1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 *
22 * $FreeBSD: stable/9/contrib/libpcap/gencode.c 252281 2013-06-27 00:31:21Z delphij $
23 */
24 #ifndef lint
25 static const char rcsid[] _U_ =
26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #ifdef WIN32
34 #include <pcap-stdinc.h>
35 #else /* WIN32 */
36 #if HAVE_INTTYPES_H
37 #include <inttypes.h>
38 #elif HAVE_STDINT_H
39 #include <stdint.h>
40 #endif
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
43 #endif
44 #include <sys/types.h>
45 #include <sys/socket.h>
46 #endif /* WIN32 */
47
48 /*
49 * XXX - why was this included even on UNIX?
50 */
51 #ifdef __MINGW32__
52 #include "ip6_misc.h"
53 #endif
54
55 #ifndef WIN32
56
57 #ifdef __NetBSD__
58 #include <sys/param.h>
59 #endif
60
61 #include <netinet/in.h>
62 #include <arpa/inet.h>
63
64 #endif /* WIN32 */
65
66 #include <stdlib.h>
67 #include <string.h>
68 #include <memory.h>
69 #include <setjmp.h>
70 #include <stdarg.h>
71
72 #ifdef MSDOS
73 #include "pcap-dos.h"
74 #endif
75
76 #include "pcap-int.h"
77
78 #include "ethertype.h"
79 #include "nlpid.h"
80 #include "llc.h"
81 #include "gencode.h"
82 #include "ieee80211.h"
83 #include "atmuni31.h"
84 #include "sunatmpos.h"
85 #include "ppp.h"
86 #include "pcap/sll.h"
87 #include "pcap/ipnet.h"
88 #include "arcnet.h"
89 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
90 #include <linux/types.h>
91 #include <linux/if_packet.h>
92 #include <linux/filter.h>
93 #endif
94 #ifdef HAVE_NET_PFVAR_H
95 #include <sys/socket.h>
96 #include <net/if.h>
97 #include <net/pfvar.h>
98 #include <net/if_pflog.h>
99 #endif
100 #ifndef offsetof
101 #define offsetof(s, e) ((size_t)&((s *)0)->e)
102 #endif
103 #ifdef INET6
104 #ifndef WIN32
105 #include <netdb.h> /* for "struct addrinfo" */
106 #endif /* WIN32 */
107 #endif /*INET6*/
108 #include <pcap/namedb.h>
109
110 #define ETHERMTU 1500
111
112 #ifndef IPPROTO_HOPOPTS
113 #define IPPROTO_HOPOPTS 0
114 #endif
115 #ifndef IPPROTO_ROUTING
116 #define IPPROTO_ROUTING 43
117 #endif
118 #ifndef IPPROTO_FRAGMENT
119 #define IPPROTO_FRAGMENT 44
120 #endif
121 #ifndef IPPROTO_DSTOPTS
122 #define IPPROTO_DSTOPTS 60
123 #endif
124 #ifndef IPPROTO_SCTP
125 #define IPPROTO_SCTP 132
126 #endif
127
128 #ifdef HAVE_OS_PROTO_H
129 #include "os-proto.h"
130 #endif
131
132 #define JMP(c) ((c)|BPF_JMP|BPF_K)
133
134 /* Locals */
135 static jmp_buf top_ctx;
136 static pcap_t *bpf_pcap;
137
138 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
139 #ifdef WIN32
140 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
141 #else
142 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
143 #endif
144
145 /* XXX */
146 #ifdef PCAP_FDDIPAD
147 static int pcap_fddipad;
148 #endif
149
150 /* VARARGS */
151 void
bpf_error(const char * fmt,...)152 bpf_error(const char *fmt, ...)
153 {
154 va_list ap;
155
156 va_start(ap, fmt);
157 if (bpf_pcap != NULL)
158 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
159 fmt, ap);
160 va_end(ap);
161 longjmp(top_ctx, 1);
162 /* NOTREACHED */
163 }
164
165 static void init_linktype(pcap_t *);
166
167 static void init_regs(void);
168 static int alloc_reg(void);
169 static void free_reg(int);
170
171 static struct block *root;
172
173 /*
174 * Value passed to gen_load_a() to indicate what the offset argument
175 * is relative to.
176 */
177 enum e_offrel {
178 OR_PACKET, /* relative to the beginning of the packet */
179 OR_LINK, /* relative to the beginning of the link-layer header */
180 OR_MACPL, /* relative to the end of the MAC-layer header */
181 OR_NET, /* relative to the network-layer header */
182 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
183 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
184 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
185 };
186
187 #ifdef INET6
188 /*
189 * As errors are handled by a longjmp, anything allocated must be freed
190 * in the longjmp handler, so it must be reachable from that handler.
191 * One thing that's allocated is the result of pcap_nametoaddrinfo();
192 * it must be freed with freeaddrinfo(). This variable points to any
193 * addrinfo structure that would need to be freed.
194 */
195 static struct addrinfo *ai;
196 #endif
197
198 /*
199 * We divy out chunks of memory rather than call malloc each time so
200 * we don't have to worry about leaking memory. It's probably
201 * not a big deal if all this memory was wasted but if this ever
202 * goes into a library that would probably not be a good idea.
203 *
204 * XXX - this *is* in a library....
205 */
206 #define NCHUNKS 16
207 #define CHUNK0SIZE 1024
208 struct chunk {
209 u_int n_left;
210 void *m;
211 };
212
213 static struct chunk chunks[NCHUNKS];
214 static int cur_chunk;
215
216 static void *newchunk(u_int);
217 static void freechunks(void);
218 static inline struct block *new_block(int);
219 static inline struct slist *new_stmt(int);
220 static struct block *gen_retblk(int);
221 static inline void syntax(void);
222
223 static void backpatch(struct block *, struct block *);
224 static void merge(struct block *, struct block *);
225 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
226 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
227 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
228 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
229 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
230 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
231 bpf_u_int32);
232 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
233 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
234 bpf_u_int32, bpf_u_int32, int, bpf_int32);
235 static struct slist *gen_load_llrel(u_int, u_int);
236 static struct slist *gen_load_macplrel(u_int, u_int);
237 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
238 static struct slist *gen_loadx_iphdrlen(void);
239 static struct block *gen_uncond(int);
240 static inline struct block *gen_true(void);
241 static inline struct block *gen_false(void);
242 static struct block *gen_ether_linktype(int);
243 static struct block *gen_ipnet_linktype(int);
244 static struct block *gen_linux_sll_linktype(int);
245 static struct slist *gen_load_prism_llprefixlen(void);
246 static struct slist *gen_load_avs_llprefixlen(void);
247 static struct slist *gen_load_radiotap_llprefixlen(void);
248 static struct slist *gen_load_ppi_llprefixlen(void);
249 static void insert_compute_vloffsets(struct block *);
250 static struct slist *gen_llprefixlen(void);
251 static struct slist *gen_off_macpl(void);
252 static int ethertype_to_ppptype(int);
253 static struct block *gen_linktype(int);
254 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
255 static struct block *gen_llc_linktype(int);
256 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
257 #ifdef INET6
258 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
259 #endif
260 static struct block *gen_ahostop(const u_char *, int);
261 static struct block *gen_ehostop(const u_char *, int);
262 static struct block *gen_fhostop(const u_char *, int);
263 static struct block *gen_thostop(const u_char *, int);
264 static struct block *gen_wlanhostop(const u_char *, int);
265 static struct block *gen_ipfchostop(const u_char *, int);
266 static struct block *gen_dnhostop(bpf_u_int32, int);
267 static struct block *gen_mpls_linktype(int);
268 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
269 #ifdef INET6
270 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
271 #endif
272 #ifndef INET6
273 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
274 #endif
275 static struct block *gen_ipfrag(void);
276 static struct block *gen_portatom(int, bpf_int32);
277 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
278 static struct block *gen_portatom6(int, bpf_int32);
279 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
280 struct block *gen_portop(int, int, int);
281 static struct block *gen_port(int, int, int);
282 struct block *gen_portrangeop(int, int, int, int);
283 static struct block *gen_portrange(int, int, int, int);
284 struct block *gen_portop6(int, int, int);
285 static struct block *gen_port6(int, int, int);
286 struct block *gen_portrangeop6(int, int, int, int);
287 static struct block *gen_portrange6(int, int, int, int);
288 static int lookup_proto(const char *, int);
289 static struct block *gen_protochain(int, int, int);
290 static struct block *gen_proto(int, int, int);
291 static struct slist *xfer_to_x(struct arth *);
292 static struct slist *xfer_to_a(struct arth *);
293 static struct block *gen_mac_multicast(int);
294 static struct block *gen_len(int, int);
295 static struct block *gen_check_802_11_data_frame(void);
296
297 static struct block *gen_ppi_dlt_check(void);
298 static struct block *gen_msg_abbrev(int type);
299
300 static void *
newchunk(n)301 newchunk(n)
302 u_int n;
303 {
304 struct chunk *cp;
305 int k;
306 size_t size;
307
308 #ifndef __NetBSD__
309 /* XXX Round up to nearest long. */
310 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
311 #else
312 /* XXX Round up to structure boundary. */
313 n = ALIGN(n);
314 #endif
315
316 cp = &chunks[cur_chunk];
317 if (n > cp->n_left) {
318 ++cp, k = ++cur_chunk;
319 if (k >= NCHUNKS)
320 bpf_error("out of memory");
321 size = CHUNK0SIZE << k;
322 cp->m = (void *)malloc(size);
323 if (cp->m == NULL)
324 bpf_error("out of memory");
325 memset((char *)cp->m, 0, size);
326 cp->n_left = size;
327 if (n > size)
328 bpf_error("out of memory");
329 }
330 cp->n_left -= n;
331 return (void *)((char *)cp->m + cp->n_left);
332 }
333
334 static void
freechunks()335 freechunks()
336 {
337 int i;
338
339 cur_chunk = 0;
340 for (i = 0; i < NCHUNKS; ++i)
341 if (chunks[i].m != NULL) {
342 free(chunks[i].m);
343 chunks[i].m = NULL;
344 }
345 }
346
347 /*
348 * A strdup whose allocations are freed after code generation is over.
349 */
350 char *
sdup(s)351 sdup(s)
352 register const char *s;
353 {
354 int n = strlen(s) + 1;
355 char *cp = newchunk(n);
356
357 strlcpy(cp, s, n);
358 return (cp);
359 }
360
361 static inline struct block *
new_block(code)362 new_block(code)
363 int code;
364 {
365 struct block *p;
366
367 p = (struct block *)newchunk(sizeof(*p));
368 p->s.code = code;
369 p->head = p;
370
371 return p;
372 }
373
374 static inline struct slist *
new_stmt(code)375 new_stmt(code)
376 int code;
377 {
378 struct slist *p;
379
380 p = (struct slist *)newchunk(sizeof(*p));
381 p->s.code = code;
382
383 return p;
384 }
385
386 static struct block *
gen_retblk(v)387 gen_retblk(v)
388 int v;
389 {
390 struct block *b = new_block(BPF_RET|BPF_K);
391
392 b->s.k = v;
393 return b;
394 }
395
396 static inline void
syntax()397 syntax()
398 {
399 bpf_error("syntax error in filter expression");
400 }
401
402 static bpf_u_int32 netmask;
403 static int snaplen;
404 int no_optimize;
405 #ifdef WIN32
406 static int
407 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
408 const char *buf, int optimize, bpf_u_int32 mask);
409
410 int
pcap_compile(pcap_t * p,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)411 pcap_compile(pcap_t *p, struct bpf_program *program,
412 const char *buf, int optimize, bpf_u_int32 mask)
413 {
414 int result;
415
416 EnterCriticalSection(&g_PcapCompileCriticalSection);
417
418 result = pcap_compile_unsafe(p, program, buf, optimize, mask);
419
420 LeaveCriticalSection(&g_PcapCompileCriticalSection);
421
422 return result;
423 }
424
425 static int
pcap_compile_unsafe(pcap_t * p,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)426 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
427 const char *buf, int optimize, bpf_u_int32 mask)
428 #else /* WIN32 */
429 int
430 pcap_compile(pcap_t *p, struct bpf_program *program,
431 const char *buf, int optimize, bpf_u_int32 mask)
432 #endif /* WIN32 */
433 {
434 extern int n_errors;
435 const char * volatile xbuf = buf;
436 u_int len;
437
438 /*
439 * If this pcap_t hasn't been activated, it doesn't have a
440 * link-layer type, so we can't use it.
441 */
442 if (!p->activated) {
443 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
444 "not-yet-activated pcap_t passed to pcap_compile");
445 return (-1);
446 }
447 no_optimize = 0;
448 n_errors = 0;
449 root = NULL;
450 bpf_pcap = p;
451 init_regs();
452 if (setjmp(top_ctx)) {
453 #ifdef INET6
454 if (ai != NULL) {
455 freeaddrinfo(ai);
456 ai = NULL;
457 }
458 #endif
459 lex_cleanup();
460 freechunks();
461 return (-1);
462 }
463
464 netmask = mask;
465
466 snaplen = pcap_snapshot(p);
467 if (snaplen == 0) {
468 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
469 "snaplen of 0 rejects all packets");
470 return -1;
471 }
472
473 lex_init(xbuf ? xbuf : "");
474 init_linktype(p);
475 (void)pcap_parse();
476
477 if (n_errors)
478 syntax();
479
480 if (root == NULL)
481 root = gen_retblk(snaplen);
482
483 if (optimize && !no_optimize) {
484 bpf_optimize(&root);
485 if (root == NULL ||
486 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
487 bpf_error("expression rejects all packets");
488 }
489 program->bf_insns = icode_to_fcode(root, &len);
490 program->bf_len = len;
491
492 lex_cleanup();
493 freechunks();
494 return (0);
495 }
496
497 /*
498 * entry point for using the compiler with no pcap open
499 * pass in all the stuff that is needed explicitly instead.
500 */
501 int
pcap_compile_nopcap(int snaplen_arg,int linktype_arg,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)502 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
503 struct bpf_program *program,
504 const char *buf, int optimize, bpf_u_int32 mask)
505 {
506 pcap_t *p;
507 int ret;
508
509 p = pcap_open_dead(linktype_arg, snaplen_arg);
510 if (p == NULL)
511 return (-1);
512 ret = pcap_compile(p, program, buf, optimize, mask);
513 pcap_close(p);
514 return (ret);
515 }
516
517 /*
518 * Clean up a "struct bpf_program" by freeing all the memory allocated
519 * in it.
520 */
521 void
pcap_freecode(struct bpf_program * program)522 pcap_freecode(struct bpf_program *program)
523 {
524 program->bf_len = 0;
525 if (program->bf_insns != NULL) {
526 free((char *)program->bf_insns);
527 program->bf_insns = NULL;
528 }
529 }
530
531 /*
532 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
533 * which of the jt and jf fields has been resolved and which is a pointer
534 * back to another unresolved block (or nil). At least one of the fields
535 * in each block is already resolved.
536 */
537 static void
backpatch(list,target)538 backpatch(list, target)
539 struct block *list, *target;
540 {
541 struct block *next;
542
543 while (list) {
544 if (!list->sense) {
545 next = JT(list);
546 JT(list) = target;
547 } else {
548 next = JF(list);
549 JF(list) = target;
550 }
551 list = next;
552 }
553 }
554
555 /*
556 * Merge the lists in b0 and b1, using the 'sense' field to indicate
557 * which of jt and jf is the link.
558 */
559 static void
merge(b0,b1)560 merge(b0, b1)
561 struct block *b0, *b1;
562 {
563 register struct block **p = &b0;
564
565 /* Find end of list. */
566 while (*p)
567 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
568
569 /* Concatenate the lists. */
570 *p = b1;
571 }
572
573 void
finish_parse(p)574 finish_parse(p)
575 struct block *p;
576 {
577 struct block *ppi_dlt_check;
578
579 /*
580 * Insert before the statements of the first (root) block any
581 * statements needed to load the lengths of any variable-length
582 * headers into registers.
583 *
584 * XXX - a fancier strategy would be to insert those before the
585 * statements of all blocks that use those lengths and that
586 * have no predecessors that use them, so that we only compute
587 * the lengths if we need them. There might be even better
588 * approaches than that.
589 *
590 * However, those strategies would be more complicated, and
591 * as we don't generate code to compute a length if the
592 * program has no tests that use the length, and as most
593 * tests will probably use those lengths, we would just
594 * postpone computing the lengths so that it's not done
595 * for tests that fail early, and it's not clear that's
596 * worth the effort.
597 */
598 insert_compute_vloffsets(p->head);
599
600 /*
601 * For DLT_PPI captures, generate a check of the per-packet
602 * DLT value to make sure it's DLT_IEEE802_11.
603 */
604 ppi_dlt_check = gen_ppi_dlt_check();
605 if (ppi_dlt_check != NULL)
606 gen_and(ppi_dlt_check, p);
607
608 backpatch(p, gen_retblk(snaplen));
609 p->sense = !p->sense;
610 backpatch(p, gen_retblk(0));
611 root = p->head;
612 }
613
614 void
gen_and(b0,b1)615 gen_and(b0, b1)
616 struct block *b0, *b1;
617 {
618 backpatch(b0, b1->head);
619 b0->sense = !b0->sense;
620 b1->sense = !b1->sense;
621 merge(b1, b0);
622 b1->sense = !b1->sense;
623 b1->head = b0->head;
624 }
625
626 void
gen_or(b0,b1)627 gen_or(b0, b1)
628 struct block *b0, *b1;
629 {
630 b0->sense = !b0->sense;
631 backpatch(b0, b1->head);
632 b0->sense = !b0->sense;
633 merge(b1, b0);
634 b1->head = b0->head;
635 }
636
637 void
gen_not(b)638 gen_not(b)
639 struct block *b;
640 {
641 b->sense = !b->sense;
642 }
643
644 static struct block *
gen_cmp(offrel,offset,size,v)645 gen_cmp(offrel, offset, size, v)
646 enum e_offrel offrel;
647 u_int offset, size;
648 bpf_int32 v;
649 {
650 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
651 }
652
653 static struct block *
gen_cmp_gt(offrel,offset,size,v)654 gen_cmp_gt(offrel, offset, size, v)
655 enum e_offrel offrel;
656 u_int offset, size;
657 bpf_int32 v;
658 {
659 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
660 }
661
662 static struct block *
gen_cmp_ge(offrel,offset,size,v)663 gen_cmp_ge(offrel, offset, size, v)
664 enum e_offrel offrel;
665 u_int offset, size;
666 bpf_int32 v;
667 {
668 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
669 }
670
671 static struct block *
gen_cmp_lt(offrel,offset,size,v)672 gen_cmp_lt(offrel, offset, size, v)
673 enum e_offrel offrel;
674 u_int offset, size;
675 bpf_int32 v;
676 {
677 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
678 }
679
680 static struct block *
gen_cmp_le(offrel,offset,size,v)681 gen_cmp_le(offrel, offset, size, v)
682 enum e_offrel offrel;
683 u_int offset, size;
684 bpf_int32 v;
685 {
686 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
687 }
688
689 static struct block *
gen_mcmp(offrel,offset,size,v,mask)690 gen_mcmp(offrel, offset, size, v, mask)
691 enum e_offrel offrel;
692 u_int offset, size;
693 bpf_int32 v;
694 bpf_u_int32 mask;
695 {
696 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
697 }
698
699 static struct block *
gen_bcmp(offrel,offset,size,v)700 gen_bcmp(offrel, offset, size, v)
701 enum e_offrel offrel;
702 register u_int offset, size;
703 register const u_char *v;
704 {
705 register struct block *b, *tmp;
706
707 b = NULL;
708 while (size >= 4) {
709 register const u_char *p = &v[size - 4];
710 bpf_int32 w = ((bpf_int32)p[0] << 24) |
711 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
712
713 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
714 if (b != NULL)
715 gen_and(b, tmp);
716 b = tmp;
717 size -= 4;
718 }
719 while (size >= 2) {
720 register const u_char *p = &v[size - 2];
721 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
722
723 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
724 if (b != NULL)
725 gen_and(b, tmp);
726 b = tmp;
727 size -= 2;
728 }
729 if (size > 0) {
730 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
731 if (b != NULL)
732 gen_and(b, tmp);
733 b = tmp;
734 }
735 return b;
736 }
737
738 /*
739 * AND the field of size "size" at offset "offset" relative to the header
740 * specified by "offrel" with "mask", and compare it with the value "v"
741 * with the test specified by "jtype"; if "reverse" is true, the test
742 * should test the opposite of "jtype".
743 */
744 static struct block *
gen_ncmp(offrel,offset,size,mask,jtype,reverse,v)745 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
746 enum e_offrel offrel;
747 bpf_int32 v;
748 bpf_u_int32 offset, size, mask, jtype;
749 int reverse;
750 {
751 struct slist *s, *s2;
752 struct block *b;
753
754 s = gen_load_a(offrel, offset, size);
755
756 if (mask != 0xffffffff) {
757 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
758 s2->s.k = mask;
759 sappend(s, s2);
760 }
761
762 b = new_block(JMP(jtype));
763 b->stmts = s;
764 b->s.k = v;
765 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
766 gen_not(b);
767 return b;
768 }
769
770 /*
771 * Various code constructs need to know the layout of the data link
772 * layer. These variables give the necessary offsets from the beginning
773 * of the packet data.
774 */
775
776 /*
777 * This is the offset of the beginning of the link-layer header from
778 * the beginning of the raw packet data.
779 *
780 * It's usually 0, except for 802.11 with a fixed-length radio header.
781 * (For 802.11 with a variable-length radio header, we have to generate
782 * code to compute that offset; off_ll is 0 in that case.)
783 */
784 static u_int off_ll;
785
786 /*
787 * If there's a variable-length header preceding the link-layer header,
788 * "reg_off_ll" is the register number for a register containing the
789 * length of that header, and therefore the offset of the link-layer
790 * header from the beginning of the raw packet data. Otherwise,
791 * "reg_off_ll" is -1.
792 */
793 static int reg_off_ll;
794
795 /*
796 * This is the offset of the beginning of the MAC-layer header from
797 * the beginning of the link-layer header.
798 * It's usually 0, except for ATM LANE, where it's the offset, relative
799 * to the beginning of the raw packet data, of the Ethernet header, and
800 * for Ethernet with various additional information.
801 */
802 static u_int off_mac;
803
804 /*
805 * This is the offset of the beginning of the MAC-layer payload,
806 * from the beginning of the raw packet data.
807 *
808 * I.e., it's the sum of the length of the link-layer header (without,
809 * for example, any 802.2 LLC header, so it's the MAC-layer
810 * portion of that header), plus any prefix preceding the
811 * link-layer header.
812 */
813 static u_int off_macpl;
814
815 /*
816 * This is 1 if the offset of the beginning of the MAC-layer payload
817 * from the beginning of the link-layer header is variable-length.
818 */
819 static int off_macpl_is_variable;
820
821 /*
822 * If the link layer has variable_length headers, "reg_off_macpl"
823 * is the register number for a register containing the length of the
824 * link-layer header plus the length of any variable-length header
825 * preceding the link-layer header. Otherwise, "reg_off_macpl"
826 * is -1.
827 */
828 static int reg_off_macpl;
829
830 /*
831 * "off_linktype" is the offset to information in the link-layer header
832 * giving the packet type. This offset is relative to the beginning
833 * of the link-layer header (i.e., it doesn't include off_ll).
834 *
835 * For Ethernet, it's the offset of the Ethernet type field.
836 *
837 * For link-layer types that always use 802.2 headers, it's the
838 * offset of the LLC header.
839 *
840 * For PPP, it's the offset of the PPP type field.
841 *
842 * For Cisco HDLC, it's the offset of the CHDLC type field.
843 *
844 * For BSD loopback, it's the offset of the AF_ value.
845 *
846 * For Linux cooked sockets, it's the offset of the type field.
847 *
848 * It's set to -1 for no encapsulation, in which case, IP is assumed.
849 */
850 static u_int off_linktype;
851
852 /*
853 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
854 * checks to check the PPP header, assumed to follow a LAN-style link-
855 * layer header and a PPPoE session header.
856 */
857 static int is_pppoes = 0;
858
859 /*
860 * TRUE if the link layer includes an ATM pseudo-header.
861 */
862 static int is_atm = 0;
863
864 /*
865 * TRUE if "lane" appeared in the filter; it causes us to generate
866 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
867 */
868 static int is_lane = 0;
869
870 /*
871 * These are offsets for the ATM pseudo-header.
872 */
873 static u_int off_vpi;
874 static u_int off_vci;
875 static u_int off_proto;
876
877 /*
878 * These are offsets for the MTP2 fields.
879 */
880 static u_int off_li;
881
882 /*
883 * These are offsets for the MTP3 fields.
884 */
885 static u_int off_sio;
886 static u_int off_opc;
887 static u_int off_dpc;
888 static u_int off_sls;
889
890 /*
891 * This is the offset of the first byte after the ATM pseudo_header,
892 * or -1 if there is no ATM pseudo-header.
893 */
894 static u_int off_payload;
895
896 /*
897 * These are offsets to the beginning of the network-layer header.
898 * They are relative to the beginning of the MAC-layer payload (i.e.,
899 * they don't include off_ll or off_macpl).
900 *
901 * If the link layer never uses 802.2 LLC:
902 *
903 * "off_nl" and "off_nl_nosnap" are the same.
904 *
905 * If the link layer always uses 802.2 LLC:
906 *
907 * "off_nl" is the offset if there's a SNAP header following
908 * the 802.2 header;
909 *
910 * "off_nl_nosnap" is the offset if there's no SNAP header.
911 *
912 * If the link layer is Ethernet:
913 *
914 * "off_nl" is the offset if the packet is an Ethernet II packet
915 * (we assume no 802.3+802.2+SNAP);
916 *
917 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
918 * with an 802.2 header following it.
919 */
920 static u_int off_nl;
921 static u_int off_nl_nosnap;
922
923 static int linktype;
924
925 static void
init_linktype(p)926 init_linktype(p)
927 pcap_t *p;
928 {
929 linktype = pcap_datalink(p);
930 #ifdef PCAP_FDDIPAD
931 pcap_fddipad = p->fddipad;
932 #endif
933
934 /*
935 * Assume it's not raw ATM with a pseudo-header, for now.
936 */
937 off_mac = 0;
938 is_atm = 0;
939 is_lane = 0;
940 off_vpi = -1;
941 off_vci = -1;
942 off_proto = -1;
943 off_payload = -1;
944
945 /*
946 * And that we're not doing PPPoE.
947 */
948 is_pppoes = 0;
949
950 /*
951 * And assume we're not doing SS7.
952 */
953 off_li = -1;
954 off_sio = -1;
955 off_opc = -1;
956 off_dpc = -1;
957 off_sls = -1;
958
959 /*
960 * Also assume it's not 802.11.
961 */
962 off_ll = 0;
963 off_macpl = 0;
964 off_macpl_is_variable = 0;
965
966 orig_linktype = -1;
967 orig_nl = -1;
968 label_stack_depth = 0;
969
970 reg_off_ll = -1;
971 reg_off_macpl = -1;
972
973 switch (linktype) {
974
975 case DLT_ARCNET:
976 off_linktype = 2;
977 off_macpl = 6;
978 off_nl = 0; /* XXX in reality, variable! */
979 off_nl_nosnap = 0; /* no 802.2 LLC */
980 return;
981
982 case DLT_ARCNET_LINUX:
983 off_linktype = 4;
984 off_macpl = 8;
985 off_nl = 0; /* XXX in reality, variable! */
986 off_nl_nosnap = 0; /* no 802.2 LLC */
987 return;
988
989 case DLT_EN10MB:
990 off_linktype = 12;
991 off_macpl = 14; /* Ethernet header length */
992 off_nl = 0; /* Ethernet II */
993 off_nl_nosnap = 3; /* 802.3+802.2 */
994 return;
995
996 case DLT_SLIP:
997 /*
998 * SLIP doesn't have a link level type. The 16 byte
999 * header is hacked into our SLIP driver.
1000 */
1001 off_linktype = -1;
1002 off_macpl = 16;
1003 off_nl = 0;
1004 off_nl_nosnap = 0; /* no 802.2 LLC */
1005 return;
1006
1007 case DLT_SLIP_BSDOS:
1008 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1009 off_linktype = -1;
1010 /* XXX end */
1011 off_macpl = 24;
1012 off_nl = 0;
1013 off_nl_nosnap = 0; /* no 802.2 LLC */
1014 return;
1015
1016 case DLT_NULL:
1017 case DLT_LOOP:
1018 off_linktype = 0;
1019 off_macpl = 4;
1020 off_nl = 0;
1021 off_nl_nosnap = 0; /* no 802.2 LLC */
1022 return;
1023
1024 case DLT_ENC:
1025 off_linktype = 0;
1026 off_macpl = 12;
1027 off_nl = 0;
1028 off_nl_nosnap = 0; /* no 802.2 LLC */
1029 return;
1030
1031 case DLT_PPP:
1032 case DLT_PPP_PPPD:
1033 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1034 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1035 off_linktype = 2;
1036 off_macpl = 4;
1037 off_nl = 0;
1038 off_nl_nosnap = 0; /* no 802.2 LLC */
1039 return;
1040
1041 case DLT_PPP_ETHER:
1042 /*
1043 * This does no include the Ethernet header, and
1044 * only covers session state.
1045 */
1046 off_linktype = 6;
1047 off_macpl = 8;
1048 off_nl = 0;
1049 off_nl_nosnap = 0; /* no 802.2 LLC */
1050 return;
1051
1052 case DLT_PPP_BSDOS:
1053 off_linktype = 5;
1054 off_macpl = 24;
1055 off_nl = 0;
1056 off_nl_nosnap = 0; /* no 802.2 LLC */
1057 return;
1058
1059 case DLT_FDDI:
1060 /*
1061 * FDDI doesn't really have a link-level type field.
1062 * We set "off_linktype" to the offset of the LLC header.
1063 *
1064 * To check for Ethernet types, we assume that SSAP = SNAP
1065 * is being used and pick out the encapsulated Ethernet type.
1066 * XXX - should we generate code to check for SNAP?
1067 */
1068 off_linktype = 13;
1069 #ifdef PCAP_FDDIPAD
1070 off_linktype += pcap_fddipad;
1071 #endif
1072 off_macpl = 13; /* FDDI MAC header length */
1073 #ifdef PCAP_FDDIPAD
1074 off_macpl += pcap_fddipad;
1075 #endif
1076 off_nl = 8; /* 802.2+SNAP */
1077 off_nl_nosnap = 3; /* 802.2 */
1078 return;
1079
1080 case DLT_IEEE802:
1081 /*
1082 * Token Ring doesn't really have a link-level type field.
1083 * We set "off_linktype" to the offset of the LLC header.
1084 *
1085 * To check for Ethernet types, we assume that SSAP = SNAP
1086 * is being used and pick out the encapsulated Ethernet type.
1087 * XXX - should we generate code to check for SNAP?
1088 *
1089 * XXX - the header is actually variable-length.
1090 * Some various Linux patched versions gave 38
1091 * as "off_linktype" and 40 as "off_nl"; however,
1092 * if a token ring packet has *no* routing
1093 * information, i.e. is not source-routed, the correct
1094 * values are 20 and 22, as they are in the vanilla code.
1095 *
1096 * A packet is source-routed iff the uppermost bit
1097 * of the first byte of the source address, at an
1098 * offset of 8, has the uppermost bit set. If the
1099 * packet is source-routed, the total number of bytes
1100 * of routing information is 2 plus bits 0x1F00 of
1101 * the 16-bit value at an offset of 14 (shifted right
1102 * 8 - figure out which byte that is).
