask length must be <= 32");
4236 m = 0xffffffff << (32 - masklen);
4237 if ((n & ~m) != 0)
4238 bpf_error("non-network bits set in \"%s/%d\"",
4239 s1, masklen);
4240 }
4241
4242 switch (q.addr) {
4243
4244 case Q_NET:
4245 return gen_host(n, m, q.proto, q.dir);
4246
4247 default:
4248 bpf_error("Mask syntax for networks only");
4249 /* NOTREACHED */
4250 }
4251 /* NOTREACHED */
4252 }
4253
4254 struct block *
4255 gen_ncode(s, v, q)
4256 register const char *s;
4257 bpf_u_int32 v;
4258 struct qual q;
4259 {
4260 bpf_u_int32 mask;
4261 int proto = q.proto;
4262 int dir = q.dir;
4263 register int vlen;
4264
4265 if (s == NULL)
4266 vlen = 32;
4267 else if (q.proto == Q_DECNET)
4268 vlen = __pcap_atodn(s, &v);
4269 else
4270 vlen = __pcap_atoin(s, &v);
4271
4272 switch (q.addr) {
4273
4274 case Q_DEFAULT:
4275 case Q_HOST:
4276 case Q_NET:
4277 if (proto == Q_DECNET)
4278 return gen_host(v, 0, proto, dir);
4279 else if (proto == Q_LINK) {
4280 bpf_error("illegal link layer address");
4281 } else {
4282 mask = 0xffffffff;
4283 if (s == NULL && q.addr == Q_NET) {
4284 /* Promote short net number */
4285 while (v && (v & 0xff000000) == 0) {
4286 v <<= 8;
4287 mask <<= 8;
4288 }
4289 } else {
4290 /* Promote short ipaddr */
4291 v <<= 32 - vlen;
4292 mask <<= 32 - vlen;
4293 }
4294 return gen_host(v, mask, proto, dir);
4295 }
4296
4297 case Q_PORT:
4298 if (proto == Q_UDP)
4299 proto = IPPROTO_UDP;
4300 else if (proto == Q_TCP)
4301 proto = IPPROTO_TCP;
4302 else if (proto == Q_SCTP)
4303 proto = IPPROTO_SCTP;
4304 else if (proto == Q_DEFAULT)
4305 proto = PROTO_UNDEF;
4306 else
4307 bpf_error("illegal qualifier of 'port'");
4308
4309 #ifndef INET6
4310 return gen_port((int)v, proto, dir);
4311 #else
4312 {
4313 struct block *b;
4314 b = gen_port((int)v, proto, dir);
4315 gen_or(gen_port6((int)v, proto, dir), b);
4316 return b;
4317 }
4318 #endif /* INET6 */
4319
4320 case Q_GATEWAY:
4321 bpf_error("'gateway' requires a name");
4322 /* NOTREACHED */
4323
4324 case Q_PROTO:
4325 return gen_proto((int)v, proto, dir);
4326
4327 case Q_PROTOCHAIN:
4328 return gen_protochain((int)v, proto, dir);
4329
4330 case Q_UNDEF:
4331 syntax();
4332 /* NOTREACHED */
4333
4334 default:
4335 abort();
4336 /* NOTREACHED */
4337 }
4338 /* NOTREACHED */
4339 }
4340
4341 #ifdef INET6
4342 struct block *
4343 gen_mcode6(s1, s2, masklen, q)
4344 register const char *s1, *s2;
4345 register int masklen;
4346 struct qual q;
4347 {
4348 struct addrinfo *res;
4349 struct in6_addr *addr;
4350 struct in6_addr mask;
4351 struct block *b;
4352 u_int32_t *a, *m;
4353
4354 if (s2)
4355 bpf_error("no mask %s supported", s2);
4356
4357 res = pcap_nametoaddrinfo(s1);
4358 if (!res)
4359 bpf_error("invalid ip6 address %s", s1);
4360 if (res->ai_next)
4361 bpf_error("%s resolved to multiple address", s1);
4362 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
4363
4364 if (sizeof(mask) * 8 < masklen)
4365 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
4366 memset(&mask, 0, sizeof(mask));
4367 memset(&mask, 0xff, masklen / 8);
4368 if (masklen % 8) {
4369 mask.s6_addr[masklen / 8] =
4370 (0xff << (8 - masklen % 8)) & 0xff;
4371 }
4372
4373 a = (u_int32_t *)addr;
4374 m = (u_int32_t *)&mask;
4375 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
4376 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
4377 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
4378 }
4379
4380 switch (q.addr) {
4381
4382 case Q_DEFAULT:
4383 case Q_HOST:
4384 if (masklen != 128)
4385 bpf_error("Mask syntax for networks only");
4386 /* FALLTHROUGH */
4387
4388 case Q_NET:
4389 b = gen_host6(addr, &mask, q.proto, q.dir);
4390 freeaddrinfo(res);
4391 return b;
4392
4393 default:
4394 bpf_error("invalid qualifier against IPv6 address");
4395 /* NOTREACHED */
4396 }
4397 }
4398 #endif /*INET6*/
4399
4400 struct block *
4401 gen_ecode(eaddr, q)
4402 register const u_char *eaddr;
4403 struct qual q;
4404 {
4405 struct block *b, *tmp;
4406
4407 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
4408 if (linktype == DLT_EN10MB)
4409 return gen_ehostop(eaddr, (int)q.dir);
4410 if (linktype == DLT_FDDI)
4411 return gen_fhostop(eaddr, (int)q.dir);
4412 if (linktype == DLT_IEEE802)
4413 return gen_thostop(eaddr, (int)q.dir);
4414 if (linktype == DLT_IEEE802_11)
4415 return gen_wlanhostop(eaddr, (int)q.dir);
4416 if (linktype == DLT_SUNATM && is_lane) {
4417 /*
4418 * Check that the packet doesn't begin with an
4419 * LE Control marker. (We've already generated
4420 * a test for LANE.)