1103 */
1104 off_linktype = 14;
1105 off_macpl = 14; /* Token Ring MAC header length */
1106 off_nl = 8; /* 802.2+SNAP */
1107 off_nl_nosnap = 3; /* 802.2 */
1108 return;
1109
1110 case DLT_IEEE802_11:
1111 case DLT_PRISM_HEADER:
1112 case DLT_IEEE802_11_RADIO_AVS:
1113 case DLT_IEEE802_11_RADIO:
1114 /*
1115 * 802.11 doesn't really have a link-level type field.
1116 * We set "off_linktype" to the offset of the LLC header.
1117 *
1118 * To check for Ethernet types, we assume that SSAP = SNAP
1119 * is being used and pick out the encapsulated Ethernet type.
1120 * XXX - should we generate code to check for SNAP?
1121 *
1122 * We also handle variable-length radio headers here.
1123 * The Prism header is in theory variable-length, but in
1124 * practice it's always 144 bytes long. However, some
1125 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1126 * sometimes or always supply an AVS header, so we
1127 * have to check whether the radio header is a Prism
1128 * header or an AVS header, so, in practice, it's
1129 * variable-length.
1130 */
1131 off_linktype = 24;
1132 off_macpl = 0; /* link-layer header is variable-length */
1133 off_macpl_is_variable = 1;
1134 off_nl = 8; /* 802.2+SNAP */
1135 off_nl_nosnap = 3; /* 802.2 */
1136 return;
1137
1138 case DLT_PPI:
1139 /*
1140 * At the moment we treat PPI the same way that we treat
1141 * normal Radiotap encoded packets. The difference is in
1142 * the function that generates the code at the beginning
1143 * to compute the header length. Since this code generator
1144 * of PPI supports bare 802.11 encapsulation only (i.e.
1145 * the encapsulated DLT should be DLT_IEEE802_11) we
1146 * generate code to check for this too.
1147 */
1148 off_linktype = 24;
1149 off_macpl = 0; /* link-layer header is variable-length */
1150 off_macpl_is_variable = 1;
1151 off_nl = 8; /* 802.2+SNAP */
1152 off_nl_nosnap = 3; /* 802.2 */
1153 return;
1154
1155 case DLT_ATM_RFC1483:
1156 case DLT_ATM_CLIP: /* Linux ATM defines this */
1157 /*
1158 * assume routed, non-ISO PDUs
1159 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1160 *
1161 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1162 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1163 * latter would presumably be treated the way PPPoE
1164 * should be, so you can do "pppoe and udp port 2049"
1165 * or "pppoa and tcp port 80" and have it check for
1166 * PPPo{A,E} and a PPP protocol of IP and....
1167 */
1168 off_linktype = 0;
1169 off_macpl = 0; /* packet begins with LLC header */
1170 off_nl = 8; /* 802.2+SNAP */
1171 off_nl_nosnap = 3; /* 802.2 */
1172 return;
1173
1174 case DLT_SUNATM:
1175 /*
1176 * Full Frontal ATM; you get AALn PDUs with an ATM
1177 * pseudo-header.
1178 */
1179 is_atm = 1;
1180 off_vpi = SUNATM_VPI_POS;
1181 off_vci = SUNATM_VCI_POS;
1182 off_proto = PROTO_POS;
1183 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1184 off_payload = SUNATM_PKT_BEGIN_POS;
1185 off_linktype = off_payload;
1186 off_macpl = off_payload; /* if LLC-encapsulated */
1187 off_nl = 8; /* 802.2+SNAP */
1188 off_nl_nosnap = 3; /* 802.2 */
1189 return;
1190
1191 case DLT_RAW:
1192 case DLT_IPV4:
1193 case DLT_IPV6:
1194 off_linktype = -1;
1195 off_macpl = 0;
1196 off_nl = 0;
1197 off_nl_nosnap = 0; /* no 802.2 LLC */
1198 return;
1199
1200 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1201 off_linktype = 14;
1202 off_macpl = 16;
1203 off_nl = 0;
1204 off_nl_nosnap = 0; /* no 802.2 LLC */
1205 return;
1206
1207 case DLT_LTALK:
1208 /*
1209 * LocalTalk does have a 1-byte type field in the LLAP header,
1210 * but really it just indicates whether there is a "short" or
1211 * "long" DDP packet following.
1212 */
1213 off_linktype = -1;
1214 off_macpl = 0;
1215 off_nl = 0;
1216 off_nl_nosnap = 0; /* no 802.2 LLC */
1217 return;
1218
1219 case DLT_IP_OVER_FC:
1220 /*
1221 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1222 * link-level type field. We set "off_linktype" to the
1223 * offset of the LLC header.
1224 *
1225 * To check for Ethernet types, we assume that SSAP = SNAP
1226 * is being used and pick out the encapsulated Ethernet type.
1227 * XXX - should we generate code to check for SNAP? RFC
1228 * 2625 says SNAP should be used.
1229 */
1230 off_linktype = 16;
1231 off_macpl = 16;
1232 off_nl = 8; /* 802.2+SNAP */
1233 off_nl_nosnap = 3; /* 802.2 */
1234 return;
1235
1236 case DLT_FRELAY:
1237 /*
1238 * XXX - we should set this to handle SNAP-encapsulated
1239 * frames (NLPID of 0x80).
1240 */
1241 off_linktype = -1;
1242 off_macpl = 0;
1243 off_nl = 0;
1244 off_nl_nosnap = 0; /* no 802.2 LLC */
1245 return;
1246
1247 /*
1248 * the only BPF-interesting FRF.16 frames are non-control frames;
1249 * Frame Relay has a variable length link-layer
1250 * so lets start with offset 4 for now and increments later on (FIXME);
1251 */
1252 case DLT_MFR:
1253 off_linktype = -1;
1254 off_macpl = 0;
1255 off_nl = 4;
1256 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1257 return;
1258
1259 case DLT_APPLE_IP_OVER_IEEE1394:
1260 off_linktype = 16;
1261 off_macpl = 18;
1262 off_nl = 0;
1263 off_nl_nosnap = 0; /* no 802.2 LLC */
1264 return;
1265
1266 case DLT_SYMANTEC_FIREWALL:
1267 off_linktype = 6;
1268 off_macpl = 44;
1269 off_nl = 0; /* Ethernet II */
1270 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1271 return;
1272
1273 #ifdef HAVE_NET_PFVAR_H
1274 case DLT_PFLOG:
1275 off_linktype = 0;
1276 off_macpl = PFLOG_HDRLEN;
1277 off_nl = 0;
1278 off_nl_nosnap = 0; /* no 802.2 LLC */
1279 return;
1280 #endif
1281
1282 case DLT_JUNIPER_MFR:
1283 case DLT_JUNIPER_MLFR:
1284 case DLT_JUNIPER_MLPPP:
1285 case DLT_JUNIPER_PPP:
1286 case DLT_JUNIPER_CHDLC:
1287 case DLT_JUNIPER_FRELAY:
1288 off_linktype = 4;
1289 off_macpl = 4;
1290 off_nl = 0;
1291 off_nl_nosnap = -1; /* no 802.2 LLC */
1292 return;
1293
1294 case DLT_JUNIPER_ATM1:
1295 off_linktype = 4; /* in reality variable between 4-8 */
1296 off_macpl = 4; /* in reality variable between 4-8 */
1297 off_nl = 0;
1298 off_nl_nosnap = 10;
1299 return;
1300
1301 case DLT_JUNIPER_ATM2:
1302 off_linktype = 8; /* in reality variable between 8-12 */
1303 off_macpl = 8; /* in reality variable between 8-12 */
1304 off_nl = 0;
1305 off_nl_nosnap = 10;
1306 return;
1307
1308 /* frames captured on a Juniper PPPoE service PIC
1309 * contain raw ethernet frames */
1310 case DLT_JUNIPER_PPPOE:
1311 case DLT_JUNIPER_ETHER:
1312 off_macpl = 14;
1313 off_linktype = 16;
1314 off_nl = 18; /* Ethernet II */
1315 off_nl_nosnap = 21; /* 802.3+802.2 */
1316 return;
1317
1318 case DLT_JUNIPER_PPPOE_ATM:
1319 off_linktype = 4;
1320 off_macpl = 6;
1321 off_nl = 0;
1322 off_nl_nosnap = -1; /* no 802.2 LLC */
1323 return;
1324
1325 case DLT_JUNIPER_GGSN:
1326 off_linktype = 6;
1327 off_macpl = 12;
1328 off_nl = 0;
1329 off_nl_nosnap = -1; /* no 802.2 LLC */
1330 return;
1331
1332 case DLT_JUNIPER_ES:
1333 off_linktype = 6;
1334 off_macpl = -1; /* not really a network layer but raw IP addresses */
1335 off_nl = -1; /* not really a network layer but raw IP addresses */
1336 off_nl_nosnap = -1; /* no 802.2 LLC */
1337 return;
1338
1339 case DLT_JUNIPER_MONITOR:
1340 off_linktype = 12;
1341 off_macpl = 12;
1342 off_nl = 0; /* raw IP/IP6 header */
1343 off_nl_nosnap = -1; /* no 802.2 LLC */
1344 return;
1345
1346 case DLT_JUNIPER_SERVICES:
1347 off_linktype = 12;
1348 off_macpl = -1; /* L3 proto location dep. on cookie type */
1349 off_nl = -1; /* L3 proto location dep. on cookie type */
1350 off_nl_nosnap = -1; /* no 802.2 LLC */
1351 return;
1352
1353 case DLT_JUNIPER_VP:
1354 off_linktype = 18;
1355 off_macpl = -1;
1356 off_nl = -1;
1357 off_nl_nosnap = -1;
1358 return;
1359
1360 case DLT_JUNIPER_ST:
1361 off_linktype = 18;
1362 off_macpl = -1;
1363 off_nl = -1;
1364 off_nl_nosnap = -1;
1365 return;
1366
1367 case DLT_JUNIPER_ISM:
1368 off_linktype = 8;
1369 off_macpl = -1;
1370 off_nl = -1;
1371 off_nl_nosnap = -1;
1372 return;
1373
1374 case DLT_JUNIPER_VS:
1375 case DLT_JUNIPER_SRX_E2E:
1376 case DLT_JUNIPER_FIBRECHANNEL:
1377 case DLT_JUNIPER_ATM_CEMIC:
1378 off_linktype = 8;
1379 off_macpl = -1;
1380 off_nl = -1;
1381 off_nl_nosnap = -1;
1382 return;
1383
1384 case DLT_MTP2:
1385 off_li = 2;
1386 off_sio = 3;
1387 off_opc = 4;
1388 off_dpc = 4;
1389 off_sls = 7;
1390 off_linktype = -1;
1391 off_macpl = -1;
1392 off_nl = -1;
1393 off_nl_nosnap = -1;
1394 return;
1395
1396 case DLT_MTP2_WITH_PHDR:
1397 off_li = 6;
1398 off_sio = 7;
1399 off_opc = 8;
1400 off_dpc = 8;
1401 off_sls = 11;
1402 off_linktype = -1;
1403 off_macpl = -1;
1404 off_nl = -1;
1405 off_nl_nosnap = -1;
1406 return;
1407
1408 case DLT_ERF:
1409 off_li = 22;
1410 off_sio = 23;
1411 off_opc = 24;
1412 off_dpc = 24;
1413 off_sls = 27;
1414 off_linktype = -1;
1415 off_macpl = -1;
1416 off_nl = -1;
1417 off_nl_nosnap = -1;
1418 return;
1419
1420 case DLT_PFSYNC:
1421 off_linktype = -1;
1422 off_macpl = 4;
1423 off_nl = 0;
1424 off_nl_nosnap = 0;
1425 return;
1426
1427 case DLT_AX25_KISS:
1428 /*
1429 * Currently, only raw "link[N:M]" filtering is supported.
1430 */
1431 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1432 off_macpl = -1;
1433 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1434 off_nl_nosnap = -1; /* no 802.2 LLC */
1435 off_mac = 1; /* step over the kiss length byte */
1436 return;
1437
1438 case DLT_IPNET:
1439 off_linktype = 1;
1440 off_macpl = 24; /* ipnet header length */
1441 off_nl = 0;
1442 off_nl_nosnap = -1;
1443 return;
1444
1445 case DLT_NETANALYZER:
1446 off_mac = 4; /* MAC header is past 4-byte pseudo-header */
1447 off_linktype = 16; /* includes 4-byte pseudo-header */
1448 off_macpl = 18; /* pseudo-header+Ethernet header length */
1449 off_nl = 0; /* Ethernet II */
1450 off_nl_nosnap = 3; /* 802.3+802.2 */
1451 return;
1452
1453 case DLT_NETANALYZER_TRANSPARENT:
1454 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1455 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */
1456 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */
1457 off_nl = 0; /* Ethernet II */
1458 off_nl_nosnap = 3; /* 802.3+802.2 */
1459 return;
1460
1461 default:
1462 /*
1463 * For values in the range in which we've assigned new
1464 * DLT_ values, only raw "link[N:M]" filtering is supported.
1465 */
1466 if (linktype >= DLT_MATCHING_MIN &&
1467 linktype <= DLT_MATCHING_MAX) {
1468 off_linktype = -1;
1469 off_macpl = -1;
1470 off_nl = -1;
1471 off_nl_nosnap = -1;
1472 return;
1473 }
1474
1475 }
1476 bpf_error("unknown data link type %d", linktype);
1477 /* NOTREACHED */
1478 }
1479
1480 /*
1481 * Load a value relative to the beginning of the link-layer header.
1482 * The link-layer header doesn't necessarily begin at the beginning
1483 * of the packet data; there might be a variable-length prefix containing
1484 * radio information.
1485 */
1486 static struct slist *
gen_load_llrel(offset,size)1487 gen_load_llrel(offset, size)
1488 u_int offset, size;
1489 {
1490 struct slist *s, *s2;
1491
1492 s = gen_llprefixlen();
1493
1494 /*
1495 * If "s" is non-null, it has code to arrange that the X register
1496 * contains the length of the prefix preceding the link-layer
1497 * header.
1498 *
1499 * Otherwise, the length of the prefix preceding the link-layer
1500 * header is "off_ll".
1501 */
1502 if (s != NULL) {
1503 /*
1504 * There's a variable-length prefix preceding the
1505 * link-layer header. "s" points to a list of statements
1506 * that put the length of that prefix into the X register.
1507 * do an indirect load, to use the X register as an offset.
1508 */
1509 s2 = new_stmt(BPF_LD|BPF_IND|size);
1510 s2->s.k = offset;
1511 sappend(s, s2);
1512 } else {
1513 /*
1514 * There is no variable-length header preceding the
1515 * link-layer header; add in off_ll, which, if there's
1516 * a fixed-length header preceding the link-layer header,
1517 * is the length of that header.
1518 */
1519 s = new_stmt(BPF_LD|BPF_ABS|size);
1520 s->s.k = offset + off_ll;
1521 }
1522 return s;
1523 }
1524
1525 /*
1526 * Load a value relative to the beginning of the MAC-layer payload.
1527 */
1528 static struct slist *
gen_load_macplrel(offset,size)1529 gen_load_macplrel(offset, size)
1530 u_int offset, size;
1531 {
1532 struct slist *s, *s2;
1533
1534 s = gen_off_macpl();
1535
1536 /*
1537 * If s is non-null, the offset of the MAC-layer payload is
1538 * variable, and s points to a list of instructions that
1539 * arrange that the X register contains that offset.
1540 *
1541 * Otherwise, the offset of the MAC-layer payload is constant,
1542 * and is in off_macpl.
1543 */
1544 if (s != NULL) {
1545 /*
1546 * The offset of the MAC-layer payload is in the X
1547 * register. Do an indirect load, to use the X register
1548 * as an offset.
1549 */
1550 s2 = new_stmt(BPF_LD|BPF_IND|size);
1551 s2->s.k = offset;
1552 sappend(s, s2);
1553 } else {
1554 /*
1555 * The offset of the MAC-layer payload is constant,
1556 * and is in off_macpl; load the value at that offset
1557 * plus the specified offset.
1558 */
1559 s = new_stmt(BPF_LD|BPF_ABS|size);
1560 s->s.k = off_macpl + offset;
1561 }
1562 return s;
1563 }
1564
1565 /*
1566 * Load a value relative to the beginning of the specified header.
1567 */
1568 static struct slist *
gen_load_a(offrel,offset,size)1569 gen_load_a(offrel, offset, size)
1570 enum e_offrel offrel;
1571 u_int offset, size;
1572 {
1573 struct slist *s, *s2;
1574
1575 switch (offrel) {
1576
1577 case OR_PACKET:
1578 s = new_stmt(BPF_LD|BPF_ABS|size);
1579 s->s.k = offset;
1580 break;
1581
1582 case OR_LINK:
1583 s = gen_load_llrel(offset, size);
1584 break;
1585
1586 case OR_MACPL:
1587 s = gen_load_macplrel(offset, size);
1588 break;
1589
1590 case OR_NET:
1591 s = gen_load_macplrel(off_nl + offset, size);
1592 break;
1593
1594 case OR_NET_NOSNAP:
1595 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1596 break;
1597
1598 case OR_TRAN_IPV4:
1599 /*
1600 * Load the X register with the length of the IPv4 header
1601 * (plus the offset of the link-layer header, if it's
1602 * preceded by a variable-length header such as a radio
1603 * header), in bytes.
1604 */
1605 s = gen_loadx_iphdrlen();
1606
1607 /*
1608 * Load the item at {offset of the MAC-layer payload} +
1609 * {offset, relative to the start of the MAC-layer
1610 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1611 * {specified offset}.
1612 *
1613 * (If the offset of the MAC-layer payload is variable,
1614 * it's included in the value in the X register, and
1615 * off_macpl is 0.)
1616 */
1617 s2 = new_stmt(BPF_LD|BPF_IND|size);
1618 s2->s.k = off_macpl + off_nl + offset;
1619 sappend(s, s2);
1620 break;
1621
1622 case OR_TRAN_IPV6:
1623 s = gen_load_macplrel(off_nl + 40 + offset, size);
1624 break;
1625
1626 default:
1627 abort();
1628 return NULL;
1629 }
1630 return s;
1631 }
1632
1633 /*
1634 * Generate code to load into the X register the sum of the length of
1635 * the IPv4 header and any variable-length header preceding the link-layer
1636 * header.
1637 */
1638 static struct slist *
gen_loadx_iphdrlen()1639 gen_loadx_iphdrlen()
1640 {
1641 struct slist *s, *s2;
1642
1643 s = gen_off_macpl();
1644 if (s != NULL) {
1645 /*
1646 * There's a variable-length prefix preceding the
1647 * link-layer header, or the link-layer header is itself
1648 * variable-length. "s" points to a list of statements
1649 * that put the offset of the MAC-layer payload into
1650 * the X register.
1651 *
1652 * The 4*([k]&0xf) addressing mode can't be used, as we
1653 * don't have a constant offset, so we have to load the
1654 * value in question into the A register and add to it
1655 * the value from the X register.
1656 */
1657 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1658 s2->s.k = off_nl;
1659 sappend(s, s2);
1660 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1661 s2->s.k = 0xf;
1662 sappend(s, s2);
1663 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1664 s2->s.k = 2;
1665 sappend(s, s2);
1666
1667 /*
1668 * The A register now contains the length of the
1669 * IP header. We need to add to it the offset of
1670 * the MAC-layer payload, which is still in the X
1671 * register, and move the result into the X register.
1672 */
1673 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1674 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1675 } else {
1676 /*
1677 * There is no variable-length header preceding the
1678 * link-layer header, and the link-layer header is
1679 * fixed-length; load the length of the IPv4 header,
1680 * which is at an offset of off_nl from the beginning
1681 * of the MAC-layer payload, and thus at an offset
1682 * of off_mac_pl + off_nl from the beginning of the
1683 * raw packet data.
1684 */
1685 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1686 s->s.k = off_macpl + off_nl;
1687 }
1688 return s;
1689 }
1690
1691 static struct block *
gen_uncond(rsense)1692 gen_uncond(rsense)
1693 int rsense;
1694 {
1695 struct block *b;
1696 struct slist *s;
1697
1698 s = new_stmt(BPF_LD|BPF_IMM);
1699 s->s.k = !rsense;
1700 b = new_block(JMP(BPF_JEQ));
1701 b->stmts = s;
1702
1703 return b;
1704 }
1705
1706 static inline struct block *
gen_true()1707 gen_true()
1708 {
1709 return gen_uncond(1);
1710 }
1711
1712 static inline struct block *
gen_false()1713 gen_false()
1714 {
1715 return gen_uncond(0);
1716 }
1717
1718 /*
1719 * Byte-swap a 32-bit number.
1720 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1721 * big-endian platforms.)
1722 */
1723 #define SWAPLONG(y) \
1724 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1725
1726 /*
1727 * Generate code to match a particular packet type.
1728 *
1729 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1730 * value, if <= ETHERMTU. We use that to determine whether to
1731 * match the type/length field or to check the type/length field for
1732 * a value <= ETHERMTU to see whether it's a type field and then do
1733 * the appropriate test.
1734 */
1735 static struct block *
gen_ether_linktype(proto)1736 gen_ether_linktype(proto)
1737 register int proto;
1738 {
1739 struct block *b0, *b1;
1740
1741 switch (proto) {
1742
1743 case LLCSAP_ISONS:
1744 case LLCSAP_IP:
1745 case LLCSAP_NETBEUI:
1746 /*
1747 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1748 * so we check the DSAP and SSAP.
1749 *
1750 * LLCSAP_IP checks for IP-over-802.2, rather
1751 * than IP-over-Ethernet or IP-over-SNAP.
1752 *
1753 * XXX - should we check both the DSAP and the
1754 * SSAP, like this, or should we check just the
1755 * DSAP, as we do for other types <= ETHERMTU
1756 * (i.e., other SAP values)?
1757 */
1758 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1759 gen_not(b0);
1760 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1761 ((proto << 8) | proto));
1762 gen_and(b0, b1);
1763 return b1;
1764
1765 case LLCSAP_IPX:
1766 /*
1767 * Check for;
1768 *
1769 * Ethernet_II frames, which are Ethernet
1770 * frames with a frame type of ETHERTYPE_IPX;
1771 *
1772 * Ethernet_802.3 frames, which are 802.3
1773 * frames (i.e., the type/length field is
1774 * a length field, <= ETHERMTU, rather than
1775 * a type field) with the first two bytes
1776 * after the Ethernet/802.3 header being
1777 * 0xFFFF;
1778 *
1779 * Ethernet_802.2 frames, which are 802.3
1780 * frames with an 802.2 LLC header and
1781 * with the IPX LSAP as the DSAP in the LLC
1782 * header;
1783 *
1784 * Ethernet_SNAP frames, which are 802.3
1785 * frames with an LLC header and a SNAP
1786 * header and with an OUI of 0x000000
1787 * (encapsulated Ethernet) and a protocol
1788 * ID of ETHERTYPE_IPX in the SNAP header.
1789 *
1790 * XXX - should we generate the same code both
1791 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1792 */
1793
1794 /*
1795 * This generates code to check both for the
1796 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1797 */
1798 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1799 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1800 gen_or(b0, b1);
1801
1802 /*
1803 * Now we add code to check for SNAP frames with
1804 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1805 */
1806 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1807 gen_or(b0, b1);
1808
1809 /*
1810 * Now we generate code to check for 802.3
1811 * frames in general.
1812 */
1813 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1814 gen_not(b0);
1815
1816 /*
1817 * Now add the check for 802.3 frames before the
1818 * check for Ethernet_802.2 and Ethernet_802.3,
1819 * as those checks should only be done on 802.3
1820 * frames, not on Ethernet frames.
1821 */
1822 gen_and(b0, b1);
1823
1824 /*
1825 * Now add the check for Ethernet_II frames, and
1826 * do that before checking for the other frame
1827 * types.
1828 */
1829 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1830 (bpf_int32)ETHERTYPE_IPX);
1831 gen_or(b0, b1);
1832 return b1;
1833
1834 case ETHERTYPE_ATALK:
1835 case ETHERTYPE_AARP:
1836 /*
1837 * EtherTalk (AppleTalk protocols on Ethernet link
1838 * layer) may use 802.2 encapsulation.
1839 */
1840
1841 /*
1842 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1843 * we check for an Ethernet type field less than
1844 * 1500, which means it's an 802.3 length field.
1845 */
1846 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1847 gen_not(b0);
1848
1849 /*
1850 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1851 * SNAP packets with an organization code of
1852 * 0x080007 (Apple, for Appletalk) and a protocol
1853 * type of ETHERTYPE_ATALK (Appletalk).
1854 *
1855 * 802.2-encapsulated ETHERTYPE_AARP packets are
1856 * SNAP packets with an organization code of
1857 * 0x000000 (encapsulated Ethernet) and a protocol
1858 * type of ETHERTYPE_AARP (Appletalk ARP).
1859 */
1860 if (proto == ETHERTYPE_ATALK)
1861 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1862 else /* proto == ETHERTYPE_AARP */
1863 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1864 gen_and(b0, b1);
1865
1866 /*
1867 * Check for Ethernet encapsulation (Ethertalk
1868 * phase 1?); we just check for the Ethernet
1869 * protocol type.
1870 */
1871 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1872
1873 gen_or(b0, b1);
1874 return b1;
1875
1876 default:
1877 if (proto <= ETHERMTU) {
1878 /*
1879 * This is an LLC SAP value, so the frames
1880 * that match would be 802.2 frames.
1881 * Check that the frame is an 802.2 frame
1882 * (i.e., that the length/type field is
1883 * a length field, <= ETHERMTU) and
1884 * then check the DSAP.
1885 */
1886 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1887 gen_not(b0);
1888 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1889 (bpf_int32)proto);
1890 gen_and(b0, b1);
1891 return b1;
1892 } else {
1893 /*
1894 * This is an Ethernet type, so compare
1895 * the length/type field with it (if
1896 * the frame is an 802.2 frame, the length
1897 * field will be <= ETHERMTU, and, as
1898 * "proto" is > ETHERMTU, this test
1899 * will fail and the frame won't match,
1900 * which is what we want).
1901 */
1902 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1903 (bpf_int32)proto);
1904 }
1905 }
1906 }
1907
1908 /*
1909 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1910 * or IPv6 then we have an error.
1911 */
1912 static struct block *
gen_ipnet_linktype(proto)1913 gen_ipnet_linktype(proto)
1914 register int proto;
1915 {
1916 switch (proto) {
1917
1918 case ETHERTYPE_IP:
1919 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1920 (bpf_int32)IPH_AF_INET);
1921 /* NOTREACHED */
1922
1923 case ETHERTYPE_IPV6:
1924 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1925 (bpf_int32)IPH_AF_INET6);
1926 /* NOTREACHED */
1927
1928 default:
1929 break;
1930 }
1931
1932 return gen_false();
1933 }
1934
1935 /*
1936 * Generate code to match a particular packet type.
1937 *
1938 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1939 * value, if <= ETHERMTU. We use that to determine whether to
1940 * match the type field or to check the type field for the special
1941 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1942 */
1943 static struct block *
gen_linux_sll_linktype(proto)1944 gen_linux_sll_linktype(proto)
1945 register int proto;
1946 {
1947 struct block *b0, *b1;
1948
1949 switch (proto) {
1950
1951 case LLCSAP_ISONS:
1952 case LLCSAP_IP:
1953 case LLCSAP_NETBEUI:
1954 /*
1955 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1956 * so we check the DSAP and SSAP.
1957 *
1958 * LLCSAP_IP checks for IP-over-802.2, rather
1959 * than IP-over-Ethernet or IP-over-SNAP.
1960 *
1961 * XXX - should we check both the DSAP and the
1962 * SSAP, like this, or should we check just the
1963 * DSAP, as we do for other types <= ETHERMTU
1964 * (i.e., other SAP values)?
1965 */
1966 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1967 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1968 ((proto << 8) | proto));
1969 gen_and(b0, b1);
1970 return b1;
1971
1972 case LLCSAP_IPX:
1973 /*
1974 * Ethernet_II frames, which are Ethernet
1975 * frames with a frame type of ETHERTYPE_IPX;
1976 *
1977 * Ethernet_802.3 frames, which have a frame
1978 * type of LINUX_SLL_P_802_3;
1979 *
1980 * Ethernet_802.2 frames, which are 802.3
1981 * frames with an 802.2 LLC header (i.e, have
1982 * a frame type of LINUX_SLL_P_802_2) and
1983 * with the IPX LSAP as the DSAP in the LLC
1984 * header;
1985 *
1986 * Ethernet_SNAP frames, which are 802.3
1987 * frames with an LLC header and a SNAP
1988 * header and with an OUI of 0x000000
1989 * (encapsulated Ethernet) and a protocol
1990 * ID of ETHERTYPE_IPX in the SNAP header.
1991 *
1992 * First, do the checks on LINUX_SLL_P_802_2
1993 * frames; generate the check for either
1994 * Ethernet_802.2 or Ethernet_SNAP frames, and
1995 * then put a check for LINUX_SLL_P_802_2 frames
1996 * before it.
1997 */
1998 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1999 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2000 gen_or(b0, b1);
2001 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2002 gen_and(b0, b1);
2003
2004 /*
2005 * Now check for 802.3 frames and OR that with
2006 * the previous test.
2007 */
2008 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2009 gen_or(b0, b1);
2010
2011 /*
2012 * Now add the check for Ethernet_II frames, and
2013 * do that before checking for the other frame
2014 * types.
2015 */
2016 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2017 (bpf_int32)ETHERTYPE_IPX);
2018 gen_or(b0, b1);
2019 return b1;
2020
2021 case ETHERTYPE_ATALK:
2022 case ETHERTYPE_AARP:
2023 /*
2024 * EtherTalk (AppleTalk protocols on Ethernet link
2025 * layer) may use 802.2 encapsulation.
2026 */
2027
2028 /*
2029 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2030 * we check for the 802.2 protocol type in the
2031 * "Ethernet type" field.
2032 */
2033 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2034
2035 /*
2036 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2037 * SNAP packets with an organization code of
2038 * 0x080007 (Apple, for Appletalk) and a protocol
2039 * type of ETHERTYPE_ATALK (Appletalk).
2040 *
2041 * 802.2-encapsulated ETHERTYPE_AARP packets are
2042 * SNAP packets with an organization code of
2043 * 0x000000 (encapsulated Ethernet) and a protocol
2044 * type of ETHERTYPE_AARP (Appletalk ARP).
2045 */
2046 if (proto == ETHERTYPE_ATALK)
2047 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2048 else /* proto == ETHERTYPE_AARP */
2049 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2050 gen_and(b0, b1);
2051
2052 /*
2053 * Check for Ethernet encapsulation (Ethertalk
2054 * phase 1?); we just check for the Ethernet
2055 * protocol type.
2056 */
2057 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2058
2059 gen_or(b0, b1);
2060 return b1;
2061
2062 default:
2063 if (proto <= ETHERMTU) {
2064 /*
2065 * This is an LLC SAP value, so the frames
2066 * that match would be 802.2 frames.
2067 * Check for the 802.2 protocol type
2068 * in the "Ethernet type" field, and
2069 * then check the DSAP.
2070 */
2071 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2072 LINUX_SLL_P_802_2);
2073 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2074 (bpf_int32)proto);
2075 gen_and(b0, b1);
2076 return b1;
2077 } else {
2078 /*
2079 * This is an Ethernet type, so compare
2080 * the length/type field with it (if
2081 * the frame is an 802.2 frame, the length
2082 * field will be <= ETHERMTU, and, as
2083 * "proto" is > ETHERMTU, this test
2084 * will fail and the frame won't match,
2085 * which is what we want).
2086 */
2087 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2088 (bpf_int32)proto);
2089 }
2090 }
2091 }
2092
2093 static struct slist *
gen_load_prism_llprefixlen()2094 gen_load_prism_llprefixlen()
2095 {
2096 struct slist *s1, *s2;
2097 struct slist *sjeq_avs_cookie;
2098 struct slist *sjcommon;
2099
2100 /*
2101 * This code is not compatible with the optimizer, as
2102 * we are generating jmp instructions within a normal
2103 * slist of instructions
2104 */
2105 no_optimize = 1;
2106
2107 /*
2108 * Generate code to load the length of the radio header into
2109 * the register assigned to hold that length, if one has been
2110 * assigned. (If one hasn't been assigned, no code we've
2111 * generated uses that prefix, so we don't need to generate any
2112 * code to load it.)
2113 *
2114 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2115 * or always use the AVS header rather than the Prism header.
2116 * We load a 4-byte big-endian value at the beginning of the
2117 * raw packet data, and see whether, when masked with 0xFFFFF000,
2118 * it's equal to 0x80211000. If so, that indicates that it's
2119 * an AVS header (the masked-out bits are the version number).
2120 * Otherwise, it's a Prism header.
2121 *
2122 * XXX - the Prism header is also, in theory, variable-length,
2123 * but no known software generates headers that aren't 144
2124 * bytes long.
2125 */
2126 if (reg_off_ll != -1) {
2127 /*
2128 * Load the cookie.
2129 */
2130 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2131 s1->s.k = 0;
2132
2133 /*
2134 * AND it with 0xFFFFF000.
2135 */
2136 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2137 s2->s.k = 0xFFFFF000;
2138 sappend(s1, s2);
2139
2140 /*
2141 * Compare with 0x80211000.
2142 */
2143 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2144 sjeq_avs_cookie->s.k = 0x80211000;
2145 sappend(s1, sjeq_avs_cookie);
2146
2147 /*
2148 * If it's AVS:
2149 *
2150 * The 4 bytes at an offset of 4 from the beginning of
2151 * the AVS header are the length of the AVS header.
2152 * That field is big-endian.
2153 */
2154 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2155 s2->s.k = 4;
2156 sappend(s1, s2);
2157 sjeq_avs_cookie->s.jt = s2;
2158
2159 /*
2160 * Now jump to the code to allocate a register
2161 * into which to save the header length and
2162 * store the length there. (The "jump always"
2163 * instruction needs to have the k field set;
2164 * it's added to the PC, so, as we're jumping
2165 * over a single instruction, it should be 1.)
2166 */
2167 sjcommon = new_stmt(JMP(BPF_JA));
2168 sjcommon->s.k = 1;
2169 sappend(s1, sjcommon);
2170
2171 /*
2172 * Now for the code that handles the Prism header.
2173 * Just load the length of the Prism header (144)
2174 * into the A register. Have the test for an AVS
2175 * header branch here if we don't have an AVS header.
2176 */
2177 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2178 s2->s.k = 144;
2179 sappend(s1, s2);
2180 sjeq_avs_cookie->s.jf = s2;
2181
2182 /*
2183 * Now allocate a register to hold that value and store
2184 * it. The code for the AVS header will jump here after
2185 * loading the length of the AVS header.
2186 */
2187 s2 = new_stmt(BPF_ST);
2188 s2->s.k = reg_off_ll;
2189 sappend(s1, s2);
2190 sjcommon->s.jf = s2;
2191
2192 /*
2193 * Now move it into the X register.
2194 */
2195 s2 = new_stmt(BPF_MISC|BPF_TAX);
2196 sappend(s1, s2);
2197
2198 return (s1);
2199 } else
2200 return (NULL);
2201 }
2202
2203 static struct slist *
gen_load_avs_llprefixlen()2204 gen_load_avs_llprefixlen()
2205 {
2206 struct slist *s1, *s2;
2207
2208 /*
2209 * Generate code to load the length of the AVS header into
2210 * the register assigned to hold that length, if one has been
2211 * assigned. (If one hasn't been assigned, no code we've
2212 * generated uses that prefix, so we don't need to generate any
2213 * code to load it.)
2214 */
2215 if (reg_off_ll != -1) {
2216 /*
2217 * The 4 bytes at an offset of 4 from the beginning of
2218 * the AVS header are the length of the AVS header.
2219 * That field is big-endian.
2220 */
2221 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2222 s1->s.k = 4;
2223
2224 /*
2225 * Now allocate a register to hold that value and store
2226 * it.
2227 */
2228 s2 = new_stmt(BPF_ST);
2229 s2->s.k = reg_off_ll;
2230 sappend(s1, s2);
2231
2232 /*
2233 * Now move it into the X register.
2234 */
2235 s2 = new_stmt(BPF_MISC|BPF_TAX);
2236 sappend(s1, s2);
2237
2238 return (s1);
2239 } else
2240 return (NULL);
2241 }
2242
2243 static struct slist *
gen_load_radiotap_llprefixlen()2244 gen_load_radiotap_llprefixlen()
2245 {
2246 struct slist *s1, *s2;
2247
2248 /*
2249 * Generate code to load the length of the radiotap header into
2250 * the register assigned to hold that length, if one has been
2251 * assigned. (If one hasn't been assigned, no code we've
2252 * generated uses that prefix, so we don't need to generate any
2253 * code to load it.)
2254 */
2255 if (reg_off_ll != -1) {
2256 /*
2257 * The 2 bytes at offsets of 2 and 3 from the beginning
2258 * of the radiotap header are the length of the radiotap
2259 * header; unfortunately, it's little-endian, so we have
2260 * to load it a byte at a time and construct the value.
2261 */
2262
2263 /*
2264 * Load the high-order byte, at an offset of 3, shift it
2265 * left a byte, and put the result in the X register.
2266 */
2267 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2268 s1->s.k = 3;
2269 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2270 sappend(s1, s2);
2271 s2->s.k = 8;
2272 s2 = new_stmt(BPF_MISC|BPF_TAX);
2273 sappend(s1, s2);
2274
2275 /*
2276 * Load the next byte, at an offset of 2, and OR the
2277 * value from the X register into it.
2278 */
2279 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2280 sappend(s1, s2);
2281 s2->s.k = 2;
2282 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2283 sappend(s1, s2);
2284
2285 /*
2286 * Now allocate a register to hold that value and store
2287 * it.
2288 */
2289 s2 = new_stmt(BPF_ST);
2290 s2->s.k = reg_off_ll;
2291 sappend(s1, s2);
2292
2293 /*
2294 * Now move it into the X register.
2295 */
2296 s2 = new_stmt(BPF_MISC|BPF_TAX);
2297 sappend(s1, s2);
2298
2299 return (s1);
2300 } else
2301 return (NULL);
2302 }
2303
2304 /*
2305 * At the moment we treat PPI as normal Radiotap encoded
2306 * packets. The difference is in the function that generates
2307 * the code at the beginning to compute the header length.
2308 * Since this code generator of PPI supports bare 802.11
2309 * encapsulation only (i.e. the encapsulated DLT should be
2310 * DLT_IEEE802_11) we generate code to check for this too;
2311 * that's done in finish_parse().
2312 */
2313 static struct slist *
gen_load_ppi_llprefixlen()2314 gen_load_ppi_llprefixlen()
2315 {
2316 struct slist *s1, *s2;
2317
2318 /*
2319 * Generate code to load the length of the radiotap header
2320 * into the register assigned to hold that length, if one has
2321 * been assigned.
2322 */
2323 if (reg_off_ll != -1) {
2324 /*
2325 * The 2 bytes at offsets of 2 and 3 from the beginning
2326 * of the radiotap header are the length of the radiotap
2327 * header; unfortunately, it's little-endian, so we have
2328 * to load it a byte at a time and construct the value.
2329 */
2330
2331 /*
2332 * Load the high-order byte, at an offset of 3, shift it
2333 * left a byte, and put the result in the X register.
2334 */
2335 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2336 s1->s.k = 3;
2337 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2338 sappend(s1, s2);
2339 s2->s.k = 8;
2340 s2 = new_stmt(BPF_MISC|BPF_TAX);
2341 sappend(s1, s2);
2342
2343 /*
2344 * Load the next byte, at an offset of 2, and OR the
2345 * value from the X register into it.
2346 */
2347 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2348 sappend(s1, s2);
2349 s2->s.k = 2;
2350 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2351 sappend(s1, s2);
2352
2353 /*
2354 * Now allocate a register to hold that value and store
2355 * it.
2356 */
2357 s2 = new_stmt(BPF_ST);
2358 s2->s.k = reg_off_ll;
2359 sappend(s1, s2);
2360
2361 /*
2362 * Now move it into the X register.
2363 */
2364 s2 = new_stmt(BPF_MISC|BPF_TAX);
2365 sappend(s1, s2);
2366
2367 return (s1);
2368 } else
2369 return (NULL);
2370 }
2371
2372 /*
2373 * Load a value relative to the beginning of the link-layer header after the 802.11
2374 * header, i.e. LLC_SNAP.
2375 * The link-layer header doesn't necessarily begin at the beginning
2376 * of the packet data; there might be a variable-length prefix containing
2377 * radio information.
2378 */
2379 static struct slist *
gen_load_802_11_header_len(struct slist * s,struct slist * snext)2380 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2381 {
2382 struct slist *s2;
2383 struct slist *sjset_data_frame_1;
2384 struct slist *sjset_data_frame_2;
2385 struct slist *sjset_qos;
2386 struct slist *sjset_radiotap_flags;
2387 struct slist *sjset_radiotap_tsft;
2388 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2389 struct slist *s_roundup;
2390
2391 if (reg_off_macpl == -1) {
2392 /*
2393 * No register has been assigned to the offset of
2394 * the MAC-layer payload, which means nobody needs
2395 * it; don't bother computing it - just return
2396 * what we already have.
2397 */
2398 return (s);
2399 }
2400
2401 /*
2402 * This code is not compatible with the optimizer, as
2403 * we are generating jmp instructions within a normal
2404 * slist of instructions
2405 */
2406 no_optimize = 1;
2407
2408 /*
2409 * If "s" is non-null, it has code to arrange that the X register
2410 * contains the length of the prefix preceding the link-layer
2411 * header.
2412 *
2413 * Otherwise, the length of the prefix preceding the link-layer
2414 * header is "off_ll".
2415 */
2416 if (s == NULL) {
2417 /*
2418 * There is no variable-length header preceding the
2419 * link-layer header.
2420 *
2421 * Load the length of the fixed-length prefix preceding
2422 * the link-layer header (if any) into the X register,
2423 * and store it in the reg_off_macpl register.
2424 * That length is off_ll.
2425 */
2426 s = new_stmt(BPF_LDX|BPF_IMM);
2427 s->s.k = off_ll;
2428 }
2429
2430 /*
2431 * The X register contains the offset of the beginning of the
2432 * link-layer header; add 24, which is the minimum length
2433 * of the MAC header for a data frame, to that, and store it
2434 * in reg_off_macpl, and then load the Frame Control field,
2435 * which is at the offset in the X register, with an indexed load.
2436 */
2437 s2 = new_stmt(BPF_MISC|BPF_TXA);
2438 sappend(s, s2);
2439 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2440 s2->s.k = 24;
2441 sappend(s, s2);
2442 s2 = new_stmt(BPF_ST);
2443 s2->s.k = reg_off_macpl;
2444 sappend(s, s2);
2445
2446 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2447 s2->s.k = 0;
2448 sappend(s, s2);
2449
2450 /*
2451 * Check the Frame Control field to see if this is a data frame;
2452 * a data frame has the 0x08 bit (b3) in that field set and the
2453 * 0x04 bit (b2) clear.
2454 */
2455 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2456 sjset_data_frame_1->s.k = 0x08;
2457 sappend(s, sjset_data_frame_1);
2458
2459 /*
2460 * If b3 is set, test b2, otherwise go to the first statement of
2461 * the rest of the program.
2462 */
2463 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2464 sjset_data_frame_2->s.k = 0x04;
2465 sappend(s, sjset_data_frame_2);
2466 sjset_data_frame_1->s.jf = snext;
2467
2468 /*
2469 * If b2 is not set, this is a data frame; test the QoS bit.
2470 * Otherwise, go to the first statement of the rest of the
2471 * program.
2472 */
2473 sjset_data_frame_2->s.jt = snext;
2474 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2475 sjset_qos->s.k = 0x80; /* QoS bit */
2476 sappend(s, sjset_qos);
2477
2478 /*
2479 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2480 * field.
2481 * Otherwise, go to the first statement of the rest of the
2482 * program.
2483 */
2484 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2485 s2->s.k = reg_off_macpl;
2486 sappend(s, s2);
2487 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2488 s2->s.k = 2;
2489 sappend(s, s2);
2490 s2 = new_stmt(BPF_ST);
2491 s2->s.k = reg_off_macpl;
2492 sappend(s, s2);
2493
2494 /*
2495 * If we have a radiotap header, look at it to see whether
2496 * there's Atheros padding between the MAC-layer header
2497 * and the payload.
2498 *
2499 * Note: all of the fields in the radiotap header are
2500 * little-endian, so we byte-swap all of the values
2501 * we test against, as they will be loaded as big-endian
2502 * values.
2503 */
2504 if (linktype == DLT_IEEE802_11_RADIO) {
2505 /*
2506 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2507 * in the presence flag?
2508 */
2509 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2510 s2->s.k = 4;
2511 sappend(s, s2);
2512
2513 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2514 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2515 sappend(s, sjset_radiotap_flags);
2516
2517 /*
2518 * If not, skip all of this.
2519 */
2520 sjset_radiotap_flags->s.jf = snext;
2521
2522 /*
2523 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2524 */
2525 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2526 new_stmt(JMP(BPF_JSET));
2527 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2528 sappend(s, sjset_radiotap_tsft);
2529
2530 /*
2531 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2532 * at an offset of 16 from the beginning of the raw packet
2533 * data (8 bytes for the radiotap header and 8 bytes for
2534 * the TSFT field).
2535 *
2536 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2537 * is set.
2538 */
2539 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2540 s2->s.k = 16;
2541 sappend(s, s2);
2542
2543 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2544 sjset_tsft_datapad->s.k = 0x20;
2545 sappend(s, sjset_tsft_datapad);
2546
2547 /*
2548 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2549 * at an offset of 8 from the beginning of the raw packet
2550 * data (8 bytes for the radiotap header).
2551 *
2552 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2553 * is set.
2554 */
2555 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2556 s2->s.k = 8;
2557 sappend(s, s2);
2558
2559 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2560 sjset_notsft_datapad->s.k = 0x20;
2561 sappend(s, sjset_notsft_datapad);
2562
2563 /*
2564 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2565 * set, round the length of the 802.11 header to
2566 * a multiple of 4. Do that by adding 3 and then
2567 * dividing by and multiplying by 4, which we do by
2568 * ANDing with ~3.
2569 */
2570 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2571 s_roundup->s.k = reg_off_macpl;
2572 sappend(s, s_roundup);
2573 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2574 s2->s.k = 3;
2575 sappend(s, s2);
2576 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2577 s2->s.k = ~3;
2578 sappend(s, s2);
2579 s2 = new_stmt(BPF_ST);
2580 s2->s.k = reg_off_macpl;
2581 sappend(s, s2);
2582
2583 sjset_tsft_datapad->s.jt = s_roundup;
2584 sjset_tsft_datapad->s.jf = snext;
2585 sjset_notsft_datapad->s.jt = s_roundup;
2586 sjset_notsft_datapad->s.jf = snext;
2587 } else
2588 sjset_qos->s.jf = snext;
2589
2590 return s;
2591 }
2592
2593 static void
insert_compute_vloffsets(b)2594 insert_compute_vloffsets(b)
2595 struct block *b;
2596 {
2597 struct slist *s;
2598
2599 /*
2600 * For link-layer types that have a variable-length header
2601 * preceding the link-layer header, generate code to load
2602 * the offset of the link-layer header into the register
2603 * assigned to that offset, if any.
2604 */
2605 switch (linktype) {
2606
2607 case DLT_PRISM_HEADER:
2608 s = gen_load_prism_llprefixlen();
2609 break;
2610
2611 case DLT_IEEE802_11_RADIO_AVS:
2612 s = gen_load_avs_llprefixlen();
2613 break;
2614
2615 case DLT_IEEE802_11_RADIO:
2616 s = gen_load_radiotap_llprefixlen();
2617 break;
2618
2619 case DLT_PPI:
2620 s = gen_load_ppi_llprefixlen();
2621 break;
2622
2623 default:
2624 s = NULL;
2625 break;
2626 }
2627
2628 /*
2629 * For link-layer types that have a variable-length link-layer
2630 * header, generate code to load the offset of the MAC-layer
2631 * payload into the register assigned to that offset, if any.
2632 */
2633 switch (linktype) {
2634
2635 case DLT_IEEE802_11:
2636 case DLT_PRISM_HEADER:
2637 case DLT_IEEE802_11_RADIO_AVS:
2638 case DLT_IEEE802_11_RADIO:
2639 case DLT_PPI:
2640 s = gen_load_802_11_header_len(s, b->stmts);
2641 break;
2642 }
2643
2644 /*
2645 * If we have any offset-loading code, append all the
2646 * existing statements in the block to those statements,
2647 * and make the resulting list the list of statements
2648 * for the block.
2649 */
2650 if (s != NULL) {
2651 sappend(s, b->stmts);
2652 b->stmts = s;
2653 }
2654 }
2655
2656 static struct block *
gen_ppi_dlt_check(void)2657 gen_ppi_dlt_check(void)
2658 {
2659 struct slist *s_load_dlt;
2660 struct block *b;
2661
2662 if (linktype == DLT_PPI)
2663 {
2664 /* Create the statements that check for the DLT
2665 */
2666 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2667 s_load_dlt->s.k = 4;
2668
2669 b = new_block(JMP(BPF_JEQ));
2670
2671 b->stmts = s_load_dlt;
2672 b->s.k = SWAPLONG(DLT_IEEE802_11);
2673 }
2674 else
2675 {
2676 b = NULL;
2677 }
2678
2679 return b;
2680 }
2681
2682 static struct slist *
gen_prism_llprefixlen(void)2683 gen_prism_llprefixlen(void)
2684 {
2685 struct slist *s;
2686
2687 if (reg_off_ll == -1) {
2688 /*
2689 * We haven't yet assigned a register for the length
2690 * of the radio header; allocate one.
2691 */
2692 reg_off_ll = alloc_reg();
2693 }
2694
2695 /*
2696 * Load the register containing the radio length
2697 * into the X register.
2698 */
2699 s = new_stmt(BPF_LDX|BPF_MEM);
2700 s->s.k = reg_off_ll;
2701 return s;
2702 }
2703
2704 static struct slist *
gen_avs_llprefixlen(void)2705 gen_avs_llprefixlen(void)
2706 {
2707 struct slist *s;
2708
2709 if (reg_off_ll == -1) {
2710 /*
2711 * We haven't yet assigned a register for the length
2712 * of the AVS header; allocate one.
2713 */
2714 reg_off_ll = alloc_reg();
2715 }
2716
2717 /*
2718 * Load the register containing the AVS length
2719 * into the X register.
2720 */
2721 s = new_stmt(BPF_LDX|BPF_MEM);
2722 s->s.k = reg_off_ll;
2723 return s;
2724 }
2725
2726 static struct slist *
gen_radiotap_llprefixlen(void)2727 gen_radiotap_llprefixlen(void)
2728 {
2729 struct slist *s;
2730
2731 if (reg_off_ll == -1) {
2732 /*
2733 * We haven't yet assigned a register for the length
2734 * of the radiotap header; allocate one.
2735 */
2736 reg_off_ll = alloc_reg();
2737 }
2738
2739 /*
2740 * Load the register containing the radiotap length
2741 * into the X register.
2742 */
2743 s = new_stmt(BPF_LDX|BPF_MEM);
2744 s->s.k = reg_off_ll;
2745 return s;
2746 }
2747
2748 /*
2749 * At the moment we treat PPI as normal Radiotap encoded
2750 * packets. The difference is in the function that generates
2751 * the code at the beginning to compute the header length.
2752 * Since this code generator of PPI supports bare 802.11
2753 * encapsulation only (i.e. the encapsulated DLT should be
2754 * DLT_IEEE802_11) we generate code to check for this too.
2755 */
2756 static struct slist *
gen_ppi_llprefixlen(void)2757 gen_ppi_llprefixlen(void)
2758 {
2759 struct slist *s;
2760
2761 if (reg_off_ll == -1) {
2762 /*
2763 * We haven't yet assigned a register for the length
2764 * of the radiotap header; allocate one.
2765 */
2766 reg_off_ll = alloc_reg();
2767 }
2768
2769 /*
2770 * Load the register containing the PPI length
2771 * into the X register.
2772 */
2773 s = new_stmt(BPF_LDX|BPF_MEM);
2774 s->s.k = reg_off_ll;
2775 return s;
2776 }
2777
2778 /*
2779 * Generate code to compute the link-layer header length, if necessary,
2780 * putting it into the X register, and to return either a pointer to a
2781 * "struct slist" for the list of statements in that code, or NULL if
2782 * no code is necessary.
2783 */
2784 static struct slist *
gen_llprefixlen(void)2785 gen_llprefixlen(void)
2786 {
2787 switch (linktype) {
2788
2789 case DLT_PRISM_HEADER:
2790 return gen_prism_llprefixlen();
2791
2792 case DLT_IEEE802_11_RADIO_AVS:
2793 return gen_avs_llprefixlen();
2794
2795 case DLT_IEEE802_11_RADIO:
2796 return gen_radiotap_llprefixlen();
2797
2798 case DLT_PPI:
2799 return gen_ppi_llprefixlen();
2800
2801 default:
2802 return NULL;
2803 }
2804 }
2805
2806 /*
2807 * Generate code to load the register containing the offset of the
2808 * MAC-layer payload into the X register; if no register for that offset
2809 * has been allocated, allocate it first.
2810 */
2811 static struct slist *
gen_off_macpl(void)2812 gen_off_macpl(void)
2813 {
2814 struct slist *s;
2815
2816 if (off_macpl_is_variable) {
2817 if (reg_off_macpl == -1) {
2818 /*
2819 * We haven't yet assigned a register for the offset
2820 * of the MAC-layer payload; allocate one.
2821 */
2822 reg_off_macpl = alloc_reg();
2823 }
2824
2825 /*
2826 * Load the register containing the offset of the MAC-layer
2827 * payload into the X register.
2828 */
2829 s = new_stmt(BPF_LDX|BPF_MEM);
2830 s->s.k = reg_off_macpl;
2831 return s;
2832 } else {
2833 /*
2834 * That offset isn't variable, so we don't need to
2835 * generate any code.
2836 */
2837 return NULL;
2838 }
2839 }
2840
2841 /*
2842 * Map an Ethernet type to the equivalent PPP type.
2843 */
2844 static int
ethertype_to_ppptype(proto)2845 ethertype_to_ppptype(proto)
2846 int proto;
2847 {
2848 switch (proto) {
2849
2850 case ETHERTYPE_IP:
2851 proto = PPP_IP;
2852 break;
2853
2854 case ETHERTYPE_IPV6:
2855 proto = PPP_IPV6;
2856 break;
2857
2858 case ETHERTYPE_DN:
2859 proto = PPP_DECNET;
2860 break;
2861
2862 case ETHERTYPE_ATALK:
2863 proto = PPP_APPLE;
2864 break;
2865
2866 case ETHERTYPE_NS:
2867 proto = PPP_NS;
2868 break;
2869
2870 case LLCSAP_ISONS:
2871 proto = PPP_OSI;
2872 break;
2873
2874 case LLCSAP_8021D:
2875 /*
2876 * I'm assuming the "Bridging PDU"s that go
2877 * over PPP are Spanning Tree Protocol
2878 * Bridging PDUs.
2879 */
2880 proto = PPP_BRPDU;
2881 break;
2882
2883 case LLCSAP_IPX:
2884 proto = PPP_IPX;
2885 break;
2886 }
2887 return (proto);
2888 }
2889
2890 /*
2891 * Generate code to match a particular packet type by matching the
2892 * link-layer type field or fields in the 802.2 LLC header.
2893 *
2894 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2895 * value, if <= ETHERMTU.
2896 */
2897 static struct block *
gen_linktype(proto)2898 gen_linktype(proto)
2899 register int proto;
2900 {
2901 struct block *b0, *b1, *b2;
2902
2903 /* are we checking MPLS-encapsulated packets? */
2904 if (label_stack_depth > 0) {
2905 switch (proto) {
2906 case ETHERTYPE_IP:
2907 case PPP_IP:
2908 /* FIXME add other L3 proto IDs */
2909 return gen_mpls_linktype(Q_IP);
2910
2911 case ETHERTYPE_IPV6:
2912 case PPP_IPV6:
2913 /* FIXME add other L3 proto IDs */
2914 return gen_mpls_linktype(Q_IPV6);
2915
2916 default:
2917 bpf_error("unsupported protocol over mpls");
2918 /* NOTREACHED */
2919 }
2920 }
2921
2922 /*
2923 * Are we testing PPPoE packets?
2924 */
2925 if (is_pppoes) {
2926 /*
2927 * The PPPoE session header is part of the
2928 * MAC-layer payload, so all references
2929 * should be relative to the beginning of
2930 * that payload.
2931 */
2932
2933 /*
2934 * We use Ethernet protocol types inside libpcap;
2935 * map them to the corresponding PPP protocol types.
2936 */
2937 proto = ethertype_to_ppptype(proto);
2938 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
2939 }
2940
2941 switch (linktype) {
2942
2943 case DLT_EN10MB:
2944 case DLT_NETANALYZER:
2945 case DLT_NETANALYZER_TRANSPARENT:
2946 return gen_ether_linktype(proto);
2947 /*NOTREACHED*/
2948 break;
2949
2950 case DLT_C_HDLC:
2951 switch (proto) {
2952
2953 case LLCSAP_ISONS:
2954 proto = (proto << 8 | LLCSAP_ISONS);
2955 /* fall through */
2956
2957 default:
2958 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2959 (bpf_int32)proto);
2960 /*NOTREACHED*/
2961 break;
2962 }
2963 break;
2964
2965 case DLT_IEEE802_11:
2966 case DLT_PRISM_HEADER:
2967 case DLT_IEEE802_11_RADIO_AVS:
2968 case DLT_IEEE802_11_RADIO:
2969 case DLT_PPI:
2970 /*
2971 * Check that we have a data frame.
2972 */
2973 b0 = gen_check_802_11_data_frame();
2974
2975 /*
2976 * Now check for the specified link-layer type.
2977 */
2978 b1 = gen_llc_linktype(proto);
2979 gen_and(b0, b1);
2980 return b1;
2981 /*NOTREACHED*/
2982 break;
2983
2984 case DLT_FDDI:
2985 /*
2986 * XXX - check for asynchronous frames, as per RFC 1103.
2987 */
2988 return gen_llc_linktype(proto);
2989 /*NOTREACHED*/
2990 break;
2991
2992 case DLT_IEEE802:
2993 /*
2994 * XXX - check for LLC PDUs, as per IEEE 802.5.
2995 */
2996 return gen_llc_linktype(proto);
2997 /*NOTREACHED*/
2998 break;
2999
3000 case DLT_ATM_RFC1483:
3001 case DLT_ATM_CLIP:
3002 case DLT_IP_OVER_FC:
3003 return gen_llc_linktype(proto);
3004 /*NOTREACHED*/
3005 break;
3006
3007 case DLT_SUNATM:
3008 /*
3009 * If "is_lane" is set, check for a LANE-encapsulated
3010 * version of this protocol, otherwise check for an
3011 * LLC-encapsulated version of this protocol.
3012 *
3013 * We assume LANE means Ethernet, not Token Ring.
3014 */
3015 if (is_lane) {
3016 /*
3017 * Check that the packet doesn't begin with an
3018 * LE Control marker. (We've already generated
3019 * a test for LANE.)
3020 */
3021 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3022 0xFF00);
3023 gen_not(b0);
3024
3025 /*
3026 * Now generate an Ethernet test.
3027 */
3028 b1 = gen_ether_linktype(proto);
3029 gen_and(b0, b1);
3030 return b1;
3031 } else {
3032 /*
3033 * Check for LLC encapsulation and then check the
3034 * protocol.
3035 */
3036 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3037 b1 = gen_llc_linktype(proto);
3038 gen_and(b0, b1);
3039 return b1;
3040 }
3041 /*NOTREACHED*/
3042 break;
3043
3044 case DLT_LINUX_SLL:
3045 return gen_linux_sll_linktype(proto);
3046 /*NOTREACHED*/
3047 break;
3048
3049 case DLT_SLIP:
3050 case DLT_SLIP_BSDOS:
3051 case DLT_RAW:
3052 /*
3053 * These types don't provide any type field; packets
3054 * are always IPv4 or IPv6.
3055 *
3056 * XXX - for IPv4, check for a version number of 4, and,
3057 * for IPv6, check for a version number of 6?
3058 */
3059 switch (proto) {
3060
3061 case ETHERTYPE_IP:
3062 /* Check for a version number of 4. */
3063 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3064
3065 case ETHERTYPE_IPV6:
3066 /* Check for a version number of 6. */
3067 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3068
3069 default:
3070 return gen_false(); /* always false */
3071 }
3072 /*NOTREACHED*/
3073 break;
3074
3075 case DLT_IPV4:
3076 /*
3077 * Raw IPv4, so no type field.
3078 */
3079 if (proto == ETHERTYPE_IP)
3080 return gen_true(); /* always true */
3081
3082 /* Checking for something other than IPv4; always false */
3083 return gen_false();
3084 /*NOTREACHED*/
3085 break;
3086
3087 case DLT_IPV6:
3088 /*
3089 * Raw IPv6, so no type field.
3090 */
3091 if (proto == ETHERTYPE_IPV6)
3092 return gen_true(); /* always true */
3093
3094 /* Checking for something other than IPv6; always false */
3095 return gen_false();
3096 /*NOTREACHED*/
3097 break;
3098
3099 case DLT_PPP:
3100 case DLT_PPP_PPPD:
3101 case DLT_PPP_SERIAL:
3102 case DLT_PPP_ETHER:
3103 /*
3104 * We use Ethernet protocol types inside libpcap;
3105 * map them to the corresponding PPP protocol types.
3106 */
3107 proto = ethertype_to_ppptype(proto);
3108 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3109 /*NOTREACHED*/
3110 break;
3111
3112 case DLT_PPP_BSDOS:
3113 /*
3114 * We use Ethernet protocol types inside libpcap;
3115 * map them to the corresponding PPP protocol types.
3116 */
3117 switch (proto) {
3118
3119 case ETHERTYPE_IP:
3120 /*
3121 * Also check for Van Jacobson-compressed IP.
3122 * XXX - do this for other forms of PPP?
3123 */
3124 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3125 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3126 gen_or(b0, b1);
3127 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3128 gen_or(b1, b0);
3129 return b0;
3130
3131 default:
3132 proto = ethertype_to_ppptype(proto);
3133 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3134 (bpf_int32)proto);
3135 }
3136 /*NOTREACHED*/
3137 break;
3138
3139 case DLT_NULL:
3140 case DLT_LOOP:
3141 case DLT_ENC:
3142 /*
3143 * For DLT_NULL, the link-layer header is a 32-bit
3144 * word containing an AF_ value in *host* byte order,
3145 * and for DLT_ENC, the link-layer header begins
3146 * with a 32-bit work containing an AF_ value in
3147 * host byte order.
3148 *
3149 * In addition, if we're reading a saved capture file,
3150 * the host byte order in the capture may not be the
3151 * same as the host byte order on this machine.
3152 *
3153 * For DLT_LOOP, the link-layer header is a 32-bit
3154 * word containing an AF_ value in *network* byte order.
3155 *
3156 * XXX - AF_ values may, unfortunately, be platform-
3157 * dependent; for example, FreeBSD's AF_INET6 is 24
3158 * whilst NetBSD's and OpenBSD's is 26.
3159 *
3160 * This means that, when reading a capture file, just
3161 * checking for our AF_INET6 value won't work if the
3162 * capture file came from another OS.