4421 */
4422 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4423 gen_not(tmp);
4424
4425 /*
4426 * Now check the MAC address.
4427 */
4428 b = gen_ehostop(eaddr, (int)q.dir);
4429 gen_and(tmp, b);
4430 return b;
4431 }
4432 if (linktype == DLT_IP_OVER_FC)
4433 return gen_ipfchostop(eaddr, (int)q.dir);
4434 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4435 }
4436 bpf_error("ethernet address used in non-ether expression");
4437 /* NOTREACHED */
4438 }
4439
4440 void
4441 sappend(s0, s1)
4442 struct slist *s0, *s1;
4443 {
4444 /*
4445 * This is definitely not the best way to do this, but the
4446 * lists will rarely get long.
4447 */
4448 while (s0->next)
4449 s0 = s0->next;
4450 s0->next = s1;
4451 }
4452
4453 static struct slist *
4454 xfer_to_x(a)
4455 struct arth *a;
4456 {
4457 struct slist *s;
4458
4459 s = new_stmt(BPF_LDX|BPF_MEM);
4460 s->s.k = a->regno;
4461 return s;
4462 }
4463
4464 static struct slist *
4465 xfer_to_a(a)
4466 struct arth *a;
4467 {
4468 struct slist *s;
4469
4470 s = new_stmt(BPF_LD|BPF_MEM);
4471 s->s.k = a->regno;
4472 return s;
4473 }
4474
4475 struct arth *
4476 gen_load(proto, index, size)
4477 int proto;
4478 struct arth *index;
4479 int size;
4480 {
4481 struct slist *s, *tmp;
4482 struct block *b;
4483 int regno = alloc_reg();
4484
4485 free_reg(index->regno);
4486 switch (size) {
4487
4488 default:
4489 bpf_error("data size must be 1, 2, or 4");
4490
4491 case 1:
4492 size = BPF_B;
4493 break;
4494
4495 case 2:
4496 size = BPF_H;
4497 break;
4498
4499 case 4:
4500 size = BPF_W;
4501 break;
4502 }
4503 switch (proto) {
4504 default:
4505 bpf_error("unsupported index operation");
4506
4507 case Q_LINK:
4508 /*
4509 * XXX - what about ATM LANE? Should the index be
4510 * relative to the beginning of the AAL5 frame, so
4511 * that 0 refers to the beginning of the LE Control
4512 * field, or relative to the beginning of the LAN
4513 * frame, so that 0 refers, for Ethernet LANE, to
4514 * the beginning of the destination address?
4515 */
4516 s = xfer_to_x(index);
4517 tmp = new_stmt(BPF_LD|BPF_IND|size);
4518 sappend(s, tmp);
4519 sappend(index->s, s);
4520 break;
4521
4522 case Q_IP:
4523 case Q_ARP:
4524 case Q_RARP:
4525 case Q_ATALK:
4526 case Q_DECNET:
4527 case Q_SCA:
4528 case Q_LAT:
4529 case Q_MOPRC:
4530 case Q_MOPDL:
4531 #ifdef INET6
4532 case Q_IPV6:
4533 #endif
4534 /* XXX Note that we assume a fixed link header here. */
4535 s = xfer_to_x(index);
4536 tmp = new_stmt(BPF_LD|BPF_IND|size);
4537 tmp->s.k = off_nl;
4538 sappend(s, tmp);
4539 sappend(index->s, s);
4540
4541 b = gen_proto_abbrev(proto);
4542 if (index->b)
4543 gen_and(index->b, b);
4544 index->b = b;
4545 break;
4546
4547 case Q_SCTP:
4548 case Q_TCP:
4549 case Q_UDP:
4550 case Q_ICMP:
4551 case Q_IGMP:
4552 case Q_IGRP:
4553 case Q_PIM:
4554 case Q_VRRP:
4555 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4556 s->s.k = off_nl;
4557 sappend(s, xfer_to_a(index));
4558 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
4559 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
4560 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
4561 tmp->s.k = off_nl;
4562 sappend(index->s, s);
4563
4564 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
4565 if (index->b)
4566 gen_and(index->b, b);
4567 #ifdef INET6
4568 gen_and(gen_proto_abbrev(Q_IP), b);
4569 #endif
4570 index->b = b;
4571 break;
4572 #ifdef INET6
4573 case Q_ICMPV6:
4574 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
4575 /*NOTREACHED*/
4576 #endif
4577 }
4578 index->regno = regno;
4579 s = new_stmt(BPF_ST);
4580 s->s.k = regno;
4581 sappend(index->s, s);
4582
4583 return index;
4584 }
4585
4586 struct block *
4587 gen_relation(code, a0, a1, reversed)
4588 int code;
4589 struct arth *a0, *a1;
4590 int reversed;
4591 {
4592 struct slist *s0, *s1, *s2;
4593 struct block *b, *tmp;
4594
4595 s0 = xfer_to_x(a1);
4596 s1 = xfer_to_a(a0);
4597 if (code == BPF_JEQ) {
4598 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
4599 b = new_block(JMP(code));
4600 sappend(s1, s2);
4601 }
4602 else
4603 b = new_block(BPF_JMP|code|BPF_X);
4604 if (reversed)
4605 gen_not(b);
4606
4607 sappend(s0, s1);
4608 sappend(a1->s, s0);
4609 sappend(a0->s, a1->s);
4610
4611 b->stmts = a0->s;
4612
4613 free_reg(a0->regno);
4614 free_reg(a1->regno);
4615
4616 /* 'and' together protocol checks */
4617 if (a0->b) {
4618 if (a1->b) {
4619 gen_and(a0->b, tmp = a1->b);
4620 }
4621 else
4622 tmp = a0->b;
4623 } else
4624 tmp = a1->b;
4625
4626 if (tmp)
4627 gen_and(tmp, b);
4628
4629 return b;
4630 }
4631
4632 struct arth *
4633 gen_loadlen()
4634 {
4635 int regno = alloc_reg();