3163 */
3164 switch (proto) {
3165
3166 case ETHERTYPE_IP:
3167 proto = AF_INET;
3168 break;
3169
3170 #ifdef INET6
3171 case ETHERTYPE_IPV6:
3172 proto = AF_INET6;
3173 break;
3174 #endif
3175
3176 default:
3177 /*
3178 * Not a type on which we support filtering.
3179 * XXX - support those that have AF_ values
3180 * #defined on this platform, at least?
3181 */
3182 return gen_false();
3183 }
3184
3185 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3186 /*
3187 * The AF_ value is in host byte order, but
3188 * the BPF interpreter will convert it to
3189 * network byte order.
3190 *
3191 * If this is a save file, and it's from a
3192 * machine with the opposite byte order to
3193 * ours, we byte-swap the AF_ value.
3194 *
3195 * Then we run it through "htonl()", and
3196 * generate code to compare against the result.
3197 */
3198 if (bpf_pcap->sf.rfile != NULL &&
3199 bpf_pcap->sf.swapped)
3200 proto = SWAPLONG(proto);
3201 proto = htonl(proto);
3202 }
3203 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3204
3205 #ifdef HAVE_NET_PFVAR_H
3206 case DLT_PFLOG:
3207 /*
3208 * af field is host byte order in contrast to the rest of
3209 * the packet.
3210 */
3211 if (proto == ETHERTYPE_IP)
3212 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3213 BPF_B, (bpf_int32)AF_INET));
3214 else if (proto == ETHERTYPE_IPV6)
3215 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3216 BPF_B, (bpf_int32)AF_INET6));
3217 else
3218 return gen_false();
3219 /*NOTREACHED*/
3220 break;
3221 #endif /* HAVE_NET_PFVAR_H */
3222
3223 case DLT_ARCNET:
3224 case DLT_ARCNET_LINUX:
3225 /*
3226 * XXX should we check for first fragment if the protocol
3227 * uses PHDS?
3228 */
3229 switch (proto) {
3230
3231 default:
3232 return gen_false();
3233
3234 case ETHERTYPE_IPV6:
3235 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3236 (bpf_int32)ARCTYPE_INET6));
3237
3238 case ETHERTYPE_IP:
3239 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3240 (bpf_int32)ARCTYPE_IP);
3241 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3242 (bpf_int32)ARCTYPE_IP_OLD);
3243 gen_or(b0, b1);
3244 return (b1);
3245
3246 case ETHERTYPE_ARP:
3247 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3248 (bpf_int32)ARCTYPE_ARP);
3249 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3250 (bpf_int32)ARCTYPE_ARP_OLD);
3251 gen_or(b0, b1);
3252 return (b1);
3253
3254 case ETHERTYPE_REVARP:
3255 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3256 (bpf_int32)ARCTYPE_REVARP));
3257
3258 case ETHERTYPE_ATALK:
3259 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3260 (bpf_int32)ARCTYPE_ATALK));
3261 }
3262 /*NOTREACHED*/
3263 break;
3264
3265 case DLT_LTALK:
3266 switch (proto) {
3267 case ETHERTYPE_ATALK:
3268 return gen_true();
3269 default:
3270 return gen_false();
3271 }
3272 /*NOTREACHED*/
3273 break;
3274
3275 case DLT_FRELAY:
3276 /*
3277 * XXX - assumes a 2-byte Frame Relay header with
3278 * DLCI and flags. What if the address is longer?
3279 */
3280 switch (proto) {
3281
3282 case ETHERTYPE_IP:
3283 /*
3284 * Check for the special NLPID for IP.
3285 */
3286 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3287
3288 case ETHERTYPE_IPV6:
3289 /*
3290 * Check for the special NLPID for IPv6.
3291 */
3292 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3293
3294 case LLCSAP_ISONS:
3295 /*
3296 * Check for several OSI protocols.
3297 *
3298 * Frame Relay packets typically have an OSI
3299 * NLPID at the beginning; we check for each
3300 * of them.
3301 *
3302 * What we check for is the NLPID and a frame
3303 * control field of UI, i.e. 0x03 followed
3304 * by the NLPID.
3305 */
3306 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3307 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3308 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3309 gen_or(b1, b2);
3310 gen_or(b0, b2);
3311 return b2;
3312
3313 default:
3314 return gen_false();
3315 }
3316 /*NOTREACHED*/
3317 break;
3318
3319 case DLT_MFR:
3320 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3321
3322 case DLT_JUNIPER_MFR:
3323 case DLT_JUNIPER_MLFR:
3324 case DLT_JUNIPER_MLPPP:
3325 case DLT_JUNIPER_ATM1:
3326 case DLT_JUNIPER_ATM2:
3327 case DLT_JUNIPER_PPPOE:
3328 case DLT_JUNIPER_PPPOE_ATM:
3329 case DLT_JUNIPER_GGSN:
3330 case DLT_JUNIPER_ES:
3331 case DLT_JUNIPER_MONITOR:
3332 case DLT_JUNIPER_SERVICES:
3333 case DLT_JUNIPER_ETHER:
3334 case DLT_JUNIPER_PPP:
3335 case DLT_JUNIPER_FRELAY:
3336 case DLT_JUNIPER_CHDLC:
3337 case DLT_JUNIPER_VP:
3338 case DLT_JUNIPER_ST:
3339 case DLT_JUNIPER_ISM:
3340 case DLT_JUNIPER_VS:
3341 case DLT_JUNIPER_SRX_E2E:
3342 case DLT_JUNIPER_FIBRECHANNEL:
3343 case DLT_JUNIPER_ATM_CEMIC:
3344
3345 /* just lets verify the magic number for now -
3346 * on ATM we may have up to 6 different encapsulations on the wire
3347 * and need a lot of heuristics to figure out that the payload
3348 * might be;
3349 *
3350 * FIXME encapsulation specific BPF_ filters
3351 */
3352 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3353
3354 case DLT_IPNET:
3355 return gen_ipnet_linktype(proto);
3356
3357 case DLT_LINUX_IRDA:
3358 bpf_error("IrDA link-layer type filtering not implemented");
3359
3360 case DLT_DOCSIS:
3361 bpf_error("DOCSIS link-layer type filtering not implemented");
3362
3363 case DLT_MTP2:
3364 case DLT_MTP2_WITH_PHDR:
3365 bpf_error("MTP2 link-layer type filtering not implemented");
3366
3367 case DLT_ERF:
3368 bpf_error("ERF link-layer type filtering not implemented");
3369
3370 case DLT_PFSYNC:
3371 bpf_error("PFSYNC link-layer type filtering not implemented");
3372
3373 case DLT_LINUX_LAPD:
3374 bpf_error("LAPD link-layer type filtering not implemented");
3375
3376 case DLT_USB:
3377 case DLT_USB_LINUX:
3378 case DLT_USB_LINUX_MMAPPED:
3379 bpf_error("USB link-layer type filtering not implemented");
3380
3381 case DLT_BLUETOOTH_HCI_H4:
3382 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3383 bpf_error("Bluetooth link-layer type filtering not implemented");
3384
3385 case DLT_CAN20B:
3386 case DLT_CAN_SOCKETCAN:
3387 bpf_error("CAN link-layer type filtering not implemented");
3388
3389 case DLT_IEEE802_15_4:
3390 case DLT_IEEE802_15_4_LINUX:
3391 case DLT_IEEE802_15_4_NONASK_PHY:
3392 case DLT_IEEE802_15_4_NOFCS:
3393 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3394
3395 case DLT_IEEE802_16_MAC_CPS_RADIO:
3396 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3397
3398 case DLT_SITA:
3399 bpf_error("SITA link-layer type filtering not implemented");
3400
3401 case DLT_RAIF1:
3402 bpf_error("RAIF1 link-layer type filtering not implemented");
3403
3404 case DLT_IPMB:
3405 bpf_error("IPMB link-layer type filtering not implemented");
3406
3407 case DLT_AX25_KISS:
3408 bpf_error("AX.25 link-layer type filtering not implemented");
3409 }
3410
3411 /*
3412 * All the types that have no encapsulation should either be
3413 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3414 * all packets are IP packets, or should be handled in some
3415 * special case, if none of them are (if some are and some
3416 * aren't, the lack of encapsulation is a problem, as we'd
3417 * have to find some other way of determining the packet type).
3418 *
3419 * Therefore, if "off_linktype" is -1, there's an error.
3420 */
3421 if (off_linktype == (u_int)-1)
3422 abort();
3423
3424 /*
3425 * Any type not handled above should always have an Ethernet
3426 * type at an offset of "off_linktype".
3427 */
3428 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3429 }
3430
3431 /*
3432 * Check for an LLC SNAP packet with a given organization code and
3433 * protocol type; we check the entire contents of the 802.2 LLC and
3434 * snap headers, checking for DSAP and SSAP of SNAP and a control
3435 * field of 0x03 in the LLC header, and for the specified organization
3436 * code and protocol type in the SNAP header.
3437 */
3438 static struct block *
gen_snap(orgcode,ptype)3439 gen_snap(orgcode, ptype)
3440 bpf_u_int32 orgcode;
3441 bpf_u_int32 ptype;
3442 {
3443 u_char snapblock[8];
3444
3445 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3446 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3447 snapblock[2] = 0x03; /* control = UI */
3448 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3449 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3450 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3451 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3452 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3453 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3454 }
3455
3456 /*
3457 * Generate code to match a particular packet type, for link-layer types
3458 * using 802.2 LLC headers.
3459 *
3460 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3461 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3462 *
3463 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3464 * value, if <= ETHERMTU. We use that to determine whether to
3465 * match the DSAP or both DSAP and LSAP or to check the OUI and
3466 * protocol ID in a SNAP header.
3467 */
3468 static struct block *
gen_llc_linktype(proto)3469 gen_llc_linktype(proto)
3470 int proto;
3471 {
3472 /*
3473 * XXX - handle token-ring variable-length header.
3474 */
3475 switch (proto) {
3476
3477 case LLCSAP_IP:
3478 case LLCSAP_ISONS:
3479 case LLCSAP_NETBEUI:
3480 /*
3481 * XXX - should we check both the DSAP and the
3482 * SSAP, like this, or should we check just the
3483 * DSAP, as we do for other types <= ETHERMTU
3484 * (i.e., other SAP values)?
3485 */
3486 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3487 ((proto << 8) | proto));
3488
3489 case LLCSAP_IPX:
3490 /*
3491 * XXX - are there ever SNAP frames for IPX on
3492 * non-Ethernet 802.x networks?
3493 */
3494 return gen_cmp(OR_MACPL, 0, BPF_B,
3495 (bpf_int32)LLCSAP_IPX);
3496
3497 case ETHERTYPE_ATALK:
3498 /*
3499 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3500 * SNAP packets with an organization code of
3501 * 0x080007 (Apple, for Appletalk) and a protocol
3502 * type of ETHERTYPE_ATALK (Appletalk).
3503 *
3504 * XXX - check for an organization code of
3505 * encapsulated Ethernet as well?
3506 */
3507 return gen_snap(0x080007, ETHERTYPE_ATALK);
3508
3509 default:
3510 /*
3511 * XXX - we don't have to check for IPX 802.3
3512 * here, but should we check for the IPX Ethertype?
3513 */
3514 if (proto <= ETHERMTU) {
3515 /*
3516 * This is an LLC SAP value, so check
3517 * the DSAP.
3518 */
3519 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3520 } else {
3521 /*
3522 * This is an Ethernet type; we assume that it's
3523 * unlikely that it'll appear in the right place
3524 * at random, and therefore check only the
3525 * location that would hold the Ethernet type
3526 * in a SNAP frame with an organization code of
3527 * 0x000000 (encapsulated Ethernet).
3528 *
3529 * XXX - if we were to check for the SNAP DSAP and
3530 * LSAP, as per XXX, and were also to check for an
3531 * organization code of 0x000000 (encapsulated
3532 * Ethernet), we'd do
3533 *
3534 * return gen_snap(0x000000, proto);
3535 *
3536 * here; for now, we don't, as per the above.
3537 * I don't know whether it's worth the extra CPU
3538 * time to do the right check or not.
3539 */
3540 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3541 }
3542 }
3543 }
3544
3545 static struct block *
gen_hostop(addr,mask,dir,proto,src_off,dst_off)3546 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3547 bpf_u_int32 addr;
3548 bpf_u_int32 mask;
3549 int dir, proto;
3550 u_int src_off, dst_off;
3551 {
3552 struct block *b0, *b1;
3553 u_int offset;
3554
3555 switch (dir) {
3556
3557 case Q_SRC:
3558 offset = src_off;
3559 break;
3560
3561 case Q_DST:
3562 offset = dst_off;
3563 break;
3564
3565 case Q_AND:
3566 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3567 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3568 gen_and(b0, b1);
3569 return b1;
3570
3571 case Q_OR:
3572 case Q_DEFAULT:
3573 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3574 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3575 gen_or(b0, b1);
3576 return b1;
3577
3578 default:
3579 abort();
3580 }
3581 b0 = gen_linktype(proto);
3582 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3583 gen_and(b0, b1);
3584 return b1;
3585 }
3586
3587 #ifdef INET6
3588 static struct block *
gen_hostop6(addr,mask,dir,proto,src_off,dst_off)3589 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3590 struct in6_addr *addr;
3591 struct in6_addr *mask;
3592 int dir, proto;
3593 u_int src_off, dst_off;
3594 {
3595 struct block *b0, *b1;
3596 u_int offset;
3597 u_int32_t *a, *m;
3598
3599 switch (dir) {
3600
3601 case Q_SRC:
3602 offset = src_off;
3603 break;
3604
3605 case Q_DST:
3606 offset = dst_off;
3607 break;
3608
3609 case Q_AND:
3610 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3611 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3612 gen_and(b0, b1);
3613 return b1;
3614
3615 case Q_OR:
3616 case Q_DEFAULT:
3617 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3618 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3619 gen_or(b0, b1);
3620 return b1;
3621
3622 default:
3623 abort();
3624 }
3625 /* this order is important */
3626 a = (u_int32_t *)addr;
3627 m = (u_int32_t *)mask;
3628 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3629 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3630 gen_and(b0, b1);
3631 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3632 gen_and(b0, b1);
3633 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3634 gen_and(b0, b1);
3635 b0 = gen_linktype(proto);
3636 gen_and(b0, b1);
3637 return b1;
3638 }
3639 #endif
3640
3641 static struct block *
gen_ehostop(eaddr,dir)3642 gen_ehostop(eaddr, dir)
3643 register const u_char *eaddr;
3644 register int dir;
3645 {
3646 register struct block *b0, *b1;
3647
3648 switch (dir) {
3649 case Q_SRC:
3650 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3651
3652 case Q_DST:
3653 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3654
3655 case Q_AND:
3656 b0 = gen_ehostop(eaddr, Q_SRC);
3657 b1 = gen_ehostop(eaddr, Q_DST);
3658 gen_and(b0, b1);
3659 return b1;
3660
3661 case Q_DEFAULT:
3662 case Q_OR:
3663 b0 = gen_ehostop(eaddr, Q_SRC);
3664 b1 = gen_ehostop(eaddr, Q_DST);
3665 gen_or(b0, b1);
3666 return b1;
3667
3668 case Q_ADDR1:
3669 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers");
3670 break;
3671
3672 case Q_ADDR2:
3673 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers");
3674 break;
3675
3676 case Q_ADDR3:
3677 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers");
3678 break;
3679
3680 case Q_ADDR4:
3681 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers");
3682 break;
3683
3684 case Q_RA:
3685 bpf_error("'ra' is only supported on 802.11 with 802.11 headers");
3686 break;
3687
3688 case Q_TA:
3689 bpf_error("'ta' is only supported on 802.11 with 802.11 headers");
3690 break;
3691 }
3692 abort();
3693 /* NOTREACHED */
3694 }
3695
3696 /*
3697 * Like gen_ehostop, but for DLT_FDDI
3698 */
3699 static struct block *
gen_fhostop(eaddr,dir)3700 gen_fhostop(eaddr, dir)
3701 register const u_char *eaddr;
3702 register int dir;
3703 {
3704 struct block *b0, *b1;
3705
3706 switch (dir) {
3707 case Q_SRC:
3708 #ifdef PCAP_FDDIPAD
3709 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3710 #else
3711 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3712 #endif
3713
3714 case Q_DST:
3715 #ifdef PCAP_FDDIPAD
3716 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3717 #else
3718 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3719 #endif
3720
3721 case Q_AND:
3722 b0 = gen_fhostop(eaddr, Q_SRC);
3723 b1 = gen_fhostop(eaddr, Q_DST);
3724 gen_and(b0, b1);
3725 return b1;
3726
3727 case Q_DEFAULT:
3728 case Q_OR:
3729 b0 = gen_fhostop(eaddr, Q_SRC);
3730 b1 = gen_fhostop(eaddr, Q_DST);
3731 gen_or(b0, b1);
3732 return b1;
3733
3734 case Q_ADDR1:
3735 bpf_error("'addr1' is only supported on 802.11");
3736 break;
3737
3738 case Q_ADDR2:
3739 bpf_error("'addr2' is only supported on 802.11");
3740 break;
3741
3742 case Q_ADDR3:
3743 bpf_error("'addr3' is only supported on 802.11");
3744 break;
3745
3746 case Q_ADDR4:
3747 bpf_error("'addr4' is only supported on 802.11");
3748 break;
3749
3750 case Q_RA:
3751 bpf_error("'ra' is only supported on 802.11");
3752 break;
3753
3754 case Q_TA:
3755 bpf_error("'ta' is only supported on 802.11");
3756 break;
3757 }
3758 abort();
3759 /* NOTREACHED */
3760 }
3761
3762 /*
3763 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3764 */
3765 static struct block *
gen_thostop(eaddr,dir)3766 gen_thostop(eaddr, dir)
3767 register const u_char *eaddr;
3768 register int dir;
3769 {
3770 register struct block *b0, *b1;
3771
3772 switch (dir) {
3773 case Q_SRC:
3774 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3775
3776 case Q_DST:
3777 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3778
3779 case Q_AND:
3780 b0 = gen_thostop(eaddr, Q_SRC);
3781 b1 = gen_thostop(eaddr, Q_DST);
3782 gen_and(b0, b1);
3783 return b1;
3784
3785 case Q_DEFAULT:
3786 case Q_OR:
3787 b0 = gen_thostop(eaddr, Q_SRC);
3788 b1 = gen_thostop(eaddr, Q_DST);
3789 gen_or(b0, b1);
3790 return b1;
3791
3792 case Q_ADDR1:
3793 bpf_error("'addr1' is only supported on 802.11");
3794 break;
3795
3796 case Q_ADDR2:
3797 bpf_error("'addr2' is only supported on 802.11");
3798 break;
3799
3800 case Q_ADDR3:
3801 bpf_error("'addr3' is only supported on 802.11");
3802 break;
3803
3804 case Q_ADDR4:
3805 bpf_error("'addr4' is only supported on 802.11");
3806 break;
3807
3808 case Q_RA:
3809 bpf_error("'ra' is only supported on 802.11");
3810 break;
3811
3812 case Q_TA:
3813 bpf_error("'ta' is only supported on 802.11");
3814 break;
3815 }
3816 abort();
3817 /* NOTREACHED */
3818 }
3819
3820 /*
3821 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3822 * various 802.11 + radio headers.
3823 */
3824 static struct block *
gen_wlanhostop(eaddr,dir)3825 gen_wlanhostop(eaddr, dir)
3826 register const u_char *eaddr;
3827 register int dir;
3828 {
3829 register struct block *b0, *b1, *b2;
3830 register struct slist *s;
3831
3832 #ifdef ENABLE_WLAN_FILTERING_PATCH
3833 /*
3834 * TODO GV 20070613
3835 * We need to disable the optimizer because the optimizer is buggy
3836 * and wipes out some LD instructions generated by the below
3837 * code to validate the Frame Control bits
3838 */
3839 no_optimize = 1;
3840 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3841
3842 switch (dir) {
3843 case Q_SRC:
3844 /*
3845 * Oh, yuk.
3846 *
3847 * For control frames, there is no SA.
3848 *
3849 * For management frames, SA is at an
3850 * offset of 10 from the beginning of
3851 * the packet.
3852 *
3853 * For data frames, SA is at an offset
3854 * of 10 from the beginning of the packet
3855 * if From DS is clear, at an offset of
3856 * 16 from the beginning of the packet
3857 * if From DS is set and To DS is clear,
3858 * and an offset of 24 from the beginning
3859 * of the packet if From DS is set and To DS
3860 * is set.
3861 */
3862
3863 /*
3864 * Generate the tests to be done for data frames
3865 * with From DS set.
3866 *
3867 * First, check for To DS set, i.e. check "link[1] & 0x01".
3868 */
3869 s = gen_load_a(OR_LINK, 1, BPF_B);
3870 b1 = new_block(JMP(BPF_JSET));
3871 b1->s.k = 0x01; /* To DS */
3872 b1->stmts = s;
3873
3874 /*
3875 * If To DS is set, the SA is at 24.
3876 */
3877 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3878 gen_and(b1, b0);
3879
3880 /*
3881 * Now, check for To DS not set, i.e. check
3882 * "!(link[1] & 0x01)".
3883 */
3884 s = gen_load_a(OR_LINK, 1, BPF_B);
3885 b2 = new_block(JMP(BPF_JSET));
3886 b2->s.k = 0x01; /* To DS */
3887 b2->stmts = s;
3888 gen_not(b2);
3889
3890 /*
3891 * If To DS is not set, the SA is at 16.
3892 */
3893 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3894 gen_and(b2, b1);
3895
3896 /*
3897 * Now OR together the last two checks. That gives
3898 * the complete set of checks for data frames with
3899 * From DS set.
3900 */
3901 gen_or(b1, b0);
3902
3903 /*
3904 * Now check for From DS being set, and AND that with
3905 * the ORed-together checks.
3906 */
3907 s = gen_load_a(OR_LINK, 1, BPF_B);
3908 b1 = new_block(JMP(BPF_JSET));
3909 b1->s.k = 0x02; /* From DS */
3910 b1->stmts = s;
3911 gen_and(b1, b0);
3912
3913 /*
3914 * Now check for data frames with From DS not set.
3915 */
3916 s = gen_load_a(OR_LINK, 1, BPF_B);
3917 b2 = new_block(JMP(BPF_JSET));
3918 b2->s.k = 0x02; /* From DS */
3919 b2->stmts = s;
3920 gen_not(b2);
3921
3922 /*
3923 * If From DS isn't set, the SA is at 10.
3924 */
3925 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3926 gen_and(b2, b1);
3927
3928 /*
3929 * Now OR together the checks for data frames with
3930 * From DS not set and for data frames with From DS
3931 * set; that gives the checks done for data frames.
3932 */
3933 gen_or(b1, b0);
3934
3935 /*
3936 * Now check for a data frame.
3937 * I.e, check "link[0] & 0x08".
3938 */
3939 s = gen_load_a(OR_LINK, 0, BPF_B);
3940 b1 = new_block(JMP(BPF_JSET));
3941 b1->s.k = 0x08;
3942 b1->stmts = s;
3943
3944 /*
3945 * AND that with the checks done for data frames.
3946 */
3947 gen_and(b1, b0);
3948
3949 /*
3950 * If the high-order bit of the type value is 0, this
3951 * is a management frame.
3952 * I.e, check "!(link[0] & 0x08)".
3953 */
3954 s = gen_load_a(OR_LINK, 0, BPF_B);
3955 b2 = new_block(JMP(BPF_JSET));
3956 b2->s.k = 0x08;
3957 b2->stmts = s;
3958 gen_not(b2);
3959
3960 /*
3961 * For management frames, the SA is at 10.
3962 */
3963 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3964 gen_and(b2, b1);
3965
3966 /*
3967 * OR that with the checks done for data frames.
3968 * That gives the checks done for management and
3969 * data frames.
3970 */
3971 gen_or(b1, b0);
3972
3973 /*
3974 * If the low-order bit of the type value is 1,
3975 * this is either a control frame or a frame
3976 * with a reserved type, and thus not a
3977 * frame with an SA.
3978 *
3979 * I.e., check "!(link[0] & 0x04)".
3980 */
3981 s = gen_load_a(OR_LINK, 0, BPF_B);
3982 b1 = new_block(JMP(BPF_JSET));
3983 b1->s.k = 0x04;
3984 b1->stmts = s;
3985 gen_not(b1);
3986
3987 /*
3988 * AND that with the checks for data and management
3989 * frames.
3990 */
3991 gen_and(b1, b0);
3992 return b0;
3993
3994 case Q_DST:
3995 /*
3996 * Oh, yuk.
3997 *
3998 * For control frames, there is no DA.
3999 *
4000 * For management frames, DA is at an
4001 * offset of 4 from the beginning of
4002 * the packet.
4003 *
4004 * For data frames, DA is at an offset
4005 * of 4 from the beginning of the packet
4006 * if To DS is clear and at an offset of
4007 * 16 from the beginning of the packet
4008 * if To DS is set.
4009 */
4010
4011 /*
4012 * Generate the tests to be done for data frames.
4013 *
4014 * First, check for To DS set, i.e. "link[1] & 0x01".
4015 */
4016 s = gen_load_a(OR_LINK, 1, BPF_B);
4017 b1 = new_block(JMP(BPF_JSET));
4018 b1->s.k = 0x01; /* To DS */
4019 b1->stmts = s;
4020
4021 /*
4022 * If To DS is set, the DA is at 16.
4023 */
4024 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4025 gen_and(b1, b0);
4026
4027 /*
4028 * Now, check for To DS not set, i.e. check
4029 * "!(link[1] & 0x01)".
4030 */
4031 s = gen_load_a(OR_LINK, 1, BPF_B);
4032 b2 = new_block(JMP(BPF_JSET));
4033 b2->s.k = 0x01; /* To DS */
4034 b2->stmts = s;
4035 gen_not(b2);
4036
4037 /*
4038 * If To DS is not set, the DA is at 4.
4039 */
4040 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4041 gen_and(b2, b1);
4042
4043 /*
4044 * Now OR together the last two checks. That gives
4045 * the complete set of checks for data frames.
4046 */
4047 gen_or(b1, b0);
4048
4049 /*
4050 * Now check for a data frame.
4051 * I.e, check "link[0] & 0x08".
4052 */
4053 s = gen_load_a(OR_LINK, 0, BPF_B);
4054 b1 = new_block(JMP(BPF_JSET));
4055 b1->s.k = 0x08;
4056 b1->stmts = s;
4057
4058 /*
4059 * AND that with the checks done for data frames.
4060 */
4061 gen_and(b1, b0);
4062
4063 /*
4064 * If the high-order bit of the type value is 0, this
4065 * is a management frame.
4066 * I.e, check "!(link[0] & 0x08)".
4067 */
4068 s = gen_load_a(OR_LINK, 0, BPF_B);
4069 b2 = new_block(JMP(BPF_JSET));
4070 b2->s.k = 0x08;
4071 b2->stmts = s;
4072 gen_not(b2);
4073
4074 /*
4075 * For management frames, the DA is at 4.
4076 */
4077 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4078 gen_and(b2, b1);
4079
4080 /*
4081 * OR that with the checks done for data frames.
4082 * That gives the checks done for management and
4083 * data frames.
4084 */
4085 gen_or(b1, b0);
4086
4087 /*
4088 * If the low-order bit of the type value is 1,
4089 * this is either a control frame or a frame
4090 * with a reserved type, and thus not a
4091 * frame with an SA.
4092 *
4093 * I.e., check "!(link[0] & 0x04)".
4094 */
4095 s = gen_load_a(OR_LINK, 0, BPF_B);
4096 b1 = new_block(JMP(BPF_JSET));
4097 b1->s.k = 0x04;
4098 b1->stmts = s;
4099 gen_not(b1);
4100
4101 /*
4102 * AND that with the checks for data and management
4103 * frames.
4104 */
4105 gen_and(b1, b0);
4106 return b0;
4107
4108 case Q_RA:
4109 /*
4110 * Not present in management frames; addr1 in other
4111 * frames.
4112 */
4113
4114 /*
4115 * If the high-order bit of the type value is 0, this
4116 * is a management frame.
4117 * I.e, check "(link[0] & 0x08)".
4118 */
4119 s = gen_load_a(OR_LINK, 0, BPF_B);
4120 b1 = new_block(JMP(BPF_JSET));
4121 b1->s.k = 0x08;
4122 b1->stmts = s;
4123
4124 /*
4125 * Check addr1.
4126 */
4127 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4128
4129 /*
4130 * AND that with the check of addr1.
4131 */
4132 gen_and(b1, b0);
4133 return (b0);
4134
4135 case Q_TA:
4136 /*
4137 * Not present in management frames; addr2, if present,
4138 * in other frames.
4139 */
4140
4141 /*
4142 * Not present in CTS or ACK control frames.
4143 */
4144 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4145 IEEE80211_FC0_TYPE_MASK);
4146 gen_not(b0);
4147 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4148 IEEE80211_FC0_SUBTYPE_MASK);
4149 gen_not(b1);
4150 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4151 IEEE80211_FC0_SUBTYPE_MASK);
4152 gen_not(b2);
4153 gen_and(b1, b2);
4154 gen_or(b0, b2);
4155
4156 /*
4157 * If the high-order bit of the type value is 0, this
4158 * is a management frame.
4159 * I.e, check "(link[0] & 0x08)".
4160 */
4161 s = gen_load_a(OR_LINK, 0, BPF_B);
4162 b1 = new_block(JMP(BPF_JSET));
4163 b1->s.k = 0x08;
4164 b1->stmts = s;
4165
4166 /*
4167 * AND that with the check for frames other than
4168 * CTS and ACK frames.
4169 */
4170 gen_and(b1, b2);
4171
4172 /*
4173 * Check addr2.
4174 */
4175 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4176 gen_and(b2, b1);
4177 return b1;
4178
4179 /*
4180 * XXX - add BSSID keyword?
4181 */
4182 case Q_ADDR1:
4183 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4184
4185 case Q_ADDR2:
4186 /*
4187 * Not present in CTS or ACK control frames.
4188 */
4189 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4190 IEEE80211_FC0_TYPE_MASK);
4191 gen_not(b0);
4192 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4193 IEEE80211_FC0_SUBTYPE_MASK);
4194 gen_not(b1);
4195 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4196 IEEE80211_FC0_SUBTYPE_MASK);
4197 gen_not(b2);
4198 gen_and(b1, b2);
4199 gen_or(b0, b2);
4200 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4201 gen_and(b2, b1);
4202 return b1;
4203
4204 case Q_ADDR3:
4205 /*
4206 * Not present in control frames.
4207 */
4208 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4209 IEEE80211_FC0_TYPE_MASK);
4210 gen_not(b0);
4211 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4212 gen_and(b0, b1);
4213 return b1;
4214
4215 case Q_ADDR4:
4216 /*
4217 * Present only if the direction mask has both "From DS"
4218 * and "To DS" set. Neither control frames nor management
4219 * frames should have both of those set, so we don't
4220 * check the frame type.
4221 */
4222 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4223 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4224 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4225 gen_and(b0, b1);
4226 return b1;
4227
4228 case Q_AND:
4229 b0 = gen_wlanhostop(eaddr, Q_SRC);
4230 b1 = gen_wlanhostop(eaddr, Q_DST);
4231 gen_and(b0, b1);
4232 return b1;
4233
4234 case Q_DEFAULT:
4235 case Q_OR:
4236 b0 = gen_wlanhostop(eaddr, Q_SRC);
4237 b1 = gen_wlanhostop(eaddr, Q_DST);
4238 gen_or(b0, b1);
4239 return b1;
4240 }
4241 abort();
4242 /* NOTREACHED */
4243 }
4244
4245 /*
4246 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4247 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4248 * as the RFC states.)
4249 */
4250 static struct block *
gen_ipfchostop(eaddr,dir)4251 gen_ipfchostop(eaddr, dir)
4252 register const u_char *eaddr;
4253 register int dir;
4254 {
4255 register struct block *b0, *b1;
4256
4257 switch (dir) {
4258 case Q_SRC:
4259 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4260
4261 case Q_DST:
4262 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4263
4264 case Q_AND:
4265 b0 = gen_ipfchostop(eaddr, Q_SRC);
4266 b1 = gen_ipfchostop(eaddr, Q_DST);
4267 gen_and(b0, b1);
4268 return b1;
4269
4270 case Q_DEFAULT:
4271 case Q_OR:
4272 b0 = gen_ipfchostop(eaddr, Q_SRC);
4273 b1 = gen_ipfchostop(eaddr, Q_DST);
4274 gen_or(b0, b1);
4275 return b1;
4276
4277 case Q_ADDR1:
4278 bpf_error("'addr1' is only supported on 802.11");
4279 break;
4280
4281 case Q_ADDR2:
4282 bpf_error("'addr2' is only supported on 802.11");
4283 break;
4284
4285 case Q_ADDR3:
4286 bpf_error("'addr3' is only supported on 802.11");
4287 break;
4288
4289 case Q_ADDR4:
4290 bpf_error("'addr4' is only supported on 802.11");
4291 break;
4292
4293 case Q_RA:
4294 bpf_error("'ra' is only supported on 802.11");
4295 break;
4296
4297 case Q_TA:
4298 bpf_error("'ta' is only supported on 802.11");
4299 break;
4300 }
4301 abort();
4302 /* NOTREACHED */
4303 }
4304
4305 /*
4306 * This is quite tricky because there may be pad bytes in front of the
4307 * DECNET header, and then there are two possible data packet formats that
4308 * carry both src and dst addresses, plus 5 packet types in a format that
4309 * carries only the src node, plus 2 types that use a different format and
4310 * also carry just the src node.
4311 *
4312 * Yuck.
4313 *
4314 * Instead of doing those all right, we just look for data packets with
4315 * 0 or 1 bytes of padding. If you want to look at other packets, that
4316 * will require a lot more hacking.
4317 *
4318 * To add support for filtering on DECNET "areas" (network numbers)
4319 * one would want to add a "mask" argument to this routine. That would
4320 * make the filter even more inefficient, although one could be clever
4321 * and not generate masking instructions if the mask is 0xFFFF.
4322 */
4323 static struct block *
gen_dnhostop(addr,dir)4324 gen_dnhostop(addr, dir)
4325 bpf_u_int32 addr;
4326 int dir;
4327 {
4328 struct block *b0, *b1, *b2, *tmp;
4329 u_int offset_lh; /* offset if long header is received */
4330 u_int offset_sh; /* offset if short header is received */
4331
4332 switch (dir) {
4333
4334 case Q_DST:
4335 offset_sh = 1; /* follows flags */
4336 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4337 break;
4338
4339 case Q_SRC:
4340 offset_sh = 3; /* follows flags, dstnode */
4341 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4342 break;
4343
4344 case Q_AND:
4345 /* Inefficient because we do our Calvinball dance twice */
4346 b0 = gen_dnhostop(addr, Q_SRC);
4347 b1 = gen_dnhostop(addr, Q_DST);
4348 gen_and(b0, b1);
4349 return b1;
4350
4351 case Q_OR:
4352 case Q_DEFAULT:
4353 /* Inefficient because we do our Calvinball dance twice */
4354 b0 = gen_dnhostop(addr, Q_SRC);
4355 b1 = gen_dnhostop(addr, Q_DST);
4356 gen_or(b0, b1);
4357 return b1;
4358
4359 case Q_ISO:
4360 bpf_error("ISO host filtering not implemented");
4361
4362 default:
4363 abort();
4364 }
4365 b0 = gen_linktype(ETHERTYPE_DN);
4366 /* Check for pad = 1, long header case */
4367 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4368 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4369 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4370 BPF_H, (bpf_int32)ntohs((u_short)addr));
4371 gen_and(tmp, b1);
4372 /* Check for pad = 0, long header case */
4373 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4374 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4375 gen_and(tmp, b2);
4376 gen_or(b2, b1);
4377 /* Check for pad = 1, short header case */
4378 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4379 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4380 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4381 gen_and(tmp, b2);
4382 gen_or(b2, b1);
4383 /* Check for pad = 0, short header case */
4384 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4385 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4386 gen_and(tmp, b2);
4387 gen_or(b2, b1);
4388
4389 /* Combine with test for linktype */
4390 gen_and(b0, b1);
4391 return b1;
4392 }
4393
4394 /*
4395 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4396 * test the bottom-of-stack bit, and then check the version number
4397 * field in the IP header.
4398 */
4399 static struct block *
gen_mpls_linktype(proto)4400 gen_mpls_linktype(proto)
4401 int proto;
4402 {
4403 struct block *b0, *b1;
4404
4405 switch (proto) {
4406
4407 case Q_IP:
4408 /* match the bottom-of-stack bit */
4409 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4410 /* match the IPv4 version number */
4411 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4412 gen_and(b0, b1);
4413 return b1;
4414
4415 case Q_IPV6:
4416 /* match the bottom-of-stack bit */
4417 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4418 /* match the IPv4 version number */
4419 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4420 gen_and(b0, b1);
4421 return b1;
4422
4423 default:
4424 abort();
4425 }
4426 }
4427
4428 static struct block *
gen_host(addr,mask,proto,dir,type)4429 gen_host(addr, mask, proto, dir, type)
4430 bpf_u_int32 addr;
4431 bpf_u_int32 mask;
4432 int proto;
4433 int dir;
4434 int type;
4435 {
4436 struct block *b0, *b1;
4437 const char *typestr;
4438
4439 if (type == Q_NET)
4440 typestr = "net";
4441 else
4442 typestr = "host";
4443
4444 switch (proto) {
4445
4446 case Q_DEFAULT:
4447 b0 = gen_host(addr, mask, Q_IP, dir, type);
4448 /*
4449 * Only check for non-IPv4 addresses if we're not
4450 * checking MPLS-encapsulated packets.
4451 */
4452 if (label_stack_depth == 0) {
4453 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4454 gen_or(b0, b1);
4455 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4456 gen_or(b1, b0);
4457 }
4458 return b0;
4459
4460 case Q_IP:
4461 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4462
4463 case Q_RARP:
4464 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4465
4466 case Q_ARP:
4467 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4468
4469 case Q_TCP:
4470 bpf_error("'tcp' modifier applied to %s", typestr);
4471
4472 case Q_SCTP:
4473 bpf_error("'sctp' modifier applied to %s", typestr);
4474
4475 case Q_UDP:
4476 bpf_error("'udp' modifier applied to %s", typestr);
4477
4478 case Q_ICMP:
4479 bpf_error("'icmp' modifier applied to %s", typestr);
4480
4481 case Q_IGMP:
4482 bpf_error("'igmp' modifier applied to %s", typestr);
4483
4484 case Q_IGRP:
4485 bpf_error("'igrp' modifier applied to %s", typestr);
4486
4487 case Q_PIM:
4488 bpf_error("'pim' modifier applied to %s", typestr);
4489
4490 case Q_VRRP:
4491 bpf_error("'vrrp' modifier applied to %s", typestr);
4492
4493 case Q_CARP:
4494 bpf_error("'carp' modifier applied to %s", typestr);
4495
4496 case Q_ATALK:
4497 bpf_error("ATALK host filtering not implemented");
4498
4499 case Q_AARP:
4500 bpf_error("AARP host filtering not implemented");
4501
4502 case Q_DECNET:
4503 return gen_dnhostop(addr, dir);
4504
4505 case Q_SCA:
4506 bpf_error("SCA host filtering not implemented");
4507
4508 case Q_LAT:
4509 bpf_error("LAT host filtering not implemented");
4510
4511 case Q_MOPDL:
4512 bpf_error("MOPDL host filtering not implemented");
4513
4514 case Q_MOPRC:
4515 bpf_error("MOPRC host filtering not implemented");
4516
4517 case Q_IPV6:
4518 bpf_error("'ip6' modifier applied to ip host");
4519
4520 case Q_ICMPV6:
4521 bpf_error("'icmp6' modifier applied to %s", typestr);
4522
4523 case Q_AH:
4524 bpf_error("'ah' modifier applied to %s", typestr);
4525
4526 case Q_ESP:
4527 bpf_error("'esp' modifier applied to %s", typestr);
4528
4529 case Q_ISO:
4530 bpf_error("ISO host filtering not implemented");
4531
4532 case Q_ESIS:
4533 bpf_error("'esis' modifier applied to %s", typestr);
4534
4535 case Q_ISIS:
4536 bpf_error("'isis' modifier applied to %s", typestr);
4537
4538 case Q_CLNP:
4539 bpf_error("'clnp' modifier applied to %s", typestr);
4540
4541 case Q_STP:
4542 bpf_error("'stp' modifier applied to %s", typestr);
4543
4544 case Q_IPX:
4545 bpf_error("IPX host filtering not implemented");
4546
4547 case Q_NETBEUI:
4548 bpf_error("'netbeui' modifier applied to %s", typestr);
4549
4550 case Q_RADIO:
4551 bpf_error("'radio' modifier applied to %s", typestr);
4552
4553 default:
4554 abort();
4555 }
4556 /* NOTREACHED */
4557 }
4558
4559 #ifdef INET6
4560 static struct block *
gen_host6(addr,mask,proto,dir,type)4561 gen_host6(addr, mask, proto, dir, type)
4562 struct in6_addr *addr;
4563 struct in6_addr *mask;
4564 int proto;
4565 int dir;
4566 int type;
4567 {
4568 const char *typestr;
4569
4570 if (type == Q_NET)
4571 typestr = "net";
4572 else
4573 typestr = "host";
4574
4575 switch (proto) {
4576
4577 case Q_DEFAULT:
4578 return gen_host6(addr, mask, Q_IPV6, dir, type);
4579
4580 case Q_IP:
4581 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4582
4583 case Q_RARP:
4584 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4585
4586 case Q_ARP:
4587 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4588
4589 case Q_SCTP:
4590 bpf_error("'sctp' modifier applied to %s", typestr);
4591
4592 case Q_TCP:
4593 bpf_error("'tcp' modifier applied to %s", typestr);
4594
4595 case Q_UDP:
4596 bpf_error("'udp' modifier applied to %s", typestr);
4597
4598 case Q_ICMP:
4599 bpf_error("'icmp' modifier applied to %s", typestr);
4600
4601 case Q_IGMP:
4602 bpf_error("'igmp' modifier applied to %s", typestr);
4603
4604 case Q_IGRP:
4605 bpf_error("'igrp' modifier applied to %s", typestr);
4606
4607 case Q_PIM:
4608 bpf_error("'pim' modifier applied to %s", typestr);
4609
4610 case Q_VRRP:
4611 bpf_error("'vrrp' modifier applied to %s", typestr);
4612
4613 case Q_CARP:
4614 bpf_error("'carp' modifier applied to %s", typestr);
4615
4616 case Q_ATALK:
4617 bpf_error("ATALK host filtering not implemented");
4618
4619 case Q_AARP:
4620 bpf_error("AARP host filtering not implemented");
4621
4622 case Q_DECNET:
4623 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4624
4625 case Q_SCA:
4626 bpf_error("SCA host filtering not implemented");
4627
4628 case Q_LAT:
4629 bpf_error("LAT host filtering not implemented");
4630
4631 case Q_MOPDL:
4632 bpf_error("MOPDL host filtering not implemented");
4633
4634 case Q_MOPRC:
4635 bpf_error("MOPRC host filtering not implemented");
4636
4637 case Q_IPV6:
4638 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4639
4640 case Q_ICMPV6:
4641 bpf_error("'icmp6' modifier applied to %s", typestr);
4642
4643 case Q_AH:
4644 bpf_error("'ah' modifier applied to %s", typestr);
4645
4646 case Q_ESP:
4647 bpf_error("'esp' modifier applied to %s", typestr);
4648
4649 case Q_ISO:
4650 bpf_error("ISO host filtering not implemented");
4651
4652 case Q_ESIS:
4653 bpf_error("'esis' modifier applied to %s", typestr);
4654
4655 case Q_ISIS:
4656 bpf_error("'isis' modifier applied to %s", typestr);
4657
4658 case Q_CLNP:
4659 bpf_error("'clnp' modifier applied to %s", typestr);
4660
4661 case Q_STP:
4662 bpf_error("'stp' modifier applied to %s", typestr);
4663
4664 case Q_IPX:
4665 bpf_error("IPX host filtering not implemented");
4666
4667 case Q_NETBEUI:
4668 bpf_error("'netbeui' modifier applied to %s", typestr);
4669
4670 case Q_RADIO:
4671 bpf_error("'radio' modifier applied to %s", typestr);
4672
4673 default:
4674 abort();
4675 }
4676 /* NOTREACHED */
4677 }
4678 #endif
4679
4680 #ifndef INET6
4681 static struct block *
gen_gateway(eaddr,alist,proto,dir)4682 gen_gateway(eaddr, alist, proto, dir)
4683 const u_char *eaddr;
4684 bpf_u_int32 **alist;
4685 int proto;
4686 int dir;
4687 {
4688 struct block *b0, *b1, *tmp;
4689
4690 if (dir != 0)
4691 bpf_error("direction applied to 'gateway'");
4692
4693 switch (proto) {
4694 case Q_DEFAULT:
4695 case Q_IP:
4696 case Q_ARP:
4697 case Q_RARP:
4698 switch (linktype) {
4699 case DLT_EN10MB:
4700 case DLT_NETANALYZER:
4701 case DLT_NETANALYZER_TRANSPARENT:
4702 b0 = gen_ehostop(eaddr, Q_OR);
4703 break;
4704 case DLT_FDDI:
4705 b0 = gen_fhostop(eaddr, Q_OR);
4706 break;
4707 case DLT_IEEE802:
4708 b0 = gen_thostop(eaddr, Q_OR);
4709 break;
4710 case DLT_IEEE802_11:
4711 case DLT_PRISM_HEADER:
4712 case DLT_IEEE802_11_RADIO_AVS:
4713 case DLT_IEEE802_11_RADIO:
4714 case DLT_PPI:
4715 b0 = gen_wlanhostop(eaddr, Q_OR);
4716 break;
4717 case DLT_SUNATM:
4718 if (!is_lane)
4719 bpf_error(
4720 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4721 /*
4722 * Check that the packet doesn't begin with an
4723 * LE Control marker. (We've already generated
4724 * a test for LANE.)
4725 */
4726 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4727 BPF_H, 0xFF00);
4728 gen_not(b1);
4729
4730 /*
4731 * Now check the MAC address.
4732 */
4733 b0 = gen_ehostop(eaddr, Q_OR);
4734 gen_and(b1, b0);
4735 break;
4736 case DLT_IP_OVER_FC:
4737 b0 = gen_ipfchostop(eaddr, Q_OR);
4738 break;
4739 default:
4740 bpf_error(
4741 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4742 }
4743 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4744 while (*alist) {
4745 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4746 Q_HOST);
4747 gen_or(b1, tmp);
4748 b1 = tmp;
4749 }
4750 gen_not(b1);
4751 gen_and(b0, b1);
4752 return b1;
4753 }
4754 bpf_error("illegal modifier of 'gateway'");
4755 /* NOTREACHED */
4756 }
4757 #endif
4758
4759 struct block *
gen_proto_abbrev(proto)4760 gen_proto_abbrev(proto)
4761 int proto;
4762 {
4763 struct block *b0;
4764 struct block *b1;
4765
4766 switch (proto) {
4767
4768 case Q_SCTP:
4769 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4770 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4771 gen_or(b0, b1);
4772 break;
4773
4774 case Q_TCP:
4775 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4776 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4777 gen_or(b0, b1);
4778 break;
4779
4780 case Q_UDP:
4781 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4782 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4783 gen_or(b0, b1);
4784 break;
4785
4786 case Q_ICMP:
4787 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4788 break;
4789
4790 #ifndef IPPROTO_IGMP
4791 #define IPPROTO_IGMP 2
4792 #endif
4793
4794 case Q_IGMP:
4795 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4796 break;
4797
4798 #ifndef IPPROTO_IGRP
4799 #define IPPROTO_IGRP 9
4800 #endif
4801 case Q_IGRP:
4802 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4803 break;
4804
4805 #ifndef IPPROTO_PIM
4806 #define IPPROTO_PIM 103
4807 #endif
4808
4809 case Q_PIM:
4810 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4811 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4812 gen_or(b0, b1);
4813 break;
4814
4815 #ifndef IPPROTO_VRRP
4816 #define IPPROTO_VRRP 112
4817 #endif
4818
4819 case Q_VRRP:
4820 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4821 break;
4822
4823 #ifndef IPPROTO_CARP
4824 #define IPPROTO_CARP 112
4825 #endif
4826
4827 case Q_CARP:
4828 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT);
4829 break;
4830
4831 case Q_IP:
4832 b1 = gen_linktype(ETHERTYPE_IP);
4833 break;
4834
4835 case Q_ARP:
4836 b1 = gen_linktype(ETHERTYPE_ARP);
4837 break;
4838
4839 case Q_RARP:
4840 b1 = gen_linktype(ETHERTYPE_REVARP);
4841 break;
4842
4843 case Q_LINK:
4844 bpf_error("link layer applied in wrong context");
4845
4846 case Q_ATALK:
4847 b1 = gen_linktype(ETHERTYPE_ATALK);
4848 break;
4849
4850 case Q_AARP:
4851 b1 = gen_linktype(ETHERTYPE_AARP);
4852 break;
4853
4854 case Q_DECNET:
4855 b1 = gen_linktype(ETHERTYPE_DN);
4856 break;
4857
4858 case Q_SCA:
4859 b1 = gen_linktype(ETHERTYPE_SCA);
4860 break;
4861
4862 case Q_LAT:
4863 b1 = gen_linktype(ETHERTYPE_LAT);
4864 break;
4865
4866 case Q_MOPDL:
4867 b1 = gen_linktype(ETHERTYPE_MOPDL);
4868 break;
4869
4870 case Q_MOPRC:
4871 b1 = gen_linktype(ETHERTYPE_MOPRC);
4872 break;
4873
4874 case Q_IPV6:
4875 b1 = gen_linktype(ETHERTYPE_IPV6);
4876 break;
4877
4878 #ifndef IPPROTO_ICMPV6
4879 #define IPPROTO_ICMPV6 58
4880 #endif
4881 case Q_ICMPV6:
4882 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4883 break;
4884
4885 #ifndef IPPROTO_AH
4886 #define IPPROTO_AH 51
4887 #endif
4888 case Q_AH:
4889 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4890 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4891 gen_or(b0, b1);
4892 break;
4893
4894 #ifndef IPPROTO_ESP
4895 #define IPPROTO_ESP 50
4896 #endif
4897 case Q_ESP:
4898 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4899 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4900 gen_or(b0, b1);
4901 break;
4902
4903 case Q_ISO:
4904 b1 = gen_linktype(LLCSAP_ISONS);
4905 break;
4906
4907 case Q_ESIS:
4908 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4909 break;
4910
4911 case Q_ISIS:
4912 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4913 break;
4914
4915 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4916 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4917 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4918 gen_or(b0, b1);
4919 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4920 gen_or(b0, b1);
4921 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4922 gen_or(b0, b1);
4923 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4924 gen_or(b0, b1);
4925 break;
4926
4927 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4928 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4929 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4930 gen_or(b0, b1);
4931 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4932 gen_or(b0, b1);
4933 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4934 gen_or(b0, b1);
4935 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4936 gen_or(b0, b1);
4937 break;
4938
4939 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4940 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4941 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4942 gen_or(b0, b1);
4943 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4944 gen_or(b0, b1);
4945 break;
4946
4947 case Q_ISIS_LSP:
4948 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4949 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4950 gen_or(b0, b1);
4951 break;
4952
4953 case Q_ISIS_SNP:
4954 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4955 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4956 gen_or(b0, b1);
4957 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4958 gen_or(b0, b1);
4959 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4960 gen_or(b0, b1);
4961 break;
4962
4963 case Q_ISIS_CSNP:
4964 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4965 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4966 gen_or(b0, b1);
4967 break;
4968
4969 case Q_ISIS_PSNP:
4970 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4971 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4972 gen_or(b0, b1);
4973 break;
4974
4975 case Q_CLNP:
4976 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4977 break;
4978
4979 case Q_STP:
4980 b1 = gen_linktype(LLCSAP_8021D);
4981 break;
4982
4983 case Q_IPX:
4984 b1 = gen_linktype(LLCSAP_IPX);
4985 break;
4986
4987 case Q_NETBEUI:
4988 b1 = gen_linktype(LLCSAP_NETBEUI);
4989 break;
4990
4991 case Q_RADIO:
4992 bpf_error("'radio' is not a valid protocol type");
4993
4994 default:
4995 abort();
4996 }
4997 return b1;
4998 }
4999
5000 static struct block *
gen_ipfrag()5001 gen_ipfrag()
5002 {
5003 struct slist *s;
5004 struct block *b;
5005
5006 /* not IPv4 frag other than the first frag */
5007 s = gen_load_a(OR_NET, 6, BPF_H);
5008 b = new_block(JMP(BPF_JSET));
5009 b->s.k = 0x1fff;
5010 b->stmts = s;
5011 gen_not(b);
5012
5013 return b;
5014 }
5015
5016 /*
5017 * Generate a comparison to a port value in the transport-layer header
5018 * at the specified offset from the beginning of that header.
5019 *
5020 * XXX - this handles a variable-length prefix preceding the link-layer
5021 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5022 * variable-length link-layer headers (such as Token Ring or 802.11
5023 * headers).
5024 */
5025 static struct block *
gen_portatom(off,v)5026 gen_portatom(off, v)
5027 int off;
5028 bpf_int32 v;
5029 {
5030 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
5031 }
5032
5033 static struct block *
gen_portatom6(off,v)5034 gen_portatom6(off, v)
5035 int off;
5036 bpf_int32 v;
5037 {
5038 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5039 }
5040
5041 struct block *
gen_portop(port,proto,dir)5042 gen_portop(port, proto, dir)
5043 int port, proto, dir;
5044 {
5045 struct block *b0, *b1, *tmp;
5046
5047 /* ip proto 'proto' and not a fragment other than the first fragment */
5048 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5049 b0 = gen_ipfrag();
5050 gen_and(tmp, b0);
5051
5052 switch (dir) {
5053 case Q_SRC:
5054 b1 = gen_portatom(0, (bpf_int32)port);
5055 break;
5056
5057 case Q_DST:
5058 b1 = gen_portatom(2, (bpf_int32)port);
5059 break;
5060
5061 case Q_OR:
5062 case Q_DEFAULT:
5063 tmp = gen_portatom(0, (bpf_int32)port);
5064 b1 = gen_portatom(2, (bpf_int32)port);
5065 gen_or(tmp, b1);
5066 break;
5067
5068 case Q_AND:
5069 tmp = gen_portatom(0, (bpf_int32)port);
5070 b1 = gen_portatom(2, (bpf_int32)port);
5071 gen_and(tmp, b1);
5072 break;
5073
5074 default:
5075 abort();
5076 }
5077 gen_and(b0, b1);
5078
5079 return b1;
5080 }
5081
5082 static struct block *
gen_port(port,ip_proto,dir)5083 gen_port(port, ip_proto, dir)
5084 int port;
5085 int ip_proto;
5086 int dir;
5087 {
5088 struct block *b0, *b1, *tmp;
5089
5090 /*
5091 * ether proto ip
5092 *
5093 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5094 * not LLC encapsulation with LLCSAP_IP.
5095 *
5096 * For IEEE 802 networks - which includes 802.5 token ring
5097 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5098 * says that SNAP encapsulation is used, not LLC encapsulation
5099 * with LLCSAP_IP.
5100 *
5101 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5102 * RFC 2225 say that SNAP encapsulation is used, not LLC
5103 * encapsulation with LLCSAP_IP.
5104 *
5105 * So we always check for ETHERTYPE_IP.
5106 */
5107 b0 = gen_linktype(ETHERTYPE_IP);
5108
5109 switch (ip_proto) {
5110 case IPPROTO_UDP:
5111 case IPPROTO_TCP:
5112 case IPPROTO_SCTP:
5113 b1 = gen_portop(port, ip_proto, dir);
5114 break;
5115
5116 case PROTO_UNDEF:
5117 tmp = gen_portop(port, IPPROTO_TCP, dir);
5118 b1 = gen_portop(port, IPPROTO_UDP, dir);
5119 gen_or(tmp, b1);
5120 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5121 gen_or(tmp, b1);
5122 break;
5123
5124 default:
5125 abort();
5126 }
5127 gen_and(b0, b1);
5128 return b1;
5129 }
5130
5131 struct block *
gen_portop6(port,proto,dir)5132 gen_portop6(port, proto, dir)
5133 int port, proto, dir;
5134 {
5135 struct block *b0, *b1, *tmp;
5136
5137 /* ip6 proto 'proto' */
5138 /* XXX - catch the first fragment of a fragmented packet? */
5139 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5140
5141 switch (dir) {
5142 case Q_SRC:
5143 b1 = gen_portatom6(0, (bpf_int32)port);
5144 break;
5145
5146 case Q_DST:
5147 b1 = gen_portatom6(2, (bpf_int32)port);
5148 break;
5149
5150 case Q_OR:
5151 case Q_DEFAULT:
5152 tmp = gen_portatom6(0, (bpf_int32)port);
5153 b1 = gen_portatom6(2, (bpf_int32)port);
5154 gen_or(tmp, b1);
5155 break;
5156
5157 case Q_AND:
5158 tmp = gen_portatom6(0, (bpf_int32)port);
5159 b1 = gen_portatom6(2, (bpf_int32)port);
5160 gen_and(tmp, b1);
5161 break;
5162
5163 default:
5164 abort();
5165 }
5166 gen_and(b0, b1);
5167
5168 return b1;
5169 }
5170
5171 static struct block *
gen_port6(port,ip_proto,dir)5172 gen_port6(port, ip_proto, dir)
5173 int port;
5174 int ip_proto;
5175 int dir;
5176 {
5177 struct block *b0, *b1, *tmp;
5178
5179 /* link proto ip6 */
5180 b0 = gen_linktype(ETHERTYPE_IPV6);
5181
5182 switch (ip_proto) {
5183 case IPPROTO_UDP:
5184 case IPPROTO_TCP:
5185 case IPPROTO_SCTP:
5186 b1 = gen_portop6(port, ip_proto, dir);
5187 break;
5188
5189 case PROTO_UNDEF:
5190 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5191 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5192 gen_or(tmp, b1);
5193 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5194 gen_or(tmp, b1);
5195 break;
5196
5197 default:
5198 abort();
5199 }
5200 gen_and(b0, b1);
5201 return b1;
5202 }
5203
5204 /* gen_portrange code */
5205 static struct block *
gen_portrangeatom(off,v1,v2)5206 gen_portrangeatom(off, v1, v2)
5207 int off;
5208 bpf_int32 v1, v2;
5209 {
5210 struct block *b1, *b2;
5211
5212 if (v1 > v2) {
5213 /*
5214 * Reverse the order of the ports, so v1 is the lower one.
5215 */
5216 bpf_int32 vtemp;
5217
5218 vtemp = v1;
5219 v1 = v2;
5220 v2 = vtemp;
5221 }
5222
5223 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5224 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5225
5226 gen_and(b1, b2);
5227
5228 return b2;
5229 }
5230
5231 struct block *
gen_portrangeop(port1,port2,proto,dir)5232 gen_portrangeop(port1, port2, proto, dir)
5233 int port1, port2;
5234 int proto;
5235 int dir;
5236 {
5237 struct block *b0, *b1, *tmp;
5238
5239 /* ip proto 'proto' and not a fragment other than the first fragment */
5240 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5241 b0 = gen_ipfrag();
5242 gen_and(tmp, b0);
5243
5244 switch (dir) {
5245 case Q_SRC:
5246 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5247 break;
5248
5249 case Q_DST:
5250 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5251 break;
5252
5253 case Q_OR:
5254 case Q_DEFAULT:
5255 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5256 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5257 gen_or(tmp, b1);
5258 break;
5259
5260 case Q_AND:
5261 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5262 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5263 gen_and(tmp, b1);
5264 break;
5265
5266 default:
5267 abort();
5268 }
5269 gen_and(b0, b1);
5270
5271 return b1;
5272 }
5273
5274 static struct block *
gen_portrange(port1,port2,ip_proto,dir)5275 gen_portrange(port1, port2, ip_proto, dir)
5276 int port1, port2;
5277 int ip_proto;
5278 int dir;
5279 {
5280 struct block *b0, *b1, *tmp;
5281
5282 /* link proto ip */
5283 b0 = gen_linktype(ETHERTYPE_IP);
5284
5285 switch (ip_proto) {
5286 case IPPROTO_UDP:
5287 case IPPROTO_TCP:
5288 case IPPROTO_SCTP:
5289 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5290 break;
5291
5292 case PROTO_UNDEF:
5293 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5294 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5295 gen_or(tmp, b1);
5296 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5297 gen_or(tmp, b1);
5298 break;
5299
5300 default:
5301 abort();
5302 }
5303 gen_and(b0, b1);
5304 return b1;
5305 }
5306
5307 static struct block *
gen_portrangeatom6(off,v1,v2)5308 gen_portrangeatom6(off, v1, v2)
5309 int off;
5310 bpf_int32 v1, v2;
5311 {
5312 struct block *b1, *b2;
5313
5314 if (v1 > v2) {
5315 /*
5316 * Reverse the order of the ports, so v1 is the lower one.