4636 struct arth *a = (struct arth *)newchunk(sizeof(*a));
4637 struct slist *s;
4638
4639 s = new_stmt(BPF_LD|BPF_LEN);
4640 s->next = new_stmt(BPF_ST);
4641 s->next->s.k = regno;
4642 a->s = s;
4643 a->regno = regno;
4644
4645 return a;
4646 }
4647
4648 struct arth *
4649 gen_loadi(val)
4650 int val;
4651 {
4652 struct arth *a;
4653 struct slist *s;
4654 int reg;
4655
4656 a = (struct arth *)newchunk(sizeof(*a));
4657
4658 reg = alloc_reg();
4659
4660 s = new_stmt(BPF_LD|BPF_IMM);
4661 s->s.k = val;
4662 s->next = new_stmt(BPF_ST);
4663 s->next->s.k = reg;
4664 a->s = s;
4665 a->regno = reg;
4666
4667 return a;
4668 }
4669
4670 struct arth *
4671 gen_neg(a)
4672 struct arth *a;
4673 {
4674 struct slist *s;
4675
4676 s = xfer_to_a(a);
4677 sappend(a->s, s);
4678 s = new_stmt(BPF_ALU|BPF_NEG);
4679 s->s.k = 0;
4680 sappend(a->s, s);
4681 s = new_stmt(BPF_ST);
4682 s->s.k = a->regno;
4683 sappend(a->s, s);
4684
4685 return a;
4686 }
4687
4688 struct arth *
4689 gen_arth(code, a0, a1)
4690 int code;
4691 struct arth *a0, *a1;
4692 {
4693 struct slist *s0, *s1, *s2;
4694
4695 s0 = xfer_to_x(a1);
4696 s1 = xfer_to_a(a0);
4697 s2 = new_stmt(BPF_ALU|BPF_X|code);
4698
4699 sappend(s1, s2);
4700 sappend(s0, s1);
4701 sappend(a1->s, s0);
4702 sappend(a0->s, a1->s);
4703
4704 free_reg(a0->regno);
4705 free_reg(a1->regno);
4706
4707 s0 = new_stmt(BPF_ST);
4708 a0->regno = s0->s.k = alloc_reg();
4709 sappend(a0->s, s0);
4710
4711 return a0;
4712 }
4713
4714 /*
4715 * Here we handle simple allocation of the scratch registers.
4716 * If too many registers are alloc'd, the allocator punts.
4717 */
4718 static int regused[BPF_MEMWORDS];
4719 static int curreg;
4720
4721 /*
4722 * Return the next free register.
4723 */
4724 static int
4725 alloc_reg()
4726 {
4727 int n = BPF_MEMWORDS;
4728
4729 while (--n >= 0) {
4730 if (regused[curreg])
4731 curreg = (curreg + 1) % BPF_MEMWORDS;
4732 else {
4733 regused[curreg] = 1;
4734 return curreg;
4735 }
4736 }
4737 bpf_error("too many registers needed to evaluate expression");
4738 /* NOTREACHED */
4739 }
4740
4741 /*
4742 * Return a register to the table so it can
4743 * be used later.
4744 */
4745 static void
4746 free_reg(n)
4747 int n;
4748 {
4749 regused[n] = 0;
4750 }
4751
4752 static struct block *
4753 gen_len(jmp, n)
4754 int jmp, n;
4755 {
4756 struct slist *s;
4757 struct block *b;
4758
4759 s = new_stmt(BPF_LD|BPF_LEN);
4760 b = new_block(JMP(jmp));
4761 b->stmts = s;
4762 b->s.k = n;
4763
4764 return b;
4765 }
4766
4767 struct block *
4768 gen_greater(n)
4769 int n;
4770 {
4771 return gen_len(BPF_JGE, n);
4772 }
4773
4774 /*
4775 * Actually, this is less than or equal.
4776 */
4777 struct block *
4778 gen_less(n)
4779 int n;
4780 {
4781 struct block *b;
4782
4783 b = gen_len(BPF_JGT, n);
4784 gen_not(b);
4785
4786 return b;
4787 }
4788
4789 struct block *
4790 gen_byteop(op, idx, val)
4791 int op, idx, val;
4792 {
4793 struct block *b;
4794 struct slist *s;
4795
4796 switch (op) {
4797 default:
4798 abort();
4799
4800 case '=':
4801 return gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4802
4803 case '<':
4804 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4805 b->s.code = JMP(BPF_JGE);
4806 gen_not(b);
4807 return b;
4808
4809 case '>':
4810 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4811 b->s.code = JMP(BPF_JGT);
4812 return b;
4813
4814 case '|':
4815 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
4816 break;
4817
4818 case '&':
4819 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
4820 break;
4821 }
4822 s->s.k = val;
4823 b = new_block(JMP(BPF_JEQ));
4824 b->stmts = s;
4825 gen_not(b);
4826
4827 return b;
4828 }
4829
4830 static u_char abroadcast[] = { 0x0 };
4831
4832 struct block *
4833 gen_broadcast(proto)
4834 int proto;
4835 {
4836 bpf_u_int32 hostmask;
4837 struct block *b0, *b1, *b2;
4838 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
4839
4840 switch (proto) {
4841
4842 case Q_DEFAULT:
4843 case Q_LINK:
4844 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4845 return gen_ahostop(abroadcast, Q_DST);
4846 if (linktype == DLT_EN10MB)
4847 return gen_ehostop(ebroadcast, Q_DST);
4848 if (linktype == DLT_FDDI)
4849 return gen_fhostop(ebroadcast, Q_DST);
4850 if (linktype == DLT_IEEE802)
4851 return gen_thostop(ebroadcast, Q_DST);
4852 if (linktype == DLT_IEEE802_11)
4853 return gen_wlanhostop(ebroadcast, Q_DST);
4854 if (linktype == DLT_IP_OVER_FC)
4855 return gen_ipfchostop(ebroadcast, Q_DST);
4856 if (linktype == DLT_SUNATM && is_lane) {
4857 /*
4858 * Check that the packet doesn't begin with an
4859 * LE Control marker. (We've already generated
4860 * a test for LANE.)
4861 */
4862 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4863 gen_not(b1);
4864
4865 /*
4866 * Now check the MAC address.
4867 */
4868 b0 = gen_ehostop(ebroadcast, Q_DST);
4869 gen_and(b1, b0);
4870 return b0;
4871 }
4872 bpf_error("not a broadcast link");
4873 break;
4874
4875 case Q_IP:
4876 b0 = gen_linktype(ETHERTYPE_IP);
4877 hostmask = ~netmask;
4878 b1 = gen_mcmp(off_nl + 16, BPF_W, (bpf_int32)0, hostmask);
4879 b2 = gen_mcmp(off_nl + 16, BPF_W,
4880 (bpf_int32)(~0 & hostmask), hostmask);
4881 gen_or(b1, b2);
4882 gen_and(b0, b2);
4883 return b2;
4884 }
4885 bpf_error("only link-layer/IP broadcast filters supported");
4886 /* NOTREACHED */
4887 }
4888
4889 /*
4890 * Generate code to test the low-order bit of a MAC address (that's
4891 * the bottom bit of the *first* byte).
4892 */
4893 static struct block *
4894 gen_mac_multicast(offset)
4895 int offset;
4896 {
4897 register struct block *b0;
4898 register struct slist *s;
4899
4900 /* link[offset] & 1 != 0 */
4901 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4902 s->s.k = offset;
4903 b0 = new_block(JMP(BPF_JSET));
4904 b0->s.k = 1;
4905 b0->stmts = s;
4906 return b0;
4907 }
4908
4909 struct block *
4910 gen_multicast(proto)
4911 int proto;
4912 {
4913 register struct block *b0, *b1, *b2;
4914 register struct slist *s;
4915
4916 switch (proto) {
4917
4918 case Q_DEFAULT:
4919 case Q_LINK:
4920 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4921 /* all ARCnet multicasts use the same address */
4922 return gen_ahostop(abroadcast, Q_DST);
4923
4924 if (linktype == DLT_EN10MB) {
4925 /* ether[0] & 1 != 0 */
4926 return gen_mac_multicast(0);
4927 }
4928
4929 if (linktype == DLT_FDDI) {
4930 /*
4931 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
4932 *
4933 * XXX - was that referring to bit-order issues?
4934 */
4935 /* fddi[1] & 1 != 0 */
4936 return gen_mac_multicast(1);
4937 }
4938
4939 if (linktype == DLT_IEEE802) {
4940 /* tr[2] & 1 != 0 */
4941 return gen_mac_multicast(2);
4942 }
4943
4944 if (linktype == DLT_IEEE802_11) {
4945 /*
4946 * Oh, yuk.
4947 *
4948 * For control frames, there is no DA.
4949 *
4950 * For management frames, DA is at an
4951 * offset of 4 from the beginning of
4952 * the packet.
4953 *
4954 * For data frames, DA is at an offset
4955 * of 4 from the beginning of the packet
4956 * if To DS is clear and at an offset of
4957 * 16 from the beginning of the packet
4958 * if To DS is set.
4959 */
4960
4961 /*
4962 * Generate the tests to be done for data frames.
4963 *
4964 * First, check for To DS set, i.e. "link[1] & 0x01".
4965 */
4966 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4967 s->s.k = 1;
4968 b1 = new_block(JMP(BPF_JSET));
4969 b1->s.k = 0x01; /* To DS */
4970 b1->stmts = s;
4971
4972 /*
4973 * If To DS is set, the DA is at 16.
4974 */
4975 b0 = gen_mac_multicast(16);
4976 gen_and(b1, b0);
4977
4978 /*
4979 * Now, check for To DS not set, i.e. check
4980 * "!(link[1] & 0x01)".
4981 */
4982 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4983 s->s.k = 1;
4984 b2 = new_block(JMP(BPF_JSET));
4985 b2->s.k = 0x01; /* To DS */
4986 b2->stmts = s;
4987 gen_not(b2);
4988
4989 /*
4990 * If To DS is not set, the DA is at 4.
4991 */
4992 b1 = gen_mac_multicast(4);
4993 gen_and(b2, b1);
4994
4995 /*
4996 * Now OR together the last two checks. That gives
4997 * the complete set of checks for data frames.
4998 */
4999 gen_or(b1, b0);
5000
5001 /*
5002 * Now check for a data frame.
5003 * I.e, check "link[0] & 0x08".
5004 */
5005 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
5006 s->s.k = 0;
5007 b1 = new_block(JMP(BPF_JSET));
5008 b1->s.k = 0x08;
5009 b1->stmts = s;
5010
5011 /*
5012 * AND that with the checks done for data frames.