5317 */
5318 bpf_int32 vtemp;
5319
5320 vtemp = v1;
5321 v1 = v2;
5322 v2 = vtemp;
5323 }
5324
5325 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5326 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5327
5328 gen_and(b1, b2);
5329
5330 return b2;
5331 }
5332
5333 struct block *
gen_portrangeop6(port1,port2,proto,dir)5334 gen_portrangeop6(port1, port2, proto, dir)
5335 int port1, port2;
5336 int proto;
5337 int dir;
5338 {
5339 struct block *b0, *b1, *tmp;
5340
5341 /* ip6 proto 'proto' */
5342 /* XXX - catch the first fragment of a fragmented packet? */
5343 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5344
5345 switch (dir) {
5346 case Q_SRC:
5347 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5348 break;
5349
5350 case Q_DST:
5351 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5352 break;
5353
5354 case Q_OR:
5355 case Q_DEFAULT:
5356 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5357 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5358 gen_or(tmp, b1);
5359 break;
5360
5361 case Q_AND:
5362 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5363 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5364 gen_and(tmp, b1);
5365 break;
5366
5367 default:
5368 abort();
5369 }
5370 gen_and(b0, b1);
5371
5372 return b1;
5373 }
5374
5375 static struct block *
gen_portrange6(port1,port2,ip_proto,dir)5376 gen_portrange6(port1, port2, ip_proto, dir)
5377 int port1, port2;
5378 int ip_proto;
5379 int dir;
5380 {
5381 struct block *b0, *b1, *tmp;
5382
5383 /* link proto ip6 */
5384 b0 = gen_linktype(ETHERTYPE_IPV6);
5385
5386 switch (ip_proto) {
5387 case IPPROTO_UDP:
5388 case IPPROTO_TCP:
5389 case IPPROTO_SCTP:
5390 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5391 break;
5392
5393 case PROTO_UNDEF:
5394 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5395 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5396 gen_or(tmp, b1);
5397 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5398 gen_or(tmp, b1);
5399 break;
5400
5401 default:
5402 abort();
5403 }
5404 gen_and(b0, b1);
5405 return b1;
5406 }
5407
5408 static int
lookup_proto(name,proto)5409 lookup_proto(name, proto)
5410 register const char *name;
5411 register int proto;
5412 {
5413 register int v;
5414
5415 switch (proto) {
5416
5417 case Q_DEFAULT:
5418 case Q_IP:
5419 case Q_IPV6:
5420 v = pcap_nametoproto(name);
5421 if (v == PROTO_UNDEF)
5422 bpf_error("unknown ip proto '%s'", name);
5423 break;
5424
5425 case Q_LINK:
5426 /* XXX should look up h/w protocol type based on linktype */
5427 v = pcap_nametoeproto(name);
5428 if (v == PROTO_UNDEF) {
5429 v = pcap_nametollc(name);
5430 if (v == PROTO_UNDEF)
5431 bpf_error("unknown ether proto '%s'", name);
5432 }
5433 break;
5434
5435 case Q_ISO:
5436 if (strcmp(name, "esis") == 0)
5437 v = ISO9542_ESIS;
5438 else if (strcmp(name, "isis") == 0)
5439 v = ISO10589_ISIS;
5440 else if (strcmp(name, "clnp") == 0)
5441 v = ISO8473_CLNP;
5442 else
5443 bpf_error("unknown osi proto '%s'", name);
5444 break;
5445
5446 default:
5447 v = PROTO_UNDEF;
5448 break;
5449 }
5450 return v;
5451 }
5452
5453 #if 0
5454 struct stmt *
5455 gen_joinsp(s, n)
5456 struct stmt **s;
5457 int n;
5458 {
5459 return NULL;
5460 }
5461 #endif
5462
5463 static struct block *
gen_protochain(v,proto,dir)5464 gen_protochain(v, proto, dir)
5465 int v;
5466 int proto;
5467 int dir;
5468 {
5469 #ifdef NO_PROTOCHAIN
5470 return gen_proto(v, proto, dir);
5471 #else
5472 struct block *b0, *b;
5473 struct slist *s[100];
5474 int fix2, fix3, fix4, fix5;
5475 int ahcheck, again, end;
5476 int i, max;
5477 int reg2 = alloc_reg();
5478
5479 memset(s, 0, sizeof(s));
5480 fix2 = fix3 = fix4 = fix5 = 0;
5481
5482 switch (proto) {
5483 case Q_IP:
5484 case Q_IPV6:
5485 break;
5486 case Q_DEFAULT:
5487 b0 = gen_protochain(v, Q_IP, dir);
5488 b = gen_protochain(v, Q_IPV6, dir);
5489 gen_or(b0, b);
5490 return b;
5491 default:
5492 bpf_error("bad protocol applied for 'protochain'");
5493 /*NOTREACHED*/
5494 }
5495
5496 /*
5497 * We don't handle variable-length prefixes before the link-layer
5498 * header, or variable-length link-layer headers, here yet.
5499 * We might want to add BPF instructions to do the protochain
5500 * work, to simplify that and, on platforms that have a BPF
5501 * interpreter with the new instructions, let the filtering
5502 * be done in the kernel. (We already require a modified BPF
5503 * engine to do the protochain stuff, to support backward
5504 * branches, and backward branch support is unlikely to appear
5505 * in kernel BPF engines.)
5506 */
5507 switch (linktype) {
5508
5509 case DLT_IEEE802_11:
5510 case DLT_PRISM_HEADER:
5511 case DLT_IEEE802_11_RADIO_AVS:
5512 case DLT_IEEE802_11_RADIO:
5513 case DLT_PPI:
5514 bpf_error("'protochain' not supported with 802.11");
5515 }
5516
5517 no_optimize = 1; /*this code is not compatible with optimzer yet */
5518
5519 /*
5520 * s[0] is a dummy entry to protect other BPF insn from damage
5521 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5522 * hard to find interdependency made by jump table fixup.
5523 */
5524 i = 0;
5525 s[i] = new_stmt(0); /*dummy*/
5526 i++;
5527
5528 switch (proto) {
5529 case Q_IP:
5530 b0 = gen_linktype(ETHERTYPE_IP);
5531
5532 /* A = ip->ip_p */
5533 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5534 s[i]->s.k = off_macpl + off_nl + 9;
5535 i++;
5536 /* X = ip->ip_hl << 2 */
5537 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5538 s[i]->s.k = off_macpl + off_nl;
5539 i++;
5540 break;
5541
5542 case Q_IPV6:
5543 b0 = gen_linktype(ETHERTYPE_IPV6);
5544
5545 /* A = ip6->ip_nxt */
5546 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5547 s[i]->s.k = off_macpl + off_nl + 6;
5548 i++;
5549 /* X = sizeof(struct ip6_hdr) */
5550 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5551 s[i]->s.k = 40;
5552 i++;
5553 break;
5554
5555 default:
5556 bpf_error("unsupported proto to gen_protochain");
5557 /*NOTREACHED*/
5558 }
5559
5560 /* again: if (A == v) goto end; else fall through; */
5561 again = i;
5562 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5563 s[i]->s.k = v;
5564 s[i]->s.jt = NULL; /*later*/
5565 s[i]->s.jf = NULL; /*update in next stmt*/
5566 fix5 = i;
5567 i++;
5568
5569 #ifndef IPPROTO_NONE
5570 #define IPPROTO_NONE 59
5571 #endif
5572 /* if (A == IPPROTO_NONE) goto end */
5573 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5574 s[i]->s.jt = NULL; /*later*/
5575 s[i]->s.jf = NULL; /*update in next stmt*/
5576 s[i]->s.k = IPPROTO_NONE;
5577 s[fix5]->s.jf = s[i];
5578 fix2 = i;
5579 i++;
5580
5581 if (proto == Q_IPV6) {
5582 int v6start, v6end, v6advance, j;
5583
5584 v6start = i;
5585 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5586 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5587 s[i]->s.jt = NULL; /*later*/
5588 s[i]->s.jf = NULL; /*update in next stmt*/
5589 s[i]->s.k = IPPROTO_HOPOPTS;
5590 s[fix2]->s.jf = s[i];
5591 i++;
5592 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5593 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5594 s[i]->s.jt = NULL; /*later*/
5595 s[i]->s.jf = NULL; /*update in next stmt*/
5596 s[i]->s.k = IPPROTO_DSTOPTS;
5597 i++;
5598 /* if (A == IPPROTO_ROUTING) goto v6advance */
5599 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5600 s[i]->s.jt = NULL; /*later*/
5601 s[i]->s.jf = NULL; /*update in next stmt*/
5602 s[i]->s.k = IPPROTO_ROUTING;
5603 i++;
5604 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5605 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5606 s[i]->s.jt = NULL; /*later*/
5607 s[i]->s.jf = NULL; /*later*/
5608 s[i]->s.k = IPPROTO_FRAGMENT;
5609 fix3 = i;
5610 v6end = i;
5611 i++;
5612
5613 /* v6advance: */
5614 v6advance = i;
5615
5616 /*
5617 * in short,
5618 * A = P[X + packet head];
5619 * X = X + (P[X + packet head + 1] + 1) * 8;
5620 */
5621 /* A = P[X + packet head] */
5622 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5623 s[i]->s.k = off_macpl + off_nl;
5624 i++;
5625 /* MEM[reg2] = A */
5626 s[i] = new_stmt(BPF_ST);
5627 s[i]->s.k = reg2;
5628 i++;
5629 /* A = P[X + packet head + 1]; */
5630 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5631 s[i]->s.k = off_macpl + off_nl + 1;
5632 i++;
5633 /* A += 1 */
5634 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5635 s[i]->s.k = 1;
5636 i++;
5637 /* A *= 8 */
5638 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5639 s[i]->s.k = 8;
5640 i++;
5641 /* A += X */
5642 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
5643 s[i]->s.k = 0;
5644 i++;
5645 /* X = A; */
5646 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5647 i++;
5648 /* A = MEM[reg2] */
5649 s[i] = new_stmt(BPF_LD|BPF_MEM);
5650 s[i]->s.k = reg2;
5651 i++;
5652
5653 /* goto again; (must use BPF_JA for backward jump) */
5654 s[i] = new_stmt(BPF_JMP|BPF_JA);
5655 s[i]->s.k = again - i - 1;
5656 s[i - 1]->s.jf = s[i];
5657 i++;
5658
5659 /* fixup */
5660 for (j = v6start; j <= v6end; j++)
5661 s[j]->s.jt = s[v6advance];
5662 } else {
5663 /* nop */
5664 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5665 s[i]->s.k = 0;
5666 s[fix2]->s.jf = s[i];
5667 i++;
5668 }
5669
5670 /* ahcheck: */
5671 ahcheck = i;
5672 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5673 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5674 s[i]->s.jt = NULL; /*later*/
5675 s[i]->s.jf = NULL; /*later*/
5676 s[i]->s.k = IPPROTO_AH;
5677 if (fix3)
5678 s[fix3]->s.jf = s[ahcheck];
5679 fix4 = i;
5680 i++;
5681
5682 /*
5683 * in short,
5684 * A = P[X];
5685 * X = X + (P[X + 1] + 2) * 4;
5686 */
5687 /* A = X */
5688 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5689 i++;
5690 /* A = P[X + packet head]; */
5691 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5692 s[i]->s.k = off_macpl + off_nl;
5693 i++;
5694 /* MEM[reg2] = A */
5695 s[i] = new_stmt(BPF_ST);
5696 s[i]->s.k = reg2;
5697 i++;
5698 /* A = X */
5699 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5700 i++;
5701 /* A += 1 */
5702 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5703 s[i]->s.k = 1;
5704 i++;
5705 /* X = A */
5706 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5707 i++;
5708 /* A = P[X + packet head] */
5709 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5710 s[i]->s.k = off_macpl + off_nl;
5711 i++;
5712 /* A += 2 */
5713 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5714 s[i]->s.k = 2;
5715 i++;
5716 /* A *= 4 */
5717 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5718 s[i]->s.k = 4;
5719 i++;
5720 /* X = A; */
5721 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5722 i++;
5723 /* A = MEM[reg2] */
5724 s[i] = new_stmt(BPF_LD|BPF_MEM);
5725 s[i]->s.k = reg2;
5726 i++;
5727
5728 /* goto again; (must use BPF_JA for backward jump) */
5729 s[i] = new_stmt(BPF_JMP|BPF_JA);
5730 s[i]->s.k = again - i - 1;
5731 i++;
5732
5733 /* end: nop */
5734 end = i;
5735 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5736 s[i]->s.k = 0;
5737 s[fix2]->s.jt = s[end];
5738 s[fix4]->s.jf = s[end];
5739 s[fix5]->s.jt = s[end];
5740 i++;
5741
5742 /*
5743 * make slist chain
5744 */
5745 max = i;
5746 for (i = 0; i < max - 1; i++)
5747 s[i]->next = s[i + 1];
5748 s[max - 1]->next = NULL;
5749
5750 /*
5751 * emit final check
5752 */
5753 b = new_block(JMP(BPF_JEQ));
5754 b->stmts = s[1]; /*remember, s[0] is dummy*/
5755 b->s.k = v;
5756
5757 free_reg(reg2);
5758
5759 gen_and(b0, b);
5760 return b;
5761 #endif
5762 }
5763
5764 static struct block *
gen_check_802_11_data_frame()5765 gen_check_802_11_data_frame()
5766 {
5767 struct slist *s;
5768 struct block *b0, *b1;
5769
5770 /*
5771 * A data frame has the 0x08 bit (b3) in the frame control field set
5772 * and the 0x04 bit (b2) clear.
5773 */
5774 s = gen_load_a(OR_LINK, 0, BPF_B);
5775 b0 = new_block(JMP(BPF_JSET));
5776 b0->s.k = 0x08;
5777 b0->stmts = s;
5778
5779 s = gen_load_a(OR_LINK, 0, BPF_B);
5780 b1 = new_block(JMP(BPF_JSET));
5781 b1->s.k = 0x04;
5782 b1->stmts = s;
5783 gen_not(b1);
5784
5785 gen_and(b1, b0);
5786
5787 return b0;
5788 }
5789
5790 /*
5791 * Generate code that checks whether the packet is a packet for protocol
5792 * <proto> and whether the type field in that protocol's header has
5793 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5794 * IP packet and checks the protocol number in the IP header against <v>.
5795 *
5796 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5797 * against Q_IP and Q_IPV6.
5798 */
5799 static struct block *
gen_proto(v,proto,dir)5800 gen_proto(v, proto, dir)
5801 int v;
5802 int proto;
5803 int dir;
5804 {
5805 struct block *b0, *b1;
5806 #ifndef CHASE_CHAIN
5807 struct block *b2;
5808 #endif
5809
5810 if (dir != Q_DEFAULT)
5811 bpf_error("direction applied to 'proto'");
5812
5813 switch (proto) {
5814 case Q_DEFAULT:
5815 b0 = gen_proto(v, Q_IP, dir);
5816 b1 = gen_proto(v, Q_IPV6, dir);
5817 gen_or(b0, b1);
5818 return b1;
5819
5820 case Q_IP:
5821 /*
5822 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5823 * not LLC encapsulation with LLCSAP_IP.
5824 *
5825 * For IEEE 802 networks - which includes 802.5 token ring
5826 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5827 * says that SNAP encapsulation is used, not LLC encapsulation
5828 * with LLCSAP_IP.
5829 *
5830 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5831 * RFC 2225 say that SNAP encapsulation is used, not LLC
5832 * encapsulation with LLCSAP_IP.
5833 *
5834 * So we always check for ETHERTYPE_IP.
5835 */
5836 b0 = gen_linktype(ETHERTYPE_IP);
5837 #ifndef CHASE_CHAIN
5838 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5839 #else
5840 b1 = gen_protochain(v, Q_IP);
5841 #endif
5842 gen_and(b0, b1);
5843 return b1;
5844
5845 case Q_ISO:
5846 switch (linktype) {
5847
5848 case DLT_FRELAY:
5849 /*
5850 * Frame Relay packets typically have an OSI
5851 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5852 * generates code to check for all the OSI
5853 * NLPIDs, so calling it and then adding a check
5854 * for the particular NLPID for which we're
5855 * looking is bogus, as we can just check for
5856 * the NLPID.
5857 *
5858 * What we check for is the NLPID and a frame
5859 * control field value of UI, i.e. 0x03 followed
5860 * by the NLPID.
5861 *
5862 * XXX - assumes a 2-byte Frame Relay header with
5863 * DLCI and flags. What if the address is longer?
5864 *
5865 * XXX - what about SNAP-encapsulated frames?
5866 */
5867 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5868 /*NOTREACHED*/
5869 break;
5870
5871 case DLT_C_HDLC:
5872 /*
5873 * Cisco uses an Ethertype lookalike - for OSI,
5874 * it's 0xfefe.
5875 */
5876 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5877 /* OSI in C-HDLC is stuffed with a fudge byte */
5878 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5879 gen_and(b0, b1);
5880 return b1;
5881
5882 default:
5883 b0 = gen_linktype(LLCSAP_ISONS);
5884 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5885 gen_and(b0, b1);
5886 return b1;
5887 }
5888
5889 case Q_ISIS:
5890 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5891 /*
5892 * 4 is the offset of the PDU type relative to the IS-IS
5893 * header.
5894 */
5895 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5896 gen_and(b0, b1);
5897 return b1;
5898
5899 case Q_ARP:
5900 bpf_error("arp does not encapsulate another protocol");
5901 /* NOTREACHED */
5902
5903 case Q_RARP:
5904 bpf_error("rarp does not encapsulate another protocol");
5905 /* NOTREACHED */
5906
5907 case Q_ATALK:
5908 bpf_error("atalk encapsulation is not specifiable");
5909 /* NOTREACHED */
5910
5911 case Q_DECNET:
5912 bpf_error("decnet encapsulation is not specifiable");
5913 /* NOTREACHED */
5914
5915 case Q_SCA:
5916 bpf_error("sca does not encapsulate another protocol");
5917 /* NOTREACHED */
5918
5919 case Q_LAT:
5920 bpf_error("lat does not encapsulate another protocol");
5921 /* NOTREACHED */
5922
5923 case Q_MOPRC:
5924 bpf_error("moprc does not encapsulate another protocol");
5925 /* NOTREACHED */
5926
5927 case Q_MOPDL:
5928 bpf_error("mopdl does not encapsulate another protocol");
5929 /* NOTREACHED */
5930
5931 case Q_LINK:
5932 return gen_linktype(v);
5933
5934 case Q_UDP:
5935 bpf_error("'udp proto' is bogus");
5936 /* NOTREACHED */
5937
5938 case Q_TCP:
5939 bpf_error("'tcp proto' is bogus");
5940 /* NOTREACHED */
5941
5942 case Q_SCTP:
5943 bpf_error("'sctp proto' is bogus");
5944 /* NOTREACHED */
5945
5946 case Q_ICMP:
5947 bpf_error("'icmp proto' is bogus");
5948 /* NOTREACHED */
5949
5950 case Q_IGMP:
5951 bpf_error("'igmp proto' is bogus");
5952 /* NOTREACHED */
5953
5954 case Q_IGRP:
5955 bpf_error("'igrp proto' is bogus");
5956 /* NOTREACHED */
5957
5958 case Q_PIM:
5959 bpf_error("'pim proto' is bogus");
5960 /* NOTREACHED */
5961
5962 case Q_VRRP:
5963 bpf_error("'vrrp proto' is bogus");
5964 /* NOTREACHED */
5965
5966 case Q_CARP:
5967 bpf_error("'carp proto' is bogus");
5968 /* NOTREACHED */
5969
5970 case Q_IPV6:
5971 b0 = gen_linktype(ETHERTYPE_IPV6);
5972 #ifndef CHASE_CHAIN
5973 /*
5974 * Also check for a fragment header before the final
5975 * header.
5976 */
5977 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT);
5978 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v);
5979 gen_and(b2, b1);
5980 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5981 gen_or(b2, b1);
5982 #else
5983 b1 = gen_protochain(v, Q_IPV6);
5984 #endif
5985 gen_and(b0, b1);
5986 return b1;
5987
5988 case Q_ICMPV6:
5989 bpf_error("'icmp6 proto' is bogus");
5990
5991 case Q_AH:
5992 bpf_error("'ah proto' is bogus");
5993
5994 case Q_ESP:
5995 bpf_error("'ah proto' is bogus");
5996
5997 case Q_STP:
5998 bpf_error("'stp proto' is bogus");
5999
6000 case Q_IPX:
6001 bpf_error("'ipx proto' is bogus");
6002
6003 case Q_NETBEUI:
6004 bpf_error("'netbeui proto' is bogus");
6005
6006 case Q_RADIO:
6007 bpf_error("'radio proto' is bogus");
6008
6009 default:
6010 abort();
6011 /* NOTREACHED */
6012 }
6013 /* NOTREACHED */
6014 }
6015
6016 struct block *
gen_scode(name,q)6017 gen_scode(name, q)
6018 register const char *name;
6019 struct qual q;
6020 {
6021 int proto = q.proto;
6022 int dir = q.dir;
6023 int tproto;
6024 u_char *eaddr;
6025 bpf_u_int32 mask, addr;
6026 #ifndef INET6
6027 bpf_u_int32 **alist;
6028 #else
6029 int tproto6;
6030 struct sockaddr_in *sin4;
6031 struct sockaddr_in6 *sin6;
6032 struct addrinfo *res, *res0;
6033 struct in6_addr mask128;
6034 #endif /*INET6*/
6035 struct block *b, *tmp;
6036 int port, real_proto;
6037 int port1, port2;
6038
6039 switch (q.addr) {
6040
6041 case Q_NET:
6042 addr = pcap_nametonetaddr(name);
6043 if (addr == 0)
6044 bpf_error("unknown network '%s'", name);
6045 /* Left justify network addr and calculate its network mask */
6046 mask = 0xffffffff;
6047 while (addr && (addr & 0xff000000) == 0) {
6048 addr <<= 8;
6049 mask <<= 8;
6050 }
6051 return gen_host(addr, mask, proto, dir, q.addr);
6052
6053 case Q_DEFAULT:
6054 case Q_HOST:
6055 if (proto == Q_LINK) {
6056 switch (linktype) {
6057
6058 case DLT_EN10MB:
6059 case DLT_NETANALYZER:
6060 case DLT_NETANALYZER_TRANSPARENT:
6061 eaddr = pcap_ether_hostton(name);
6062 if (eaddr == NULL)
6063 bpf_error(
6064 "unknown ether host '%s'", name);
6065 b = gen_ehostop(eaddr, dir);
6066 free(eaddr);
6067 return b;
6068
6069 case DLT_FDDI:
6070 eaddr = pcap_ether_hostton(name);
6071 if (eaddr == NULL)
6072 bpf_error(
6073 "unknown FDDI host '%s'", name);
6074 b = gen_fhostop(eaddr, dir);
6075 free(eaddr);
6076 return b;
6077
6078 case DLT_IEEE802:
6079 eaddr = pcap_ether_hostton(name);
6080 if (eaddr == NULL)
6081 bpf_error(
6082 "unknown token ring host '%s'", name);
6083 b = gen_thostop(eaddr, dir);
6084 free(eaddr);
6085 return b;
6086
6087 case DLT_IEEE802_11:
6088 case DLT_PRISM_HEADER:
6089 case DLT_IEEE802_11_RADIO_AVS:
6090 case DLT_IEEE802_11_RADIO:
6091 case DLT_PPI:
6092 eaddr = pcap_ether_hostton(name);
6093 if (eaddr == NULL)
6094 bpf_error(
6095 "unknown 802.11 host '%s'", name);
6096 b = gen_wlanhostop(eaddr, dir);
6097 free(eaddr);
6098 return b;
6099
6100 case DLT_IP_OVER_FC:
6101 eaddr = pcap_ether_hostton(name);
6102 if (eaddr == NULL)
6103 bpf_error(
6104 "unknown Fibre Channel host '%s'", name);
6105 b = gen_ipfchostop(eaddr, dir);
6106 free(eaddr);
6107 return b;
6108
6109 case DLT_SUNATM:
6110 if (!is_lane)
6111 break;
6112
6113 /*
6114 * Check that the packet doesn't begin
6115 * with an LE Control marker. (We've
6116 * already generated a test for LANE.)
6117 */
6118 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6119 BPF_H, 0xFF00);
6120 gen_not(tmp);
6121
6122 eaddr = pcap_ether_hostton(name);
6123 if (eaddr == NULL)
6124 bpf_error(
6125 "unknown ether host '%s'", name);
6126 b = gen_ehostop(eaddr, dir);
6127 gen_and(tmp, b);
6128 free(eaddr);
6129 return b;
6130 }
6131
6132 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6133 } else if (proto == Q_DECNET) {
6134 unsigned short dn_addr = __pcap_nametodnaddr(name);
6135 /*
6136 * I don't think DECNET hosts can be multihomed, so
6137 * there is no need to build up a list of addresses
6138 */
6139 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6140 } else {
6141 #ifndef INET6
6142 alist = pcap_nametoaddr(name);
6143 if (alist == NULL || *alist == NULL)
6144 bpf_error("unknown host '%s'", name);
6145 tproto = proto;
6146 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6147 tproto = Q_IP;
6148 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6149 while (*alist) {
6150 tmp = gen_host(**alist++, 0xffffffff,
6151 tproto, dir, q.addr);
6152 gen_or(b, tmp);
6153 b = tmp;
6154 }
6155 return b;
6156 #else
6157 memset(&mask128, 0xff, sizeof(mask128));
6158 res0 = res = pcap_nametoaddrinfo(name);
6159 if (res == NULL)
6160 bpf_error("unknown host '%s'", name);
6161 ai = res;
6162 b = tmp = NULL;
6163 tproto = tproto6 = proto;
6164 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6165 tproto = Q_IP;
6166 tproto6 = Q_IPV6;
6167 }
6168 for (res = res0; res; res = res->ai_next) {
6169 switch (res->ai_family) {
6170 case AF_INET:
6171 if (tproto == Q_IPV6)
6172 continue;
6173
6174 sin4 = (struct sockaddr_in *)
6175 res->ai_addr;
6176 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6177 0xffffffff, tproto, dir, q.addr);
6178 break;
6179 case AF_INET6:
6180 if (tproto6 == Q_IP)
6181 continue;
6182
6183 sin6 = (struct sockaddr_in6 *)
6184 res->ai_addr;
6185 tmp = gen_host6(&sin6->sin6_addr,
6186 &mask128, tproto6, dir, q.addr);
6187 break;
6188 default:
6189 continue;
6190 }
6191 if (b)
6192 gen_or(b, tmp);
6193 b = tmp;
6194 }
6195 ai = NULL;
6196 freeaddrinfo(res0);
6197 if (b == NULL) {
6198 bpf_error("unknown host '%s'%s", name,
6199 (proto == Q_DEFAULT)
6200 ? ""
6201 : " for specified address family");
6202 }
6203 return b;
6204 #endif /*INET6*/
6205 }
6206
6207 case Q_PORT:
6208 if (proto != Q_DEFAULT &&
6209 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6210 bpf_error("illegal qualifier of 'port'");
6211 if (pcap_nametoport(name, &port, &real_proto) == 0)
6212 bpf_error("unknown port '%s'", name);
6213 if (proto == Q_UDP) {
6214 if (real_proto == IPPROTO_TCP)
6215 bpf_error("port '%s' is tcp", name);
6216 else if (real_proto == IPPROTO_SCTP)
6217 bpf_error("port '%s' is sctp", name);
6218 else
6219 /* override PROTO_UNDEF */
6220 real_proto = IPPROTO_UDP;
6221 }
6222 if (proto == Q_TCP) {
6223 if (real_proto == IPPROTO_UDP)
6224 bpf_error("port '%s' is udp", name);
6225
6226 else if (real_proto == IPPROTO_SCTP)
6227 bpf_error("port '%s' is sctp", name);
6228 else
6229 /* override PROTO_UNDEF */
6230 real_proto = IPPROTO_TCP;
6231 }
6232 if (proto == Q_SCTP) {
6233 if (real_proto == IPPROTO_UDP)
6234 bpf_error("port '%s' is udp", name);
6235
6236 else if (real_proto == IPPROTO_TCP)
6237 bpf_error("port '%s' is tcp", name);
6238 else
6239 /* override PROTO_UNDEF */
6240 real_proto = IPPROTO_SCTP;
6241 }
6242 if (port < 0)
6243 bpf_error("illegal port number %d < 0", port);
6244 if (port > 65535)
6245 bpf_error("illegal port number %d > 65535", port);
6246 b = gen_port(port, real_proto, dir);
6247 gen_or(gen_port6(port, real_proto, dir), b);
6248 return b;
6249
6250 case Q_PORTRANGE:
6251 if (proto != Q_DEFAULT &&
6252 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6253 bpf_error("illegal qualifier of 'portrange'");
6254 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6255 bpf_error("unknown port in range '%s'", name);
6256 if (proto == Q_UDP) {
6257 if (real_proto == IPPROTO_TCP)
6258 bpf_error("port in range '%s' is tcp", name);
6259 else if (real_proto == IPPROTO_SCTP)
6260 bpf_error("port in range '%s' is sctp", name);
6261 else
6262 /* override PROTO_UNDEF */
6263 real_proto = IPPROTO_UDP;
6264 }
6265 if (proto == Q_TCP) {
6266 if (real_proto == IPPROTO_UDP)
6267 bpf_error("port in range '%s' is udp", name);
6268 else if (real_proto == IPPROTO_SCTP)
6269 bpf_error("port in range '%s' is sctp", name);
6270 else
6271 /* override PROTO_UNDEF */
6272 real_proto = IPPROTO_TCP;
6273 }
6274 if (proto == Q_SCTP) {
6275 if (real_proto == IPPROTO_UDP)
6276 bpf_error("port in range '%s' is udp", name);
6277 else if (real_proto == IPPROTO_TCP)
6278 bpf_error("port in range '%s' is tcp", name);
6279 else
6280 /* override PROTO_UNDEF */
6281 real_proto = IPPROTO_SCTP;
6282 }
6283 if (port1 < 0)
6284 bpf_error("illegal port number %d < 0", port1);
6285 if (port1 > 65535)
6286 bpf_error("illegal port number %d > 65535", port1);
6287 if (port2 < 0)
6288 bpf_error("illegal port number %d < 0", port2);
6289 if (port2 > 65535)
6290 bpf_error("illegal port number %d > 65535", port2);
6291
6292 b = gen_portrange(port1, port2, real_proto, dir);
6293 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6294 return b;
6295
6296 case Q_GATEWAY:
6297 #ifndef INET6
6298 eaddr = pcap_ether_hostton(name);
6299 if (eaddr == NULL)
6300 bpf_error("unknown ether host: %s", name);
6301
6302 alist = pcap_nametoaddr(name);
6303 if (alist == NULL || *alist == NULL)
6304 bpf_error("unknown host '%s'", name);
6305 b = gen_gateway(eaddr, alist, proto, dir);
6306 free(eaddr);
6307 return b;
6308 #else
6309 bpf_error("'gateway' not supported in this configuration");
6310 #endif /*INET6*/
6311
6312 case Q_PROTO:
6313 real_proto = lookup_proto(name, proto);
6314 if (real_proto >= 0)
6315 return gen_proto(real_proto, proto, dir);
6316 else
6317 bpf_error("unknown protocol: %s", name);
6318
6319 case Q_PROTOCHAIN:
6320 real_proto = lookup_proto(name, proto);
6321 if (real_proto >= 0)
6322 return gen_protochain(real_proto, proto, dir);
6323 else
6324 bpf_error("unknown protocol: %s", name);
6325
6326 case Q_UNDEF:
6327 syntax();
6328 /* NOTREACHED */
6329 }
6330 abort();
6331 /* NOTREACHED */
6332 }
6333
6334 struct block *
gen_mcode(s1,s2,masklen,q)6335 gen_mcode(s1, s2, masklen, q)
6336 register const char *s1, *s2;
6337 register int masklen;
6338 struct qual q;
6339 {
6340 register int nlen, mlen;
6341 bpf_u_int32 n, m;
6342
6343 nlen = __pcap_atoin(s1, &n);
6344 /* Promote short ipaddr */
6345 n <<= 32 - nlen;
6346
6347 if (s2 != NULL) {
6348 mlen = __pcap_atoin(s2, &m);
6349 /* Promote short ipaddr */
6350 m <<= 32 - mlen;
6351 if ((n & ~m) != 0)
6352 bpf_error("non-network bits set in \"%s mask %s\"",
6353 s1, s2);
6354 } else {
6355 /* Convert mask len to mask */
6356 if (masklen > 32)
6357 bpf_error("mask length must be <= 32");
6358 if (masklen == 0) {
6359 /*
6360 * X << 32 is not guaranteed by C to be 0; it's
6361 * undefined.