5013 */
5014 gen_and(b1, b0);
5015
5016 /*
5017 * If the high-order bit of the type value is 0, this
5018 * is a management frame.
5019 * I.e, check "!(link[0] & 0x08)".
5020 */
5021 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
5022 s->s.k = 0;
5023 b2 = new_block(JMP(BPF_JSET));
5024 b2->s.k = 0x08;
5025 b2->stmts = s;
5026 gen_not(b2);
5027
5028 /*
5029 * For management frames, the DA is at 4.
5030 */
5031 b1 = gen_mac_multicast(4);
5032 gen_and(b2, b1);
5033
5034 /*
5035 * OR that with the checks done for data frames.
5036 * That gives the checks done for management and
5037 * data frames.
5038 */
5039 gen_or(b1, b0);
5040
5041 /*
5042 * If the low-order bit of the type value is 1,
5043 * this is either a control frame or a frame
5044 * with a reserved type, and thus not a
5045 * frame with an SA.
5046 *
5047 * I.e., check "!(link[0] & 0x04)".
5048 */
5049 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
5050 s->s.k = 0;
5051 b1 = new_block(JMP(BPF_JSET));
5052 b1->s.k = 0x04;
5053 b1->stmts = s;
5054 gen_not(b1);
5055
5056 /*
5057 * AND that with the checks for data and management
5058 * frames.
5059 */
5060 gen_and(b1, b0);
5061 return b0;
5062 }
5063
5064 if (linktype == DLT_IP_OVER_FC) {
5065 b0 = gen_mac_multicast(2);
5066 return b0;
5067 }
5068
5069 if (linktype == DLT_SUNATM && is_lane) {
5070 /*
5071 * Check that the packet doesn't begin with an
5072 * LE Control marker. (We've already generated
5073 * a test for LANE.)
5074 */
5075 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
5076 gen_not(b1);
5077
5078 /* ether[off_mac] & 1 != 0 */
5079 b0 = gen_mac_multicast(off_mac);
5080 gen_and(b1, b0);
5081 return b0;
5082 }
5083
5084 /* Link not known to support multicasts */
5085 break;
5086
5087 case Q_IP:
5088 b0 = gen_linktype(ETHERTYPE_IP);
5089 b1 = gen_cmp(off_nl + 16, BPF_B, (bpf_int32)224);
5090 b1->s.code = JMP(BPF_JGE);
5091 gen_and(b0, b1);
5092 return b1;
5093
5094 #ifdef INET6
5095 case Q_IPV6:
5096 b0 = gen_linktype(ETHERTYPE_IPV6);
5097 b1 = gen_cmp(off_nl + 24, BPF_B, (bpf_int32)255);
5098 gen_and(b0, b1);
5099 return b1;
5100 #endif /* INET6 */
5101 }
5102 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
5103 /* NOTREACHED */
5104 }
5105
5106 /*
5107 * generate command for inbound/outbound. It's here so we can
5108 * make it link-type specific. 'dir' = 0 implies "inbound",
5109 * = 1 implies "outbound".
5110 */
5111 struct block *
5112 gen_inbound(dir)
5113 int dir;
5114 {
5115 register struct block *b0;
5116
5117 /*
5118 * Only some data link types support inbound/outbound qualifiers.
5119 */
5120 switch (linktype) {
5121 case DLT_SLIP:
5122 b0 = gen_relation(BPF_JEQ,
5123 gen_load(Q_LINK, gen_loadi(0), 1),
5124 gen_loadi(0),
5125 dir);
5126 break;
5127
5128 case DLT_LINUX_SLL:
5129 if (dir) {
5130 /*
5131 * Match packets sent by this machine.
5132 */
5133 b0 = gen_cmp(0, BPF_H, LINUX_SLL_OUTGOING);
5134 } else {
5135 /*
5136 * Match packets sent to this machine.
5137 * (No broadcast or multicast packets, or
5138 * packets sent to some other machine and
5139 * received promiscuously.)
5140 *
5141 * XXX - packets sent to other machines probably
5142 * shouldn't be matched, but what about broadcast
5143 * or multicast packets we received?
5144 */
5145 b0 = gen_cmp(0, BPF_H, LINUX_SLL_HOST);
5146 }
5147 break;
5148
5149 case DLT_PFLOG:
5150 b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
5151 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5152 break;
5153
5154 case DLT_PPP_PPPD:
5155 if (dir) {
5156 /* match outgoing packets */
5157 b0 = gen_cmp(0, BPF_B, PPP_PPPD_OUT);
5158 } else {
5159 /* match incoming packets */
5160 b0 = gen_cmp(0, BPF_B, PPP_PPPD_IN);
5161 }
5162 break;
5163
5164 case DLT_JUNIPER_MLFR:
5165 case DLT_JUNIPER_MLPPP:
5166 case DLT_JUNIPER_ATM1:
5167 case DLT_JUNIPER_ATM2:
5168 /* juniper flags (including direction) are stored
5169 * the byte after the 3-byte magic number */
5170 if (dir) {
5171 /* match outgoing packets */
5172 b0 = gen_mcmp(3, BPF_B, 0, 0x01);
5173 } else {
5174 /* match incoming packets */
5175 b0 = gen_mcmp(3, BPF_B, 1, 0x01);
5176 }
5177 break;
5178
5179 default:
5180 bpf_error("inbound/outbound not supported on linktype %d",
5181 linktype);
5182 b0 = NULL;
5183 /* NOTREACHED */
5184 }
5185 return (b0);
5186 }
5187
5188 /* PF firewall log matched interface */
5189 struct block *
5190 gen_pf_ifname(const char *ifname)
5191 {
5192 struct block *b0;
5193 u_int len, off;
5194
5195 if (linktype == DLT_PFLOG) {
5196 len = sizeof(((struct pfloghdr *)0)->ifname);
5197 off = offsetof(struct pfloghdr, ifname);
5198 } else {
5199 bpf_error("ifname not supported on linktype 0x%x", linktype);
5200 /* NOTREACHED */
5201 }
5202 if (strlen(ifname) >= len) {
5203 bpf_error("ifname interface names can only be %d characters",
5204 len-1);
5205 /* NOTREACHED */
5206 }
5207 b0 = gen_bcmp(off, strlen(ifname), (const u_char *)ifname);
5208 return (b0);
5209 }
5210
5211 /* PF firewall log matched interface */
5212 struct block *
5213 gen_pf_ruleset(char *ruleset)
5214 {
5215 struct block *b0;
5216
5217 if (linktype != DLT_PFLOG) {
5218 bpf_error("ruleset not supported on linktype 0x%x", linktype);
5219 /* NOTREACHED */
5220 }
5221 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
5222 bpf_error("ruleset names can only be %ld characters",
5223 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
5224 /* NOTREACHED */
5225 }
5226 b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
5227 strlen(ruleset), (const u_char *)ruleset);
5228 return (b0);
5229 }
5230
5231 /* PF firewall log rule number */
5232 struct block *
5233 gen_pf_rnr(int rnr)
5234 {
5235 struct block *b0;
5236
5237 if (linktype == DLT_PFLOG) {
5238 b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
5239 (bpf_int32)rnr);
5240 } else {
5241 bpf_error("rnr not supported on linktype 0x%x", linktype);
5242 /* NOTREACHED */
5243 }
5244
5245 return (b0);
5246 }
5247
5248 /* PF firewall log sub-rule number */
5249 struct block *
5250 gen_pf_srnr(int srnr)
5251 {
5252 struct block *b0;
5253
5254 if (linktype != DLT_PFLOG) {
5255 bpf_error("srnr not supported on linktype 0x%x", linktype);
5256 /* NOTREACHED */
5257 }
5258
5259 b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
5260 (bpf_int32)srnr);
5261 return (b0);
5262 }
5263
5264 /* PF firewall log reason code */
5265 struct block *
5266 gen_pf_reason(int reason)
5267 {
5268 struct block *b0;
5269
5270 if (linktype == DLT_PFLOG) {
5271 b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
5272 (bpf_int32)reason);
5273 } else {
5274 bpf_error("reason not supported on linktype 0x%x", linktype);
5275 /* NOTREACHED */
5276 }
5277
5278 return (b0);
5279 }
5280
5281 /* PF firewall log action */
5282 struct block *
5283 gen_pf_action(int action)
5284 {
5285 struct block *b0;
5286
5287 if (linktype == DLT_PFLOG) {
5288 b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
5289 (bpf_int32)action);
5290 } else {
5291 bpf_error("action not supported on linktype 0x%x", linktype);
5292 /* NOTREACHED */
5293 }
5294
5295 return (b0);
5296 }
5297
5298 struct block *
5299 gen_acode(eaddr, q)
5300 register const u_char *eaddr;
5301 struct qual q;
5302 {
5303 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5304 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5305 return gen_ahostop(eaddr, (int)q.dir);
5306 }
5307 bpf_error("ARCnet address used in non-arc expression");
5308 /* NOTREACHED */
5309 }
5310
5311 static struct block *
5312 gen_ahostop(eaddr, dir)
5313 register const u_char *eaddr;
5314 register int dir;
5315 {
5316 register struct block *b0, *b1;
5317
5318 switch (dir) {
5319 /* src comes first, different from Ethernet */
5320 case Q_SRC:
5321 return gen_bcmp(0, 1, eaddr);
5322
5323 case Q_DST:
5324 return gen_bcmp(1, 1, eaddr);
5325
5326 case Q_AND:
5327 b0 = gen_ahostop(eaddr, Q_SRC);
5328 b1 = gen_ahostop(eaddr, Q_DST);
5329 gen_and(b0, b1);
5330 return b1;
5331
5332 case Q_DEFAULT:
5333 case Q_OR:
5334 b0 = gen_ahostop(eaddr, Q_SRC);
5335 b1 = gen_ahostop(eaddr, Q_DST);
5336 gen_or(b0, b1);
5337 return b1;
5338 }
5339 abort();
5340 /* NOTREACHED */
5341 }
5342
5343 /*
5344 * support IEEE 802.1Q VLAN trunk over ethernet
5345 */
5346 struct block *
5347 gen_vlan(vlan_num)
5348 int vlan_num;
5349 {
5350 struct block *b0;
5351
5352 /*
5353 * Change the offsets to point to the type and data fields within
5354 * the VLAN packet. Just increment the offsets, so that we
5355 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
5356 * capture VLAN 200 encapsulated within VLAN 100.
5357 *
5358 * XXX - this is a bit of a kludge. If we were to split the
5359 * compiler into a parser that parses an expression and
5360 * generates an expression tree, and a code generator that
5361 * takes an expression tree (which could come from our
5362 * parser or from some other parser) and generates BPF code,
5363 * we could perhaps make the offsets parameters of routines
5364 * and, in the handler for an "AND" node, pass to subnodes
5365 * other than the VLAN node the adjusted offsets.
5366 *
5367 * This would mean that "vlan" would, instead of changing the
5368 * behavior of *all* tests after it, change only the behavior
5369 * of tests ANDed with it. That would change the documented
5370 * semantics of "vlan", which might break some expressions.