6362 */
6363 m = 0;
6364 } else
6365 m = 0xffffffff << (32 - masklen);
6366 if ((n & ~m) != 0)
6367 bpf_error("non-network bits set in \"%s/%d\"",
6368 s1, masklen);
6369 }
6370
6371 switch (q.addr) {
6372
6373 case Q_NET:
6374 return gen_host(n, m, q.proto, q.dir, q.addr);
6375
6376 default:
6377 bpf_error("Mask syntax for networks only");
6378 /* NOTREACHED */
6379 }
6380 /* NOTREACHED */
6381 return NULL;
6382 }
6383
6384 struct block *
gen_ncode(s,v,q)6385 gen_ncode(s, v, q)
6386 register const char *s;
6387 bpf_u_int32 v;
6388 struct qual q;
6389 {
6390 bpf_u_int32 mask;
6391 int proto = q.proto;
6392 int dir = q.dir;
6393 register int vlen;
6394
6395 if (s == NULL)
6396 vlen = 32;
6397 else if (q.proto == Q_DECNET)
6398 vlen = __pcap_atodn(s, &v);
6399 else
6400 vlen = __pcap_atoin(s, &v);
6401
6402 switch (q.addr) {
6403
6404 case Q_DEFAULT:
6405 case Q_HOST:
6406 case Q_NET:
6407 if (proto == Q_DECNET)
6408 return gen_host(v, 0, proto, dir, q.addr);
6409 else if (proto == Q_LINK) {
6410 bpf_error("illegal link layer address");
6411 } else {
6412 mask = 0xffffffff;
6413 if (s == NULL && q.addr == Q_NET) {
6414 /* Promote short net number */
6415 while (v && (v & 0xff000000) == 0) {
6416 v <<= 8;
6417 mask <<= 8;
6418 }
6419 } else {
6420 /* Promote short ipaddr */
6421 v <<= 32 - vlen;
6422 mask <<= 32 - vlen;
6423 }
6424 return gen_host(v, mask, proto, dir, q.addr);
6425 }
6426
6427 case Q_PORT:
6428 if (proto == Q_UDP)
6429 proto = IPPROTO_UDP;
6430 else if (proto == Q_TCP)
6431 proto = IPPROTO_TCP;
6432 else if (proto == Q_SCTP)
6433 proto = IPPROTO_SCTP;
6434 else if (proto == Q_DEFAULT)
6435 proto = PROTO_UNDEF;
6436 else
6437 bpf_error("illegal qualifier of 'port'");
6438
6439 if (v > 65535)
6440 bpf_error("illegal port number %u > 65535", v);
6441
6442 {
6443 struct block *b;
6444 b = gen_port((int)v, proto, dir);
6445 gen_or(gen_port6((int)v, proto, dir), b);
6446 return b;
6447 }
6448
6449 case Q_PORTRANGE:
6450 if (proto == Q_UDP)
6451 proto = IPPROTO_UDP;
6452 else if (proto == Q_TCP)
6453 proto = IPPROTO_TCP;
6454 else if (proto == Q_SCTP)
6455 proto = IPPROTO_SCTP;
6456 else if (proto == Q_DEFAULT)
6457 proto = PROTO_UNDEF;
6458 else
6459 bpf_error("illegal qualifier of 'portrange'");
6460
6461 if (v > 65535)
6462 bpf_error("illegal port number %u > 65535", v);
6463
6464 {
6465 struct block *b;
6466 b = gen_portrange((int)v, (int)v, proto, dir);
6467 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6468 return b;
6469 }
6470
6471 case Q_GATEWAY:
6472 bpf_error("'gateway' requires a name");
6473 /* NOTREACHED */
6474
6475 case Q_PROTO:
6476 return gen_proto((int)v, proto, dir);
6477
6478 case Q_PROTOCHAIN:
6479 return gen_protochain((int)v, proto, dir);
6480
6481 case Q_UNDEF:
6482 syntax();
6483 /* NOTREACHED */
6484
6485 default:
6486 abort();
6487 /* NOTREACHED */
6488 }
6489 /* NOTREACHED */
6490 }
6491
6492 #ifdef INET6
6493 struct block *
gen_mcode6(s1,s2,masklen,q)6494 gen_mcode6(s1, s2, masklen, q)
6495 register const char *s1, *s2;
6496 register int masklen;
6497 struct qual q;
6498 {
6499 struct addrinfo *res;
6500 struct in6_addr *addr;
6501 struct in6_addr mask;
6502 struct block *b;
6503 u_int32_t *a, *m;
6504
6505 if (s2)
6506 bpf_error("no mask %s supported", s2);
6507
6508 res = pcap_nametoaddrinfo(s1);
6509 if (!res)
6510 bpf_error("invalid ip6 address %s", s1);
6511 ai = res;
6512 if (res->ai_next)
6513 bpf_error("%s resolved to multiple address", s1);
6514 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6515
6516 if (sizeof(mask) * 8 < masklen)
6517 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6518 memset(&mask, 0, sizeof(mask));
6519 memset(&mask, 0xff, masklen / 8);
6520 if (masklen % 8) {
6521 mask.s6_addr[masklen / 8] =
6522 (0xff << (8 - masklen % 8)) & 0xff;
6523 }
6524
6525 a = (u_int32_t *)addr;
6526 m = (u_int32_t *)&mask;
6527 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6528 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6529 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6530 }
6531
6532 switch (q.addr) {
6533
6534 case Q_DEFAULT:
6535 case Q_HOST:
6536 if (masklen != 128)
6537 bpf_error("Mask syntax for networks only");
6538 /* FALLTHROUGH */
6539
6540 case Q_NET:
6541 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6542 ai = NULL;
6543 freeaddrinfo(res);
6544 return b;
6545
6546 default:
6547 bpf_error("invalid qualifier against IPv6 address");
6548 /* NOTREACHED */
6549 }
6550 return NULL;
6551 }
6552 #endif /*INET6*/
6553
6554 struct block *
gen_ecode(eaddr,q)6555 gen_ecode(eaddr, q)
6556 register const u_char *eaddr;
6557 struct qual q;
6558 {
6559 struct block *b, *tmp;
6560
6561 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6562 switch (linktype) {
6563 case DLT_EN10MB:
6564 case DLT_NETANALYZER:
6565 case DLT_NETANALYZER_TRANSPARENT:
6566 return gen_ehostop(eaddr, (int)q.dir);
6567 case DLT_FDDI:
6568 return gen_fhostop(eaddr, (int)q.dir);
6569 case DLT_IEEE802:
6570 return gen_thostop(eaddr, (int)q.dir);
6571 case DLT_IEEE802_11:
6572 case DLT_PRISM_HEADER:
6573 case DLT_IEEE802_11_RADIO_AVS:
6574 case DLT_IEEE802_11_RADIO:
6575 case DLT_PPI:
6576 return gen_wlanhostop(eaddr, (int)q.dir);
6577 case DLT_SUNATM:
6578 if (is_lane) {
6579 /*
6580 * Check that the packet doesn't begin with an
6581 * LE Control marker. (We've already generated
6582 * a test for LANE.)
6583 */
6584 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6585 0xFF00);
6586 gen_not(tmp);
6587
6588 /*
6589 * Now check the MAC address.
6590 */
6591 b = gen_ehostop(eaddr, (int)q.dir);
6592 gen_and(tmp, b);
6593 return b;
6594 }
6595 break;
6596 case DLT_IP_OVER_FC:
6597 return gen_ipfchostop(eaddr, (int)q.dir);
6598 default:
6599 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6600 break;
6601 }
6602 }
6603 bpf_error("ethernet address used in non-ether expression");
6604 /* NOTREACHED */
6605 return NULL;
6606 }
6607
6608 void
sappend(s0,s1)6609 sappend(s0, s1)
6610 struct slist *s0, *s1;
6611 {
6612 /*
6613 * This is definitely not the best way to do this, but the
6614 * lists will rarely get long.
6615 */
6616 while (s0->next)
6617 s0 = s0->next;
6618 s0->next = s1;
6619 }
6620
6621 static struct slist *
xfer_to_x(a)6622 xfer_to_x(a)
6623 struct arth *a;
6624 {
6625 struct slist *s;
6626
6627 s = new_stmt(BPF_LDX|BPF_MEM);
6628 s->s.k = a->regno;
6629 return s;
6630 }
6631
6632 static struct slist *
xfer_to_a(a)6633 xfer_to_a(a)
6634 struct arth *a;
6635 {
6636 struct slist *s;
6637
6638 s = new_stmt(BPF_LD|BPF_MEM);
6639 s->s.k = a->regno;
6640 return s;
6641 }
6642
6643 /*
6644 * Modify "index" to use the value stored into its register as an
6645 * offset relative to the beginning of the header for the protocol
6646 * "proto", and allocate a register and put an item "size" bytes long
6647 * (1, 2, or 4) at that offset into that register, making it the register
6648 * for "index".
6649 */
6650 struct arth *
gen_load(proto,inst,size)6651 gen_load(proto, inst, size)
6652 int proto;
6653 struct arth *inst;
6654 int size;
6655 {
6656 struct slist *s, *tmp;
6657 struct block *b;
6658 int regno = alloc_reg();
6659
6660 free_reg(inst->regno);
6661 switch (size) {
6662
6663 default:
6664 bpf_error("data size must be 1, 2, or 4");
6665
6666 case 1:
6667 size = BPF_B;
6668 break;
6669
6670 case 2:
6671 size = BPF_H;
6672 break;
6673
6674 case 4:
6675 size = BPF_W;
6676 break;
6677 }
6678 switch (proto) {
6679 default:
6680 bpf_error("unsupported index operation");
6681
6682 case Q_RADIO:
6683 /*
6684 * The offset is relative to the beginning of the packet
6685 * data, if we have a radio header. (If we don't, this
6686 * is an error.)
6687 */
6688 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6689 linktype != DLT_IEEE802_11_RADIO &&
6690 linktype != DLT_PRISM_HEADER)
6691 bpf_error("radio information not present in capture");
6692
6693 /*
6694 * Load into the X register the offset computed into the
6695 * register specified by "index".
6696 */
6697 s = xfer_to_x(inst);
6698
6699 /*
6700 * Load the item at that offset.
6701 */
6702 tmp = new_stmt(BPF_LD|BPF_IND|size);
6703 sappend(s, tmp);
6704 sappend(inst->s, s);
6705 break;
6706
6707 case Q_LINK:
6708 /*
6709 * The offset is relative to the beginning of
6710 * the link-layer header.
6711 *
6712 * XXX - what about ATM LANE? Should the index be
6713 * relative to the beginning of the AAL5 frame, so
6714 * that 0 refers to the beginning of the LE Control
6715 * field, or relative to the beginning of the LAN
6716 * frame, so that 0 refers, for Ethernet LANE, to
6717 * the beginning of the destination address?
6718 */
6719 s = gen_llprefixlen();
6720
6721 /*
6722 * If "s" is non-null, it has code to arrange that the
6723 * X register contains the length of the prefix preceding
6724 * the link-layer header. Add to it the offset computed
6725 * into the register specified by "index", and move that
6726 * into the X register. Otherwise, just load into the X
6727 * register the offset computed into the register specified
6728 * by "index".
6729 */
6730 if (s != NULL) {
6731 sappend(s, xfer_to_a(inst));
6732 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6733 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6734 } else
6735 s = xfer_to_x(inst);
6736
6737 /*
6738 * Load the item at the sum of the offset we've put in the
6739 * X register and the offset of the start of the link
6740 * layer header (which is 0 if the radio header is
6741 * variable-length; that header length is what we put
6742 * into the X register and then added to the index).
6743 */
6744 tmp = new_stmt(BPF_LD|BPF_IND|size);
6745 tmp->s.k = off_ll;
6746 sappend(s, tmp);
6747 sappend(inst->s, s);
6748 break;
6749
6750 case Q_IP:
6751 case Q_ARP:
6752 case Q_RARP:
6753 case Q_ATALK:
6754 case Q_DECNET:
6755 case Q_SCA:
6756 case Q_LAT:
6757 case Q_MOPRC:
6758 case Q_MOPDL:
6759 case Q_IPV6:
6760 /*
6761 * The offset is relative to the beginning of
6762 * the network-layer header.
6763 * XXX - are there any cases where we want
6764 * off_nl_nosnap?
6765 */
6766 s = gen_off_macpl();
6767
6768 /*
6769 * If "s" is non-null, it has code to arrange that the
6770 * X register contains the offset of the MAC-layer
6771 * payload. Add to it the offset computed into the
6772 * register specified by "index", and move that into
6773 * the X register. Otherwise, just load into the X
6774 * register the offset computed into the register specified
6775 * by "index".
6776 */
6777 if (s != NULL) {
6778 sappend(s, xfer_to_a(inst));
6779 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6780 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6781 } else
6782 s = xfer_to_x(inst);
6783
6784 /*
6785 * Load the item at the sum of the offset we've put in the
6786 * X register, the offset of the start of the network
6787 * layer header from the beginning of the MAC-layer
6788 * payload, and the purported offset of the start of the
6789 * MAC-layer payload (which might be 0 if there's a
6790 * variable-length prefix before the link-layer header
6791 * or the link-layer header itself is variable-length;
6792 * the variable-length offset of the start of the
6793 * MAC-layer payload is what we put into the X register
6794 * and then added to the index).
6795 */
6796 tmp = new_stmt(BPF_LD|BPF_IND|size);
6797 tmp->s.k = off_macpl + off_nl;
6798 sappend(s, tmp);
6799 sappend(inst->s, s);
6800
6801 /*
6802 * Do the computation only if the packet contains
6803 * the protocol in question.
6804 */
6805 b = gen_proto_abbrev(proto);
6806 if (inst->b)
6807 gen_and(inst->b, b);
6808 inst->b = b;
6809 break;
6810
6811 case Q_SCTP:
6812 case Q_TCP:
6813 case Q_UDP:
6814 case Q_ICMP:
6815 case Q_IGMP:
6816 case Q_IGRP:
6817 case Q_PIM:
6818 case Q_VRRP:
6819 case Q_CARP:
6820 /*
6821 * The offset is relative to the beginning of
6822 * the transport-layer header.
6823 *
6824 * Load the X register with the length of the IPv4 header
6825 * (plus the offset of the link-layer header, if it's
6826 * a variable-length header), in bytes.
6827 *
6828 * XXX - are there any cases where we want
6829 * off_nl_nosnap?
6830 * XXX - we should, if we're built with
6831 * IPv6 support, generate code to load either
6832 * IPv4, IPv6, or both, as appropriate.
6833 */
6834 s = gen_loadx_iphdrlen();
6835
6836 /*
6837 * The X register now contains the sum of the length
6838 * of any variable-length header preceding the link-layer
6839 * header, any variable-length link-layer header, and the
6840 * length of the network-layer header.
6841 *
6842 * Load into the A register the offset relative to
6843 * the beginning of the transport layer header,
6844 * add the X register to that, move that to the
6845 * X register, and load with an offset from the
6846 * X register equal to the offset of the network
6847 * layer header relative to the beginning of
6848 * the MAC-layer payload plus the fixed-length
6849 * portion of the offset of the MAC-layer payload
6850 * from the beginning of the raw packet data.
6851 */
6852 sappend(s, xfer_to_a(inst));
6853 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6854 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6855 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6856 tmp->s.k = off_macpl + off_nl;
6857 sappend(inst->s, s);
6858
6859 /*
6860 * Do the computation only if the packet contains
6861 * the protocol in question - which is true only
6862 * if this is an IP datagram and is the first or
6863 * only fragment of that datagram.
6864 */
6865 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6866 if (inst->b)
6867 gen_and(inst->b, b);
6868 gen_and(gen_proto_abbrev(Q_IP), b);
6869 inst->b = b;
6870 break;
6871 case Q_ICMPV6:
6872 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6873 /*NOTREACHED*/
6874 }
6875 inst->regno = regno;
6876 s = new_stmt(BPF_ST);
6877 s->s.k = regno;
6878 sappend(inst->s, s);
6879
6880 return inst;
6881 }
6882
6883 struct block *
gen_relation(code,a0,a1,reversed)6884 gen_relation(code, a0, a1, reversed)
6885 int code;
6886 struct arth *a0, *a1;
6887 int reversed;
6888 {
6889 struct slist *s0, *s1, *s2;
6890 struct block *b, *tmp;
6891
6892 s0 = xfer_to_x(a1);
6893 s1 = xfer_to_a(a0);
6894 if (code == BPF_JEQ) {
6895 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6896 b = new_block(JMP(code));
6897 sappend(s1, s2);
6898 }
6899 else
6900 b = new_block(BPF_JMP|code|BPF_X);
6901 if (reversed)
6902 gen_not(b);
6903
6904 sappend(s0, s1);
6905 sappend(a1->s, s0);
6906 sappend(a0->s, a1->s);
6907
6908 b->stmts = a0->s;
6909
6910 free_reg(a0->regno);
6911 free_reg(a1->regno);
6912
6913 /* 'and' together protocol checks */
6914 if (a0->b) {
6915 if (a1->b) {
6916 gen_and(a0->b, tmp = a1->b);
6917 }
6918 else
6919 tmp = a0->b;
6920 } else
6921 tmp = a1->b;
6922
6923 if (tmp)
6924 gen_and(tmp, b);
6925
6926 return b;
6927 }
6928
6929 struct arth *
gen_loadlen()6930 gen_loadlen()
6931 {
6932 int regno = alloc_reg();
6933 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6934 struct slist *s;
6935
6936 s = new_stmt(BPF_LD|BPF_LEN);
6937 s->next = new_stmt(BPF_ST);
6938 s->next->s.k = regno;
6939 a->s = s;
6940 a->regno = regno;
6941
6942 return a;
6943 }
6944
6945 struct arth *
gen_loadi(val)6946 gen_loadi(val)
6947 int val;
6948 {
6949 struct arth *a;
6950 struct slist *s;
6951 int reg;
6952
6953 a = (struct arth *)newchunk(sizeof(*a));
6954
6955 reg = alloc_reg();
6956
6957 s = new_stmt(BPF_LD|BPF_IMM);
6958 s->s.k = val;
6959 s->next = new_stmt(BPF_ST);
6960 s->next->s.k = reg;
6961 a->s = s;
6962 a->regno = reg;
6963
6964 return a;
6965 }
6966
6967 struct arth *
gen_neg(a)6968 gen_neg(a)
6969 struct arth *a;
6970 {
6971 struct slist *s;
6972
6973 s = xfer_to_a(a);
6974 sappend(a->s, s);
6975 s = new_stmt(BPF_ALU|BPF_NEG);
6976 s->s.k = 0;
6977 sappend(a->s, s);
6978 s = new_stmt(BPF_ST);
6979 s->s.k = a->regno;
6980 sappend(a->s, s);
6981
6982 return a;
6983 }
6984
6985 struct arth *
gen_arth(code,a0,a1)6986 gen_arth(code, a0, a1)
6987 int code;
6988 struct arth *a0, *a1;
6989 {
6990 struct slist *s0, *s1, *s2;
6991
6992 s0 = xfer_to_x(a1);
6993 s1 = xfer_to_a(a0);
6994 s2 = new_stmt(BPF_ALU|BPF_X|code);
6995
6996 sappend(s1, s2);
6997 sappend(s0, s1);
6998 sappend(a1->s, s0);
6999 sappend(a0->s, a1->s);
7000
7001 free_reg(a0->regno);
7002 free_reg(a1->regno);
7003
7004 s0 = new_stmt(BPF_ST);
7005 a0->regno = s0->s.k = alloc_reg();
7006 sappend(a0->s, s0);
7007
7008 return a0;
7009 }
7010
7011 /*
7012 * Here we handle simple allocation of the scratch registers.
7013 * If too many registers are alloc'd, the allocator punts.
7014 */
7015 static int regused[BPF_MEMWORDS];
7016 static int curreg;
7017
7018 /*
7019 * Initialize the table of used registers and the current register.
7020 */
7021 static void
init_regs()7022 init_regs()
7023 {
7024 curreg = 0;
7025 memset(regused, 0, sizeof regused);
7026 }
7027
7028 /*
7029 * Return the next free register.
7030 */
7031 static int
alloc_reg()7032 alloc_reg()
7033 {
7034 int n = BPF_MEMWORDS;
7035
7036 while (--n >= 0) {
7037 if (regused[curreg])
7038 curreg = (curreg + 1) % BPF_MEMWORDS;
7039 else {
7040 regused[curreg] = 1;
7041 return curreg;
7042 }
7043 }
7044 bpf_error("too many registers needed to evaluate expression");
7045 /* NOTREACHED */
7046 return 0;
7047 }
7048
7049 /*
7050 * Return a register to the table so it can
7051 * be used later.
7052 */
7053 static void
free_reg(n)7054 free_reg(n)
7055 int n;
7056 {
7057 regused[n] = 0;
7058 }
7059
7060 static struct block *
gen_len(jmp,n)7061 gen_len(jmp, n)
7062 int jmp, n;
7063 {
7064 struct slist *s;
7065 struct block *b;
7066
7067 s = new_stmt(BPF_LD|BPF_LEN);
7068 b = new_block(JMP(jmp));
7069 b->stmts = s;
7070 b->s.k = n;
7071
7072 return b;
7073 }
7074
7075 struct block *
gen_greater(n)7076 gen_greater(n)
7077 int n;
7078 {
7079 return gen_len(BPF_JGE, n);
7080 }
7081
7082 /*
7083 * Actually, this is less than or equal.
7084 */
7085 struct block *
gen_less(n)7086 gen_less(n)
7087 int n;
7088 {
7089 struct block *b;
7090
7091 b = gen_len(BPF_JGT, n);
7092 gen_not(b);
7093
7094 return b;
7095 }
7096
7097 /*
7098 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7099 * the beginning of the link-layer header.
7100 * XXX - that means you can't test values in the radiotap header, but
7101 * as that header is difficult if not impossible to parse generally
7102 * without a loop, that might not be a severe problem. A new keyword
7103 * "radio" could be added for that, although what you'd really want
7104 * would be a way of testing particular radio header values, which
7105 * would generate code appropriate to the radio header in question.
7106 */
7107 struct block *
gen_byteop(op,idx,val)7108 gen_byteop(op, idx, val)
7109 int op, idx, val;
7110 {
7111 struct block *b;
7112 struct slist *s;
7113
7114 switch (op) {
7115 default:
7116 abort();
7117
7118 case '=':
7119 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7120
7121 case '<':
7122 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7123 return b;
7124
7125 case '>':
7126 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7127 return b;
7128
7129 case '|':
7130 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7131 break;
7132
7133 case '&':
7134 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7135 break;
7136 }
7137 s->s.k = val;
7138 b = new_block(JMP(BPF_JEQ));
7139 b->stmts = s;
7140 gen_not(b);
7141
7142 return b;
7143 }
7144
7145 static u_char abroadcast[] = { 0x0 };
7146
7147 struct block *
gen_broadcast(proto)7148 gen_broadcast(proto)
7149 int proto;
7150 {
7151 bpf_u_int32 hostmask;
7152 struct block *b0, *b1, *b2;
7153 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7154
7155 switch (proto) {
7156
7157 case Q_DEFAULT:
7158 case Q_LINK:
7159 switch (linktype) {
7160 case DLT_ARCNET:
7161 case DLT_ARCNET_LINUX:
7162 return gen_ahostop(abroadcast, Q_DST);
7163 case DLT_EN10MB:
7164 case DLT_NETANALYZER:
7165 case DLT_NETANALYZER_TRANSPARENT:
7166 return gen_ehostop(ebroadcast, Q_DST);
7167 case DLT_FDDI:
7168 return gen_fhostop(ebroadcast, Q_DST);
7169 case DLT_IEEE802:
7170 return gen_thostop(ebroadcast, Q_DST);
7171 case DLT_IEEE802_11:
7172 case DLT_PRISM_HEADER:
7173 case DLT_IEEE802_11_RADIO_AVS:
7174 case DLT_IEEE802_11_RADIO:
7175 case DLT_PPI:
7176 return gen_wlanhostop(ebroadcast, Q_DST);
7177 case DLT_IP_OVER_FC:
7178 return gen_ipfchostop(ebroadcast, Q_DST);
7179 case DLT_SUNATM:
7180 if (is_lane) {
7181 /*
7182 * Check that the packet doesn't begin with an
7183 * LE Control marker. (We've already generated
7184 * a test for LANE.)
7185 */
7186 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7187 BPF_H, 0xFF00);
7188 gen_not(b1);
7189
7190 /*
7191 * Now check the MAC address.
7192 */
7193 b0 = gen_ehostop(ebroadcast, Q_DST);
7194 gen_and(b1, b0);
7195 return b0;
7196 }
7197 break;
7198 default:
7199 bpf_error("not a broadcast link");
7200 }
7201 break;
7202
7203 case Q_IP:
7204 /*
7205 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7206 * as an indication that we don't know the netmask, and fail
7207 * in that case.
7208 */
7209 if (netmask == PCAP_NETMASK_UNKNOWN)
7210 bpf_error("netmask not known, so 'ip broadcast' not supported");
7211 b0 = gen_linktype(ETHERTYPE_IP);
7212 hostmask = ~netmask;
7213 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7214 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7215 (bpf_int32)(~0 & hostmask), hostmask);
7216 gen_or(b1, b2);
7217 gen_and(b0, b2);
7218 return b2;
7219 }
7220 bpf_error("only link-layer/IP broadcast filters supported");
7221 /* NOTREACHED */
7222 return NULL;
7223 }
7224
7225 /*
7226 * Generate code to test the low-order bit of a MAC address (that's
7227 * the bottom bit of the *first* byte).
7228 */
7229 static struct block *
gen_mac_multicast(offset)7230 gen_mac_multicast(offset)
7231 int offset;
7232 {
7233 register struct block *b0;
7234 register struct slist *s;
7235
7236 /* link[offset] & 1 != 0 */
7237 s = gen_load_a(OR_LINK, offset, BPF_B);
7238 b0 = new_block(JMP(BPF_JSET));
7239 b0->s.k = 1;
7240 b0->stmts = s;
7241 return b0;
7242 }
7243
7244 struct block *
gen_multicast(proto)7245 gen_multicast(proto)
7246 int proto;
7247 {
7248 register struct block *b0, *b1, *b2;
7249 register struct slist *s;
7250
7251 switch (proto) {
7252
7253 case Q_DEFAULT:
7254 case Q_LINK:
7255 switch (linktype) {
7256 case DLT_ARCNET:
7257 case DLT_ARCNET_LINUX:
7258 /* all ARCnet multicasts use the same address */
7259 return gen_ahostop(abroadcast, Q_DST);
7260 case DLT_EN10MB:
7261 case DLT_NETANALYZER:
7262 case DLT_NETANALYZER_TRANSPARENT:
7263 /* ether[0] & 1 != 0 */
7264 return gen_mac_multicast(0);
7265 case DLT_FDDI:
7266 /*
7267 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7268 *
7269 * XXX - was that referring to bit-order issues?
7270 */
7271 /* fddi[1] & 1 != 0 */
7272 return gen_mac_multicast(1);
7273 case DLT_IEEE802:
7274 /* tr[2] & 1 != 0 */
7275 return gen_mac_multicast(2);
7276 case DLT_IEEE802_11:
7277 case DLT_PRISM_HEADER:
7278 case DLT_IEEE802_11_RADIO_AVS:
7279 case DLT_IEEE802_11_RADIO:
7280 case DLT_PPI:
7281 /*
7282 * Oh, yuk.
7283 *
7284 * For control frames, there is no DA.
7285 *
7286 * For management frames, DA is at an
7287 * offset of 4 from the beginning of
7288 * the packet.
7289 *
7290 * For data frames, DA is at an offset
7291 * of 4 from the beginning of the packet
7292 * if To DS is clear and at an offset of
7293 * 16 from the beginning of the packet
7294 * if To DS is set.
7295 */
7296
7297 /*
7298 * Generate the tests to be done for data frames.
7299 *
7300 * First, check for To DS set, i.e. "link[1] & 0x01".
7301 */
7302 s = gen_load_a(OR_LINK, 1, BPF_B);
7303 b1 = new_block(JMP(BPF_JSET));
7304 b1->s.k = 0x01; /* To DS */
7305 b1->stmts = s;
7306
7307 /*
7308 * If To DS is set, the DA is at 16.
7309 */
7310 b0 = gen_mac_multicast(16);
7311 gen_and(b1, b0);
7312
7313 /*
7314 * Now, check for To DS not set, i.e. check
7315 * "!(link[1] & 0x01)".
7316 */
7317 s = gen_load_a(OR_LINK, 1, BPF_B);
7318 b2 = new_block(JMP(BPF_JSET));
7319 b2->s.k = 0x01; /* To DS */
7320 b2->stmts = s;
7321 gen_not(b2);
7322
7323 /*
7324 * If To DS is not set, the DA is at 4.
7325 */
7326 b1 = gen_mac_multicast(4);
7327 gen_and(b2, b1);
7328
7329 /*
7330 * Now OR together the last two checks. That gives
7331 * the complete set of checks for data frames.
7332 */
7333 gen_or(b1, b0);
7334
7335 /*
7336 * Now check for a data frame.
7337 * I.e, check "link[0] & 0x08".
7338 */
7339 s = gen_load_a(OR_LINK, 0, BPF_B);
7340 b1 = new_block(JMP(BPF_JSET));
7341 b1->s.k = 0x08;
7342 b1->stmts = s;
7343
7344 /*
7345 * AND that with the checks done for data frames.
7346 */
7347 gen_and(b1, b0);
7348
7349 /*
7350 * If the high-order bit of the type value is 0, this
7351 * is a management frame.
7352 * I.e, check "!(link[0] & 0x08)".
7353 */
7354 s = gen_load_a(OR_LINK, 0, BPF_B);
7355 b2 = new_block(JMP(BPF_JSET));
7356 b2->s.k = 0x08;
7357 b2->stmts = s;
7358 gen_not(b2);
7359
7360 /*
7361 * For management frames, the DA is at 4.
7362 */
7363 b1 = gen_mac_multicast(4);
7364 gen_and(b2, b1);
7365
7366 /*
7367 * OR that with the checks done for data frames.
7368 * That gives the checks done for management and
7369 * data frames.
7370 */
7371 gen_or(b1, b0);
7372
7373 /*
7374 * If the low-order bit of the type value is 1,
7375 * this is either a control frame or a frame
7376 * with a reserved type, and thus not a
7377 * frame with an SA.
7378 *
7379 * I.e., check "!(link[0] & 0x04)".
7380 */
7381 s = gen_load_a(OR_LINK, 0, BPF_B);
7382 b1 = new_block(JMP(BPF_JSET));
7383 b1->s.k = 0x04;
7384 b1->stmts = s;
7385 gen_not(b1);
7386
7387 /*
7388 * AND that with the checks for data and management
7389 * frames.
7390 */
7391 gen_and(b1, b0);
7392 return b0;
7393 case DLT_IP_OVER_FC:
7394 b0 = gen_mac_multicast(2);
7395 return b0;
7396 case DLT_SUNATM:
7397 if (is_lane) {
7398 /*
7399 * Check that the packet doesn't begin with an
7400 * LE Control marker. (We've already generated
7401 * a test for LANE.)
7402 */
7403 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7404 BPF_H, 0xFF00);
7405 gen_not(b1);
7406
7407 /* ether[off_mac] & 1 != 0 */
7408 b0 = gen_mac_multicast(off_mac);
7409 gen_and(b1, b0);
7410 return b0;
7411 }
7412 break;
7413 default:
7414 break;
7415 }
7416 /* Link not known to support multicasts */
7417 break;
7418
7419 case Q_IP:
7420 b0 = gen_linktype(ETHERTYPE_IP);
7421 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7422 gen_and(b0, b1);
7423 return b1;
7424
7425 case Q_IPV6:
7426 b0 = gen_linktype(ETHERTYPE_IPV6);
7427 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7428 gen_and(b0, b1);
7429 return b1;
7430 }
7431 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7432 /* NOTREACHED */
7433 return NULL;
7434 }
7435
7436 /*
7437 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7438 * Outbound traffic is sent by this machine, while inbound traffic is
7439 * sent by a remote machine (and may include packets destined for a
7440 * unicast or multicast link-layer address we are not subscribing to).
7441 * These are the same definitions implemented by pcap_setdirection().
7442 * Capturing only unicast traffic destined for this host is probably
7443 * better accomplished using a higher-layer filter.
7444 */
7445 struct block *
gen_inbound(dir)7446 gen_inbound(dir)
7447 int dir;
7448 {
7449 register struct block *b0;
7450
7451 /*
7452 * Only some data link types support inbound/outbound qualifiers.