5371 * However, it would mean that "(vlan and ip) or ip" would check
5372 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
5373 * checking only for VLAN-encapsulated IP, so that could still
5374 * be considered worth doing; it wouldn't break expressions
5375 * that are of the form "vlan and ..." or "vlan N and ...",
5376 * which I suspect are the most common expressions involving
5377 * "vlan". "vlan or ..." doesn't necessarily do what the user
5378 * would really want, now, as all the "or ..." tests would
5379 * be done assuming a VLAN, even though the "or" could be viewed
5380 * as meaning "or, if this isn't a VLAN packet...".
5381 */
5382 orig_linktype = off_linktype; /* save original values */
5383 orig_nl = off_nl;
5384 orig_nl_nosnap = off_nl_nosnap;
5385
5386 switch (linktype) {
5387
5388 case DLT_EN10MB:
5389 off_linktype += 4;
5390 off_nl_nosnap += 4;
5391 off_nl += 4;
5392 break;
5393
5394 default:
5395 bpf_error("no VLAN support for data link type %d",
5396 linktype);
5397 /*NOTREACHED*/
5398 }
5399
5400 /* check for VLAN */
5401 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
5402
5403 /* If a specific VLAN is requested, check VLAN id */
5404 if (vlan_num >= 0) {
5405 struct block *b1;
5406
5407 b1 = gen_mcmp(orig_nl, BPF_H, (bpf_int32)vlan_num, 0x0fff);
5408 gen_and(b0, b1);
5409 b0 = b1;
5410 }
5411
5412 return (b0);
5413 }
5414
5415 /*
5416 * support for MPLS
5417 */
5418 struct block *
5419 gen_mpls(label_num)
5420 int label_num;
5421 {
5422 struct block *b0;
5423
5424 /*
5425 * Change the offsets to point to the type and data fields within
5426 * the MPLS packet. Just increment the offsets, so that we
5427 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
5428 * capture packets with an outer label of 100000 and an inner
5429 * label of 1024.
5430 *
5431 * XXX - this is a bit of a kludge. See comments in gen_vlan().
5432 */
5433 orig_linktype = off_linktype; /* save original values */
5434 orig_nl = off_nl;
5435 orig_nl_nosnap = off_nl_nosnap;
5436
5437 switch (linktype) {
5438
5439 case DLT_C_HDLC: /* fall through */
5440 case DLT_EN10MB:
5441 off_linktype += 4;
5442 off_nl_nosnap += 4;
5443 off_nl += 4;
5444
5445 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5446 break;
5447
5448 case DLT_PPP:
5449 off_linktype += 4;
5450 off_nl_nosnap += 4;
5451 off_nl += 4;
5452
5453 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)PPP_MPLS_UCAST);
5454 break;
5455
5456 /* FIXME add other DLT_s ...
5457 * for Frame-Relay/and ATM this may get messy due to SNAP headers
5458 * leave it for now */
5459
5460 default:
5461 bpf_error("no MPLS support for data link type %d",
5462 linktype);
5463 b0 = NULL;
5464 /*NOTREACHED*/
5465 break;
5466 }
5467
5468 /* If a specific MPLS label is requested, check it */
5469 if (label_num >= 0) {
5470 struct block *b1;
5471
5472 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
5473 b1 = gen_mcmp(orig_nl, BPF_W, (bpf_int32)label_num, 0xfffff000); /* only compare the first 20 bits */
5474 gen_and(b0, b1);
5475 b0 = b1;
5476 }
5477
5478 return (b0);
5479 }
5480
5481 struct block *
5482 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
5483 int atmfield;
5484 bpf_u_int32 jvalue;
5485 bpf_u_int32 jtype;
5486 int reverse;
5487 {
5488 struct block *b0;
5489
5490 switch (atmfield) {
5491
5492 case A_VPI:
5493 if (!is_atm)
5494 bpf_error("'vpi' supported only on raw ATM");
5495 if (off_vpi == (u_int)-1)
5496 abort();
5497 b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
5498 (u_int)jvalue, reverse);
5499 break;
5500
5501 case A_VCI:
5502 if (!is_atm)
5503 bpf_error("'vci' supported only on raw ATM");
5504 if (off_vci == (u_int)-1)
5505 abort();
5506 b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
5507 (u_int)jvalue, reverse);
5508 break;
5509
5510 case A_PROTOTYPE:
5511 if (off_proto == (u_int)-1)
5512 abort(); /* XXX - this isn't on FreeBSD */
5513 b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
5514 (u_int)jvalue, reverse);
5515 break;
5516
5517 case A_MSGTYPE:
5518 if (off_payload == (u_int)-1)
5519 abort();
5520 b0 = gen_ncmp(BPF_B, off_payload + MSG_TYPE_POS, 0xffffffff,
5521 (u_int)jtype, (u_int)jvalue, reverse);
5522 break;
5523
5524 case A_CALLREFTYPE:
5525 if (!is_atm)
5526 bpf_error("'callref' supported only on raw ATM");
5527 if (off_proto == (u_int)-1)
5528 abort();
5529 b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
5530 (u_int)jvalue, reverse);
5531 break;
5532
5533 default:
5534 abort();
5535 }
5536 return b0;
5537 }
5538
5539 struct block *
5540 gen_atmtype_abbrev(type)
5541 int type;
5542 {
5543 struct block *b0, *b1;
5544
5545 switch (type) {
5546
5547 case A_METAC:
5548 /* Get all packets in Meta signalling Circuit */
5549 if (!is_atm)
5550 bpf_error("'metac' supported only on raw ATM");
5551 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5552 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
5553 gen_and(b0, b1);
5554 break;
5555
5556 case A_BCC:
5557 /* Get all packets in Broadcast Circuit*/
5558 if (!is_atm)
5559 bpf_error("'bcc' supported only on raw ATM");
5560 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5561 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
5562 gen_and(b0, b1);
5563 break;
5564
5565 case A_OAMF4SC:
5566 /* Get all cells in Segment OAM F4 circuit*/
5567 if (!is_atm)
5568 bpf_error("'oam4sc' supported only on raw ATM");
5569 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5570 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5571 gen_and(b0, b1);
5572 break;
5573
5574 case A_OAMF4EC:
5575 /* Get all cells in End-to-End OAM F4 Circuit*/
5576 if (!is_atm)
5577 bpf_error("'oam4ec' supported only on raw ATM");
5578 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5579 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5580 gen_and(b0, b1);
5581 break;
5582
5583 case A_SC:
5584 /* Get all packets in connection Signalling Circuit */
5585 if (!is_atm)
5586 bpf_error("'sc' supported only on raw ATM");
5587 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5588 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
5589 gen_and(b0, b1);
5590 break;
5591
5592 case A_ILMIC:
5593 /* Get all packets in ILMI Circuit */
5594 if (!is_atm)
5595 bpf_error("'ilmic' supported only on raw ATM");
5596 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5597 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
5598 gen_and(b0, b1);
5599 break;
5600
5601 case A_LANE:
5602 /* Get all LANE packets */
5603 if (!is_atm)
5604 bpf_error("'lane' supported only on raw ATM");
5605 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
5606
5607 /*
5608 * Arrange that all subsequent tests assume LANE
5609 * rather than LLC-encapsulated packets, and set
5610 * the offsets appropriately for LANE-encapsulated
5611 * Ethernet.