7453 */
7454 switch (linktype) {
7455 case DLT_SLIP:
7456 b0 = gen_relation(BPF_JEQ,
7457 gen_load(Q_LINK, gen_loadi(0), 1),
7458 gen_loadi(0),
7459 dir);
7460 break;
7461
7462 case DLT_IPNET:
7463 if (dir) {
7464 /* match outgoing packets */
7465 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7466 } else {
7467 /* match incoming packets */
7468 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7469 }
7470 break;
7471
7472 case DLT_LINUX_SLL:
7473 /* match outgoing packets */
7474 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7475 if (!dir) {
7476 /* to filter on inbound traffic, invert the match */
7477 gen_not(b0);
7478 }
7479 break;
7480
7481 #ifdef HAVE_NET_PFVAR_H
7482 case DLT_PFLOG:
7483 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7484 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7485 break;
7486 #endif
7487
7488 case DLT_PPP_PPPD:
7489 if (dir) {
7490 /* match outgoing packets */
7491 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7492 } else {
7493 /* match incoming packets */
7494 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7495 }
7496 break;
7497
7498 case DLT_JUNIPER_MFR:
7499 case DLT_JUNIPER_MLFR:
7500 case DLT_JUNIPER_MLPPP:
7501 case DLT_JUNIPER_ATM1:
7502 case DLT_JUNIPER_ATM2:
7503 case DLT_JUNIPER_PPPOE:
7504 case DLT_JUNIPER_PPPOE_ATM:
7505 case DLT_JUNIPER_GGSN:
7506 case DLT_JUNIPER_ES:
7507 case DLT_JUNIPER_MONITOR:
7508 case DLT_JUNIPER_SERVICES:
7509 case DLT_JUNIPER_ETHER:
7510 case DLT_JUNIPER_PPP:
7511 case DLT_JUNIPER_FRELAY:
7512 case DLT_JUNIPER_CHDLC:
7513 case DLT_JUNIPER_VP:
7514 case DLT_JUNIPER_ST:
7515 case DLT_JUNIPER_ISM:
7516 case DLT_JUNIPER_VS:
7517 case DLT_JUNIPER_SRX_E2E:
7518 case DLT_JUNIPER_FIBRECHANNEL:
7519 case DLT_JUNIPER_ATM_CEMIC:
7520
7521 /* juniper flags (including direction) are stored
7522 * the byte after the 3-byte magic number */
7523 if (dir) {
7524 /* match outgoing packets */
7525 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7526 } else {
7527 /* match incoming packets */
7528 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7529 }
7530 break;
7531
7532 default:
7533 /*
7534 * If we have packet meta-data indicating a direction,
7535 * check it, otherwise give up as this link-layer type
7536 * has nothing in the packet data.
7537 */
7538 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7539 /*
7540 * We infer that this is Linux with PF_PACKET support.
7541 * If this is a *live* capture, we can look at
7542 * special meta-data in the filter expression;
7543 * if it's a savefile, we can't.
7544 */
7545 if (bpf_pcap->sf.rfile != NULL) {
7546 /* We have a FILE *, so this is a savefile */
7547 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles",
7548 linktype);
7549 b0 = NULL;
7550 /* NOTREACHED */
7551 }
7552 /* match outgoing packets */
7553 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7554 PACKET_OUTGOING);
7555 if (!dir) {
7556 /* to filter on inbound traffic, invert the match */
7557 gen_not(b0);
7558 }
7559 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7560 bpf_error("inbound/outbound not supported on linktype %d",
7561 linktype);
7562 b0 = NULL;
7563 /* NOTREACHED */
7564 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7565 }
7566 return (b0);
7567 }
7568
7569 #ifdef HAVE_NET_PFVAR_H
7570 /* PF firewall log matched interface */
7571 struct block *
gen_pf_ifname(const char * ifname)7572 gen_pf_ifname(const char *ifname)
7573 {
7574 struct block *b0;
7575 u_int len, off;
7576
7577 if (linktype != DLT_PFLOG) {
7578 bpf_error("ifname supported only on PF linktype");
7579 /* NOTREACHED */
7580 }
7581 len = sizeof(((struct pfloghdr *)0)->ifname);
7582 off = offsetof(struct pfloghdr, ifname);
7583 if (strlen(ifname) >= len) {
7584 bpf_error("ifname interface names can only be %d characters",
7585 len-1);
7586 /* NOTREACHED */
7587 }
7588 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7589 return (b0);
7590 }
7591
7592 /* PF firewall log ruleset name */
7593 struct block *
gen_pf_ruleset(char * ruleset)7594 gen_pf_ruleset(char *ruleset)
7595 {
7596 struct block *b0;
7597
7598 if (linktype != DLT_PFLOG) {
7599 bpf_error("ruleset supported only on PF linktype");
7600 /* NOTREACHED */
7601 }
7602
7603 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7604 bpf_error("ruleset names can only be %ld characters",
7605 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7606 /* NOTREACHED */
7607 }
7608
7609 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7610 strlen(ruleset), (const u_char *)ruleset);
7611 return (b0);
7612 }
7613
7614 /* PF firewall log rule number */
7615 struct block *
gen_pf_rnr(int rnr)7616 gen_pf_rnr(int rnr)
7617 {
7618 struct block *b0;
7619
7620 if (linktype != DLT_PFLOG) {
7621 bpf_error("rnr supported only on PF linktype");
7622 /* NOTREACHED */
7623 }
7624
7625 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7626 (bpf_int32)rnr);
7627 return (b0);
7628 }
7629
7630 /* PF firewall log sub-rule number */
7631 struct block *
gen_pf_srnr(int srnr)7632 gen_pf_srnr(int srnr)
7633 {
7634 struct block *b0;
7635
7636 if (linktype != DLT_PFLOG) {
7637 bpf_error("srnr supported only on PF linktype");
7638 /* NOTREACHED */
7639 }
7640
7641 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7642 (bpf_int32)srnr);
7643 return (b0);
7644 }
7645
7646 /* PF firewall log reason code */
7647 struct block *
gen_pf_reason(int reason)7648 gen_pf_reason(int reason)
7649 {
7650 struct block *b0;
7651
7652 if (linktype != DLT_PFLOG) {
7653 bpf_error("reason supported only on PF linktype");
7654 /* NOTREACHED */
7655 }
7656
7657 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7658 (bpf_int32)reason);
7659 return (b0);
7660 }
7661
7662 /* PF firewall log action */
7663 struct block *
gen_pf_action(int action)7664 gen_pf_action(int action)
7665 {
7666 struct block *b0;
7667
7668 if (linktype != DLT_PFLOG) {
7669 bpf_error("action supported only on PF linktype");
7670 /* NOTREACHED */
7671 }
7672
7673 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7674 (bpf_int32)action);
7675 return (b0);
7676 }
7677 #else /* !HAVE_NET_PFVAR_H */
7678 struct block *
gen_pf_ifname(const char * ifname)7679 gen_pf_ifname(const char *ifname)
7680 {
7681 bpf_error("libpcap was compiled without pf support");
7682 /* NOTREACHED */
7683 return (NULL);
7684 }
7685
7686 struct block *
gen_pf_ruleset(char * ruleset)7687 gen_pf_ruleset(char *ruleset)
7688 {
7689 bpf_error("libpcap was compiled on a machine without pf support");
7690 /* NOTREACHED */
7691 return (NULL);
7692 }
7693
7694 struct block *
gen_pf_rnr(int rnr)7695 gen_pf_rnr(int rnr)
7696 {
7697 bpf_error("libpcap was compiled on a machine without pf support");
7698 /* NOTREACHED */
7699 return (NULL);
7700 }
7701
7702 struct block *
gen_pf_srnr(int srnr)7703 gen_pf_srnr(int srnr)
7704 {
7705 bpf_error("libpcap was compiled on a machine without pf support");
7706 /* NOTREACHED */
7707 return (NULL);
7708 }
7709
7710 struct block *
gen_pf_reason(int reason)7711 gen_pf_reason(int reason)
7712 {
7713 bpf_error("libpcap was compiled on a machine without pf support");
7714 /* NOTREACHED */
7715 return (NULL);
7716 }
7717
7718 struct block *
gen_pf_action(int action)7719 gen_pf_action(int action)
7720 {
7721 bpf_error("libpcap was compiled on a machine without pf support");
7722 /* NOTREACHED */
7723 return (NULL);
7724 }
7725 #endif /* HAVE_NET_PFVAR_H */
7726
7727 /* IEEE 802.11 wireless header */
7728 struct block *
gen_p80211_type(int type,int mask)7729 gen_p80211_type(int type, int mask)
7730 {
7731 struct block *b0;
7732
7733 switch (linktype) {
7734
7735 case DLT_IEEE802_11:
7736 case DLT_PRISM_HEADER:
7737 case DLT_IEEE802_11_RADIO_AVS:
7738 case DLT_IEEE802_11_RADIO:
7739 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7740 (bpf_int32)mask);
7741 break;
7742
7743 default:
7744 bpf_error("802.11 link-layer types supported only on 802.11");
7745 /* NOTREACHED */
7746 }
7747
7748 return (b0);
7749 }
7750
7751 struct block *
gen_p80211_fcdir(int fcdir)7752 gen_p80211_fcdir(int fcdir)
7753 {
7754 struct block *b0;
7755
7756 switch (linktype) {
7757
7758 case DLT_IEEE802_11:
7759 case DLT_PRISM_HEADER:
7760 case DLT_IEEE802_11_RADIO_AVS:
7761 case DLT_IEEE802_11_RADIO:
7762 break;
7763
7764 default:
7765 bpf_error("frame direction supported only with 802.11 headers");
7766 /* NOTREACHED */
7767 }
7768
7769 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7770 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7771
7772 return (b0);
7773 }
7774
7775 struct block *
gen_acode(eaddr,q)7776 gen_acode(eaddr, q)
7777 register const u_char *eaddr;
7778 struct qual q;
7779 {
7780 switch (linktype) {
7781
7782 case DLT_ARCNET:
7783 case DLT_ARCNET_LINUX:
7784 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7785 q.proto == Q_LINK)
7786 return (gen_ahostop(eaddr, (int)q.dir));
7787 else {
7788 bpf_error("ARCnet address used in non-arc expression");
7789 /* NOTREACHED */
7790 }
7791 break;
7792
7793 default:
7794 bpf_error("aid supported only on ARCnet");
7795 /* NOTREACHED */
7796 }
7797 bpf_error("ARCnet address used in non-arc expression");
7798 /* NOTREACHED */
7799 return NULL;
7800 }
7801
7802 static struct block *
gen_ahostop(eaddr,dir)7803 gen_ahostop(eaddr, dir)
7804 register const u_char *eaddr;
7805 register int dir;
7806 {
7807 register struct block *b0, *b1;
7808
7809 switch (dir) {
7810 /* src comes first, different from Ethernet */
7811 case Q_SRC:
7812 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7813
7814 case Q_DST:
7815 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7816
7817 case Q_AND:
7818 b0 = gen_ahostop(eaddr, Q_SRC);
7819 b1 = gen_ahostop(eaddr, Q_DST);
7820 gen_and(b0, b1);
7821 return b1;
7822
7823 case Q_DEFAULT:
7824 case Q_OR:
7825 b0 = gen_ahostop(eaddr, Q_SRC);
7826 b1 = gen_ahostop(eaddr, Q_DST);
7827 gen_or(b0, b1);
7828 return b1;
7829
7830 case Q_ADDR1:
7831 bpf_error("'addr1' is only supported on 802.11");
7832 break;
7833
7834 case Q_ADDR2:
7835 bpf_error("'addr2' is only supported on 802.11");
7836 break;
7837
7838 case Q_ADDR3:
7839 bpf_error("'addr3' is only supported on 802.11");
7840 break;
7841
7842 case Q_ADDR4:
7843 bpf_error("'addr4' is only supported on 802.11");
7844 break;
7845
7846 case Q_RA:
7847 bpf_error("'ra' is only supported on 802.11");
7848 break;
7849
7850 case Q_TA:
7851 bpf_error("'ta' is only supported on 802.11");
7852 break;
7853 }
7854 abort();
7855 /* NOTREACHED */
7856 }
7857
7858 /*
7859 * support IEEE 802.1Q VLAN trunk over ethernet
7860 */
7861 struct block *
gen_vlan(vlan_num)7862 gen_vlan(vlan_num)
7863 int vlan_num;
7864 {
7865 struct block *b0, *b1;
7866
7867 /* can't check for VLAN-encapsulated packets inside MPLS */
7868 if (label_stack_depth > 0)
7869 bpf_error("no VLAN match after MPLS");
7870
7871 /*
7872 * Check for a VLAN packet, and then change the offsets to point
7873 * to the type and data fields within the VLAN packet. Just
7874 * increment the offsets, so that we can support a hierarchy, e.g.
7875 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7876 * VLAN 100.
7877 *
7878 * XXX - this is a bit of a kludge. If we were to split the
7879 * compiler into a parser that parses an expression and
7880 * generates an expression tree, and a code generator that
7881 * takes an expression tree (which could come from our
7882 * parser or from some other parser) and generates BPF code,
7883 * we could perhaps make the offsets parameters of routines
7884 * and, in the handler for an "AND" node, pass to subnodes
7885 * other than the VLAN node the adjusted offsets.
7886 *
7887 * This would mean that "vlan" would, instead of changing the
7888 * behavior of *all* tests after it, change only the behavior
7889 * of tests ANDed with it. That would change the documented
7890 * semantics of "vlan", which might break some expressions.
7891 * However, it would mean that "(vlan and ip) or ip" would check
7892 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7893 * checking only for VLAN-encapsulated IP, so that could still
7894 * be considered worth doing; it wouldn't break expressions
7895 * that are of the form "vlan and ..." or "vlan N and ...",
7896 * which I suspect are the most common expressions involving
7897 * "vlan". "vlan or ..." doesn't necessarily do what the user
7898 * would really want, now, as all the "or ..." tests would
7899 * be done assuming a VLAN, even though the "or" could be viewed
7900 * as meaning "or, if this isn't a VLAN packet...".
7901 */
7902 orig_nl = off_nl;
7903
7904 switch (linktype) {
7905
7906 case DLT_EN10MB:
7907 case DLT_NETANALYZER:
7908 case DLT_NETANALYZER_TRANSPARENT:
7909 /* check for VLAN, including QinQ */
7910 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7911 (bpf_int32)ETHERTYPE_8021Q);
7912 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7913 (bpf_int32)ETHERTYPE_8021QINQ);
7914 gen_or(b0,b1);
7915 b0 = b1;
7916
7917 /* If a specific VLAN is requested, check VLAN id */
7918 if (vlan_num >= 0) {
7919 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7920 (bpf_int32)vlan_num, 0x0fff);
7921 gen_and(b0, b1);
7922 b0 = b1;
7923 }
7924
7925 off_macpl += 4;
7926 off_linktype += 4;
7927 #if 0
7928 off_nl_nosnap += 4;
7929 off_nl += 4;
7930 #endif
7931 break;
7932
7933 default:
7934 bpf_error("no VLAN support for data link type %d",
7935 linktype);
7936 /*NOTREACHED*/
7937 }
7938
7939 return (b0);
7940 }
7941
7942 /*
7943 * support for MPLS
7944 */
7945 struct block *
gen_mpls(label_num)7946 gen_mpls(label_num)
7947 int label_num;
7948 {
7949 struct block *b0,*b1;
7950
7951 /*
7952 * Change the offsets to point to the type and data fields within
7953 * the MPLS packet. Just increment the offsets, so that we
7954 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7955 * capture packets with an outer label of 100000 and an inner
7956 * label of 1024.
7957 *
7958 * XXX - this is a bit of a kludge. See comments in gen_vlan().
7959 */
7960 orig_nl = off_nl;
7961
7962 if (label_stack_depth > 0) {
7963 /* just match the bottom-of-stack bit clear */
7964 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
7965 } else {
7966 /*
7967 * Indicate that we're checking MPLS-encapsulated headers,
7968 * to make sure higher level code generators don't try to
7969 * match against IP-related protocols such as Q_ARP, Q_RARP
7970 * etc.
7971 */
7972 switch (linktype) {
7973
7974 case DLT_C_HDLC: /* fall through */
7975 case DLT_EN10MB:
7976 case DLT_NETANALYZER:
7977 case DLT_NETANALYZER_TRANSPARENT:
7978 b0 = gen_linktype(ETHERTYPE_MPLS);
7979 break;
7980
7981 case DLT_PPP:
7982 b0 = gen_linktype(PPP_MPLS_UCAST);
7983 break;
7984
7985 /* FIXME add other DLT_s ...
7986 * for Frame-Relay/and ATM this may get messy due to SNAP headers
7987 * leave it for now */
7988
7989 default:
7990 bpf_error("no MPLS support for data link type %d",
7991 linktype);
7992 b0 = NULL;
7993 /*NOTREACHED*/
7994 break;
7995 }
7996 }
7997
7998 /* If a specific MPLS label is requested, check it */
7999 if (label_num >= 0) {
8000 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8001 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
8002 0xfffff000); /* only compare the first 20 bits */
8003 gen_and(b0, b1);
8004 b0 = b1;
8005 }
8006
8007 off_nl_nosnap += 4;
8008 off_nl += 4;
8009 label_stack_depth++;
8010 return (b0);
8011 }
8012
8013 /*
8014 * Support PPPOE discovery and session.
8015 */
8016 struct block *
gen_pppoed()8017 gen_pppoed()
8018 {
8019 /* check for PPPoE discovery */
8020 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
8021 }
8022
8023 struct block *
gen_pppoes()8024 gen_pppoes()
8025 {
8026 struct block *b0;
8027
8028 /*
8029 * Test against the PPPoE session link-layer type.
8030 */
8031 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
8032
8033 /*
8034 * Change the offsets to point to the type and data fields within
8035 * the PPP packet, and note that this is PPPoE rather than
8036 * raw PPP.
8037 *
8038 * XXX - this is a bit of a kludge. If we were to split the
8039 * compiler into a parser that parses an expression and
8040 * generates an expression tree, and a code generator that
8041 * takes an expression tree (which could come from our
8042 * parser or from some other parser) and generates BPF code,
8043 * we could perhaps make the offsets parameters of routines
8044 * and, in the handler for an "AND" node, pass to subnodes
8045 * other than the PPPoE node the adjusted offsets.
8046 *
8047 * This would mean that "pppoes" would, instead of changing the
8048 * behavior of *all* tests after it, change only the behavior
8049 * of tests ANDed with it. That would change the documented
8050 * semantics of "pppoes", which might break some expressions.
8051 * However, it would mean that "(pppoes and ip) or ip" would check
8052 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8053 * checking only for VLAN-encapsulated IP, so that could still
8054 * be considered worth doing; it wouldn't break expressions
8055 * that are of the form "pppoes and ..." which I suspect are the
8056 * most common expressions involving "pppoes". "pppoes or ..."
8057 * doesn't necessarily do what the user would really want, now,
8058 * as all the "or ..." tests would be done assuming PPPoE, even
8059 * though the "or" could be viewed as meaning "or, if this isn't
8060 * a PPPoE packet...".
8061 */
8062 orig_linktype = off_linktype; /* save original values */
8063 orig_nl = off_nl;
8064 is_pppoes = 1;
8065
8066 /*
8067 * The "network-layer" protocol is PPPoE, which has a 6-byte
8068 * PPPoE header, followed by a PPP packet.
8069 *
8070 * There is no HDLC encapsulation for the PPP packet (it's
8071 * encapsulated in PPPoES instead), so the link-layer type
8072 * starts at the first byte of the PPP packet. For PPPoE,
8073 * that offset is relative to the beginning of the total
8074 * link-layer payload, including any 802.2 LLC header, so
8075 * it's 6 bytes past off_nl.
8076 */
8077 off_linktype = off_nl + 6;
8078
8079 /*
8080 * The network-layer offsets are relative to the beginning
8081 * of the MAC-layer payload; that's past the 6-byte
8082 * PPPoE header and the 2-byte PPP header.
8083 */
8084 off_nl = 6+2;
8085 off_nl_nosnap = 6+2;
8086
8087 return b0;
8088 }
8089
8090 struct block *
gen_atmfield_code(atmfield,jvalue,jtype,reverse)8091 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8092 int atmfield;
8093 bpf_int32 jvalue;
8094 bpf_u_int32 jtype;
8095 int reverse;
8096 {
8097 struct block *b0;
8098
8099 switch (atmfield) {
8100
8101 case A_VPI:
8102 if (!is_atm)
8103 bpf_error("'vpi' supported only on raw ATM");
8104 if (off_vpi == (u_int)-1)
8105 abort();
8106 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
8107 reverse, jvalue);
8108 break;
8109
8110 case A_VCI:
8111 if (!is_atm)
8112 bpf_error("'vci' supported only on raw ATM");
8113 if (off_vci == (u_int)-1)
8114 abort();
8115 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
8116 reverse, jvalue);
8117 break;
8118
8119 case A_PROTOTYPE:
8120 if (off_proto == (u_int)-1)
8121 abort(); /* XXX - this isn't on FreeBSD */
8122 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
8123 reverse, jvalue);
8124 break;
8125
8126 case A_MSGTYPE:
8127 if (off_payload == (u_int)-1)
8128 abort();
8129 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
8130 0xffffffff, jtype, reverse, jvalue);
8131 break;
8132
8133 case A_CALLREFTYPE:
8134 if (!is_atm)
8135 bpf_error("'callref' supported only on raw ATM");
8136 if (off_proto == (u_int)-1)
8137 abort();
8138 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
8139 jtype, reverse, jvalue);
8140 break;
8141
8142 default:
8143 abort();
8144 }
8145 return b0;
8146 }
8147
8148 struct block *
gen_atmtype_abbrev(type)8149 gen_atmtype_abbrev(type)
8150 int type;
8151 {
8152 struct block *b0, *b1;
8153
8154 switch (type) {
8155
8156 case A_METAC:
8157 /* Get all packets in Meta signalling Circuit */
8158 if (!is_atm)
8159 bpf_error("'metac' supported only on raw ATM");
8160 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8161 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8162 gen_and(b0, b1);
8163 break;
8164
8165 case A_BCC:
8166 /* Get all packets in Broadcast Circuit*/
8167 if (!is_atm)
8168 bpf_error("'bcc' supported only on raw ATM");
8169 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8170 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8171 gen_and(b0, b1);
8172 break;
8173
8174 case A_OAMF4SC:
8175 /* Get all cells in Segment OAM F4 circuit*/
8176 if (!is_atm)
8177 bpf_error("'oam4sc' supported only on raw ATM");
8178 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8179 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8180 gen_and(b0, b1);
8181 break;
8182
8183 case A_OAMF4EC:
8184 /* Get all cells in End-to-End OAM F4 Circuit*/
8185 if (!is_atm)
8186 bpf_error("'oam4ec' supported only on raw ATM");
8187 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8188 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8189 gen_and(b0, b1);
8190 break;
8191
8192 case A_SC:
8193 /* Get all packets in connection Signalling Circuit */
8194 if (!is_atm)
8195 bpf_error("'sc' supported only on raw ATM");
8196 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8197 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8198 gen_and(b0, b1);
8199 break;
8200
8201 case A_ILMIC:
8202 /* Get all packets in ILMI Circuit */
8203 if (!is_atm)
8204 bpf_error("'ilmic' supported only on raw ATM");
8205 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8206 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8207 gen_and(b0, b1);
8208 break;
8209
8210 case A_LANE:
8211 /* Get all LANE packets */
8212 if (!is_atm)
8213 bpf_error("'lane' supported only on raw ATM");
8214 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8215
8216 /*
8217 * Arrange that all subsequent tests assume LANE
8218 * rather than LLC-encapsulated packets, and set
8219 * the offsets appropriately for LANE-encapsulated
8220 * Ethernet.
8221 *
8222 * "off_mac" is the offset of the Ethernet header,
8223 * which is 2 bytes past the ATM pseudo-header
8224 * (skipping the pseudo-header and 2-byte LE Client
8225 * field). The other offsets are Ethernet offsets
8226 * relative to "off_mac".
8227 */
8228 is_lane = 1;
8229 off_mac = off_payload + 2; /* MAC header */
8230 off_linktype = off_mac + 12;
8231 off_macpl = off_mac + 14; /* Ethernet */
8232 off_nl = 0; /* Ethernet II */
8233 off_nl_nosnap = 3; /* 802.3+802.2 */
8234 break;
8235
8236 case A_LLC:
8237 /* Get all LLC-encapsulated packets */
8238 if (!is_atm)
8239 bpf_error("'llc' supported only on raw ATM");
8240 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8241 is_lane = 0;
8242 break;
8243
8244 default:
8245 abort();
8246 }
8247 return b1;
8248 }
8249
8250 /*
8251 * Filtering for MTP2 messages based on li value
8252 * FISU, length is null
8253 * LSSU, length is 1 or 2
8254 * MSU, length is 3 or more
8255 */
8256 struct block *
gen_mtp2type_abbrev(type)8257 gen_mtp2type_abbrev(type)
8258 int type;
8259 {
8260 struct block *b0, *b1;
8261
8262 switch (type) {
8263
8264 case M_FISU:
8265 if ( (linktype != DLT_MTP2) &&
8266 (linktype != DLT_ERF) &&
8267 (linktype != DLT_MTP2_WITH_PHDR) )
8268 bpf_error("'fisu' supported only on MTP2");
8269 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8270 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8271 break;
8272
8273 case M_LSSU:
8274 if ( (linktype != DLT_MTP2) &&
8275 (linktype != DLT_ERF) &&
8276 (linktype != DLT_MTP2_WITH_PHDR) )
8277 bpf_error("'lssu' supported only on MTP2");
8278 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8279 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8280 gen_and(b1, b0);
8281 break;
8282
8283 case M_MSU:
8284 if ( (linktype != DLT_MTP2) &&
8285 (linktype != DLT_ERF) &&
8286 (linktype != DLT_MTP2_WITH_PHDR) )
8287 bpf_error("'msu' supported only on MTP2");
8288 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8289 break;
8290
8291 default:
8292 abort();
8293 }
8294 return b0;
8295 }
8296
8297 struct block *
gen_mtp3field_code(mtp3field,jvalue,jtype,reverse)8298 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8299 int mtp3field;
8300 bpf_u_int32 jvalue;
8301 bpf_u_int32 jtype;
8302 int reverse;
8303 {
8304 struct block *b0;
8305 bpf_u_int32 val1 , val2 , val3;
8306
8307 switch (mtp3field) {
8308
8309 case M_SIO:
8310 if (off_sio == (u_int)-1)
8311 bpf_error("'sio' supported only on SS7");
8312 /* sio coded on 1 byte so max value 255 */
8313 if(jvalue > 255)
8314 bpf_error("sio value %u too big; max value = 255",
8315 jvalue);
8316 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8317 (u_int)jtype, reverse, (u_int)jvalue);
8318 break;
8319
8320 case M_OPC:
8321 if (off_opc == (u_int)-1)
8322 bpf_error("'opc' supported only on SS7");
8323 /* opc coded on 14 bits so max value 16383 */
8324 if (jvalue > 16383)
8325 bpf_error("opc value %u too big; max value = 16383",
8326 jvalue);
8327 /* the following instructions are made to convert jvalue
8328 * to the form used to write opc in an ss7 message*/
8329 val1 = jvalue & 0x00003c00;
8330 val1 = val1 >>10;
8331 val2 = jvalue & 0x000003fc;
8332 val2 = val2 <<6;
8333 val3 = jvalue & 0x00000003;
8334 val3 = val3 <<22;
8335 jvalue = val1 + val2 + val3;
8336 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8337 (u_int)jtype, reverse, (u_int)jvalue);
8338 break;
8339
8340 case M_DPC:
8341 if (off_dpc == (u_int)-1)
8342 bpf_error("'dpc' supported only on SS7");
8343 /* dpc coded on 14 bits so max value 16383 */
8344 if (jvalue > 16383)
8345 bpf_error("dpc value %u too big; max value = 16383",
8346 jvalue);
8347 /* the following instructions are made to convert jvalue
8348 * to the forme used to write dpc in an ss7 message*/
8349 val1 = jvalue & 0x000000ff;
8350 val1 = val1 << 24;
8351 val2 = jvalue & 0x00003f00;
8352 val2 = val2 << 8;
8353 jvalue = val1 + val2;
8354 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8355 (u_int)jtype, reverse, (u_int)jvalue);
8356 break;
8357
8358 case M_SLS:
8359 if (off_sls == (u_int)-1)
8360 bpf_error("'sls' supported only on SS7");
8361 /* sls coded on 4 bits so max value 15 */
8362 if (jvalue > 15)
8363 bpf_error("sls value %u too big; max value = 15",
8364 jvalue);
8365 /* the following instruction is made to convert jvalue
8366 * to the forme used to write sls in an ss7 message*/
8367 jvalue = jvalue << 4;
8368 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8369 (u_int)jtype,reverse, (u_int)jvalue);
8370 break;
8371
8372 default:
8373 abort();
8374 }
8375 return b0;
8376 }
8377
8378 static struct block *
gen_msg_abbrev(type)8379 gen_msg_abbrev(type)
8380 int type;
8381 {
8382 struct block *b1;
8383
8384 /*
8385 * Q.2931 signalling protocol messages for handling virtual circuits
8386 * establishment and teardown
8387 */
8388 switch (type) {
8389
8390 case A_SETUP:
8391 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8392 break;
8393
8394 case A_CALLPROCEED:
8395 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8396 break;
8397
8398 case A_CONNECT:
8399 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8400 break;
8401
8402 case A_CONNECTACK:
8403 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8404 break;
8405
8406 case A_RELEASE:
8407 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8408 break;
8409
8410 case A_RELEASE_DONE:
8411 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8412 break;
8413
8414 default:
8415 abort();
8416 }
8417 return b1;
8418 }
8419
8420 struct block *
gen_atmmulti_abbrev(type)8421 gen_atmmulti_abbrev(type)
8422 int type;
8423 {
8424 struct block *b0, *b1;
8425
8426 switch (type) {
8427
8428 case A_OAM:
8429 if (!is_atm)
8430 bpf_error("'oam' supported only on raw ATM");
8431 b1 = gen_atmmulti_abbrev(A_OAMF4);
8432 break;
8433
8434 case A_OAMF4:
8435 if (!is_atm)
8436 bpf_error("'oamf4' supported only on raw ATM");
8437 /* OAM F4 type */
8438 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8439 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8440 gen_or(b0, b1);
8441 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8442 gen_and(b0, b1);
8443 break;
8444
8445 case A_CONNECTMSG:
8446 /*
8447 * Get Q.2931 signalling messages for switched
8448 * virtual connection
8449 */
8450 if (!is_atm)
8451 bpf_error("'connectmsg' supported only on raw ATM");
8452 b0 = gen_msg_abbrev(A_SETUP);
8453 b1 = gen_msg_abbrev(A_CALLPROCEED);
8454 gen_or(b0, b1);
8455 b0 = gen_msg_abbrev(A_CONNECT);
8456 gen_or(b0, b1);
8457 b0 = gen_msg_abbrev(A_CONNECTACK);
8458 gen_or(b0, b1);
8459 b0 = gen_msg_abbrev(A_RELEASE);
8460 gen_or(b0, b1);
8461 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8462 gen_or(b0, b1);
8463 b0 = gen_atmtype_abbrev(A_SC);
8464 gen_and(b0, b1);
8465 break;
8466
8467 case A_METACONNECT:
8468 if (!is_atm)
8469 bpf_error("'metaconnect' supported only on raw ATM");
8470 b0 = gen_msg_abbrev(A_SETUP);
8471 b1 = gen_msg_abbrev(A_CALLPROCEED);
8472 gen_or(b0, b1);
8473 b0 = gen_msg_abbrev(A_CONNECT);
8474 gen_or(b0, b1);
8475 b0 = gen_msg_abbrev(A_RELEASE);
8476 gen_or(b0, b1);
8477 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8478 gen_or(b0, b1);
8479 b0 = gen_atmtype_abbrev(A_METAC);
8480 gen_and(b0, b1);
8481 break;
8482
8483 default:
8484 abort();
8485 }
8486 return b1;
8487 }
8488