5612 *
5613 * "off_mac" is the offset of the Ethernet header,
5614 * which is 2 bytes past the ATM pseudo-header
5615 * (skipping the pseudo-header and 2-byte LE Client
5616 * field). The other offsets are Ethernet offsets
5617 * relative to "off_mac".
5618 */
5619 is_lane = 1;
5620 off_mac = off_payload + 2; /* MAC header */
5621 off_linktype = off_mac + 12;
5622 off_nl = off_mac + 14; /* Ethernet II */
5623 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
5624 break;
5625
5626 case A_LLC:
5627 /* Get all LLC-encapsulated packets */
5628 if (!is_atm)
5629 bpf_error("'llc' supported only on raw ATM");
5630 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
5631 is_lane = 0;
5632 break;
5633
5634 default:
5635 abort();
5636 }
5637 return b1;
5638 }
5639
5640
5641 static struct block *
5642 gen_msg_abbrev(type)
5643 int type;
5644 {
5645 struct block *b1;
5646
5647 /*
5648 * Q.2931 signalling protocol messages for handling virtual circuits
5649 * establishment and teardown
5650 */
5651 switch (type) {
5652
5653 case A_SETUP:
5654 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
5655 break;
5656
5657 case A_CALLPROCEED:
5658 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
5659 break;
5660
5661 case A_CONNECT:
5662 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
5663 break;
5664
5665 case A_CONNECTACK:
5666 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
5667 break;
5668
5669 case A_RELEASE:
5670 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
5671 break;
5672
5673 case A_RELEASE_DONE:
5674 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
5675 break;
5676
5677 default:
5678 abort();
5679 }
5680 return b1;
5681 }
5682
5683 struct block *
5684 gen_atmmulti_abbrev(type)
5685 int type;
5686 {
5687 struct block *b0, *b1;
5688
5689 switch (type) {
5690
5691 case A_OAM:
5692 if (!is_atm)
5693 bpf_error("'oam' supported only on raw ATM");
5694 b1 = gen_atmmulti_abbrev(A_OAMF4);
5695 break;
5696
5697 case A_OAMF4:
5698 if (!is_atm)
5699 bpf_error("'oamf4' supported only on raw ATM");
5700 /* OAM F4 type */
5701 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5702 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5703 gen_or(b0, b1);
5704 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5705 gen_and(b0, b1);
5706 break;
5707
5708 case A_CONNECTMSG:
5709 /*
5710 * Get Q.2931 signalling messages for switched
5711 * virtual connection
5712 */
5713 if (!is_atm)
5714 bpf_error("'connectmsg' supported only on raw ATM");
5715 b0 = gen_msg_abbrev(A_SETUP);
5716 b1 = gen_msg_abbrev(A_CALLPROCEED);
5717 gen_or(b0, b1);
5718 b0 = gen_msg_abbrev(A_CONNECT);
5719 gen_or(b0, b1);
5720 b0 = gen_msg_abbrev(A_CONNECTACK);
5721 gen_or(b0, b1);
5722 b0 = gen_msg_abbrev(A_RELEASE);
5723 gen_or(b0, b1);
5724 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5725 gen_or(b0, b1);
5726 b0 = gen_atmtype_abbrev(A_SC);
5727 gen_and(b0, b1);
5728 break;
5729
5730 case A_METACONNECT:
5731 if (!is_atm)
5732 bpf_error("'metaconnect' supported only on raw ATM");
5733 b0 = gen_msg_abbrev(A_SETUP);
5734 b1 = gen_msg_abbrev(A_CALLPROCEED);
5735 gen_or(b0, b1);
5736 b0 = gen_msg_abbrev(A_CONNECT);
5737 gen_or(b0, b1);
5738 b0 = gen_msg_abbrev(A_RELEASE);
5739 gen_or(b0, b1);
5740 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5741 gen_or(b0, b1);
5742 b0 = gen_atmtype_abbrev(A_METAC);
5743 gen_and(b0, b1);
5744 break;
5745
5746 default:
5747 abort();
5748 }
5749 return b1;
5750 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism