1/*#define CHASE_CHAIN*/
2/*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 *
| 1/*#define CHASE_CHAIN*/
2/*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 *
|
22 * $FreeBSD: head/contrib/libpcap/gencode.c 235426 2012-05-14 05:12:56Z delphij $
| 22 * $FreeBSD: head/contrib/libpcap/gencode.c 241231 2012-10-05 18:42:50Z delphij $
|
23 */
24#ifndef lint
25static const char rcsid[] _U_ =
26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
27#endif
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32
33#ifdef WIN32
34#include <pcap-stdinc.h>
35#else /* WIN32 */
36#if HAVE_INTTYPES_H
37#include <inttypes.h>
38#elif HAVE_STDINT_H
39#include <stdint.h>
40#endif
41#ifdef HAVE_SYS_BITYPES_H
42#include <sys/bitypes.h>
43#endif
44#include <sys/types.h>
45#include <sys/socket.h>
46#endif /* WIN32 */
47
48/*
49 * XXX - why was this included even on UNIX?
50 */
51#ifdef __MINGW32__
52#include "ip6_misc.h"
53#endif
54
55#ifndef WIN32
56
57#ifdef __NetBSD__
58#include <sys/param.h>
59#endif
60
61#include <netinet/in.h>
62#include <arpa/inet.h>
63
64#endif /* WIN32 */
65
66#include <stdlib.h>
67#include <string.h>
68#include <memory.h>
69#include <setjmp.h>
70#include <stdarg.h>
71
72#ifdef MSDOS
73#include "pcap-dos.h"
74#endif
75
76#include "pcap-int.h"
77
78#include "ethertype.h"
79#include "nlpid.h"
80#include "llc.h"
81#include "gencode.h"
82#include "ieee80211.h"
83#include "atmuni31.h"
84#include "sunatmpos.h"
85#include "ppp.h"
86#include "pcap/sll.h"
87#include "pcap/ipnet.h"
88#include "arcnet.h"
| 23 */
24#ifndef lint
25static const char rcsid[] _U_ =
26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
27#endif
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32
33#ifdef WIN32
34#include <pcap-stdinc.h>
35#else /* WIN32 */
36#if HAVE_INTTYPES_H
37#include <inttypes.h>
38#elif HAVE_STDINT_H
39#include <stdint.h>
40#endif
41#ifdef HAVE_SYS_BITYPES_H
42#include <sys/bitypes.h>
43#endif
44#include <sys/types.h>
45#include <sys/socket.h>
46#endif /* WIN32 */
47
48/*
49 * XXX - why was this included even on UNIX?
50 */
51#ifdef __MINGW32__
52#include "ip6_misc.h"
53#endif
54
55#ifndef WIN32
56
57#ifdef __NetBSD__
58#include <sys/param.h>
59#endif
60
61#include <netinet/in.h>
62#include <arpa/inet.h>
63
64#endif /* WIN32 */
65
66#include <stdlib.h>
67#include <string.h>
68#include <memory.h>
69#include <setjmp.h>
70#include <stdarg.h>
71
72#ifdef MSDOS
73#include "pcap-dos.h"
74#endif
75
76#include "pcap-int.h"
77
78#include "ethertype.h"
79#include "nlpid.h"
80#include "llc.h"
81#include "gencode.h"
82#include "ieee80211.h"
83#include "atmuni31.h"
84#include "sunatmpos.h"
85#include "ppp.h"
86#include "pcap/sll.h"
87#include "pcap/ipnet.h"
88#include "arcnet.h"
|
| 89#if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
90#include <linux/types.h>
91#include <linux/if_packet.h>
92#include <linux/filter.h>
93#endif
|
89#ifdef HAVE_NET_PFVAR_H
90#include <sys/socket.h>
91#include <net/if.h>
92#include <net/pfvar.h>
93#include <net/if_pflog.h>
94#endif
95#ifndef offsetof
96#define offsetof(s, e) ((size_t)&((s *)0)->e)
97#endif
98#ifdef INET6
99#ifndef WIN32
100#include <netdb.h> /* for "struct addrinfo" */
101#endif /* WIN32 */
102#endif /*INET6*/
103#include <pcap/namedb.h>
104
105#define ETHERMTU 1500
106
107#ifndef IPPROTO_SCTP
108#define IPPROTO_SCTP 132
109#endif
110
111#ifdef HAVE_OS_PROTO_H
112#include "os-proto.h"
113#endif
114
115#define JMP(c) ((c)|BPF_JMP|BPF_K)
116
117/* Locals */
118static jmp_buf top_ctx;
119static pcap_t *bpf_pcap;
120
121/* Hack for updating VLAN, MPLS, and PPPoE offsets. */
122#ifdef WIN32
123static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
124#else
125static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
126#endif
127
128/* XXX */
129#ifdef PCAP_FDDIPAD
130static int pcap_fddipad;
131#endif
132
133/* VARARGS */
134void
135bpf_error(const char *fmt, ...)
136{
137 va_list ap;
138
139 va_start(ap, fmt);
140 if (bpf_pcap != NULL)
141 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
142 fmt, ap);
143 va_end(ap);
144 longjmp(top_ctx, 1);
145 /* NOTREACHED */
146}
147
148static void init_linktype(pcap_t *);
149
150static void init_regs(void);
151static int alloc_reg(void);
152static void free_reg(int);
153
154static struct block *root;
155
156/*
157 * Value passed to gen_load_a() to indicate what the offset argument
158 * is relative to.
159 */
160enum e_offrel {
161 OR_PACKET, /* relative to the beginning of the packet */
162 OR_LINK, /* relative to the beginning of the link-layer header */
163 OR_MACPL, /* relative to the end of the MAC-layer header */
164 OR_NET, /* relative to the network-layer header */
165 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
166 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
167 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
168};
169
170#ifdef INET6
171/*
172 * As errors are handled by a longjmp, anything allocated must be freed
173 * in the longjmp handler, so it must be reachable from that handler.
174 * One thing that's allocated is the result of pcap_nametoaddrinfo();
175 * it must be freed with freeaddrinfo(). This variable points to any
176 * addrinfo structure that would need to be freed.
177 */
178static struct addrinfo *ai;
179#endif
180
181/*
182 * We divy out chunks of memory rather than call malloc each time so
183 * we don't have to worry about leaking memory. It's probably
184 * not a big deal if all this memory was wasted but if this ever
185 * goes into a library that would probably not be a good idea.
186 *
187 * XXX - this *is* in a library....
188 */
189#define NCHUNKS 16
190#define CHUNK0SIZE 1024
191struct chunk {
192 u_int n_left;
193 void *m;
194};
195
196static struct chunk chunks[NCHUNKS];
197static int cur_chunk;
198
199static void *newchunk(u_int);
200static void freechunks(void);
201static inline struct block *new_block(int);
202static inline struct slist *new_stmt(int);
203static struct block *gen_retblk(int);
204static inline void syntax(void);
205
206static void backpatch(struct block *, struct block *);
207static void merge(struct block *, struct block *);
208static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
209static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
210static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
211static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
212static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
213static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
214 bpf_u_int32);
215static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
216static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
217 bpf_u_int32, bpf_u_int32, int, bpf_int32);
218static struct slist *gen_load_llrel(u_int, u_int);
219static struct slist *gen_load_macplrel(u_int, u_int);
220static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
221static struct slist *gen_loadx_iphdrlen(void);
222static struct block *gen_uncond(int);
223static inline struct block *gen_true(void);
224static inline struct block *gen_false(void);
225static struct block *gen_ether_linktype(int);
226static struct block *gen_ipnet_linktype(int);
227static struct block *gen_linux_sll_linktype(int);
228static struct slist *gen_load_prism_llprefixlen(void);
229static struct slist *gen_load_avs_llprefixlen(void);
230static struct slist *gen_load_radiotap_llprefixlen(void);
231static struct slist *gen_load_ppi_llprefixlen(void);
232static void insert_compute_vloffsets(struct block *);
233static struct slist *gen_llprefixlen(void);
234static struct slist *gen_off_macpl(void);
235static int ethertype_to_ppptype(int);
236static struct block *gen_linktype(int);
237static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
238static struct block *gen_llc_linktype(int);
239static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
240#ifdef INET6
241static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
242#endif
243static struct block *gen_ahostop(const u_char *, int);
244static struct block *gen_ehostop(const u_char *, int);
245static struct block *gen_fhostop(const u_char *, int);
246static struct block *gen_thostop(const u_char *, int);
247static struct block *gen_wlanhostop(const u_char *, int);
248static struct block *gen_ipfchostop(const u_char *, int);
249static struct block *gen_dnhostop(bpf_u_int32, int);
250static struct block *gen_mpls_linktype(int);
251static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
252#ifdef INET6
253static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
254#endif
255#ifndef INET6
256static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
257#endif
258static struct block *gen_ipfrag(void);
259static struct block *gen_portatom(int, bpf_int32);
260static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
261#ifdef INET6
262static struct block *gen_portatom6(int, bpf_int32);
263static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
264#endif
265struct block *gen_portop(int, int, int);
266static struct block *gen_port(int, int, int);
267struct block *gen_portrangeop(int, int, int, int);
268static struct block *gen_portrange(int, int, int, int);
269#ifdef INET6
270struct block *gen_portop6(int, int, int);
271static struct block *gen_port6(int, int, int);
272struct block *gen_portrangeop6(int, int, int, int);
273static struct block *gen_portrange6(int, int, int, int);
274#endif
275static int lookup_proto(const char *, int);
276static struct block *gen_protochain(int, int, int);
277static struct block *gen_proto(int, int, int);
278static struct slist *xfer_to_x(struct arth *);
279static struct slist *xfer_to_a(struct arth *);
280static struct block *gen_mac_multicast(int);
281static struct block *gen_len(int, int);
282static struct block *gen_check_802_11_data_frame(void);
283
284static struct block *gen_ppi_dlt_check(void);
285static struct block *gen_msg_abbrev(int type);
286
287static void *
288newchunk(n)
289 u_int n;
290{
291 struct chunk *cp;
292 int k;
293 size_t size;
294
295#ifndef __NetBSD__
296 /* XXX Round up to nearest long. */
297 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
298#else
299 /* XXX Round up to structure boundary. */
300 n = ALIGN(n);
301#endif
302
303 cp = &chunks[cur_chunk];
304 if (n > cp->n_left) {
305 ++cp, k = ++cur_chunk;
306 if (k >= NCHUNKS)
307 bpf_error("out of memory");
308 size = CHUNK0SIZE << k;
309 cp->m = (void *)malloc(size);
310 if (cp->m == NULL)
311 bpf_error("out of memory");
312 memset((char *)cp->m, 0, size);
313 cp->n_left = size;
314 if (n > size)
315 bpf_error("out of memory");
316 }
317 cp->n_left -= n;
318 return (void *)((char *)cp->m + cp->n_left);
319}
320
321static void
322freechunks()
323{
324 int i;
325
326 cur_chunk = 0;
327 for (i = 0; i < NCHUNKS; ++i)
328 if (chunks[i].m != NULL) {
329 free(chunks[i].m);
330 chunks[i].m = NULL;
331 }
332}
333
334/*
335 * A strdup whose allocations are freed after code generation is over.
336 */
337char *
338sdup(s)
339 register const char *s;
340{
341 int n = strlen(s) + 1;
342 char *cp = newchunk(n);
343
344 strlcpy(cp, s, n);
345 return (cp);
346}
347
348static inline struct block *
349new_block(code)
350 int code;
351{
352 struct block *p;
353
354 p = (struct block *)newchunk(sizeof(*p));
355 p->s.code = code;
356 p->head = p;
357
358 return p;
359}
360
361static inline struct slist *
362new_stmt(code)
363 int code;
364{
365 struct slist *p;
366
367 p = (struct slist *)newchunk(sizeof(*p));
368 p->s.code = code;
369
370 return p;
371}
372
373static struct block *
374gen_retblk(v)
375 int v;
376{
377 struct block *b = new_block(BPF_RET|BPF_K);
378
379 b->s.k = v;
380 return b;
381}
382
383static inline void
384syntax()
385{
386 bpf_error("syntax error in filter expression");
387}
388
389static bpf_u_int32 netmask;
390static int snaplen;
391int no_optimize;
392#ifdef WIN32
393static int
394pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
395 const char *buf, int optimize, bpf_u_int32 mask);
396
397int
398pcap_compile(pcap_t *p, struct bpf_program *program,
399 const char *buf, int optimize, bpf_u_int32 mask)
400{
401 int result;
402
403 EnterCriticalSection(&g_PcapCompileCriticalSection);
404
405 result = pcap_compile_unsafe(p, program, buf, optimize, mask);
406
407 LeaveCriticalSection(&g_PcapCompileCriticalSection);
408
409 return result;
410}
411
412static int
413pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
414 const char *buf, int optimize, bpf_u_int32 mask)
415#else /* WIN32 */
416int
417pcap_compile(pcap_t *p, struct bpf_program *program,
418 const char *buf, int optimize, bpf_u_int32 mask)
419#endif /* WIN32 */
420{
421 extern int n_errors;
422 const char * volatile xbuf = buf;
| 94#ifdef HAVE_NET_PFVAR_H
95#include <sys/socket.h>
96#include <net/if.h>
97#include <net/pfvar.h>
98#include <net/if_pflog.h>
99#endif
100#ifndef offsetof
101#define offsetof(s, e) ((size_t)&((s *)0)->e)
102#endif
103#ifdef INET6
104#ifndef WIN32
105#include <netdb.h> /* for "struct addrinfo" */
106#endif /* WIN32 */
107#endif /*INET6*/
108#include <pcap/namedb.h>
109
110#define ETHERMTU 1500
111
112#ifndef IPPROTO_SCTP
113#define IPPROTO_SCTP 132
114#endif
115
116#ifdef HAVE_OS_PROTO_H
117#include "os-proto.h"
118#endif
119
120#define JMP(c) ((c)|BPF_JMP|BPF_K)
121
122/* Locals */
123static jmp_buf top_ctx;
124static pcap_t *bpf_pcap;
125
126/* Hack for updating VLAN, MPLS, and PPPoE offsets. */
127#ifdef WIN32
128static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
129#else
130static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
131#endif
132
133/* XXX */
134#ifdef PCAP_FDDIPAD
135static int pcap_fddipad;
136#endif
137
138/* VARARGS */
139void
140bpf_error(const char *fmt, ...)
141{
142 va_list ap;
143
144 va_start(ap, fmt);
145 if (bpf_pcap != NULL)
146 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
147 fmt, ap);
148 va_end(ap);
149 longjmp(top_ctx, 1);
150 /* NOTREACHED */
151}
152
153static void init_linktype(pcap_t *);
154
155static void init_regs(void);
156static int alloc_reg(void);
157static void free_reg(int);
158
159static struct block *root;
160
161/*
162 * Value passed to gen_load_a() to indicate what the offset argument
163 * is relative to.
164 */
165enum e_offrel {
166 OR_PACKET, /* relative to the beginning of the packet */
167 OR_LINK, /* relative to the beginning of the link-layer header */
168 OR_MACPL, /* relative to the end of the MAC-layer header */
169 OR_NET, /* relative to the network-layer header */
170 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
171 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
172 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
173};
174
175#ifdef INET6
176/*
177 * As errors are handled by a longjmp, anything allocated must be freed
178 * in the longjmp handler, so it must be reachable from that handler.
179 * One thing that's allocated is the result of pcap_nametoaddrinfo();
180 * it must be freed with freeaddrinfo(). This variable points to any
181 * addrinfo structure that would need to be freed.
182 */
183static struct addrinfo *ai;
184#endif
185
186/*
187 * We divy out chunks of memory rather than call malloc each time so
188 * we don't have to worry about leaking memory. It's probably
189 * not a big deal if all this memory was wasted but if this ever
190 * goes into a library that would probably not be a good idea.
191 *
192 * XXX - this *is* in a library....
193 */
194#define NCHUNKS 16
195#define CHUNK0SIZE 1024
196struct chunk {
197 u_int n_left;
198 void *m;
199};
200
201static struct chunk chunks[NCHUNKS];
202static int cur_chunk;
203
204static void *newchunk(u_int);
205static void freechunks(void);
206static inline struct block *new_block(int);
207static inline struct slist *new_stmt(int);
208static struct block *gen_retblk(int);
209static inline void syntax(void);
210
211static void backpatch(struct block *, struct block *);
212static void merge(struct block *, struct block *);
213static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
214static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
215static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
216static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
217static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
218static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
219 bpf_u_int32);
220static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
221static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
222 bpf_u_int32, bpf_u_int32, int, bpf_int32);
223static struct slist *gen_load_llrel(u_int, u_int);
224static struct slist *gen_load_macplrel(u_int, u_int);
225static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
226static struct slist *gen_loadx_iphdrlen(void);
227static struct block *gen_uncond(int);
228static inline struct block *gen_true(void);
229static inline struct block *gen_false(void);
230static struct block *gen_ether_linktype(int);
231static struct block *gen_ipnet_linktype(int);
232static struct block *gen_linux_sll_linktype(int);
233static struct slist *gen_load_prism_llprefixlen(void);
234static struct slist *gen_load_avs_llprefixlen(void);
235static struct slist *gen_load_radiotap_llprefixlen(void);
236static struct slist *gen_load_ppi_llprefixlen(void);
237static void insert_compute_vloffsets(struct block *);
238static struct slist *gen_llprefixlen(void);
239static struct slist *gen_off_macpl(void);
240static int ethertype_to_ppptype(int);
241static struct block *gen_linktype(int);
242static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
243static struct block *gen_llc_linktype(int);
244static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
245#ifdef INET6
246static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
247#endif
248static struct block *gen_ahostop(const u_char *, int);
249static struct block *gen_ehostop(const u_char *, int);
250static struct block *gen_fhostop(const u_char *, int);
251static struct block *gen_thostop(const u_char *, int);
252static struct block *gen_wlanhostop(const u_char *, int);
253static struct block *gen_ipfchostop(const u_char *, int);
254static struct block *gen_dnhostop(bpf_u_int32, int);
255static struct block *gen_mpls_linktype(int);
256static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
257#ifdef INET6
258static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
259#endif
260#ifndef INET6
261static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
262#endif
263static struct block *gen_ipfrag(void);
264static struct block *gen_portatom(int, bpf_int32);
265static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
266#ifdef INET6
267static struct block *gen_portatom6(int, bpf_int32);
268static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
269#endif
270struct block *gen_portop(int, int, int);
271static struct block *gen_port(int, int, int);
272struct block *gen_portrangeop(int, int, int, int);
273static struct block *gen_portrange(int, int, int, int);
274#ifdef INET6
275struct block *gen_portop6(int, int, int);
276static struct block *gen_port6(int, int, int);
277struct block *gen_portrangeop6(int, int, int, int);
278static struct block *gen_portrange6(int, int, int, int);
279#endif
280static int lookup_proto(const char *, int);
281static struct block *gen_protochain(int, int, int);
282static struct block *gen_proto(int, int, int);
283static struct slist *xfer_to_x(struct arth *);
284static struct slist *xfer_to_a(struct arth *);
285static struct block *gen_mac_multicast(int);
286static struct block *gen_len(int, int);
287static struct block *gen_check_802_11_data_frame(void);
288
289static struct block *gen_ppi_dlt_check(void);
290static struct block *gen_msg_abbrev(int type);
291
292static void *
293newchunk(n)
294 u_int n;
295{
296 struct chunk *cp;
297 int k;
298 size_t size;
299
300#ifndef __NetBSD__
301 /* XXX Round up to nearest long. */
302 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
303#else
304 /* XXX Round up to structure boundary. */
305 n = ALIGN(n);
306#endif
307
308 cp = &chunks[cur_chunk];
309 if (n > cp->n_left) {
310 ++cp, k = ++cur_chunk;
311 if (k >= NCHUNKS)
312 bpf_error("out of memory");
313 size = CHUNK0SIZE << k;
314 cp->m = (void *)malloc(size);
315 if (cp->m == NULL)
316 bpf_error("out of memory");
317 memset((char *)cp->m, 0, size);
318 cp->n_left = size;
319 if (n > size)
320 bpf_error("out of memory");
321 }
322 cp->n_left -= n;
323 return (void *)((char *)cp->m + cp->n_left);
324}
325
326static void
327freechunks()
328{
329 int i;
330
331 cur_chunk = 0;
332 for (i = 0; i < NCHUNKS; ++i)
333 if (chunks[i].m != NULL) {
334 free(chunks[i].m);
335 chunks[i].m = NULL;
336 }
337}
338
339/*
340 * A strdup whose allocations are freed after code generation is over.
341 */
342char *
343sdup(s)
344 register const char *s;
345{
346 int n = strlen(s) + 1;
347 char *cp = newchunk(n);
348
349 strlcpy(cp, s, n);
350 return (cp);
351}
352
353static inline struct block *
354new_block(code)
355 int code;
356{
357 struct block *p;
358
359 p = (struct block *)newchunk(sizeof(*p));
360 p->s.code = code;
361 p->head = p;
362
363 return p;
364}
365
366static inline struct slist *
367new_stmt(code)
368 int code;
369{
370 struct slist *p;
371
372 p = (struct slist *)newchunk(sizeof(*p));
373 p->s.code = code;
374
375 return p;
376}
377
378static struct block *
379gen_retblk(v)
380 int v;
381{
382 struct block *b = new_block(BPF_RET|BPF_K);
383
384 b->s.k = v;
385 return b;
386}
387
388static inline void
389syntax()
390{
391 bpf_error("syntax error in filter expression");
392}
393
394static bpf_u_int32 netmask;
395static int snaplen;
396int no_optimize;
397#ifdef WIN32
398static int
399pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
400 const char *buf, int optimize, bpf_u_int32 mask);
401
402int
403pcap_compile(pcap_t *p, struct bpf_program *program,
404 const char *buf, int optimize, bpf_u_int32 mask)
405{
406 int result;
407
408 EnterCriticalSection(&g_PcapCompileCriticalSection);
409
410 result = pcap_compile_unsafe(p, program, buf, optimize, mask);
411
412 LeaveCriticalSection(&g_PcapCompileCriticalSection);
413
414 return result;
415}
416
417static int
418pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
419 const char *buf, int optimize, bpf_u_int32 mask)
420#else /* WIN32 */
421int
422pcap_compile(pcap_t *p, struct bpf_program *program,
423 const char *buf, int optimize, bpf_u_int32 mask)
424#endif /* WIN32 */
425{
426 extern int n_errors;
427 const char * volatile xbuf = buf;
|
423 int len;
| 428 u_int len;
|
424
425 no_optimize = 0;
426 n_errors = 0;
427 root = NULL;
428 bpf_pcap = p;
429 init_regs();
430 if (setjmp(top_ctx)) {
431#ifdef INET6
432 if (ai != NULL) {
433 freeaddrinfo(ai);
434 ai = NULL;
435 }
436#endif
437 lex_cleanup();
438 freechunks();
439 return (-1);
440 }
441
442 netmask = mask;
443
444 snaplen = pcap_snapshot(p);
445 if (snaplen == 0) {
446 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
447 "snaplen of 0 rejects all packets");
448 return -1;
449 }
450
451 lex_init(xbuf ? xbuf : "");
452 init_linktype(p);
453 (void)pcap_parse();
454
455 if (n_errors)
456 syntax();
457
458 if (root == NULL)
459 root = gen_retblk(snaplen);
460
461 if (optimize && !no_optimize) {
462 bpf_optimize(&root);
463 if (root == NULL ||
464 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
465 bpf_error("expression rejects all packets");
466 }
467 program->bf_insns = icode_to_fcode(root, &len);
468 program->bf_len = len;
469
470 lex_cleanup();
471 freechunks();
472 return (0);
473}
474
475/*
476 * entry point for using the compiler with no pcap open
477 * pass in all the stuff that is needed explicitly instead.
478 */
479int
480pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
481 struct bpf_program *program,
482 const char *buf, int optimize, bpf_u_int32 mask)
483{
484 pcap_t *p;
485 int ret;
486
487 p = pcap_open_dead(linktype_arg, snaplen_arg);
488 if (p == NULL)
489 return (-1);
490 ret = pcap_compile(p, program, buf, optimize, mask);
491 pcap_close(p);
492 return (ret);
493}
494
495/*
496 * Clean up a "struct bpf_program" by freeing all the memory allocated
497 * in it.
498 */
499void
500pcap_freecode(struct bpf_program *program)
501{
502 program->bf_len = 0;
503 if (program->bf_insns != NULL) {
504 free((char *)program->bf_insns);
505 program->bf_insns = NULL;
506 }
507}
508
509/*
510 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
511 * which of the jt and jf fields has been resolved and which is a pointer
512 * back to another unresolved block (or nil). At least one of the fields
513 * in each block is already resolved.
514 */
515static void
516backpatch(list, target)
517 struct block *list, *target;
518{
519 struct block *next;
520
521 while (list) {
522 if (!list->sense) {
523 next = JT(list);
524 JT(list) = target;
525 } else {
526 next = JF(list);
527 JF(list) = target;
528 }
529 list = next;
530 }
531}
532
533/*
534 * Merge the lists in b0 and b1, using the 'sense' field to indicate
535 * which of jt and jf is the link.
536 */
537static void
538merge(b0, b1)
539 struct block *b0, *b1;
540{
541 register struct block **p = &b0;
542
543 /* Find end of list. */
544 while (*p)
545 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
546
547 /* Concatenate the lists. */
548 *p = b1;
549}
550
551void
552finish_parse(p)
553 struct block *p;
554{
555 struct block *ppi_dlt_check;
556
557 /*
558 * Insert before the statements of the first (root) block any
559 * statements needed to load the lengths of any variable-length
560 * headers into registers.
561 *
562 * XXX - a fancier strategy would be to insert those before the
563 * statements of all blocks that use those lengths and that
564 * have no predecessors that use them, so that we only compute
565 * the lengths if we need them. There might be even better
566 * approaches than that.
567 *
568 * However, those strategies would be more complicated, and
569 * as we don't generate code to compute a length if the
570 * program has no tests that use the length, and as most
571 * tests will probably use those lengths, we would just
572 * postpone computing the lengths so that it's not done
573 * for tests that fail early, and it's not clear that's
574 * worth the effort.
575 */
576 insert_compute_vloffsets(p->head);
577
578 /*
579 * For DLT_PPI captures, generate a check of the per-packet
580 * DLT value to make sure it's DLT_IEEE802_11.
581 */
582 ppi_dlt_check = gen_ppi_dlt_check();
583 if (ppi_dlt_check != NULL)
584 gen_and(ppi_dlt_check, p);
585
586 backpatch(p, gen_retblk(snaplen));
587 p->sense = !p->sense;
588 backpatch(p, gen_retblk(0));
589 root = p->head;
590}
591
592void
593gen_and(b0, b1)
594 struct block *b0, *b1;
595{
596 backpatch(b0, b1->head);
597 b0->sense = !b0->sense;
598 b1->sense = !b1->sense;
599 merge(b1, b0);
600 b1->sense = !b1->sense;
601 b1->head = b0->head;
602}
603
604void
605gen_or(b0, b1)
606 struct block *b0, *b1;
607{
608 b0->sense = !b0->sense;
609 backpatch(b0, b1->head);
610 b0->sense = !b0->sense;
611 merge(b1, b0);
612 b1->head = b0->head;
613}
614
615void
616gen_not(b)
617 struct block *b;
618{
619 b->sense = !b->sense;
620}
621
622static struct block *
623gen_cmp(offrel, offset, size, v)
624 enum e_offrel offrel;
625 u_int offset, size;
626 bpf_int32 v;
627{
628 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
629}
630
631static struct block *
632gen_cmp_gt(offrel, offset, size, v)
633 enum e_offrel offrel;
634 u_int offset, size;
635 bpf_int32 v;
636{
637 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
638}
639
640static struct block *
641gen_cmp_ge(offrel, offset, size, v)
642 enum e_offrel offrel;
643 u_int offset, size;
644 bpf_int32 v;
645{
646 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
647}
648
649static struct block *
650gen_cmp_lt(offrel, offset, size, v)
651 enum e_offrel offrel;
652 u_int offset, size;
653 bpf_int32 v;
654{
655 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
656}
657
658static struct block *
659gen_cmp_le(offrel, offset, size, v)
660 enum e_offrel offrel;
661 u_int offset, size;
662 bpf_int32 v;
663{
664 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
665}
666
667static struct block *
668gen_mcmp(offrel, offset, size, v, mask)
669 enum e_offrel offrel;
670 u_int offset, size;
671 bpf_int32 v;
672 bpf_u_int32 mask;
673{
674 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
675}
676
677static struct block *
678gen_bcmp(offrel, offset, size, v)
679 enum e_offrel offrel;
680 register u_int offset, size;
681 register const u_char *v;
682{
683 register struct block *b, *tmp;
684
685 b = NULL;
686 while (size >= 4) {
687 register const u_char *p = &v[size - 4];
688 bpf_int32 w = ((bpf_int32)p[0] << 24) |
689 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
690
691 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
692 if (b != NULL)
693 gen_and(b, tmp);
694 b = tmp;
695 size -= 4;
696 }
697 while (size >= 2) {
698 register const u_char *p = &v[size - 2];
699 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
700
701 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
702 if (b != NULL)
703 gen_and(b, tmp);
704 b = tmp;
705 size -= 2;
706 }
707 if (size > 0) {
708 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
709 if (b != NULL)
710 gen_and(b, tmp);
711 b = tmp;
712 }
713 return b;
714}
715
716/*
717 * AND the field of size "size" at offset "offset" relative to the header
718 * specified by "offrel" with "mask", and compare it with the value "v"
719 * with the test specified by "jtype"; if "reverse" is true, the test
720 * should test the opposite of "jtype".
721 */
722static struct block *
723gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
724 enum e_offrel offrel;
725 bpf_int32 v;
726 bpf_u_int32 offset, size, mask, jtype;
727 int reverse;
728{
729 struct slist *s, *s2;
730 struct block *b;
731
732 s = gen_load_a(offrel, offset, size);
733
734 if (mask != 0xffffffff) {
735 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
736 s2->s.k = mask;
737 sappend(s, s2);
738 }
739
740 b = new_block(JMP(jtype));
741 b->stmts = s;
742 b->s.k = v;
743 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
744 gen_not(b);
745 return b;
746}
747
748/*
749 * Various code constructs need to know the layout of the data link
750 * layer. These variables give the necessary offsets from the beginning
751 * of the packet data.
752 */
753
754/*
755 * This is the offset of the beginning of the link-layer header from
756 * the beginning of the raw packet data.
757 *
758 * It's usually 0, except for 802.11 with a fixed-length radio header.
759 * (For 802.11 with a variable-length radio header, we have to generate
760 * code to compute that offset; off_ll is 0 in that case.)
761 */
762static u_int off_ll;
763
764/*
765 * If there's a variable-length header preceding the link-layer header,
766 * "reg_off_ll" is the register number for a register containing the
767 * length of that header, and therefore the offset of the link-layer
768 * header from the beginning of the raw packet data. Otherwise,
769 * "reg_off_ll" is -1.
770 */
771static int reg_off_ll;
772
773/*
774 * This is the offset of the beginning of the MAC-layer header from
775 * the beginning of the link-layer header.
776 * It's usually 0, except for ATM LANE, where it's the offset, relative
777 * to the beginning of the raw packet data, of the Ethernet header, and
778 * for Ethernet with various additional information.
779 */
780static u_int off_mac;
781
782/*
783 * This is the offset of the beginning of the MAC-layer payload,
784 * from the beginning of the raw packet data.
785 *
786 * I.e., it's the sum of the length of the link-layer header (without,
787 * for example, any 802.2 LLC header, so it's the MAC-layer
788 * portion of that header), plus any prefix preceding the
789 * link-layer header.
790 */
791static u_int off_macpl;
792
793/*
794 * This is 1 if the offset of the beginning of the MAC-layer payload
795 * from the beginning of the link-layer header is variable-length.
796 */
797static int off_macpl_is_variable;
798
799/*
800 * If the link layer has variable_length headers, "reg_off_macpl"
801 * is the register number for a register containing the length of the
802 * link-layer header plus the length of any variable-length header
803 * preceding the link-layer header. Otherwise, "reg_off_macpl"
804 * is -1.
805 */
806static int reg_off_macpl;
807
808/*
809 * "off_linktype" is the offset to information in the link-layer header
810 * giving the packet type. This offset is relative to the beginning
811 * of the link-layer header (i.e., it doesn't include off_ll).
812 *
813 * For Ethernet, it's the offset of the Ethernet type field.
814 *
815 * For link-layer types that always use 802.2 headers, it's the
816 * offset of the LLC header.
817 *
818 * For PPP, it's the offset of the PPP type field.
819 *
820 * For Cisco HDLC, it's the offset of the CHDLC type field.
821 *
822 * For BSD loopback, it's the offset of the AF_ value.
823 *
824 * For Linux cooked sockets, it's the offset of the type field.
825 *
826 * It's set to -1 for no encapsulation, in which case, IP is assumed.
827 */
828static u_int off_linktype;
829
830/*
831 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
832 * checks to check the PPP header, assumed to follow a LAN-style link-
833 * layer header and a PPPoE session header.
834 */
835static int is_pppoes = 0;
836
837/*
838 * TRUE if the link layer includes an ATM pseudo-header.
839 */
840static int is_atm = 0;
841
842/*
843 * TRUE if "lane" appeared in the filter; it causes us to generate
844 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
845 */
846static int is_lane = 0;
847
848/*
849 * These are offsets for the ATM pseudo-header.
850 */
851static u_int off_vpi;
852static u_int off_vci;
853static u_int off_proto;
854
855/*
856 * These are offsets for the MTP2 fields.
857 */
858static u_int off_li;
859
860/*
861 * These are offsets for the MTP3 fields.
862 */
863static u_int off_sio;
864static u_int off_opc;
865static u_int off_dpc;
866static u_int off_sls;
867
868/*
869 * This is the offset of the first byte after the ATM pseudo_header,
870 * or -1 if there is no ATM pseudo-header.
871 */
872static u_int off_payload;
873
874/*
875 * These are offsets to the beginning of the network-layer header.
876 * They are relative to the beginning of the MAC-layer payload (i.e.,
877 * they don't include off_ll or off_macpl).
878 *
879 * If the link layer never uses 802.2 LLC:
880 *
881 * "off_nl" and "off_nl_nosnap" are the same.
882 *
883 * If the link layer always uses 802.2 LLC:
884 *
885 * "off_nl" is the offset if there's a SNAP header following
886 * the 802.2 header;
887 *
888 * "off_nl_nosnap" is the offset if there's no SNAP header.
889 *
890 * If the link layer is Ethernet:
891 *
892 * "off_nl" is the offset if the packet is an Ethernet II packet
893 * (we assume no 802.3+802.2+SNAP);
894 *
895 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
896 * with an 802.2 header following it.
897 */
898static u_int off_nl;
899static u_int off_nl_nosnap;
900
901static int linktype;
902
903static void
904init_linktype(p)
905 pcap_t *p;
906{
907 linktype = pcap_datalink(p);
908#ifdef PCAP_FDDIPAD
909 pcap_fddipad = p->fddipad;
910#endif
911
912 /*
913 * Assume it's not raw ATM with a pseudo-header, for now.
914 */
915 off_mac = 0;
916 is_atm = 0;
917 is_lane = 0;
918 off_vpi = -1;
919 off_vci = -1;
920 off_proto = -1;
921 off_payload = -1;
922
923 /*
924 * And that we're not doing PPPoE.
925 */
926 is_pppoes = 0;
927
928 /*
929 * And assume we're not doing SS7.
930 */
931 off_li = -1;
932 off_sio = -1;
933 off_opc = -1;
934 off_dpc = -1;
935 off_sls = -1;
936
937 /*
938 * Also assume it's not 802.11.
939 */
940 off_ll = 0;
941 off_macpl = 0;
942 off_macpl_is_variable = 0;
943
944 orig_linktype = -1;
945 orig_nl = -1;
946 label_stack_depth = 0;
947
948 reg_off_ll = -1;
949 reg_off_macpl = -1;
950
951 switch (linktype) {
952
953 case DLT_ARCNET:
954 off_linktype = 2;
955 off_macpl = 6;
956 off_nl = 0; /* XXX in reality, variable! */
957 off_nl_nosnap = 0; /* no 802.2 LLC */
958 return;
959
960 case DLT_ARCNET_LINUX:
961 off_linktype = 4;
962 off_macpl = 8;
963 off_nl = 0; /* XXX in reality, variable! */
964 off_nl_nosnap = 0; /* no 802.2 LLC */
965 return;
966
967 case DLT_EN10MB:
968 off_linktype = 12;
969 off_macpl = 14; /* Ethernet header length */
970 off_nl = 0; /* Ethernet II */
971 off_nl_nosnap = 3; /* 802.3+802.2 */
972 return;
973
974 case DLT_SLIP:
975 /*
976 * SLIP doesn't have a link level type. The 16 byte
977 * header is hacked into our SLIP driver.
978 */
979 off_linktype = -1;
980 off_macpl = 16;
981 off_nl = 0;
982 off_nl_nosnap = 0; /* no 802.2 LLC */
983 return;
984
985 case DLT_SLIP_BSDOS:
986 /* XXX this may be the same as the DLT_PPP_BSDOS case */
987 off_linktype = -1;
988 /* XXX end */
989 off_macpl = 24;
990 off_nl = 0;
991 off_nl_nosnap = 0; /* no 802.2 LLC */
992 return;
993
994 case DLT_NULL:
995 case DLT_LOOP:
996 off_linktype = 0;
997 off_macpl = 4;
998 off_nl = 0;
999 off_nl_nosnap = 0; /* no 802.2 LLC */
1000 return;
1001
1002 case DLT_ENC:
1003 off_linktype = 0;
1004 off_macpl = 12;
1005 off_nl = 0;
1006 off_nl_nosnap = 0; /* no 802.2 LLC */
1007 return;
1008
1009 case DLT_PPP:
1010 case DLT_PPP_PPPD:
1011 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1012 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1013 off_linktype = 2;
1014 off_macpl = 4;
1015 off_nl = 0;
1016 off_nl_nosnap = 0; /* no 802.2 LLC */
1017 return;
1018
1019 case DLT_PPP_ETHER:
1020 /*
1021 * This does no include the Ethernet header, and
1022 * only covers session state.
1023 */
1024 off_linktype = 6;
1025 off_macpl = 8;
1026 off_nl = 0;
1027 off_nl_nosnap = 0; /* no 802.2 LLC */
1028 return;
1029
1030 case DLT_PPP_BSDOS:
1031 off_linktype = 5;
1032 off_macpl = 24;
1033 off_nl = 0;
1034 off_nl_nosnap = 0; /* no 802.2 LLC */
1035 return;
1036
1037 case DLT_FDDI:
1038 /*
1039 * FDDI doesn't really have a link-level type field.
1040 * We set "off_linktype" to the offset of the LLC header.
1041 *
1042 * To check for Ethernet types, we assume that SSAP = SNAP
1043 * is being used and pick out the encapsulated Ethernet type.
1044 * XXX - should we generate code to check for SNAP?
1045 */
1046 off_linktype = 13;
1047#ifdef PCAP_FDDIPAD
1048 off_linktype += pcap_fddipad;
1049#endif
1050 off_macpl = 13; /* FDDI MAC header length */
1051#ifdef PCAP_FDDIPAD
1052 off_macpl += pcap_fddipad;
1053#endif
1054 off_nl = 8; /* 802.2+SNAP */
1055 off_nl_nosnap = 3; /* 802.2 */
1056 return;
1057
1058 case DLT_IEEE802:
1059 /*
1060 * Token Ring doesn't really have a link-level type field.
1061 * We set "off_linktype" to the offset of the LLC header.
1062 *
1063 * To check for Ethernet types, we assume that SSAP = SNAP
1064 * is being used and pick out the encapsulated Ethernet type.
1065 * XXX - should we generate code to check for SNAP?
1066 *
1067 * XXX - the header is actually variable-length.
1068 * Some various Linux patched versions gave 38
1069 * as "off_linktype" and 40 as "off_nl"; however,
1070 * if a token ring packet has *no* routing
1071 * information, i.e. is not source-routed, the correct
1072 * values are 20 and 22, as they are in the vanilla code.
1073 *
1074 * A packet is source-routed iff the uppermost bit
1075 * of the first byte of the source address, at an
1076 * offset of 8, has the uppermost bit set. If the
1077 * packet is source-routed, the total number of bytes
1078 * of routing information is 2 plus bits 0x1F00 of
1079 * the 16-bit value at an offset of 14 (shifted right
1080 * 8 - figure out which byte that is).
1081 */
1082 off_linktype = 14;
1083 off_macpl = 14; /* Token Ring MAC header length */
1084 off_nl = 8; /* 802.2+SNAP */
1085 off_nl_nosnap = 3; /* 802.2 */
1086 return;
1087
1088 case DLT_IEEE802_11:
1089 case DLT_PRISM_HEADER:
1090 case DLT_IEEE802_11_RADIO_AVS:
1091 case DLT_IEEE802_11_RADIO:
1092 /*
1093 * 802.11 doesn't really have a link-level type field.
1094 * We set "off_linktype" to the offset of the LLC header.
1095 *
1096 * To check for Ethernet types, we assume that SSAP = SNAP
1097 * is being used and pick out the encapsulated Ethernet type.
1098 * XXX - should we generate code to check for SNAP?
1099 *
1100 * We also handle variable-length radio headers here.
1101 * The Prism header is in theory variable-length, but in
1102 * practice it's always 144 bytes long. However, some
1103 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1104 * sometimes or always supply an AVS header, so we
1105 * have to check whether the radio header is a Prism
1106 * header or an AVS header, so, in practice, it's
1107 * variable-length.
1108 */
1109 off_linktype = 24;
1110 off_macpl = 0; /* link-layer header is variable-length */
1111 off_macpl_is_variable = 1;
1112 off_nl = 8; /* 802.2+SNAP */
1113 off_nl_nosnap = 3; /* 802.2 */
1114 return;
1115
1116 case DLT_PPI:
1117 /*
1118 * At the moment we treat PPI the same way that we treat
1119 * normal Radiotap encoded packets. The difference is in
1120 * the function that generates the code at the beginning
1121 * to compute the header length. Since this code generator
1122 * of PPI supports bare 802.11 encapsulation only (i.e.
1123 * the encapsulated DLT should be DLT_IEEE802_11) we
1124 * generate code to check for this too.
1125 */
1126 off_linktype = 24;
1127 off_macpl = 0; /* link-layer header is variable-length */
1128 off_macpl_is_variable = 1;
1129 off_nl = 8; /* 802.2+SNAP */
1130 off_nl_nosnap = 3; /* 802.2 */
1131 return;
1132
1133 case DLT_ATM_RFC1483:
1134 case DLT_ATM_CLIP: /* Linux ATM defines this */
1135 /*
1136 * assume routed, non-ISO PDUs
1137 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1138 *
1139 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1140 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1141 * latter would presumably be treated the way PPPoE
1142 * should be, so you can do "pppoe and udp port 2049"
1143 * or "pppoa and tcp port 80" and have it check for
1144 * PPPo{A,E} and a PPP protocol of IP and....
1145 */
1146 off_linktype = 0;
1147 off_macpl = 0; /* packet begins with LLC header */
1148 off_nl = 8; /* 802.2+SNAP */
1149 off_nl_nosnap = 3; /* 802.2 */
1150 return;
1151
1152 case DLT_SUNATM:
1153 /*
1154 * Full Frontal ATM; you get AALn PDUs with an ATM
1155 * pseudo-header.
1156 */
1157 is_atm = 1;
1158 off_vpi = SUNATM_VPI_POS;
1159 off_vci = SUNATM_VCI_POS;
1160 off_proto = PROTO_POS;
1161 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1162 off_payload = SUNATM_PKT_BEGIN_POS;
1163 off_linktype = off_payload;
1164 off_macpl = off_payload; /* if LLC-encapsulated */
1165 off_nl = 8; /* 802.2+SNAP */
1166 off_nl_nosnap = 3; /* 802.2 */
1167 return;
1168
1169 case DLT_RAW:
1170 case DLT_IPV4:
1171 case DLT_IPV6:
1172 off_linktype = -1;
1173 off_macpl = 0;
1174 off_nl = 0;
1175 off_nl_nosnap = 0; /* no 802.2 LLC */
1176 return;
1177
1178 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1179 off_linktype = 14;
1180 off_macpl = 16;
1181 off_nl = 0;
1182 off_nl_nosnap = 0; /* no 802.2 LLC */
1183 return;
1184
1185 case DLT_LTALK:
1186 /*
1187 * LocalTalk does have a 1-byte type field in the LLAP header,
1188 * but really it just indicates whether there is a "short" or
1189 * "long" DDP packet following.
1190 */
1191 off_linktype = -1;
1192 off_macpl = 0;
1193 off_nl = 0;
1194 off_nl_nosnap = 0; /* no 802.2 LLC */
1195 return;
1196
1197 case DLT_IP_OVER_FC:
1198 /*
1199 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1200 * link-level type field. We set "off_linktype" to the
1201 * offset of the LLC header.
1202 *
1203 * To check for Ethernet types, we assume that SSAP = SNAP
1204 * is being used and pick out the encapsulated Ethernet type.
1205 * XXX - should we generate code to check for SNAP? RFC
1206 * 2625 says SNAP should be used.
1207 */
1208 off_linktype = 16;
1209 off_macpl = 16;
1210 off_nl = 8; /* 802.2+SNAP */
1211 off_nl_nosnap = 3; /* 802.2 */
1212 return;
1213
1214 case DLT_FRELAY:
1215 /*
1216 * XXX - we should set this to handle SNAP-encapsulated
1217 * frames (NLPID of 0x80).
1218 */
1219 off_linktype = -1;
1220 off_macpl = 0;
1221 off_nl = 0;
1222 off_nl_nosnap = 0; /* no 802.2 LLC */
1223 return;
1224
1225 /*
1226 * the only BPF-interesting FRF.16 frames are non-control frames;
1227 * Frame Relay has a variable length link-layer
1228 * so lets start with offset 4 for now and increments later on (FIXME);
1229 */
1230 case DLT_MFR:
1231 off_linktype = -1;
1232 off_macpl = 0;
1233 off_nl = 4;
1234 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1235 return;
1236
1237 case DLT_APPLE_IP_OVER_IEEE1394:
1238 off_linktype = 16;
1239 off_macpl = 18;
1240 off_nl = 0;
1241 off_nl_nosnap = 0; /* no 802.2 LLC */
1242 return;
1243
1244 case DLT_SYMANTEC_FIREWALL:
1245 off_linktype = 6;
1246 off_macpl = 44;
1247 off_nl = 0; /* Ethernet II */
1248 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1249 return;
1250
1251#ifdef HAVE_NET_PFVAR_H
1252 case DLT_PFLOG:
1253 off_linktype = 0;
1254 off_macpl = PFLOG_HDRLEN;
1255 off_nl = 0;
1256 off_nl_nosnap = 0; /* no 802.2 LLC */
1257 return;
1258#endif
1259
1260 case DLT_JUNIPER_MFR:
1261 case DLT_JUNIPER_MLFR:
1262 case DLT_JUNIPER_MLPPP:
1263 case DLT_JUNIPER_PPP:
1264 case DLT_JUNIPER_CHDLC:
1265 case DLT_JUNIPER_FRELAY:
1266 off_linktype = 4;
1267 off_macpl = 4;
1268 off_nl = 0;
1269 off_nl_nosnap = -1; /* no 802.2 LLC */
1270 return;
1271
1272 case DLT_JUNIPER_ATM1:
1273 off_linktype = 4; /* in reality variable between 4-8 */
1274 off_macpl = 4; /* in reality variable between 4-8 */
1275 off_nl = 0;
1276 off_nl_nosnap = 10;
1277 return;
1278
1279 case DLT_JUNIPER_ATM2:
1280 off_linktype = 8; /* in reality variable between 8-12 */
1281 off_macpl = 8; /* in reality variable between 8-12 */
1282 off_nl = 0;
1283 off_nl_nosnap = 10;
1284 return;
1285
1286 /* frames captured on a Juniper PPPoE service PIC
1287 * contain raw ethernet frames */
1288 case DLT_JUNIPER_PPPOE:
1289 case DLT_JUNIPER_ETHER:
1290 off_macpl = 14;
1291 off_linktype = 16;
1292 off_nl = 18; /* Ethernet II */
1293 off_nl_nosnap = 21; /* 802.3+802.2 */
1294 return;
1295
1296 case DLT_JUNIPER_PPPOE_ATM:
1297 off_linktype = 4;
1298 off_macpl = 6;
1299 off_nl = 0;
1300 off_nl_nosnap = -1; /* no 802.2 LLC */
1301 return;
1302
1303 case DLT_JUNIPER_GGSN:
1304 off_linktype = 6;
1305 off_macpl = 12;
1306 off_nl = 0;
1307 off_nl_nosnap = -1; /* no 802.2 LLC */
1308 return;
1309
1310 case DLT_JUNIPER_ES:
1311 off_linktype = 6;
1312 off_macpl = -1; /* not really a network layer but raw IP addresses */
1313 off_nl = -1; /* not really a network layer but raw IP addresses */
1314 off_nl_nosnap = -1; /* no 802.2 LLC */
1315 return;
1316
1317 case DLT_JUNIPER_MONITOR:
1318 off_linktype = 12;
1319 off_macpl = 12;
1320 off_nl = 0; /* raw IP/IP6 header */
1321 off_nl_nosnap = -1; /* no 802.2 LLC */
1322 return;
1323
1324 case DLT_JUNIPER_SERVICES:
1325 off_linktype = 12;
1326 off_macpl = -1; /* L3 proto location dep. on cookie type */
1327 off_nl = -1; /* L3 proto location dep. on cookie type */
1328 off_nl_nosnap = -1; /* no 802.2 LLC */
1329 return;
1330
1331 case DLT_JUNIPER_VP:
1332 off_linktype = 18;
1333 off_macpl = -1;
1334 off_nl = -1;
1335 off_nl_nosnap = -1;
1336 return;
1337
1338 case DLT_JUNIPER_ST:
1339 off_linktype = 18;
1340 off_macpl = -1;
1341 off_nl = -1;
1342 off_nl_nosnap = -1;
1343 return;
1344
1345 case DLT_JUNIPER_ISM:
1346 off_linktype = 8;
1347 off_macpl = -1;
1348 off_nl = -1;
1349 off_nl_nosnap = -1;
1350 return;
1351
1352 case DLT_JUNIPER_VS:
1353 case DLT_JUNIPER_SRX_E2E:
1354 case DLT_JUNIPER_FIBRECHANNEL:
1355 case DLT_JUNIPER_ATM_CEMIC:
1356 off_linktype = 8;
1357 off_macpl = -1;
1358 off_nl = -1;
1359 off_nl_nosnap = -1;
1360 return;
1361
1362 case DLT_MTP2:
1363 off_li = 2;
1364 off_sio = 3;
1365 off_opc = 4;
1366 off_dpc = 4;
1367 off_sls = 7;
1368 off_linktype = -1;
1369 off_macpl = -1;
1370 off_nl = -1;
1371 off_nl_nosnap = -1;
1372 return;
1373
1374 case DLT_MTP2_WITH_PHDR:
1375 off_li = 6;
1376 off_sio = 7;
1377 off_opc = 8;
1378 off_dpc = 8;
1379 off_sls = 11;
1380 off_linktype = -1;
1381 off_macpl = -1;
1382 off_nl = -1;
1383 off_nl_nosnap = -1;
1384 return;
1385
1386 case DLT_ERF:
1387 off_li = 22;
1388 off_sio = 23;
1389 off_opc = 24;
1390 off_dpc = 24;
1391 off_sls = 27;
1392 off_linktype = -1;
1393 off_macpl = -1;
1394 off_nl = -1;
1395 off_nl_nosnap = -1;
1396 return;
1397
| 429
430 no_optimize = 0;
431 n_errors = 0;
432 root = NULL;
433 bpf_pcap = p;
434 init_regs();
435 if (setjmp(top_ctx)) {
436#ifdef INET6
437 if (ai != NULL) {
438 freeaddrinfo(ai);
439 ai = NULL;
440 }
441#endif
442 lex_cleanup();
443 freechunks();
444 return (-1);
445 }
446
447 netmask = mask;
448
449 snaplen = pcap_snapshot(p);
450 if (snaplen == 0) {
451 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
452 "snaplen of 0 rejects all packets");
453 return -1;
454 }
455
456 lex_init(xbuf ? xbuf : "");
457 init_linktype(p);
458 (void)pcap_parse();
459
460 if (n_errors)
461 syntax();
462
463 if (root == NULL)
464 root = gen_retblk(snaplen);
465
466 if (optimize && !no_optimize) {
467 bpf_optimize(&root);
468 if (root == NULL ||
469 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
470 bpf_error("expression rejects all packets");
471 }
472 program->bf_insns = icode_to_fcode(root, &len);
473 program->bf_len = len;
474
475 lex_cleanup();
476 freechunks();
477 return (0);
478}
479
480/*
481 * entry point for using the compiler with no pcap open
482 * pass in all the stuff that is needed explicitly instead.
483 */
484int
485pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
486 struct bpf_program *program,
487 const char *buf, int optimize, bpf_u_int32 mask)
488{
489 pcap_t *p;
490 int ret;
491
492 p = pcap_open_dead(linktype_arg, snaplen_arg);
493 if (p == NULL)
494 return (-1);
495 ret = pcap_compile(p, program, buf, optimize, mask);
496 pcap_close(p);
497 return (ret);
498}
499
500/*
501 * Clean up a "struct bpf_program" by freeing all the memory allocated
502 * in it.
503 */
504void
505pcap_freecode(struct bpf_program *program)
506{
507 program->bf_len = 0;
508 if (program->bf_insns != NULL) {
509 free((char *)program->bf_insns);
510 program->bf_insns = NULL;
511 }
512}
513
514/*
515 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
516 * which of the jt and jf fields has been resolved and which is a pointer
517 * back to another unresolved block (or nil). At least one of the fields
518 * in each block is already resolved.
519 */
520static void
521backpatch(list, target)
522 struct block *list, *target;
523{
524 struct block *next;
525
526 while (list) {
527 if (!list->sense) {
528 next = JT(list);
529 JT(list) = target;
530 } else {
531 next = JF(list);
532 JF(list) = target;
533 }
534 list = next;
535 }
536}
537
538/*
539 * Merge the lists in b0 and b1, using the 'sense' field to indicate
540 * which of jt and jf is the link.
541 */
542static void
543merge(b0, b1)
544 struct block *b0, *b1;
545{
546 register struct block **p = &b0;
547
548 /* Find end of list. */
549 while (*p)
550 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
551
552 /* Concatenate the lists. */
553 *p = b1;
554}
555
556void
557finish_parse(p)
558 struct block *p;
559{
560 struct block *ppi_dlt_check;
561
562 /*
563 * Insert before the statements of the first (root) block any
564 * statements needed to load the lengths of any variable-length
565 * headers into registers.
566 *
567 * XXX - a fancier strategy would be to insert those before the
568 * statements of all blocks that use those lengths and that
569 * have no predecessors that use them, so that we only compute
570 * the lengths if we need them. There might be even better
571 * approaches than that.
572 *
573 * However, those strategies would be more complicated, and
574 * as we don't generate code to compute a length if the
575 * program has no tests that use the length, and as most
576 * tests will probably use those lengths, we would just
577 * postpone computing the lengths so that it's not done
578 * for tests that fail early, and it's not clear that's
579 * worth the effort.
580 */
581 insert_compute_vloffsets(p->head);
582
583 /*
584 * For DLT_PPI captures, generate a check of the per-packet
585 * DLT value to make sure it's DLT_IEEE802_11.
586 */
587 ppi_dlt_check = gen_ppi_dlt_check();
588 if (ppi_dlt_check != NULL)
589 gen_and(ppi_dlt_check, p);
590
591 backpatch(p, gen_retblk(snaplen));
592 p->sense = !p->sense;
593 backpatch(p, gen_retblk(0));
594 root = p->head;
595}
596
597void
598gen_and(b0, b1)
599 struct block *b0, *b1;
600{
601 backpatch(b0, b1->head);
602 b0->sense = !b0->sense;
603 b1->sense = !b1->sense;
604 merge(b1, b0);
605 b1->sense = !b1->sense;
606 b1->head = b0->head;
607}
608
609void
610gen_or(b0, b1)
611 struct block *b0, *b1;
612{
613 b0->sense = !b0->sense;
614 backpatch(b0, b1->head);
615 b0->sense = !b0->sense;
616 merge(b1, b0);
617 b1->head = b0->head;
618}
619
620void
621gen_not(b)
622 struct block *b;
623{
624 b->sense = !b->sense;
625}
626
627static struct block *
628gen_cmp(offrel, offset, size, v)
629 enum e_offrel offrel;
630 u_int offset, size;
631 bpf_int32 v;
632{
633 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
634}
635
636static struct block *
637gen_cmp_gt(offrel, offset, size, v)
638 enum e_offrel offrel;
639 u_int offset, size;
640 bpf_int32 v;
641{
642 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
643}
644
645static struct block *
646gen_cmp_ge(offrel, offset, size, v)
647 enum e_offrel offrel;
648 u_int offset, size;
649 bpf_int32 v;
650{
651 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
652}
653
654static struct block *
655gen_cmp_lt(offrel, offset, size, v)
656 enum e_offrel offrel;
657 u_int offset, size;
658 bpf_int32 v;
659{
660 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
661}
662
663static struct block *
664gen_cmp_le(offrel, offset, size, v)
665 enum e_offrel offrel;
666 u_int offset, size;
667 bpf_int32 v;
668{
669 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
670}
671
672static struct block *
673gen_mcmp(offrel, offset, size, v, mask)
674 enum e_offrel offrel;
675 u_int offset, size;
676 bpf_int32 v;
677 bpf_u_int32 mask;
678{
679 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
680}
681
682static struct block *
683gen_bcmp(offrel, offset, size, v)
684 enum e_offrel offrel;
685 register u_int offset, size;
686 register const u_char *v;
687{
688 register struct block *b, *tmp;
689
690 b = NULL;
691 while (size >= 4) {
692 register const u_char *p = &v[size - 4];
693 bpf_int32 w = ((bpf_int32)p[0] << 24) |
694 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
695
696 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
697 if (b != NULL)
698 gen_and(b, tmp);
699 b = tmp;
700 size -= 4;
701 }
702 while (size >= 2) {
703 register const u_char *p = &v[size - 2];
704 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
705
706 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
707 if (b != NULL)
708 gen_and(b, tmp);
709 b = tmp;
710 size -= 2;
711 }
712 if (size > 0) {
713 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
714 if (b != NULL)
715 gen_and(b, tmp);
716 b = tmp;
717 }
718 return b;
719}
720
721/*
722 * AND the field of size "size" at offset "offset" relative to the header
723 * specified by "offrel" with "mask", and compare it with the value "v"
724 * with the test specified by "jtype"; if "reverse" is true, the test
725 * should test the opposite of "jtype".
726 */
727static struct block *
728gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
729 enum e_offrel offrel;
730 bpf_int32 v;
731 bpf_u_int32 offset, size, mask, jtype;
732 int reverse;
733{
734 struct slist *s, *s2;
735 struct block *b;
736
737 s = gen_load_a(offrel, offset, size);
738
739 if (mask != 0xffffffff) {
740 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
741 s2->s.k = mask;
742 sappend(s, s2);
743 }
744
745 b = new_block(JMP(jtype));
746 b->stmts = s;
747 b->s.k = v;
748 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
749 gen_not(b);
750 return b;
751}
752
753/*
754 * Various code constructs need to know the layout of the data link
755 * layer. These variables give the necessary offsets from the beginning
756 * of the packet data.
757 */
758
759/*
760 * This is the offset of the beginning of the link-layer header from
761 * the beginning of the raw packet data.
762 *
763 * It's usually 0, except for 802.11 with a fixed-length radio header.
764 * (For 802.11 with a variable-length radio header, we have to generate
765 * code to compute that offset; off_ll is 0 in that case.)
766 */
767static u_int off_ll;
768
769/*
770 * If there's a variable-length header preceding the link-layer header,
771 * "reg_off_ll" is the register number for a register containing the
772 * length of that header, and therefore the offset of the link-layer
773 * header from the beginning of the raw packet data. Otherwise,
774 * "reg_off_ll" is -1.
775 */
776static int reg_off_ll;
777
778/*
779 * This is the offset of the beginning of the MAC-layer header from
780 * the beginning of the link-layer header.
781 * It's usually 0, except for ATM LANE, where it's the offset, relative
782 * to the beginning of the raw packet data, of the Ethernet header, and
783 * for Ethernet with various additional information.
784 */
785static u_int off_mac;
786
787/*
788 * This is the offset of the beginning of the MAC-layer payload,
789 * from the beginning of the raw packet data.
790 *
791 * I.e., it's the sum of the length of the link-layer header (without,
792 * for example, any 802.2 LLC header, so it's the MAC-layer
793 * portion of that header), plus any prefix preceding the
794 * link-layer header.
795 */
796static u_int off_macpl;
797
798/*
799 * This is 1 if the offset of the beginning of the MAC-layer payload
800 * from the beginning of the link-layer header is variable-length.
801 */
802static int off_macpl_is_variable;
803
804/*
805 * If the link layer has variable_length headers, "reg_off_macpl"
806 * is the register number for a register containing the length of the
807 * link-layer header plus the length of any variable-length header
808 * preceding the link-layer header. Otherwise, "reg_off_macpl"
809 * is -1.
810 */
811static int reg_off_macpl;
812
813/*
814 * "off_linktype" is the offset to information in the link-layer header
815 * giving the packet type. This offset is relative to the beginning
816 * of the link-layer header (i.e., it doesn't include off_ll).
817 *
818 * For Ethernet, it's the offset of the Ethernet type field.
819 *
820 * For link-layer types that always use 802.2 headers, it's the
821 * offset of the LLC header.
822 *
823 * For PPP, it's the offset of the PPP type field.
824 *
825 * For Cisco HDLC, it's the offset of the CHDLC type field.
826 *
827 * For BSD loopback, it's the offset of the AF_ value.
828 *
829 * For Linux cooked sockets, it's the offset of the type field.
830 *
831 * It's set to -1 for no encapsulation, in which case, IP is assumed.
832 */
833static u_int off_linktype;
834
835/*
836 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
837 * checks to check the PPP header, assumed to follow a LAN-style link-
838 * layer header and a PPPoE session header.
839 */
840static int is_pppoes = 0;
841
842/*
843 * TRUE if the link layer includes an ATM pseudo-header.
844 */
845static int is_atm = 0;
846
847/*
848 * TRUE if "lane" appeared in the filter; it causes us to generate
849 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
850 */
851static int is_lane = 0;
852
853/*
854 * These are offsets for the ATM pseudo-header.
855 */
856static u_int off_vpi;
857static u_int off_vci;
858static u_int off_proto;
859
860/*
861 * These are offsets for the MTP2 fields.
862 */
863static u_int off_li;
864
865/*
866 * These are offsets for the MTP3 fields.
867 */
868static u_int off_sio;
869static u_int off_opc;
870static u_int off_dpc;
871static u_int off_sls;
872
873/*
874 * This is the offset of the first byte after the ATM pseudo_header,
875 * or -1 if there is no ATM pseudo-header.
876 */
877static u_int off_payload;
878
879/*
880 * These are offsets to the beginning of the network-layer header.
881 * They are relative to the beginning of the MAC-layer payload (i.e.,
882 * they don't include off_ll or off_macpl).
883 *
884 * If the link layer never uses 802.2 LLC:
885 *
886 * "off_nl" and "off_nl_nosnap" are the same.
887 *
888 * If the link layer always uses 802.2 LLC:
889 *
890 * "off_nl" is the offset if there's a SNAP header following
891 * the 802.2 header;
892 *
893 * "off_nl_nosnap" is the offset if there's no SNAP header.
894 *
895 * If the link layer is Ethernet:
896 *
897 * "off_nl" is the offset if the packet is an Ethernet II packet
898 * (we assume no 802.3+802.2+SNAP);
899 *
900 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
901 * with an 802.2 header following it.
902 */
903static u_int off_nl;
904static u_int off_nl_nosnap;
905
906static int linktype;
907
908static void
909init_linktype(p)
910 pcap_t *p;
911{
912 linktype = pcap_datalink(p);
913#ifdef PCAP_FDDIPAD
914 pcap_fddipad = p->fddipad;
915#endif
916
917 /*
918 * Assume it's not raw ATM with a pseudo-header, for now.
919 */
920 off_mac = 0;
921 is_atm = 0;
922 is_lane = 0;
923 off_vpi = -1;
924 off_vci = -1;
925 off_proto = -1;
926 off_payload = -1;
927
928 /*
929 * And that we're not doing PPPoE.
930 */
931 is_pppoes = 0;
932
933 /*
934 * And assume we're not doing SS7.
935 */
936 off_li = -1;
937 off_sio = -1;
938 off_opc = -1;
939 off_dpc = -1;
940 off_sls = -1;
941
942 /*
943 * Also assume it's not 802.11.
944 */
945 off_ll = 0;
946 off_macpl = 0;
947 off_macpl_is_variable = 0;
948
949 orig_linktype = -1;
950 orig_nl = -1;
951 label_stack_depth = 0;
952
953 reg_off_ll = -1;
954 reg_off_macpl = -1;
955
956 switch (linktype) {
957
958 case DLT_ARCNET:
959 off_linktype = 2;
960 off_macpl = 6;
961 off_nl = 0; /* XXX in reality, variable! */
962 off_nl_nosnap = 0; /* no 802.2 LLC */
963 return;
964
965 case DLT_ARCNET_LINUX:
966 off_linktype = 4;
967 off_macpl = 8;
968 off_nl = 0; /* XXX in reality, variable! */
969 off_nl_nosnap = 0; /* no 802.2 LLC */
970 return;
971
972 case DLT_EN10MB:
973 off_linktype = 12;
974 off_macpl = 14; /* Ethernet header length */
975 off_nl = 0; /* Ethernet II */
976 off_nl_nosnap = 3; /* 802.3+802.2 */
977 return;
978
979 case DLT_SLIP:
980 /*
981 * SLIP doesn't have a link level type. The 16 byte
982 * header is hacked into our SLIP driver.
983 */
984 off_linktype = -1;
985 off_macpl = 16;
986 off_nl = 0;
987 off_nl_nosnap = 0; /* no 802.2 LLC */
988 return;
989
990 case DLT_SLIP_BSDOS:
991 /* XXX this may be the same as the DLT_PPP_BSDOS case */
992 off_linktype = -1;
993 /* XXX end */
994 off_macpl = 24;
995 off_nl = 0;
996 off_nl_nosnap = 0; /* no 802.2 LLC */
997 return;
998
999 case DLT_NULL:
1000 case DLT_LOOP:
1001 off_linktype = 0;
1002 off_macpl = 4;
1003 off_nl = 0;
1004 off_nl_nosnap = 0; /* no 802.2 LLC */
1005 return;
1006
1007 case DLT_ENC:
1008 off_linktype = 0;
1009 off_macpl = 12;
1010 off_nl = 0;
1011 off_nl_nosnap = 0; /* no 802.2 LLC */
1012 return;
1013
1014 case DLT_PPP:
1015 case DLT_PPP_PPPD:
1016 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1017 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1018 off_linktype = 2;
1019 off_macpl = 4;
1020 off_nl = 0;
1021 off_nl_nosnap = 0; /* no 802.2 LLC */
1022 return;
1023
1024 case DLT_PPP_ETHER:
1025 /*
1026 * This does no include the Ethernet header, and
1027 * only covers session state.
1028 */
1029 off_linktype = 6;
1030 off_macpl = 8;
1031 off_nl = 0;
1032 off_nl_nosnap = 0; /* no 802.2 LLC */
1033 return;
1034
1035 case DLT_PPP_BSDOS:
1036 off_linktype = 5;
1037 off_macpl = 24;
1038 off_nl = 0;
1039 off_nl_nosnap = 0; /* no 802.2 LLC */
1040 return;
1041
1042 case DLT_FDDI:
1043 /*
1044 * FDDI doesn't really have a link-level type field.
1045 * We set "off_linktype" to the offset of the LLC header.
1046 *
1047 * To check for Ethernet types, we assume that SSAP = SNAP
1048 * is being used and pick out the encapsulated Ethernet type.
1049 * XXX - should we generate code to check for SNAP?
1050 */
1051 off_linktype = 13;
1052#ifdef PCAP_FDDIPAD
1053 off_linktype += pcap_fddipad;
1054#endif
1055 off_macpl = 13; /* FDDI MAC header length */
1056#ifdef PCAP_FDDIPAD
1057 off_macpl += pcap_fddipad;
1058#endif
1059 off_nl = 8; /* 802.2+SNAP */
1060 off_nl_nosnap = 3; /* 802.2 */
1061 return;
1062
1063 case DLT_IEEE802:
1064 /*
1065 * Token Ring doesn't really have a link-level type field.
1066 * We set "off_linktype" to the offset of the LLC header.
1067 *
1068 * To check for Ethernet types, we assume that SSAP = SNAP
1069 * is being used and pick out the encapsulated Ethernet type.
1070 * XXX - should we generate code to check for SNAP?
1071 *
1072 * XXX - the header is actually variable-length.
1073 * Some various Linux patched versions gave 38
1074 * as "off_linktype" and 40 as "off_nl"; however,
1075 * if a token ring packet has *no* routing
1076 * information, i.e. is not source-routed, the correct
1077 * values are 20 and 22, as they are in the vanilla code.
1078 *
1079 * A packet is source-routed iff the uppermost bit
1080 * of the first byte of the source address, at an
1081 * offset of 8, has the uppermost bit set. If the
1082 * packet is source-routed, the total number of bytes
1083 * of routing information is 2 plus bits 0x1F00 of
1084 * the 16-bit value at an offset of 14 (shifted right
1085 * 8 - figure out which byte that is).
1086 */
1087 off_linktype = 14;
1088 off_macpl = 14; /* Token Ring MAC header length */
1089 off_nl = 8; /* 802.2+SNAP */
1090 off_nl_nosnap = 3; /* 802.2 */
1091 return;
1092
1093 case DLT_IEEE802_11:
1094 case DLT_PRISM_HEADER:
1095 case DLT_IEEE802_11_RADIO_AVS:
1096 case DLT_IEEE802_11_RADIO:
1097 /*
1098 * 802.11 doesn't really have a link-level type field.
1099 * We set "off_linktype" to the offset of the LLC header.
1100 *
1101 * To check for Ethernet types, we assume that SSAP = SNAP
1102 * is being used and pick out the encapsulated Ethernet type.
1103 * XXX - should we generate code to check for SNAP?
1104 *
1105 * We also handle variable-length radio headers here.
1106 * The Prism header is in theory variable-length, but in
1107 * practice it's always 144 bytes long. However, some
1108 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1109 * sometimes or always supply an AVS header, so we
1110 * have to check whether the radio header is a Prism
1111 * header or an AVS header, so, in practice, it's
1112 * variable-length.
1113 */
1114 off_linktype = 24;
1115 off_macpl = 0; /* link-layer header is variable-length */
1116 off_macpl_is_variable = 1;
1117 off_nl = 8; /* 802.2+SNAP */
1118 off_nl_nosnap = 3; /* 802.2 */
1119 return;
1120
1121 case DLT_PPI:
1122 /*
1123 * At the moment we treat PPI the same way that we treat
1124 * normal Radiotap encoded packets. The difference is in
1125 * the function that generates the code at the beginning
1126 * to compute the header length. Since this code generator
1127 * of PPI supports bare 802.11 encapsulation only (i.e.
1128 * the encapsulated DLT should be DLT_IEEE802_11) we
1129 * generate code to check for this too.
1130 */
1131 off_linktype = 24;
1132 off_macpl = 0; /* link-layer header is variable-length */
1133 off_macpl_is_variable = 1;
1134 off_nl = 8; /* 802.2+SNAP */
1135 off_nl_nosnap = 3; /* 802.2 */
1136 return;
1137
1138 case DLT_ATM_RFC1483:
1139 case DLT_ATM_CLIP: /* Linux ATM defines this */
1140 /*
1141 * assume routed, non-ISO PDUs
1142 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1143 *
1144 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1145 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1146 * latter would presumably be treated the way PPPoE
1147 * should be, so you can do "pppoe and udp port 2049"
1148 * or "pppoa and tcp port 80" and have it check for
1149 * PPPo{A,E} and a PPP protocol of IP and....
1150 */
1151 off_linktype = 0;
1152 off_macpl = 0; /* packet begins with LLC header */
1153 off_nl = 8; /* 802.2+SNAP */
1154 off_nl_nosnap = 3; /* 802.2 */
1155 return;
1156
1157 case DLT_SUNATM:
1158 /*
1159 * Full Frontal ATM; you get AALn PDUs with an ATM
1160 * pseudo-header.
1161 */
1162 is_atm = 1;
1163 off_vpi = SUNATM_VPI_POS;
1164 off_vci = SUNATM_VCI_POS;
1165 off_proto = PROTO_POS;
1166 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1167 off_payload = SUNATM_PKT_BEGIN_POS;
1168 off_linktype = off_payload;
1169 off_macpl = off_payload; /* if LLC-encapsulated */
1170 off_nl = 8; /* 802.2+SNAP */
1171 off_nl_nosnap = 3; /* 802.2 */
1172 return;
1173
1174 case DLT_RAW:
1175 case DLT_IPV4:
1176 case DLT_IPV6:
1177 off_linktype = -1;
1178 off_macpl = 0;
1179 off_nl = 0;
1180 off_nl_nosnap = 0; /* no 802.2 LLC */
1181 return;
1182
1183 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1184 off_linktype = 14;
1185 off_macpl = 16;
1186 off_nl = 0;
1187 off_nl_nosnap = 0; /* no 802.2 LLC */
1188 return;
1189
1190 case DLT_LTALK:
1191 /*
1192 * LocalTalk does have a 1-byte type field in the LLAP header,
1193 * but really it just indicates whether there is a "short" or
1194 * "long" DDP packet following.
1195 */
1196 off_linktype = -1;
1197 off_macpl = 0;
1198 off_nl = 0;
1199 off_nl_nosnap = 0; /* no 802.2 LLC */
1200 return;
1201
1202 case DLT_IP_OVER_FC:
1203 /*
1204 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1205 * link-level type field. We set "off_linktype" to the
1206 * offset of the LLC header.
1207 *
1208 * To check for Ethernet types, we assume that SSAP = SNAP
1209 * is being used and pick out the encapsulated Ethernet type.
1210 * XXX - should we generate code to check for SNAP? RFC
1211 * 2625 says SNAP should be used.
1212 */
1213 off_linktype = 16;
1214 off_macpl = 16;
1215 off_nl = 8; /* 802.2+SNAP */
1216 off_nl_nosnap = 3; /* 802.2 */
1217 return;
1218
1219 case DLT_FRELAY:
1220 /*
1221 * XXX - we should set this to handle SNAP-encapsulated
1222 * frames (NLPID of 0x80).
1223 */
1224 off_linktype = -1;
1225 off_macpl = 0;
1226 off_nl = 0;
1227 off_nl_nosnap = 0; /* no 802.2 LLC */
1228 return;
1229
1230 /*
1231 * the only BPF-interesting FRF.16 frames are non-control frames;
1232 * Frame Relay has a variable length link-layer
1233 * so lets start with offset 4 for now and increments later on (FIXME);
1234 */
1235 case DLT_MFR:
1236 off_linktype = -1;
1237 off_macpl = 0;
1238 off_nl = 4;
1239 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1240 return;
1241
1242 case DLT_APPLE_IP_OVER_IEEE1394:
1243 off_linktype = 16;
1244 off_macpl = 18;
1245 off_nl = 0;
1246 off_nl_nosnap = 0; /* no 802.2 LLC */
1247 return;
1248
1249 case DLT_SYMANTEC_FIREWALL:
1250 off_linktype = 6;
1251 off_macpl = 44;
1252 off_nl = 0; /* Ethernet II */
1253 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1254 return;
1255
1256#ifdef HAVE_NET_PFVAR_H
1257 case DLT_PFLOG:
1258 off_linktype = 0;
1259 off_macpl = PFLOG_HDRLEN;
1260 off_nl = 0;
1261 off_nl_nosnap = 0; /* no 802.2 LLC */
1262 return;
1263#endif
1264
1265 case DLT_JUNIPER_MFR:
1266 case DLT_JUNIPER_MLFR:
1267 case DLT_JUNIPER_MLPPP:
1268 case DLT_JUNIPER_PPP:
1269 case DLT_JUNIPER_CHDLC:
1270 case DLT_JUNIPER_FRELAY:
1271 off_linktype = 4;
1272 off_macpl = 4;
1273 off_nl = 0;
1274 off_nl_nosnap = -1; /* no 802.2 LLC */
1275 return;
1276
1277 case DLT_JUNIPER_ATM1:
1278 off_linktype = 4; /* in reality variable between 4-8 */
1279 off_macpl = 4; /* in reality variable between 4-8 */
1280 off_nl = 0;
1281 off_nl_nosnap = 10;
1282 return;
1283
1284 case DLT_JUNIPER_ATM2:
1285 off_linktype = 8; /* in reality variable between 8-12 */
1286 off_macpl = 8; /* in reality variable between 8-12 */
1287 off_nl = 0;
1288 off_nl_nosnap = 10;
1289 return;
1290
1291 /* frames captured on a Juniper PPPoE service PIC
1292 * contain raw ethernet frames */
1293 case DLT_JUNIPER_PPPOE:
1294 case DLT_JUNIPER_ETHER:
1295 off_macpl = 14;
1296 off_linktype = 16;
1297 off_nl = 18; /* Ethernet II */
1298 off_nl_nosnap = 21; /* 802.3+802.2 */
1299 return;
1300
1301 case DLT_JUNIPER_PPPOE_ATM:
1302 off_linktype = 4;
1303 off_macpl = 6;
1304 off_nl = 0;
1305 off_nl_nosnap = -1; /* no 802.2 LLC */
1306 return;
1307
1308 case DLT_JUNIPER_GGSN:
1309 off_linktype = 6;
1310 off_macpl = 12;
1311 off_nl = 0;
1312 off_nl_nosnap = -1; /* no 802.2 LLC */
1313 return;
1314
1315 case DLT_JUNIPER_ES:
1316 off_linktype = 6;
1317 off_macpl = -1; /* not really a network layer but raw IP addresses */
1318 off_nl = -1; /* not really a network layer but raw IP addresses */
1319 off_nl_nosnap = -1; /* no 802.2 LLC */
1320 return;
1321
1322 case DLT_JUNIPER_MONITOR:
1323 off_linktype = 12;
1324 off_macpl = 12;
1325 off_nl = 0; /* raw IP/IP6 header */
1326 off_nl_nosnap = -1; /* no 802.2 LLC */
1327 return;
1328
1329 case DLT_JUNIPER_SERVICES:
1330 off_linktype = 12;
1331 off_macpl = -1; /* L3 proto location dep. on cookie type */
1332 off_nl = -1; /* L3 proto location dep. on cookie type */
1333 off_nl_nosnap = -1; /* no 802.2 LLC */
1334 return;
1335
1336 case DLT_JUNIPER_VP:
1337 off_linktype = 18;
1338 off_macpl = -1;
1339 off_nl = -1;
1340 off_nl_nosnap = -1;
1341 return;
1342
1343 case DLT_JUNIPER_ST:
1344 off_linktype = 18;
1345 off_macpl = -1;
1346 off_nl = -1;
1347 off_nl_nosnap = -1;
1348 return;
1349
1350 case DLT_JUNIPER_ISM:
1351 off_linktype = 8;
1352 off_macpl = -1;
1353 off_nl = -1;
1354 off_nl_nosnap = -1;
1355 return;
1356
1357 case DLT_JUNIPER_VS:
1358 case DLT_JUNIPER_SRX_E2E:
1359 case DLT_JUNIPER_FIBRECHANNEL:
1360 case DLT_JUNIPER_ATM_CEMIC:
1361 off_linktype = 8;
1362 off_macpl = -1;
1363 off_nl = -1;
1364 off_nl_nosnap = -1;
1365 return;
1366
1367 case DLT_MTP2:
1368 off_li = 2;
1369 off_sio = 3;
1370 off_opc = 4;
1371 off_dpc = 4;
1372 off_sls = 7;
1373 off_linktype = -1;
1374 off_macpl = -1;
1375 off_nl = -1;
1376 off_nl_nosnap = -1;
1377 return;
1378
1379 case DLT_MTP2_WITH_PHDR:
1380 off_li = 6;
1381 off_sio = 7;
1382 off_opc = 8;
1383 off_dpc = 8;
1384 off_sls = 11;
1385 off_linktype = -1;
1386 off_macpl = -1;
1387 off_nl = -1;
1388 off_nl_nosnap = -1;
1389 return;
1390
1391 case DLT_ERF:
1392 off_li = 22;
1393 off_sio = 23;
1394 off_opc = 24;
1395 off_dpc = 24;
1396 off_sls = 27;
1397 off_linktype = -1;
1398 off_macpl = -1;
1399 off_nl = -1;
1400 off_nl_nosnap = -1;
1401 return;
1402
|
1398#ifdef DLT_PFSYNC
| |
1399 case DLT_PFSYNC:
1400 off_linktype = -1;
1401 off_macpl = 4;
1402 off_nl = 0;
1403 off_nl_nosnap = 0;
1404 return;
| 1403 case DLT_PFSYNC:
1404 off_linktype = -1;
1405 off_macpl = 4;
1406 off_nl = 0;
1407 off_nl_nosnap = 0;
1408 return;
|
1405#endif
| |
1406
1407 case DLT_AX25_KISS:
1408 /*
1409 * Currently, only raw "link[N:M]" filtering is supported.
1410 */
1411 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1412 off_macpl = -1;
1413 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1414 off_nl_nosnap = -1; /* no 802.2 LLC */
1415 off_mac = 1; /* step over the kiss length byte */
1416 return;
1417
1418 case DLT_IPNET:
1419 off_linktype = 1;
1420 off_macpl = 24; /* ipnet header length */
1421 off_nl = 0;
1422 off_nl_nosnap = -1;
1423 return;
1424
1425 case DLT_NETANALYZER:
1426 off_mac = 4; /* MAC header is past 4-byte pseudo-header */
1427 off_linktype = 16; /* includes 4-byte pseudo-header */
1428 off_macpl = 18; /* pseudo-header+Ethernet header length */
1429 off_nl = 0; /* Ethernet II */
1430 off_nl_nosnap = 3; /* 802.3+802.2 */
1431 return;
1432
1433 case DLT_NETANALYZER_TRANSPARENT:
1434 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1435 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */
1436 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */
1437 off_nl = 0; /* Ethernet II */
1438 off_nl_nosnap = 3; /* 802.3+802.2 */
1439 return;
1440
1441 default:
1442 /*
1443 * For values in the range in which we've assigned new
1444 * DLT_ values, only raw "link[N:M]" filtering is supported.
1445 */
1446 if (linktype >= DLT_MATCHING_MIN &&
1447 linktype <= DLT_MATCHING_MAX) {
1448 off_linktype = -1;
1449 off_macpl = -1;
1450 off_nl = -1;
1451 off_nl_nosnap = -1;
1452 return;
1453 }
1454
1455 }
1456 bpf_error("unknown data link type %d", linktype);
1457 /* NOTREACHED */
1458}
1459
1460/*
1461 * Load a value relative to the beginning of the link-layer header.
1462 * The link-layer header doesn't necessarily begin at the beginning
1463 * of the packet data; there might be a variable-length prefix containing
1464 * radio information.
1465 */
1466static struct slist *
1467gen_load_llrel(offset, size)
1468 u_int offset, size;
1469{
1470 struct slist *s, *s2;
1471
1472 s = gen_llprefixlen();
1473
1474 /*
1475 * If "s" is non-null, it has code to arrange that the X register
1476 * contains the length of the prefix preceding the link-layer
1477 * header.
1478 *
1479 * Otherwise, the length of the prefix preceding the link-layer
1480 * header is "off_ll".
1481 */
1482 if (s != NULL) {
1483 /*
1484 * There's a variable-length prefix preceding the
1485 * link-layer header. "s" points to a list of statements
1486 * that put the length of that prefix into the X register.
1487 * do an indirect load, to use the X register as an offset.
1488 */
1489 s2 = new_stmt(BPF_LD|BPF_IND|size);
1490 s2->s.k = offset;
1491 sappend(s, s2);
1492 } else {
1493 /*
1494 * There is no variable-length header preceding the
1495 * link-layer header; add in off_ll, which, if there's
1496 * a fixed-length header preceding the link-layer header,
1497 * is the length of that header.
1498 */
1499 s = new_stmt(BPF_LD|BPF_ABS|size);
1500 s->s.k = offset + off_ll;
1501 }
1502 return s;
1503}
1504
1505/*
1506 * Load a value relative to the beginning of the MAC-layer payload.
1507 */
1508static struct slist *
1509gen_load_macplrel(offset, size)
1510 u_int offset, size;
1511{
1512 struct slist *s, *s2;
1513
1514 s = gen_off_macpl();
1515
1516 /*
1517 * If s is non-null, the offset of the MAC-layer payload is
1518 * variable, and s points to a list of instructions that
1519 * arrange that the X register contains that offset.
1520 *
1521 * Otherwise, the offset of the MAC-layer payload is constant,
1522 * and is in off_macpl.
1523 */
1524 if (s != NULL) {
1525 /*
1526 * The offset of the MAC-layer payload is in the X
1527 * register. Do an indirect load, to use the X register
1528 * as an offset.
1529 */
1530 s2 = new_stmt(BPF_LD|BPF_IND|size);
1531 s2->s.k = offset;
1532 sappend(s, s2);
1533 } else {
1534 /*
1535 * The offset of the MAC-layer payload is constant,
1536 * and is in off_macpl; load the value at that offset
1537 * plus the specified offset.
1538 */
1539 s = new_stmt(BPF_LD|BPF_ABS|size);
1540 s->s.k = off_macpl + offset;
1541 }
1542 return s;
1543}
1544
1545/*
1546 * Load a value relative to the beginning of the specified header.
1547 */
1548static struct slist *
1549gen_load_a(offrel, offset, size)
1550 enum e_offrel offrel;
1551 u_int offset, size;
1552{
1553 struct slist *s, *s2;
1554
1555 switch (offrel) {
1556
1557 case OR_PACKET:
1558 s = new_stmt(BPF_LD|BPF_ABS|size);
1559 s->s.k = offset;
1560 break;
1561
1562 case OR_LINK:
1563 s = gen_load_llrel(offset, size);
1564 break;
1565
1566 case OR_MACPL:
1567 s = gen_load_macplrel(offset, size);
1568 break;
1569
1570 case OR_NET:
1571 s = gen_load_macplrel(off_nl + offset, size);
1572 break;
1573
1574 case OR_NET_NOSNAP:
1575 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1576 break;
1577
1578 case OR_TRAN_IPV4:
1579 /*
1580 * Load the X register with the length of the IPv4 header
1581 * (plus the offset of the link-layer header, if it's
1582 * preceded by a variable-length header such as a radio
1583 * header), in bytes.
1584 */
1585 s = gen_loadx_iphdrlen();
1586
1587 /*
1588 * Load the item at {offset of the MAC-layer payload} +
1589 * {offset, relative to the start of the MAC-layer
1590 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1591 * {specified offset}.
1592 *
1593 * (If the offset of the MAC-layer payload is variable,
1594 * it's included in the value in the X register, and
1595 * off_macpl is 0.)
1596 */
1597 s2 = new_stmt(BPF_LD|BPF_IND|size);
1598 s2->s.k = off_macpl + off_nl + offset;
1599 sappend(s, s2);
1600 break;
1601
1602 case OR_TRAN_IPV6:
1603 s = gen_load_macplrel(off_nl + 40 + offset, size);
1604 break;
1605
1606 default:
1607 abort();
1608 return NULL;
1609 }
1610 return s;
1611}
1612
1613/*
1614 * Generate code to load into the X register the sum of the length of
1615 * the IPv4 header and any variable-length header preceding the link-layer
1616 * header.
1617 */
1618static struct slist *
1619gen_loadx_iphdrlen()
1620{
1621 struct slist *s, *s2;
1622
1623 s = gen_off_macpl();
1624 if (s != NULL) {
1625 /*
1626 * There's a variable-length prefix preceding the
1627 * link-layer header, or the link-layer header is itself
1628 * variable-length. "s" points to a list of statements
1629 * that put the offset of the MAC-layer payload into
1630 * the X register.
1631 *
1632 * The 4*([k]&0xf) addressing mode can't be used, as we
1633 * don't have a constant offset, so we have to load the
1634 * value in question into the A register and add to it
1635 * the value from the X register.
1636 */
1637 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1638 s2->s.k = off_nl;
1639 sappend(s, s2);
1640 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1641 s2->s.k = 0xf;
1642 sappend(s, s2);
1643 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1644 s2->s.k = 2;
1645 sappend(s, s2);
1646
1647 /*
1648 * The A register now contains the length of the
1649 * IP header. We need to add to it the offset of
1650 * the MAC-layer payload, which is still in the X
1651 * register, and move the result into the X register.
1652 */
1653 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1654 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1655 } else {
1656 /*
1657 * There is no variable-length header preceding the
1658 * link-layer header, and the link-layer header is
1659 * fixed-length; load the length of the IPv4 header,
1660 * which is at an offset of off_nl from the beginning
1661 * of the MAC-layer payload, and thus at an offset
1662 * of off_mac_pl + off_nl from the beginning of the
1663 * raw packet data.
1664 */
1665 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1666 s->s.k = off_macpl + off_nl;
1667 }
1668 return s;
1669}
1670
1671static struct block *
1672gen_uncond(rsense)
1673 int rsense;
1674{
1675 struct block *b;
1676 struct slist *s;
1677
1678 s = new_stmt(BPF_LD|BPF_IMM);
1679 s->s.k = !rsense;
1680 b = new_block(JMP(BPF_JEQ));
1681 b->stmts = s;
1682
1683 return b;
1684}
1685
1686static inline struct block *
1687gen_true()
1688{
1689 return gen_uncond(1);
1690}
1691
1692static inline struct block *
1693gen_false()
1694{
1695 return gen_uncond(0);
1696}
1697
1698/*
1699 * Byte-swap a 32-bit number.
1700 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1701 * big-endian platforms.)
1702 */
1703#define SWAPLONG(y) \
1704((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1705
1706/*
1707 * Generate code to match a particular packet type.
1708 *
1709 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1710 * value, if <= ETHERMTU. We use that to determine whether to
1711 * match the type/length field or to check the type/length field for
1712 * a value <= ETHERMTU to see whether it's a type field and then do
1713 * the appropriate test.
1714 */
1715static struct block *
1716gen_ether_linktype(proto)
1717 register int proto;
1718{
1719 struct block *b0, *b1;
1720
1721 switch (proto) {
1722
1723 case LLCSAP_ISONS:
1724 case LLCSAP_IP:
1725 case LLCSAP_NETBEUI:
1726 /*
1727 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1728 * so we check the DSAP and SSAP.
1729 *
1730 * LLCSAP_IP checks for IP-over-802.2, rather
1731 * than IP-over-Ethernet or IP-over-SNAP.
1732 *
1733 * XXX - should we check both the DSAP and the
1734 * SSAP, like this, or should we check just the
1735 * DSAP, as we do for other types <= ETHERMTU
1736 * (i.e., other SAP values)?
1737 */
1738 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1739 gen_not(b0);
1740 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1741 ((proto << 8) | proto));
1742 gen_and(b0, b1);
1743 return b1;
1744
1745 case LLCSAP_IPX:
1746 /*
1747 * Check for;
1748 *
1749 * Ethernet_II frames, which are Ethernet
1750 * frames with a frame type of ETHERTYPE_IPX;
1751 *
1752 * Ethernet_802.3 frames, which are 802.3
1753 * frames (i.e., the type/length field is
1754 * a length field, <= ETHERMTU, rather than
1755 * a type field) with the first two bytes
1756 * after the Ethernet/802.3 header being
1757 * 0xFFFF;
1758 *
1759 * Ethernet_802.2 frames, which are 802.3
1760 * frames with an 802.2 LLC header and
1761 * with the IPX LSAP as the DSAP in the LLC
1762 * header;
1763 *
1764 * Ethernet_SNAP frames, which are 802.3
1765 * frames with an LLC header and a SNAP
1766 * header and with an OUI of 0x000000
1767 * (encapsulated Ethernet) and a protocol
1768 * ID of ETHERTYPE_IPX in the SNAP header.
1769 *
1770 * XXX - should we generate the same code both
1771 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1772 */
1773
1774 /*
1775 * This generates code to check both for the
1776 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1777 */
1778 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1779 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1780 gen_or(b0, b1);
1781
1782 /*
1783 * Now we add code to check for SNAP frames with
1784 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1785 */
1786 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1787 gen_or(b0, b1);
1788
1789 /*
1790 * Now we generate code to check for 802.3
1791 * frames in general.
1792 */
1793 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1794 gen_not(b0);
1795
1796 /*
1797 * Now add the check for 802.3 frames before the
1798 * check for Ethernet_802.2 and Ethernet_802.3,
1799 * as those checks should only be done on 802.3
1800 * frames, not on Ethernet frames.
1801 */
1802 gen_and(b0, b1);
1803
1804 /*
1805 * Now add the check for Ethernet_II frames, and
1806 * do that before checking for the other frame
1807 * types.
1808 */
1809 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1810 (bpf_int32)ETHERTYPE_IPX);
1811 gen_or(b0, b1);
1812 return b1;
1813
1814 case ETHERTYPE_ATALK:
1815 case ETHERTYPE_AARP:
1816 /*
1817 * EtherTalk (AppleTalk protocols on Ethernet link
1818 * layer) may use 802.2 encapsulation.
1819 */
1820
1821 /*
1822 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1823 * we check for an Ethernet type field less than
1824 * 1500, which means it's an 802.3 length field.
1825 */
1826 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1827 gen_not(b0);
1828
1829 /*
1830 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1831 * SNAP packets with an organization code of
1832 * 0x080007 (Apple, for Appletalk) and a protocol
1833 * type of ETHERTYPE_ATALK (Appletalk).
1834 *
1835 * 802.2-encapsulated ETHERTYPE_AARP packets are
1836 * SNAP packets with an organization code of
1837 * 0x000000 (encapsulated Ethernet) and a protocol
1838 * type of ETHERTYPE_AARP (Appletalk ARP).
1839 */
1840 if (proto == ETHERTYPE_ATALK)
1841 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1842 else /* proto == ETHERTYPE_AARP */
1843 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1844 gen_and(b0, b1);
1845
1846 /*
1847 * Check for Ethernet encapsulation (Ethertalk
1848 * phase 1?); we just check for the Ethernet
1849 * protocol type.
1850 */
1851 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1852
1853 gen_or(b0, b1);
1854 return b1;
1855
1856 default:
1857 if (proto <= ETHERMTU) {
1858 /*
1859 * This is an LLC SAP value, so the frames
1860 * that match would be 802.2 frames.
1861 * Check that the frame is an 802.2 frame
1862 * (i.e., that the length/type field is
1863 * a length field, <= ETHERMTU) and
1864 * then check the DSAP.
1865 */
1866 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1867 gen_not(b0);
1868 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1869 (bpf_int32)proto);
1870 gen_and(b0, b1);
1871 return b1;
1872 } else {
1873 /*
1874 * This is an Ethernet type, so compare
1875 * the length/type field with it (if
1876 * the frame is an 802.2 frame, the length
1877 * field will be <= ETHERMTU, and, as
1878 * "proto" is > ETHERMTU, this test
1879 * will fail and the frame won't match,
1880 * which is what we want).
1881 */
1882 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1883 (bpf_int32)proto);
1884 }
1885 }
1886}
1887
1888/*
1889 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1890 * or IPv6 then we have an error.
1891 */
1892static struct block *
1893gen_ipnet_linktype(proto)
1894 register int proto;
1895{
1896 switch (proto) {
1897
1898 case ETHERTYPE_IP:
1899 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1900 (bpf_int32)IPH_AF_INET);
1901 /* NOTREACHED */
1902
1903 case ETHERTYPE_IPV6:
1904 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1905 (bpf_int32)IPH_AF_INET6);
1906 /* NOTREACHED */
1907
1908 default:
1909 break;
1910 }
1911
1912 return gen_false();
1913}
1914
1915/*
1916 * Generate code to match a particular packet type.
1917 *
1918 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1919 * value, if <= ETHERMTU. We use that to determine whether to
1920 * match the type field or to check the type field for the special
1921 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1922 */
1923static struct block *
1924gen_linux_sll_linktype(proto)
1925 register int proto;
1926{
1927 struct block *b0, *b1;
1928
1929 switch (proto) {
1930
1931 case LLCSAP_ISONS:
1932 case LLCSAP_IP:
1933 case LLCSAP_NETBEUI:
1934 /*
1935 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1936 * so we check the DSAP and SSAP.
1937 *
1938 * LLCSAP_IP checks for IP-over-802.2, rather
1939 * than IP-over-Ethernet or IP-over-SNAP.
1940 *
1941 * XXX - should we check both the DSAP and the
1942 * SSAP, like this, or should we check just the
1943 * DSAP, as we do for other types <= ETHERMTU
1944 * (i.e., other SAP values)?
1945 */
1946 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1947 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1948 ((proto << 8) | proto));
1949 gen_and(b0, b1);
1950 return b1;
1951
1952 case LLCSAP_IPX:
1953 /*
1954 * Ethernet_II frames, which are Ethernet
1955 * frames with a frame type of ETHERTYPE_IPX;
1956 *
1957 * Ethernet_802.3 frames, which have a frame
1958 * type of LINUX_SLL_P_802_3;
1959 *
1960 * Ethernet_802.2 frames, which are 802.3
1961 * frames with an 802.2 LLC header (i.e, have
1962 * a frame type of LINUX_SLL_P_802_2) and
1963 * with the IPX LSAP as the DSAP in the LLC
1964 * header;
1965 *
1966 * Ethernet_SNAP frames, which are 802.3
1967 * frames with an LLC header and a SNAP
1968 * header and with an OUI of 0x000000
1969 * (encapsulated Ethernet) and a protocol
1970 * ID of ETHERTYPE_IPX in the SNAP header.
1971 *
1972 * First, do the checks on LINUX_SLL_P_802_2
1973 * frames; generate the check for either
1974 * Ethernet_802.2 or Ethernet_SNAP frames, and
1975 * then put a check for LINUX_SLL_P_802_2 frames
1976 * before it.
1977 */
1978 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1979 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
1980 gen_or(b0, b1);
1981 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1982 gen_and(b0, b1);
1983
1984 /*
1985 * Now check for 802.3 frames and OR that with
1986 * the previous test.
1987 */
1988 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1989 gen_or(b0, b1);
1990
1991 /*
1992 * Now add the check for Ethernet_II frames, and
1993 * do that before checking for the other frame
1994 * types.
1995 */
1996 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1997 (bpf_int32)ETHERTYPE_IPX);
1998 gen_or(b0, b1);
1999 return b1;
2000
2001 case ETHERTYPE_ATALK:
2002 case ETHERTYPE_AARP:
2003 /*
2004 * EtherTalk (AppleTalk protocols on Ethernet link
2005 * layer) may use 802.2 encapsulation.
2006 */
2007
2008 /*
2009 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2010 * we check for the 802.2 protocol type in the
2011 * "Ethernet type" field.
2012 */
2013 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2014
2015 /*
2016 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2017 * SNAP packets with an organization code of
2018 * 0x080007 (Apple, for Appletalk) and a protocol
2019 * type of ETHERTYPE_ATALK (Appletalk).
2020 *
2021 * 802.2-encapsulated ETHERTYPE_AARP packets are
2022 * SNAP packets with an organization code of
2023 * 0x000000 (encapsulated Ethernet) and a protocol
2024 * type of ETHERTYPE_AARP (Appletalk ARP).
2025 */
2026 if (proto == ETHERTYPE_ATALK)
2027 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2028 else /* proto == ETHERTYPE_AARP */
2029 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2030 gen_and(b0, b1);
2031
2032 /*
2033 * Check for Ethernet encapsulation (Ethertalk
2034 * phase 1?); we just check for the Ethernet
2035 * protocol type.
2036 */
2037 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2038
2039 gen_or(b0, b1);
2040 return b1;
2041
2042 default:
2043 if (proto <= ETHERMTU) {
2044 /*
2045 * This is an LLC SAP value, so the frames
2046 * that match would be 802.2 frames.
2047 * Check for the 802.2 protocol type
2048 * in the "Ethernet type" field, and
2049 * then check the DSAP.
2050 */
2051 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2052 LINUX_SLL_P_802_2);
2053 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2054 (bpf_int32)proto);
2055 gen_and(b0, b1);
2056 return b1;
2057 } else {
2058 /*
2059 * This is an Ethernet type, so compare
2060 * the length/type field with it (if
2061 * the frame is an 802.2 frame, the length
2062 * field will be <= ETHERMTU, and, as
2063 * "proto" is > ETHERMTU, this test
2064 * will fail and the frame won't match,
2065 * which is what we want).
2066 */
2067 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2068 (bpf_int32)proto);
2069 }
2070 }
2071}
2072
2073static struct slist *
2074gen_load_prism_llprefixlen()
2075{
2076 struct slist *s1, *s2;
2077 struct slist *sjeq_avs_cookie;
2078 struct slist *sjcommon;
2079
2080 /*
2081 * This code is not compatible with the optimizer, as
2082 * we are generating jmp instructions within a normal
2083 * slist of instructions
2084 */
2085 no_optimize = 1;
2086
2087 /*
2088 * Generate code to load the length of the radio header into
2089 * the register assigned to hold that length, if one has been
2090 * assigned. (If one hasn't been assigned, no code we've
2091 * generated uses that prefix, so we don't need to generate any
2092 * code to load it.)
2093 *
2094 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2095 * or always use the AVS header rather than the Prism header.
2096 * We load a 4-byte big-endian value at the beginning of the
2097 * raw packet data, and see whether, when masked with 0xFFFFF000,
2098 * it's equal to 0x80211000. If so, that indicates that it's
2099 * an AVS header (the masked-out bits are the version number).
2100 * Otherwise, it's a Prism header.
2101 *
2102 * XXX - the Prism header is also, in theory, variable-length,
2103 * but no known software generates headers that aren't 144
2104 * bytes long.
2105 */
2106 if (reg_off_ll != -1) {
2107 /*
2108 * Load the cookie.
2109 */
2110 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2111 s1->s.k = 0;
2112
2113 /*
2114 * AND it with 0xFFFFF000.
2115 */
2116 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2117 s2->s.k = 0xFFFFF000;
2118 sappend(s1, s2);
2119
2120 /*
2121 * Compare with 0x80211000.
2122 */
2123 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2124 sjeq_avs_cookie->s.k = 0x80211000;
2125 sappend(s1, sjeq_avs_cookie);
2126
2127 /*
2128 * If it's AVS:
2129 *
2130 * The 4 bytes at an offset of 4 from the beginning of
2131 * the AVS header are the length of the AVS header.
2132 * That field is big-endian.
2133 */
2134 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2135 s2->s.k = 4;
2136 sappend(s1, s2);
2137 sjeq_avs_cookie->s.jt = s2;
2138
2139 /*
2140 * Now jump to the code to allocate a register
2141 * into which to save the header length and
2142 * store the length there. (The "jump always"
2143 * instruction needs to have the k field set;
2144 * it's added to the PC, so, as we're jumping
2145 * over a single instruction, it should be 1.)
2146 */
2147 sjcommon = new_stmt(JMP(BPF_JA));
2148 sjcommon->s.k = 1;
2149 sappend(s1, sjcommon);
2150
2151 /*
2152 * Now for the code that handles the Prism header.
2153 * Just load the length of the Prism header (144)
2154 * into the A register. Have the test for an AVS
2155 * header branch here if we don't have an AVS header.
2156 */
2157 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2158 s2->s.k = 144;
2159 sappend(s1, s2);
2160 sjeq_avs_cookie->s.jf = s2;
2161
2162 /*
2163 * Now allocate a register to hold that value and store
2164 * it. The code for the AVS header will jump here after
2165 * loading the length of the AVS header.
2166 */
2167 s2 = new_stmt(BPF_ST);
2168 s2->s.k = reg_off_ll;
2169 sappend(s1, s2);
2170 sjcommon->s.jf = s2;
2171
2172 /*
2173 * Now move it into the X register.
2174 */
2175 s2 = new_stmt(BPF_MISC|BPF_TAX);
2176 sappend(s1, s2);
2177
2178 return (s1);
2179 } else
2180 return (NULL);
2181}
2182
2183static struct slist *
2184gen_load_avs_llprefixlen()
2185{
2186 struct slist *s1, *s2;
2187
2188 /*
2189 * Generate code to load the length of the AVS header into
2190 * the register assigned to hold that length, if one has been
2191 * assigned. (If one hasn't been assigned, no code we've
2192 * generated uses that prefix, so we don't need to generate any
2193 * code to load it.)
2194 */
2195 if (reg_off_ll != -1) {
2196 /*
2197 * The 4 bytes at an offset of 4 from the beginning of
2198 * the AVS header are the length of the AVS header.
2199 * That field is big-endian.
2200 */
2201 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2202 s1->s.k = 4;
2203
2204 /*
2205 * Now allocate a register to hold that value and store
2206 * it.
2207 */
2208 s2 = new_stmt(BPF_ST);
2209 s2->s.k = reg_off_ll;
2210 sappend(s1, s2);
2211
2212 /*
2213 * Now move it into the X register.
2214 */
2215 s2 = new_stmt(BPF_MISC|BPF_TAX);
2216 sappend(s1, s2);
2217
2218 return (s1);
2219 } else
2220 return (NULL);
2221}
2222
2223static struct slist *
2224gen_load_radiotap_llprefixlen()
2225{
2226 struct slist *s1, *s2;
2227
2228 /*
2229 * Generate code to load the length of the radiotap header into
2230 * the register assigned to hold that length, if one has been
2231 * assigned. (If one hasn't been assigned, no code we've
2232 * generated uses that prefix, so we don't need to generate any
2233 * code to load it.)
2234 */
2235 if (reg_off_ll != -1) {
2236 /*
2237 * The 2 bytes at offsets of 2 and 3 from the beginning
2238 * of the radiotap header are the length of the radiotap
2239 * header; unfortunately, it's little-endian, so we have
2240 * to load it a byte at a time and construct the value.
2241 */
2242
2243 /*
2244 * Load the high-order byte, at an offset of 3, shift it
2245 * left a byte, and put the result in the X register.
2246 */
2247 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2248 s1->s.k = 3;
2249 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2250 sappend(s1, s2);
2251 s2->s.k = 8;
2252 s2 = new_stmt(BPF_MISC|BPF_TAX);
2253 sappend(s1, s2);
2254
2255 /*
2256 * Load the next byte, at an offset of 2, and OR the
2257 * value from the X register into it.
2258 */
2259 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2260 sappend(s1, s2);
2261 s2->s.k = 2;
2262 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2263 sappend(s1, s2);
2264
2265 /*
2266 * Now allocate a register to hold that value and store
2267 * it.
2268 */
2269 s2 = new_stmt(BPF_ST);
2270 s2->s.k = reg_off_ll;
2271 sappend(s1, s2);
2272
2273 /*
2274 * Now move it into the X register.
2275 */
2276 s2 = new_stmt(BPF_MISC|BPF_TAX);
2277 sappend(s1, s2);
2278
2279 return (s1);
2280 } else
2281 return (NULL);
2282}
2283
2284/*
2285 * At the moment we treat PPI as normal Radiotap encoded
2286 * packets. The difference is in the function that generates
2287 * the code at the beginning to compute the header length.
2288 * Since this code generator of PPI supports bare 802.11
2289 * encapsulation only (i.e. the encapsulated DLT should be
2290 * DLT_IEEE802_11) we generate code to check for this too;
2291 * that's done in finish_parse().
2292 */
2293static struct slist *
2294gen_load_ppi_llprefixlen()
2295{
2296 struct slist *s1, *s2;
2297
2298 /*
2299 * Generate code to load the length of the radiotap header
2300 * into the register assigned to hold that length, if one has
2301 * been assigned.
2302 */
2303 if (reg_off_ll != -1) {
2304 /*
2305 * The 2 bytes at offsets of 2 and 3 from the beginning
2306 * of the radiotap header are the length of the radiotap
2307 * header; unfortunately, it's little-endian, so we have
2308 * to load it a byte at a time and construct the value.
2309 */
2310
2311 /*
2312 * Load the high-order byte, at an offset of 3, shift it
2313 * left a byte, and put the result in the X register.
2314 */
2315 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2316 s1->s.k = 3;
2317 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2318 sappend(s1, s2);
2319 s2->s.k = 8;
2320 s2 = new_stmt(BPF_MISC|BPF_TAX);
2321 sappend(s1, s2);
2322
2323 /*
2324 * Load the next byte, at an offset of 2, and OR the
2325 * value from the X register into it.
2326 */
2327 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2328 sappend(s1, s2);
2329 s2->s.k = 2;
2330 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2331 sappend(s1, s2);
2332
2333 /*
2334 * Now allocate a register to hold that value and store
2335 * it.
2336 */
2337 s2 = new_stmt(BPF_ST);
2338 s2->s.k = reg_off_ll;
2339 sappend(s1, s2);
2340
2341 /*
2342 * Now move it into the X register.
2343 */
2344 s2 = new_stmt(BPF_MISC|BPF_TAX);
2345 sappend(s1, s2);
2346
2347 return (s1);
2348 } else
2349 return (NULL);
2350}
2351
2352/*
2353 * Load a value relative to the beginning of the link-layer header after the 802.11
2354 * header, i.e. LLC_SNAP.
2355 * The link-layer header doesn't necessarily begin at the beginning
2356 * of the packet data; there might be a variable-length prefix containing
2357 * radio information.
2358 */
2359static struct slist *
2360gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2361{
2362 struct slist *s2;
2363 struct slist *sjset_data_frame_1;
2364 struct slist *sjset_data_frame_2;
2365 struct slist *sjset_qos;
2366 struct slist *sjset_radiotap_flags;
2367 struct slist *sjset_radiotap_tsft;
2368 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2369 struct slist *s_roundup;
2370
2371 if (reg_off_macpl == -1) {
2372 /*
2373 * No register has been assigned to the offset of
2374 * the MAC-layer payload, which means nobody needs
2375 * it; don't bother computing it - just return
2376 * what we already have.
2377 */
2378 return (s);
2379 }
2380
2381 /*
2382 * This code is not compatible with the optimizer, as
2383 * we are generating jmp instructions within a normal
2384 * slist of instructions
2385 */
2386 no_optimize = 1;
2387
2388 /*
2389 * If "s" is non-null, it has code to arrange that the X register
2390 * contains the length of the prefix preceding the link-layer
2391 * header.
2392 *
2393 * Otherwise, the length of the prefix preceding the link-layer
2394 * header is "off_ll".
2395 */
2396 if (s == NULL) {
2397 /*
2398 * There is no variable-length header preceding the
2399 * link-layer header.
2400 *
2401 * Load the length of the fixed-length prefix preceding
2402 * the link-layer header (if any) into the X register,
2403 * and store it in the reg_off_macpl register.
2404 * That length is off_ll.
2405 */
2406 s = new_stmt(BPF_LDX|BPF_IMM);
2407 s->s.k = off_ll;
2408 }
2409
2410 /*
2411 * The X register contains the offset of the beginning of the
2412 * link-layer header; add 24, which is the minimum length
2413 * of the MAC header for a data frame, to that, and store it
2414 * in reg_off_macpl, and then load the Frame Control field,
2415 * which is at the offset in the X register, with an indexed load.
2416 */
2417 s2 = new_stmt(BPF_MISC|BPF_TXA);
2418 sappend(s, s2);
2419 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2420 s2->s.k = 24;
2421 sappend(s, s2);
2422 s2 = new_stmt(BPF_ST);
2423 s2->s.k = reg_off_macpl;
2424 sappend(s, s2);
2425
2426 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2427 s2->s.k = 0;
2428 sappend(s, s2);
2429
2430 /*
2431 * Check the Frame Control field to see if this is a data frame;
2432 * a data frame has the 0x08 bit (b3) in that field set and the
2433 * 0x04 bit (b2) clear.
2434 */
2435 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2436 sjset_data_frame_1->s.k = 0x08;
2437 sappend(s, sjset_data_frame_1);
2438
2439 /*
2440 * If b3 is set, test b2, otherwise go to the first statement of
2441 * the rest of the program.
2442 */
2443 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2444 sjset_data_frame_2->s.k = 0x04;
2445 sappend(s, sjset_data_frame_2);
2446 sjset_data_frame_1->s.jf = snext;
2447
2448 /*
2449 * If b2 is not set, this is a data frame; test the QoS bit.
2450 * Otherwise, go to the first statement of the rest of the
2451 * program.
2452 */
2453 sjset_data_frame_2->s.jt = snext;
2454 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2455 sjset_qos->s.k = 0x80; /* QoS bit */
2456 sappend(s, sjset_qos);
2457
2458 /*
2459 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2460 * field.
2461 * Otherwise, go to the first statement of the rest of the
2462 * program.
2463 */
2464 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2465 s2->s.k = reg_off_macpl;
2466 sappend(s, s2);
2467 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2468 s2->s.k = 2;
2469 sappend(s, s2);
2470 s2 = new_stmt(BPF_ST);
2471 s2->s.k = reg_off_macpl;
2472 sappend(s, s2);
2473
2474 /*
2475 * If we have a radiotap header, look at it to see whether
2476 * there's Atheros padding between the MAC-layer header
2477 * and the payload.
2478 *
2479 * Note: all of the fields in the radiotap header are
2480 * little-endian, so we byte-swap all of the values
2481 * we test against, as they will be loaded as big-endian
2482 * values.
2483 */
2484 if (linktype == DLT_IEEE802_11_RADIO) {
2485 /*
2486 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2487 * in the presence flag?
2488 */
2489 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2490 s2->s.k = 4;
2491 sappend(s, s2);
2492
2493 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2494 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2495 sappend(s, sjset_radiotap_flags);
2496
2497 /*
2498 * If not, skip all of this.
2499 */
2500 sjset_radiotap_flags->s.jf = snext;
2501
2502 /*
2503 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2504 */
2505 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2506 new_stmt(JMP(BPF_JSET));
2507 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2508 sappend(s, sjset_radiotap_tsft);
2509
2510 /*
2511 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2512 * at an offset of 16 from the beginning of the raw packet
2513 * data (8 bytes for the radiotap header and 8 bytes for
2514 * the TSFT field).
2515 *
2516 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2517 * is set.
2518 */
2519 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2520 s2->s.k = 16;
2521 sappend(s, s2);
2522
2523 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2524 sjset_tsft_datapad->s.k = 0x20;
2525 sappend(s, sjset_tsft_datapad);
2526
2527 /*
2528 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2529 * at an offset of 8 from the beginning of the raw packet
2530 * data (8 bytes for the radiotap header).
2531 *
2532 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2533 * is set.
2534 */
2535 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2536 s2->s.k = 8;
2537 sappend(s, s2);
2538
2539 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2540 sjset_notsft_datapad->s.k = 0x20;
2541 sappend(s, sjset_notsft_datapad);
2542
2543 /*
2544 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2545 * set, round the length of the 802.11 header to
2546 * a multiple of 4. Do that by adding 3 and then
2547 * dividing by and multiplying by 4, which we do by
2548 * ANDing with ~3.
2549 */
2550 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2551 s_roundup->s.k = reg_off_macpl;
2552 sappend(s, s_roundup);
2553 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2554 s2->s.k = 3;
2555 sappend(s, s2);
2556 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2557 s2->s.k = ~3;
2558 sappend(s, s2);
2559 s2 = new_stmt(BPF_ST);
2560 s2->s.k = reg_off_macpl;
2561 sappend(s, s2);
2562
2563 sjset_tsft_datapad->s.jt = s_roundup;
2564 sjset_tsft_datapad->s.jf = snext;
2565 sjset_notsft_datapad->s.jt = s_roundup;
2566 sjset_notsft_datapad->s.jf = snext;
2567 } else
2568 sjset_qos->s.jf = snext;
2569
2570 return s;
2571}
2572
2573static void
2574insert_compute_vloffsets(b)
2575 struct block *b;
2576{
2577 struct slist *s;
2578
2579 /*
2580 * For link-layer types that have a variable-length header
2581 * preceding the link-layer header, generate code to load
2582 * the offset of the link-layer header into the register
2583 * assigned to that offset, if any.
2584 */
2585 switch (linktype) {
2586
2587 case DLT_PRISM_HEADER:
2588 s = gen_load_prism_llprefixlen();
2589 break;
2590
2591 case DLT_IEEE802_11_RADIO_AVS:
2592 s = gen_load_avs_llprefixlen();
2593 break;
2594
2595 case DLT_IEEE802_11_RADIO:
2596 s = gen_load_radiotap_llprefixlen();
2597 break;
2598
2599 case DLT_PPI:
2600 s = gen_load_ppi_llprefixlen();
2601 break;
2602
2603 default:
2604 s = NULL;
2605 break;
2606 }
2607
2608 /*
2609 * For link-layer types that have a variable-length link-layer
2610 * header, generate code to load the offset of the MAC-layer
2611 * payload into the register assigned to that offset, if any.
2612 */
2613 switch (linktype) {
2614
2615 case DLT_IEEE802_11:
2616 case DLT_PRISM_HEADER:
2617 case DLT_IEEE802_11_RADIO_AVS:
2618 case DLT_IEEE802_11_RADIO:
2619 case DLT_PPI:
2620 s = gen_load_802_11_header_len(s, b->stmts);
2621 break;
2622 }
2623
2624 /*
2625 * If we have any offset-loading code, append all the
2626 * existing statements in the block to those statements,
2627 * and make the resulting list the list of statements
2628 * for the block.
2629 */
2630 if (s != NULL) {
2631 sappend(s, b->stmts);
2632 b->stmts = s;
2633 }
2634}
2635
2636static struct block *
2637gen_ppi_dlt_check(void)
2638{
2639 struct slist *s_load_dlt;
2640 struct block *b;
2641
2642 if (linktype == DLT_PPI)
2643 {
2644 /* Create the statements that check for the DLT
2645 */
2646 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2647 s_load_dlt->s.k = 4;
2648
2649 b = new_block(JMP(BPF_JEQ));
2650
2651 b->stmts = s_load_dlt;
2652 b->s.k = SWAPLONG(DLT_IEEE802_11);
2653 }
2654 else
2655 {
2656 b = NULL;
2657 }
2658
2659 return b;
2660}
2661
2662static struct slist *
2663gen_prism_llprefixlen(void)
2664{
2665 struct slist *s;
2666
2667 if (reg_off_ll == -1) {
2668 /*
2669 * We haven't yet assigned a register for the length
2670 * of the radio header; allocate one.
2671 */
2672 reg_off_ll = alloc_reg();
2673 }
2674
2675 /*
2676 * Load the register containing the radio length
2677 * into the X register.
2678 */
2679 s = new_stmt(BPF_LDX|BPF_MEM);
2680 s->s.k = reg_off_ll;
2681 return s;
2682}
2683
2684static struct slist *
2685gen_avs_llprefixlen(void)
2686{
2687 struct slist *s;
2688
2689 if (reg_off_ll == -1) {
2690 /*
2691 * We haven't yet assigned a register for the length
2692 * of the AVS header; allocate one.
2693 */
2694 reg_off_ll = alloc_reg();
2695 }
2696
2697 /*
2698 * Load the register containing the AVS length
2699 * into the X register.
2700 */
2701 s = new_stmt(BPF_LDX|BPF_MEM);
2702 s->s.k = reg_off_ll;
2703 return s;
2704}
2705
2706static struct slist *
2707gen_radiotap_llprefixlen(void)
2708{
2709 struct slist *s;
2710
2711 if (reg_off_ll == -1) {
2712 /*
2713 * We haven't yet assigned a register for the length
2714 * of the radiotap header; allocate one.
2715 */
2716 reg_off_ll = alloc_reg();
2717 }
2718
2719 /*
2720 * Load the register containing the radiotap length
2721 * into the X register.
2722 */
2723 s = new_stmt(BPF_LDX|BPF_MEM);
2724 s->s.k = reg_off_ll;
2725 return s;
2726}
2727
2728/*
2729 * At the moment we treat PPI as normal Radiotap encoded
2730 * packets. The difference is in the function that generates
2731 * the code at the beginning to compute the header length.
2732 * Since this code generator of PPI supports bare 802.11
2733 * encapsulation only (i.e. the encapsulated DLT should be
2734 * DLT_IEEE802_11) we generate code to check for this too.
2735 */
2736static struct slist *
2737gen_ppi_llprefixlen(void)
2738{
2739 struct slist *s;
2740
2741 if (reg_off_ll == -1) {
2742 /*
2743 * We haven't yet assigned a register for the length
2744 * of the radiotap header; allocate one.
2745 */
2746 reg_off_ll = alloc_reg();
2747 }
2748
2749 /*
2750 * Load the register containing the PPI length
2751 * into the X register.
2752 */
2753 s = new_stmt(BPF_LDX|BPF_MEM);
2754 s->s.k = reg_off_ll;
2755 return s;
2756}
2757
2758/*
2759 * Generate code to compute the link-layer header length, if necessary,
2760 * putting it into the X register, and to return either a pointer to a
2761 * "struct slist" for the list of statements in that code, or NULL if
2762 * no code is necessary.
2763 */
2764static struct slist *
2765gen_llprefixlen(void)
2766{
2767 switch (linktype) {
2768
2769 case DLT_PRISM_HEADER:
2770 return gen_prism_llprefixlen();
2771
2772 case DLT_IEEE802_11_RADIO_AVS:
2773 return gen_avs_llprefixlen();
2774
2775 case DLT_IEEE802_11_RADIO:
2776 return gen_radiotap_llprefixlen();
2777
2778 case DLT_PPI:
2779 return gen_ppi_llprefixlen();
2780
2781 default:
2782 return NULL;
2783 }
2784}
2785
2786/*
2787 * Generate code to load the register containing the offset of the
2788 * MAC-layer payload into the X register; if no register for that offset
2789 * has been allocated, allocate it first.
2790 */
2791static struct slist *
2792gen_off_macpl(void)
2793{
2794 struct slist *s;
2795
2796 if (off_macpl_is_variable) {
2797 if (reg_off_macpl == -1) {
2798 /*
2799 * We haven't yet assigned a register for the offset
2800 * of the MAC-layer payload; allocate one.
2801 */
2802 reg_off_macpl = alloc_reg();
2803 }
2804
2805 /*
2806 * Load the register containing the offset of the MAC-layer
2807 * payload into the X register.
2808 */
2809 s = new_stmt(BPF_LDX|BPF_MEM);
2810 s->s.k = reg_off_macpl;
2811 return s;
2812 } else {
2813 /*
2814 * That offset isn't variable, so we don't need to
2815 * generate any code.
2816 */
2817 return NULL;
2818 }
2819}
2820
2821/*
2822 * Map an Ethernet type to the equivalent PPP type.
2823 */
2824static int
2825ethertype_to_ppptype(proto)
2826 int proto;
2827{
2828 switch (proto) {
2829
2830 case ETHERTYPE_IP:
2831 proto = PPP_IP;
2832 break;
2833
2834#ifdef INET6
2835 case ETHERTYPE_IPV6:
2836 proto = PPP_IPV6;
2837 break;
2838#endif
2839
2840 case ETHERTYPE_DN:
2841 proto = PPP_DECNET;
2842 break;
2843
2844 case ETHERTYPE_ATALK:
2845 proto = PPP_APPLE;
2846 break;
2847
2848 case ETHERTYPE_NS:
2849 proto = PPP_NS;
2850 break;
2851
2852 case LLCSAP_ISONS:
2853 proto = PPP_OSI;
2854 break;
2855
2856 case LLCSAP_8021D:
2857 /*
2858 * I'm assuming the "Bridging PDU"s that go
2859 * over PPP are Spanning Tree Protocol
2860 * Bridging PDUs.
2861 */
2862 proto = PPP_BRPDU;
2863 break;
2864
2865 case LLCSAP_IPX:
2866 proto = PPP_IPX;
2867 break;
2868 }
2869 return (proto);
2870}
2871
2872/*
2873 * Generate code to match a particular packet type by matching the
2874 * link-layer type field or fields in the 802.2 LLC header.
2875 *
2876 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2877 * value, if <= ETHERMTU.
2878 */
2879static struct block *
2880gen_linktype(proto)
2881 register int proto;
2882{
2883 struct block *b0, *b1, *b2;
2884
2885 /* are we checking MPLS-encapsulated packets? */
2886 if (label_stack_depth > 0) {
2887 switch (proto) {
2888 case ETHERTYPE_IP:
2889 case PPP_IP:
2890 /* FIXME add other L3 proto IDs */
2891 return gen_mpls_linktype(Q_IP);
2892
2893 case ETHERTYPE_IPV6:
2894 case PPP_IPV6:
2895 /* FIXME add other L3 proto IDs */
2896 return gen_mpls_linktype(Q_IPV6);
2897
2898 default:
2899 bpf_error("unsupported protocol over mpls");
2900 /* NOTREACHED */
2901 }
2902 }
2903
2904 /*
2905 * Are we testing PPPoE packets?
2906 */
2907 if (is_pppoes) {
2908 /*
2909 * The PPPoE session header is part of the
2910 * MAC-layer payload, so all references
2911 * should be relative to the beginning of
2912 * that payload.
2913 */
2914
2915 /*
2916 * We use Ethernet protocol types inside libpcap;
2917 * map them to the corresponding PPP protocol types.
2918 */
2919 proto = ethertype_to_ppptype(proto);
2920 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
2921 }
2922
2923 switch (linktype) {
2924
2925 case DLT_EN10MB:
2926 case DLT_NETANALYZER:
2927 case DLT_NETANALYZER_TRANSPARENT:
2928 return gen_ether_linktype(proto);
2929 /*NOTREACHED*/
2930 break;
2931
2932 case DLT_C_HDLC:
2933 switch (proto) {
2934
2935 case LLCSAP_ISONS:
2936 proto = (proto << 8 | LLCSAP_ISONS);
2937 /* fall through */
2938
2939 default:
2940 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2941 (bpf_int32)proto);
2942 /*NOTREACHED*/
2943 break;
2944 }
2945 break;
2946
2947 case DLT_IEEE802_11:
2948 case DLT_PRISM_HEADER:
2949 case DLT_IEEE802_11_RADIO_AVS:
2950 case DLT_IEEE802_11_RADIO:
2951 case DLT_PPI:
2952 /*
2953 * Check that we have a data frame.
2954 */
2955 b0 = gen_check_802_11_data_frame();
2956
2957 /*
2958 * Now check for the specified link-layer type.
2959 */
2960 b1 = gen_llc_linktype(proto);
2961 gen_and(b0, b1);
2962 return b1;
2963 /*NOTREACHED*/
2964 break;
2965
2966 case DLT_FDDI:
2967 /*
2968 * XXX - check for asynchronous frames, as per RFC 1103.
2969 */
2970 return gen_llc_linktype(proto);
2971 /*NOTREACHED*/
2972 break;
2973
2974 case DLT_IEEE802:
2975 /*
2976 * XXX - check for LLC PDUs, as per IEEE 802.5.
2977 */
2978 return gen_llc_linktype(proto);
2979 /*NOTREACHED*/
2980 break;
2981
2982 case DLT_ATM_RFC1483:
2983 case DLT_ATM_CLIP:
2984 case DLT_IP_OVER_FC:
2985 return gen_llc_linktype(proto);
2986 /*NOTREACHED*/
2987 break;
2988
2989 case DLT_SUNATM:
2990 /*
2991 * If "is_lane" is set, check for a LANE-encapsulated
2992 * version of this protocol, otherwise check for an
2993 * LLC-encapsulated version of this protocol.
2994 *
2995 * We assume LANE means Ethernet, not Token Ring.
2996 */
2997 if (is_lane) {
2998 /*
2999 * Check that the packet doesn't begin with an
3000 * LE Control marker. (We've already generated
3001 * a test for LANE.)
3002 */
3003 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3004 0xFF00);
3005 gen_not(b0);
3006
3007 /*
3008 * Now generate an Ethernet test.
3009 */
3010 b1 = gen_ether_linktype(proto);
3011 gen_and(b0, b1);
3012 return b1;
3013 } else {
3014 /*
3015 * Check for LLC encapsulation and then check the
3016 * protocol.
3017 */
3018 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3019 b1 = gen_llc_linktype(proto);
3020 gen_and(b0, b1);
3021 return b1;
3022 }
3023 /*NOTREACHED*/
3024 break;
3025
3026 case DLT_LINUX_SLL:
3027 return gen_linux_sll_linktype(proto);
3028 /*NOTREACHED*/
3029 break;
3030
3031 case DLT_SLIP:
3032 case DLT_SLIP_BSDOS:
3033 case DLT_RAW:
3034 /*
3035 * These types don't provide any type field; packets
3036 * are always IPv4 or IPv6.
3037 *
3038 * XXX - for IPv4, check for a version number of 4, and,
3039 * for IPv6, check for a version number of 6?
3040 */
3041 switch (proto) {
3042
3043 case ETHERTYPE_IP:
3044 /* Check for a version number of 4. */
3045 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3046#ifdef INET6
3047 case ETHERTYPE_IPV6:
3048 /* Check for a version number of 6. */
3049 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3050#endif
3051
3052 default:
3053 return gen_false(); /* always false */
3054 }
3055 /*NOTREACHED*/
3056 break;
3057
3058 case DLT_IPV4:
3059 /*
3060 * Raw IPv4, so no type field.
3061 */
3062 if (proto == ETHERTYPE_IP)
3063 return gen_true(); /* always true */
3064
3065 /* Checking for something other than IPv4; always false */
3066 return gen_false();
3067 /*NOTREACHED*/
3068 break;
3069
3070 case DLT_IPV6:
3071 /*
3072 * Raw IPv6, so no type field.
3073 */
3074#ifdef INET6
3075 if (proto == ETHERTYPE_IPV6)
3076 return gen_true(); /* always true */
3077#endif
3078
3079 /* Checking for something other than IPv6; always false */
3080 return gen_false();
3081 /*NOTREACHED*/
3082 break;
3083
3084 case DLT_PPP:
3085 case DLT_PPP_PPPD:
3086 case DLT_PPP_SERIAL:
3087 case DLT_PPP_ETHER:
3088 /*
3089 * We use Ethernet protocol types inside libpcap;
3090 * map them to the corresponding PPP protocol types.
3091 */
3092 proto = ethertype_to_ppptype(proto);
3093 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3094 /*NOTREACHED*/
3095 break;
3096
3097 case DLT_PPP_BSDOS:
3098 /*
3099 * We use Ethernet protocol types inside libpcap;
3100 * map them to the corresponding PPP protocol types.
3101 */
3102 switch (proto) {
3103
3104 case ETHERTYPE_IP:
3105 /*
3106 * Also check for Van Jacobson-compressed IP.
3107 * XXX - do this for other forms of PPP?
3108 */
3109 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3110 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3111 gen_or(b0, b1);
3112 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3113 gen_or(b1, b0);
3114 return b0;
3115
3116 default:
3117 proto = ethertype_to_ppptype(proto);
3118 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3119 (bpf_int32)proto);
3120 }
3121 /*NOTREACHED*/
3122 break;
3123
3124 case DLT_NULL:
3125 case DLT_LOOP:
3126 case DLT_ENC:
3127 /*
3128 * For DLT_NULL, the link-layer header is a 32-bit
3129 * word containing an AF_ value in *host* byte order,
3130 * and for DLT_ENC, the link-layer header begins
3131 * with a 32-bit work containing an AF_ value in
3132 * host byte order.
3133 *
3134 * In addition, if we're reading a saved capture file,
3135 * the host byte order in the capture may not be the
3136 * same as the host byte order on this machine.
3137 *
3138 * For DLT_LOOP, the link-layer header is a 32-bit
3139 * word containing an AF_ value in *network* byte order.
3140 *
3141 * XXX - AF_ values may, unfortunately, be platform-
3142 * dependent; for example, FreeBSD's AF_INET6 is 24
3143 * whilst NetBSD's and OpenBSD's is 26.
3144 *
3145 * This means that, when reading a capture file, just
3146 * checking for our AF_INET6 value won't work if the
3147 * capture file came from another OS.
3148 */
3149 switch (proto) {
3150
3151 case ETHERTYPE_IP:
3152 proto = AF_INET;
3153 break;
3154
3155#ifdef INET6
3156 case ETHERTYPE_IPV6:
3157 proto = AF_INET6;
3158 break;
3159#endif
3160
3161 default:
3162 /*
3163 * Not a type on which we support filtering.
3164 * XXX - support those that have AF_ values
3165 * #defined on this platform, at least?
3166 */
3167 return gen_false();
3168 }
3169
3170 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3171 /*
3172 * The AF_ value is in host byte order, but
3173 * the BPF interpreter will convert it to
3174 * network byte order.
3175 *
3176 * If this is a save file, and it's from a
3177 * machine with the opposite byte order to
3178 * ours, we byte-swap the AF_ value.
3179 *
3180 * Then we run it through "htonl()", and
3181 * generate code to compare against the result.
3182 */
3183 if (bpf_pcap->sf.rfile != NULL &&
3184 bpf_pcap->sf.swapped)
3185 proto = SWAPLONG(proto);
3186 proto = htonl(proto);
3187 }
3188 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3189
3190#ifdef HAVE_NET_PFVAR_H
3191 case DLT_PFLOG:
3192 /*
3193 * af field is host byte order in contrast to the rest of
3194 * the packet.
3195 */
3196 if (proto == ETHERTYPE_IP)
3197 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3198 BPF_B, (bpf_int32)AF_INET));
3199#ifdef INET6
3200 else if (proto == ETHERTYPE_IPV6)
3201 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3202 BPF_B, (bpf_int32)AF_INET6));
3203#endif /* INET6 */
3204 else
3205 return gen_false();
3206 /*NOTREACHED*/
3207 break;
3208#endif /* HAVE_NET_PFVAR_H */
3209
3210 case DLT_ARCNET:
3211 case DLT_ARCNET_LINUX:
3212 /*
3213 * XXX should we check for first fragment if the protocol
3214 * uses PHDS?
3215 */
3216 switch (proto) {
3217
3218 default:
3219 return gen_false();
3220
3221#ifdef INET6
3222 case ETHERTYPE_IPV6:
3223 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3224 (bpf_int32)ARCTYPE_INET6));
3225#endif /* INET6 */
3226
3227 case ETHERTYPE_IP:
3228 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3229 (bpf_int32)ARCTYPE_IP);
3230 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3231 (bpf_int32)ARCTYPE_IP_OLD);
3232 gen_or(b0, b1);
3233 return (b1);
3234
3235 case ETHERTYPE_ARP:
3236 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3237 (bpf_int32)ARCTYPE_ARP);
3238 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3239 (bpf_int32)ARCTYPE_ARP_OLD);
3240 gen_or(b0, b1);
3241 return (b1);
3242
3243 case ETHERTYPE_REVARP:
3244 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3245 (bpf_int32)ARCTYPE_REVARP));
3246
3247 case ETHERTYPE_ATALK:
3248 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3249 (bpf_int32)ARCTYPE_ATALK));
3250 }
3251 /*NOTREACHED*/
3252 break;
3253
3254 case DLT_LTALK:
3255 switch (proto) {
3256 case ETHERTYPE_ATALK:
3257 return gen_true();
3258 default:
3259 return gen_false();
3260 }
3261 /*NOTREACHED*/
3262 break;
3263
3264 case DLT_FRELAY:
3265 /*
3266 * XXX - assumes a 2-byte Frame Relay header with
3267 * DLCI and flags. What if the address is longer?
3268 */
3269 switch (proto) {
3270
3271 case ETHERTYPE_IP:
3272 /*
3273 * Check for the special NLPID for IP.
3274 */
3275 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3276
3277#ifdef INET6
3278 case ETHERTYPE_IPV6:
3279 /*
3280 * Check for the special NLPID for IPv6.
3281 */
3282 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3283#endif
3284
3285 case LLCSAP_ISONS:
3286 /*
3287 * Check for several OSI protocols.
3288 *
3289 * Frame Relay packets typically have an OSI
3290 * NLPID at the beginning; we check for each
3291 * of them.
3292 *
3293 * What we check for is the NLPID and a frame
3294 * control field of UI, i.e. 0x03 followed
3295 * by the NLPID.
3296 */
3297 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3298 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3299 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3300 gen_or(b1, b2);
3301 gen_or(b0, b2);
3302 return b2;
3303
3304 default:
3305 return gen_false();
3306 }
3307 /*NOTREACHED*/
3308 break;
3309
3310 case DLT_MFR:
3311 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3312
3313 case DLT_JUNIPER_MFR:
3314 case DLT_JUNIPER_MLFR:
3315 case DLT_JUNIPER_MLPPP:
3316 case DLT_JUNIPER_ATM1:
3317 case DLT_JUNIPER_ATM2:
3318 case DLT_JUNIPER_PPPOE:
3319 case DLT_JUNIPER_PPPOE_ATM:
3320 case DLT_JUNIPER_GGSN:
3321 case DLT_JUNIPER_ES:
3322 case DLT_JUNIPER_MONITOR:
3323 case DLT_JUNIPER_SERVICES:
3324 case DLT_JUNIPER_ETHER:
3325 case DLT_JUNIPER_PPP:
3326 case DLT_JUNIPER_FRELAY:
3327 case DLT_JUNIPER_CHDLC:
3328 case DLT_JUNIPER_VP:
3329 case DLT_JUNIPER_ST:
3330 case DLT_JUNIPER_ISM:
3331 case DLT_JUNIPER_VS:
3332 case DLT_JUNIPER_SRX_E2E:
3333 case DLT_JUNIPER_FIBRECHANNEL:
3334 case DLT_JUNIPER_ATM_CEMIC:
3335
3336 /* just lets verify the magic number for now -
3337 * on ATM we may have up to 6 different encapsulations on the wire
3338 * and need a lot of heuristics to figure out that the payload
3339 * might be;
3340 *
3341 * FIXME encapsulation specific BPF_ filters
3342 */
3343 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3344
3345 case DLT_IPNET:
3346 return gen_ipnet_linktype(proto);
3347
3348 case DLT_LINUX_IRDA:
3349 bpf_error("IrDA link-layer type filtering not implemented");
3350
3351 case DLT_DOCSIS:
3352 bpf_error("DOCSIS link-layer type filtering not implemented");
3353
3354 case DLT_MTP2:
3355 case DLT_MTP2_WITH_PHDR:
3356 bpf_error("MTP2 link-layer type filtering not implemented");
3357
3358 case DLT_ERF:
3359 bpf_error("ERF link-layer type filtering not implemented");
3360
| 1409
1410 case DLT_AX25_KISS:
1411 /*
1412 * Currently, only raw "link[N:M]" filtering is supported.
1413 */
1414 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1415 off_macpl = -1;
1416 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1417 off_nl_nosnap = -1; /* no 802.2 LLC */
1418 off_mac = 1; /* step over the kiss length byte */
1419 return;
1420
1421 case DLT_IPNET:
1422 off_linktype = 1;
1423 off_macpl = 24; /* ipnet header length */
1424 off_nl = 0;
1425 off_nl_nosnap = -1;
1426 return;
1427
1428 case DLT_NETANALYZER:
1429 off_mac = 4; /* MAC header is past 4-byte pseudo-header */
1430 off_linktype = 16; /* includes 4-byte pseudo-header */
1431 off_macpl = 18; /* pseudo-header+Ethernet header length */
1432 off_nl = 0; /* Ethernet II */
1433 off_nl_nosnap = 3; /* 802.3+802.2 */
1434 return;
1435
1436 case DLT_NETANALYZER_TRANSPARENT:
1437 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1438 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */
1439 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */
1440 off_nl = 0; /* Ethernet II */
1441 off_nl_nosnap = 3; /* 802.3+802.2 */
1442 return;
1443
1444 default:
1445 /*
1446 * For values in the range in which we've assigned new
1447 * DLT_ values, only raw "link[N:M]" filtering is supported.
1448 */
1449 if (linktype >= DLT_MATCHING_MIN &&
1450 linktype <= DLT_MATCHING_MAX) {
1451 off_linktype = -1;
1452 off_macpl = -1;
1453 off_nl = -1;
1454 off_nl_nosnap = -1;
1455 return;
1456 }
1457
1458 }
1459 bpf_error("unknown data link type %d", linktype);
1460 /* NOTREACHED */
1461}
1462
1463/*
1464 * Load a value relative to the beginning of the link-layer header.
1465 * The link-layer header doesn't necessarily begin at the beginning
1466 * of the packet data; there might be a variable-length prefix containing
1467 * radio information.
1468 */
1469static struct slist *
1470gen_load_llrel(offset, size)
1471 u_int offset, size;
1472{
1473 struct slist *s, *s2;
1474
1475 s = gen_llprefixlen();
1476
1477 /*
1478 * If "s" is non-null, it has code to arrange that the X register
1479 * contains the length of the prefix preceding the link-layer
1480 * header.
1481 *
1482 * Otherwise, the length of the prefix preceding the link-layer
1483 * header is "off_ll".
1484 */
1485 if (s != NULL) {
1486 /*
1487 * There's a variable-length prefix preceding the
1488 * link-layer header. "s" points to a list of statements
1489 * that put the length of that prefix into the X register.
1490 * do an indirect load, to use the X register as an offset.
1491 */
1492 s2 = new_stmt(BPF_LD|BPF_IND|size);
1493 s2->s.k = offset;
1494 sappend(s, s2);
1495 } else {
1496 /*
1497 * There is no variable-length header preceding the
1498 * link-layer header; add in off_ll, which, if there's
1499 * a fixed-length header preceding the link-layer header,
1500 * is the length of that header.
1501 */
1502 s = new_stmt(BPF_LD|BPF_ABS|size);
1503 s->s.k = offset + off_ll;
1504 }
1505 return s;
1506}
1507
1508/*
1509 * Load a value relative to the beginning of the MAC-layer payload.
1510 */
1511static struct slist *
1512gen_load_macplrel(offset, size)
1513 u_int offset, size;
1514{
1515 struct slist *s, *s2;
1516
1517 s = gen_off_macpl();
1518
1519 /*
1520 * If s is non-null, the offset of the MAC-layer payload is
1521 * variable, and s points to a list of instructions that
1522 * arrange that the X register contains that offset.
1523 *
1524 * Otherwise, the offset of the MAC-layer payload is constant,
1525 * and is in off_macpl.
1526 */
1527 if (s != NULL) {
1528 /*
1529 * The offset of the MAC-layer payload is in the X
1530 * register. Do an indirect load, to use the X register
1531 * as an offset.
1532 */
1533 s2 = new_stmt(BPF_LD|BPF_IND|size);
1534 s2->s.k = offset;
1535 sappend(s, s2);
1536 } else {
1537 /*
1538 * The offset of the MAC-layer payload is constant,
1539 * and is in off_macpl; load the value at that offset
1540 * plus the specified offset.
1541 */
1542 s = new_stmt(BPF_LD|BPF_ABS|size);
1543 s->s.k = off_macpl + offset;
1544 }
1545 return s;
1546}
1547
1548/*
1549 * Load a value relative to the beginning of the specified header.
1550 */
1551static struct slist *
1552gen_load_a(offrel, offset, size)
1553 enum e_offrel offrel;
1554 u_int offset, size;
1555{
1556 struct slist *s, *s2;
1557
1558 switch (offrel) {
1559
1560 case OR_PACKET:
1561 s = new_stmt(BPF_LD|BPF_ABS|size);
1562 s->s.k = offset;
1563 break;
1564
1565 case OR_LINK:
1566 s = gen_load_llrel(offset, size);
1567 break;
1568
1569 case OR_MACPL:
1570 s = gen_load_macplrel(offset, size);
1571 break;
1572
1573 case OR_NET:
1574 s = gen_load_macplrel(off_nl + offset, size);
1575 break;
1576
1577 case OR_NET_NOSNAP:
1578 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1579 break;
1580
1581 case OR_TRAN_IPV4:
1582 /*
1583 * Load the X register with the length of the IPv4 header
1584 * (plus the offset of the link-layer header, if it's
1585 * preceded by a variable-length header such as a radio
1586 * header), in bytes.
1587 */
1588 s = gen_loadx_iphdrlen();
1589
1590 /*
1591 * Load the item at {offset of the MAC-layer payload} +
1592 * {offset, relative to the start of the MAC-layer
1593 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1594 * {specified offset}.
1595 *
1596 * (If the offset of the MAC-layer payload is variable,
1597 * it's included in the value in the X register, and
1598 * off_macpl is 0.)
1599 */
1600 s2 = new_stmt(BPF_LD|BPF_IND|size);
1601 s2->s.k = off_macpl + off_nl + offset;
1602 sappend(s, s2);
1603 break;
1604
1605 case OR_TRAN_IPV6:
1606 s = gen_load_macplrel(off_nl + 40 + offset, size);
1607 break;
1608
1609 default:
1610 abort();
1611 return NULL;
1612 }
1613 return s;
1614}
1615
1616/*
1617 * Generate code to load into the X register the sum of the length of
1618 * the IPv4 header and any variable-length header preceding the link-layer
1619 * header.
1620 */
1621static struct slist *
1622gen_loadx_iphdrlen()
1623{
1624 struct slist *s, *s2;
1625
1626 s = gen_off_macpl();
1627 if (s != NULL) {
1628 /*
1629 * There's a variable-length prefix preceding the
1630 * link-layer header, or the link-layer header is itself
1631 * variable-length. "s" points to a list of statements
1632 * that put the offset of the MAC-layer payload into
1633 * the X register.
1634 *
1635 * The 4*([k]&0xf) addressing mode can't be used, as we
1636 * don't have a constant offset, so we have to load the
1637 * value in question into the A register and add to it
1638 * the value from the X register.
1639 */
1640 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1641 s2->s.k = off_nl;
1642 sappend(s, s2);
1643 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1644 s2->s.k = 0xf;
1645 sappend(s, s2);
1646 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1647 s2->s.k = 2;
1648 sappend(s, s2);
1649
1650 /*
1651 * The A register now contains the length of the
1652 * IP header. We need to add to it the offset of
1653 * the MAC-layer payload, which is still in the X
1654 * register, and move the result into the X register.
1655 */
1656 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1657 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1658 } else {
1659 /*
1660 * There is no variable-length header preceding the
1661 * link-layer header, and the link-layer header is
1662 * fixed-length; load the length of the IPv4 header,
1663 * which is at an offset of off_nl from the beginning
1664 * of the MAC-layer payload, and thus at an offset
1665 * of off_mac_pl + off_nl from the beginning of the
1666 * raw packet data.
1667 */
1668 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1669 s->s.k = off_macpl + off_nl;
1670 }
1671 return s;
1672}
1673
1674static struct block *
1675gen_uncond(rsense)
1676 int rsense;
1677{
1678 struct block *b;
1679 struct slist *s;
1680
1681 s = new_stmt(BPF_LD|BPF_IMM);
1682 s->s.k = !rsense;
1683 b = new_block(JMP(BPF_JEQ));
1684 b->stmts = s;
1685
1686 return b;
1687}
1688
1689static inline struct block *
1690gen_true()
1691{
1692 return gen_uncond(1);
1693}
1694
1695static inline struct block *
1696gen_false()
1697{
1698 return gen_uncond(0);
1699}
1700
1701/*
1702 * Byte-swap a 32-bit number.
1703 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1704 * big-endian platforms.)
1705 */
1706#define SWAPLONG(y) \
1707((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1708
1709/*
1710 * Generate code to match a particular packet type.
1711 *
1712 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1713 * value, if <= ETHERMTU. We use that to determine whether to
1714 * match the type/length field or to check the type/length field for
1715 * a value <= ETHERMTU to see whether it's a type field and then do
1716 * the appropriate test.
1717 */
1718static struct block *
1719gen_ether_linktype(proto)
1720 register int proto;
1721{
1722 struct block *b0, *b1;
1723
1724 switch (proto) {
1725
1726 case LLCSAP_ISONS:
1727 case LLCSAP_IP:
1728 case LLCSAP_NETBEUI:
1729 /*
1730 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1731 * so we check the DSAP and SSAP.
1732 *
1733 * LLCSAP_IP checks for IP-over-802.2, rather
1734 * than IP-over-Ethernet or IP-over-SNAP.
1735 *
1736 * XXX - should we check both the DSAP and the
1737 * SSAP, like this, or should we check just the
1738 * DSAP, as we do for other types <= ETHERMTU
1739 * (i.e., other SAP values)?
1740 */
1741 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1742 gen_not(b0);
1743 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1744 ((proto << 8) | proto));
1745 gen_and(b0, b1);
1746 return b1;
1747
1748 case LLCSAP_IPX:
1749 /*
1750 * Check for;
1751 *
1752 * Ethernet_II frames, which are Ethernet
1753 * frames with a frame type of ETHERTYPE_IPX;
1754 *
1755 * Ethernet_802.3 frames, which are 802.3
1756 * frames (i.e., the type/length field is
1757 * a length field, <= ETHERMTU, rather than
1758 * a type field) with the first two bytes
1759 * after the Ethernet/802.3 header being
1760 * 0xFFFF;
1761 *
1762 * Ethernet_802.2 frames, which are 802.3
1763 * frames with an 802.2 LLC header and
1764 * with the IPX LSAP as the DSAP in the LLC
1765 * header;
1766 *
1767 * Ethernet_SNAP frames, which are 802.3
1768 * frames with an LLC header and a SNAP
1769 * header and with an OUI of 0x000000
1770 * (encapsulated Ethernet) and a protocol
1771 * ID of ETHERTYPE_IPX in the SNAP header.
1772 *
1773 * XXX - should we generate the same code both
1774 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1775 */
1776
1777 /*
1778 * This generates code to check both for the
1779 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1780 */
1781 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1782 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1783 gen_or(b0, b1);
1784
1785 /*
1786 * Now we add code to check for SNAP frames with
1787 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1788 */
1789 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1790 gen_or(b0, b1);
1791
1792 /*
1793 * Now we generate code to check for 802.3
1794 * frames in general.
1795 */
1796 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1797 gen_not(b0);
1798
1799 /*
1800 * Now add the check for 802.3 frames before the
1801 * check for Ethernet_802.2 and Ethernet_802.3,
1802 * as those checks should only be done on 802.3
1803 * frames, not on Ethernet frames.
1804 */
1805 gen_and(b0, b1);
1806
1807 /*
1808 * Now add the check for Ethernet_II frames, and
1809 * do that before checking for the other frame
1810 * types.
1811 */
1812 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1813 (bpf_int32)ETHERTYPE_IPX);
1814 gen_or(b0, b1);
1815 return b1;
1816
1817 case ETHERTYPE_ATALK:
1818 case ETHERTYPE_AARP:
1819 /*
1820 * EtherTalk (AppleTalk protocols on Ethernet link
1821 * layer) may use 802.2 encapsulation.
1822 */
1823
1824 /*
1825 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1826 * we check for an Ethernet type field less than
1827 * 1500, which means it's an 802.3 length field.
1828 */
1829 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1830 gen_not(b0);
1831
1832 /*
1833 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1834 * SNAP packets with an organization code of
1835 * 0x080007 (Apple, for Appletalk) and a protocol
1836 * type of ETHERTYPE_ATALK (Appletalk).
1837 *
1838 * 802.2-encapsulated ETHERTYPE_AARP packets are
1839 * SNAP packets with an organization code of
1840 * 0x000000 (encapsulated Ethernet) and a protocol
1841 * type of ETHERTYPE_AARP (Appletalk ARP).
1842 */
1843 if (proto == ETHERTYPE_ATALK)
1844 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1845 else /* proto == ETHERTYPE_AARP */
1846 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1847 gen_and(b0, b1);
1848
1849 /*
1850 * Check for Ethernet encapsulation (Ethertalk
1851 * phase 1?); we just check for the Ethernet
1852 * protocol type.
1853 */
1854 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1855
1856 gen_or(b0, b1);
1857 return b1;
1858
1859 default:
1860 if (proto <= ETHERMTU) {
1861 /*
1862 * This is an LLC SAP value, so the frames
1863 * that match would be 802.2 frames.
1864 * Check that the frame is an 802.2 frame
1865 * (i.e., that the length/type field is
1866 * a length field, <= ETHERMTU) and
1867 * then check the DSAP.
1868 */
1869 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1870 gen_not(b0);
1871 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1872 (bpf_int32)proto);
1873 gen_and(b0, b1);
1874 return b1;
1875 } else {
1876 /*
1877 * This is an Ethernet type, so compare
1878 * the length/type field with it (if
1879 * the frame is an 802.2 frame, the length
1880 * field will be <= ETHERMTU, and, as
1881 * "proto" is > ETHERMTU, this test
1882 * will fail and the frame won't match,
1883 * which is what we want).
1884 */
1885 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1886 (bpf_int32)proto);
1887 }
1888 }
1889}
1890
1891/*
1892 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1893 * or IPv6 then we have an error.
1894 */
1895static struct block *
1896gen_ipnet_linktype(proto)
1897 register int proto;
1898{
1899 switch (proto) {
1900
1901 case ETHERTYPE_IP:
1902 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1903 (bpf_int32)IPH_AF_INET);
1904 /* NOTREACHED */
1905
1906 case ETHERTYPE_IPV6:
1907 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1908 (bpf_int32)IPH_AF_INET6);
1909 /* NOTREACHED */
1910
1911 default:
1912 break;
1913 }
1914
1915 return gen_false();
1916}
1917
1918/*
1919 * Generate code to match a particular packet type.
1920 *
1921 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1922 * value, if <= ETHERMTU. We use that to determine whether to
1923 * match the type field or to check the type field for the special
1924 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1925 */
1926static struct block *
1927gen_linux_sll_linktype(proto)
1928 register int proto;
1929{
1930 struct block *b0, *b1;
1931
1932 switch (proto) {
1933
1934 case LLCSAP_ISONS:
1935 case LLCSAP_IP:
1936 case LLCSAP_NETBEUI:
1937 /*
1938 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1939 * so we check the DSAP and SSAP.
1940 *
1941 * LLCSAP_IP checks for IP-over-802.2, rather
1942 * than IP-over-Ethernet or IP-over-SNAP.
1943 *
1944 * XXX - should we check both the DSAP and the
1945 * SSAP, like this, or should we check just the
1946 * DSAP, as we do for other types <= ETHERMTU
1947 * (i.e., other SAP values)?
1948 */
1949 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1950 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1951 ((proto << 8) | proto));
1952 gen_and(b0, b1);
1953 return b1;
1954
1955 case LLCSAP_IPX:
1956 /*
1957 * Ethernet_II frames, which are Ethernet
1958 * frames with a frame type of ETHERTYPE_IPX;
1959 *
1960 * Ethernet_802.3 frames, which have a frame
1961 * type of LINUX_SLL_P_802_3;
1962 *
1963 * Ethernet_802.2 frames, which are 802.3
1964 * frames with an 802.2 LLC header (i.e, have
1965 * a frame type of LINUX_SLL_P_802_2) and
1966 * with the IPX LSAP as the DSAP in the LLC
1967 * header;
1968 *
1969 * Ethernet_SNAP frames, which are 802.3
1970 * frames with an LLC header and a SNAP
1971 * header and with an OUI of 0x000000
1972 * (encapsulated Ethernet) and a protocol
1973 * ID of ETHERTYPE_IPX in the SNAP header.
1974 *
1975 * First, do the checks on LINUX_SLL_P_802_2
1976 * frames; generate the check for either
1977 * Ethernet_802.2 or Ethernet_SNAP frames, and
1978 * then put a check for LINUX_SLL_P_802_2 frames
1979 * before it.
1980 */
1981 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1982 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
1983 gen_or(b0, b1);
1984 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1985 gen_and(b0, b1);
1986
1987 /*
1988 * Now check for 802.3 frames and OR that with
1989 * the previous test.
1990 */
1991 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1992 gen_or(b0, b1);
1993
1994 /*
1995 * Now add the check for Ethernet_II frames, and
1996 * do that before checking for the other frame
1997 * types.
1998 */
1999 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2000 (bpf_int32)ETHERTYPE_IPX);
2001 gen_or(b0, b1);
2002 return b1;
2003
2004 case ETHERTYPE_ATALK:
2005 case ETHERTYPE_AARP:
2006 /*
2007 * EtherTalk (AppleTalk protocols on Ethernet link
2008 * layer) may use 802.2 encapsulation.
2009 */
2010
2011 /*
2012 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2013 * we check for the 802.2 protocol type in the
2014 * "Ethernet type" field.
2015 */
2016 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2017
2018 /*
2019 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2020 * SNAP packets with an organization code of
2021 * 0x080007 (Apple, for Appletalk) and a protocol
2022 * type of ETHERTYPE_ATALK (Appletalk).
2023 *
2024 * 802.2-encapsulated ETHERTYPE_AARP packets are
2025 * SNAP packets with an organization code of
2026 * 0x000000 (encapsulated Ethernet) and a protocol
2027 * type of ETHERTYPE_AARP (Appletalk ARP).
2028 */
2029 if (proto == ETHERTYPE_ATALK)
2030 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2031 else /* proto == ETHERTYPE_AARP */
2032 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2033 gen_and(b0, b1);
2034
2035 /*
2036 * Check for Ethernet encapsulation (Ethertalk
2037 * phase 1?); we just check for the Ethernet
2038 * protocol type.
2039 */
2040 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2041
2042 gen_or(b0, b1);
2043 return b1;
2044
2045 default:
2046 if (proto <= ETHERMTU) {
2047 /*
2048 * This is an LLC SAP value, so the frames
2049 * that match would be 802.2 frames.
2050 * Check for the 802.2 protocol type
2051 * in the "Ethernet type" field, and
2052 * then check the DSAP.
2053 */
2054 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2055 LINUX_SLL_P_802_2);
2056 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2057 (bpf_int32)proto);
2058 gen_and(b0, b1);
2059 return b1;
2060 } else {
2061 /*
2062 * This is an Ethernet type, so compare
2063 * the length/type field with it (if
2064 * the frame is an 802.2 frame, the length
2065 * field will be <= ETHERMTU, and, as
2066 * "proto" is > ETHERMTU, this test
2067 * will fail and the frame won't match,
2068 * which is what we want).
2069 */
2070 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2071 (bpf_int32)proto);
2072 }
2073 }
2074}
2075
2076static struct slist *
2077gen_load_prism_llprefixlen()
2078{
2079 struct slist *s1, *s2;
2080 struct slist *sjeq_avs_cookie;
2081 struct slist *sjcommon;
2082
2083 /*
2084 * This code is not compatible with the optimizer, as
2085 * we are generating jmp instructions within a normal
2086 * slist of instructions
2087 */
2088 no_optimize = 1;
2089
2090 /*
2091 * Generate code to load the length of the radio header into
2092 * the register assigned to hold that length, if one has been
2093 * assigned. (If one hasn't been assigned, no code we've
2094 * generated uses that prefix, so we don't need to generate any
2095 * code to load it.)
2096 *
2097 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2098 * or always use the AVS header rather than the Prism header.
2099 * We load a 4-byte big-endian value at the beginning of the
2100 * raw packet data, and see whether, when masked with 0xFFFFF000,
2101 * it's equal to 0x80211000. If so, that indicates that it's
2102 * an AVS header (the masked-out bits are the version number).
2103 * Otherwise, it's a Prism header.
2104 *
2105 * XXX - the Prism header is also, in theory, variable-length,
2106 * but no known software generates headers that aren't 144
2107 * bytes long.
2108 */
2109 if (reg_off_ll != -1) {
2110 /*
2111 * Load the cookie.
2112 */
2113 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2114 s1->s.k = 0;
2115
2116 /*
2117 * AND it with 0xFFFFF000.
2118 */
2119 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2120 s2->s.k = 0xFFFFF000;
2121 sappend(s1, s2);
2122
2123 /*
2124 * Compare with 0x80211000.
2125 */
2126 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2127 sjeq_avs_cookie->s.k = 0x80211000;
2128 sappend(s1, sjeq_avs_cookie);
2129
2130 /*
2131 * If it's AVS:
2132 *
2133 * The 4 bytes at an offset of 4 from the beginning of
2134 * the AVS header are the length of the AVS header.
2135 * That field is big-endian.
2136 */
2137 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2138 s2->s.k = 4;
2139 sappend(s1, s2);
2140 sjeq_avs_cookie->s.jt = s2;
2141
2142 /*
2143 * Now jump to the code to allocate a register
2144 * into which to save the header length and
2145 * store the length there. (The "jump always"
2146 * instruction needs to have the k field set;
2147 * it's added to the PC, so, as we're jumping
2148 * over a single instruction, it should be 1.)
2149 */
2150 sjcommon = new_stmt(JMP(BPF_JA));
2151 sjcommon->s.k = 1;
2152 sappend(s1, sjcommon);
2153
2154 /*
2155 * Now for the code that handles the Prism header.
2156 * Just load the length of the Prism header (144)
2157 * into the A register. Have the test for an AVS
2158 * header branch here if we don't have an AVS header.
2159 */
2160 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2161 s2->s.k = 144;
2162 sappend(s1, s2);
2163 sjeq_avs_cookie->s.jf = s2;
2164
2165 /*
2166 * Now allocate a register to hold that value and store
2167 * it. The code for the AVS header will jump here after
2168 * loading the length of the AVS header.
2169 */
2170 s2 = new_stmt(BPF_ST);
2171 s2->s.k = reg_off_ll;
2172 sappend(s1, s2);
2173 sjcommon->s.jf = s2;
2174
2175 /*
2176 * Now move it into the X register.
2177 */
2178 s2 = new_stmt(BPF_MISC|BPF_TAX);
2179 sappend(s1, s2);
2180
2181 return (s1);
2182 } else
2183 return (NULL);
2184}
2185
2186static struct slist *
2187gen_load_avs_llprefixlen()
2188{
2189 struct slist *s1, *s2;
2190
2191 /*
2192 * Generate code to load the length of the AVS header into
2193 * the register assigned to hold that length, if one has been
2194 * assigned. (If one hasn't been assigned, no code we've
2195 * generated uses that prefix, so we don't need to generate any
2196 * code to load it.)
2197 */
2198 if (reg_off_ll != -1) {
2199 /*
2200 * The 4 bytes at an offset of 4 from the beginning of
2201 * the AVS header are the length of the AVS header.
2202 * That field is big-endian.
2203 */
2204 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2205 s1->s.k = 4;
2206
2207 /*
2208 * Now allocate a register to hold that value and store
2209 * it.
2210 */
2211 s2 = new_stmt(BPF_ST);
2212 s2->s.k = reg_off_ll;
2213 sappend(s1, s2);
2214
2215 /*
2216 * Now move it into the X register.
2217 */
2218 s2 = new_stmt(BPF_MISC|BPF_TAX);
2219 sappend(s1, s2);
2220
2221 return (s1);
2222 } else
2223 return (NULL);
2224}
2225
2226static struct slist *
2227gen_load_radiotap_llprefixlen()
2228{
2229 struct slist *s1, *s2;
2230
2231 /*
2232 * Generate code to load the length of the radiotap header into
2233 * the register assigned to hold that length, if one has been
2234 * assigned. (If one hasn't been assigned, no code we've
2235 * generated uses that prefix, so we don't need to generate any
2236 * code to load it.)
2237 */
2238 if (reg_off_ll != -1) {
2239 /*
2240 * The 2 bytes at offsets of 2 and 3 from the beginning
2241 * of the radiotap header are the length of the radiotap
2242 * header; unfortunately, it's little-endian, so we have
2243 * to load it a byte at a time and construct the value.
2244 */
2245
2246 /*
2247 * Load the high-order byte, at an offset of 3, shift it
2248 * left a byte, and put the result in the X register.
2249 */
2250 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2251 s1->s.k = 3;
2252 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2253 sappend(s1, s2);
2254 s2->s.k = 8;
2255 s2 = new_stmt(BPF_MISC|BPF_TAX);
2256 sappend(s1, s2);
2257
2258 /*
2259 * Load the next byte, at an offset of 2, and OR the
2260 * value from the X register into it.
2261 */
2262 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2263 sappend(s1, s2);
2264 s2->s.k = 2;
2265 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2266 sappend(s1, s2);
2267
2268 /*
2269 * Now allocate a register to hold that value and store
2270 * it.
2271 */
2272 s2 = new_stmt(BPF_ST);
2273 s2->s.k = reg_off_ll;
2274 sappend(s1, s2);
2275
2276 /*
2277 * Now move it into the X register.
2278 */
2279 s2 = new_stmt(BPF_MISC|BPF_TAX);
2280 sappend(s1, s2);
2281
2282 return (s1);
2283 } else
2284 return (NULL);
2285}
2286
2287/*
2288 * At the moment we treat PPI as normal Radiotap encoded
2289 * packets. The difference is in the function that generates
2290 * the code at the beginning to compute the header length.
2291 * Since this code generator of PPI supports bare 802.11
2292 * encapsulation only (i.e. the encapsulated DLT should be
2293 * DLT_IEEE802_11) we generate code to check for this too;
2294 * that's done in finish_parse().
2295 */
2296static struct slist *
2297gen_load_ppi_llprefixlen()
2298{
2299 struct slist *s1, *s2;
2300
2301 /*
2302 * Generate code to load the length of the radiotap header
2303 * into the register assigned to hold that length, if one has
2304 * been assigned.
2305 */
2306 if (reg_off_ll != -1) {
2307 /*
2308 * The 2 bytes at offsets of 2 and 3 from the beginning
2309 * of the radiotap header are the length of the radiotap
2310 * header; unfortunately, it's little-endian, so we have
2311 * to load it a byte at a time and construct the value.
2312 */
2313
2314 /*
2315 * Load the high-order byte, at an offset of 3, shift it
2316 * left a byte, and put the result in the X register.
2317 */
2318 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2319 s1->s.k = 3;
2320 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2321 sappend(s1, s2);
2322 s2->s.k = 8;
2323 s2 = new_stmt(BPF_MISC|BPF_TAX);
2324 sappend(s1, s2);
2325
2326 /*
2327 * Load the next byte, at an offset of 2, and OR the
2328 * value from the X register into it.
2329 */
2330 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2331 sappend(s1, s2);
2332 s2->s.k = 2;
2333 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2334 sappend(s1, s2);
2335
2336 /*
2337 * Now allocate a register to hold that value and store
2338 * it.
2339 */
2340 s2 = new_stmt(BPF_ST);
2341 s2->s.k = reg_off_ll;
2342 sappend(s1, s2);
2343
2344 /*
2345 * Now move it into the X register.
2346 */
2347 s2 = new_stmt(BPF_MISC|BPF_TAX);
2348 sappend(s1, s2);
2349
2350 return (s1);
2351 } else
2352 return (NULL);
2353}
2354
2355/*
2356 * Load a value relative to the beginning of the link-layer header after the 802.11
2357 * header, i.e. LLC_SNAP.
2358 * The link-layer header doesn't necessarily begin at the beginning
2359 * of the packet data; there might be a variable-length prefix containing
2360 * radio information.
2361 */
2362static struct slist *
2363gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2364{
2365 struct slist *s2;
2366 struct slist *sjset_data_frame_1;
2367 struct slist *sjset_data_frame_2;
2368 struct slist *sjset_qos;
2369 struct slist *sjset_radiotap_flags;
2370 struct slist *sjset_radiotap_tsft;
2371 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2372 struct slist *s_roundup;
2373
2374 if (reg_off_macpl == -1) {
2375 /*
2376 * No register has been assigned to the offset of
2377 * the MAC-layer payload, which means nobody needs
2378 * it; don't bother computing it - just return
2379 * what we already have.
2380 */
2381 return (s);
2382 }
2383
2384 /*
2385 * This code is not compatible with the optimizer, as
2386 * we are generating jmp instructions within a normal
2387 * slist of instructions
2388 */
2389 no_optimize = 1;
2390
2391 /*
2392 * If "s" is non-null, it has code to arrange that the X register
2393 * contains the length of the prefix preceding the link-layer
2394 * header.
2395 *
2396 * Otherwise, the length of the prefix preceding the link-layer
2397 * header is "off_ll".
2398 */
2399 if (s == NULL) {
2400 /*
2401 * There is no variable-length header preceding the
2402 * link-layer header.
2403 *
2404 * Load the length of the fixed-length prefix preceding
2405 * the link-layer header (if any) into the X register,
2406 * and store it in the reg_off_macpl register.
2407 * That length is off_ll.
2408 */
2409 s = new_stmt(BPF_LDX|BPF_IMM);
2410 s->s.k = off_ll;
2411 }
2412
2413 /*
2414 * The X register contains the offset of the beginning of the
2415 * link-layer header; add 24, which is the minimum length
2416 * of the MAC header for a data frame, to that, and store it
2417 * in reg_off_macpl, and then load the Frame Control field,
2418 * which is at the offset in the X register, with an indexed load.
2419 */
2420 s2 = new_stmt(BPF_MISC|BPF_TXA);
2421 sappend(s, s2);
2422 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2423 s2->s.k = 24;
2424 sappend(s, s2);
2425 s2 = new_stmt(BPF_ST);
2426 s2->s.k = reg_off_macpl;
2427 sappend(s, s2);
2428
2429 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2430 s2->s.k = 0;
2431 sappend(s, s2);
2432
2433 /*
2434 * Check the Frame Control field to see if this is a data frame;
2435 * a data frame has the 0x08 bit (b3) in that field set and the
2436 * 0x04 bit (b2) clear.
2437 */
2438 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2439 sjset_data_frame_1->s.k = 0x08;
2440 sappend(s, sjset_data_frame_1);
2441
2442 /*
2443 * If b3 is set, test b2, otherwise go to the first statement of
2444 * the rest of the program.
2445 */
2446 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2447 sjset_data_frame_2->s.k = 0x04;
2448 sappend(s, sjset_data_frame_2);
2449 sjset_data_frame_1->s.jf = snext;
2450
2451 /*
2452 * If b2 is not set, this is a data frame; test the QoS bit.
2453 * Otherwise, go to the first statement of the rest of the
2454 * program.
2455 */
2456 sjset_data_frame_2->s.jt = snext;
2457 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2458 sjset_qos->s.k = 0x80; /* QoS bit */
2459 sappend(s, sjset_qos);
2460
2461 /*
2462 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2463 * field.
2464 * Otherwise, go to the first statement of the rest of the
2465 * program.
2466 */
2467 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2468 s2->s.k = reg_off_macpl;
2469 sappend(s, s2);
2470 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2471 s2->s.k = 2;
2472 sappend(s, s2);
2473 s2 = new_stmt(BPF_ST);
2474 s2->s.k = reg_off_macpl;
2475 sappend(s, s2);
2476
2477 /*
2478 * If we have a radiotap header, look at it to see whether
2479 * there's Atheros padding between the MAC-layer header
2480 * and the payload.
2481 *
2482 * Note: all of the fields in the radiotap header are
2483 * little-endian, so we byte-swap all of the values
2484 * we test against, as they will be loaded as big-endian
2485 * values.
2486 */
2487 if (linktype == DLT_IEEE802_11_RADIO) {
2488 /*
2489 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2490 * in the presence flag?
2491 */
2492 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2493 s2->s.k = 4;
2494 sappend(s, s2);
2495
2496 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2497 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2498 sappend(s, sjset_radiotap_flags);
2499
2500 /*
2501 * If not, skip all of this.
2502 */
2503 sjset_radiotap_flags->s.jf = snext;
2504
2505 /*
2506 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2507 */
2508 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2509 new_stmt(JMP(BPF_JSET));
2510 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2511 sappend(s, sjset_radiotap_tsft);
2512
2513 /*
2514 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2515 * at an offset of 16 from the beginning of the raw packet
2516 * data (8 bytes for the radiotap header and 8 bytes for
2517 * the TSFT field).
2518 *
2519 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2520 * is set.
2521 */
2522 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2523 s2->s.k = 16;
2524 sappend(s, s2);
2525
2526 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2527 sjset_tsft_datapad->s.k = 0x20;
2528 sappend(s, sjset_tsft_datapad);
2529
2530 /*
2531 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2532 * at an offset of 8 from the beginning of the raw packet
2533 * data (8 bytes for the radiotap header).
2534 *
2535 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2536 * is set.
2537 */
2538 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2539 s2->s.k = 8;
2540 sappend(s, s2);
2541
2542 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2543 sjset_notsft_datapad->s.k = 0x20;
2544 sappend(s, sjset_notsft_datapad);
2545
2546 /*
2547 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2548 * set, round the length of the 802.11 header to
2549 * a multiple of 4. Do that by adding 3 and then
2550 * dividing by and multiplying by 4, which we do by
2551 * ANDing with ~3.
2552 */
2553 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2554 s_roundup->s.k = reg_off_macpl;
2555 sappend(s, s_roundup);
2556 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2557 s2->s.k = 3;
2558 sappend(s, s2);
2559 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2560 s2->s.k = ~3;
2561 sappend(s, s2);
2562 s2 = new_stmt(BPF_ST);
2563 s2->s.k = reg_off_macpl;
2564 sappend(s, s2);
2565
2566 sjset_tsft_datapad->s.jt = s_roundup;
2567 sjset_tsft_datapad->s.jf = snext;
2568 sjset_notsft_datapad->s.jt = s_roundup;
2569 sjset_notsft_datapad->s.jf = snext;
2570 } else
2571 sjset_qos->s.jf = snext;
2572
2573 return s;
2574}
2575
2576static void
2577insert_compute_vloffsets(b)
2578 struct block *b;
2579{
2580 struct slist *s;
2581
2582 /*
2583 * For link-layer types that have a variable-length header
2584 * preceding the link-layer header, generate code to load
2585 * the offset of the link-layer header into the register
2586 * assigned to that offset, if any.
2587 */
2588 switch (linktype) {
2589
2590 case DLT_PRISM_HEADER:
2591 s = gen_load_prism_llprefixlen();
2592 break;
2593
2594 case DLT_IEEE802_11_RADIO_AVS:
2595 s = gen_load_avs_llprefixlen();
2596 break;
2597
2598 case DLT_IEEE802_11_RADIO:
2599 s = gen_load_radiotap_llprefixlen();
2600 break;
2601
2602 case DLT_PPI:
2603 s = gen_load_ppi_llprefixlen();
2604 break;
2605
2606 default:
2607 s = NULL;
2608 break;
2609 }
2610
2611 /*
2612 * For link-layer types that have a variable-length link-layer
2613 * header, generate code to load the offset of the MAC-layer
2614 * payload into the register assigned to that offset, if any.
2615 */
2616 switch (linktype) {
2617
2618 case DLT_IEEE802_11:
2619 case DLT_PRISM_HEADER:
2620 case DLT_IEEE802_11_RADIO_AVS:
2621 case DLT_IEEE802_11_RADIO:
2622 case DLT_PPI:
2623 s = gen_load_802_11_header_len(s, b->stmts);
2624 break;
2625 }
2626
2627 /*
2628 * If we have any offset-loading code, append all the
2629 * existing statements in the block to those statements,
2630 * and make the resulting list the list of statements
2631 * for the block.
2632 */
2633 if (s != NULL) {
2634 sappend(s, b->stmts);
2635 b->stmts = s;
2636 }
2637}
2638
2639static struct block *
2640gen_ppi_dlt_check(void)
2641{
2642 struct slist *s_load_dlt;
2643 struct block *b;
2644
2645 if (linktype == DLT_PPI)
2646 {
2647 /* Create the statements that check for the DLT
2648 */
2649 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2650 s_load_dlt->s.k = 4;
2651
2652 b = new_block(JMP(BPF_JEQ));
2653
2654 b->stmts = s_load_dlt;
2655 b->s.k = SWAPLONG(DLT_IEEE802_11);
2656 }
2657 else
2658 {
2659 b = NULL;
2660 }
2661
2662 return b;
2663}
2664
2665static struct slist *
2666gen_prism_llprefixlen(void)
2667{
2668 struct slist *s;
2669
2670 if (reg_off_ll == -1) {
2671 /*
2672 * We haven't yet assigned a register for the length
2673 * of the radio header; allocate one.
2674 */
2675 reg_off_ll = alloc_reg();
2676 }
2677
2678 /*
2679 * Load the register containing the radio length
2680 * into the X register.
2681 */
2682 s = new_stmt(BPF_LDX|BPF_MEM);
2683 s->s.k = reg_off_ll;
2684 return s;
2685}
2686
2687static struct slist *
2688gen_avs_llprefixlen(void)
2689{
2690 struct slist *s;
2691
2692 if (reg_off_ll == -1) {
2693 /*
2694 * We haven't yet assigned a register for the length
2695 * of the AVS header; allocate one.
2696 */
2697 reg_off_ll = alloc_reg();
2698 }
2699
2700 /*
2701 * Load the register containing the AVS length
2702 * into the X register.
2703 */
2704 s = new_stmt(BPF_LDX|BPF_MEM);
2705 s->s.k = reg_off_ll;
2706 return s;
2707}
2708
2709static struct slist *
2710gen_radiotap_llprefixlen(void)
2711{
2712 struct slist *s;
2713
2714 if (reg_off_ll == -1) {
2715 /*
2716 * We haven't yet assigned a register for the length
2717 * of the radiotap header; allocate one.
2718 */
2719 reg_off_ll = alloc_reg();
2720 }
2721
2722 /*
2723 * Load the register containing the radiotap length
2724 * into the X register.
2725 */
2726 s = new_stmt(BPF_LDX|BPF_MEM);
2727 s->s.k = reg_off_ll;
2728 return s;
2729}
2730
2731/*
2732 * At the moment we treat PPI as normal Radiotap encoded
2733 * packets. The difference is in the function that generates
2734 * the code at the beginning to compute the header length.
2735 * Since this code generator of PPI supports bare 802.11
2736 * encapsulation only (i.e. the encapsulated DLT should be
2737 * DLT_IEEE802_11) we generate code to check for this too.
2738 */
2739static struct slist *
2740gen_ppi_llprefixlen(void)
2741{
2742 struct slist *s;
2743
2744 if (reg_off_ll == -1) {
2745 /*
2746 * We haven't yet assigned a register for the length
2747 * of the radiotap header; allocate one.
2748 */
2749 reg_off_ll = alloc_reg();
2750 }
2751
2752 /*
2753 * Load the register containing the PPI length
2754 * into the X register.
2755 */
2756 s = new_stmt(BPF_LDX|BPF_MEM);
2757 s->s.k = reg_off_ll;
2758 return s;
2759}
2760
2761/*
2762 * Generate code to compute the link-layer header length, if necessary,
2763 * putting it into the X register, and to return either a pointer to a
2764 * "struct slist" for the list of statements in that code, or NULL if
2765 * no code is necessary.
2766 */
2767static struct slist *
2768gen_llprefixlen(void)
2769{
2770 switch (linktype) {
2771
2772 case DLT_PRISM_HEADER:
2773 return gen_prism_llprefixlen();
2774
2775 case DLT_IEEE802_11_RADIO_AVS:
2776 return gen_avs_llprefixlen();
2777
2778 case DLT_IEEE802_11_RADIO:
2779 return gen_radiotap_llprefixlen();
2780
2781 case DLT_PPI:
2782 return gen_ppi_llprefixlen();
2783
2784 default:
2785 return NULL;
2786 }
2787}
2788
2789/*
2790 * Generate code to load the register containing the offset of the
2791 * MAC-layer payload into the X register; if no register for that offset
2792 * has been allocated, allocate it first.
2793 */
2794static struct slist *
2795gen_off_macpl(void)
2796{
2797 struct slist *s;
2798
2799 if (off_macpl_is_variable) {
2800 if (reg_off_macpl == -1) {
2801 /*
2802 * We haven't yet assigned a register for the offset
2803 * of the MAC-layer payload; allocate one.
2804 */
2805 reg_off_macpl = alloc_reg();
2806 }
2807
2808 /*
2809 * Load the register containing the offset of the MAC-layer
2810 * payload into the X register.
2811 */
2812 s = new_stmt(BPF_LDX|BPF_MEM);
2813 s->s.k = reg_off_macpl;
2814 return s;
2815 } else {
2816 /*
2817 * That offset isn't variable, so we don't need to
2818 * generate any code.
2819 */
2820 return NULL;
2821 }
2822}
2823
2824/*
2825 * Map an Ethernet type to the equivalent PPP type.
2826 */
2827static int
2828ethertype_to_ppptype(proto)
2829 int proto;
2830{
2831 switch (proto) {
2832
2833 case ETHERTYPE_IP:
2834 proto = PPP_IP;
2835 break;
2836
2837#ifdef INET6
2838 case ETHERTYPE_IPV6:
2839 proto = PPP_IPV6;
2840 break;
2841#endif
2842
2843 case ETHERTYPE_DN:
2844 proto = PPP_DECNET;
2845 break;
2846
2847 case ETHERTYPE_ATALK:
2848 proto = PPP_APPLE;
2849 break;
2850
2851 case ETHERTYPE_NS:
2852 proto = PPP_NS;
2853 break;
2854
2855 case LLCSAP_ISONS:
2856 proto = PPP_OSI;
2857 break;
2858
2859 case LLCSAP_8021D:
2860 /*
2861 * I'm assuming the "Bridging PDU"s that go
2862 * over PPP are Spanning Tree Protocol
2863 * Bridging PDUs.
2864 */
2865 proto = PPP_BRPDU;
2866 break;
2867
2868 case LLCSAP_IPX:
2869 proto = PPP_IPX;
2870 break;
2871 }
2872 return (proto);
2873}
2874
2875/*
2876 * Generate code to match a particular packet type by matching the
2877 * link-layer type field or fields in the 802.2 LLC header.
2878 *
2879 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2880 * value, if <= ETHERMTU.
2881 */
2882static struct block *
2883gen_linktype(proto)
2884 register int proto;
2885{
2886 struct block *b0, *b1, *b2;
2887
2888 /* are we checking MPLS-encapsulated packets? */
2889 if (label_stack_depth > 0) {
2890 switch (proto) {
2891 case ETHERTYPE_IP:
2892 case PPP_IP:
2893 /* FIXME add other L3 proto IDs */
2894 return gen_mpls_linktype(Q_IP);
2895
2896 case ETHERTYPE_IPV6:
2897 case PPP_IPV6:
2898 /* FIXME add other L3 proto IDs */
2899 return gen_mpls_linktype(Q_IPV6);
2900
2901 default:
2902 bpf_error("unsupported protocol over mpls");
2903 /* NOTREACHED */
2904 }
2905 }
2906
2907 /*
2908 * Are we testing PPPoE packets?
2909 */
2910 if (is_pppoes) {
2911 /*
2912 * The PPPoE session header is part of the
2913 * MAC-layer payload, so all references
2914 * should be relative to the beginning of
2915 * that payload.
2916 */
2917
2918 /*
2919 * We use Ethernet protocol types inside libpcap;
2920 * map them to the corresponding PPP protocol types.
2921 */
2922 proto = ethertype_to_ppptype(proto);
2923 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
2924 }
2925
2926 switch (linktype) {
2927
2928 case DLT_EN10MB:
2929 case DLT_NETANALYZER:
2930 case DLT_NETANALYZER_TRANSPARENT:
2931 return gen_ether_linktype(proto);
2932 /*NOTREACHED*/
2933 break;
2934
2935 case DLT_C_HDLC:
2936 switch (proto) {
2937
2938 case LLCSAP_ISONS:
2939 proto = (proto << 8 | LLCSAP_ISONS);
2940 /* fall through */
2941
2942 default:
2943 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2944 (bpf_int32)proto);
2945 /*NOTREACHED*/
2946 break;
2947 }
2948 break;
2949
2950 case DLT_IEEE802_11:
2951 case DLT_PRISM_HEADER:
2952 case DLT_IEEE802_11_RADIO_AVS:
2953 case DLT_IEEE802_11_RADIO:
2954 case DLT_PPI:
2955 /*
2956 * Check that we have a data frame.
2957 */
2958 b0 = gen_check_802_11_data_frame();
2959
2960 /*
2961 * Now check for the specified link-layer type.
2962 */
2963 b1 = gen_llc_linktype(proto);
2964 gen_and(b0, b1);
2965 return b1;
2966 /*NOTREACHED*/
2967 break;
2968
2969 case DLT_FDDI:
2970 /*
2971 * XXX - check for asynchronous frames, as per RFC 1103.
2972 */
2973 return gen_llc_linktype(proto);
2974 /*NOTREACHED*/
2975 break;
2976
2977 case DLT_IEEE802:
2978 /*
2979 * XXX - check for LLC PDUs, as per IEEE 802.5.
2980 */
2981 return gen_llc_linktype(proto);
2982 /*NOTREACHED*/
2983 break;
2984
2985 case DLT_ATM_RFC1483:
2986 case DLT_ATM_CLIP:
2987 case DLT_IP_OVER_FC:
2988 return gen_llc_linktype(proto);
2989 /*NOTREACHED*/
2990 break;
2991
2992 case DLT_SUNATM:
2993 /*
2994 * If "is_lane" is set, check for a LANE-encapsulated
2995 * version of this protocol, otherwise check for an
2996 * LLC-encapsulated version of this protocol.
2997 *
2998 * We assume LANE means Ethernet, not Token Ring.
2999 */
3000 if (is_lane) {
3001 /*
3002 * Check that the packet doesn't begin with an
3003 * LE Control marker. (We've already generated
3004 * a test for LANE.)
3005 */
3006 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3007 0xFF00);
3008 gen_not(b0);
3009
3010 /*
3011 * Now generate an Ethernet test.
3012 */
3013 b1 = gen_ether_linktype(proto);
3014 gen_and(b0, b1);
3015 return b1;
3016 } else {
3017 /*
3018 * Check for LLC encapsulation and then check the
3019 * protocol.
3020 */
3021 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3022 b1 = gen_llc_linktype(proto);
3023 gen_and(b0, b1);
3024 return b1;
3025 }
3026 /*NOTREACHED*/
3027 break;
3028
3029 case DLT_LINUX_SLL:
3030 return gen_linux_sll_linktype(proto);
3031 /*NOTREACHED*/
3032 break;
3033
3034 case DLT_SLIP:
3035 case DLT_SLIP_BSDOS:
3036 case DLT_RAW:
3037 /*
3038 * These types don't provide any type field; packets
3039 * are always IPv4 or IPv6.
3040 *
3041 * XXX - for IPv4, check for a version number of 4, and,
3042 * for IPv6, check for a version number of 6?
3043 */
3044 switch (proto) {
3045
3046 case ETHERTYPE_IP:
3047 /* Check for a version number of 4. */
3048 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3049#ifdef INET6
3050 case ETHERTYPE_IPV6:
3051 /* Check for a version number of 6. */
3052 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3053#endif
3054
3055 default:
3056 return gen_false(); /* always false */
3057 }
3058 /*NOTREACHED*/
3059 break;
3060
3061 case DLT_IPV4:
3062 /*
3063 * Raw IPv4, so no type field.
3064 */
3065 if (proto == ETHERTYPE_IP)
3066 return gen_true(); /* always true */
3067
3068 /* Checking for something other than IPv4; always false */
3069 return gen_false();
3070 /*NOTREACHED*/
3071 break;
3072
3073 case DLT_IPV6:
3074 /*
3075 * Raw IPv6, so no type field.
3076 */
3077#ifdef INET6
3078 if (proto == ETHERTYPE_IPV6)
3079 return gen_true(); /* always true */
3080#endif
3081
3082 /* Checking for something other than IPv6; always false */
3083 return gen_false();
3084 /*NOTREACHED*/
3085 break;
3086
3087 case DLT_PPP:
3088 case DLT_PPP_PPPD:
3089 case DLT_PPP_SERIAL:
3090 case DLT_PPP_ETHER:
3091 /*
3092 * We use Ethernet protocol types inside libpcap;
3093 * map them to the corresponding PPP protocol types.
3094 */
3095 proto = ethertype_to_ppptype(proto);
3096 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3097 /*NOTREACHED*/
3098 break;
3099
3100 case DLT_PPP_BSDOS:
3101 /*
3102 * We use Ethernet protocol types inside libpcap;
3103 * map them to the corresponding PPP protocol types.
3104 */
3105 switch (proto) {
3106
3107 case ETHERTYPE_IP:
3108 /*
3109 * Also check for Van Jacobson-compressed IP.
3110 * XXX - do this for other forms of PPP?
3111 */
3112 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3113 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3114 gen_or(b0, b1);
3115 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3116 gen_or(b1, b0);
3117 return b0;
3118
3119 default:
3120 proto = ethertype_to_ppptype(proto);
3121 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3122 (bpf_int32)proto);
3123 }
3124 /*NOTREACHED*/
3125 break;
3126
3127 case DLT_NULL:
3128 case DLT_LOOP:
3129 case DLT_ENC:
3130 /*
3131 * For DLT_NULL, the link-layer header is a 32-bit
3132 * word containing an AF_ value in *host* byte order,
3133 * and for DLT_ENC, the link-layer header begins
3134 * with a 32-bit work containing an AF_ value in
3135 * host byte order.
3136 *
3137 * In addition, if we're reading a saved capture file,
3138 * the host byte order in the capture may not be the
3139 * same as the host byte order on this machine.
3140 *
3141 * For DLT_LOOP, the link-layer header is a 32-bit
3142 * word containing an AF_ value in *network* byte order.
3143 *
3144 * XXX - AF_ values may, unfortunately, be platform-
3145 * dependent; for example, FreeBSD's AF_INET6 is 24
3146 * whilst NetBSD's and OpenBSD's is 26.
3147 *
3148 * This means that, when reading a capture file, just
3149 * checking for our AF_INET6 value won't work if the
3150 * capture file came from another OS.
3151 */
3152 switch (proto) {
3153
3154 case ETHERTYPE_IP:
3155 proto = AF_INET;
3156 break;
3157
3158#ifdef INET6
3159 case ETHERTYPE_IPV6:
3160 proto = AF_INET6;
3161 break;
3162#endif
3163
3164 default:
3165 /*
3166 * Not a type on which we support filtering.
3167 * XXX - support those that have AF_ values
3168 * #defined on this platform, at least?
3169 */
3170 return gen_false();
3171 }
3172
3173 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3174 /*
3175 * The AF_ value is in host byte order, but
3176 * the BPF interpreter will convert it to
3177 * network byte order.
3178 *
3179 * If this is a save file, and it's from a
3180 * machine with the opposite byte order to
3181 * ours, we byte-swap the AF_ value.
3182 *
3183 * Then we run it through "htonl()", and
3184 * generate code to compare against the result.
3185 */
3186 if (bpf_pcap->sf.rfile != NULL &&
3187 bpf_pcap->sf.swapped)
3188 proto = SWAPLONG(proto);
3189 proto = htonl(proto);
3190 }
3191 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3192
3193#ifdef HAVE_NET_PFVAR_H
3194 case DLT_PFLOG:
3195 /*
3196 * af field is host byte order in contrast to the rest of
3197 * the packet.
3198 */
3199 if (proto == ETHERTYPE_IP)
3200 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3201 BPF_B, (bpf_int32)AF_INET));
3202#ifdef INET6
3203 else if (proto == ETHERTYPE_IPV6)
3204 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3205 BPF_B, (bpf_int32)AF_INET6));
3206#endif /* INET6 */
3207 else
3208 return gen_false();
3209 /*NOTREACHED*/
3210 break;
3211#endif /* HAVE_NET_PFVAR_H */
3212
3213 case DLT_ARCNET:
3214 case DLT_ARCNET_LINUX:
3215 /*
3216 * XXX should we check for first fragment if the protocol
3217 * uses PHDS?
3218 */
3219 switch (proto) {
3220
3221 default:
3222 return gen_false();
3223
3224#ifdef INET6
3225 case ETHERTYPE_IPV6:
3226 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3227 (bpf_int32)ARCTYPE_INET6));
3228#endif /* INET6 */
3229
3230 case ETHERTYPE_IP:
3231 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3232 (bpf_int32)ARCTYPE_IP);
3233 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3234 (bpf_int32)ARCTYPE_IP_OLD);
3235 gen_or(b0, b1);
3236 return (b1);
3237
3238 case ETHERTYPE_ARP:
3239 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3240 (bpf_int32)ARCTYPE_ARP);
3241 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3242 (bpf_int32)ARCTYPE_ARP_OLD);
3243 gen_or(b0, b1);
3244 return (b1);
3245
3246 case ETHERTYPE_REVARP:
3247 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3248 (bpf_int32)ARCTYPE_REVARP));
3249
3250 case ETHERTYPE_ATALK:
3251 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3252 (bpf_int32)ARCTYPE_ATALK));
3253 }
3254 /*NOTREACHED*/
3255 break;
3256
3257 case DLT_LTALK:
3258 switch (proto) {
3259 case ETHERTYPE_ATALK:
3260 return gen_true();
3261 default:
3262 return gen_false();
3263 }
3264 /*NOTREACHED*/
3265 break;
3266
3267 case DLT_FRELAY:
3268 /*
3269 * XXX - assumes a 2-byte Frame Relay header with
3270 * DLCI and flags. What if the address is longer?
3271 */
3272 switch (proto) {
3273
3274 case ETHERTYPE_IP:
3275 /*
3276 * Check for the special NLPID for IP.
3277 */
3278 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3279
3280#ifdef INET6
3281 case ETHERTYPE_IPV6:
3282 /*
3283 * Check for the special NLPID for IPv6.
3284 */
3285 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3286#endif
3287
3288 case LLCSAP_ISONS:
3289 /*
3290 * Check for several OSI protocols.
3291 *
3292 * Frame Relay packets typically have an OSI
3293 * NLPID at the beginning; we check for each
3294 * of them.
3295 *
3296 * What we check for is the NLPID and a frame
3297 * control field of UI, i.e. 0x03 followed
3298 * by the NLPID.
3299 */
3300 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3301 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3302 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3303 gen_or(b1, b2);
3304 gen_or(b0, b2);
3305 return b2;
3306
3307 default:
3308 return gen_false();
3309 }
3310 /*NOTREACHED*/
3311 break;
3312
3313 case DLT_MFR:
3314 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3315
3316 case DLT_JUNIPER_MFR:
3317 case DLT_JUNIPER_MLFR:
3318 case DLT_JUNIPER_MLPPP:
3319 case DLT_JUNIPER_ATM1:
3320 case DLT_JUNIPER_ATM2:
3321 case DLT_JUNIPER_PPPOE:
3322 case DLT_JUNIPER_PPPOE_ATM:
3323 case DLT_JUNIPER_GGSN:
3324 case DLT_JUNIPER_ES:
3325 case DLT_JUNIPER_MONITOR:
3326 case DLT_JUNIPER_SERVICES:
3327 case DLT_JUNIPER_ETHER:
3328 case DLT_JUNIPER_PPP:
3329 case DLT_JUNIPER_FRELAY:
3330 case DLT_JUNIPER_CHDLC:
3331 case DLT_JUNIPER_VP:
3332 case DLT_JUNIPER_ST:
3333 case DLT_JUNIPER_ISM:
3334 case DLT_JUNIPER_VS:
3335 case DLT_JUNIPER_SRX_E2E:
3336 case DLT_JUNIPER_FIBRECHANNEL:
3337 case DLT_JUNIPER_ATM_CEMIC:
3338
3339 /* just lets verify the magic number for now -
3340 * on ATM we may have up to 6 different encapsulations on the wire
3341 * and need a lot of heuristics to figure out that the payload
3342 * might be;
3343 *
3344 * FIXME encapsulation specific BPF_ filters
3345 */
3346 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3347
3348 case DLT_IPNET:
3349 return gen_ipnet_linktype(proto);
3350
3351 case DLT_LINUX_IRDA:
3352 bpf_error("IrDA link-layer type filtering not implemented");
3353
3354 case DLT_DOCSIS:
3355 bpf_error("DOCSIS link-layer type filtering not implemented");
3356
3357 case DLT_MTP2:
3358 case DLT_MTP2_WITH_PHDR:
3359 bpf_error("MTP2 link-layer type filtering not implemented");
3360
3361 case DLT_ERF:
3362 bpf_error("ERF link-layer type filtering not implemented");
3363
|
3361#ifdef DLT_PFSYNC
| |
3362 case DLT_PFSYNC:
3363 bpf_error("PFSYNC link-layer type filtering not implemented");
| 3364 case DLT_PFSYNC:
3365 bpf_error("PFSYNC link-layer type filtering not implemented");
|
3364#endif
| |
3365
3366 case DLT_LINUX_LAPD:
3367 bpf_error("LAPD link-layer type filtering not implemented");
3368
3369 case DLT_USB:
3370 case DLT_USB_LINUX:
3371 case DLT_USB_LINUX_MMAPPED:
3372 bpf_error("USB link-layer type filtering not implemented");
3373
3374 case DLT_BLUETOOTH_HCI_H4:
3375 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3376 bpf_error("Bluetooth link-layer type filtering not implemented");
3377
3378 case DLT_CAN20B:
3379 case DLT_CAN_SOCKETCAN:
3380 bpf_error("CAN link-layer type filtering not implemented");
3381
3382 case DLT_IEEE802_15_4:
3383 case DLT_IEEE802_15_4_LINUX:
3384 case DLT_IEEE802_15_4_NONASK_PHY:
3385 case DLT_IEEE802_15_4_NOFCS:
3386 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3387
3388 case DLT_IEEE802_16_MAC_CPS_RADIO:
3389 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3390
3391 case DLT_SITA:
3392 bpf_error("SITA link-layer type filtering not implemented");
3393
3394 case DLT_RAIF1:
3395 bpf_error("RAIF1 link-layer type filtering not implemented");
3396
3397 case DLT_IPMB:
3398 bpf_error("IPMB link-layer type filtering not implemented");
3399
3400 case DLT_AX25_KISS:
3401 bpf_error("AX.25 link-layer type filtering not implemented");
3402 }
3403
3404 /*
3405 * All the types that have no encapsulation should either be
3406 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3407 * all packets are IP packets, or should be handled in some
3408 * special case, if none of them are (if some are and some
3409 * aren't, the lack of encapsulation is a problem, as we'd
3410 * have to find some other way of determining the packet type).
3411 *
3412 * Therefore, if "off_linktype" is -1, there's an error.
3413 */
3414 if (off_linktype == (u_int)-1)
3415 abort();
3416
3417 /*
3418 * Any type not handled above should always have an Ethernet
3419 * type at an offset of "off_linktype".
3420 */
3421 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3422}
3423
3424/*
3425 * Check for an LLC SNAP packet with a given organization code and
3426 * protocol type; we check the entire contents of the 802.2 LLC and
3427 * snap headers, checking for DSAP and SSAP of SNAP and a control
3428 * field of 0x03 in the LLC header, and for the specified organization
3429 * code and protocol type in the SNAP header.
3430 */
3431static struct block *
3432gen_snap(orgcode, ptype)
3433 bpf_u_int32 orgcode;
3434 bpf_u_int32 ptype;
3435{
3436 u_char snapblock[8];
3437
3438 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3439 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3440 snapblock[2] = 0x03; /* control = UI */
3441 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3442 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3443 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3444 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3445 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3446 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3447}
3448
3449/*
3450 * Generate code to match a particular packet type, for link-layer types
3451 * using 802.2 LLC headers.
3452 *
3453 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3454 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3455 *
3456 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3457 * value, if <= ETHERMTU. We use that to determine whether to
3458 * match the DSAP or both DSAP and LSAP or to check the OUI and
3459 * protocol ID in a SNAP header.
3460 */
3461static struct block *
3462gen_llc_linktype(proto)
3463 int proto;
3464{
3465 /*
3466 * XXX - handle token-ring variable-length header.
3467 */
3468 switch (proto) {
3469
3470 case LLCSAP_IP:
3471 case LLCSAP_ISONS:
3472 case LLCSAP_NETBEUI:
3473 /*
3474 * XXX - should we check both the DSAP and the
3475 * SSAP, like this, or should we check just the
3476 * DSAP, as we do for other types <= ETHERMTU
3477 * (i.e., other SAP values)?
3478 */
3479 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3480 ((proto << 8) | proto));
3481
3482 case LLCSAP_IPX:
3483 /*
3484 * XXX - are there ever SNAP frames for IPX on
3485 * non-Ethernet 802.x networks?
3486 */
3487 return gen_cmp(OR_MACPL, 0, BPF_B,
3488 (bpf_int32)LLCSAP_IPX);
3489
3490 case ETHERTYPE_ATALK:
3491 /*
3492 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3493 * SNAP packets with an organization code of
3494 * 0x080007 (Apple, for Appletalk) and a protocol
3495 * type of ETHERTYPE_ATALK (Appletalk).
3496 *
3497 * XXX - check for an organization code of
3498 * encapsulated Ethernet as well?
3499 */
3500 return gen_snap(0x080007, ETHERTYPE_ATALK);
3501
3502 default:
3503 /*
3504 * XXX - we don't have to check for IPX 802.3
3505 * here, but should we check for the IPX Ethertype?
3506 */
3507 if (proto <= ETHERMTU) {
3508 /*
3509 * This is an LLC SAP value, so check
3510 * the DSAP.
3511 */
3512 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3513 } else {
3514 /*
3515 * This is an Ethernet type; we assume that it's
3516 * unlikely that it'll appear in the right place
3517 * at random, and therefore check only the
3518 * location that would hold the Ethernet type
3519 * in a SNAP frame with an organization code of
3520 * 0x000000 (encapsulated Ethernet).
3521 *
3522 * XXX - if we were to check for the SNAP DSAP and
3523 * LSAP, as per XXX, and were also to check for an
3524 * organization code of 0x000000 (encapsulated
3525 * Ethernet), we'd do
3526 *
3527 * return gen_snap(0x000000, proto);
3528 *
3529 * here; for now, we don't, as per the above.
3530 * I don't know whether it's worth the extra CPU
3531 * time to do the right check or not.
3532 */
3533 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3534 }
3535 }
3536}
3537
3538static struct block *
3539gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3540 bpf_u_int32 addr;
3541 bpf_u_int32 mask;
3542 int dir, proto;
3543 u_int src_off, dst_off;
3544{
3545 struct block *b0, *b1;
3546 u_int offset;
3547
3548 switch (dir) {
3549
3550 case Q_SRC:
3551 offset = src_off;
3552 break;
3553
3554 case Q_DST:
3555 offset = dst_off;
3556 break;
3557
3558 case Q_AND:
3559 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3560 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3561 gen_and(b0, b1);
3562 return b1;
3563
3564 case Q_OR:
3565 case Q_DEFAULT:
3566 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3567 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3568 gen_or(b0, b1);
3569 return b1;
3570
3571 default:
3572 abort();
3573 }
3574 b0 = gen_linktype(proto);
3575 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3576 gen_and(b0, b1);
3577 return b1;
3578}
3579
3580#ifdef INET6
3581static struct block *
3582gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3583 struct in6_addr *addr;
3584 struct in6_addr *mask;
3585 int dir, proto;
3586 u_int src_off, dst_off;
3587{
3588 struct block *b0, *b1;
3589 u_int offset;
3590 u_int32_t *a, *m;
3591
3592 switch (dir) {
3593
3594 case Q_SRC:
3595 offset = src_off;
3596 break;
3597
3598 case Q_DST:
3599 offset = dst_off;
3600 break;
3601
3602 case Q_AND:
3603 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3604 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3605 gen_and(b0, b1);
3606 return b1;
3607
3608 case Q_OR:
3609 case Q_DEFAULT:
3610 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3611 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3612 gen_or(b0, b1);
3613 return b1;
3614
3615 default:
3616 abort();
3617 }
3618 /* this order is important */
3619 a = (u_int32_t *)addr;
3620 m = (u_int32_t *)mask;
3621 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3622 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3623 gen_and(b0, b1);
3624 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3625 gen_and(b0, b1);
3626 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3627 gen_and(b0, b1);
3628 b0 = gen_linktype(proto);
3629 gen_and(b0, b1);
3630 return b1;
3631}
3632#endif /*INET6*/
3633
3634static struct block *
3635gen_ehostop(eaddr, dir)
3636 register const u_char *eaddr;
3637 register int dir;
3638{
3639 register struct block *b0, *b1;
3640
3641 switch (dir) {
3642 case Q_SRC:
3643 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3644
3645 case Q_DST:
3646 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3647
3648 case Q_AND:
3649 b0 = gen_ehostop(eaddr, Q_SRC);
3650 b1 = gen_ehostop(eaddr, Q_DST);
3651 gen_and(b0, b1);
3652 return b1;
3653
3654 case Q_DEFAULT:
3655 case Q_OR:
3656 b0 = gen_ehostop(eaddr, Q_SRC);
3657 b1 = gen_ehostop(eaddr, Q_DST);
3658 gen_or(b0, b1);
3659 return b1;
3660
3661 case Q_ADDR1:
3662 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers");
3663 break;
3664
3665 case Q_ADDR2:
3666 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers");
3667 break;
3668
3669 case Q_ADDR3:
3670 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers");
3671 break;
3672
3673 case Q_ADDR4:
3674 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers");
3675 break;
3676
3677 case Q_RA:
3678 bpf_error("'ra' is only supported on 802.11 with 802.11 headers");
3679 break;
3680
3681 case Q_TA:
3682 bpf_error("'ta' is only supported on 802.11 with 802.11 headers");
3683 break;
3684 }
3685 abort();
3686 /* NOTREACHED */
3687}
3688
3689/*
3690 * Like gen_ehostop, but for DLT_FDDI
3691 */
3692static struct block *
3693gen_fhostop(eaddr, dir)
3694 register const u_char *eaddr;
3695 register int dir;
3696{
3697 struct block *b0, *b1;
3698
3699 switch (dir) {
3700 case Q_SRC:
3701#ifdef PCAP_FDDIPAD
3702 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3703#else
3704 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3705#endif
3706
3707 case Q_DST:
3708#ifdef PCAP_FDDIPAD
3709 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3710#else
3711 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3712#endif
3713
3714 case Q_AND:
3715 b0 = gen_fhostop(eaddr, Q_SRC);
3716 b1 = gen_fhostop(eaddr, Q_DST);
3717 gen_and(b0, b1);
3718 return b1;
3719
3720 case Q_DEFAULT:
3721 case Q_OR:
3722 b0 = gen_fhostop(eaddr, Q_SRC);
3723 b1 = gen_fhostop(eaddr, Q_DST);
3724 gen_or(b0, b1);
3725 return b1;
3726
3727 case Q_ADDR1:
3728 bpf_error("'addr1' is only supported on 802.11");
3729 break;
3730
3731 case Q_ADDR2:
3732 bpf_error("'addr2' is only supported on 802.11");
3733 break;
3734
3735 case Q_ADDR3:
3736 bpf_error("'addr3' is only supported on 802.11");
3737 break;
3738
3739 case Q_ADDR4:
3740 bpf_error("'addr4' is only supported on 802.11");
3741 break;
3742
3743 case Q_RA:
3744 bpf_error("'ra' is only supported on 802.11");
3745 break;
3746
3747 case Q_TA:
3748 bpf_error("'ta' is only supported on 802.11");
3749 break;
3750 }
3751 abort();
3752 /* NOTREACHED */
3753}
3754
3755/*
3756 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3757 */
3758static struct block *
3759gen_thostop(eaddr, dir)
3760 register const u_char *eaddr;
3761 register int dir;
3762{
3763 register struct block *b0, *b1;
3764
3765 switch (dir) {
3766 case Q_SRC:
3767 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3768
3769 case Q_DST:
3770 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3771
3772 case Q_AND:
3773 b0 = gen_thostop(eaddr, Q_SRC);
3774 b1 = gen_thostop(eaddr, Q_DST);
3775 gen_and(b0, b1);
3776 return b1;
3777
3778 case Q_DEFAULT:
3779 case Q_OR:
3780 b0 = gen_thostop(eaddr, Q_SRC);
3781 b1 = gen_thostop(eaddr, Q_DST);
3782 gen_or(b0, b1);
3783 return b1;
3784
3785 case Q_ADDR1:
3786 bpf_error("'addr1' is only supported on 802.11");
3787 break;
3788
3789 case Q_ADDR2:
3790 bpf_error("'addr2' is only supported on 802.11");
3791 break;
3792
3793 case Q_ADDR3:
3794 bpf_error("'addr3' is only supported on 802.11");
3795 break;
3796
3797 case Q_ADDR4:
3798 bpf_error("'addr4' is only supported on 802.11");
3799 break;
3800
3801 case Q_RA:
3802 bpf_error("'ra' is only supported on 802.11");
3803 break;
3804
3805 case Q_TA:
3806 bpf_error("'ta' is only supported on 802.11");
3807 break;
3808 }
3809 abort();
3810 /* NOTREACHED */
3811}
3812
3813/*
3814 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3815 * various 802.11 + radio headers.
3816 */
3817static struct block *
3818gen_wlanhostop(eaddr, dir)
3819 register const u_char *eaddr;
3820 register int dir;
3821{
3822 register struct block *b0, *b1, *b2;
3823 register struct slist *s;
3824
3825#ifdef ENABLE_WLAN_FILTERING_PATCH
3826 /*
3827 * TODO GV 20070613
3828 * We need to disable the optimizer because the optimizer is buggy
3829 * and wipes out some LD instructions generated by the below
3830 * code to validate the Frame Control bits
3831 */
3832 no_optimize = 1;
3833#endif /* ENABLE_WLAN_FILTERING_PATCH */
3834
3835 switch (dir) {
3836 case Q_SRC:
3837 /*
3838 * Oh, yuk.
3839 *
3840 * For control frames, there is no SA.
3841 *
3842 * For management frames, SA is at an
3843 * offset of 10 from the beginning of
3844 * the packet.
3845 *
3846 * For data frames, SA is at an offset
3847 * of 10 from the beginning of the packet
3848 * if From DS is clear, at an offset of
3849 * 16 from the beginning of the packet
3850 * if From DS is set and To DS is clear,
3851 * and an offset of 24 from the beginning
3852 * of the packet if From DS is set and To DS
3853 * is set.
3854 */
3855
3856 /*
3857 * Generate the tests to be done for data frames
3858 * with From DS set.
3859 *
3860 * First, check for To DS set, i.e. check "link[1] & 0x01".
3861 */
3862 s = gen_load_a(OR_LINK, 1, BPF_B);
3863 b1 = new_block(JMP(BPF_JSET));
3864 b1->s.k = 0x01; /* To DS */
3865 b1->stmts = s;
3866
3867 /*
3868 * If To DS is set, the SA is at 24.
3869 */
3870 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3871 gen_and(b1, b0);
3872
3873 /*
3874 * Now, check for To DS not set, i.e. check
3875 * "!(link[1] & 0x01)".
3876 */
3877 s = gen_load_a(OR_LINK, 1, BPF_B);
3878 b2 = new_block(JMP(BPF_JSET));
3879 b2->s.k = 0x01; /* To DS */
3880 b2->stmts = s;
3881 gen_not(b2);
3882
3883 /*
3884 * If To DS is not set, the SA is at 16.
3885 */
3886 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3887 gen_and(b2, b1);
3888
3889 /*
3890 * Now OR together the last two checks. That gives
3891 * the complete set of checks for data frames with
3892 * From DS set.
3893 */
3894 gen_or(b1, b0);
3895
3896 /*
3897 * Now check for From DS being set, and AND that with
3898 * the ORed-together checks.
3899 */
3900 s = gen_load_a(OR_LINK, 1, BPF_B);
3901 b1 = new_block(JMP(BPF_JSET));
3902 b1->s.k = 0x02; /* From DS */
3903 b1->stmts = s;
3904 gen_and(b1, b0);
3905
3906 /*
3907 * Now check for data frames with From DS not set.
3908 */
3909 s = gen_load_a(OR_LINK, 1, BPF_B);
3910 b2 = new_block(JMP(BPF_JSET));
3911 b2->s.k = 0x02; /* From DS */
3912 b2->stmts = s;
3913 gen_not(b2);
3914
3915 /*
3916 * If From DS isn't set, the SA is at 10.
3917 */
3918 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3919 gen_and(b2, b1);
3920
3921 /*
3922 * Now OR together the checks for data frames with
3923 * From DS not set and for data frames with From DS
3924 * set; that gives the checks done for data frames.
3925 */
3926 gen_or(b1, b0);
3927
3928 /*
3929 * Now check for a data frame.
3930 * I.e, check "link[0] & 0x08".
3931 */
3932 s = gen_load_a(OR_LINK, 0, BPF_B);
3933 b1 = new_block(JMP(BPF_JSET));
3934 b1->s.k = 0x08;
3935 b1->stmts = s;
3936
3937 /*
3938 * AND that with the checks done for data frames.
3939 */
3940 gen_and(b1, b0);
3941
3942 /*
3943 * If the high-order bit of the type value is 0, this
3944 * is a management frame.
3945 * I.e, check "!(link[0] & 0x08)".
3946 */
3947 s = gen_load_a(OR_LINK, 0, BPF_B);
3948 b2 = new_block(JMP(BPF_JSET));
3949 b2->s.k = 0x08;
3950 b2->stmts = s;
3951 gen_not(b2);
3952
3953 /*
3954 * For management frames, the SA is at 10.
3955 */
3956 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3957 gen_and(b2, b1);
3958
3959 /*
3960 * OR that with the checks done for data frames.
3961 * That gives the checks done for management and
3962 * data frames.
3963 */
3964 gen_or(b1, b0);
3965
3966 /*
3967 * If the low-order bit of the type value is 1,
3968 * this is either a control frame or a frame
3969 * with a reserved type, and thus not a
3970 * frame with an SA.
3971 *
3972 * I.e., check "!(link[0] & 0x04)".
3973 */
3974 s = gen_load_a(OR_LINK, 0, BPF_B);
3975 b1 = new_block(JMP(BPF_JSET));
3976 b1->s.k = 0x04;
3977 b1->stmts = s;
3978 gen_not(b1);
3979
3980 /*
3981 * AND that with the checks for data and management
3982 * frames.
3983 */
3984 gen_and(b1, b0);
3985 return b0;
3986
3987 case Q_DST:
3988 /*
3989 * Oh, yuk.
3990 *
3991 * For control frames, there is no DA.
3992 *
3993 * For management frames, DA is at an
3994 * offset of 4 from the beginning of
3995 * the packet.
3996 *
3997 * For data frames, DA is at an offset
3998 * of 4 from the beginning of the packet
3999 * if To DS is clear and at an offset of
4000 * 16 from the beginning of the packet
4001 * if To DS is set.
4002 */
4003
4004 /*
4005 * Generate the tests to be done for data frames.
4006 *
4007 * First, check for To DS set, i.e. "link[1] & 0x01".
4008 */
4009 s = gen_load_a(OR_LINK, 1, BPF_B);
4010 b1 = new_block(JMP(BPF_JSET));
4011 b1->s.k = 0x01; /* To DS */
4012 b1->stmts = s;
4013
4014 /*
4015 * If To DS is set, the DA is at 16.
4016 */
4017 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4018 gen_and(b1, b0);
4019
4020 /*
4021 * Now, check for To DS not set, i.e. check
4022 * "!(link[1] & 0x01)".
4023 */
4024 s = gen_load_a(OR_LINK, 1, BPF_B);
4025 b2 = new_block(JMP(BPF_JSET));
4026 b2->s.k = 0x01; /* To DS */
4027 b2->stmts = s;
4028 gen_not(b2);
4029
4030 /*
4031 * If To DS is not set, the DA is at 4.
4032 */
4033 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4034 gen_and(b2, b1);
4035
4036 /*
4037 * Now OR together the last two checks. That gives
4038 * the complete set of checks for data frames.
4039 */
4040 gen_or(b1, b0);
4041
4042 /*
4043 * Now check for a data frame.
4044 * I.e, check "link[0] & 0x08".
4045 */
4046 s = gen_load_a(OR_LINK, 0, BPF_B);
4047 b1 = new_block(JMP(BPF_JSET));
4048 b1->s.k = 0x08;
4049 b1->stmts = s;
4050
4051 /*
4052 * AND that with the checks done for data frames.
4053 */
4054 gen_and(b1, b0);
4055
4056 /*
4057 * If the high-order bit of the type value is 0, this
4058 * is a management frame.
4059 * I.e, check "!(link[0] & 0x08)".
4060 */
4061 s = gen_load_a(OR_LINK, 0, BPF_B);
4062 b2 = new_block(JMP(BPF_JSET));
4063 b2->s.k = 0x08;
4064 b2->stmts = s;
4065 gen_not(b2);
4066
4067 /*
4068 * For management frames, the DA is at 4.
4069 */
4070 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4071 gen_and(b2, b1);
4072
4073 /*
4074 * OR that with the checks done for data frames.
4075 * That gives the checks done for management and
4076 * data frames.
4077 */
4078 gen_or(b1, b0);
4079
4080 /*
4081 * If the low-order bit of the type value is 1,
4082 * this is either a control frame or a frame
4083 * with a reserved type, and thus not a
4084 * frame with an SA.
4085 *
4086 * I.e., check "!(link[0] & 0x04)".
4087 */
4088 s = gen_load_a(OR_LINK, 0, BPF_B);
4089 b1 = new_block(JMP(BPF_JSET));
4090 b1->s.k = 0x04;
4091 b1->stmts = s;
4092 gen_not(b1);
4093
4094 /*
4095 * AND that with the checks for data and management
4096 * frames.
4097 */
4098 gen_and(b1, b0);
4099 return b0;
4100
4101 case Q_RA:
4102 /*
4103 * Not present in management frames; addr1 in other
4104 * frames.
4105 */
4106
4107 /*
4108 * If the high-order bit of the type value is 0, this
4109 * is a management frame.
4110 * I.e, check "(link[0] & 0x08)".
4111 */
4112 s = gen_load_a(OR_LINK, 0, BPF_B);
4113 b1 = new_block(JMP(BPF_JSET));
4114 b1->s.k = 0x08;
4115 b1->stmts = s;
4116
4117 /*
4118 * Check addr1.
4119 */
4120 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4121
4122 /*
4123 * AND that with the check of addr1.
4124 */
4125 gen_and(b1, b0);
4126 return (b0);
4127
4128 case Q_TA:
4129 /*
4130 * Not present in management frames; addr2, if present,
4131 * in other frames.
4132 */
4133
4134 /*
4135 * Not present in CTS or ACK control frames.
4136 */
4137 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4138 IEEE80211_FC0_TYPE_MASK);
4139 gen_not(b0);
4140 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4141 IEEE80211_FC0_SUBTYPE_MASK);
4142 gen_not(b1);
4143 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4144 IEEE80211_FC0_SUBTYPE_MASK);
4145 gen_not(b2);
4146 gen_and(b1, b2);
4147 gen_or(b0, b2);
4148
4149 /*
4150 * If the high-order bit of the type value is 0, this
4151 * is a management frame.
4152 * I.e, check "(link[0] & 0x08)".
4153 */
4154 s = gen_load_a(OR_LINK, 0, BPF_B);
4155 b1 = new_block(JMP(BPF_JSET));
4156 b1->s.k = 0x08;
4157 b1->stmts = s;
4158
4159 /*
4160 * AND that with the check for frames other than
4161 * CTS and ACK frames.
4162 */
4163 gen_and(b1, b2);
4164
4165 /*
4166 * Check addr2.
4167 */
4168 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4169 gen_and(b2, b1);
4170 return b1;
4171
4172 /*
4173 * XXX - add BSSID keyword?
4174 */
4175 case Q_ADDR1:
4176 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4177
4178 case Q_ADDR2:
4179 /*
4180 * Not present in CTS or ACK control frames.
4181 */
4182 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4183 IEEE80211_FC0_TYPE_MASK);
4184 gen_not(b0);
4185 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4186 IEEE80211_FC0_SUBTYPE_MASK);
4187 gen_not(b1);
4188 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4189 IEEE80211_FC0_SUBTYPE_MASK);
4190 gen_not(b2);
4191 gen_and(b1, b2);
4192 gen_or(b0, b2);
4193 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4194 gen_and(b2, b1);
4195 return b1;
4196
4197 case Q_ADDR3:
4198 /*
4199 * Not present in control frames.
4200 */
4201 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4202 IEEE80211_FC0_TYPE_MASK);
4203 gen_not(b0);
4204 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4205 gen_and(b0, b1);
4206 return b1;
4207
4208 case Q_ADDR4:
4209 /*
4210 * Present only if the direction mask has both "From DS"
4211 * and "To DS" set. Neither control frames nor management
4212 * frames should have both of those set, so we don't
4213 * check the frame type.
4214 */
4215 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4216 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4217 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4218 gen_and(b0, b1);
4219 return b1;
4220
4221 case Q_AND:
4222 b0 = gen_wlanhostop(eaddr, Q_SRC);
4223 b1 = gen_wlanhostop(eaddr, Q_DST);
4224 gen_and(b0, b1);
4225 return b1;
4226
4227 case Q_DEFAULT:
4228 case Q_OR:
4229 b0 = gen_wlanhostop(eaddr, Q_SRC);
4230 b1 = gen_wlanhostop(eaddr, Q_DST);
4231 gen_or(b0, b1);
4232 return b1;
4233 }
4234 abort();
4235 /* NOTREACHED */
4236}
4237
4238/*
4239 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4240 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4241 * as the RFC states.)
4242 */
4243static struct block *
4244gen_ipfchostop(eaddr, dir)
4245 register const u_char *eaddr;
4246 register int dir;
4247{
4248 register struct block *b0, *b1;
4249
4250 switch (dir) {
4251 case Q_SRC:
4252 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4253
4254 case Q_DST:
4255 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4256
4257 case Q_AND:
4258 b0 = gen_ipfchostop(eaddr, Q_SRC);
4259 b1 = gen_ipfchostop(eaddr, Q_DST);
4260 gen_and(b0, b1);
4261 return b1;
4262
4263 case Q_DEFAULT:
4264 case Q_OR:
4265 b0 = gen_ipfchostop(eaddr, Q_SRC);
4266 b1 = gen_ipfchostop(eaddr, Q_DST);
4267 gen_or(b0, b1);
4268 return b1;
4269
4270 case Q_ADDR1:
4271 bpf_error("'addr1' is only supported on 802.11");
4272 break;
4273
4274 case Q_ADDR2:
4275 bpf_error("'addr2' is only supported on 802.11");
4276 break;
4277
4278 case Q_ADDR3:
4279 bpf_error("'addr3' is only supported on 802.11");
4280 break;
4281
4282 case Q_ADDR4:
4283 bpf_error("'addr4' is only supported on 802.11");
4284 break;
4285
4286 case Q_RA:
4287 bpf_error("'ra' is only supported on 802.11");
4288 break;
4289
4290 case Q_TA:
4291 bpf_error("'ta' is only supported on 802.11");
4292 break;
4293 }
4294 abort();
4295 /* NOTREACHED */
4296}
4297
4298/*
4299 * This is quite tricky because there may be pad bytes in front of the
4300 * DECNET header, and then there are two possible data packet formats that
4301 * carry both src and dst addresses, plus 5 packet types in a format that
4302 * carries only the src node, plus 2 types that use a different format and
4303 * also carry just the src node.
4304 *
4305 * Yuck.
4306 *
4307 * Instead of doing those all right, we just look for data packets with
4308 * 0 or 1 bytes of padding. If you want to look at other packets, that
4309 * will require a lot more hacking.
4310 *
4311 * To add support for filtering on DECNET "areas" (network numbers)
4312 * one would want to add a "mask" argument to this routine. That would
4313 * make the filter even more inefficient, although one could be clever
4314 * and not generate masking instructions if the mask is 0xFFFF.
4315 */
4316static struct block *
4317gen_dnhostop(addr, dir)
4318 bpf_u_int32 addr;
4319 int dir;
4320{
4321 struct block *b0, *b1, *b2, *tmp;
4322 u_int offset_lh; /* offset if long header is received */
4323 u_int offset_sh; /* offset if short header is received */
4324
4325 switch (dir) {
4326
4327 case Q_DST:
4328 offset_sh = 1; /* follows flags */
4329 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4330 break;
4331
4332 case Q_SRC:
4333 offset_sh = 3; /* follows flags, dstnode */
4334 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4335 break;
4336
4337 case Q_AND:
4338 /* Inefficient because we do our Calvinball dance twice */
4339 b0 = gen_dnhostop(addr, Q_SRC);
4340 b1 = gen_dnhostop(addr, Q_DST);
4341 gen_and(b0, b1);
4342 return b1;
4343
4344 case Q_OR:
4345 case Q_DEFAULT:
4346 /* Inefficient because we do our Calvinball dance twice */
4347 b0 = gen_dnhostop(addr, Q_SRC);
4348 b1 = gen_dnhostop(addr, Q_DST);
4349 gen_or(b0, b1);
4350 return b1;
4351
4352 case Q_ISO:
4353 bpf_error("ISO host filtering not implemented");
4354
4355 default:
4356 abort();
4357 }
4358 b0 = gen_linktype(ETHERTYPE_DN);
4359 /* Check for pad = 1, long header case */
4360 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4361 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4362 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4363 BPF_H, (bpf_int32)ntohs((u_short)addr));
4364 gen_and(tmp, b1);
4365 /* Check for pad = 0, long header case */
4366 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4367 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4368 gen_and(tmp, b2);
4369 gen_or(b2, b1);
4370 /* Check for pad = 1, short header case */
4371 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4372 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4373 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4374 gen_and(tmp, b2);
4375 gen_or(b2, b1);
4376 /* Check for pad = 0, short header case */
4377 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4378 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4379 gen_and(tmp, b2);
4380 gen_or(b2, b1);
4381
4382 /* Combine with test for linktype */
4383 gen_and(b0, b1);
4384 return b1;
4385}
4386
4387/*
4388 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4389 * test the bottom-of-stack bit, and then check the version number
4390 * field in the IP header.
4391 */
4392static struct block *
4393gen_mpls_linktype(proto)
4394 int proto;
4395{
4396 struct block *b0, *b1;
4397
4398 switch (proto) {
4399
4400 case Q_IP:
4401 /* match the bottom-of-stack bit */
4402 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4403 /* match the IPv4 version number */
4404 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4405 gen_and(b0, b1);
4406 return b1;
4407
4408 case Q_IPV6:
4409 /* match the bottom-of-stack bit */
4410 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4411 /* match the IPv4 version number */
4412 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4413 gen_and(b0, b1);
4414 return b1;
4415
4416 default:
4417 abort();
4418 }
4419}
4420
4421static struct block *
4422gen_host(addr, mask, proto, dir, type)
4423 bpf_u_int32 addr;
4424 bpf_u_int32 mask;
4425 int proto;
4426 int dir;
4427 int type;
4428{
4429 struct block *b0, *b1;
4430 const char *typestr;
4431
4432 if (type == Q_NET)
4433 typestr = "net";
4434 else
4435 typestr = "host";
4436
4437 switch (proto) {
4438
4439 case Q_DEFAULT:
4440 b0 = gen_host(addr, mask, Q_IP, dir, type);
4441 /*
4442 * Only check for non-IPv4 addresses if we're not
4443 * checking MPLS-encapsulated packets.
4444 */
4445 if (label_stack_depth == 0) {
4446 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4447 gen_or(b0, b1);
4448 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4449 gen_or(b1, b0);
4450 }
4451 return b0;
4452
4453 case Q_IP:
4454 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4455
4456 case Q_RARP:
4457 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4458
4459 case Q_ARP:
4460 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4461
4462 case Q_TCP:
4463 bpf_error("'tcp' modifier applied to %s", typestr);
4464
4465 case Q_SCTP:
4466 bpf_error("'sctp' modifier applied to %s", typestr);
4467
4468 case Q_UDP:
4469 bpf_error("'udp' modifier applied to %s", typestr);
4470
4471 case Q_ICMP:
4472 bpf_error("'icmp' modifier applied to %s", typestr);
4473
4474 case Q_IGMP:
4475 bpf_error("'igmp' modifier applied to %s", typestr);
4476
4477 case Q_IGRP:
4478 bpf_error("'igrp' modifier applied to %s", typestr);
4479
4480 case Q_PIM:
4481 bpf_error("'pim' modifier applied to %s", typestr);
4482
4483 case Q_VRRP:
4484 bpf_error("'vrrp' modifier applied to %s", typestr);
4485
4486 case Q_CARP:
4487 bpf_error("'carp' modifier applied to %s", typestr);
4488
4489 case Q_ATALK:
4490 bpf_error("ATALK host filtering not implemented");
4491
4492 case Q_AARP:
4493 bpf_error("AARP host filtering not implemented");
4494
4495 case Q_DECNET:
4496 return gen_dnhostop(addr, dir);
4497
4498 case Q_SCA:
4499 bpf_error("SCA host filtering not implemented");
4500
4501 case Q_LAT:
4502 bpf_error("LAT host filtering not implemented");
4503
4504 case Q_MOPDL:
4505 bpf_error("MOPDL host filtering not implemented");
4506
4507 case Q_MOPRC:
4508 bpf_error("MOPRC host filtering not implemented");
4509
4510#ifdef INET6
4511 case Q_IPV6:
4512 bpf_error("'ip6' modifier applied to ip host");
4513
4514 case Q_ICMPV6:
4515 bpf_error("'icmp6' modifier applied to %s", typestr);
4516#endif /* INET6 */
4517
4518 case Q_AH:
4519 bpf_error("'ah' modifier applied to %s", typestr);
4520
4521 case Q_ESP:
4522 bpf_error("'esp' modifier applied to %s", typestr);
4523
4524 case Q_ISO:
4525 bpf_error("ISO host filtering not implemented");
4526
4527 case Q_ESIS:
4528 bpf_error("'esis' modifier applied to %s", typestr);
4529
4530 case Q_ISIS:
4531 bpf_error("'isis' modifier applied to %s", typestr);
4532
4533 case Q_CLNP:
4534 bpf_error("'clnp' modifier applied to %s", typestr);
4535
4536 case Q_STP:
4537 bpf_error("'stp' modifier applied to %s", typestr);
4538
4539 case Q_IPX:
4540 bpf_error("IPX host filtering not implemented");
4541
4542 case Q_NETBEUI:
4543 bpf_error("'netbeui' modifier applied to %s", typestr);
4544
4545 case Q_RADIO:
4546 bpf_error("'radio' modifier applied to %s", typestr);
4547
4548 default:
4549 abort();
4550 }
4551 /* NOTREACHED */
4552}
4553
4554#ifdef INET6
4555static struct block *
4556gen_host6(addr, mask, proto, dir, type)
4557 struct in6_addr *addr;
4558 struct in6_addr *mask;
4559 int proto;
4560 int dir;
4561 int type;
4562{
4563 const char *typestr;
4564
4565 if (type == Q_NET)
4566 typestr = "net";
4567 else
4568 typestr = "host";
4569
4570 switch (proto) {
4571
4572 case Q_DEFAULT:
4573 return gen_host6(addr, mask, Q_IPV6, dir, type);
4574
4575 case Q_IP:
4576 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4577
4578 case Q_RARP:
4579 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4580
4581 case Q_ARP:
4582 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4583
4584 case Q_SCTP:
4585 bpf_error("'sctp' modifier applied to %s", typestr);
4586
4587 case Q_TCP:
4588 bpf_error("'tcp' modifier applied to %s", typestr);
4589
4590 case Q_UDP:
4591 bpf_error("'udp' modifier applied to %s", typestr);
4592
4593 case Q_ICMP:
4594 bpf_error("'icmp' modifier applied to %s", typestr);
4595
4596 case Q_IGMP:
4597 bpf_error("'igmp' modifier applied to %s", typestr);
4598
4599 case Q_IGRP:
4600 bpf_error("'igrp' modifier applied to %s", typestr);
4601
4602 case Q_PIM:
4603 bpf_error("'pim' modifier applied to %s", typestr);
4604
4605 case Q_VRRP:
4606 bpf_error("'vrrp' modifier applied to %s", typestr);
4607
4608 case Q_CARP:
4609 bpf_error("'carp' modifier applied to %s", typestr);
4610
4611 case Q_ATALK:
4612 bpf_error("ATALK host filtering not implemented");
4613
4614 case Q_AARP:
4615 bpf_error("AARP host filtering not implemented");
4616
4617 case Q_DECNET:
4618 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4619
4620 case Q_SCA:
4621 bpf_error("SCA host filtering not implemented");
4622
4623 case Q_LAT:
4624 bpf_error("LAT host filtering not implemented");
4625
4626 case Q_MOPDL:
4627 bpf_error("MOPDL host filtering not implemented");
4628
4629 case Q_MOPRC:
4630 bpf_error("MOPRC host filtering not implemented");
4631
4632 case Q_IPV6:
4633 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4634
4635 case Q_ICMPV6:
4636 bpf_error("'icmp6' modifier applied to %s", typestr);
4637
4638 case Q_AH:
4639 bpf_error("'ah' modifier applied to %s", typestr);
4640
4641 case Q_ESP:
4642 bpf_error("'esp' modifier applied to %s", typestr);
4643
4644 case Q_ISO:
4645 bpf_error("ISO host filtering not implemented");
4646
4647 case Q_ESIS:
4648 bpf_error("'esis' modifier applied to %s", typestr);
4649
4650 case Q_ISIS:
4651 bpf_error("'isis' modifier applied to %s", typestr);
4652
4653 case Q_CLNP:
4654 bpf_error("'clnp' modifier applied to %s", typestr);
4655
4656 case Q_STP:
4657 bpf_error("'stp' modifier applied to %s", typestr);
4658
4659 case Q_IPX:
4660 bpf_error("IPX host filtering not implemented");
4661
4662 case Q_NETBEUI:
4663 bpf_error("'netbeui' modifier applied to %s", typestr);
4664
4665 case Q_RADIO:
4666 bpf_error("'radio' modifier applied to %s", typestr);
4667
4668 default:
4669 abort();
4670 }
4671 /* NOTREACHED */
4672}
4673#endif /*INET6*/
4674
4675#ifndef INET6
4676static struct block *
4677gen_gateway(eaddr, alist, proto, dir)
4678 const u_char *eaddr;
4679 bpf_u_int32 **alist;
4680 int proto;
4681 int dir;
4682{
4683 struct block *b0, *b1, *tmp;
4684
4685 if (dir != 0)
4686 bpf_error("direction applied to 'gateway'");
4687
4688 switch (proto) {
4689 case Q_DEFAULT:
4690 case Q_IP:
4691 case Q_ARP:
4692 case Q_RARP:
4693 switch (linktype) {
4694 case DLT_EN10MB:
4695 case DLT_NETANALYZER:
4696 case DLT_NETANALYZER_TRANSPARENT:
4697 b0 = gen_ehostop(eaddr, Q_OR);
4698 break;
4699 case DLT_FDDI:
4700 b0 = gen_fhostop(eaddr, Q_OR);
4701 break;
4702 case DLT_IEEE802:
4703 b0 = gen_thostop(eaddr, Q_OR);
4704 break;
4705 case DLT_IEEE802_11:
4706 case DLT_PRISM_HEADER:
4707 case DLT_IEEE802_11_RADIO_AVS:
4708 case DLT_IEEE802_11_RADIO:
4709 case DLT_PPI:
4710 b0 = gen_wlanhostop(eaddr, Q_OR);
4711 break;
4712 case DLT_SUNATM:
4713 if (!is_lane)
4714 bpf_error(
4715 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4716 /*
4717 * Check that the packet doesn't begin with an
4718 * LE Control marker. (We've already generated
4719 * a test for LANE.)
4720 */
4721 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4722 BPF_H, 0xFF00);
4723 gen_not(b1);
4724
4725 /*
4726 * Now check the MAC address.
4727 */
4728 b0 = gen_ehostop(eaddr, Q_OR);
4729 gen_and(b1, b0);
4730 break;
4731 case DLT_IP_OVER_FC:
4732 b0 = gen_ipfchostop(eaddr, Q_OR);
4733 break;
4734 default:
4735 bpf_error(
4736 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4737 }
4738 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4739 while (*alist) {
4740 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4741 Q_HOST);
4742 gen_or(b1, tmp);
4743 b1 = tmp;
4744 }
4745 gen_not(b1);
4746 gen_and(b0, b1);
4747 return b1;
4748 }
4749 bpf_error("illegal modifier of 'gateway'");
4750 /* NOTREACHED */
4751}
4752#endif
4753
4754struct block *
4755gen_proto_abbrev(proto)
4756 int proto;
4757{
4758 struct block *b0;
4759 struct block *b1;
4760
4761 switch (proto) {
4762
4763 case Q_SCTP:
4764 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4765#ifdef INET6
4766 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4767 gen_or(b0, b1);
4768#endif
4769 break;
4770
4771 case Q_TCP:
4772 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4773#ifdef INET6
4774 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4775 gen_or(b0, b1);
4776#endif
4777 break;
4778
4779 case Q_UDP:
4780 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4781#ifdef INET6
4782 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4783 gen_or(b0, b1);
4784#endif
4785 break;
4786
4787 case Q_ICMP:
4788 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4789 break;
4790
4791#ifndef IPPROTO_IGMP
4792#define IPPROTO_IGMP 2
4793#endif
4794
4795 case Q_IGMP:
4796 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4797 break;
4798
4799#ifndef IPPROTO_IGRP
4800#define IPPROTO_IGRP 9
4801#endif
4802 case Q_IGRP:
4803 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4804 break;
4805
4806#ifndef IPPROTO_PIM
4807#define IPPROTO_PIM 103
4808#endif
4809
4810 case Q_PIM:
4811 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4812#ifdef INET6
4813 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4814 gen_or(b0, b1);
4815#endif
4816 break;
4817
4818#ifndef IPPROTO_VRRP
4819#define IPPROTO_VRRP 112
4820#endif
4821
4822 case Q_VRRP:
4823 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4824 break;
4825
4826#ifndef IPPROTO_CARP
4827#define IPPROTO_CARP 112
4828#endif
4829
4830 case Q_CARP:
4831 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT);
4832 break;
4833
4834 case Q_IP:
4835 b1 = gen_linktype(ETHERTYPE_IP);
4836 break;
4837
4838 case Q_ARP:
4839 b1 = gen_linktype(ETHERTYPE_ARP);
4840 break;
4841
4842 case Q_RARP:
4843 b1 = gen_linktype(ETHERTYPE_REVARP);
4844 break;
4845
4846 case Q_LINK:
4847 bpf_error("link layer applied in wrong context");
4848
4849 case Q_ATALK:
4850 b1 = gen_linktype(ETHERTYPE_ATALK);
4851 break;
4852
4853 case Q_AARP:
4854 b1 = gen_linktype(ETHERTYPE_AARP);
4855 break;
4856
4857 case Q_DECNET:
4858 b1 = gen_linktype(ETHERTYPE_DN);
4859 break;
4860
4861 case Q_SCA:
4862 b1 = gen_linktype(ETHERTYPE_SCA);
4863 break;
4864
4865 case Q_LAT:
4866 b1 = gen_linktype(ETHERTYPE_LAT);
4867 break;
4868
4869 case Q_MOPDL:
4870 b1 = gen_linktype(ETHERTYPE_MOPDL);
4871 break;
4872
4873 case Q_MOPRC:
4874 b1 = gen_linktype(ETHERTYPE_MOPRC);
4875 break;
4876
4877#ifdef INET6
4878 case Q_IPV6:
4879 b1 = gen_linktype(ETHERTYPE_IPV6);
4880 break;
4881
4882#ifndef IPPROTO_ICMPV6
4883#define IPPROTO_ICMPV6 58
4884#endif
4885 case Q_ICMPV6:
4886 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4887 break;
4888#endif /* INET6 */
4889
4890#ifndef IPPROTO_AH
4891#define IPPROTO_AH 51
4892#endif
4893 case Q_AH:
4894 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4895#ifdef INET6
4896 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4897 gen_or(b0, b1);
4898#endif
4899 break;
4900
4901#ifndef IPPROTO_ESP
4902#define IPPROTO_ESP 50
4903#endif
4904 case Q_ESP:
4905 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4906#ifdef INET6
4907 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4908 gen_or(b0, b1);
4909#endif
4910 break;
4911
4912 case Q_ISO:
4913 b1 = gen_linktype(LLCSAP_ISONS);
4914 break;
4915
4916 case Q_ESIS:
4917 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4918 break;
4919
4920 case Q_ISIS:
4921 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4922 break;
4923
4924 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4925 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4926 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4927 gen_or(b0, b1);
4928 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4929 gen_or(b0, b1);
4930 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4931 gen_or(b0, b1);
4932 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4933 gen_or(b0, b1);
4934 break;
4935
4936 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4937 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4938 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4939 gen_or(b0, b1);
4940 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4941 gen_or(b0, b1);
4942 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4943 gen_or(b0, b1);
4944 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4945 gen_or(b0, b1);
4946 break;
4947
4948 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4949 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4950 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4951 gen_or(b0, b1);
4952 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4953 gen_or(b0, b1);
4954 break;
4955
4956 case Q_ISIS_LSP:
4957 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4958 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4959 gen_or(b0, b1);
4960 break;
4961
4962 case Q_ISIS_SNP:
4963 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4964 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4965 gen_or(b0, b1);
4966 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4967 gen_or(b0, b1);
4968 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4969 gen_or(b0, b1);
4970 break;
4971
4972 case Q_ISIS_CSNP:
4973 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4974 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4975 gen_or(b0, b1);
4976 break;
4977
4978 case Q_ISIS_PSNP:
4979 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4980 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4981 gen_or(b0, b1);
4982 break;
4983
4984 case Q_CLNP:
4985 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4986 break;
4987
4988 case Q_STP:
4989 b1 = gen_linktype(LLCSAP_8021D);
4990 break;
4991
4992 case Q_IPX:
4993 b1 = gen_linktype(LLCSAP_IPX);
4994 break;
4995
4996 case Q_NETBEUI:
4997 b1 = gen_linktype(LLCSAP_NETBEUI);
4998 break;
4999
5000 case Q_RADIO:
5001 bpf_error("'radio' is not a valid protocol type");
5002
5003 default:
5004 abort();
5005 }
5006 return b1;
5007}
5008
5009static struct block *
5010gen_ipfrag()
5011{
5012 struct slist *s;
5013 struct block *b;
5014
5015 /* not IPv4 frag other than the first frag */
5016 s = gen_load_a(OR_NET, 6, BPF_H);
5017 b = new_block(JMP(BPF_JSET));
5018 b->s.k = 0x1fff;
5019 b->stmts = s;
5020 gen_not(b);
5021
5022 return b;
5023}
5024
5025/*
5026 * Generate a comparison to a port value in the transport-layer header
5027 * at the specified offset from the beginning of that header.
5028 *
5029 * XXX - this handles a variable-length prefix preceding the link-layer
5030 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5031 * variable-length link-layer headers (such as Token Ring or 802.11
5032 * headers).
5033 */
5034static struct block *
5035gen_portatom(off, v)
5036 int off;
5037 bpf_int32 v;
5038{
5039 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
5040}
5041
5042#ifdef INET6
5043static struct block *
5044gen_portatom6(off, v)
5045 int off;
5046 bpf_int32 v;
5047{
5048 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5049}
5050#endif/*INET6*/
5051
5052struct block *
5053gen_portop(port, proto, dir)
5054 int port, proto, dir;
5055{
5056 struct block *b0, *b1, *tmp;
5057
5058 /* ip proto 'proto' and not a fragment other than the first fragment */
5059 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5060 b0 = gen_ipfrag();
5061 gen_and(tmp, b0);
5062
5063 switch (dir) {
5064 case Q_SRC:
5065 b1 = gen_portatom(0, (bpf_int32)port);
5066 break;
5067
5068 case Q_DST:
5069 b1 = gen_portatom(2, (bpf_int32)port);
5070 break;
5071
5072 case Q_OR:
5073 case Q_DEFAULT:
5074 tmp = gen_portatom(0, (bpf_int32)port);
5075 b1 = gen_portatom(2, (bpf_int32)port);
5076 gen_or(tmp, b1);
5077 break;
5078
5079 case Q_AND:
5080 tmp = gen_portatom(0, (bpf_int32)port);
5081 b1 = gen_portatom(2, (bpf_int32)port);
5082 gen_and(tmp, b1);
5083 break;
5084
5085 default:
5086 abort();
5087 }
5088 gen_and(b0, b1);
5089
5090 return b1;
5091}
5092
5093static struct block *
5094gen_port(port, ip_proto, dir)
5095 int port;
5096 int ip_proto;
5097 int dir;
5098{
5099 struct block *b0, *b1, *tmp;
5100
5101 /*
5102 * ether proto ip
5103 *
5104 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5105 * not LLC encapsulation with LLCSAP_IP.
5106 *
5107 * For IEEE 802 networks - which includes 802.5 token ring
5108 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5109 * says that SNAP encapsulation is used, not LLC encapsulation
5110 * with LLCSAP_IP.
5111 *
5112 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5113 * RFC 2225 say that SNAP encapsulation is used, not LLC
5114 * encapsulation with LLCSAP_IP.
5115 *
5116 * So we always check for ETHERTYPE_IP.
5117 */
5118 b0 = gen_linktype(ETHERTYPE_IP);
5119
5120 switch (ip_proto) {
5121 case IPPROTO_UDP:
5122 case IPPROTO_TCP:
5123 case IPPROTO_SCTP:
5124 b1 = gen_portop(port, ip_proto, dir);
5125 break;
5126
5127 case PROTO_UNDEF:
5128 tmp = gen_portop(port, IPPROTO_TCP, dir);
5129 b1 = gen_portop(port, IPPROTO_UDP, dir);
5130 gen_or(tmp, b1);
5131 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5132 gen_or(tmp, b1);
5133 break;
5134
5135 default:
5136 abort();
5137 }
5138 gen_and(b0, b1);
5139 return b1;
5140}
5141
5142#ifdef INET6
5143struct block *
5144gen_portop6(port, proto, dir)
5145 int port, proto, dir;
5146{
5147 struct block *b0, *b1, *tmp;
5148
5149 /* ip6 proto 'proto' */
5150 /* XXX - catch the first fragment of a fragmented packet? */
5151 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5152
5153 switch (dir) {
5154 case Q_SRC:
5155 b1 = gen_portatom6(0, (bpf_int32)port);
5156 break;
5157
5158 case Q_DST:
5159 b1 = gen_portatom6(2, (bpf_int32)port);
5160 break;
5161
5162 case Q_OR:
5163 case Q_DEFAULT:
5164 tmp = gen_portatom6(0, (bpf_int32)port);
5165 b1 = gen_portatom6(2, (bpf_int32)port);
5166 gen_or(tmp, b1);
5167 break;
5168
5169 case Q_AND:
5170 tmp = gen_portatom6(0, (bpf_int32)port);
5171 b1 = gen_portatom6(2, (bpf_int32)port);
5172 gen_and(tmp, b1);
5173 break;
5174
5175 default:
5176 abort();
5177 }
5178 gen_and(b0, b1);
5179
5180 return b1;
5181}
5182
5183static struct block *
5184gen_port6(port, ip_proto, dir)
5185 int port;
5186 int ip_proto;
5187 int dir;
5188{
5189 struct block *b0, *b1, *tmp;
5190
5191 /* link proto ip6 */
5192 b0 = gen_linktype(ETHERTYPE_IPV6);
5193
5194 switch (ip_proto) {
5195 case IPPROTO_UDP:
5196 case IPPROTO_TCP:
5197 case IPPROTO_SCTP:
5198 b1 = gen_portop6(port, ip_proto, dir);
5199 break;
5200
5201 case PROTO_UNDEF:
5202 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5203 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5204 gen_or(tmp, b1);
5205 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5206 gen_or(tmp, b1);
5207 break;
5208
5209 default:
5210 abort();
5211 }
5212 gen_and(b0, b1);
5213 return b1;
5214}
5215#endif /* INET6 */
5216
5217/* gen_portrange code */
5218static struct block *
5219gen_portrangeatom(off, v1, v2)
5220 int off;
5221 bpf_int32 v1, v2;
5222{
5223 struct block *b1, *b2;
5224
5225 if (v1 > v2) {
5226 /*
5227 * Reverse the order of the ports, so v1 is the lower one.
5228 */
5229 bpf_int32 vtemp;
5230
5231 vtemp = v1;
5232 v1 = v2;
5233 v2 = vtemp;
5234 }
5235
5236 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5237 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5238
5239 gen_and(b1, b2);
5240
5241 return b2;
5242}
5243
5244struct block *
5245gen_portrangeop(port1, port2, proto, dir)
5246 int port1, port2;
5247 int proto;
5248 int dir;
5249{
5250 struct block *b0, *b1, *tmp;
5251
5252 /* ip proto 'proto' and not a fragment other than the first fragment */
5253 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5254 b0 = gen_ipfrag();
5255 gen_and(tmp, b0);
5256
5257 switch (dir) {
5258 case Q_SRC:
5259 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5260 break;
5261
5262 case Q_DST:
5263 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5264 break;
5265
5266 case Q_OR:
5267 case Q_DEFAULT:
5268 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5269 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5270 gen_or(tmp, b1);
5271 break;
5272
5273 case Q_AND:
5274 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5275 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5276 gen_and(tmp, b1);
5277 break;
5278
5279 default:
5280 abort();
5281 }
5282 gen_and(b0, b1);
5283
5284 return b1;
5285}
5286
5287static struct block *
5288gen_portrange(port1, port2, ip_proto, dir)
5289 int port1, port2;
5290 int ip_proto;
5291 int dir;
5292{
5293 struct block *b0, *b1, *tmp;
5294
5295 /* link proto ip */
5296 b0 = gen_linktype(ETHERTYPE_IP);
5297
5298 switch (ip_proto) {
5299 case IPPROTO_UDP:
5300 case IPPROTO_TCP:
5301 case IPPROTO_SCTP:
5302 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5303 break;
5304
5305 case PROTO_UNDEF:
5306 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5307 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5308 gen_or(tmp, b1);
5309 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5310 gen_or(tmp, b1);
5311 break;
5312
5313 default:
5314 abort();
5315 }
5316 gen_and(b0, b1);
5317 return b1;
5318}
5319
5320#ifdef INET6
5321static struct block *
5322gen_portrangeatom6(off, v1, v2)
5323 int off;
5324 bpf_int32 v1, v2;
5325{
5326 struct block *b1, *b2;
5327
5328 if (v1 > v2) {
5329 /*
5330 * Reverse the order of the ports, so v1 is the lower one.
5331 */
5332 bpf_int32 vtemp;
5333
5334 vtemp = v1;
5335 v1 = v2;
5336 v2 = vtemp;
5337 }
5338
5339 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5340 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5341
5342 gen_and(b1, b2);
5343
5344 return b2;
5345}
5346
5347struct block *
5348gen_portrangeop6(port1, port2, proto, dir)
5349 int port1, port2;
5350 int proto;
5351 int dir;
5352{
5353 struct block *b0, *b1, *tmp;
5354
5355 /* ip6 proto 'proto' */
5356 /* XXX - catch the first fragment of a fragmented packet? */
5357 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5358
5359 switch (dir) {
5360 case Q_SRC:
5361 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5362 break;
5363
5364 case Q_DST:
5365 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5366 break;
5367
5368 case Q_OR:
5369 case Q_DEFAULT:
5370 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5371 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5372 gen_or(tmp, b1);
5373 break;
5374
5375 case Q_AND:
5376 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5377 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5378 gen_and(tmp, b1);
5379 break;
5380
5381 default:
5382 abort();
5383 }
5384 gen_and(b0, b1);
5385
5386 return b1;
5387}
5388
5389static struct block *
5390gen_portrange6(port1, port2, ip_proto, dir)
5391 int port1, port2;
5392 int ip_proto;
5393 int dir;
5394{
5395 struct block *b0, *b1, *tmp;
5396
5397 /* link proto ip6 */
5398 b0 = gen_linktype(ETHERTYPE_IPV6);
5399
5400 switch (ip_proto) {
5401 case IPPROTO_UDP:
5402 case IPPROTO_TCP:
5403 case IPPROTO_SCTP:
5404 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5405 break;
5406
5407 case PROTO_UNDEF:
5408 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5409 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5410 gen_or(tmp, b1);
5411 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5412 gen_or(tmp, b1);
5413 break;
5414
5415 default:
5416 abort();
5417 }
5418 gen_and(b0, b1);
5419 return b1;
5420}
5421#endif /* INET6 */
5422
5423static int
5424lookup_proto(name, proto)
5425 register const char *name;
5426 register int proto;
5427{
5428 register int v;
5429
5430 switch (proto) {
5431
5432 case Q_DEFAULT:
5433 case Q_IP:
5434 case Q_IPV6:
5435 v = pcap_nametoproto(name);
5436 if (v == PROTO_UNDEF)
5437 bpf_error("unknown ip proto '%s'", name);
5438 break;
5439
5440 case Q_LINK:
5441 /* XXX should look up h/w protocol type based on linktype */
5442 v = pcap_nametoeproto(name);
5443 if (v == PROTO_UNDEF) {
5444 v = pcap_nametollc(name);
5445 if (v == PROTO_UNDEF)
5446 bpf_error("unknown ether proto '%s'", name);
5447 }
5448 break;
5449
5450 case Q_ISO:
5451 if (strcmp(name, "esis") == 0)
5452 v = ISO9542_ESIS;
5453 else if (strcmp(name, "isis") == 0)
5454 v = ISO10589_ISIS;
5455 else if (strcmp(name, "clnp") == 0)
5456 v = ISO8473_CLNP;
5457 else
5458 bpf_error("unknown osi proto '%s'", name);
5459 break;
5460
5461 default:
5462 v = PROTO_UNDEF;
5463 break;
5464 }
5465 return v;
5466}
5467
5468#if 0
5469struct stmt *
5470gen_joinsp(s, n)
5471 struct stmt **s;
5472 int n;
5473{
5474 return NULL;
5475}
5476#endif
5477
5478static struct block *
5479gen_protochain(v, proto, dir)
5480 int v;
5481 int proto;
5482 int dir;
5483{
5484#ifdef NO_PROTOCHAIN
5485 return gen_proto(v, proto, dir);
5486#else
5487 struct block *b0, *b;
5488 struct slist *s[100];
5489 int fix2, fix3, fix4, fix5;
5490 int ahcheck, again, end;
5491 int i, max;
5492 int reg2 = alloc_reg();
5493
5494 memset(s, 0, sizeof(s));
5495 fix2 = fix3 = fix4 = fix5 = 0;
5496
5497 switch (proto) {
5498 case Q_IP:
5499 case Q_IPV6:
5500 break;
5501 case Q_DEFAULT:
5502 b0 = gen_protochain(v, Q_IP, dir);
5503 b = gen_protochain(v, Q_IPV6, dir);
5504 gen_or(b0, b);
5505 return b;
5506 default:
5507 bpf_error("bad protocol applied for 'protochain'");
5508 /*NOTREACHED*/
5509 }
5510
5511 /*
5512 * We don't handle variable-length prefixes before the link-layer
5513 * header, or variable-length link-layer headers, here yet.
5514 * We might want to add BPF instructions to do the protochain
5515 * work, to simplify that and, on platforms that have a BPF
5516 * interpreter with the new instructions, let the filtering
5517 * be done in the kernel. (We already require a modified BPF
5518 * engine to do the protochain stuff, to support backward
5519 * branches, and backward branch support is unlikely to appear
5520 * in kernel BPF engines.)
5521 */
5522 switch (linktype) {
5523
5524 case DLT_IEEE802_11:
5525 case DLT_PRISM_HEADER:
5526 case DLT_IEEE802_11_RADIO_AVS:
5527 case DLT_IEEE802_11_RADIO:
5528 case DLT_PPI:
5529 bpf_error("'protochain' not supported with 802.11");
5530 }
5531
5532 no_optimize = 1; /*this code is not compatible with optimzer yet */
5533
5534 /*
5535 * s[0] is a dummy entry to protect other BPF insn from damage
5536 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5537 * hard to find interdependency made by jump table fixup.
5538 */
5539 i = 0;
5540 s[i] = new_stmt(0); /*dummy*/
5541 i++;
5542
5543 switch (proto) {
5544 case Q_IP:
5545 b0 = gen_linktype(ETHERTYPE_IP);
5546
5547 /* A = ip->ip_p */
5548 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5549 s[i]->s.k = off_macpl + off_nl + 9;
5550 i++;
5551 /* X = ip->ip_hl << 2 */
5552 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5553 s[i]->s.k = off_macpl + off_nl;
5554 i++;
5555 break;
5556#ifdef INET6
5557 case Q_IPV6:
5558 b0 = gen_linktype(ETHERTYPE_IPV6);
5559
5560 /* A = ip6->ip_nxt */
5561 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5562 s[i]->s.k = off_macpl + off_nl + 6;
5563 i++;
5564 /* X = sizeof(struct ip6_hdr) */
5565 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5566 s[i]->s.k = 40;
5567 i++;
5568 break;
5569#endif
5570 default:
5571 bpf_error("unsupported proto to gen_protochain");
5572 /*NOTREACHED*/
5573 }
5574
5575 /* again: if (A == v) goto end; else fall through; */
5576 again = i;
5577 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5578 s[i]->s.k = v;
5579 s[i]->s.jt = NULL; /*later*/
5580 s[i]->s.jf = NULL; /*update in next stmt*/
5581 fix5 = i;
5582 i++;
5583
5584#ifndef IPPROTO_NONE
5585#define IPPROTO_NONE 59
5586#endif
5587 /* if (A == IPPROTO_NONE) goto end */
5588 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5589 s[i]->s.jt = NULL; /*later*/
5590 s[i]->s.jf = NULL; /*update in next stmt*/
5591 s[i]->s.k = IPPROTO_NONE;
5592 s[fix5]->s.jf = s[i];
5593 fix2 = i;
5594 i++;
5595
5596#ifdef INET6
5597 if (proto == Q_IPV6) {
5598 int v6start, v6end, v6advance, j;
5599
5600 v6start = i;
5601 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5602 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5603 s[i]->s.jt = NULL; /*later*/
5604 s[i]->s.jf = NULL; /*update in next stmt*/
5605 s[i]->s.k = IPPROTO_HOPOPTS;
5606 s[fix2]->s.jf = s[i];
5607 i++;
5608 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5609 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5610 s[i]->s.jt = NULL; /*later*/
5611 s[i]->s.jf = NULL; /*update in next stmt*/
5612 s[i]->s.k = IPPROTO_DSTOPTS;
5613 i++;
5614 /* if (A == IPPROTO_ROUTING) goto v6advance */
5615 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5616 s[i]->s.jt = NULL; /*later*/
5617 s[i]->s.jf = NULL; /*update in next stmt*/
5618 s[i]->s.k = IPPROTO_ROUTING;
5619 i++;
5620 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5621 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5622 s[i]->s.jt = NULL; /*later*/
5623 s[i]->s.jf = NULL; /*later*/
5624 s[i]->s.k = IPPROTO_FRAGMENT;
5625 fix3 = i;
5626 v6end = i;
5627 i++;
5628
5629 /* v6advance: */
5630 v6advance = i;
5631
5632 /*
5633 * in short,
5634 * A = P[X + packet head];
5635 * X = X + (P[X + packet head + 1] + 1) * 8;
5636 */
5637 /* A = P[X + packet head] */
5638 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5639 s[i]->s.k = off_macpl + off_nl;
5640 i++;
5641 /* MEM[reg2] = A */
5642 s[i] = new_stmt(BPF_ST);
5643 s[i]->s.k = reg2;
5644 i++;
5645 /* A = P[X + packet head + 1]; */
5646 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5647 s[i]->s.k = off_macpl + off_nl + 1;
5648 i++;
5649 /* A += 1 */
5650 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5651 s[i]->s.k = 1;
5652 i++;
5653 /* A *= 8 */
5654 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5655 s[i]->s.k = 8;
5656 i++;
5657 /* A += X */
5658 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
5659 s[i]->s.k = 0;
5660 i++;
5661 /* X = A; */
5662 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5663 i++;
5664 /* A = MEM[reg2] */
5665 s[i] = new_stmt(BPF_LD|BPF_MEM);
5666 s[i]->s.k = reg2;
5667 i++;
5668
5669 /* goto again; (must use BPF_JA for backward jump) */
5670 s[i] = new_stmt(BPF_JMP|BPF_JA);
5671 s[i]->s.k = again - i - 1;
5672 s[i - 1]->s.jf = s[i];
5673 i++;
5674
5675 /* fixup */
5676 for (j = v6start; j <= v6end; j++)
5677 s[j]->s.jt = s[v6advance];
5678 } else
5679#endif
5680 {
5681 /* nop */
5682 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5683 s[i]->s.k = 0;
5684 s[fix2]->s.jf = s[i];
5685 i++;
5686 }
5687
5688 /* ahcheck: */
5689 ahcheck = i;
5690 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5691 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5692 s[i]->s.jt = NULL; /*later*/
5693 s[i]->s.jf = NULL; /*later*/
5694 s[i]->s.k = IPPROTO_AH;
5695 if (fix3)
5696 s[fix3]->s.jf = s[ahcheck];
5697 fix4 = i;
5698 i++;
5699
5700 /*
5701 * in short,
5702 * A = P[X];
5703 * X = X + (P[X + 1] + 2) * 4;
5704 */
5705 /* A = X */
5706 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5707 i++;
5708 /* A = P[X + packet head]; */
5709 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5710 s[i]->s.k = off_macpl + off_nl;
5711 i++;
5712 /* MEM[reg2] = A */
5713 s[i] = new_stmt(BPF_ST);
5714 s[i]->s.k = reg2;
5715 i++;
5716 /* A = X */
5717 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5718 i++;
5719 /* A += 1 */
5720 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5721 s[i]->s.k = 1;
5722 i++;
5723 /* X = A */
5724 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5725 i++;
5726 /* A = P[X + packet head] */
5727 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5728 s[i]->s.k = off_macpl + off_nl;
5729 i++;
5730 /* A += 2 */
5731 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5732 s[i]->s.k = 2;
5733 i++;
5734 /* A *= 4 */
5735 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5736 s[i]->s.k = 4;
5737 i++;
5738 /* X = A; */
5739 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5740 i++;
5741 /* A = MEM[reg2] */
5742 s[i] = new_stmt(BPF_LD|BPF_MEM);
5743 s[i]->s.k = reg2;
5744 i++;
5745
5746 /* goto again; (must use BPF_JA for backward jump) */
5747 s[i] = new_stmt(BPF_JMP|BPF_JA);
5748 s[i]->s.k = again - i - 1;
5749 i++;
5750
5751 /* end: nop */
5752 end = i;
5753 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5754 s[i]->s.k = 0;
5755 s[fix2]->s.jt = s[end];
5756 s[fix4]->s.jf = s[end];
5757 s[fix5]->s.jt = s[end];
5758 i++;
5759
5760 /*
5761 * make slist chain
5762 */
5763 max = i;
5764 for (i = 0; i < max - 1; i++)
5765 s[i]->next = s[i + 1];
5766 s[max - 1]->next = NULL;
5767
5768 /*
5769 * emit final check
5770 */
5771 b = new_block(JMP(BPF_JEQ));
5772 b->stmts = s[1]; /*remember, s[0] is dummy*/
5773 b->s.k = v;
5774
5775 free_reg(reg2);
5776
5777 gen_and(b0, b);
5778 return b;
5779#endif
5780}
5781
5782static struct block *
5783gen_check_802_11_data_frame()
5784{
5785 struct slist *s;
5786 struct block *b0, *b1;
5787
5788 /*
5789 * A data frame has the 0x08 bit (b3) in the frame control field set
5790 * and the 0x04 bit (b2) clear.
5791 */
5792 s = gen_load_a(OR_LINK, 0, BPF_B);
5793 b0 = new_block(JMP(BPF_JSET));
5794 b0->s.k = 0x08;
5795 b0->stmts = s;
5796
5797 s = gen_load_a(OR_LINK, 0, BPF_B);
5798 b1 = new_block(JMP(BPF_JSET));
5799 b1->s.k = 0x04;
5800 b1->stmts = s;
5801 gen_not(b1);
5802
5803 gen_and(b1, b0);
5804
5805 return b0;
5806}
5807
5808/*
5809 * Generate code that checks whether the packet is a packet for protocol
5810 * <proto> and whether the type field in that protocol's header has
5811 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5812 * IP packet and checks the protocol number in the IP header against <v>.
5813 *
5814 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5815 * against Q_IP and Q_IPV6.
5816 */
5817static struct block *
5818gen_proto(v, proto, dir)
5819 int v;
5820 int proto;
5821 int dir;
5822{
5823 struct block *b0, *b1;
| 3366
3367 case DLT_LINUX_LAPD:
3368 bpf_error("LAPD link-layer type filtering not implemented");
3369
3370 case DLT_USB:
3371 case DLT_USB_LINUX:
3372 case DLT_USB_LINUX_MMAPPED:
3373 bpf_error("USB link-layer type filtering not implemented");
3374
3375 case DLT_BLUETOOTH_HCI_H4:
3376 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3377 bpf_error("Bluetooth link-layer type filtering not implemented");
3378
3379 case DLT_CAN20B:
3380 case DLT_CAN_SOCKETCAN:
3381 bpf_error("CAN link-layer type filtering not implemented");
3382
3383 case DLT_IEEE802_15_4:
3384 case DLT_IEEE802_15_4_LINUX:
3385 case DLT_IEEE802_15_4_NONASK_PHY:
3386 case DLT_IEEE802_15_4_NOFCS:
3387 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3388
3389 case DLT_IEEE802_16_MAC_CPS_RADIO:
3390 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3391
3392 case DLT_SITA:
3393 bpf_error("SITA link-layer type filtering not implemented");
3394
3395 case DLT_RAIF1:
3396 bpf_error("RAIF1 link-layer type filtering not implemented");
3397
3398 case DLT_IPMB:
3399 bpf_error("IPMB link-layer type filtering not implemented");
3400
3401 case DLT_AX25_KISS:
3402 bpf_error("AX.25 link-layer type filtering not implemented");
3403 }
3404
3405 /*
3406 * All the types that have no encapsulation should either be
3407 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3408 * all packets are IP packets, or should be handled in some
3409 * special case, if none of them are (if some are and some
3410 * aren't, the lack of encapsulation is a problem, as we'd
3411 * have to find some other way of determining the packet type).
3412 *
3413 * Therefore, if "off_linktype" is -1, there's an error.
3414 */
3415 if (off_linktype == (u_int)-1)
3416 abort();
3417
3418 /*
3419 * Any type not handled above should always have an Ethernet
3420 * type at an offset of "off_linktype".
3421 */
3422 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3423}
3424
3425/*
3426 * Check for an LLC SNAP packet with a given organization code and
3427 * protocol type; we check the entire contents of the 802.2 LLC and
3428 * snap headers, checking for DSAP and SSAP of SNAP and a control
3429 * field of 0x03 in the LLC header, and for the specified organization
3430 * code and protocol type in the SNAP header.
3431 */
3432static struct block *
3433gen_snap(orgcode, ptype)
3434 bpf_u_int32 orgcode;
3435 bpf_u_int32 ptype;
3436{
3437 u_char snapblock[8];
3438
3439 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3440 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3441 snapblock[2] = 0x03; /* control = UI */
3442 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3443 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3444 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3445 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3446 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3447 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3448}
3449
3450/*
3451 * Generate code to match a particular packet type, for link-layer types
3452 * using 802.2 LLC headers.
3453 *
3454 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3455 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3456 *
3457 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3458 * value, if <= ETHERMTU. We use that to determine whether to
3459 * match the DSAP or both DSAP and LSAP or to check the OUI and
3460 * protocol ID in a SNAP header.
3461 */
3462static struct block *
3463gen_llc_linktype(proto)
3464 int proto;
3465{
3466 /*
3467 * XXX - handle token-ring variable-length header.
3468 */
3469 switch (proto) {
3470
3471 case LLCSAP_IP:
3472 case LLCSAP_ISONS:
3473 case LLCSAP_NETBEUI:
3474 /*
3475 * XXX - should we check both the DSAP and the
3476 * SSAP, like this, or should we check just the
3477 * DSAP, as we do for other types <= ETHERMTU
3478 * (i.e., other SAP values)?
3479 */
3480 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3481 ((proto << 8) | proto));
3482
3483 case LLCSAP_IPX:
3484 /*
3485 * XXX - are there ever SNAP frames for IPX on
3486 * non-Ethernet 802.x networks?
3487 */
3488 return gen_cmp(OR_MACPL, 0, BPF_B,
3489 (bpf_int32)LLCSAP_IPX);
3490
3491 case ETHERTYPE_ATALK:
3492 /*
3493 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3494 * SNAP packets with an organization code of
3495 * 0x080007 (Apple, for Appletalk) and a protocol
3496 * type of ETHERTYPE_ATALK (Appletalk).
3497 *
3498 * XXX - check for an organization code of
3499 * encapsulated Ethernet as well?
3500 */
3501 return gen_snap(0x080007, ETHERTYPE_ATALK);
3502
3503 default:
3504 /*
3505 * XXX - we don't have to check for IPX 802.3
3506 * here, but should we check for the IPX Ethertype?
3507 */
3508 if (proto <= ETHERMTU) {
3509 /*
3510 * This is an LLC SAP value, so check
3511 * the DSAP.
3512 */
3513 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3514 } else {
3515 /*
3516 * This is an Ethernet type; we assume that it's
3517 * unlikely that it'll appear in the right place
3518 * at random, and therefore check only the
3519 * location that would hold the Ethernet type
3520 * in a SNAP frame with an organization code of
3521 * 0x000000 (encapsulated Ethernet).
3522 *
3523 * XXX - if we were to check for the SNAP DSAP and
3524 * LSAP, as per XXX, and were also to check for an
3525 * organization code of 0x000000 (encapsulated
3526 * Ethernet), we'd do
3527 *
3528 * return gen_snap(0x000000, proto);
3529 *
3530 * here; for now, we don't, as per the above.
3531 * I don't know whether it's worth the extra CPU
3532 * time to do the right check or not.
3533 */
3534 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3535 }
3536 }
3537}
3538
3539static struct block *
3540gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3541 bpf_u_int32 addr;
3542 bpf_u_int32 mask;
3543 int dir, proto;
3544 u_int src_off, dst_off;
3545{
3546 struct block *b0, *b1;
3547 u_int offset;
3548
3549 switch (dir) {
3550
3551 case Q_SRC:
3552 offset = src_off;
3553 break;
3554
3555 case Q_DST:
3556 offset = dst_off;
3557 break;
3558
3559 case Q_AND:
3560 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3561 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3562 gen_and(b0, b1);
3563 return b1;
3564
3565 case Q_OR:
3566 case Q_DEFAULT:
3567 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3568 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3569 gen_or(b0, b1);
3570 return b1;
3571
3572 default:
3573 abort();
3574 }
3575 b0 = gen_linktype(proto);
3576 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3577 gen_and(b0, b1);
3578 return b1;
3579}
3580
3581#ifdef INET6
3582static struct block *
3583gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3584 struct in6_addr *addr;
3585 struct in6_addr *mask;
3586 int dir, proto;
3587 u_int src_off, dst_off;
3588{
3589 struct block *b0, *b1;
3590 u_int offset;
3591 u_int32_t *a, *m;
3592
3593 switch (dir) {
3594
3595 case Q_SRC:
3596 offset = src_off;
3597 break;
3598
3599 case Q_DST:
3600 offset = dst_off;
3601 break;
3602
3603 case Q_AND:
3604 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3605 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3606 gen_and(b0, b1);
3607 return b1;
3608
3609 case Q_OR:
3610 case Q_DEFAULT:
3611 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3612 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3613 gen_or(b0, b1);
3614 return b1;
3615
3616 default:
3617 abort();
3618 }
3619 /* this order is important */
3620 a = (u_int32_t *)addr;
3621 m = (u_int32_t *)mask;
3622 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3623 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3624 gen_and(b0, b1);
3625 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3626 gen_and(b0, b1);
3627 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3628 gen_and(b0, b1);
3629 b0 = gen_linktype(proto);
3630 gen_and(b0, b1);
3631 return b1;
3632}
3633#endif /*INET6*/
3634
3635static struct block *
3636gen_ehostop(eaddr, dir)
3637 register const u_char *eaddr;
3638 register int dir;
3639{
3640 register struct block *b0, *b1;
3641
3642 switch (dir) {
3643 case Q_SRC:
3644 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3645
3646 case Q_DST:
3647 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3648
3649 case Q_AND:
3650 b0 = gen_ehostop(eaddr, Q_SRC);
3651 b1 = gen_ehostop(eaddr, Q_DST);
3652 gen_and(b0, b1);
3653 return b1;
3654
3655 case Q_DEFAULT:
3656 case Q_OR:
3657 b0 = gen_ehostop(eaddr, Q_SRC);
3658 b1 = gen_ehostop(eaddr, Q_DST);
3659 gen_or(b0, b1);
3660 return b1;
3661
3662 case Q_ADDR1:
3663 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers");
3664 break;
3665
3666 case Q_ADDR2:
3667 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers");
3668 break;
3669
3670 case Q_ADDR3:
3671 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers");
3672 break;
3673
3674 case Q_ADDR4:
3675 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers");
3676 break;
3677
3678 case Q_RA:
3679 bpf_error("'ra' is only supported on 802.11 with 802.11 headers");
3680 break;
3681
3682 case Q_TA:
3683 bpf_error("'ta' is only supported on 802.11 with 802.11 headers");
3684 break;
3685 }
3686 abort();
3687 /* NOTREACHED */
3688}
3689
3690/*
3691 * Like gen_ehostop, but for DLT_FDDI
3692 */
3693static struct block *
3694gen_fhostop(eaddr, dir)
3695 register const u_char *eaddr;
3696 register int dir;
3697{
3698 struct block *b0, *b1;
3699
3700 switch (dir) {
3701 case Q_SRC:
3702#ifdef PCAP_FDDIPAD
3703 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3704#else
3705 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3706#endif
3707
3708 case Q_DST:
3709#ifdef PCAP_FDDIPAD
3710 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3711#else
3712 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3713#endif
3714
3715 case Q_AND:
3716 b0 = gen_fhostop(eaddr, Q_SRC);
3717 b1 = gen_fhostop(eaddr, Q_DST);
3718 gen_and(b0, b1);
3719 return b1;
3720
3721 case Q_DEFAULT:
3722 case Q_OR:
3723 b0 = gen_fhostop(eaddr, Q_SRC);
3724 b1 = gen_fhostop(eaddr, Q_DST);
3725 gen_or(b0, b1);
3726 return b1;
3727
3728 case Q_ADDR1:
3729 bpf_error("'addr1' is only supported on 802.11");
3730 break;
3731
3732 case Q_ADDR2:
3733 bpf_error("'addr2' is only supported on 802.11");
3734 break;
3735
3736 case Q_ADDR3:
3737 bpf_error("'addr3' is only supported on 802.11");
3738 break;
3739
3740 case Q_ADDR4:
3741 bpf_error("'addr4' is only supported on 802.11");
3742 break;
3743
3744 case Q_RA:
3745 bpf_error("'ra' is only supported on 802.11");
3746 break;
3747
3748 case Q_TA:
3749 bpf_error("'ta' is only supported on 802.11");
3750 break;
3751 }
3752 abort();
3753 /* NOTREACHED */
3754}
3755
3756/*
3757 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3758 */
3759static struct block *
3760gen_thostop(eaddr, dir)
3761 register const u_char *eaddr;
3762 register int dir;
3763{
3764 register struct block *b0, *b1;
3765
3766 switch (dir) {
3767 case Q_SRC:
3768 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3769
3770 case Q_DST:
3771 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3772
3773 case Q_AND:
3774 b0 = gen_thostop(eaddr, Q_SRC);
3775 b1 = gen_thostop(eaddr, Q_DST);
3776 gen_and(b0, b1);
3777 return b1;
3778
3779 case Q_DEFAULT:
3780 case Q_OR:
3781 b0 = gen_thostop(eaddr, Q_SRC);
3782 b1 = gen_thostop(eaddr, Q_DST);
3783 gen_or(b0, b1);
3784 return b1;
3785
3786 case Q_ADDR1:
3787 bpf_error("'addr1' is only supported on 802.11");
3788 break;
3789
3790 case Q_ADDR2:
3791 bpf_error("'addr2' is only supported on 802.11");
3792 break;
3793
3794 case Q_ADDR3:
3795 bpf_error("'addr3' is only supported on 802.11");
3796 break;
3797
3798 case Q_ADDR4:
3799 bpf_error("'addr4' is only supported on 802.11");
3800 break;
3801
3802 case Q_RA:
3803 bpf_error("'ra' is only supported on 802.11");
3804 break;
3805
3806 case Q_TA:
3807 bpf_error("'ta' is only supported on 802.11");
3808 break;
3809 }
3810 abort();
3811 /* NOTREACHED */
3812}
3813
3814/*
3815 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3816 * various 802.11 + radio headers.
3817 */
3818static struct block *
3819gen_wlanhostop(eaddr, dir)
3820 register const u_char *eaddr;
3821 register int dir;
3822{
3823 register struct block *b0, *b1, *b2;
3824 register struct slist *s;
3825
3826#ifdef ENABLE_WLAN_FILTERING_PATCH
3827 /*
3828 * TODO GV 20070613
3829 * We need to disable the optimizer because the optimizer is buggy
3830 * and wipes out some LD instructions generated by the below
3831 * code to validate the Frame Control bits
3832 */
3833 no_optimize = 1;
3834#endif /* ENABLE_WLAN_FILTERING_PATCH */
3835
3836 switch (dir) {
3837 case Q_SRC:
3838 /*
3839 * Oh, yuk.
3840 *
3841 * For control frames, there is no SA.
3842 *
3843 * For management frames, SA is at an
3844 * offset of 10 from the beginning of
3845 * the packet.
3846 *
3847 * For data frames, SA is at an offset
3848 * of 10 from the beginning of the packet
3849 * if From DS is clear, at an offset of
3850 * 16 from the beginning of the packet
3851 * if From DS is set and To DS is clear,
3852 * and an offset of 24 from the beginning
3853 * of the packet if From DS is set and To DS
3854 * is set.
3855 */
3856
3857 /*
3858 * Generate the tests to be done for data frames
3859 * with From DS set.
3860 *
3861 * First, check for To DS set, i.e. check "link[1] & 0x01".
3862 */
3863 s = gen_load_a(OR_LINK, 1, BPF_B);
3864 b1 = new_block(JMP(BPF_JSET));
3865 b1->s.k = 0x01; /* To DS */
3866 b1->stmts = s;
3867
3868 /*
3869 * If To DS is set, the SA is at 24.
3870 */
3871 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3872 gen_and(b1, b0);
3873
3874 /*
3875 * Now, check for To DS not set, i.e. check
3876 * "!(link[1] & 0x01)".
3877 */
3878 s = gen_load_a(OR_LINK, 1, BPF_B);
3879 b2 = new_block(JMP(BPF_JSET));
3880 b2->s.k = 0x01; /* To DS */
3881 b2->stmts = s;
3882 gen_not(b2);
3883
3884 /*
3885 * If To DS is not set, the SA is at 16.
3886 */
3887 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3888 gen_and(b2, b1);
3889
3890 /*
3891 * Now OR together the last two checks. That gives
3892 * the complete set of checks for data frames with
3893 * From DS set.
3894 */
3895 gen_or(b1, b0);
3896
3897 /*
3898 * Now check for From DS being set, and AND that with
3899 * the ORed-together checks.
3900 */
3901 s = gen_load_a(OR_LINK, 1, BPF_B);
3902 b1 = new_block(JMP(BPF_JSET));
3903 b1->s.k = 0x02; /* From DS */
3904 b1->stmts = s;
3905 gen_and(b1, b0);
3906
3907 /*
3908 * Now check for data frames with From DS not set.
3909 */
3910 s = gen_load_a(OR_LINK, 1, BPF_B);
3911 b2 = new_block(JMP(BPF_JSET));
3912 b2->s.k = 0x02; /* From DS */
3913 b2->stmts = s;
3914 gen_not(b2);
3915
3916 /*
3917 * If From DS isn't set, the SA is at 10.
3918 */
3919 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3920 gen_and(b2, b1);
3921
3922 /*
3923 * Now OR together the checks for data frames with
3924 * From DS not set and for data frames with From DS
3925 * set; that gives the checks done for data frames.
3926 */
3927 gen_or(b1, b0);
3928
3929 /*
3930 * Now check for a data frame.
3931 * I.e, check "link[0] & 0x08".
3932 */
3933 s = gen_load_a(OR_LINK, 0, BPF_B);
3934 b1 = new_block(JMP(BPF_JSET));
3935 b1->s.k = 0x08;
3936 b1->stmts = s;
3937
3938 /*
3939 * AND that with the checks done for data frames.
3940 */
3941 gen_and(b1, b0);
3942
3943 /*
3944 * If the high-order bit of the type value is 0, this
3945 * is a management frame.
3946 * I.e, check "!(link[0] & 0x08)".
3947 */
3948 s = gen_load_a(OR_LINK, 0, BPF_B);
3949 b2 = new_block(JMP(BPF_JSET));
3950 b2->s.k = 0x08;
3951 b2->stmts = s;
3952 gen_not(b2);
3953
3954 /*
3955 * For management frames, the SA is at 10.
3956 */
3957 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3958 gen_and(b2, b1);
3959
3960 /*
3961 * OR that with the checks done for data frames.
3962 * That gives the checks done for management and
3963 * data frames.
3964 */
3965 gen_or(b1, b0);
3966
3967 /*
3968 * If the low-order bit of the type value is 1,
3969 * this is either a control frame or a frame
3970 * with a reserved type, and thus not a
3971 * frame with an SA.
3972 *
3973 * I.e., check "!(link[0] & 0x04)".
3974 */
3975 s = gen_load_a(OR_LINK, 0, BPF_B);
3976 b1 = new_block(JMP(BPF_JSET));
3977 b1->s.k = 0x04;
3978 b1->stmts = s;
3979 gen_not(b1);
3980
3981 /*
3982 * AND that with the checks for data and management
3983 * frames.
3984 */
3985 gen_and(b1, b0);
3986 return b0;
3987
3988 case Q_DST:
3989 /*
3990 * Oh, yuk.
3991 *
3992 * For control frames, there is no DA.
3993 *
3994 * For management frames, DA is at an
3995 * offset of 4 from the beginning of
3996 * the packet.
3997 *
3998 * For data frames, DA is at an offset
3999 * of 4 from the beginning of the packet
4000 * if To DS is clear and at an offset of
4001 * 16 from the beginning of the packet
4002 * if To DS is set.
4003 */
4004
4005 /*
4006 * Generate the tests to be done for data frames.
4007 *
4008 * First, check for To DS set, i.e. "link[1] & 0x01".
4009 */
4010 s = gen_load_a(OR_LINK, 1, BPF_B);
4011 b1 = new_block(JMP(BPF_JSET));
4012 b1->s.k = 0x01; /* To DS */
4013 b1->stmts = s;
4014
4015 /*
4016 * If To DS is set, the DA is at 16.
4017 */
4018 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4019 gen_and(b1, b0);
4020
4021 /*
4022 * Now, check for To DS not set, i.e. check
4023 * "!(link[1] & 0x01)".
4024 */
4025 s = gen_load_a(OR_LINK, 1, BPF_B);
4026 b2 = new_block(JMP(BPF_JSET));
4027 b2->s.k = 0x01; /* To DS */
4028 b2->stmts = s;
4029 gen_not(b2);
4030
4031 /*
4032 * If To DS is not set, the DA is at 4.
4033 */
4034 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4035 gen_and(b2, b1);
4036
4037 /*
4038 * Now OR together the last two checks. That gives
4039 * the complete set of checks for data frames.
4040 */
4041 gen_or(b1, b0);
4042
4043 /*
4044 * Now check for a data frame.
4045 * I.e, check "link[0] & 0x08".
4046 */
4047 s = gen_load_a(OR_LINK, 0, BPF_B);
4048 b1 = new_block(JMP(BPF_JSET));
4049 b1->s.k = 0x08;
4050 b1->stmts = s;
4051
4052 /*
4053 * AND that with the checks done for data frames.
4054 */
4055 gen_and(b1, b0);
4056
4057 /*
4058 * If the high-order bit of the type value is 0, this
4059 * is a management frame.
4060 * I.e, check "!(link[0] & 0x08)".
4061 */
4062 s = gen_load_a(OR_LINK, 0, BPF_B);
4063 b2 = new_block(JMP(BPF_JSET));
4064 b2->s.k = 0x08;
4065 b2->stmts = s;
4066 gen_not(b2);
4067
4068 /*
4069 * For management frames, the DA is at 4.
4070 */
4071 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4072 gen_and(b2, b1);
4073
4074 /*
4075 * OR that with the checks done for data frames.
4076 * That gives the checks done for management and
4077 * data frames.
4078 */
4079 gen_or(b1, b0);
4080
4081 /*
4082 * If the low-order bit of the type value is 1,
4083 * this is either a control frame or a frame
4084 * with a reserved type, and thus not a
4085 * frame with an SA.
4086 *
4087 * I.e., check "!(link[0] & 0x04)".
4088 */
4089 s = gen_load_a(OR_LINK, 0, BPF_B);
4090 b1 = new_block(JMP(BPF_JSET));
4091 b1->s.k = 0x04;
4092 b1->stmts = s;
4093 gen_not(b1);
4094
4095 /*
4096 * AND that with the checks for data and management
4097 * frames.
4098 */
4099 gen_and(b1, b0);
4100 return b0;
4101
4102 case Q_RA:
4103 /*
4104 * Not present in management frames; addr1 in other
4105 * frames.
4106 */
4107
4108 /*
4109 * If the high-order bit of the type value is 0, this
4110 * is a management frame.
4111 * I.e, check "(link[0] & 0x08)".
4112 */
4113 s = gen_load_a(OR_LINK, 0, BPF_B);
4114 b1 = new_block(JMP(BPF_JSET));
4115 b1->s.k = 0x08;
4116 b1->stmts = s;
4117
4118 /*
4119 * Check addr1.
4120 */
4121 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4122
4123 /*
4124 * AND that with the check of addr1.
4125 */
4126 gen_and(b1, b0);
4127 return (b0);
4128
4129 case Q_TA:
4130 /*
4131 * Not present in management frames; addr2, if present,
4132 * in other frames.
4133 */
4134
4135 /*
4136 * Not present in CTS or ACK control frames.
4137 */
4138 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4139 IEEE80211_FC0_TYPE_MASK);
4140 gen_not(b0);
4141 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4142 IEEE80211_FC0_SUBTYPE_MASK);
4143 gen_not(b1);
4144 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4145 IEEE80211_FC0_SUBTYPE_MASK);
4146 gen_not(b2);
4147 gen_and(b1, b2);
4148 gen_or(b0, b2);
4149
4150 /*
4151 * If the high-order bit of the type value is 0, this
4152 * is a management frame.
4153 * I.e, check "(link[0] & 0x08)".
4154 */
4155 s = gen_load_a(OR_LINK, 0, BPF_B);
4156 b1 = new_block(JMP(BPF_JSET));
4157 b1->s.k = 0x08;
4158 b1->stmts = s;
4159
4160 /*
4161 * AND that with the check for frames other than
4162 * CTS and ACK frames.
4163 */
4164 gen_and(b1, b2);
4165
4166 /*
4167 * Check addr2.
4168 */
4169 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4170 gen_and(b2, b1);
4171 return b1;
4172
4173 /*
4174 * XXX - add BSSID keyword?
4175 */
4176 case Q_ADDR1:
4177 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4178
4179 case Q_ADDR2:
4180 /*
4181 * Not present in CTS or ACK control frames.
4182 */
4183 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4184 IEEE80211_FC0_TYPE_MASK);
4185 gen_not(b0);
4186 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4187 IEEE80211_FC0_SUBTYPE_MASK);
4188 gen_not(b1);
4189 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4190 IEEE80211_FC0_SUBTYPE_MASK);
4191 gen_not(b2);
4192 gen_and(b1, b2);
4193 gen_or(b0, b2);
4194 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4195 gen_and(b2, b1);
4196 return b1;
4197
4198 case Q_ADDR3:
4199 /*
4200 * Not present in control frames.
4201 */
4202 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4203 IEEE80211_FC0_TYPE_MASK);
4204 gen_not(b0);
4205 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4206 gen_and(b0, b1);
4207 return b1;
4208
4209 case Q_ADDR4:
4210 /*
4211 * Present only if the direction mask has both "From DS"
4212 * and "To DS" set. Neither control frames nor management
4213 * frames should have both of those set, so we don't
4214 * check the frame type.
4215 */
4216 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4217 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4218 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4219 gen_and(b0, b1);
4220 return b1;
4221
4222 case Q_AND:
4223 b0 = gen_wlanhostop(eaddr, Q_SRC);
4224 b1 = gen_wlanhostop(eaddr, Q_DST);
4225 gen_and(b0, b1);
4226 return b1;
4227
4228 case Q_DEFAULT:
4229 case Q_OR:
4230 b0 = gen_wlanhostop(eaddr, Q_SRC);
4231 b1 = gen_wlanhostop(eaddr, Q_DST);
4232 gen_or(b0, b1);
4233 return b1;
4234 }
4235 abort();
4236 /* NOTREACHED */
4237}
4238
4239/*
4240 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4241 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4242 * as the RFC states.)
4243 */
4244static struct block *
4245gen_ipfchostop(eaddr, dir)
4246 register const u_char *eaddr;
4247 register int dir;
4248{
4249 register struct block *b0, *b1;
4250
4251 switch (dir) {
4252 case Q_SRC:
4253 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4254
4255 case Q_DST:
4256 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4257
4258 case Q_AND:
4259 b0 = gen_ipfchostop(eaddr, Q_SRC);
4260 b1 = gen_ipfchostop(eaddr, Q_DST);
4261 gen_and(b0, b1);
4262 return b1;
4263
4264 case Q_DEFAULT:
4265 case Q_OR:
4266 b0 = gen_ipfchostop(eaddr, Q_SRC);
4267 b1 = gen_ipfchostop(eaddr, Q_DST);
4268 gen_or(b0, b1);
4269 return b1;
4270
4271 case Q_ADDR1:
4272 bpf_error("'addr1' is only supported on 802.11");
4273 break;
4274
4275 case Q_ADDR2:
4276 bpf_error("'addr2' is only supported on 802.11");
4277 break;
4278
4279 case Q_ADDR3:
4280 bpf_error("'addr3' is only supported on 802.11");
4281 break;
4282
4283 case Q_ADDR4:
4284 bpf_error("'addr4' is only supported on 802.11");
4285 break;
4286
4287 case Q_RA:
4288 bpf_error("'ra' is only supported on 802.11");
4289 break;
4290
4291 case Q_TA:
4292 bpf_error("'ta' is only supported on 802.11");
4293 break;
4294 }
4295 abort();
4296 /* NOTREACHED */
4297}
4298
4299/*
4300 * This is quite tricky because there may be pad bytes in front of the
4301 * DECNET header, and then there are two possible data packet formats that
4302 * carry both src and dst addresses, plus 5 packet types in a format that
4303 * carries only the src node, plus 2 types that use a different format and
4304 * also carry just the src node.
4305 *
4306 * Yuck.
4307 *
4308 * Instead of doing those all right, we just look for data packets with
4309 * 0 or 1 bytes of padding. If you want to look at other packets, that
4310 * will require a lot more hacking.
4311 *
4312 * To add support for filtering on DECNET "areas" (network numbers)
4313 * one would want to add a "mask" argument to this routine. That would
4314 * make the filter even more inefficient, although one could be clever
4315 * and not generate masking instructions if the mask is 0xFFFF.
4316 */
4317static struct block *
4318gen_dnhostop(addr, dir)
4319 bpf_u_int32 addr;
4320 int dir;
4321{
4322 struct block *b0, *b1, *b2, *tmp;
4323 u_int offset_lh; /* offset if long header is received */
4324 u_int offset_sh; /* offset if short header is received */
4325
4326 switch (dir) {
4327
4328 case Q_DST:
4329 offset_sh = 1; /* follows flags */
4330 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4331 break;
4332
4333 case Q_SRC:
4334 offset_sh = 3; /* follows flags, dstnode */
4335 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4336 break;
4337
4338 case Q_AND:
4339 /* Inefficient because we do our Calvinball dance twice */
4340 b0 = gen_dnhostop(addr, Q_SRC);
4341 b1 = gen_dnhostop(addr, Q_DST);
4342 gen_and(b0, b1);
4343 return b1;
4344
4345 case Q_OR:
4346 case Q_DEFAULT:
4347 /* Inefficient because we do our Calvinball dance twice */
4348 b0 = gen_dnhostop(addr, Q_SRC);
4349 b1 = gen_dnhostop(addr, Q_DST);
4350 gen_or(b0, b1);
4351 return b1;
4352
4353 case Q_ISO:
4354 bpf_error("ISO host filtering not implemented");
4355
4356 default:
4357 abort();
4358 }
4359 b0 = gen_linktype(ETHERTYPE_DN);
4360 /* Check for pad = 1, long header case */
4361 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4362 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4363 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4364 BPF_H, (bpf_int32)ntohs((u_short)addr));
4365 gen_and(tmp, b1);
4366 /* Check for pad = 0, long header case */
4367 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4368 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4369 gen_and(tmp, b2);
4370 gen_or(b2, b1);
4371 /* Check for pad = 1, short header case */
4372 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4373 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4374 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4375 gen_and(tmp, b2);
4376 gen_or(b2, b1);
4377 /* Check for pad = 0, short header case */
4378 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4379 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4380 gen_and(tmp, b2);
4381 gen_or(b2, b1);
4382
4383 /* Combine with test for linktype */
4384 gen_and(b0, b1);
4385 return b1;
4386}
4387
4388/*
4389 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4390 * test the bottom-of-stack bit, and then check the version number
4391 * field in the IP header.
4392 */
4393static struct block *
4394gen_mpls_linktype(proto)
4395 int proto;
4396{
4397 struct block *b0, *b1;
4398
4399 switch (proto) {
4400
4401 case Q_IP:
4402 /* match the bottom-of-stack bit */
4403 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4404 /* match the IPv4 version number */
4405 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4406 gen_and(b0, b1);
4407 return b1;
4408
4409 case Q_IPV6:
4410 /* match the bottom-of-stack bit */
4411 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4412 /* match the IPv4 version number */
4413 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4414 gen_and(b0, b1);
4415 return b1;
4416
4417 default:
4418 abort();
4419 }
4420}
4421
4422static struct block *
4423gen_host(addr, mask, proto, dir, type)
4424 bpf_u_int32 addr;
4425 bpf_u_int32 mask;
4426 int proto;
4427 int dir;
4428 int type;
4429{
4430 struct block *b0, *b1;
4431 const char *typestr;
4432
4433 if (type == Q_NET)
4434 typestr = "net";
4435 else
4436 typestr = "host";
4437
4438 switch (proto) {
4439
4440 case Q_DEFAULT:
4441 b0 = gen_host(addr, mask, Q_IP, dir, type);
4442 /*
4443 * Only check for non-IPv4 addresses if we're not
4444 * checking MPLS-encapsulated packets.
4445 */
4446 if (label_stack_depth == 0) {
4447 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4448 gen_or(b0, b1);
4449 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4450 gen_or(b1, b0);
4451 }
4452 return b0;
4453
4454 case Q_IP:
4455 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4456
4457 case Q_RARP:
4458 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4459
4460 case Q_ARP:
4461 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4462
4463 case Q_TCP:
4464 bpf_error("'tcp' modifier applied to %s", typestr);
4465
4466 case Q_SCTP:
4467 bpf_error("'sctp' modifier applied to %s", typestr);
4468
4469 case Q_UDP:
4470 bpf_error("'udp' modifier applied to %s", typestr);
4471
4472 case Q_ICMP:
4473 bpf_error("'icmp' modifier applied to %s", typestr);
4474
4475 case Q_IGMP:
4476 bpf_error("'igmp' modifier applied to %s", typestr);
4477
4478 case Q_IGRP:
4479 bpf_error("'igrp' modifier applied to %s", typestr);
4480
4481 case Q_PIM:
4482 bpf_error("'pim' modifier applied to %s", typestr);
4483
4484 case Q_VRRP:
4485 bpf_error("'vrrp' modifier applied to %s", typestr);
4486
4487 case Q_CARP:
4488 bpf_error("'carp' modifier applied to %s", typestr);
4489
4490 case Q_ATALK:
4491 bpf_error("ATALK host filtering not implemented");
4492
4493 case Q_AARP:
4494 bpf_error("AARP host filtering not implemented");
4495
4496 case Q_DECNET:
4497 return gen_dnhostop(addr, dir);
4498
4499 case Q_SCA:
4500 bpf_error("SCA host filtering not implemented");
4501
4502 case Q_LAT:
4503 bpf_error("LAT host filtering not implemented");
4504
4505 case Q_MOPDL:
4506 bpf_error("MOPDL host filtering not implemented");
4507
4508 case Q_MOPRC:
4509 bpf_error("MOPRC host filtering not implemented");
4510
4511#ifdef INET6
4512 case Q_IPV6:
4513 bpf_error("'ip6' modifier applied to ip host");
4514
4515 case Q_ICMPV6:
4516 bpf_error("'icmp6' modifier applied to %s", typestr);
4517#endif /* INET6 */
4518
4519 case Q_AH:
4520 bpf_error("'ah' modifier applied to %s", typestr);
4521
4522 case Q_ESP:
4523 bpf_error("'esp' modifier applied to %s", typestr);
4524
4525 case Q_ISO:
4526 bpf_error("ISO host filtering not implemented");
4527
4528 case Q_ESIS:
4529 bpf_error("'esis' modifier applied to %s", typestr);
4530
4531 case Q_ISIS:
4532 bpf_error("'isis' modifier applied to %s", typestr);
4533
4534 case Q_CLNP:
4535 bpf_error("'clnp' modifier applied to %s", typestr);
4536
4537 case Q_STP:
4538 bpf_error("'stp' modifier applied to %s", typestr);
4539
4540 case Q_IPX:
4541 bpf_error("IPX host filtering not implemented");
4542
4543 case Q_NETBEUI:
4544 bpf_error("'netbeui' modifier applied to %s", typestr);
4545
4546 case Q_RADIO:
4547 bpf_error("'radio' modifier applied to %s", typestr);
4548
4549 default:
4550 abort();
4551 }
4552 /* NOTREACHED */
4553}
4554
4555#ifdef INET6
4556static struct block *
4557gen_host6(addr, mask, proto, dir, type)
4558 struct in6_addr *addr;
4559 struct in6_addr *mask;
4560 int proto;
4561 int dir;
4562 int type;
4563{
4564 const char *typestr;
4565
4566 if (type == Q_NET)
4567 typestr = "net";
4568 else
4569 typestr = "host";
4570
4571 switch (proto) {
4572
4573 case Q_DEFAULT:
4574 return gen_host6(addr, mask, Q_IPV6, dir, type);
4575
4576 case Q_IP:
4577 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4578
4579 case Q_RARP:
4580 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4581
4582 case Q_ARP:
4583 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4584
4585 case Q_SCTP:
4586 bpf_error("'sctp' modifier applied to %s", typestr);
4587
4588 case Q_TCP:
4589 bpf_error("'tcp' modifier applied to %s", typestr);
4590
4591 case Q_UDP:
4592 bpf_error("'udp' modifier applied to %s", typestr);
4593
4594 case Q_ICMP:
4595 bpf_error("'icmp' modifier applied to %s", typestr);
4596
4597 case Q_IGMP:
4598 bpf_error("'igmp' modifier applied to %s", typestr);
4599
4600 case Q_IGRP:
4601 bpf_error("'igrp' modifier applied to %s", typestr);
4602
4603 case Q_PIM:
4604 bpf_error("'pim' modifier applied to %s", typestr);
4605
4606 case Q_VRRP:
4607 bpf_error("'vrrp' modifier applied to %s", typestr);
4608
4609 case Q_CARP:
4610 bpf_error("'carp' modifier applied to %s", typestr);
4611
4612 case Q_ATALK:
4613 bpf_error("ATALK host filtering not implemented");
4614
4615 case Q_AARP:
4616 bpf_error("AARP host filtering not implemented");
4617
4618 case Q_DECNET:
4619 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4620
4621 case Q_SCA:
4622 bpf_error("SCA host filtering not implemented");
4623
4624 case Q_LAT:
4625 bpf_error("LAT host filtering not implemented");
4626
4627 case Q_MOPDL:
4628 bpf_error("MOPDL host filtering not implemented");
4629
4630 case Q_MOPRC:
4631 bpf_error("MOPRC host filtering not implemented");
4632
4633 case Q_IPV6:
4634 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4635
4636 case Q_ICMPV6:
4637 bpf_error("'icmp6' modifier applied to %s", typestr);
4638
4639 case Q_AH:
4640 bpf_error("'ah' modifier applied to %s", typestr);
4641
4642 case Q_ESP:
4643 bpf_error("'esp' modifier applied to %s", typestr);
4644
4645 case Q_ISO:
4646 bpf_error("ISO host filtering not implemented");
4647
4648 case Q_ESIS:
4649 bpf_error("'esis' modifier applied to %s", typestr);
4650
4651 case Q_ISIS:
4652 bpf_error("'isis' modifier applied to %s", typestr);
4653
4654 case Q_CLNP:
4655 bpf_error("'clnp' modifier applied to %s", typestr);
4656
4657 case Q_STP:
4658 bpf_error("'stp' modifier applied to %s", typestr);
4659
4660 case Q_IPX:
4661 bpf_error("IPX host filtering not implemented");
4662
4663 case Q_NETBEUI:
4664 bpf_error("'netbeui' modifier applied to %s", typestr);
4665
4666 case Q_RADIO:
4667 bpf_error("'radio' modifier applied to %s", typestr);
4668
4669 default:
4670 abort();
4671 }
4672 /* NOTREACHED */
4673}
4674#endif /*INET6*/
4675
4676#ifndef INET6
4677static struct block *
4678gen_gateway(eaddr, alist, proto, dir)
4679 const u_char *eaddr;
4680 bpf_u_int32 **alist;
4681 int proto;
4682 int dir;
4683{
4684 struct block *b0, *b1, *tmp;
4685
4686 if (dir != 0)
4687 bpf_error("direction applied to 'gateway'");
4688
4689 switch (proto) {
4690 case Q_DEFAULT:
4691 case Q_IP:
4692 case Q_ARP:
4693 case Q_RARP:
4694 switch (linktype) {
4695 case DLT_EN10MB:
4696 case DLT_NETANALYZER:
4697 case DLT_NETANALYZER_TRANSPARENT:
4698 b0 = gen_ehostop(eaddr, Q_OR);
4699 break;
4700 case DLT_FDDI:
4701 b0 = gen_fhostop(eaddr, Q_OR);
4702 break;
4703 case DLT_IEEE802:
4704 b0 = gen_thostop(eaddr, Q_OR);
4705 break;
4706 case DLT_IEEE802_11:
4707 case DLT_PRISM_HEADER:
4708 case DLT_IEEE802_11_RADIO_AVS:
4709 case DLT_IEEE802_11_RADIO:
4710 case DLT_PPI:
4711 b0 = gen_wlanhostop(eaddr, Q_OR);
4712 break;
4713 case DLT_SUNATM:
4714 if (!is_lane)
4715 bpf_error(
4716 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4717 /*
4718 * Check that the packet doesn't begin with an
4719 * LE Control marker. (We've already generated
4720 * a test for LANE.)
4721 */
4722 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4723 BPF_H, 0xFF00);
4724 gen_not(b1);
4725
4726 /*
4727 * Now check the MAC address.
4728 */
4729 b0 = gen_ehostop(eaddr, Q_OR);
4730 gen_and(b1, b0);
4731 break;
4732 case DLT_IP_OVER_FC:
4733 b0 = gen_ipfchostop(eaddr, Q_OR);
4734 break;
4735 default:
4736 bpf_error(
4737 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4738 }
4739 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4740 while (*alist) {
4741 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4742 Q_HOST);
4743 gen_or(b1, tmp);
4744 b1 = tmp;
4745 }
4746 gen_not(b1);
4747 gen_and(b0, b1);
4748 return b1;
4749 }
4750 bpf_error("illegal modifier of 'gateway'");
4751 /* NOTREACHED */
4752}
4753#endif
4754
4755struct block *
4756gen_proto_abbrev(proto)
4757 int proto;
4758{
4759 struct block *b0;
4760 struct block *b1;
4761
4762 switch (proto) {
4763
4764 case Q_SCTP:
4765 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4766#ifdef INET6
4767 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4768 gen_or(b0, b1);
4769#endif
4770 break;
4771
4772 case Q_TCP:
4773 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4774#ifdef INET6
4775 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4776 gen_or(b0, b1);
4777#endif
4778 break;
4779
4780 case Q_UDP:
4781 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4782#ifdef INET6
4783 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4784 gen_or(b0, b1);
4785#endif
4786 break;
4787
4788 case Q_ICMP:
4789 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4790 break;
4791
4792#ifndef IPPROTO_IGMP
4793#define IPPROTO_IGMP 2
4794#endif
4795
4796 case Q_IGMP:
4797 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4798 break;
4799
4800#ifndef IPPROTO_IGRP
4801#define IPPROTO_IGRP 9
4802#endif
4803 case Q_IGRP:
4804 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4805 break;
4806
4807#ifndef IPPROTO_PIM
4808#define IPPROTO_PIM 103
4809#endif
4810
4811 case Q_PIM:
4812 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4813#ifdef INET6
4814 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4815 gen_or(b0, b1);
4816#endif
4817 break;
4818
4819#ifndef IPPROTO_VRRP
4820#define IPPROTO_VRRP 112
4821#endif
4822
4823 case Q_VRRP:
4824 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4825 break;
4826
4827#ifndef IPPROTO_CARP
4828#define IPPROTO_CARP 112
4829#endif
4830
4831 case Q_CARP:
4832 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT);
4833 break;
4834
4835 case Q_IP:
4836 b1 = gen_linktype(ETHERTYPE_IP);
4837 break;
4838
4839 case Q_ARP:
4840 b1 = gen_linktype(ETHERTYPE_ARP);
4841 break;
4842
4843 case Q_RARP:
4844 b1 = gen_linktype(ETHERTYPE_REVARP);
4845 break;
4846
4847 case Q_LINK:
4848 bpf_error("link layer applied in wrong context");
4849
4850 case Q_ATALK:
4851 b1 = gen_linktype(ETHERTYPE_ATALK);
4852 break;
4853
4854 case Q_AARP:
4855 b1 = gen_linktype(ETHERTYPE_AARP);
4856 break;
4857
4858 case Q_DECNET:
4859 b1 = gen_linktype(ETHERTYPE_DN);
4860 break;
4861
4862 case Q_SCA:
4863 b1 = gen_linktype(ETHERTYPE_SCA);
4864 break;
4865
4866 case Q_LAT:
4867 b1 = gen_linktype(ETHERTYPE_LAT);
4868 break;
4869
4870 case Q_MOPDL:
4871 b1 = gen_linktype(ETHERTYPE_MOPDL);
4872 break;
4873
4874 case Q_MOPRC:
4875 b1 = gen_linktype(ETHERTYPE_MOPRC);
4876 break;
4877
4878#ifdef INET6
4879 case Q_IPV6:
4880 b1 = gen_linktype(ETHERTYPE_IPV6);
4881 break;
4882
4883#ifndef IPPROTO_ICMPV6
4884#define IPPROTO_ICMPV6 58
4885#endif
4886 case Q_ICMPV6:
4887 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4888 break;
4889#endif /* INET6 */
4890
4891#ifndef IPPROTO_AH
4892#define IPPROTO_AH 51
4893#endif
4894 case Q_AH:
4895 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4896#ifdef INET6
4897 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4898 gen_or(b0, b1);
4899#endif
4900 break;
4901
4902#ifndef IPPROTO_ESP
4903#define IPPROTO_ESP 50
4904#endif
4905 case Q_ESP:
4906 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4907#ifdef INET6
4908 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4909 gen_or(b0, b1);
4910#endif
4911 break;
4912
4913 case Q_ISO:
4914 b1 = gen_linktype(LLCSAP_ISONS);
4915 break;
4916
4917 case Q_ESIS:
4918 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4919 break;
4920
4921 case Q_ISIS:
4922 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4923 break;
4924
4925 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4926 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4927 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4928 gen_or(b0, b1);
4929 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4930 gen_or(b0, b1);
4931 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4932 gen_or(b0, b1);
4933 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4934 gen_or(b0, b1);
4935 break;
4936
4937 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4938 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4939 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4940 gen_or(b0, b1);
4941 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4942 gen_or(b0, b1);
4943 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4944 gen_or(b0, b1);
4945 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4946 gen_or(b0, b1);
4947 break;
4948
4949 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4950 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4951 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4952 gen_or(b0, b1);
4953 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4954 gen_or(b0, b1);
4955 break;
4956
4957 case Q_ISIS_LSP:
4958 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4959 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4960 gen_or(b0, b1);
4961 break;
4962
4963 case Q_ISIS_SNP:
4964 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4965 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4966 gen_or(b0, b1);
4967 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4968 gen_or(b0, b1);
4969 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4970 gen_or(b0, b1);
4971 break;
4972
4973 case Q_ISIS_CSNP:
4974 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4975 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4976 gen_or(b0, b1);
4977 break;
4978
4979 case Q_ISIS_PSNP:
4980 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4981 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4982 gen_or(b0, b1);
4983 break;
4984
4985 case Q_CLNP:
4986 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4987 break;
4988
4989 case Q_STP:
4990 b1 = gen_linktype(LLCSAP_8021D);
4991 break;
4992
4993 case Q_IPX:
4994 b1 = gen_linktype(LLCSAP_IPX);
4995 break;
4996
4997 case Q_NETBEUI:
4998 b1 = gen_linktype(LLCSAP_NETBEUI);
4999 break;
5000
5001 case Q_RADIO:
5002 bpf_error("'radio' is not a valid protocol type");
5003
5004 default:
5005 abort();
5006 }
5007 return b1;
5008}
5009
5010static struct block *
5011gen_ipfrag()
5012{
5013 struct slist *s;
5014 struct block *b;
5015
5016 /* not IPv4 frag other than the first frag */
5017 s = gen_load_a(OR_NET, 6, BPF_H);
5018 b = new_block(JMP(BPF_JSET));
5019 b->s.k = 0x1fff;
5020 b->stmts = s;
5021 gen_not(b);
5022
5023 return b;
5024}
5025
5026/*
5027 * Generate a comparison to a port value in the transport-layer header
5028 * at the specified offset from the beginning of that header.
5029 *
5030 * XXX - this handles a variable-length prefix preceding the link-layer
5031 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5032 * variable-length link-layer headers (such as Token Ring or 802.11
5033 * headers).
5034 */
5035static struct block *
5036gen_portatom(off, v)
5037 int off;
5038 bpf_int32 v;
5039{
5040 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
5041}
5042
5043#ifdef INET6
5044static struct block *
5045gen_portatom6(off, v)
5046 int off;
5047 bpf_int32 v;
5048{
5049 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5050}
5051#endif/*INET6*/
5052
5053struct block *
5054gen_portop(port, proto, dir)
5055 int port, proto, dir;
5056{
5057 struct block *b0, *b1, *tmp;
5058
5059 /* ip proto 'proto' and not a fragment other than the first fragment */
5060 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5061 b0 = gen_ipfrag();
5062 gen_and(tmp, b0);
5063
5064 switch (dir) {
5065 case Q_SRC:
5066 b1 = gen_portatom(0, (bpf_int32)port);
5067 break;
5068
5069 case Q_DST:
5070 b1 = gen_portatom(2, (bpf_int32)port);
5071 break;
5072
5073 case Q_OR:
5074 case Q_DEFAULT:
5075 tmp = gen_portatom(0, (bpf_int32)port);
5076 b1 = gen_portatom(2, (bpf_int32)port);
5077 gen_or(tmp, b1);
5078 break;
5079
5080 case Q_AND:
5081 tmp = gen_portatom(0, (bpf_int32)port);
5082 b1 = gen_portatom(2, (bpf_int32)port);
5083 gen_and(tmp, b1);
5084 break;
5085
5086 default:
5087 abort();
5088 }
5089 gen_and(b0, b1);
5090
5091 return b1;
5092}
5093
5094static struct block *
5095gen_port(port, ip_proto, dir)
5096 int port;
5097 int ip_proto;
5098 int dir;
5099{
5100 struct block *b0, *b1, *tmp;
5101
5102 /*
5103 * ether proto ip
5104 *
5105 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5106 * not LLC encapsulation with LLCSAP_IP.
5107 *
5108 * For IEEE 802 networks - which includes 802.5 token ring
5109 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5110 * says that SNAP encapsulation is used, not LLC encapsulation
5111 * with LLCSAP_IP.
5112 *
5113 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5114 * RFC 2225 say that SNAP encapsulation is used, not LLC
5115 * encapsulation with LLCSAP_IP.
5116 *
5117 * So we always check for ETHERTYPE_IP.
5118 */
5119 b0 = gen_linktype(ETHERTYPE_IP);
5120
5121 switch (ip_proto) {
5122 case IPPROTO_UDP:
5123 case IPPROTO_TCP:
5124 case IPPROTO_SCTP:
5125 b1 = gen_portop(port, ip_proto, dir);
5126 break;
5127
5128 case PROTO_UNDEF:
5129 tmp = gen_portop(port, IPPROTO_TCP, dir);
5130 b1 = gen_portop(port, IPPROTO_UDP, dir);
5131 gen_or(tmp, b1);
5132 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5133 gen_or(tmp, b1);
5134 break;
5135
5136 default:
5137 abort();
5138 }
5139 gen_and(b0, b1);
5140 return b1;
5141}
5142
5143#ifdef INET6
5144struct block *
5145gen_portop6(port, proto, dir)
5146 int port, proto, dir;
5147{
5148 struct block *b0, *b1, *tmp;
5149
5150 /* ip6 proto 'proto' */
5151 /* XXX - catch the first fragment of a fragmented packet? */
5152 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5153
5154 switch (dir) {
5155 case Q_SRC:
5156 b1 = gen_portatom6(0, (bpf_int32)port);
5157 break;
5158
5159 case Q_DST:
5160 b1 = gen_portatom6(2, (bpf_int32)port);
5161 break;
5162
5163 case Q_OR:
5164 case Q_DEFAULT:
5165 tmp = gen_portatom6(0, (bpf_int32)port);
5166 b1 = gen_portatom6(2, (bpf_int32)port);
5167 gen_or(tmp, b1);
5168 break;
5169
5170 case Q_AND:
5171 tmp = gen_portatom6(0, (bpf_int32)port);
5172 b1 = gen_portatom6(2, (bpf_int32)port);
5173 gen_and(tmp, b1);
5174 break;
5175
5176 default:
5177 abort();
5178 }
5179 gen_and(b0, b1);
5180
5181 return b1;
5182}
5183
5184static struct block *
5185gen_port6(port, ip_proto, dir)
5186 int port;
5187 int ip_proto;
5188 int dir;
5189{
5190 struct block *b0, *b1, *tmp;
5191
5192 /* link proto ip6 */
5193 b0 = gen_linktype(ETHERTYPE_IPV6);
5194
5195 switch (ip_proto) {
5196 case IPPROTO_UDP:
5197 case IPPROTO_TCP:
5198 case IPPROTO_SCTP:
5199 b1 = gen_portop6(port, ip_proto, dir);
5200 break;
5201
5202 case PROTO_UNDEF:
5203 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5204 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5205 gen_or(tmp, b1);
5206 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5207 gen_or(tmp, b1);
5208 break;
5209
5210 default:
5211 abort();
5212 }
5213 gen_and(b0, b1);
5214 return b1;
5215}
5216#endif /* INET6 */
5217
5218/* gen_portrange code */
5219static struct block *
5220gen_portrangeatom(off, v1, v2)
5221 int off;
5222 bpf_int32 v1, v2;
5223{
5224 struct block *b1, *b2;
5225
5226 if (v1 > v2) {
5227 /*
5228 * Reverse the order of the ports, so v1 is the lower one.
5229 */
5230 bpf_int32 vtemp;
5231
5232 vtemp = v1;
5233 v1 = v2;
5234 v2 = vtemp;
5235 }
5236
5237 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5238 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5239
5240 gen_and(b1, b2);
5241
5242 return b2;
5243}
5244
5245struct block *
5246gen_portrangeop(port1, port2, proto, dir)
5247 int port1, port2;
5248 int proto;
5249 int dir;
5250{
5251 struct block *b0, *b1, *tmp;
5252
5253 /* ip proto 'proto' and not a fragment other than the first fragment */
5254 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5255 b0 = gen_ipfrag();
5256 gen_and(tmp, b0);
5257
5258 switch (dir) {
5259 case Q_SRC:
5260 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5261 break;
5262
5263 case Q_DST:
5264 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5265 break;
5266
5267 case Q_OR:
5268 case Q_DEFAULT:
5269 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5270 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5271 gen_or(tmp, b1);
5272 break;
5273
5274 case Q_AND:
5275 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5276 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5277 gen_and(tmp, b1);
5278 break;
5279
5280 default:
5281 abort();
5282 }
5283 gen_and(b0, b1);
5284
5285 return b1;
5286}
5287
5288static struct block *
5289gen_portrange(port1, port2, ip_proto, dir)
5290 int port1, port2;
5291 int ip_proto;
5292 int dir;
5293{
5294 struct block *b0, *b1, *tmp;
5295
5296 /* link proto ip */
5297 b0 = gen_linktype(ETHERTYPE_IP);
5298
5299 switch (ip_proto) {
5300 case IPPROTO_UDP:
5301 case IPPROTO_TCP:
5302 case IPPROTO_SCTP:
5303 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5304 break;
5305
5306 case PROTO_UNDEF:
5307 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5308 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5309 gen_or(tmp, b1);
5310 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5311 gen_or(tmp, b1);
5312 break;
5313
5314 default:
5315 abort();
5316 }
5317 gen_and(b0, b1);
5318 return b1;
5319}
5320
5321#ifdef INET6
5322static struct block *
5323gen_portrangeatom6(off, v1, v2)
5324 int off;
5325 bpf_int32 v1, v2;
5326{
5327 struct block *b1, *b2;
5328
5329 if (v1 > v2) {
5330 /*
5331 * Reverse the order of the ports, so v1 is the lower one.
5332 */
5333 bpf_int32 vtemp;
5334
5335 vtemp = v1;
5336 v1 = v2;
5337 v2 = vtemp;
5338 }
5339
5340 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5341 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5342
5343 gen_and(b1, b2);
5344
5345 return b2;
5346}
5347
5348struct block *
5349gen_portrangeop6(port1, port2, proto, dir)
5350 int port1, port2;
5351 int proto;
5352 int dir;
5353{
5354 struct block *b0, *b1, *tmp;
5355
5356 /* ip6 proto 'proto' */
5357 /* XXX - catch the first fragment of a fragmented packet? */
5358 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5359
5360 switch (dir) {
5361 case Q_SRC:
5362 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5363 break;
5364
5365 case Q_DST:
5366 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5367 break;
5368
5369 case Q_OR:
5370 case Q_DEFAULT:
5371 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5372 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5373 gen_or(tmp, b1);
5374 break;
5375
5376 case Q_AND:
5377 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5378 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5379 gen_and(tmp, b1);
5380 break;
5381
5382 default:
5383 abort();
5384 }
5385 gen_and(b0, b1);
5386
5387 return b1;
5388}
5389
5390static struct block *
5391gen_portrange6(port1, port2, ip_proto, dir)
5392 int port1, port2;
5393 int ip_proto;
5394 int dir;
5395{
5396 struct block *b0, *b1, *tmp;
5397
5398 /* link proto ip6 */
5399 b0 = gen_linktype(ETHERTYPE_IPV6);
5400
5401 switch (ip_proto) {
5402 case IPPROTO_UDP:
5403 case IPPROTO_TCP:
5404 case IPPROTO_SCTP:
5405 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5406 break;
5407
5408 case PROTO_UNDEF:
5409 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5410 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5411 gen_or(tmp, b1);
5412 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5413 gen_or(tmp, b1);
5414 break;
5415
5416 default:
5417 abort();
5418 }
5419 gen_and(b0, b1);
5420 return b1;
5421}
5422#endif /* INET6 */
5423
5424static int
5425lookup_proto(name, proto)
5426 register const char *name;
5427 register int proto;
5428{
5429 register int v;
5430
5431 switch (proto) {
5432
5433 case Q_DEFAULT:
5434 case Q_IP:
5435 case Q_IPV6:
5436 v = pcap_nametoproto(name);
5437 if (v == PROTO_UNDEF)
5438 bpf_error("unknown ip proto '%s'", name);
5439 break;
5440
5441 case Q_LINK:
5442 /* XXX should look up h/w protocol type based on linktype */
5443 v = pcap_nametoeproto(name);
5444 if (v == PROTO_UNDEF) {
5445 v = pcap_nametollc(name);
5446 if (v == PROTO_UNDEF)
5447 bpf_error("unknown ether proto '%s'", name);
5448 }
5449 break;
5450
5451 case Q_ISO:
5452 if (strcmp(name, "esis") == 0)
5453 v = ISO9542_ESIS;
5454 else if (strcmp(name, "isis") == 0)
5455 v = ISO10589_ISIS;
5456 else if (strcmp(name, "clnp") == 0)
5457 v = ISO8473_CLNP;
5458 else
5459 bpf_error("unknown osi proto '%s'", name);
5460 break;
5461
5462 default:
5463 v = PROTO_UNDEF;
5464 break;
5465 }
5466 return v;
5467}
5468
5469#if 0
5470struct stmt *
5471gen_joinsp(s, n)
5472 struct stmt **s;
5473 int n;
5474{
5475 return NULL;
5476}
5477#endif
5478
5479static struct block *
5480gen_protochain(v, proto, dir)
5481 int v;
5482 int proto;
5483 int dir;
5484{
5485#ifdef NO_PROTOCHAIN
5486 return gen_proto(v, proto, dir);
5487#else
5488 struct block *b0, *b;
5489 struct slist *s[100];
5490 int fix2, fix3, fix4, fix5;
5491 int ahcheck, again, end;
5492 int i, max;
5493 int reg2 = alloc_reg();
5494
5495 memset(s, 0, sizeof(s));
5496 fix2 = fix3 = fix4 = fix5 = 0;
5497
5498 switch (proto) {
5499 case Q_IP:
5500 case Q_IPV6:
5501 break;
5502 case Q_DEFAULT:
5503 b0 = gen_protochain(v, Q_IP, dir);
5504 b = gen_protochain(v, Q_IPV6, dir);
5505 gen_or(b0, b);
5506 return b;
5507 default:
5508 bpf_error("bad protocol applied for 'protochain'");
5509 /*NOTREACHED*/
5510 }
5511
5512 /*
5513 * We don't handle variable-length prefixes before the link-layer
5514 * header, or variable-length link-layer headers, here yet.
5515 * We might want to add BPF instructions to do the protochain
5516 * work, to simplify that and, on platforms that have a BPF
5517 * interpreter with the new instructions, let the filtering
5518 * be done in the kernel. (We already require a modified BPF
5519 * engine to do the protochain stuff, to support backward
5520 * branches, and backward branch support is unlikely to appear
5521 * in kernel BPF engines.)
5522 */
5523 switch (linktype) {
5524
5525 case DLT_IEEE802_11:
5526 case DLT_PRISM_HEADER:
5527 case DLT_IEEE802_11_RADIO_AVS:
5528 case DLT_IEEE802_11_RADIO:
5529 case DLT_PPI:
5530 bpf_error("'protochain' not supported with 802.11");
5531 }
5532
5533 no_optimize = 1; /*this code is not compatible with optimzer yet */
5534
5535 /*
5536 * s[0] is a dummy entry to protect other BPF insn from damage
5537 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5538 * hard to find interdependency made by jump table fixup.
5539 */
5540 i = 0;
5541 s[i] = new_stmt(0); /*dummy*/
5542 i++;
5543
5544 switch (proto) {
5545 case Q_IP:
5546 b0 = gen_linktype(ETHERTYPE_IP);
5547
5548 /* A = ip->ip_p */
5549 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5550 s[i]->s.k = off_macpl + off_nl + 9;
5551 i++;
5552 /* X = ip->ip_hl << 2 */
5553 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5554 s[i]->s.k = off_macpl + off_nl;
5555 i++;
5556 break;
5557#ifdef INET6
5558 case Q_IPV6:
5559 b0 = gen_linktype(ETHERTYPE_IPV6);
5560
5561 /* A = ip6->ip_nxt */
5562 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5563 s[i]->s.k = off_macpl + off_nl + 6;
5564 i++;
5565 /* X = sizeof(struct ip6_hdr) */
5566 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5567 s[i]->s.k = 40;
5568 i++;
5569 break;
5570#endif
5571 default:
5572 bpf_error("unsupported proto to gen_protochain");
5573 /*NOTREACHED*/
5574 }
5575
5576 /* again: if (A == v) goto end; else fall through; */
5577 again = i;
5578 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5579 s[i]->s.k = v;
5580 s[i]->s.jt = NULL; /*later*/
5581 s[i]->s.jf = NULL; /*update in next stmt*/
5582 fix5 = i;
5583 i++;
5584
5585#ifndef IPPROTO_NONE
5586#define IPPROTO_NONE 59
5587#endif
5588 /* if (A == IPPROTO_NONE) goto end */
5589 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5590 s[i]->s.jt = NULL; /*later*/
5591 s[i]->s.jf = NULL; /*update in next stmt*/
5592 s[i]->s.k = IPPROTO_NONE;
5593 s[fix5]->s.jf = s[i];
5594 fix2 = i;
5595 i++;
5596
5597#ifdef INET6
5598 if (proto == Q_IPV6) {
5599 int v6start, v6end, v6advance, j;
5600
5601 v6start = i;
5602 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5603 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5604 s[i]->s.jt = NULL; /*later*/
5605 s[i]->s.jf = NULL; /*update in next stmt*/
5606 s[i]->s.k = IPPROTO_HOPOPTS;
5607 s[fix2]->s.jf = s[i];
5608 i++;
5609 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5610 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5611 s[i]->s.jt = NULL; /*later*/
5612 s[i]->s.jf = NULL; /*update in next stmt*/
5613 s[i]->s.k = IPPROTO_DSTOPTS;
5614 i++;
5615 /* if (A == IPPROTO_ROUTING) goto v6advance */
5616 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5617 s[i]->s.jt = NULL; /*later*/
5618 s[i]->s.jf = NULL; /*update in next stmt*/
5619 s[i]->s.k = IPPROTO_ROUTING;
5620 i++;
5621 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5622 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5623 s[i]->s.jt = NULL; /*later*/
5624 s[i]->s.jf = NULL; /*later*/
5625 s[i]->s.k = IPPROTO_FRAGMENT;
5626 fix3 = i;
5627 v6end = i;
5628 i++;
5629
5630 /* v6advance: */
5631 v6advance = i;
5632
5633 /*
5634 * in short,
5635 * A = P[X + packet head];
5636 * X = X + (P[X + packet head + 1] + 1) * 8;
5637 */
5638 /* A = P[X + packet head] */
5639 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5640 s[i]->s.k = off_macpl + off_nl;
5641 i++;
5642 /* MEM[reg2] = A */
5643 s[i] = new_stmt(BPF_ST);
5644 s[i]->s.k = reg2;
5645 i++;
5646 /* A = P[X + packet head + 1]; */
5647 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5648 s[i]->s.k = off_macpl + off_nl + 1;
5649 i++;
5650 /* A += 1 */
5651 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5652 s[i]->s.k = 1;
5653 i++;
5654 /* A *= 8 */
5655 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5656 s[i]->s.k = 8;
5657 i++;
5658 /* A += X */
5659 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
5660 s[i]->s.k = 0;
5661 i++;
5662 /* X = A; */
5663 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5664 i++;
5665 /* A = MEM[reg2] */
5666 s[i] = new_stmt(BPF_LD|BPF_MEM);
5667 s[i]->s.k = reg2;
5668 i++;
5669
5670 /* goto again; (must use BPF_JA for backward jump) */
5671 s[i] = new_stmt(BPF_JMP|BPF_JA);
5672 s[i]->s.k = again - i - 1;
5673 s[i - 1]->s.jf = s[i];
5674 i++;
5675
5676 /* fixup */
5677 for (j = v6start; j <= v6end; j++)
5678 s[j]->s.jt = s[v6advance];
5679 } else
5680#endif
5681 {
5682 /* nop */
5683 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5684 s[i]->s.k = 0;
5685 s[fix2]->s.jf = s[i];
5686 i++;
5687 }
5688
5689 /* ahcheck: */
5690 ahcheck = i;
5691 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5692 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5693 s[i]->s.jt = NULL; /*later*/
5694 s[i]->s.jf = NULL; /*later*/
5695 s[i]->s.k = IPPROTO_AH;
5696 if (fix3)
5697 s[fix3]->s.jf = s[ahcheck];
5698 fix4 = i;
5699 i++;
5700
5701 /*
5702 * in short,
5703 * A = P[X];
5704 * X = X + (P[X + 1] + 2) * 4;
5705 */
5706 /* A = X */
5707 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5708 i++;
5709 /* A = P[X + packet head]; */
5710 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5711 s[i]->s.k = off_macpl + off_nl;
5712 i++;
5713 /* MEM[reg2] = A */
5714 s[i] = new_stmt(BPF_ST);
5715 s[i]->s.k = reg2;
5716 i++;
5717 /* A = X */
5718 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5719 i++;
5720 /* A += 1 */
5721 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5722 s[i]->s.k = 1;
5723 i++;
5724 /* X = A */
5725 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5726 i++;
5727 /* A = P[X + packet head] */
5728 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5729 s[i]->s.k = off_macpl + off_nl;
5730 i++;
5731 /* A += 2 */
5732 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5733 s[i]->s.k = 2;
5734 i++;
5735 /* A *= 4 */
5736 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5737 s[i]->s.k = 4;
5738 i++;
5739 /* X = A; */
5740 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5741 i++;
5742 /* A = MEM[reg2] */
5743 s[i] = new_stmt(BPF_LD|BPF_MEM);
5744 s[i]->s.k = reg2;
5745 i++;
5746
5747 /* goto again; (must use BPF_JA for backward jump) */
5748 s[i] = new_stmt(BPF_JMP|BPF_JA);
5749 s[i]->s.k = again - i - 1;
5750 i++;
5751
5752 /* end: nop */
5753 end = i;
5754 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5755 s[i]->s.k = 0;
5756 s[fix2]->s.jt = s[end];
5757 s[fix4]->s.jf = s[end];
5758 s[fix5]->s.jt = s[end];
5759 i++;
5760
5761 /*
5762 * make slist chain
5763 */
5764 max = i;
5765 for (i = 0; i < max - 1; i++)
5766 s[i]->next = s[i + 1];
5767 s[max - 1]->next = NULL;
5768
5769 /*
5770 * emit final check
5771 */
5772 b = new_block(JMP(BPF_JEQ));
5773 b->stmts = s[1]; /*remember, s[0] is dummy*/
5774 b->s.k = v;
5775
5776 free_reg(reg2);
5777
5778 gen_and(b0, b);
5779 return b;
5780#endif
5781}
5782
5783static struct block *
5784gen_check_802_11_data_frame()
5785{
5786 struct slist *s;
5787 struct block *b0, *b1;
5788
5789 /*
5790 * A data frame has the 0x08 bit (b3) in the frame control field set
5791 * and the 0x04 bit (b2) clear.
5792 */
5793 s = gen_load_a(OR_LINK, 0, BPF_B);
5794 b0 = new_block(JMP(BPF_JSET));
5795 b0->s.k = 0x08;
5796 b0->stmts = s;
5797
5798 s = gen_load_a(OR_LINK, 0, BPF_B);
5799 b1 = new_block(JMP(BPF_JSET));
5800 b1->s.k = 0x04;
5801 b1->stmts = s;
5802 gen_not(b1);
5803
5804 gen_and(b1, b0);
5805
5806 return b0;
5807}
5808
5809/*
5810 * Generate code that checks whether the packet is a packet for protocol
5811 * <proto> and whether the type field in that protocol's header has
5812 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5813 * IP packet and checks the protocol number in the IP header against <v>.
5814 *
5815 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5816 * against Q_IP and Q_IPV6.
5817 */
5818static struct block *
5819gen_proto(v, proto, dir)
5820 int v;
5821 int proto;
5822 int dir;
5823{
5824 struct block *b0, *b1;
|
| 5825#ifdef INET6
5826#ifndef CHASE_CHAIN
5827 struct block *b2;
5828#endif
5829#endif
|
5824
5825 if (dir != Q_DEFAULT)
5826 bpf_error("direction applied to 'proto'");
5827
5828 switch (proto) {
5829 case Q_DEFAULT:
5830#ifdef INET6
5831 b0 = gen_proto(v, Q_IP, dir);
5832 b1 = gen_proto(v, Q_IPV6, dir);
5833 gen_or(b0, b1);
5834 return b1;
5835#else
5836 /*FALLTHROUGH*/
5837#endif
5838 case Q_IP:
5839 /*
5840 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5841 * not LLC encapsulation with LLCSAP_IP.
5842 *
5843 * For IEEE 802 networks - which includes 802.5 token ring
5844 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5845 * says that SNAP encapsulation is used, not LLC encapsulation
5846 * with LLCSAP_IP.
5847 *
5848 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5849 * RFC 2225 say that SNAP encapsulation is used, not LLC
5850 * encapsulation with LLCSAP_IP.
5851 *
5852 * So we always check for ETHERTYPE_IP.
5853 */
5854 b0 = gen_linktype(ETHERTYPE_IP);
5855#ifndef CHASE_CHAIN
5856 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5857#else
5858 b1 = gen_protochain(v, Q_IP);
5859#endif
5860 gen_and(b0, b1);
5861 return b1;
5862
5863 case Q_ISO:
5864 switch (linktype) {
5865
5866 case DLT_FRELAY:
5867 /*
5868 * Frame Relay packets typically have an OSI
5869 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5870 * generates code to check for all the OSI
5871 * NLPIDs, so calling it and then adding a check
5872 * for the particular NLPID for which we're
5873 * looking is bogus, as we can just check for
5874 * the NLPID.
5875 *
5876 * What we check for is the NLPID and a frame
5877 * control field value of UI, i.e. 0x03 followed
5878 * by the NLPID.
5879 *
5880 * XXX - assumes a 2-byte Frame Relay header with
5881 * DLCI and flags. What if the address is longer?
5882 *
5883 * XXX - what about SNAP-encapsulated frames?
5884 */
5885 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5886 /*NOTREACHED*/
5887 break;
5888
5889 case DLT_C_HDLC:
5890 /*
5891 * Cisco uses an Ethertype lookalike - for OSI,
5892 * it's 0xfefe.
5893 */
5894 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5895 /* OSI in C-HDLC is stuffed with a fudge byte */
5896 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5897 gen_and(b0, b1);
5898 return b1;
5899
5900 default:
5901 b0 = gen_linktype(LLCSAP_ISONS);
5902 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5903 gen_and(b0, b1);
5904 return b1;
5905 }
5906
5907 case Q_ISIS:
5908 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5909 /*
5910 * 4 is the offset of the PDU type relative to the IS-IS
5911 * header.
5912 */
5913 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5914 gen_and(b0, b1);
5915 return b1;
5916
5917 case Q_ARP:
5918 bpf_error("arp does not encapsulate another protocol");
5919 /* NOTREACHED */
5920
5921 case Q_RARP:
5922 bpf_error("rarp does not encapsulate another protocol");
5923 /* NOTREACHED */
5924
5925 case Q_ATALK:
5926 bpf_error("atalk encapsulation is not specifiable");
5927 /* NOTREACHED */
5928
5929 case Q_DECNET:
5930 bpf_error("decnet encapsulation is not specifiable");
5931 /* NOTREACHED */
5932
5933 case Q_SCA:
5934 bpf_error("sca does not encapsulate another protocol");
5935 /* NOTREACHED */
5936
5937 case Q_LAT:
5938 bpf_error("lat does not encapsulate another protocol");
5939 /* NOTREACHED */
5940
5941 case Q_MOPRC:
5942 bpf_error("moprc does not encapsulate another protocol");
5943 /* NOTREACHED */
5944
5945 case Q_MOPDL:
5946 bpf_error("mopdl does not encapsulate another protocol");
5947 /* NOTREACHED */
5948
5949 case Q_LINK:
5950 return gen_linktype(v);
5951
5952 case Q_UDP:
5953 bpf_error("'udp proto' is bogus");
5954 /* NOTREACHED */
5955
5956 case Q_TCP:
5957 bpf_error("'tcp proto' is bogus");
5958 /* NOTREACHED */
5959
5960 case Q_SCTP:
5961 bpf_error("'sctp proto' is bogus");
5962 /* NOTREACHED */
5963
5964 case Q_ICMP:
5965 bpf_error("'icmp proto' is bogus");
5966 /* NOTREACHED */
5967
5968 case Q_IGMP:
5969 bpf_error("'igmp proto' is bogus");
5970 /* NOTREACHED */
5971
5972 case Q_IGRP:
5973 bpf_error("'igrp proto' is bogus");
5974 /* NOTREACHED */
5975
5976 case Q_PIM:
5977 bpf_error("'pim proto' is bogus");
5978 /* NOTREACHED */
5979
5980 case Q_VRRP:
5981 bpf_error("'vrrp proto' is bogus");
5982 /* NOTREACHED */
5983
5984 case Q_CARP:
5985 bpf_error("'carp proto' is bogus");
5986 /* NOTREACHED */
5987
5988#ifdef INET6
5989 case Q_IPV6:
5990 b0 = gen_linktype(ETHERTYPE_IPV6);
5991#ifndef CHASE_CHAIN
| 5830
5831 if (dir != Q_DEFAULT)
5832 bpf_error("direction applied to 'proto'");
5833
5834 switch (proto) {
5835 case Q_DEFAULT:
5836#ifdef INET6
5837 b0 = gen_proto(v, Q_IP, dir);
5838 b1 = gen_proto(v, Q_IPV6, dir);
5839 gen_or(b0, b1);
5840 return b1;
5841#else
5842 /*FALLTHROUGH*/
5843#endif
5844 case Q_IP:
5845 /*
5846 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5847 * not LLC encapsulation with LLCSAP_IP.
5848 *
5849 * For IEEE 802 networks - which includes 802.5 token ring
5850 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5851 * says that SNAP encapsulation is used, not LLC encapsulation
5852 * with LLCSAP_IP.
5853 *
5854 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5855 * RFC 2225 say that SNAP encapsulation is used, not LLC
5856 * encapsulation with LLCSAP_IP.
5857 *
5858 * So we always check for ETHERTYPE_IP.
5859 */
5860 b0 = gen_linktype(ETHERTYPE_IP);
5861#ifndef CHASE_CHAIN
5862 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5863#else
5864 b1 = gen_protochain(v, Q_IP);
5865#endif
5866 gen_and(b0, b1);
5867 return b1;
5868
5869 case Q_ISO:
5870 switch (linktype) {
5871
5872 case DLT_FRELAY:
5873 /*
5874 * Frame Relay packets typically have an OSI
5875 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5876 * generates code to check for all the OSI
5877 * NLPIDs, so calling it and then adding a check
5878 * for the particular NLPID for which we're
5879 * looking is bogus, as we can just check for
5880 * the NLPID.
5881 *
5882 * What we check for is the NLPID and a frame
5883 * control field value of UI, i.e. 0x03 followed
5884 * by the NLPID.
5885 *
5886 * XXX - assumes a 2-byte Frame Relay header with
5887 * DLCI and flags. What if the address is longer?
5888 *
5889 * XXX - what about SNAP-encapsulated frames?
5890 */
5891 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5892 /*NOTREACHED*/
5893 break;
5894
5895 case DLT_C_HDLC:
5896 /*
5897 * Cisco uses an Ethertype lookalike - for OSI,
5898 * it's 0xfefe.
5899 */
5900 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5901 /* OSI in C-HDLC is stuffed with a fudge byte */
5902 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5903 gen_and(b0, b1);
5904 return b1;
5905
5906 default:
5907 b0 = gen_linktype(LLCSAP_ISONS);
5908 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5909 gen_and(b0, b1);
5910 return b1;
5911 }
5912
5913 case Q_ISIS:
5914 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5915 /*
5916 * 4 is the offset of the PDU type relative to the IS-IS
5917 * header.
5918 */
5919 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5920 gen_and(b0, b1);
5921 return b1;
5922
5923 case Q_ARP:
5924 bpf_error("arp does not encapsulate another protocol");
5925 /* NOTREACHED */
5926
5927 case Q_RARP:
5928 bpf_error("rarp does not encapsulate another protocol");
5929 /* NOTREACHED */
5930
5931 case Q_ATALK:
5932 bpf_error("atalk encapsulation is not specifiable");
5933 /* NOTREACHED */
5934
5935 case Q_DECNET:
5936 bpf_error("decnet encapsulation is not specifiable");
5937 /* NOTREACHED */
5938
5939 case Q_SCA:
5940 bpf_error("sca does not encapsulate another protocol");
5941 /* NOTREACHED */
5942
5943 case Q_LAT:
5944 bpf_error("lat does not encapsulate another protocol");
5945 /* NOTREACHED */
5946
5947 case Q_MOPRC:
5948 bpf_error("moprc does not encapsulate another protocol");
5949 /* NOTREACHED */
5950
5951 case Q_MOPDL:
5952 bpf_error("mopdl does not encapsulate another protocol");
5953 /* NOTREACHED */
5954
5955 case Q_LINK:
5956 return gen_linktype(v);
5957
5958 case Q_UDP:
5959 bpf_error("'udp proto' is bogus");
5960 /* NOTREACHED */
5961
5962 case Q_TCP:
5963 bpf_error("'tcp proto' is bogus");
5964 /* NOTREACHED */
5965
5966 case Q_SCTP:
5967 bpf_error("'sctp proto' is bogus");
5968 /* NOTREACHED */
5969
5970 case Q_ICMP:
5971 bpf_error("'icmp proto' is bogus");
5972 /* NOTREACHED */
5973
5974 case Q_IGMP:
5975 bpf_error("'igmp proto' is bogus");
5976 /* NOTREACHED */
5977
5978 case Q_IGRP:
5979 bpf_error("'igrp proto' is bogus");
5980 /* NOTREACHED */
5981
5982 case Q_PIM:
5983 bpf_error("'pim proto' is bogus");
5984 /* NOTREACHED */
5985
5986 case Q_VRRP:
5987 bpf_error("'vrrp proto' is bogus");
5988 /* NOTREACHED */
5989
5990 case Q_CARP:
5991 bpf_error("'carp proto' is bogus");
5992 /* NOTREACHED */
5993
5994#ifdef INET6
5995 case Q_IPV6:
5996 b0 = gen_linktype(ETHERTYPE_IPV6);
5997#ifndef CHASE_CHAIN
|
5992 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
| 5998 /*
5999 * Also check for a fragment header before the final
6000 * header.
6001 */
6002 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT);
6003 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v);
6004 gen_and(b2, b1);
6005 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
6006 gen_or(b2, b1);
|
5993#else
5994 b1 = gen_protochain(v, Q_IPV6);
5995#endif
5996 gen_and(b0, b1);
5997 return b1;
5998
5999 case Q_ICMPV6:
6000 bpf_error("'icmp6 proto' is bogus");
6001#endif /* INET6 */
6002
6003 case Q_AH:
6004 bpf_error("'ah proto' is bogus");
6005
6006 case Q_ESP:
6007 bpf_error("'ah proto' is bogus");
6008
6009 case Q_STP:
6010 bpf_error("'stp proto' is bogus");
6011
6012 case Q_IPX:
6013 bpf_error("'ipx proto' is bogus");
6014
6015 case Q_NETBEUI:
6016 bpf_error("'netbeui proto' is bogus");
6017
6018 case Q_RADIO:
6019 bpf_error("'radio proto' is bogus");
6020
6021 default:
6022 abort();
6023 /* NOTREACHED */
6024 }
6025 /* NOTREACHED */
6026}
6027
6028struct block *
6029gen_scode(name, q)
6030 register const char *name;
6031 struct qual q;
6032{
6033 int proto = q.proto;
6034 int dir = q.dir;
6035 int tproto;
6036 u_char *eaddr;
6037 bpf_u_int32 mask, addr;
6038#ifndef INET6
6039 bpf_u_int32 **alist;
6040#else
6041 int tproto6;
6042 struct sockaddr_in *sin4;
6043 struct sockaddr_in6 *sin6;
6044 struct addrinfo *res, *res0;
6045 struct in6_addr mask128;
6046#endif /*INET6*/
6047 struct block *b, *tmp;
6048 int port, real_proto;
6049 int port1, port2;
6050
6051 switch (q.addr) {
6052
6053 case Q_NET:
6054 addr = pcap_nametonetaddr(name);
6055 if (addr == 0)
6056 bpf_error("unknown network '%s'", name);
6057 /* Left justify network addr and calculate its network mask */
6058 mask = 0xffffffff;
6059 while (addr && (addr & 0xff000000) == 0) {
6060 addr <<= 8;
6061 mask <<= 8;
6062 }
6063 return gen_host(addr, mask, proto, dir, q.addr);
6064
6065 case Q_DEFAULT:
6066 case Q_HOST:
6067 if (proto == Q_LINK) {
6068 switch (linktype) {
6069
6070 case DLT_EN10MB:
6071 case DLT_NETANALYZER:
6072 case DLT_NETANALYZER_TRANSPARENT:
6073 eaddr = pcap_ether_hostton(name);
6074 if (eaddr == NULL)
6075 bpf_error(
6076 "unknown ether host '%s'", name);
6077 b = gen_ehostop(eaddr, dir);
6078 free(eaddr);
6079 return b;
6080
6081 case DLT_FDDI:
6082 eaddr = pcap_ether_hostton(name);
6083 if (eaddr == NULL)
6084 bpf_error(
6085 "unknown FDDI host '%s'", name);
6086 b = gen_fhostop(eaddr, dir);
6087 free(eaddr);
6088 return b;
6089
6090 case DLT_IEEE802:
6091 eaddr = pcap_ether_hostton(name);
6092 if (eaddr == NULL)
6093 bpf_error(
6094 "unknown token ring host '%s'", name);
6095 b = gen_thostop(eaddr, dir);
6096 free(eaddr);
6097 return b;
6098
6099 case DLT_IEEE802_11:
6100 case DLT_PRISM_HEADER:
6101 case DLT_IEEE802_11_RADIO_AVS:
6102 case DLT_IEEE802_11_RADIO:
6103 case DLT_PPI:
6104 eaddr = pcap_ether_hostton(name);
6105 if (eaddr == NULL)
6106 bpf_error(
6107 "unknown 802.11 host '%s'", name);
6108 b = gen_wlanhostop(eaddr, dir);
6109 free(eaddr);
6110 return b;
6111
6112 case DLT_IP_OVER_FC:
6113 eaddr = pcap_ether_hostton(name);
6114 if (eaddr == NULL)
6115 bpf_error(
6116 "unknown Fibre Channel host '%s'", name);
6117 b = gen_ipfchostop(eaddr, dir);
6118 free(eaddr);
6119 return b;
6120
6121 case DLT_SUNATM:
6122 if (!is_lane)
6123 break;
6124
6125 /*
6126 * Check that the packet doesn't begin
6127 * with an LE Control marker. (We've
6128 * already generated a test for LANE.)
6129 */
6130 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6131 BPF_H, 0xFF00);
6132 gen_not(tmp);
6133
6134 eaddr = pcap_ether_hostton(name);
6135 if (eaddr == NULL)
6136 bpf_error(
6137 "unknown ether host '%s'", name);
6138 b = gen_ehostop(eaddr, dir);
6139 gen_and(tmp, b);
6140 free(eaddr);
6141 return b;
6142 }
6143
6144 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6145 } else if (proto == Q_DECNET) {
6146 unsigned short dn_addr = __pcap_nametodnaddr(name);
6147 /*
6148 * I don't think DECNET hosts can be multihomed, so
6149 * there is no need to build up a list of addresses
6150 */
6151 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6152 } else {
6153#ifndef INET6
6154 alist = pcap_nametoaddr(name);
6155 if (alist == NULL || *alist == NULL)
6156 bpf_error("unknown host '%s'", name);
6157 tproto = proto;
6158 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6159 tproto = Q_IP;
6160 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6161 while (*alist) {
6162 tmp = gen_host(**alist++, 0xffffffff,
6163 tproto, dir, q.addr);
6164 gen_or(b, tmp);
6165 b = tmp;
6166 }
6167 return b;
6168#else
6169 memset(&mask128, 0xff, sizeof(mask128));
6170 res0 = res = pcap_nametoaddrinfo(name);
6171 if (res == NULL)
6172 bpf_error("unknown host '%s'", name);
6173 ai = res;
6174 b = tmp = NULL;
6175 tproto = tproto6 = proto;
6176 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6177 tproto = Q_IP;
6178 tproto6 = Q_IPV6;
6179 }
6180 for (res = res0; res; res = res->ai_next) {
6181 switch (res->ai_family) {
6182 case AF_INET:
6183 if (tproto == Q_IPV6)
6184 continue;
6185
6186 sin4 = (struct sockaddr_in *)
6187 res->ai_addr;
6188 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6189 0xffffffff, tproto, dir, q.addr);
6190 break;
6191 case AF_INET6:
6192 if (tproto6 == Q_IP)
6193 continue;
6194
6195 sin6 = (struct sockaddr_in6 *)
6196 res->ai_addr;
6197 tmp = gen_host6(&sin6->sin6_addr,
6198 &mask128, tproto6, dir, q.addr);
6199 break;
6200 default:
6201 continue;
6202 }
6203 if (b)
6204 gen_or(b, tmp);
6205 b = tmp;
6206 }
6207 ai = NULL;
6208 freeaddrinfo(res0);
6209 if (b == NULL) {
6210 bpf_error("unknown host '%s'%s", name,
6211 (proto == Q_DEFAULT)
6212 ? ""
6213 : " for specified address family");
6214 }
6215 return b;
6216#endif /*INET6*/
6217 }
6218
6219 case Q_PORT:
6220 if (proto != Q_DEFAULT &&
6221 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6222 bpf_error("illegal qualifier of 'port'");
6223 if (pcap_nametoport(name, &port, &real_proto) == 0)
6224 bpf_error("unknown port '%s'", name);
6225 if (proto == Q_UDP) {
6226 if (real_proto == IPPROTO_TCP)
6227 bpf_error("port '%s' is tcp", name);
6228 else if (real_proto == IPPROTO_SCTP)
6229 bpf_error("port '%s' is sctp", name);
6230 else
6231 /* override PROTO_UNDEF */
6232 real_proto = IPPROTO_UDP;
6233 }
6234 if (proto == Q_TCP) {
6235 if (real_proto == IPPROTO_UDP)
6236 bpf_error("port '%s' is udp", name);
6237
6238 else if (real_proto == IPPROTO_SCTP)
6239 bpf_error("port '%s' is sctp", name);
6240 else
6241 /* override PROTO_UNDEF */
6242 real_proto = IPPROTO_TCP;
6243 }
6244 if (proto == Q_SCTP) {
6245 if (real_proto == IPPROTO_UDP)
6246 bpf_error("port '%s' is udp", name);
6247
6248 else if (real_proto == IPPROTO_TCP)
6249 bpf_error("port '%s' is tcp", name);
6250 else
6251 /* override PROTO_UNDEF */
6252 real_proto = IPPROTO_SCTP;
6253 }
6254 if (port < 0)
6255 bpf_error("illegal port number %d < 0", port);
6256 if (port > 65535)
6257 bpf_error("illegal port number %d > 65535", port);
6258#ifndef INET6
6259 return gen_port(port, real_proto, dir);
6260#else
6261 b = gen_port(port, real_proto, dir);
6262 gen_or(gen_port6(port, real_proto, dir), b);
6263 return b;
6264#endif /* INET6 */
6265
6266 case Q_PORTRANGE:
6267 if (proto != Q_DEFAULT &&
6268 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6269 bpf_error("illegal qualifier of 'portrange'");
6270 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6271 bpf_error("unknown port in range '%s'", name);
6272 if (proto == Q_UDP) {
6273 if (real_proto == IPPROTO_TCP)
6274 bpf_error("port in range '%s' is tcp", name);
6275 else if (real_proto == IPPROTO_SCTP)
6276 bpf_error("port in range '%s' is sctp", name);
6277 else
6278 /* override PROTO_UNDEF */
6279 real_proto = IPPROTO_UDP;
6280 }
6281 if (proto == Q_TCP) {
6282 if (real_proto == IPPROTO_UDP)
6283 bpf_error("port in range '%s' is udp", name);
6284 else if (real_proto == IPPROTO_SCTP)
6285 bpf_error("port in range '%s' is sctp", name);
6286 else
6287 /* override PROTO_UNDEF */
6288 real_proto = IPPROTO_TCP;
6289 }
6290 if (proto == Q_SCTP) {
6291 if (real_proto == IPPROTO_UDP)
6292 bpf_error("port in range '%s' is udp", name);
6293 else if (real_proto == IPPROTO_TCP)
6294 bpf_error("port in range '%s' is tcp", name);
6295 else
6296 /* override PROTO_UNDEF */
6297 real_proto = IPPROTO_SCTP;
6298 }
6299 if (port1 < 0)
6300 bpf_error("illegal port number %d < 0", port1);
6301 if (port1 > 65535)
6302 bpf_error("illegal port number %d > 65535", port1);
6303 if (port2 < 0)
6304 bpf_error("illegal port number %d < 0", port2);
6305 if (port2 > 65535)
6306 bpf_error("illegal port number %d > 65535", port2);
6307
6308#ifndef INET6
6309 return gen_portrange(port1, port2, real_proto, dir);
6310#else
6311 b = gen_portrange(port1, port2, real_proto, dir);
6312 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6313 return b;
6314#endif /* INET6 */
6315
6316 case Q_GATEWAY:
6317#ifndef INET6
6318 eaddr = pcap_ether_hostton(name);
6319 if (eaddr == NULL)
6320 bpf_error("unknown ether host: %s", name);
6321
6322 alist = pcap_nametoaddr(name);
6323 if (alist == NULL || *alist == NULL)
6324 bpf_error("unknown host '%s'", name);
6325 b = gen_gateway(eaddr, alist, proto, dir);
6326 free(eaddr);
6327 return b;
6328#else
6329 bpf_error("'gateway' not supported in this configuration");
6330#endif /*INET6*/
6331
6332 case Q_PROTO:
6333 real_proto = lookup_proto(name, proto);
6334 if (real_proto >= 0)
6335 return gen_proto(real_proto, proto, dir);
6336 else
6337 bpf_error("unknown protocol: %s", name);
6338
6339 case Q_PROTOCHAIN:
6340 real_proto = lookup_proto(name, proto);
6341 if (real_proto >= 0)
6342 return gen_protochain(real_proto, proto, dir);
6343 else
6344 bpf_error("unknown protocol: %s", name);
6345
6346 case Q_UNDEF:
6347 syntax();
6348 /* NOTREACHED */
6349 }
6350 abort();
6351 /* NOTREACHED */
6352}
6353
6354struct block *
6355gen_mcode(s1, s2, masklen, q)
6356 register const char *s1, *s2;
6357 register int masklen;
6358 struct qual q;
6359{
6360 register int nlen, mlen;
6361 bpf_u_int32 n, m;
6362
6363 nlen = __pcap_atoin(s1, &n);
6364 /* Promote short ipaddr */
6365 n <<= 32 - nlen;
6366
6367 if (s2 != NULL) {
6368 mlen = __pcap_atoin(s2, &m);
6369 /* Promote short ipaddr */
6370 m <<= 32 - mlen;
6371 if ((n & ~m) != 0)
6372 bpf_error("non-network bits set in \"%s mask %s\"",
6373 s1, s2);
6374 } else {
6375 /* Convert mask len to mask */
6376 if (masklen > 32)
6377 bpf_error("mask length must be <= 32");
6378 if (masklen == 0) {
6379 /*
6380 * X << 32 is not guaranteed by C to be 0; it's
6381 * undefined.
6382 */
6383 m = 0;
6384 } else
6385 m = 0xffffffff << (32 - masklen);
6386 if ((n & ~m) != 0)
6387 bpf_error("non-network bits set in \"%s/%d\"",
6388 s1, masklen);
6389 }
6390
6391 switch (q.addr) {
6392
6393 case Q_NET:
6394 return gen_host(n, m, q.proto, q.dir, q.addr);
6395
6396 default:
6397 bpf_error("Mask syntax for networks only");
6398 /* NOTREACHED */
6399 }
6400 /* NOTREACHED */
6401 return NULL;
6402}
6403
6404struct block *
6405gen_ncode(s, v, q)
6406 register const char *s;
6407 bpf_u_int32 v;
6408 struct qual q;
6409{
6410 bpf_u_int32 mask;
6411 int proto = q.proto;
6412 int dir = q.dir;
6413 register int vlen;
6414
6415 if (s == NULL)
6416 vlen = 32;
6417 else if (q.proto == Q_DECNET)
6418 vlen = __pcap_atodn(s, &v);
6419 else
6420 vlen = __pcap_atoin(s, &v);
6421
6422 switch (q.addr) {
6423
6424 case Q_DEFAULT:
6425 case Q_HOST:
6426 case Q_NET:
6427 if (proto == Q_DECNET)
6428 return gen_host(v, 0, proto, dir, q.addr);
6429 else if (proto == Q_LINK) {
6430 bpf_error("illegal link layer address");
6431 } else {
6432 mask = 0xffffffff;
6433 if (s == NULL && q.addr == Q_NET) {
6434 /* Promote short net number */
6435 while (v && (v & 0xff000000) == 0) {
6436 v <<= 8;
6437 mask <<= 8;
6438 }
6439 } else {
6440 /* Promote short ipaddr */
6441 v <<= 32 - vlen;
6442 mask <<= 32 - vlen;
6443 }
6444 return gen_host(v, mask, proto, dir, q.addr);
6445 }
6446
6447 case Q_PORT:
6448 if (proto == Q_UDP)
6449 proto = IPPROTO_UDP;
6450 else if (proto == Q_TCP)
6451 proto = IPPROTO_TCP;
6452 else if (proto == Q_SCTP)
6453 proto = IPPROTO_SCTP;
6454 else if (proto == Q_DEFAULT)
6455 proto = PROTO_UNDEF;
6456 else
6457 bpf_error("illegal qualifier of 'port'");
6458
6459 if (v > 65535)
6460 bpf_error("illegal port number %u > 65535", v);
6461
6462#ifndef INET6
6463 return gen_port((int)v, proto, dir);
6464#else
6465 {
6466 struct block *b;
6467 b = gen_port((int)v, proto, dir);
6468 gen_or(gen_port6((int)v, proto, dir), b);
6469 return b;
6470 }
6471#endif /* INET6 */
6472
6473 case Q_PORTRANGE:
6474 if (proto == Q_UDP)
6475 proto = IPPROTO_UDP;
6476 else if (proto == Q_TCP)
6477 proto = IPPROTO_TCP;
6478 else if (proto == Q_SCTP)
6479 proto = IPPROTO_SCTP;
6480 else if (proto == Q_DEFAULT)
6481 proto = PROTO_UNDEF;
6482 else
6483 bpf_error("illegal qualifier of 'portrange'");
6484
6485 if (v > 65535)
6486 bpf_error("illegal port number %u > 65535", v);
6487
6488#ifndef INET6
6489 return gen_portrange((int)v, (int)v, proto, dir);
6490#else
6491 {
6492 struct block *b;
6493 b = gen_portrange((int)v, (int)v, proto, dir);
6494 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6495 return b;
6496 }
6497#endif /* INET6 */
6498
6499 case Q_GATEWAY:
6500 bpf_error("'gateway' requires a name");
6501 /* NOTREACHED */
6502
6503 case Q_PROTO:
6504 return gen_proto((int)v, proto, dir);
6505
6506 case Q_PROTOCHAIN:
6507 return gen_protochain((int)v, proto, dir);
6508
6509 case Q_UNDEF:
6510 syntax();
6511 /* NOTREACHED */
6512
6513 default:
6514 abort();
6515 /* NOTREACHED */
6516 }
6517 /* NOTREACHED */
6518}
6519
6520#ifdef INET6
6521struct block *
6522gen_mcode6(s1, s2, masklen, q)
6523 register const char *s1, *s2;
6524 register int masklen;
6525 struct qual q;
6526{
6527 struct addrinfo *res;
6528 struct in6_addr *addr;
6529 struct in6_addr mask;
6530 struct block *b;
6531 u_int32_t *a, *m;
6532
6533 if (s2)
6534 bpf_error("no mask %s supported", s2);
6535
6536 res = pcap_nametoaddrinfo(s1);
6537 if (!res)
6538 bpf_error("invalid ip6 address %s", s1);
6539 ai = res;
6540 if (res->ai_next)
6541 bpf_error("%s resolved to multiple address", s1);
6542 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6543
6544 if (sizeof(mask) * 8 < masklen)
6545 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6546 memset(&mask, 0, sizeof(mask));
6547 memset(&mask, 0xff, masklen / 8);
6548 if (masklen % 8) {
6549 mask.s6_addr[masklen / 8] =
6550 (0xff << (8 - masklen % 8)) & 0xff;
6551 }
6552
6553 a = (u_int32_t *)addr;
6554 m = (u_int32_t *)&mask;
6555 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6556 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6557 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6558 }
6559
6560 switch (q.addr) {
6561
6562 case Q_DEFAULT:
6563 case Q_HOST:
6564 if (masklen != 128)
6565 bpf_error("Mask syntax for networks only");
6566 /* FALLTHROUGH */
6567
6568 case Q_NET:
6569 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6570 ai = NULL;
6571 freeaddrinfo(res);
6572 return b;
6573
6574 default:
6575 bpf_error("invalid qualifier against IPv6 address");
6576 /* NOTREACHED */
6577 }
6578 return NULL;
6579}
6580#endif /*INET6*/
6581
6582struct block *
6583gen_ecode(eaddr, q)
6584 register const u_char *eaddr;
6585 struct qual q;
6586{
6587 struct block *b, *tmp;
6588
6589 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6590 switch (linktype) {
6591 case DLT_EN10MB:
6592 case DLT_NETANALYZER:
6593 case DLT_NETANALYZER_TRANSPARENT:
6594 return gen_ehostop(eaddr, (int)q.dir);
6595 case DLT_FDDI:
6596 return gen_fhostop(eaddr, (int)q.dir);
6597 case DLT_IEEE802:
6598 return gen_thostop(eaddr, (int)q.dir);
6599 case DLT_IEEE802_11:
6600 case DLT_PRISM_HEADER:
6601 case DLT_IEEE802_11_RADIO_AVS:
6602 case DLT_IEEE802_11_RADIO:
6603 case DLT_PPI:
6604 return gen_wlanhostop(eaddr, (int)q.dir);
6605 case DLT_SUNATM:
6606 if (is_lane) {
6607 /*
6608 * Check that the packet doesn't begin with an
6609 * LE Control marker. (We've already generated
6610 * a test for LANE.)
6611 */
6612 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6613 0xFF00);
6614 gen_not(tmp);
6615
6616 /*
6617 * Now check the MAC address.
6618 */
6619 b = gen_ehostop(eaddr, (int)q.dir);
6620 gen_and(tmp, b);
6621 return b;
6622 }
6623 break;
6624 case DLT_IP_OVER_FC:
6625 return gen_ipfchostop(eaddr, (int)q.dir);
6626 default:
6627 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6628 break;
6629 }
6630 }
6631 bpf_error("ethernet address used in non-ether expression");
6632 /* NOTREACHED */
6633 return NULL;
6634}
6635
6636void
6637sappend(s0, s1)
6638 struct slist *s0, *s1;
6639{
6640 /*
6641 * This is definitely not the best way to do this, but the
6642 * lists will rarely get long.
6643 */
6644 while (s0->next)
6645 s0 = s0->next;
6646 s0->next = s1;
6647}
6648
6649static struct slist *
6650xfer_to_x(a)
6651 struct arth *a;
6652{
6653 struct slist *s;
6654
6655 s = new_stmt(BPF_LDX|BPF_MEM);
6656 s->s.k = a->regno;
6657 return s;
6658}
6659
6660static struct slist *
6661xfer_to_a(a)
6662 struct arth *a;
6663{
6664 struct slist *s;
6665
6666 s = new_stmt(BPF_LD|BPF_MEM);
6667 s->s.k = a->regno;
6668 return s;
6669}
6670
6671/*
6672 * Modify "index" to use the value stored into its register as an
6673 * offset relative to the beginning of the header for the protocol
6674 * "proto", and allocate a register and put an item "size" bytes long
6675 * (1, 2, or 4) at that offset into that register, making it the register
6676 * for "index".
6677 */
6678struct arth *
6679gen_load(proto, inst, size)
6680 int proto;
6681 struct arth *inst;
6682 int size;
6683{
6684 struct slist *s, *tmp;
6685 struct block *b;
6686 int regno = alloc_reg();
6687
6688 free_reg(inst->regno);
6689 switch (size) {
6690
6691 default:
6692 bpf_error("data size must be 1, 2, or 4");
6693
6694 case 1:
6695 size = BPF_B;
6696 break;
6697
6698 case 2:
6699 size = BPF_H;
6700 break;
6701
6702 case 4:
6703 size = BPF_W;
6704 break;
6705 }
6706 switch (proto) {
6707 default:
6708 bpf_error("unsupported index operation");
6709
6710 case Q_RADIO:
6711 /*
6712 * The offset is relative to the beginning of the packet
6713 * data, if we have a radio header. (If we don't, this
6714 * is an error.)
6715 */
6716 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6717 linktype != DLT_IEEE802_11_RADIO &&
6718 linktype != DLT_PRISM_HEADER)
6719 bpf_error("radio information not present in capture");
6720
6721 /*
6722 * Load into the X register the offset computed into the
6723 * register specified by "index".
6724 */
6725 s = xfer_to_x(inst);
6726
6727 /*
6728 * Load the item at that offset.
6729 */
6730 tmp = new_stmt(BPF_LD|BPF_IND|size);
6731 sappend(s, tmp);
6732 sappend(inst->s, s);
6733 break;
6734
6735 case Q_LINK:
6736 /*
6737 * The offset is relative to the beginning of
6738 * the link-layer header.
6739 *
6740 * XXX - what about ATM LANE? Should the index be
6741 * relative to the beginning of the AAL5 frame, so
6742 * that 0 refers to the beginning of the LE Control
6743 * field, or relative to the beginning of the LAN
6744 * frame, so that 0 refers, for Ethernet LANE, to
6745 * the beginning of the destination address?
6746 */
6747 s = gen_llprefixlen();
6748
6749 /*
6750 * If "s" is non-null, it has code to arrange that the
6751 * X register contains the length of the prefix preceding
6752 * the link-layer header. Add to it the offset computed
6753 * into the register specified by "index", and move that
6754 * into the X register. Otherwise, just load into the X
6755 * register the offset computed into the register specified
6756 * by "index".
6757 */
6758 if (s != NULL) {
6759 sappend(s, xfer_to_a(inst));
6760 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6761 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6762 } else
6763 s = xfer_to_x(inst);
6764
6765 /*
6766 * Load the item at the sum of the offset we've put in the
6767 * X register and the offset of the start of the link
6768 * layer header (which is 0 if the radio header is
6769 * variable-length; that header length is what we put
6770 * into the X register and then added to the index).
6771 */
6772 tmp = new_stmt(BPF_LD|BPF_IND|size);
6773 tmp->s.k = off_ll;
6774 sappend(s, tmp);
6775 sappend(inst->s, s);
6776 break;
6777
6778 case Q_IP:
6779 case Q_ARP:
6780 case Q_RARP:
6781 case Q_ATALK:
6782 case Q_DECNET:
6783 case Q_SCA:
6784 case Q_LAT:
6785 case Q_MOPRC:
6786 case Q_MOPDL:
6787#ifdef INET6
6788 case Q_IPV6:
6789#endif
6790 /*
6791 * The offset is relative to the beginning of
6792 * the network-layer header.
6793 * XXX - are there any cases where we want
6794 * off_nl_nosnap?
6795 */
6796 s = gen_off_macpl();
6797
6798 /*
6799 * If "s" is non-null, it has code to arrange that the
6800 * X register contains the offset of the MAC-layer
6801 * payload. Add to it the offset computed into the
6802 * register specified by "index", and move that into
6803 * the X register. Otherwise, just load into the X
6804 * register the offset computed into the register specified
6805 * by "index".
6806 */
6807 if (s != NULL) {
6808 sappend(s, xfer_to_a(inst));
6809 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6810 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6811 } else
6812 s = xfer_to_x(inst);
6813
6814 /*
6815 * Load the item at the sum of the offset we've put in the
6816 * X register, the offset of the start of the network
6817 * layer header from the beginning of the MAC-layer
6818 * payload, and the purported offset of the start of the
6819 * MAC-layer payload (which might be 0 if there's a
6820 * variable-length prefix before the link-layer header
6821 * or the link-layer header itself is variable-length;
6822 * the variable-length offset of the start of the
6823 * MAC-layer payload is what we put into the X register
6824 * and then added to the index).
6825 */
6826 tmp = new_stmt(BPF_LD|BPF_IND|size);
6827 tmp->s.k = off_macpl + off_nl;
6828 sappend(s, tmp);
6829 sappend(inst->s, s);
6830
6831 /*
6832 * Do the computation only if the packet contains
6833 * the protocol in question.
6834 */
6835 b = gen_proto_abbrev(proto);
6836 if (inst->b)
6837 gen_and(inst->b, b);
6838 inst->b = b;
6839 break;
6840
6841 case Q_SCTP:
6842 case Q_TCP:
6843 case Q_UDP:
6844 case Q_ICMP:
6845 case Q_IGMP:
6846 case Q_IGRP:
6847 case Q_PIM:
6848 case Q_VRRP:
6849 case Q_CARP:
6850 /*
6851 * The offset is relative to the beginning of
6852 * the transport-layer header.
6853 *
6854 * Load the X register with the length of the IPv4 header
6855 * (plus the offset of the link-layer header, if it's
6856 * a variable-length header), in bytes.
6857 *
6858 * XXX - are there any cases where we want
6859 * off_nl_nosnap?
6860 * XXX - we should, if we're built with
6861 * IPv6 support, generate code to load either
6862 * IPv4, IPv6, or both, as appropriate.
6863 */
6864 s = gen_loadx_iphdrlen();
6865
6866 /*
6867 * The X register now contains the sum of the length
6868 * of any variable-length header preceding the link-layer
6869 * header, any variable-length link-layer header, and the
6870 * length of the network-layer header.
6871 *
6872 * Load into the A register the offset relative to
6873 * the beginning of the transport layer header,
6874 * add the X register to that, move that to the
6875 * X register, and load with an offset from the
6876 * X register equal to the offset of the network
6877 * layer header relative to the beginning of
6878 * the MAC-layer payload plus the fixed-length
6879 * portion of the offset of the MAC-layer payload
6880 * from the beginning of the raw packet data.
6881 */
6882 sappend(s, xfer_to_a(inst));
6883 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6884 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6885 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6886 tmp->s.k = off_macpl + off_nl;
6887 sappend(inst->s, s);
6888
6889 /*
6890 * Do the computation only if the packet contains
6891 * the protocol in question - which is true only
6892 * if this is an IP datagram and is the first or
6893 * only fragment of that datagram.
6894 */
6895 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6896 if (inst->b)
6897 gen_and(inst->b, b);
6898#ifdef INET6
6899 gen_and(gen_proto_abbrev(Q_IP), b);
6900#endif
6901 inst->b = b;
6902 break;
6903#ifdef INET6
6904 case Q_ICMPV6:
6905 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6906 /*NOTREACHED*/
6907#endif
6908 }
6909 inst->regno = regno;
6910 s = new_stmt(BPF_ST);
6911 s->s.k = regno;
6912 sappend(inst->s, s);
6913
6914 return inst;
6915}
6916
6917struct block *
6918gen_relation(code, a0, a1, reversed)
6919 int code;
6920 struct arth *a0, *a1;
6921 int reversed;
6922{
6923 struct slist *s0, *s1, *s2;
6924 struct block *b, *tmp;
6925
6926 s0 = xfer_to_x(a1);
6927 s1 = xfer_to_a(a0);
6928 if (code == BPF_JEQ) {
6929 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6930 b = new_block(JMP(code));
6931 sappend(s1, s2);
6932 }
6933 else
6934 b = new_block(BPF_JMP|code|BPF_X);
6935 if (reversed)
6936 gen_not(b);
6937
6938 sappend(s0, s1);
6939 sappend(a1->s, s0);
6940 sappend(a0->s, a1->s);
6941
6942 b->stmts = a0->s;
6943
6944 free_reg(a0->regno);
6945 free_reg(a1->regno);
6946
6947 /* 'and' together protocol checks */
6948 if (a0->b) {
6949 if (a1->b) {
6950 gen_and(a0->b, tmp = a1->b);
6951 }
6952 else
6953 tmp = a0->b;
6954 } else
6955 tmp = a1->b;
6956
6957 if (tmp)
6958 gen_and(tmp, b);
6959
6960 return b;
6961}
6962
6963struct arth *
6964gen_loadlen()
6965{
6966 int regno = alloc_reg();
6967 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6968 struct slist *s;
6969
6970 s = new_stmt(BPF_LD|BPF_LEN);
6971 s->next = new_stmt(BPF_ST);
6972 s->next->s.k = regno;
6973 a->s = s;
6974 a->regno = regno;
6975
6976 return a;
6977}
6978
6979struct arth *
6980gen_loadi(val)
6981 int val;
6982{
6983 struct arth *a;
6984 struct slist *s;
6985 int reg;
6986
6987 a = (struct arth *)newchunk(sizeof(*a));
6988
6989 reg = alloc_reg();
6990
6991 s = new_stmt(BPF_LD|BPF_IMM);
6992 s->s.k = val;
6993 s->next = new_stmt(BPF_ST);
6994 s->next->s.k = reg;
6995 a->s = s;
6996 a->regno = reg;
6997
6998 return a;
6999}
7000
7001struct arth *
7002gen_neg(a)
7003 struct arth *a;
7004{
7005 struct slist *s;
7006
7007 s = xfer_to_a(a);
7008 sappend(a->s, s);
7009 s = new_stmt(BPF_ALU|BPF_NEG);
7010 s->s.k = 0;
7011 sappend(a->s, s);
7012 s = new_stmt(BPF_ST);
7013 s->s.k = a->regno;
7014 sappend(a->s, s);
7015
7016 return a;
7017}
7018
7019struct arth *
7020gen_arth(code, a0, a1)
7021 int code;
7022 struct arth *a0, *a1;
7023{
7024 struct slist *s0, *s1, *s2;
7025
7026 s0 = xfer_to_x(a1);
7027 s1 = xfer_to_a(a0);
7028 s2 = new_stmt(BPF_ALU|BPF_X|code);
7029
7030 sappend(s1, s2);
7031 sappend(s0, s1);
7032 sappend(a1->s, s0);
7033 sappend(a0->s, a1->s);
7034
7035 free_reg(a0->regno);
7036 free_reg(a1->regno);
7037
7038 s0 = new_stmt(BPF_ST);
7039 a0->regno = s0->s.k = alloc_reg();
7040 sappend(a0->s, s0);
7041
7042 return a0;
7043}
7044
7045/*
7046 * Here we handle simple allocation of the scratch registers.
7047 * If too many registers are alloc'd, the allocator punts.
7048 */
7049static int regused[BPF_MEMWORDS];
7050static int curreg;
7051
7052/*
7053 * Initialize the table of used registers and the current register.
7054 */
7055static void
7056init_regs()
7057{
7058 curreg = 0;
7059 memset(regused, 0, sizeof regused);
7060}
7061
7062/*
7063 * Return the next free register.
7064 */
7065static int
7066alloc_reg()
7067{
7068 int n = BPF_MEMWORDS;
7069
7070 while (--n >= 0) {
7071 if (regused[curreg])
7072 curreg = (curreg + 1) % BPF_MEMWORDS;
7073 else {
7074 regused[curreg] = 1;
7075 return curreg;
7076 }
7077 }
7078 bpf_error("too many registers needed to evaluate expression");
7079 /* NOTREACHED */
7080 return 0;
7081}
7082
7083/*
7084 * Return a register to the table so it can
7085 * be used later.
7086 */
7087static void
7088free_reg(n)
7089 int n;
7090{
7091 regused[n] = 0;
7092}
7093
7094static struct block *
7095gen_len(jmp, n)
7096 int jmp, n;
7097{
7098 struct slist *s;
7099 struct block *b;
7100
7101 s = new_stmt(BPF_LD|BPF_LEN);
7102 b = new_block(JMP(jmp));
7103 b->stmts = s;
7104 b->s.k = n;
7105
7106 return b;
7107}
7108
7109struct block *
7110gen_greater(n)
7111 int n;
7112{
7113 return gen_len(BPF_JGE, n);
7114}
7115
7116/*
7117 * Actually, this is less than or equal.
7118 */
7119struct block *
7120gen_less(n)
7121 int n;
7122{
7123 struct block *b;
7124
7125 b = gen_len(BPF_JGT, n);
7126 gen_not(b);
7127
7128 return b;
7129}
7130
7131/*
7132 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7133 * the beginning of the link-layer header.
7134 * XXX - that means you can't test values in the radiotap header, but
7135 * as that header is difficult if not impossible to parse generally
7136 * without a loop, that might not be a severe problem. A new keyword
7137 * "radio" could be added for that, although what you'd really want
7138 * would be a way of testing particular radio header values, which
7139 * would generate code appropriate to the radio header in question.
7140 */
7141struct block *
7142gen_byteop(op, idx, val)
7143 int op, idx, val;
7144{
7145 struct block *b;
7146 struct slist *s;
7147
7148 switch (op) {
7149 default:
7150 abort();
7151
7152 case '=':
7153 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7154
7155 case '<':
7156 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7157 return b;
7158
7159 case '>':
7160 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7161 return b;
7162
7163 case '|':
7164 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7165 break;
7166
7167 case '&':
7168 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7169 break;
7170 }
7171 s->s.k = val;
7172 b = new_block(JMP(BPF_JEQ));
7173 b->stmts = s;
7174 gen_not(b);
7175
7176 return b;
7177}
7178
7179static u_char abroadcast[] = { 0x0 };
7180
7181struct block *
7182gen_broadcast(proto)
7183 int proto;
7184{
7185 bpf_u_int32 hostmask;
7186 struct block *b0, *b1, *b2;
7187 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7188
7189 switch (proto) {
7190
7191 case Q_DEFAULT:
7192 case Q_LINK:
7193 switch (linktype) {
7194 case DLT_ARCNET:
7195 case DLT_ARCNET_LINUX:
7196 return gen_ahostop(abroadcast, Q_DST);
7197 case DLT_EN10MB:
7198 case DLT_NETANALYZER:
7199 case DLT_NETANALYZER_TRANSPARENT:
7200 return gen_ehostop(ebroadcast, Q_DST);
7201 case DLT_FDDI:
7202 return gen_fhostop(ebroadcast, Q_DST);
7203 case DLT_IEEE802:
7204 return gen_thostop(ebroadcast, Q_DST);
7205 case DLT_IEEE802_11:
7206 case DLT_PRISM_HEADER:
7207 case DLT_IEEE802_11_RADIO_AVS:
7208 case DLT_IEEE802_11_RADIO:
7209 case DLT_PPI:
7210 return gen_wlanhostop(ebroadcast, Q_DST);
7211 case DLT_IP_OVER_FC:
7212 return gen_ipfchostop(ebroadcast, Q_DST);
7213 case DLT_SUNATM:
7214 if (is_lane) {
7215 /*
7216 * Check that the packet doesn't begin with an
7217 * LE Control marker. (We've already generated
7218 * a test for LANE.)
7219 */
7220 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7221 BPF_H, 0xFF00);
7222 gen_not(b1);
7223
7224 /*
7225 * Now check the MAC address.
7226 */
7227 b0 = gen_ehostop(ebroadcast, Q_DST);
7228 gen_and(b1, b0);
7229 return b0;
7230 }
7231 break;
7232 default:
7233 bpf_error("not a broadcast link");
7234 }
7235 break;
7236
7237 case Q_IP:
7238 /*
7239 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7240 * as an indication that we don't know the netmask, and fail
7241 * in that case.
7242 */
7243 if (netmask == PCAP_NETMASK_UNKNOWN)
7244 bpf_error("netmask not known, so 'ip broadcast' not supported");
7245 b0 = gen_linktype(ETHERTYPE_IP);
7246 hostmask = ~netmask;
7247 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7248 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7249 (bpf_int32)(~0 & hostmask), hostmask);
7250 gen_or(b1, b2);
7251 gen_and(b0, b2);
7252 return b2;
7253 }
7254 bpf_error("only link-layer/IP broadcast filters supported");
7255 /* NOTREACHED */
7256 return NULL;
7257}
7258
7259/*
7260 * Generate code to test the low-order bit of a MAC address (that's
7261 * the bottom bit of the *first* byte).
7262 */
7263static struct block *
7264gen_mac_multicast(offset)
7265 int offset;
7266{
7267 register struct block *b0;
7268 register struct slist *s;
7269
7270 /* link[offset] & 1 != 0 */
7271 s = gen_load_a(OR_LINK, offset, BPF_B);
7272 b0 = new_block(JMP(BPF_JSET));
7273 b0->s.k = 1;
7274 b0->stmts = s;
7275 return b0;
7276}
7277
7278struct block *
7279gen_multicast(proto)
7280 int proto;
7281{
7282 register struct block *b0, *b1, *b2;
7283 register struct slist *s;
7284
7285 switch (proto) {
7286
7287 case Q_DEFAULT:
7288 case Q_LINK:
7289 switch (linktype) {
7290 case DLT_ARCNET:
7291 case DLT_ARCNET_LINUX:
7292 /* all ARCnet multicasts use the same address */
7293 return gen_ahostop(abroadcast, Q_DST);
7294 case DLT_EN10MB:
7295 case DLT_NETANALYZER:
7296 case DLT_NETANALYZER_TRANSPARENT:
7297 /* ether[0] & 1 != 0 */
7298 return gen_mac_multicast(0);
7299 case DLT_FDDI:
7300 /*
7301 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7302 *
7303 * XXX - was that referring to bit-order issues?
7304 */
7305 /* fddi[1] & 1 != 0 */
7306 return gen_mac_multicast(1);
7307 case DLT_IEEE802:
7308 /* tr[2] & 1 != 0 */
7309 return gen_mac_multicast(2);
7310 case DLT_IEEE802_11:
7311 case DLT_PRISM_HEADER:
7312 case DLT_IEEE802_11_RADIO_AVS:
7313 case DLT_IEEE802_11_RADIO:
7314 case DLT_PPI:
7315 /*
7316 * Oh, yuk.
7317 *
7318 * For control frames, there is no DA.
7319 *
7320 * For management frames, DA is at an
7321 * offset of 4 from the beginning of
7322 * the packet.
7323 *
7324 * For data frames, DA is at an offset
7325 * of 4 from the beginning of the packet
7326 * if To DS is clear and at an offset of
7327 * 16 from the beginning of the packet
7328 * if To DS is set.
7329 */
7330
7331 /*
7332 * Generate the tests to be done for data frames.
7333 *
7334 * First, check for To DS set, i.e. "link[1] & 0x01".
7335 */
7336 s = gen_load_a(OR_LINK, 1, BPF_B);
7337 b1 = new_block(JMP(BPF_JSET));
7338 b1->s.k = 0x01; /* To DS */
7339 b1->stmts = s;
7340
7341 /*
7342 * If To DS is set, the DA is at 16.
7343 */
7344 b0 = gen_mac_multicast(16);
7345 gen_and(b1, b0);
7346
7347 /*
7348 * Now, check for To DS not set, i.e. check
7349 * "!(link[1] & 0x01)".
7350 */
7351 s = gen_load_a(OR_LINK, 1, BPF_B);
7352 b2 = new_block(JMP(BPF_JSET));
7353 b2->s.k = 0x01; /* To DS */
7354 b2->stmts = s;
7355 gen_not(b2);
7356
7357 /*
7358 * If To DS is not set, the DA is at 4.
7359 */
7360 b1 = gen_mac_multicast(4);
7361 gen_and(b2, b1);
7362
7363 /*
7364 * Now OR together the last two checks. That gives
7365 * the complete set of checks for data frames.
7366 */
7367 gen_or(b1, b0);
7368
7369 /*
7370 * Now check for a data frame.
7371 * I.e, check "link[0] & 0x08".
7372 */
7373 s = gen_load_a(OR_LINK, 0, BPF_B);
7374 b1 = new_block(JMP(BPF_JSET));
7375 b1->s.k = 0x08;
7376 b1->stmts = s;
7377
7378 /*
7379 * AND that with the checks done for data frames.
7380 */
7381 gen_and(b1, b0);
7382
7383 /*
7384 * If the high-order bit of the type value is 0, this
7385 * is a management frame.
7386 * I.e, check "!(link[0] & 0x08)".
7387 */
7388 s = gen_load_a(OR_LINK, 0, BPF_B);
7389 b2 = new_block(JMP(BPF_JSET));
7390 b2->s.k = 0x08;
7391 b2->stmts = s;
7392 gen_not(b2);
7393
7394 /*
7395 * For management frames, the DA is at 4.
7396 */
7397 b1 = gen_mac_multicast(4);
7398 gen_and(b2, b1);
7399
7400 /*
7401 * OR that with the checks done for data frames.
7402 * That gives the checks done for management and
7403 * data frames.
7404 */
7405 gen_or(b1, b0);
7406
7407 /*
7408 * If the low-order bit of the type value is 1,
7409 * this is either a control frame or a frame
7410 * with a reserved type, and thus not a
7411 * frame with an SA.
7412 *
7413 * I.e., check "!(link[0] & 0x04)".
7414 */
7415 s = gen_load_a(OR_LINK, 0, BPF_B);
7416 b1 = new_block(JMP(BPF_JSET));
7417 b1->s.k = 0x04;
7418 b1->stmts = s;
7419 gen_not(b1);
7420
7421 /*
7422 * AND that with the checks for data and management
7423 * frames.
7424 */
7425 gen_and(b1, b0);
7426 return b0;
7427 case DLT_IP_OVER_FC:
7428 b0 = gen_mac_multicast(2);
7429 return b0;
7430 case DLT_SUNATM:
7431 if (is_lane) {
7432 /*
7433 * Check that the packet doesn't begin with an
7434 * LE Control marker. (We've already generated
7435 * a test for LANE.)
7436 */
7437 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7438 BPF_H, 0xFF00);
7439 gen_not(b1);
7440
7441 /* ether[off_mac] & 1 != 0 */
7442 b0 = gen_mac_multicast(off_mac);
7443 gen_and(b1, b0);
7444 return b0;
7445 }
7446 break;
7447 default:
7448 break;
7449 }
7450 /* Link not known to support multicasts */
7451 break;
7452
7453 case Q_IP:
7454 b0 = gen_linktype(ETHERTYPE_IP);
7455 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7456 gen_and(b0, b1);
7457 return b1;
7458
7459#ifdef INET6
7460 case Q_IPV6:
7461 b0 = gen_linktype(ETHERTYPE_IPV6);
7462 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7463 gen_and(b0, b1);
7464 return b1;
7465#endif /* INET6 */
7466 }
7467 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7468 /* NOTREACHED */
7469 return NULL;
7470}
7471
7472/*
| 6007#else
6008 b1 = gen_protochain(v, Q_IPV6);
6009#endif
6010 gen_and(b0, b1);
6011 return b1;
6012
6013 case Q_ICMPV6:
6014 bpf_error("'icmp6 proto' is bogus");
6015#endif /* INET6 */
6016
6017 case Q_AH:
6018 bpf_error("'ah proto' is bogus");
6019
6020 case Q_ESP:
6021 bpf_error("'ah proto' is bogus");
6022
6023 case Q_STP:
6024 bpf_error("'stp proto' is bogus");
6025
6026 case Q_IPX:
6027 bpf_error("'ipx proto' is bogus");
6028
6029 case Q_NETBEUI:
6030 bpf_error("'netbeui proto' is bogus");
6031
6032 case Q_RADIO:
6033 bpf_error("'radio proto' is bogus");
6034
6035 default:
6036 abort();
6037 /* NOTREACHED */
6038 }
6039 /* NOTREACHED */
6040}
6041
6042struct block *
6043gen_scode(name, q)
6044 register const char *name;
6045 struct qual q;
6046{
6047 int proto = q.proto;
6048 int dir = q.dir;
6049 int tproto;
6050 u_char *eaddr;
6051 bpf_u_int32 mask, addr;
6052#ifndef INET6
6053 bpf_u_int32 **alist;
6054#else
6055 int tproto6;
6056 struct sockaddr_in *sin4;
6057 struct sockaddr_in6 *sin6;
6058 struct addrinfo *res, *res0;
6059 struct in6_addr mask128;
6060#endif /*INET6*/
6061 struct block *b, *tmp;
6062 int port, real_proto;
6063 int port1, port2;
6064
6065 switch (q.addr) {
6066
6067 case Q_NET:
6068 addr = pcap_nametonetaddr(name);
6069 if (addr == 0)
6070 bpf_error("unknown network '%s'", name);
6071 /* Left justify network addr and calculate its network mask */
6072 mask = 0xffffffff;
6073 while (addr && (addr & 0xff000000) == 0) {
6074 addr <<= 8;
6075 mask <<= 8;
6076 }
6077 return gen_host(addr, mask, proto, dir, q.addr);
6078
6079 case Q_DEFAULT:
6080 case Q_HOST:
6081 if (proto == Q_LINK) {
6082 switch (linktype) {
6083
6084 case DLT_EN10MB:
6085 case DLT_NETANALYZER:
6086 case DLT_NETANALYZER_TRANSPARENT:
6087 eaddr = pcap_ether_hostton(name);
6088 if (eaddr == NULL)
6089 bpf_error(
6090 "unknown ether host '%s'", name);
6091 b = gen_ehostop(eaddr, dir);
6092 free(eaddr);
6093 return b;
6094
6095 case DLT_FDDI:
6096 eaddr = pcap_ether_hostton(name);
6097 if (eaddr == NULL)
6098 bpf_error(
6099 "unknown FDDI host '%s'", name);
6100 b = gen_fhostop(eaddr, dir);
6101 free(eaddr);
6102 return b;
6103
6104 case DLT_IEEE802:
6105 eaddr = pcap_ether_hostton(name);
6106 if (eaddr == NULL)
6107 bpf_error(
6108 "unknown token ring host '%s'", name);
6109 b = gen_thostop(eaddr, dir);
6110 free(eaddr);
6111 return b;
6112
6113 case DLT_IEEE802_11:
6114 case DLT_PRISM_HEADER:
6115 case DLT_IEEE802_11_RADIO_AVS:
6116 case DLT_IEEE802_11_RADIO:
6117 case DLT_PPI:
6118 eaddr = pcap_ether_hostton(name);
6119 if (eaddr == NULL)
6120 bpf_error(
6121 "unknown 802.11 host '%s'", name);
6122 b = gen_wlanhostop(eaddr, dir);
6123 free(eaddr);
6124 return b;
6125
6126 case DLT_IP_OVER_FC:
6127 eaddr = pcap_ether_hostton(name);
6128 if (eaddr == NULL)
6129 bpf_error(
6130 "unknown Fibre Channel host '%s'", name);
6131 b = gen_ipfchostop(eaddr, dir);
6132 free(eaddr);
6133 return b;
6134
6135 case DLT_SUNATM:
6136 if (!is_lane)
6137 break;
6138
6139 /*
6140 * Check that the packet doesn't begin
6141 * with an LE Control marker. (We've
6142 * already generated a test for LANE.)
6143 */
6144 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6145 BPF_H, 0xFF00);
6146 gen_not(tmp);
6147
6148 eaddr = pcap_ether_hostton(name);
6149 if (eaddr == NULL)
6150 bpf_error(
6151 "unknown ether host '%s'", name);
6152 b = gen_ehostop(eaddr, dir);
6153 gen_and(tmp, b);
6154 free(eaddr);
6155 return b;
6156 }
6157
6158 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6159 } else if (proto == Q_DECNET) {
6160 unsigned short dn_addr = __pcap_nametodnaddr(name);
6161 /*
6162 * I don't think DECNET hosts can be multihomed, so
6163 * there is no need to build up a list of addresses
6164 */
6165 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6166 } else {
6167#ifndef INET6
6168 alist = pcap_nametoaddr(name);
6169 if (alist == NULL || *alist == NULL)
6170 bpf_error("unknown host '%s'", name);
6171 tproto = proto;
6172 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6173 tproto = Q_IP;
6174 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6175 while (*alist) {
6176 tmp = gen_host(**alist++, 0xffffffff,
6177 tproto, dir, q.addr);
6178 gen_or(b, tmp);
6179 b = tmp;
6180 }
6181 return b;
6182#else
6183 memset(&mask128, 0xff, sizeof(mask128));
6184 res0 = res = pcap_nametoaddrinfo(name);
6185 if (res == NULL)
6186 bpf_error("unknown host '%s'", name);
6187 ai = res;
6188 b = tmp = NULL;
6189 tproto = tproto6 = proto;
6190 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6191 tproto = Q_IP;
6192 tproto6 = Q_IPV6;
6193 }
6194 for (res = res0; res; res = res->ai_next) {
6195 switch (res->ai_family) {
6196 case AF_INET:
6197 if (tproto == Q_IPV6)
6198 continue;
6199
6200 sin4 = (struct sockaddr_in *)
6201 res->ai_addr;
6202 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6203 0xffffffff, tproto, dir, q.addr);
6204 break;
6205 case AF_INET6:
6206 if (tproto6 == Q_IP)
6207 continue;
6208
6209 sin6 = (struct sockaddr_in6 *)
6210 res->ai_addr;
6211 tmp = gen_host6(&sin6->sin6_addr,
6212 &mask128, tproto6, dir, q.addr);
6213 break;
6214 default:
6215 continue;
6216 }
6217 if (b)
6218 gen_or(b, tmp);
6219 b = tmp;
6220 }
6221 ai = NULL;
6222 freeaddrinfo(res0);
6223 if (b == NULL) {
6224 bpf_error("unknown host '%s'%s", name,
6225 (proto == Q_DEFAULT)
6226 ? ""
6227 : " for specified address family");
6228 }
6229 return b;
6230#endif /*INET6*/
6231 }
6232
6233 case Q_PORT:
6234 if (proto != Q_DEFAULT &&
6235 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6236 bpf_error("illegal qualifier of 'port'");
6237 if (pcap_nametoport(name, &port, &real_proto) == 0)
6238 bpf_error("unknown port '%s'", name);
6239 if (proto == Q_UDP) {
6240 if (real_proto == IPPROTO_TCP)
6241 bpf_error("port '%s' is tcp", name);
6242 else if (real_proto == IPPROTO_SCTP)
6243 bpf_error("port '%s' is sctp", name);
6244 else
6245 /* override PROTO_UNDEF */
6246 real_proto = IPPROTO_UDP;
6247 }
6248 if (proto == Q_TCP) {
6249 if (real_proto == IPPROTO_UDP)
6250 bpf_error("port '%s' is udp", name);
6251
6252 else if (real_proto == IPPROTO_SCTP)
6253 bpf_error("port '%s' is sctp", name);
6254 else
6255 /* override PROTO_UNDEF */
6256 real_proto = IPPROTO_TCP;
6257 }
6258 if (proto == Q_SCTP) {
6259 if (real_proto == IPPROTO_UDP)
6260 bpf_error("port '%s' is udp", name);
6261
6262 else if (real_proto == IPPROTO_TCP)
6263 bpf_error("port '%s' is tcp", name);
6264 else
6265 /* override PROTO_UNDEF */
6266 real_proto = IPPROTO_SCTP;
6267 }
6268 if (port < 0)
6269 bpf_error("illegal port number %d < 0", port);
6270 if (port > 65535)
6271 bpf_error("illegal port number %d > 65535", port);
6272#ifndef INET6
6273 return gen_port(port, real_proto, dir);
6274#else
6275 b = gen_port(port, real_proto, dir);
6276 gen_or(gen_port6(port, real_proto, dir), b);
6277 return b;
6278#endif /* INET6 */
6279
6280 case Q_PORTRANGE:
6281 if (proto != Q_DEFAULT &&
6282 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6283 bpf_error("illegal qualifier of 'portrange'");
6284 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6285 bpf_error("unknown port in range '%s'", name);
6286 if (proto == Q_UDP) {
6287 if (real_proto == IPPROTO_TCP)
6288 bpf_error("port in range '%s' is tcp", name);
6289 else if (real_proto == IPPROTO_SCTP)
6290 bpf_error("port in range '%s' is sctp", name);
6291 else
6292 /* override PROTO_UNDEF */
6293 real_proto = IPPROTO_UDP;
6294 }
6295 if (proto == Q_TCP) {
6296 if (real_proto == IPPROTO_UDP)
6297 bpf_error("port in range '%s' is udp", name);
6298 else if (real_proto == IPPROTO_SCTP)
6299 bpf_error("port in range '%s' is sctp", name);
6300 else
6301 /* override PROTO_UNDEF */
6302 real_proto = IPPROTO_TCP;
6303 }
6304 if (proto == Q_SCTP) {
6305 if (real_proto == IPPROTO_UDP)
6306 bpf_error("port in range '%s' is udp", name);
6307 else if (real_proto == IPPROTO_TCP)
6308 bpf_error("port in range '%s' is tcp", name);
6309 else
6310 /* override PROTO_UNDEF */
6311 real_proto = IPPROTO_SCTP;
6312 }
6313 if (port1 < 0)
6314 bpf_error("illegal port number %d < 0", port1);
6315 if (port1 > 65535)
6316 bpf_error("illegal port number %d > 65535", port1);
6317 if (port2 < 0)
6318 bpf_error("illegal port number %d < 0", port2);
6319 if (port2 > 65535)
6320 bpf_error("illegal port number %d > 65535", port2);
6321
6322#ifndef INET6
6323 return gen_portrange(port1, port2, real_proto, dir);
6324#else
6325 b = gen_portrange(port1, port2, real_proto, dir);
6326 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6327 return b;
6328#endif /* INET6 */
6329
6330 case Q_GATEWAY:
6331#ifndef INET6
6332 eaddr = pcap_ether_hostton(name);
6333 if (eaddr == NULL)
6334 bpf_error("unknown ether host: %s", name);
6335
6336 alist = pcap_nametoaddr(name);
6337 if (alist == NULL || *alist == NULL)
6338 bpf_error("unknown host '%s'", name);
6339 b = gen_gateway(eaddr, alist, proto, dir);
6340 free(eaddr);
6341 return b;
6342#else
6343 bpf_error("'gateway' not supported in this configuration");
6344#endif /*INET6*/
6345
6346 case Q_PROTO:
6347 real_proto = lookup_proto(name, proto);
6348 if (real_proto >= 0)
6349 return gen_proto(real_proto, proto, dir);
6350 else
6351 bpf_error("unknown protocol: %s", name);
6352
6353 case Q_PROTOCHAIN:
6354 real_proto = lookup_proto(name, proto);
6355 if (real_proto >= 0)
6356 return gen_protochain(real_proto, proto, dir);
6357 else
6358 bpf_error("unknown protocol: %s", name);
6359
6360 case Q_UNDEF:
6361 syntax();
6362 /* NOTREACHED */
6363 }
6364 abort();
6365 /* NOTREACHED */
6366}
6367
6368struct block *
6369gen_mcode(s1, s2, masklen, q)
6370 register const char *s1, *s2;
6371 register int masklen;
6372 struct qual q;
6373{
6374 register int nlen, mlen;
6375 bpf_u_int32 n, m;
6376
6377 nlen = __pcap_atoin(s1, &n);
6378 /* Promote short ipaddr */
6379 n <<= 32 - nlen;
6380
6381 if (s2 != NULL) {
6382 mlen = __pcap_atoin(s2, &m);
6383 /* Promote short ipaddr */
6384 m <<= 32 - mlen;
6385 if ((n & ~m) != 0)
6386 bpf_error("non-network bits set in \"%s mask %s\"",
6387 s1, s2);
6388 } else {
6389 /* Convert mask len to mask */
6390 if (masklen > 32)
6391 bpf_error("mask length must be <= 32");
6392 if (masklen == 0) {
6393 /*
6394 * X << 32 is not guaranteed by C to be 0; it's
6395 * undefined.
6396 */
6397 m = 0;
6398 } else
6399 m = 0xffffffff << (32 - masklen);
6400 if ((n & ~m) != 0)
6401 bpf_error("non-network bits set in \"%s/%d\"",
6402 s1, masklen);
6403 }
6404
6405 switch (q.addr) {
6406
6407 case Q_NET:
6408 return gen_host(n, m, q.proto, q.dir, q.addr);
6409
6410 default:
6411 bpf_error("Mask syntax for networks only");
6412 /* NOTREACHED */
6413 }
6414 /* NOTREACHED */
6415 return NULL;
6416}
6417
6418struct block *
6419gen_ncode(s, v, q)
6420 register const char *s;
6421 bpf_u_int32 v;
6422 struct qual q;
6423{
6424 bpf_u_int32 mask;
6425 int proto = q.proto;
6426 int dir = q.dir;
6427 register int vlen;
6428
6429 if (s == NULL)
6430 vlen = 32;
6431 else if (q.proto == Q_DECNET)
6432 vlen = __pcap_atodn(s, &v);
6433 else
6434 vlen = __pcap_atoin(s, &v);
6435
6436 switch (q.addr) {
6437
6438 case Q_DEFAULT:
6439 case Q_HOST:
6440 case Q_NET:
6441 if (proto == Q_DECNET)
6442 return gen_host(v, 0, proto, dir, q.addr);
6443 else if (proto == Q_LINK) {
6444 bpf_error("illegal link layer address");
6445 } else {
6446 mask = 0xffffffff;
6447 if (s == NULL && q.addr == Q_NET) {
6448 /* Promote short net number */
6449 while (v && (v & 0xff000000) == 0) {
6450 v <<= 8;
6451 mask <<= 8;
6452 }
6453 } else {
6454 /* Promote short ipaddr */
6455 v <<= 32 - vlen;
6456 mask <<= 32 - vlen;
6457 }
6458 return gen_host(v, mask, proto, dir, q.addr);
6459 }
6460
6461 case Q_PORT:
6462 if (proto == Q_UDP)
6463 proto = IPPROTO_UDP;
6464 else if (proto == Q_TCP)
6465 proto = IPPROTO_TCP;
6466 else if (proto == Q_SCTP)
6467 proto = IPPROTO_SCTP;
6468 else if (proto == Q_DEFAULT)
6469 proto = PROTO_UNDEF;
6470 else
6471 bpf_error("illegal qualifier of 'port'");
6472
6473 if (v > 65535)
6474 bpf_error("illegal port number %u > 65535", v);
6475
6476#ifndef INET6
6477 return gen_port((int)v, proto, dir);
6478#else
6479 {
6480 struct block *b;
6481 b = gen_port((int)v, proto, dir);
6482 gen_or(gen_port6((int)v, proto, dir), b);
6483 return b;
6484 }
6485#endif /* INET6 */
6486
6487 case Q_PORTRANGE:
6488 if (proto == Q_UDP)
6489 proto = IPPROTO_UDP;
6490 else if (proto == Q_TCP)
6491 proto = IPPROTO_TCP;
6492 else if (proto == Q_SCTP)
6493 proto = IPPROTO_SCTP;
6494 else if (proto == Q_DEFAULT)
6495 proto = PROTO_UNDEF;
6496 else
6497 bpf_error("illegal qualifier of 'portrange'");
6498
6499 if (v > 65535)
6500 bpf_error("illegal port number %u > 65535", v);
6501
6502#ifndef INET6
6503 return gen_portrange((int)v, (int)v, proto, dir);
6504#else
6505 {
6506 struct block *b;
6507 b = gen_portrange((int)v, (int)v, proto, dir);
6508 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6509 return b;
6510 }
6511#endif /* INET6 */
6512
6513 case Q_GATEWAY:
6514 bpf_error("'gateway' requires a name");
6515 /* NOTREACHED */
6516
6517 case Q_PROTO:
6518 return gen_proto((int)v, proto, dir);
6519
6520 case Q_PROTOCHAIN:
6521 return gen_protochain((int)v, proto, dir);
6522
6523 case Q_UNDEF:
6524 syntax();
6525 /* NOTREACHED */
6526
6527 default:
6528 abort();
6529 /* NOTREACHED */
6530 }
6531 /* NOTREACHED */
6532}
6533
6534#ifdef INET6
6535struct block *
6536gen_mcode6(s1, s2, masklen, q)
6537 register const char *s1, *s2;
6538 register int masklen;
6539 struct qual q;
6540{
6541 struct addrinfo *res;
6542 struct in6_addr *addr;
6543 struct in6_addr mask;
6544 struct block *b;
6545 u_int32_t *a, *m;
6546
6547 if (s2)
6548 bpf_error("no mask %s supported", s2);
6549
6550 res = pcap_nametoaddrinfo(s1);
6551 if (!res)
6552 bpf_error("invalid ip6 address %s", s1);
6553 ai = res;
6554 if (res->ai_next)
6555 bpf_error("%s resolved to multiple address", s1);
6556 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6557
6558 if (sizeof(mask) * 8 < masklen)
6559 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6560 memset(&mask, 0, sizeof(mask));
6561 memset(&mask, 0xff, masklen / 8);
6562 if (masklen % 8) {
6563 mask.s6_addr[masklen / 8] =
6564 (0xff << (8 - masklen % 8)) & 0xff;
6565 }
6566
6567 a = (u_int32_t *)addr;
6568 m = (u_int32_t *)&mask;
6569 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6570 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6571 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6572 }
6573
6574 switch (q.addr) {
6575
6576 case Q_DEFAULT:
6577 case Q_HOST:
6578 if (masklen != 128)
6579 bpf_error("Mask syntax for networks only");
6580 /* FALLTHROUGH */
6581
6582 case Q_NET:
6583 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6584 ai = NULL;
6585 freeaddrinfo(res);
6586 return b;
6587
6588 default:
6589 bpf_error("invalid qualifier against IPv6 address");
6590 /* NOTREACHED */
6591 }
6592 return NULL;
6593}
6594#endif /*INET6*/
6595
6596struct block *
6597gen_ecode(eaddr, q)
6598 register const u_char *eaddr;
6599 struct qual q;
6600{
6601 struct block *b, *tmp;
6602
6603 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6604 switch (linktype) {
6605 case DLT_EN10MB:
6606 case DLT_NETANALYZER:
6607 case DLT_NETANALYZER_TRANSPARENT:
6608 return gen_ehostop(eaddr, (int)q.dir);
6609 case DLT_FDDI:
6610 return gen_fhostop(eaddr, (int)q.dir);
6611 case DLT_IEEE802:
6612 return gen_thostop(eaddr, (int)q.dir);
6613 case DLT_IEEE802_11:
6614 case DLT_PRISM_HEADER:
6615 case DLT_IEEE802_11_RADIO_AVS:
6616 case DLT_IEEE802_11_RADIO:
6617 case DLT_PPI:
6618 return gen_wlanhostop(eaddr, (int)q.dir);
6619 case DLT_SUNATM:
6620 if (is_lane) {
6621 /*
6622 * Check that the packet doesn't begin with an
6623 * LE Control marker. (We've already generated
6624 * a test for LANE.)
6625 */
6626 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6627 0xFF00);
6628 gen_not(tmp);
6629
6630 /*
6631 * Now check the MAC address.
6632 */
6633 b = gen_ehostop(eaddr, (int)q.dir);
6634 gen_and(tmp, b);
6635 return b;
6636 }
6637 break;
6638 case DLT_IP_OVER_FC:
6639 return gen_ipfchostop(eaddr, (int)q.dir);
6640 default:
6641 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6642 break;
6643 }
6644 }
6645 bpf_error("ethernet address used in non-ether expression");
6646 /* NOTREACHED */
6647 return NULL;
6648}
6649
6650void
6651sappend(s0, s1)
6652 struct slist *s0, *s1;
6653{
6654 /*
6655 * This is definitely not the best way to do this, but the
6656 * lists will rarely get long.
6657 */
6658 while (s0->next)
6659 s0 = s0->next;
6660 s0->next = s1;
6661}
6662
6663static struct slist *
6664xfer_to_x(a)
6665 struct arth *a;
6666{
6667 struct slist *s;
6668
6669 s = new_stmt(BPF_LDX|BPF_MEM);
6670 s->s.k = a->regno;
6671 return s;
6672}
6673
6674static struct slist *
6675xfer_to_a(a)
6676 struct arth *a;
6677{
6678 struct slist *s;
6679
6680 s = new_stmt(BPF_LD|BPF_MEM);
6681 s->s.k = a->regno;
6682 return s;
6683}
6684
6685/*
6686 * Modify "index" to use the value stored into its register as an
6687 * offset relative to the beginning of the header for the protocol
6688 * "proto", and allocate a register and put an item "size" bytes long
6689 * (1, 2, or 4) at that offset into that register, making it the register
6690 * for "index".
6691 */
6692struct arth *
6693gen_load(proto, inst, size)
6694 int proto;
6695 struct arth *inst;
6696 int size;
6697{
6698 struct slist *s, *tmp;
6699 struct block *b;
6700 int regno = alloc_reg();
6701
6702 free_reg(inst->regno);
6703 switch (size) {
6704
6705 default:
6706 bpf_error("data size must be 1, 2, or 4");
6707
6708 case 1:
6709 size = BPF_B;
6710 break;
6711
6712 case 2:
6713 size = BPF_H;
6714 break;
6715
6716 case 4:
6717 size = BPF_W;
6718 break;
6719 }
6720 switch (proto) {
6721 default:
6722 bpf_error("unsupported index operation");
6723
6724 case Q_RADIO:
6725 /*
6726 * The offset is relative to the beginning of the packet
6727 * data, if we have a radio header. (If we don't, this
6728 * is an error.)
6729 */
6730 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6731 linktype != DLT_IEEE802_11_RADIO &&
6732 linktype != DLT_PRISM_HEADER)
6733 bpf_error("radio information not present in capture");
6734
6735 /*
6736 * Load into the X register the offset computed into the
6737 * register specified by "index".
6738 */
6739 s = xfer_to_x(inst);
6740
6741 /*
6742 * Load the item at that offset.
6743 */
6744 tmp = new_stmt(BPF_LD|BPF_IND|size);
6745 sappend(s, tmp);
6746 sappend(inst->s, s);
6747 break;
6748
6749 case Q_LINK:
6750 /*
6751 * The offset is relative to the beginning of
6752 * the link-layer header.
6753 *
6754 * XXX - what about ATM LANE? Should the index be
6755 * relative to the beginning of the AAL5 frame, so
6756 * that 0 refers to the beginning of the LE Control
6757 * field, or relative to the beginning of the LAN
6758 * frame, so that 0 refers, for Ethernet LANE, to
6759 * the beginning of the destination address?
6760 */
6761 s = gen_llprefixlen();
6762
6763 /*
6764 * If "s" is non-null, it has code to arrange that the
6765 * X register contains the length of the prefix preceding
6766 * the link-layer header. Add to it the offset computed
6767 * into the register specified by "index", and move that
6768 * into the X register. Otherwise, just load into the X
6769 * register the offset computed into the register specified
6770 * by "index".
6771 */
6772 if (s != NULL) {
6773 sappend(s, xfer_to_a(inst));
6774 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6775 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6776 } else
6777 s = xfer_to_x(inst);
6778
6779 /*
6780 * Load the item at the sum of the offset we've put in the
6781 * X register and the offset of the start of the link
6782 * layer header (which is 0 if the radio header is
6783 * variable-length; that header length is what we put
6784 * into the X register and then added to the index).
6785 */
6786 tmp = new_stmt(BPF_LD|BPF_IND|size);
6787 tmp->s.k = off_ll;
6788 sappend(s, tmp);
6789 sappend(inst->s, s);
6790 break;
6791
6792 case Q_IP:
6793 case Q_ARP:
6794 case Q_RARP:
6795 case Q_ATALK:
6796 case Q_DECNET:
6797 case Q_SCA:
6798 case Q_LAT:
6799 case Q_MOPRC:
6800 case Q_MOPDL:
6801#ifdef INET6
6802 case Q_IPV6:
6803#endif
6804 /*
6805 * The offset is relative to the beginning of
6806 * the network-layer header.
6807 * XXX - are there any cases where we want
6808 * off_nl_nosnap?
6809 */
6810 s = gen_off_macpl();
6811
6812 /*
6813 * If "s" is non-null, it has code to arrange that the
6814 * X register contains the offset of the MAC-layer
6815 * payload. Add to it the offset computed into the
6816 * register specified by "index", and move that into
6817 * the X register. Otherwise, just load into the X
6818 * register the offset computed into the register specified
6819 * by "index".
6820 */
6821 if (s != NULL) {
6822 sappend(s, xfer_to_a(inst));
6823 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6824 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6825 } else
6826 s = xfer_to_x(inst);
6827
6828 /*
6829 * Load the item at the sum of the offset we've put in the
6830 * X register, the offset of the start of the network
6831 * layer header from the beginning of the MAC-layer
6832 * payload, and the purported offset of the start of the
6833 * MAC-layer payload (which might be 0 if there's a
6834 * variable-length prefix before the link-layer header
6835 * or the link-layer header itself is variable-length;
6836 * the variable-length offset of the start of the
6837 * MAC-layer payload is what we put into the X register
6838 * and then added to the index).
6839 */
6840 tmp = new_stmt(BPF_LD|BPF_IND|size);
6841 tmp->s.k = off_macpl + off_nl;
6842 sappend(s, tmp);
6843 sappend(inst->s, s);
6844
6845 /*
6846 * Do the computation only if the packet contains
6847 * the protocol in question.
6848 */
6849 b = gen_proto_abbrev(proto);
6850 if (inst->b)
6851 gen_and(inst->b, b);
6852 inst->b = b;
6853 break;
6854
6855 case Q_SCTP:
6856 case Q_TCP:
6857 case Q_UDP:
6858 case Q_ICMP:
6859 case Q_IGMP:
6860 case Q_IGRP:
6861 case Q_PIM:
6862 case Q_VRRP:
6863 case Q_CARP:
6864 /*
6865 * The offset is relative to the beginning of
6866 * the transport-layer header.
6867 *
6868 * Load the X register with the length of the IPv4 header
6869 * (plus the offset of the link-layer header, if it's
6870 * a variable-length header), in bytes.
6871 *
6872 * XXX - are there any cases where we want
6873 * off_nl_nosnap?
6874 * XXX - we should, if we're built with
6875 * IPv6 support, generate code to load either
6876 * IPv4, IPv6, or both, as appropriate.
6877 */
6878 s = gen_loadx_iphdrlen();
6879
6880 /*
6881 * The X register now contains the sum of the length
6882 * of any variable-length header preceding the link-layer
6883 * header, any variable-length link-layer header, and the
6884 * length of the network-layer header.
6885 *
6886 * Load into the A register the offset relative to
6887 * the beginning of the transport layer header,
6888 * add the X register to that, move that to the
6889 * X register, and load with an offset from the
6890 * X register equal to the offset of the network
6891 * layer header relative to the beginning of
6892 * the MAC-layer payload plus the fixed-length
6893 * portion of the offset of the MAC-layer payload
6894 * from the beginning of the raw packet data.
6895 */
6896 sappend(s, xfer_to_a(inst));
6897 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6898 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6899 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6900 tmp->s.k = off_macpl + off_nl;
6901 sappend(inst->s, s);
6902
6903 /*
6904 * Do the computation only if the packet contains
6905 * the protocol in question - which is true only
6906 * if this is an IP datagram and is the first or
6907 * only fragment of that datagram.
6908 */
6909 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6910 if (inst->b)
6911 gen_and(inst->b, b);
6912#ifdef INET6
6913 gen_and(gen_proto_abbrev(Q_IP), b);
6914#endif
6915 inst->b = b;
6916 break;
6917#ifdef INET6
6918 case Q_ICMPV6:
6919 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6920 /*NOTREACHED*/
6921#endif
6922 }
6923 inst->regno = regno;
6924 s = new_stmt(BPF_ST);
6925 s->s.k = regno;
6926 sappend(inst->s, s);
6927
6928 return inst;
6929}
6930
6931struct block *
6932gen_relation(code, a0, a1, reversed)
6933 int code;
6934 struct arth *a0, *a1;
6935 int reversed;
6936{
6937 struct slist *s0, *s1, *s2;
6938 struct block *b, *tmp;
6939
6940 s0 = xfer_to_x(a1);
6941 s1 = xfer_to_a(a0);
6942 if (code == BPF_JEQ) {
6943 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6944 b = new_block(JMP(code));
6945 sappend(s1, s2);
6946 }
6947 else
6948 b = new_block(BPF_JMP|code|BPF_X);
6949 if (reversed)
6950 gen_not(b);
6951
6952 sappend(s0, s1);
6953 sappend(a1->s, s0);
6954 sappend(a0->s, a1->s);
6955
6956 b->stmts = a0->s;
6957
6958 free_reg(a0->regno);
6959 free_reg(a1->regno);
6960
6961 /* 'and' together protocol checks */
6962 if (a0->b) {
6963 if (a1->b) {
6964 gen_and(a0->b, tmp = a1->b);
6965 }
6966 else
6967 tmp = a0->b;
6968 } else
6969 tmp = a1->b;
6970
6971 if (tmp)
6972 gen_and(tmp, b);
6973
6974 return b;
6975}
6976
6977struct arth *
6978gen_loadlen()
6979{
6980 int regno = alloc_reg();
6981 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6982 struct slist *s;
6983
6984 s = new_stmt(BPF_LD|BPF_LEN);
6985 s->next = new_stmt(BPF_ST);
6986 s->next->s.k = regno;
6987 a->s = s;
6988 a->regno = regno;
6989
6990 return a;
6991}
6992
6993struct arth *
6994gen_loadi(val)
6995 int val;
6996{
6997 struct arth *a;
6998 struct slist *s;
6999 int reg;
7000
7001 a = (struct arth *)newchunk(sizeof(*a));
7002
7003 reg = alloc_reg();
7004
7005 s = new_stmt(BPF_LD|BPF_IMM);
7006 s->s.k = val;
7007 s->next = new_stmt(BPF_ST);
7008 s->next->s.k = reg;
7009 a->s = s;
7010 a->regno = reg;
7011
7012 return a;
7013}
7014
7015struct arth *
7016gen_neg(a)
7017 struct arth *a;
7018{
7019 struct slist *s;
7020
7021 s = xfer_to_a(a);
7022 sappend(a->s, s);
7023 s = new_stmt(BPF_ALU|BPF_NEG);
7024 s->s.k = 0;
7025 sappend(a->s, s);
7026 s = new_stmt(BPF_ST);
7027 s->s.k = a->regno;
7028 sappend(a->s, s);
7029
7030 return a;
7031}
7032
7033struct arth *
7034gen_arth(code, a0, a1)
7035 int code;
7036 struct arth *a0, *a1;
7037{
7038 struct slist *s0, *s1, *s2;
7039
7040 s0 = xfer_to_x(a1);
7041 s1 = xfer_to_a(a0);
7042 s2 = new_stmt(BPF_ALU|BPF_X|code);
7043
7044 sappend(s1, s2);
7045 sappend(s0, s1);
7046 sappend(a1->s, s0);
7047 sappend(a0->s, a1->s);
7048
7049 free_reg(a0->regno);
7050 free_reg(a1->regno);
7051
7052 s0 = new_stmt(BPF_ST);
7053 a0->regno = s0->s.k = alloc_reg();
7054 sappend(a0->s, s0);
7055
7056 return a0;
7057}
7058
7059/*
7060 * Here we handle simple allocation of the scratch registers.
7061 * If too many registers are alloc'd, the allocator punts.
7062 */
7063static int regused[BPF_MEMWORDS];
7064static int curreg;
7065
7066/*
7067 * Initialize the table of used registers and the current register.
7068 */
7069static void
7070init_regs()
7071{
7072 curreg = 0;
7073 memset(regused, 0, sizeof regused);
7074}
7075
7076/*
7077 * Return the next free register.
7078 */
7079static int
7080alloc_reg()
7081{
7082 int n = BPF_MEMWORDS;
7083
7084 while (--n >= 0) {
7085 if (regused[curreg])
7086 curreg = (curreg + 1) % BPF_MEMWORDS;
7087 else {
7088 regused[curreg] = 1;
7089 return curreg;
7090 }
7091 }
7092 bpf_error("too many registers needed to evaluate expression");
7093 /* NOTREACHED */
7094 return 0;
7095}
7096
7097/*
7098 * Return a register to the table so it can
7099 * be used later.
7100 */
7101static void
7102free_reg(n)
7103 int n;
7104{
7105 regused[n] = 0;
7106}
7107
7108static struct block *
7109gen_len(jmp, n)
7110 int jmp, n;
7111{
7112 struct slist *s;
7113 struct block *b;
7114
7115 s = new_stmt(BPF_LD|BPF_LEN);
7116 b = new_block(JMP(jmp));
7117 b->stmts = s;
7118 b->s.k = n;
7119
7120 return b;
7121}
7122
7123struct block *
7124gen_greater(n)
7125 int n;
7126{
7127 return gen_len(BPF_JGE, n);
7128}
7129
7130/*
7131 * Actually, this is less than or equal.
7132 */
7133struct block *
7134gen_less(n)
7135 int n;
7136{
7137 struct block *b;
7138
7139 b = gen_len(BPF_JGT, n);
7140 gen_not(b);
7141
7142 return b;
7143}
7144
7145/*
7146 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7147 * the beginning of the link-layer header.
7148 * XXX - that means you can't test values in the radiotap header, but
7149 * as that header is difficult if not impossible to parse generally
7150 * without a loop, that might not be a severe problem. A new keyword
7151 * "radio" could be added for that, although what you'd really want
7152 * would be a way of testing particular radio header values, which
7153 * would generate code appropriate to the radio header in question.
7154 */
7155struct block *
7156gen_byteop(op, idx, val)
7157 int op, idx, val;
7158{
7159 struct block *b;
7160 struct slist *s;
7161
7162 switch (op) {
7163 default:
7164 abort();
7165
7166 case '=':
7167 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7168
7169 case '<':
7170 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7171 return b;
7172
7173 case '>':
7174 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7175 return b;
7176
7177 case '|':
7178 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7179 break;
7180
7181 case '&':
7182 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7183 break;
7184 }
7185 s->s.k = val;
7186 b = new_block(JMP(BPF_JEQ));
7187 b->stmts = s;
7188 gen_not(b);
7189
7190 return b;
7191}
7192
7193static u_char abroadcast[] = { 0x0 };
7194
7195struct block *
7196gen_broadcast(proto)
7197 int proto;
7198{
7199 bpf_u_int32 hostmask;
7200 struct block *b0, *b1, *b2;
7201 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7202
7203 switch (proto) {
7204
7205 case Q_DEFAULT:
7206 case Q_LINK:
7207 switch (linktype) {
7208 case DLT_ARCNET:
7209 case DLT_ARCNET_LINUX:
7210 return gen_ahostop(abroadcast, Q_DST);
7211 case DLT_EN10MB:
7212 case DLT_NETANALYZER:
7213 case DLT_NETANALYZER_TRANSPARENT:
7214 return gen_ehostop(ebroadcast, Q_DST);
7215 case DLT_FDDI:
7216 return gen_fhostop(ebroadcast, Q_DST);
7217 case DLT_IEEE802:
7218 return gen_thostop(ebroadcast, Q_DST);
7219 case DLT_IEEE802_11:
7220 case DLT_PRISM_HEADER:
7221 case DLT_IEEE802_11_RADIO_AVS:
7222 case DLT_IEEE802_11_RADIO:
7223 case DLT_PPI:
7224 return gen_wlanhostop(ebroadcast, Q_DST);
7225 case DLT_IP_OVER_FC:
7226 return gen_ipfchostop(ebroadcast, Q_DST);
7227 case DLT_SUNATM:
7228 if (is_lane) {
7229 /*
7230 * Check that the packet doesn't begin with an
7231 * LE Control marker. (We've already generated
7232 * a test for LANE.)
7233 */
7234 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7235 BPF_H, 0xFF00);
7236 gen_not(b1);
7237
7238 /*
7239 * Now check the MAC address.
7240 */
7241 b0 = gen_ehostop(ebroadcast, Q_DST);
7242 gen_and(b1, b0);
7243 return b0;
7244 }
7245 break;
7246 default:
7247 bpf_error("not a broadcast link");
7248 }
7249 break;
7250
7251 case Q_IP:
7252 /*
7253 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7254 * as an indication that we don't know the netmask, and fail
7255 * in that case.
7256 */
7257 if (netmask == PCAP_NETMASK_UNKNOWN)
7258 bpf_error("netmask not known, so 'ip broadcast' not supported");
7259 b0 = gen_linktype(ETHERTYPE_IP);
7260 hostmask = ~netmask;
7261 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7262 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7263 (bpf_int32)(~0 & hostmask), hostmask);
7264 gen_or(b1, b2);
7265 gen_and(b0, b2);
7266 return b2;
7267 }
7268 bpf_error("only link-layer/IP broadcast filters supported");
7269 /* NOTREACHED */
7270 return NULL;
7271}
7272
7273/*
7274 * Generate code to test the low-order bit of a MAC address (that's
7275 * the bottom bit of the *first* byte).
7276 */
7277static struct block *
7278gen_mac_multicast(offset)
7279 int offset;
7280{
7281 register struct block *b0;
7282 register struct slist *s;
7283
7284 /* link[offset] & 1 != 0 */
7285 s = gen_load_a(OR_LINK, offset, BPF_B);
7286 b0 = new_block(JMP(BPF_JSET));
7287 b0->s.k = 1;
7288 b0->stmts = s;
7289 return b0;
7290}
7291
7292struct block *
7293gen_multicast(proto)
7294 int proto;
7295{
7296 register struct block *b0, *b1, *b2;
7297 register struct slist *s;
7298
7299 switch (proto) {
7300
7301 case Q_DEFAULT:
7302 case Q_LINK:
7303 switch (linktype) {
7304 case DLT_ARCNET:
7305 case DLT_ARCNET_LINUX:
7306 /* all ARCnet multicasts use the same address */
7307 return gen_ahostop(abroadcast, Q_DST);
7308 case DLT_EN10MB:
7309 case DLT_NETANALYZER:
7310 case DLT_NETANALYZER_TRANSPARENT:
7311 /* ether[0] & 1 != 0 */
7312 return gen_mac_multicast(0);
7313 case DLT_FDDI:
7314 /*
7315 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7316 *
7317 * XXX - was that referring to bit-order issues?
7318 */
7319 /* fddi[1] & 1 != 0 */
7320 return gen_mac_multicast(1);
7321 case DLT_IEEE802:
7322 /* tr[2] & 1 != 0 */
7323 return gen_mac_multicast(2);
7324 case DLT_IEEE802_11:
7325 case DLT_PRISM_HEADER:
7326 case DLT_IEEE802_11_RADIO_AVS:
7327 case DLT_IEEE802_11_RADIO:
7328 case DLT_PPI:
7329 /*
7330 * Oh, yuk.
7331 *
7332 * For control frames, there is no DA.
7333 *
7334 * For management frames, DA is at an
7335 * offset of 4 from the beginning of
7336 * the packet.
7337 *
7338 * For data frames, DA is at an offset
7339 * of 4 from the beginning of the packet
7340 * if To DS is clear and at an offset of
7341 * 16 from the beginning of the packet
7342 * if To DS is set.
7343 */
7344
7345 /*
7346 * Generate the tests to be done for data frames.
7347 *
7348 * First, check for To DS set, i.e. "link[1] & 0x01".
7349 */
7350 s = gen_load_a(OR_LINK, 1, BPF_B);
7351 b1 = new_block(JMP(BPF_JSET));
7352 b1->s.k = 0x01; /* To DS */
7353 b1->stmts = s;
7354
7355 /*
7356 * If To DS is set, the DA is at 16.
7357 */
7358 b0 = gen_mac_multicast(16);
7359 gen_and(b1, b0);
7360
7361 /*
7362 * Now, check for To DS not set, i.e. check
7363 * "!(link[1] & 0x01)".
7364 */
7365 s = gen_load_a(OR_LINK, 1, BPF_B);
7366 b2 = new_block(JMP(BPF_JSET));
7367 b2->s.k = 0x01; /* To DS */
7368 b2->stmts = s;
7369 gen_not(b2);
7370
7371 /*
7372 * If To DS is not set, the DA is at 4.
7373 */
7374 b1 = gen_mac_multicast(4);
7375 gen_and(b2, b1);
7376
7377 /*
7378 * Now OR together the last two checks. That gives
7379 * the complete set of checks for data frames.
7380 */
7381 gen_or(b1, b0);
7382
7383 /*
7384 * Now check for a data frame.
7385 * I.e, check "link[0] & 0x08".
7386 */
7387 s = gen_load_a(OR_LINK, 0, BPF_B);
7388 b1 = new_block(JMP(BPF_JSET));
7389 b1->s.k = 0x08;
7390 b1->stmts = s;
7391
7392 /*
7393 * AND that with the checks done for data frames.
7394 */
7395 gen_and(b1, b0);
7396
7397 /*
7398 * If the high-order bit of the type value is 0, this
7399 * is a management frame.
7400 * I.e, check "!(link[0] & 0x08)".
7401 */
7402 s = gen_load_a(OR_LINK, 0, BPF_B);
7403 b2 = new_block(JMP(BPF_JSET));
7404 b2->s.k = 0x08;
7405 b2->stmts = s;
7406 gen_not(b2);
7407
7408 /*
7409 * For management frames, the DA is at 4.
7410 */
7411 b1 = gen_mac_multicast(4);
7412 gen_and(b2, b1);
7413
7414 /*
7415 * OR that with the checks done for data frames.
7416 * That gives the checks done for management and
7417 * data frames.
7418 */
7419 gen_or(b1, b0);
7420
7421 /*
7422 * If the low-order bit of the type value is 1,
7423 * this is either a control frame or a frame
7424 * with a reserved type, and thus not a
7425 * frame with an SA.
7426 *
7427 * I.e., check "!(link[0] & 0x04)".
7428 */
7429 s = gen_load_a(OR_LINK, 0, BPF_B);
7430 b1 = new_block(JMP(BPF_JSET));
7431 b1->s.k = 0x04;
7432 b1->stmts = s;
7433 gen_not(b1);
7434
7435 /*
7436 * AND that with the checks for data and management
7437 * frames.
7438 */
7439 gen_and(b1, b0);
7440 return b0;
7441 case DLT_IP_OVER_FC:
7442 b0 = gen_mac_multicast(2);
7443 return b0;
7444 case DLT_SUNATM:
7445 if (is_lane) {
7446 /*
7447 * Check that the packet doesn't begin with an
7448 * LE Control marker. (We've already generated
7449 * a test for LANE.)
7450 */
7451 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7452 BPF_H, 0xFF00);
7453 gen_not(b1);
7454
7455 /* ether[off_mac] & 1 != 0 */
7456 b0 = gen_mac_multicast(off_mac);
7457 gen_and(b1, b0);
7458 return b0;
7459 }
7460 break;
7461 default:
7462 break;
7463 }
7464 /* Link not known to support multicasts */
7465 break;
7466
7467 case Q_IP:
7468 b0 = gen_linktype(ETHERTYPE_IP);
7469 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7470 gen_and(b0, b1);
7471 return b1;
7472
7473#ifdef INET6
7474 case Q_IPV6:
7475 b0 = gen_linktype(ETHERTYPE_IPV6);
7476 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7477 gen_and(b0, b1);
7478 return b1;
7479#endif /* INET6 */
7480 }
7481 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7482 /* NOTREACHED */
7483 return NULL;
7484}
7485
7486/*
|
7473 * generate command for inbound/outbound. It's here so we can
7474 * make it link-type specific. 'dir' = 0 implies "inbound",
7475 * = 1 implies "outbound".
| 7487 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7488 * Outbound traffic is sent by this machine, while inbound traffic is
7489 * sent by a remote machine (and may include packets destined for a
7490 * unicast or multicast link-layer address we are not subscribing to).
7491 * These are the same definitions implemented by pcap_setdirection().
7492 * Capturing only unicast traffic destined for this host is probably
7493 * better accomplished using a higher-layer filter.
|
7476 */
7477struct block *
7478gen_inbound(dir)
7479 int dir;
7480{
7481 register struct block *b0;
7482
7483 /*
7484 * Only some data link types support inbound/outbound qualifiers.
7485 */
7486 switch (linktype) {
7487 case DLT_SLIP:
7488 b0 = gen_relation(BPF_JEQ,
7489 gen_load(Q_LINK, gen_loadi(0), 1),
7490 gen_loadi(0),
7491 dir);
7492 break;
7493
7494 case DLT_IPNET:
7495 if (dir) {
7496 /* match outgoing packets */
7497 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7498 } else {
7499 /* match incoming packets */
7500 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7501 }
7502 break;
7503
7504 case DLT_LINUX_SLL:
| 7494 */
7495struct block *
7496gen_inbound(dir)
7497 int dir;
7498{
7499 register struct block *b0;
7500
7501 /*
7502 * Only some data link types support inbound/outbound qualifiers.
7503 */
7504 switch (linktype) {
7505 case DLT_SLIP:
7506 b0 = gen_relation(BPF_JEQ,
7507 gen_load(Q_LINK, gen_loadi(0), 1),
7508 gen_loadi(0),
7509 dir);
7510 break;
7511
7512 case DLT_IPNET:
7513 if (dir) {
7514 /* match outgoing packets */
7515 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7516 } else {
7517 /* match incoming packets */
7518 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7519 }
7520 break;
7521
7522 case DLT_LINUX_SLL:
|
7505 if (dir) {
7506 /*
7507 * Match packets sent by this machine.
7508 */
7509 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7510 } else {
7511 /*
7512 * Match packets sent to this machine.
7513 * (No broadcast or multicast packets, or
7514 * packets sent to some other machine and
7515 * received promiscuously.)
7516 *
7517 * XXX - packets sent to other machines probably
7518 * shouldn't be matched, but what about broadcast
7519 * or multicast packets we received?
7520 */
7521 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
| 7523 /* match outgoing packets */
7524 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7525 if (!dir) {
7526 /* to filter on inbound traffic, invert the match */
7527 gen_not(b0);
|
7522 }
7523 break;
7524
7525#ifdef HAVE_NET_PFVAR_H
7526 case DLT_PFLOG:
7527 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7528 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7529 break;
7530#endif
7531
7532 case DLT_PPP_PPPD:
7533 if (dir) {
7534 /* match outgoing packets */
7535 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7536 } else {
7537 /* match incoming packets */
7538 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7539 }
7540 break;
7541
7542 case DLT_JUNIPER_MFR:
7543 case DLT_JUNIPER_MLFR:
7544 case DLT_JUNIPER_MLPPP:
7545 case DLT_JUNIPER_ATM1:
7546 case DLT_JUNIPER_ATM2:
7547 case DLT_JUNIPER_PPPOE:
7548 case DLT_JUNIPER_PPPOE_ATM:
7549 case DLT_JUNIPER_GGSN:
7550 case DLT_JUNIPER_ES:
7551 case DLT_JUNIPER_MONITOR:
7552 case DLT_JUNIPER_SERVICES:
7553 case DLT_JUNIPER_ETHER:
7554 case DLT_JUNIPER_PPP:
7555 case DLT_JUNIPER_FRELAY:
7556 case DLT_JUNIPER_CHDLC:
7557 case DLT_JUNIPER_VP:
7558 case DLT_JUNIPER_ST:
7559 case DLT_JUNIPER_ISM:
7560 case DLT_JUNIPER_VS:
7561 case DLT_JUNIPER_SRX_E2E:
7562 case DLT_JUNIPER_FIBRECHANNEL:
7563 case DLT_JUNIPER_ATM_CEMIC:
7564
7565 /* juniper flags (including direction) are stored
7566 * the byte after the 3-byte magic number */
7567 if (dir) {
7568 /* match outgoing packets */
7569 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7570 } else {
7571 /* match incoming packets */
7572 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7573 }
7574 break;
7575
7576 default:
| 7528 }
7529 break;
7530
7531#ifdef HAVE_NET_PFVAR_H
7532 case DLT_PFLOG:
7533 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7534 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7535 break;
7536#endif
7537
7538 case DLT_PPP_PPPD:
7539 if (dir) {
7540 /* match outgoing packets */
7541 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7542 } else {
7543 /* match incoming packets */
7544 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7545 }
7546 break;
7547
7548 case DLT_JUNIPER_MFR:
7549 case DLT_JUNIPER_MLFR:
7550 case DLT_JUNIPER_MLPPP:
7551 case DLT_JUNIPER_ATM1:
7552 case DLT_JUNIPER_ATM2:
7553 case DLT_JUNIPER_PPPOE:
7554 case DLT_JUNIPER_PPPOE_ATM:
7555 case DLT_JUNIPER_GGSN:
7556 case DLT_JUNIPER_ES:
7557 case DLT_JUNIPER_MONITOR:
7558 case DLT_JUNIPER_SERVICES:
7559 case DLT_JUNIPER_ETHER:
7560 case DLT_JUNIPER_PPP:
7561 case DLT_JUNIPER_FRELAY:
7562 case DLT_JUNIPER_CHDLC:
7563 case DLT_JUNIPER_VP:
7564 case DLT_JUNIPER_ST:
7565 case DLT_JUNIPER_ISM:
7566 case DLT_JUNIPER_VS:
7567 case DLT_JUNIPER_SRX_E2E:
7568 case DLT_JUNIPER_FIBRECHANNEL:
7569 case DLT_JUNIPER_ATM_CEMIC:
7570
7571 /* juniper flags (including direction) are stored
7572 * the byte after the 3-byte magic number */
7573 if (dir) {
7574 /* match outgoing packets */
7575 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7576 } else {
7577 /* match incoming packets */
7578 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7579 }
7580 break;
7581
7582 default:
|
| 7583 /*
7584 * If we have packet meta-data indicating a direction,
7585 * check it, otherwise give up as this link-layer type
7586 * has nothing in the packet data.
7587 */
7588#if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7589 /*
7590 * We infer that this is Linux with PF_PACKET support.
7591 * If this is a *live* capture, we can look at
7592 * special meta-data in the filter expression;
7593 * if it's a savefile, we can't.
7594 */
7595 if (bpf_pcap->sf.rfile != NULL) {
7596 /* We have a FILE *, so this is a savefile */
7597 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles",
7598 linktype);
7599 b0 = NULL;
7600 /* NOTREACHED */
7601 }
7602 /* match outgoing packets */
7603 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7604 PACKET_OUTGOING);
7605 if (!dir) {
7606 /* to filter on inbound traffic, invert the match */
7607 gen_not(b0);
7608 }
7609#else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
|
7577 bpf_error("inbound/outbound not supported on linktype %d",
7578 linktype);
7579 b0 = NULL;
7580 /* NOTREACHED */
| 7610 bpf_error("inbound/outbound not supported on linktype %d",
7611 linktype);
7612 b0 = NULL;
7613 /* NOTREACHED */
|
| 7614#endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
|
7581 }
7582 return (b0);
7583}
7584
7585#ifdef HAVE_NET_PFVAR_H
7586/* PF firewall log matched interface */
7587struct block *
7588gen_pf_ifname(const char *ifname)
7589{
7590 struct block *b0;
7591 u_int len, off;
7592
7593 if (linktype != DLT_PFLOG) {
7594 bpf_error("ifname supported only on PF linktype");
7595 /* NOTREACHED */
7596 }
7597 len = sizeof(((struct pfloghdr *)0)->ifname);
7598 off = offsetof(struct pfloghdr, ifname);
7599 if (strlen(ifname) >= len) {
7600 bpf_error("ifname interface names can only be %d characters",
7601 len-1);
7602 /* NOTREACHED */
7603 }
7604 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7605 return (b0);
7606}
7607
7608/* PF firewall log ruleset name */
7609struct block *
7610gen_pf_ruleset(char *ruleset)
7611{
7612 struct block *b0;
7613
7614 if (linktype != DLT_PFLOG) {
7615 bpf_error("ruleset supported only on PF linktype");
7616 /* NOTREACHED */
7617 }
7618
7619 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7620 bpf_error("ruleset names can only be %ld characters",
7621 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7622 /* NOTREACHED */
7623 }
7624
7625 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7626 strlen(ruleset), (const u_char *)ruleset);
7627 return (b0);
7628}
7629
7630/* PF firewall log rule number */
7631struct block *
7632gen_pf_rnr(int rnr)
7633{
7634 struct block *b0;
7635
7636 if (linktype != DLT_PFLOG) {
7637 bpf_error("rnr supported only on PF linktype");
7638 /* NOTREACHED */
7639 }
7640
7641 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7642 (bpf_int32)rnr);
7643 return (b0);
7644}
7645
7646/* PF firewall log sub-rule number */
7647struct block *
7648gen_pf_srnr(int srnr)
7649{
7650 struct block *b0;
7651
7652 if (linktype != DLT_PFLOG) {
7653 bpf_error("srnr supported only on PF linktype");
7654 /* NOTREACHED */
7655 }
7656
7657 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7658 (bpf_int32)srnr);
7659 return (b0);
7660}
7661
7662/* PF firewall log reason code */
7663struct block *
7664gen_pf_reason(int reason)
7665{
7666 struct block *b0;
7667
7668 if (linktype != DLT_PFLOG) {
7669 bpf_error("reason supported only on PF linktype");
7670 /* NOTREACHED */
7671 }
7672
7673 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7674 (bpf_int32)reason);
7675 return (b0);
7676}
7677
7678/* PF firewall log action */
7679struct block *
7680gen_pf_action(int action)
7681{
7682 struct block *b0;
7683
7684 if (linktype != DLT_PFLOG) {
7685 bpf_error("action supported only on PF linktype");
7686 /* NOTREACHED */
7687 }
7688
7689 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7690 (bpf_int32)action);
7691 return (b0);
7692}
7693#else /* !HAVE_NET_PFVAR_H */
7694struct block *
7695gen_pf_ifname(const char *ifname)
7696{
7697 bpf_error("libpcap was compiled without pf support");
7698 /* NOTREACHED */
7699 return (NULL);
7700}
7701
7702struct block *
7703gen_pf_ruleset(char *ruleset)
7704{
7705 bpf_error("libpcap was compiled on a machine without pf support");
7706 /* NOTREACHED */
7707 return (NULL);
7708}
7709
7710struct block *
7711gen_pf_rnr(int rnr)
7712{
7713 bpf_error("libpcap was compiled on a machine without pf support");
7714 /* NOTREACHED */
7715 return (NULL);
7716}
7717
7718struct block *
7719gen_pf_srnr(int srnr)
7720{
7721 bpf_error("libpcap was compiled on a machine without pf support");
7722 /* NOTREACHED */
7723 return (NULL);
7724}
7725
7726struct block *
7727gen_pf_reason(int reason)
7728{
7729 bpf_error("libpcap was compiled on a machine without pf support");
7730 /* NOTREACHED */
7731 return (NULL);
7732}
7733
7734struct block *
7735gen_pf_action(int action)
7736{
7737 bpf_error("libpcap was compiled on a machine without pf support");
7738 /* NOTREACHED */
7739 return (NULL);
7740}
7741#endif /* HAVE_NET_PFVAR_H */
7742
7743/* IEEE 802.11 wireless header */
7744struct block *
7745gen_p80211_type(int type, int mask)
7746{
7747 struct block *b0;
7748
7749 switch (linktype) {
7750
7751 case DLT_IEEE802_11:
7752 case DLT_PRISM_HEADER:
7753 case DLT_IEEE802_11_RADIO_AVS:
7754 case DLT_IEEE802_11_RADIO:
7755 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7756 (bpf_int32)mask);
7757 break;
7758
7759 default:
7760 bpf_error("802.11 link-layer types supported only on 802.11");
7761 /* NOTREACHED */
7762 }
7763
7764 return (b0);
7765}
7766
7767struct block *
7768gen_p80211_fcdir(int fcdir)
7769{
7770 struct block *b0;
7771
7772 switch (linktype) {
7773
7774 case DLT_IEEE802_11:
7775 case DLT_PRISM_HEADER:
7776 case DLT_IEEE802_11_RADIO_AVS:
7777 case DLT_IEEE802_11_RADIO:
7778 break;
7779
7780 default:
7781 bpf_error("frame direction supported only with 802.11 headers");
7782 /* NOTREACHED */
7783 }
7784
7785 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7786 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7787
7788 return (b0);
7789}
7790
7791struct block *
7792gen_acode(eaddr, q)
7793 register const u_char *eaddr;
7794 struct qual q;
7795{
7796 switch (linktype) {
7797
7798 case DLT_ARCNET:
7799 case DLT_ARCNET_LINUX:
7800 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7801 q.proto == Q_LINK)
7802 return (gen_ahostop(eaddr, (int)q.dir));
7803 else {
7804 bpf_error("ARCnet address used in non-arc expression");
7805 /* NOTREACHED */
7806 }
7807 break;
7808
7809 default:
7810 bpf_error("aid supported only on ARCnet");
7811 /* NOTREACHED */
7812 }
7813 bpf_error("ARCnet address used in non-arc expression");
7814 /* NOTREACHED */
7815 return NULL;
7816}
7817
7818static struct block *
7819gen_ahostop(eaddr, dir)
7820 register const u_char *eaddr;
7821 register int dir;
7822{
7823 register struct block *b0, *b1;
7824
7825 switch (dir) {
7826 /* src comes first, different from Ethernet */
7827 case Q_SRC:
7828 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7829
7830 case Q_DST:
7831 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7832
7833 case Q_AND:
7834 b0 = gen_ahostop(eaddr, Q_SRC);
7835 b1 = gen_ahostop(eaddr, Q_DST);
7836 gen_and(b0, b1);
7837 return b1;
7838
7839 case Q_DEFAULT:
7840 case Q_OR:
7841 b0 = gen_ahostop(eaddr, Q_SRC);
7842 b1 = gen_ahostop(eaddr, Q_DST);
7843 gen_or(b0, b1);
7844 return b1;
7845
7846 case Q_ADDR1:
7847 bpf_error("'addr1' is only supported on 802.11");
7848 break;
7849
7850 case Q_ADDR2:
7851 bpf_error("'addr2' is only supported on 802.11");
7852 break;
7853
7854 case Q_ADDR3:
7855 bpf_error("'addr3' is only supported on 802.11");
7856 break;
7857
7858 case Q_ADDR4:
7859 bpf_error("'addr4' is only supported on 802.11");
7860 break;
7861
7862 case Q_RA:
7863 bpf_error("'ra' is only supported on 802.11");
7864 break;
7865
7866 case Q_TA:
7867 bpf_error("'ta' is only supported on 802.11");
7868 break;
7869 }
7870 abort();
7871 /* NOTREACHED */
7872}
7873
7874/*
7875 * support IEEE 802.1Q VLAN trunk over ethernet
7876 */
7877struct block *
7878gen_vlan(vlan_num)
7879 int vlan_num;
7880{
7881 struct block *b0, *b1;
7882
7883 /* can't check for VLAN-encapsulated packets inside MPLS */
7884 if (label_stack_depth > 0)
7885 bpf_error("no VLAN match after MPLS");
7886
7887 /*
7888 * Check for a VLAN packet, and then change the offsets to point
7889 * to the type and data fields within the VLAN packet. Just
7890 * increment the offsets, so that we can support a hierarchy, e.g.
7891 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7892 * VLAN 100.
7893 *
7894 * XXX - this is a bit of a kludge. If we were to split the
7895 * compiler into a parser that parses an expression and
7896 * generates an expression tree, and a code generator that
7897 * takes an expression tree (which could come from our
7898 * parser or from some other parser) and generates BPF code,
7899 * we could perhaps make the offsets parameters of routines
7900 * and, in the handler for an "AND" node, pass to subnodes
7901 * other than the VLAN node the adjusted offsets.
7902 *
7903 * This would mean that "vlan" would, instead of changing the
7904 * behavior of *all* tests after it, change only the behavior
7905 * of tests ANDed with it. That would change the documented
7906 * semantics of "vlan", which might break some expressions.
7907 * However, it would mean that "(vlan and ip) or ip" would check
7908 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7909 * checking only for VLAN-encapsulated IP, so that could still
7910 * be considered worth doing; it wouldn't break expressions
7911 * that are of the form "vlan and ..." or "vlan N and ...",
7912 * which I suspect are the most common expressions involving
7913 * "vlan". "vlan or ..." doesn't necessarily do what the user
7914 * would really want, now, as all the "or ..." tests would
7915 * be done assuming a VLAN, even though the "or" could be viewed
7916 * as meaning "or, if this isn't a VLAN packet...".
7917 */
7918 orig_nl = off_nl;
7919
7920 switch (linktype) {
7921
7922 case DLT_EN10MB:
7923 case DLT_NETANALYZER:
7924 case DLT_NETANALYZER_TRANSPARENT:
7925 /* check for VLAN, including QinQ */
7926 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7927 (bpf_int32)ETHERTYPE_8021Q);
7928 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7929 (bpf_int32)ETHERTYPE_8021QINQ);
7930 gen_or(b0,b1);
7931 b0 = b1;
7932
7933 /* If a specific VLAN is requested, check VLAN id */
7934 if (vlan_num >= 0) {
7935 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7936 (bpf_int32)vlan_num, 0x0fff);
7937 gen_and(b0, b1);
7938 b0 = b1;
7939 }
7940
7941 off_macpl += 4;
7942 off_linktype += 4;
7943#if 0
7944 off_nl_nosnap += 4;
7945 off_nl += 4;
7946#endif
7947 break;
7948
7949 default:
7950 bpf_error("no VLAN support for data link type %d",
7951 linktype);
7952 /*NOTREACHED*/
7953 }
7954
7955 return (b0);
7956}
7957
7958/*
7959 * support for MPLS
7960 */
7961struct block *
7962gen_mpls(label_num)
7963 int label_num;
7964{
7965 struct block *b0,*b1;
7966
7967 /*
7968 * Change the offsets to point to the type and data fields within
7969 * the MPLS packet. Just increment the offsets, so that we
7970 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7971 * capture packets with an outer label of 100000 and an inner
7972 * label of 1024.
7973 *
7974 * XXX - this is a bit of a kludge. See comments in gen_vlan().
7975 */
7976 orig_nl = off_nl;
7977
7978 if (label_stack_depth > 0) {
7979 /* just match the bottom-of-stack bit clear */
7980 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
7981 } else {
7982 /*
7983 * Indicate that we're checking MPLS-encapsulated headers,
7984 * to make sure higher level code generators don't try to
7985 * match against IP-related protocols such as Q_ARP, Q_RARP
7986 * etc.
7987 */
7988 switch (linktype) {
7989
7990 case DLT_C_HDLC: /* fall through */
7991 case DLT_EN10MB:
7992 case DLT_NETANALYZER:
7993 case DLT_NETANALYZER_TRANSPARENT:
7994 b0 = gen_linktype(ETHERTYPE_MPLS);
7995 break;
7996
7997 case DLT_PPP:
7998 b0 = gen_linktype(PPP_MPLS_UCAST);
7999 break;
8000
8001 /* FIXME add other DLT_s ...
8002 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8003 * leave it for now */
8004
8005 default:
8006 bpf_error("no MPLS support for data link type %d",
8007 linktype);
8008 b0 = NULL;
8009 /*NOTREACHED*/
8010 break;
8011 }
8012 }
8013
8014 /* If a specific MPLS label is requested, check it */
8015 if (label_num >= 0) {
8016 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8017 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
8018 0xfffff000); /* only compare the first 20 bits */
8019 gen_and(b0, b1);
8020 b0 = b1;
8021 }
8022
8023 off_nl_nosnap += 4;
8024 off_nl += 4;
8025 label_stack_depth++;
8026 return (b0);
8027}
8028
8029/*
8030 * Support PPPOE discovery and session.
8031 */
8032struct block *
8033gen_pppoed()
8034{
8035 /* check for PPPoE discovery */
8036 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
8037}
8038
8039struct block *
8040gen_pppoes()
8041{
8042 struct block *b0;
8043
8044 /*
8045 * Test against the PPPoE session link-layer type.
8046 */
8047 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
8048
8049 /*
8050 * Change the offsets to point to the type and data fields within
8051 * the PPP packet, and note that this is PPPoE rather than
8052 * raw PPP.
8053 *
8054 * XXX - this is a bit of a kludge. If we were to split the
8055 * compiler into a parser that parses an expression and
8056 * generates an expression tree, and a code generator that
8057 * takes an expression tree (which could come from our
8058 * parser or from some other parser) and generates BPF code,
8059 * we could perhaps make the offsets parameters of routines
8060 * and, in the handler for an "AND" node, pass to subnodes
8061 * other than the PPPoE node the adjusted offsets.
8062 *
8063 * This would mean that "pppoes" would, instead of changing the
8064 * behavior of *all* tests after it, change only the behavior
8065 * of tests ANDed with it. That would change the documented
8066 * semantics of "pppoes", which might break some expressions.
8067 * However, it would mean that "(pppoes and ip) or ip" would check
8068 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8069 * checking only for VLAN-encapsulated IP, so that could still
8070 * be considered worth doing; it wouldn't break expressions
8071 * that are of the form "pppoes and ..." which I suspect are the
8072 * most common expressions involving "pppoes". "pppoes or ..."
8073 * doesn't necessarily do what the user would really want, now,
8074 * as all the "or ..." tests would be done assuming PPPoE, even
8075 * though the "or" could be viewed as meaning "or, if this isn't
8076 * a PPPoE packet...".
8077 */
8078 orig_linktype = off_linktype; /* save original values */
8079 orig_nl = off_nl;
8080 is_pppoes = 1;
8081
8082 /*
8083 * The "network-layer" protocol is PPPoE, which has a 6-byte
8084 * PPPoE header, followed by a PPP packet.
8085 *
8086 * There is no HDLC encapsulation for the PPP packet (it's
8087 * encapsulated in PPPoES instead), so the link-layer type
8088 * starts at the first byte of the PPP packet. For PPPoE,
8089 * that offset is relative to the beginning of the total
8090 * link-layer payload, including any 802.2 LLC header, so
8091 * it's 6 bytes past off_nl.
8092 */
8093 off_linktype = off_nl + 6;
8094
8095 /*
8096 * The network-layer offsets are relative to the beginning
8097 * of the MAC-layer payload; that's past the 6-byte
8098 * PPPoE header and the 2-byte PPP header.
8099 */
8100 off_nl = 6+2;
8101 off_nl_nosnap = 6+2;
8102
8103 return b0;
8104}
8105
8106struct block *
8107gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8108 int atmfield;
8109 bpf_int32 jvalue;
8110 bpf_u_int32 jtype;
8111 int reverse;
8112{
8113 struct block *b0;
8114
8115 switch (atmfield) {
8116
8117 case A_VPI:
8118 if (!is_atm)
8119 bpf_error("'vpi' supported only on raw ATM");
8120 if (off_vpi == (u_int)-1)
8121 abort();
8122 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
8123 reverse, jvalue);
8124 break;
8125
8126 case A_VCI:
8127 if (!is_atm)
8128 bpf_error("'vci' supported only on raw ATM");
8129 if (off_vci == (u_int)-1)
8130 abort();
8131 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
8132 reverse, jvalue);
8133 break;
8134
8135 case A_PROTOTYPE:
8136 if (off_proto == (u_int)-1)
8137 abort(); /* XXX - this isn't on FreeBSD */
8138 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
8139 reverse, jvalue);
8140 break;
8141
8142 case A_MSGTYPE:
8143 if (off_payload == (u_int)-1)
8144 abort();
8145 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
8146 0xffffffff, jtype, reverse, jvalue);
8147 break;
8148
8149 case A_CALLREFTYPE:
8150 if (!is_atm)
8151 bpf_error("'callref' supported only on raw ATM");
8152 if (off_proto == (u_int)-1)
8153 abort();
8154 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
8155 jtype, reverse, jvalue);
8156 break;
8157
8158 default:
8159 abort();
8160 }
8161 return b0;
8162}
8163
8164struct block *
8165gen_atmtype_abbrev(type)
8166 int type;
8167{
8168 struct block *b0, *b1;
8169
8170 switch (type) {
8171
8172 case A_METAC:
8173 /* Get all packets in Meta signalling Circuit */
8174 if (!is_atm)
8175 bpf_error("'metac' supported only on raw ATM");
8176 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8177 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8178 gen_and(b0, b1);
8179 break;
8180
8181 case A_BCC:
8182 /* Get all packets in Broadcast Circuit*/
8183 if (!is_atm)
8184 bpf_error("'bcc' supported only on raw ATM");
8185 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8186 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8187 gen_and(b0, b1);
8188 break;
8189
8190 case A_OAMF4SC:
8191 /* Get all cells in Segment OAM F4 circuit*/
8192 if (!is_atm)
8193 bpf_error("'oam4sc' supported only on raw ATM");
8194 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8195 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8196 gen_and(b0, b1);
8197 break;
8198
8199 case A_OAMF4EC:
8200 /* Get all cells in End-to-End OAM F4 Circuit*/
8201 if (!is_atm)
8202 bpf_error("'oam4ec' supported only on raw ATM");
8203 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8204 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8205 gen_and(b0, b1);
8206 break;
8207
8208 case A_SC:
8209 /* Get all packets in connection Signalling Circuit */
8210 if (!is_atm)
8211 bpf_error("'sc' supported only on raw ATM");
8212 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8213 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8214 gen_and(b0, b1);
8215 break;
8216
8217 case A_ILMIC:
8218 /* Get all packets in ILMI Circuit */
8219 if (!is_atm)
8220 bpf_error("'ilmic' supported only on raw ATM");
8221 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8222 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8223 gen_and(b0, b1);
8224 break;
8225
8226 case A_LANE:
8227 /* Get all LANE packets */
8228 if (!is_atm)
8229 bpf_error("'lane' supported only on raw ATM");
8230 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8231
8232 /*
8233 * Arrange that all subsequent tests assume LANE
8234 * rather than LLC-encapsulated packets, and set
8235 * the offsets appropriately for LANE-encapsulated
8236 * Ethernet.
8237 *
8238 * "off_mac" is the offset of the Ethernet header,
8239 * which is 2 bytes past the ATM pseudo-header
8240 * (skipping the pseudo-header and 2-byte LE Client
8241 * field). The other offsets are Ethernet offsets
8242 * relative to "off_mac".
8243 */
8244 is_lane = 1;
8245 off_mac = off_payload + 2; /* MAC header */
8246 off_linktype = off_mac + 12;
8247 off_macpl = off_mac + 14; /* Ethernet */
8248 off_nl = 0; /* Ethernet II */
8249 off_nl_nosnap = 3; /* 802.3+802.2 */
8250 break;
8251
8252 case A_LLC:
8253 /* Get all LLC-encapsulated packets */
8254 if (!is_atm)
8255 bpf_error("'llc' supported only on raw ATM");
8256 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8257 is_lane = 0;
8258 break;
8259
8260 default:
8261 abort();
8262 }
8263 return b1;
8264}
8265
8266/*
8267 * Filtering for MTP2 messages based on li value
8268 * FISU, length is null
8269 * LSSU, length is 1 or 2
8270 * MSU, length is 3 or more
8271 */
8272struct block *
8273gen_mtp2type_abbrev(type)
8274 int type;
8275{
8276 struct block *b0, *b1;
8277
8278 switch (type) {
8279
8280 case M_FISU:
8281 if ( (linktype != DLT_MTP2) &&
8282 (linktype != DLT_ERF) &&
8283 (linktype != DLT_MTP2_WITH_PHDR) )
8284 bpf_error("'fisu' supported only on MTP2");
8285 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8286 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8287 break;
8288
8289 case M_LSSU:
8290 if ( (linktype != DLT_MTP2) &&
8291 (linktype != DLT_ERF) &&
8292 (linktype != DLT_MTP2_WITH_PHDR) )
8293 bpf_error("'lssu' supported only on MTP2");
8294 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8295 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8296 gen_and(b1, b0);
8297 break;
8298
8299 case M_MSU:
8300 if ( (linktype != DLT_MTP2) &&
8301 (linktype != DLT_ERF) &&
8302 (linktype != DLT_MTP2_WITH_PHDR) )
8303 bpf_error("'msu' supported only on MTP2");
8304 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8305 break;
8306
8307 default:
8308 abort();
8309 }
8310 return b0;
8311}
8312
8313struct block *
8314gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8315 int mtp3field;
8316 bpf_u_int32 jvalue;
8317 bpf_u_int32 jtype;
8318 int reverse;
8319{
8320 struct block *b0;
8321 bpf_u_int32 val1 , val2 , val3;
8322
8323 switch (mtp3field) {
8324
8325 case M_SIO:
8326 if (off_sio == (u_int)-1)
8327 bpf_error("'sio' supported only on SS7");
8328 /* sio coded on 1 byte so max value 255 */
8329 if(jvalue > 255)
8330 bpf_error("sio value %u too big; max value = 255",
8331 jvalue);
8332 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8333 (u_int)jtype, reverse, (u_int)jvalue);
8334 break;
8335
8336 case M_OPC:
8337 if (off_opc == (u_int)-1)
8338 bpf_error("'opc' supported only on SS7");
8339 /* opc coded on 14 bits so max value 16383 */
8340 if (jvalue > 16383)
8341 bpf_error("opc value %u too big; max value = 16383",
8342 jvalue);
8343 /* the following instructions are made to convert jvalue
8344 * to the form used to write opc in an ss7 message*/
8345 val1 = jvalue & 0x00003c00;
8346 val1 = val1 >>10;
8347 val2 = jvalue & 0x000003fc;
8348 val2 = val2 <<6;
8349 val3 = jvalue & 0x00000003;
8350 val3 = val3 <<22;
8351 jvalue = val1 + val2 + val3;
8352 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8353 (u_int)jtype, reverse, (u_int)jvalue);
8354 break;
8355
8356 case M_DPC:
8357 if (off_dpc == (u_int)-1)
8358 bpf_error("'dpc' supported only on SS7");
8359 /* dpc coded on 14 bits so max value 16383 */
8360 if (jvalue > 16383)
8361 bpf_error("dpc value %u too big; max value = 16383",
8362 jvalue);
8363 /* the following instructions are made to convert jvalue
8364 * to the forme used to write dpc in an ss7 message*/
8365 val1 = jvalue & 0x000000ff;
8366 val1 = val1 << 24;
8367 val2 = jvalue & 0x00003f00;
8368 val2 = val2 << 8;
8369 jvalue = val1 + val2;
8370 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8371 (u_int)jtype, reverse, (u_int)jvalue);
8372 break;
8373
8374 case M_SLS:
8375 if (off_sls == (u_int)-1)
8376 bpf_error("'sls' supported only on SS7");
8377 /* sls coded on 4 bits so max value 15 */
8378 if (jvalue > 15)
8379 bpf_error("sls value %u too big; max value = 15",
8380 jvalue);
8381 /* the following instruction is made to convert jvalue
8382 * to the forme used to write sls in an ss7 message*/
8383 jvalue = jvalue << 4;
8384 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8385 (u_int)jtype,reverse, (u_int)jvalue);
8386 break;
8387
8388 default:
8389 abort();
8390 }
8391 return b0;
8392}
8393
8394static struct block *
8395gen_msg_abbrev(type)
8396 int type;
8397{
8398 struct block *b1;
8399
8400 /*
8401 * Q.2931 signalling protocol messages for handling virtual circuits
8402 * establishment and teardown
8403 */
8404 switch (type) {
8405
8406 case A_SETUP:
8407 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8408 break;
8409
8410 case A_CALLPROCEED:
8411 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8412 break;
8413
8414 case A_CONNECT:
8415 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8416 break;
8417
8418 case A_CONNECTACK:
8419 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8420 break;
8421
8422 case A_RELEASE:
8423 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8424 break;
8425
8426 case A_RELEASE_DONE:
8427 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8428 break;
8429
8430 default:
8431 abort();
8432 }
8433 return b1;
8434}
8435
8436struct block *
8437gen_atmmulti_abbrev(type)
8438 int type;
8439{
8440 struct block *b0, *b1;
8441
8442 switch (type) {
8443
8444 case A_OAM:
8445 if (!is_atm)
8446 bpf_error("'oam' supported only on raw ATM");
8447 b1 = gen_atmmulti_abbrev(A_OAMF4);
8448 break;
8449
8450 case A_OAMF4:
8451 if (!is_atm)
8452 bpf_error("'oamf4' supported only on raw ATM");
8453 /* OAM F4 type */
8454 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8455 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8456 gen_or(b0, b1);
8457 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8458 gen_and(b0, b1);
8459 break;
8460
8461 case A_CONNECTMSG:
8462 /*
8463 * Get Q.2931 signalling messages for switched
8464 * virtual connection
8465 */
8466 if (!is_atm)
8467 bpf_error("'connectmsg' supported only on raw ATM");
8468 b0 = gen_msg_abbrev(A_SETUP);
8469 b1 = gen_msg_abbrev(A_CALLPROCEED);
8470 gen_or(b0, b1);
8471 b0 = gen_msg_abbrev(A_CONNECT);
8472 gen_or(b0, b1);
8473 b0 = gen_msg_abbrev(A_CONNECTACK);
8474 gen_or(b0, b1);
8475 b0 = gen_msg_abbrev(A_RELEASE);
8476 gen_or(b0, b1);
8477 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8478 gen_or(b0, b1);
8479 b0 = gen_atmtype_abbrev(A_SC);
8480 gen_and(b0, b1);
8481 break;
8482
8483 case A_METACONNECT:
8484 if (!is_atm)
8485 bpf_error("'metaconnect' supported only on raw ATM");
8486 b0 = gen_msg_abbrev(A_SETUP);
8487 b1 = gen_msg_abbrev(A_CALLPROCEED);
8488 gen_or(b0, b1);
8489 b0 = gen_msg_abbrev(A_CONNECT);
8490 gen_or(b0, b1);
8491 b0 = gen_msg_abbrev(A_RELEASE);
8492 gen_or(b0, b1);
8493 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8494 gen_or(b0, b1);
8495 b0 = gen_atmtype_abbrev(A_METAC);
8496 gen_and(b0, b1);
8497 break;
8498
8499 default:
8500 abort();
8501 }
8502 return b1;
8503}
| 7615 }
7616 return (b0);
7617}
7618
7619#ifdef HAVE_NET_PFVAR_H
7620/* PF firewall log matched interface */
7621struct block *
7622gen_pf_ifname(const char *ifname)
7623{
7624 struct block *b0;
7625 u_int len, off;
7626
7627 if (linktype != DLT_PFLOG) {
7628 bpf_error("ifname supported only on PF linktype");
7629 /* NOTREACHED */
7630 }
7631 len = sizeof(((struct pfloghdr *)0)->ifname);
7632 off = offsetof(struct pfloghdr, ifname);
7633 if (strlen(ifname) >= len) {
7634 bpf_error("ifname interface names can only be %d characters",
7635 len-1);
7636 /* NOTREACHED */
7637 }
7638 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7639 return (b0);
7640}
7641
7642/* PF firewall log ruleset name */
7643struct block *
7644gen_pf_ruleset(char *ruleset)
7645{
7646 struct block *b0;
7647
7648 if (linktype != DLT_PFLOG) {
7649 bpf_error("ruleset supported only on PF linktype");
7650 /* NOTREACHED */
7651 }
7652
7653 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7654 bpf_error("ruleset names can only be %ld characters",
7655 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7656 /* NOTREACHED */
7657 }
7658
7659 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7660 strlen(ruleset), (const u_char *)ruleset);
7661 return (b0);
7662}
7663
7664/* PF firewall log rule number */
7665struct block *
7666gen_pf_rnr(int rnr)
7667{
7668 struct block *b0;
7669
7670 if (linktype != DLT_PFLOG) {
7671 bpf_error("rnr supported only on PF linktype");
7672 /* NOTREACHED */
7673 }
7674
7675 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7676 (bpf_int32)rnr);
7677 return (b0);
7678}
7679
7680/* PF firewall log sub-rule number */
7681struct block *
7682gen_pf_srnr(int srnr)
7683{
7684 struct block *b0;
7685
7686 if (linktype != DLT_PFLOG) {
7687 bpf_error("srnr supported only on PF linktype");
7688 /* NOTREACHED */
7689 }
7690
7691 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7692 (bpf_int32)srnr);
7693 return (b0);
7694}
7695
7696/* PF firewall log reason code */
7697struct block *
7698gen_pf_reason(int reason)
7699{
7700 struct block *b0;
7701
7702 if (linktype != DLT_PFLOG) {
7703 bpf_error("reason supported only on PF linktype");
7704 /* NOTREACHED */
7705 }
7706
7707 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7708 (bpf_int32)reason);
7709 return (b0);
7710}
7711
7712/* PF firewall log action */
7713struct block *
7714gen_pf_action(int action)
7715{
7716 struct block *b0;
7717
7718 if (linktype != DLT_PFLOG) {
7719 bpf_error("action supported only on PF linktype");
7720 /* NOTREACHED */
7721 }
7722
7723 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7724 (bpf_int32)action);
7725 return (b0);
7726}
7727#else /* !HAVE_NET_PFVAR_H */
7728struct block *
7729gen_pf_ifname(const char *ifname)
7730{
7731 bpf_error("libpcap was compiled without pf support");
7732 /* NOTREACHED */
7733 return (NULL);
7734}
7735
7736struct block *
7737gen_pf_ruleset(char *ruleset)
7738{
7739 bpf_error("libpcap was compiled on a machine without pf support");
7740 /* NOTREACHED */
7741 return (NULL);
7742}
7743
7744struct block *
7745gen_pf_rnr(int rnr)
7746{
7747 bpf_error("libpcap was compiled on a machine without pf support");
7748 /* NOTREACHED */
7749 return (NULL);
7750}
7751
7752struct block *
7753gen_pf_srnr(int srnr)
7754{
7755 bpf_error("libpcap was compiled on a machine without pf support");
7756 /* NOTREACHED */
7757 return (NULL);
7758}
7759
7760struct block *
7761gen_pf_reason(int reason)
7762{
7763 bpf_error("libpcap was compiled on a machine without pf support");
7764 /* NOTREACHED */
7765 return (NULL);
7766}
7767
7768struct block *
7769gen_pf_action(int action)
7770{
7771 bpf_error("libpcap was compiled on a machine without pf support");
7772 /* NOTREACHED */
7773 return (NULL);
7774}
7775#endif /* HAVE_NET_PFVAR_H */
7776
7777/* IEEE 802.11 wireless header */
7778struct block *
7779gen_p80211_type(int type, int mask)
7780{
7781 struct block *b0;
7782
7783 switch (linktype) {
7784
7785 case DLT_IEEE802_11:
7786 case DLT_PRISM_HEADER:
7787 case DLT_IEEE802_11_RADIO_AVS:
7788 case DLT_IEEE802_11_RADIO:
7789 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7790 (bpf_int32)mask);
7791 break;
7792
7793 default:
7794 bpf_error("802.11 link-layer types supported only on 802.11");
7795 /* NOTREACHED */
7796 }
7797
7798 return (b0);
7799}
7800
7801struct block *
7802gen_p80211_fcdir(int fcdir)
7803{
7804 struct block *b0;
7805
7806 switch (linktype) {
7807
7808 case DLT_IEEE802_11:
7809 case DLT_PRISM_HEADER:
7810 case DLT_IEEE802_11_RADIO_AVS:
7811 case DLT_IEEE802_11_RADIO:
7812 break;
7813
7814 default:
7815 bpf_error("frame direction supported only with 802.11 headers");
7816 /* NOTREACHED */
7817 }
7818
7819 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7820 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7821
7822 return (b0);
7823}
7824
7825struct block *
7826gen_acode(eaddr, q)
7827 register const u_char *eaddr;
7828 struct qual q;
7829{
7830 switch (linktype) {
7831
7832 case DLT_ARCNET:
7833 case DLT_ARCNET_LINUX:
7834 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7835 q.proto == Q_LINK)
7836 return (gen_ahostop(eaddr, (int)q.dir));
7837 else {
7838 bpf_error("ARCnet address used in non-arc expression");
7839 /* NOTREACHED */
7840 }
7841 break;
7842
7843 default:
7844 bpf_error("aid supported only on ARCnet");
7845 /* NOTREACHED */
7846 }
7847 bpf_error("ARCnet address used in non-arc expression");
7848 /* NOTREACHED */
7849 return NULL;
7850}
7851
7852static struct block *
7853gen_ahostop(eaddr, dir)
7854 register const u_char *eaddr;
7855 register int dir;
7856{
7857 register struct block *b0, *b1;
7858
7859 switch (dir) {
7860 /* src comes first, different from Ethernet */
7861 case Q_SRC:
7862 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7863
7864 case Q_DST:
7865 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7866
7867 case Q_AND:
7868 b0 = gen_ahostop(eaddr, Q_SRC);
7869 b1 = gen_ahostop(eaddr, Q_DST);
7870 gen_and(b0, b1);
7871 return b1;
7872
7873 case Q_DEFAULT:
7874 case Q_OR:
7875 b0 = gen_ahostop(eaddr, Q_SRC);
7876 b1 = gen_ahostop(eaddr, Q_DST);
7877 gen_or(b0, b1);
7878 return b1;
7879
7880 case Q_ADDR1:
7881 bpf_error("'addr1' is only supported on 802.11");
7882 break;
7883
7884 case Q_ADDR2:
7885 bpf_error("'addr2' is only supported on 802.11");
7886 break;
7887
7888 case Q_ADDR3:
7889 bpf_error("'addr3' is only supported on 802.11");
7890 break;
7891
7892 case Q_ADDR4:
7893 bpf_error("'addr4' is only supported on 802.11");
7894 break;
7895
7896 case Q_RA:
7897 bpf_error("'ra' is only supported on 802.11");
7898 break;
7899
7900 case Q_TA:
7901 bpf_error("'ta' is only supported on 802.11");
7902 break;
7903 }
7904 abort();
7905 /* NOTREACHED */
7906}
7907
7908/*
7909 * support IEEE 802.1Q VLAN trunk over ethernet
7910 */
7911struct block *
7912gen_vlan(vlan_num)
7913 int vlan_num;
7914{
7915 struct block *b0, *b1;
7916
7917 /* can't check for VLAN-encapsulated packets inside MPLS */
7918 if (label_stack_depth > 0)
7919 bpf_error("no VLAN match after MPLS");
7920
7921 /*
7922 * Check for a VLAN packet, and then change the offsets to point
7923 * to the type and data fields within the VLAN packet. Just
7924 * increment the offsets, so that we can support a hierarchy, e.g.
7925 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7926 * VLAN 100.
7927 *
7928 * XXX - this is a bit of a kludge. If we were to split the
7929 * compiler into a parser that parses an expression and
7930 * generates an expression tree, and a code generator that
7931 * takes an expression tree (which could come from our
7932 * parser or from some other parser) and generates BPF code,
7933 * we could perhaps make the offsets parameters of routines
7934 * and, in the handler for an "AND" node, pass to subnodes
7935 * other than the VLAN node the adjusted offsets.
7936 *
7937 * This would mean that "vlan" would, instead of changing the
7938 * behavior of *all* tests after it, change only the behavior
7939 * of tests ANDed with it. That would change the documented
7940 * semantics of "vlan", which might break some expressions.
7941 * However, it would mean that "(vlan and ip) or ip" would check
7942 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7943 * checking only for VLAN-encapsulated IP, so that could still
7944 * be considered worth doing; it wouldn't break expressions
7945 * that are of the form "vlan and ..." or "vlan N and ...",
7946 * which I suspect are the most common expressions involving
7947 * "vlan". "vlan or ..." doesn't necessarily do what the user
7948 * would really want, now, as all the "or ..." tests would
7949 * be done assuming a VLAN, even though the "or" could be viewed
7950 * as meaning "or, if this isn't a VLAN packet...".
7951 */
7952 orig_nl = off_nl;
7953
7954 switch (linktype) {
7955
7956 case DLT_EN10MB:
7957 case DLT_NETANALYZER:
7958 case DLT_NETANALYZER_TRANSPARENT:
7959 /* check for VLAN, including QinQ */
7960 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7961 (bpf_int32)ETHERTYPE_8021Q);
7962 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7963 (bpf_int32)ETHERTYPE_8021QINQ);
7964 gen_or(b0,b1);
7965 b0 = b1;
7966
7967 /* If a specific VLAN is requested, check VLAN id */
7968 if (vlan_num >= 0) {
7969 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7970 (bpf_int32)vlan_num, 0x0fff);
7971 gen_and(b0, b1);
7972 b0 = b1;
7973 }
7974
7975 off_macpl += 4;
7976 off_linktype += 4;
7977#if 0
7978 off_nl_nosnap += 4;
7979 off_nl += 4;
7980#endif
7981 break;
7982
7983 default:
7984 bpf_error("no VLAN support for data link type %d",
7985 linktype);
7986 /*NOTREACHED*/
7987 }
7988
7989 return (b0);
7990}
7991
7992/*
7993 * support for MPLS
7994 */
7995struct block *
7996gen_mpls(label_num)
7997 int label_num;
7998{
7999 struct block *b0,*b1;
8000
8001 /*
8002 * Change the offsets to point to the type and data fields within
8003 * the MPLS packet. Just increment the offsets, so that we
8004 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
8005 * capture packets with an outer label of 100000 and an inner
8006 * label of 1024.
8007 *
8008 * XXX - this is a bit of a kludge. See comments in gen_vlan().
8009 */
8010 orig_nl = off_nl;
8011
8012 if (label_stack_depth > 0) {
8013 /* just match the bottom-of-stack bit clear */
8014 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
8015 } else {
8016 /*
8017 * Indicate that we're checking MPLS-encapsulated headers,
8018 * to make sure higher level code generators don't try to
8019 * match against IP-related protocols such as Q_ARP, Q_RARP
8020 * etc.
8021 */
8022 switch (linktype) {
8023
8024 case DLT_C_HDLC: /* fall through */
8025 case DLT_EN10MB:
8026 case DLT_NETANALYZER:
8027 case DLT_NETANALYZER_TRANSPARENT:
8028 b0 = gen_linktype(ETHERTYPE_MPLS);
8029 break;
8030
8031 case DLT_PPP:
8032 b0 = gen_linktype(PPP_MPLS_UCAST);
8033 break;
8034
8035 /* FIXME add other DLT_s ...
8036 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8037 * leave it for now */
8038
8039 default:
8040 bpf_error("no MPLS support for data link type %d",
8041 linktype);
8042 b0 = NULL;
8043 /*NOTREACHED*/
8044 break;
8045 }
8046 }
8047
8048 /* If a specific MPLS label is requested, check it */
8049 if (label_num >= 0) {
8050 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8051 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
8052 0xfffff000); /* only compare the first 20 bits */
8053 gen_and(b0, b1);
8054 b0 = b1;
8055 }
8056
8057 off_nl_nosnap += 4;
8058 off_nl += 4;
8059 label_stack_depth++;
8060 return (b0);
8061}
8062
8063/*
8064 * Support PPPOE discovery and session.
8065 */
8066struct block *
8067gen_pppoed()
8068{
8069 /* check for PPPoE discovery */
8070 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
8071}
8072
8073struct block *
8074gen_pppoes()
8075{
8076 struct block *b0;
8077
8078 /*
8079 * Test against the PPPoE session link-layer type.
8080 */
8081 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
8082
8083 /*
8084 * Change the offsets to point to the type and data fields within
8085 * the PPP packet, and note that this is PPPoE rather than
8086 * raw PPP.
8087 *
8088 * XXX - this is a bit of a kludge. If we were to split the
8089 * compiler into a parser that parses an expression and
8090 * generates an expression tree, and a code generator that
8091 * takes an expression tree (which could come from our
8092 * parser or from some other parser) and generates BPF code,
8093 * we could perhaps make the offsets parameters of routines
8094 * and, in the handler for an "AND" node, pass to subnodes
8095 * other than the PPPoE node the adjusted offsets.
8096 *
8097 * This would mean that "pppoes" would, instead of changing the
8098 * behavior of *all* tests after it, change only the behavior
8099 * of tests ANDed with it. That would change the documented
8100 * semantics of "pppoes", which might break some expressions.
8101 * However, it would mean that "(pppoes and ip) or ip" would check
8102 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8103 * checking only for VLAN-encapsulated IP, so that could still
8104 * be considered worth doing; it wouldn't break expressions
8105 * that are of the form "pppoes and ..." which I suspect are the
8106 * most common expressions involving "pppoes". "pppoes or ..."
8107 * doesn't necessarily do what the user would really want, now,
8108 * as all the "or ..." tests would be done assuming PPPoE, even
8109 * though the "or" could be viewed as meaning "or, if this isn't
8110 * a PPPoE packet...".
8111 */
8112 orig_linktype = off_linktype; /* save original values */
8113 orig_nl = off_nl;
8114 is_pppoes = 1;
8115
8116 /*
8117 * The "network-layer" protocol is PPPoE, which has a 6-byte
8118 * PPPoE header, followed by a PPP packet.
8119 *
8120 * There is no HDLC encapsulation for the PPP packet (it's
8121 * encapsulated in PPPoES instead), so the link-layer type
8122 * starts at the first byte of the PPP packet. For PPPoE,
8123 * that offset is relative to the beginning of the total
8124 * link-layer payload, including any 802.2 LLC header, so
8125 * it's 6 bytes past off_nl.
8126 */
8127 off_linktype = off_nl + 6;
8128
8129 /*
8130 * The network-layer offsets are relative to the beginning
8131 * of the MAC-layer payload; that's past the 6-byte
8132 * PPPoE header and the 2-byte PPP header.
8133 */
8134 off_nl = 6+2;
8135 off_nl_nosnap = 6+2;
8136
8137 return b0;
8138}
8139
8140struct block *
8141gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8142 int atmfield;
8143 bpf_int32 jvalue;
8144 bpf_u_int32 jtype;
8145 int reverse;
8146{
8147 struct block *b0;
8148
8149 switch (atmfield) {
8150
8151 case A_VPI:
8152 if (!is_atm)
8153 bpf_error("'vpi' supported only on raw ATM");
8154 if (off_vpi == (u_int)-1)
8155 abort();
8156 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
8157 reverse, jvalue);
8158 break;
8159
8160 case A_VCI:
8161 if (!is_atm)
8162 bpf_error("'vci' supported only on raw ATM");
8163 if (off_vci == (u_int)-1)
8164 abort();
8165 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
8166 reverse, jvalue);
8167 break;
8168
8169 case A_PROTOTYPE:
8170 if (off_proto == (u_int)-1)
8171 abort(); /* XXX - this isn't on FreeBSD */
8172 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
8173 reverse, jvalue);
8174 break;
8175
8176 case A_MSGTYPE:
8177 if (off_payload == (u_int)-1)
8178 abort();
8179 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
8180 0xffffffff, jtype, reverse, jvalue);
8181 break;
8182
8183 case A_CALLREFTYPE:
8184 if (!is_atm)
8185 bpf_error("'callref' supported only on raw ATM");
8186 if (off_proto == (u_int)-1)
8187 abort();
8188 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
8189 jtype, reverse, jvalue);
8190 break;
8191
8192 default:
8193 abort();
8194 }
8195 return b0;
8196}
8197
8198struct block *
8199gen_atmtype_abbrev(type)
8200 int type;
8201{
8202 struct block *b0, *b1;
8203
8204 switch (type) {
8205
8206 case A_METAC:
8207 /* Get all packets in Meta signalling Circuit */
8208 if (!is_atm)
8209 bpf_error("'metac' supported only on raw ATM");
8210 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8211 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8212 gen_and(b0, b1);
8213 break;
8214
8215 case A_BCC:
8216 /* Get all packets in Broadcast Circuit*/
8217 if (!is_atm)
8218 bpf_error("'bcc' supported only on raw ATM");
8219 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8220 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8221 gen_and(b0, b1);
8222 break;
8223
8224 case A_OAMF4SC:
8225 /* Get all cells in Segment OAM F4 circuit*/
8226 if (!is_atm)
8227 bpf_error("'oam4sc' supported only on raw ATM");
8228 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8229 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8230 gen_and(b0, b1);
8231 break;
8232
8233 case A_OAMF4EC:
8234 /* Get all cells in End-to-End OAM F4 Circuit*/
8235 if (!is_atm)
8236 bpf_error("'oam4ec' supported only on raw ATM");
8237 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8238 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8239 gen_and(b0, b1);
8240 break;
8241
8242 case A_SC:
8243 /* Get all packets in connection Signalling Circuit */
8244 if (!is_atm)
8245 bpf_error("'sc' supported only on raw ATM");
8246 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8247 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8248 gen_and(b0, b1);
8249 break;
8250
8251 case A_ILMIC:
8252 /* Get all packets in ILMI Circuit */
8253 if (!is_atm)
8254 bpf_error("'ilmic' supported only on raw ATM");
8255 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8256 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8257 gen_and(b0, b1);
8258 break;
8259
8260 case A_LANE:
8261 /* Get all LANE packets */
8262 if (!is_atm)
8263 bpf_error("'lane' supported only on raw ATM");
8264 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8265
8266 /*
8267 * Arrange that all subsequent tests assume LANE
8268 * rather than LLC-encapsulated packets, and set
8269 * the offsets appropriately for LANE-encapsulated
8270 * Ethernet.
8271 *
8272 * "off_mac" is the offset of the Ethernet header,
8273 * which is 2 bytes past the ATM pseudo-header
8274 * (skipping the pseudo-header and 2-byte LE Client
8275 * field). The other offsets are Ethernet offsets
8276 * relative to "off_mac".
8277 */
8278 is_lane = 1;
8279 off_mac = off_payload + 2; /* MAC header */
8280 off_linktype = off_mac + 12;
8281 off_macpl = off_mac + 14; /* Ethernet */
8282 off_nl = 0; /* Ethernet II */
8283 off_nl_nosnap = 3; /* 802.3+802.2 */
8284 break;
8285
8286 case A_LLC:
8287 /* Get all LLC-encapsulated packets */
8288 if (!is_atm)
8289 bpf_error("'llc' supported only on raw ATM");
8290 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8291 is_lane = 0;
8292 break;
8293
8294 default:
8295 abort();
8296 }
8297 return b1;
8298}
8299
8300/*
8301 * Filtering for MTP2 messages based on li value
8302 * FISU, length is null
8303 * LSSU, length is 1 or 2
8304 * MSU, length is 3 or more
8305 */
8306struct block *
8307gen_mtp2type_abbrev(type)
8308 int type;
8309{
8310 struct block *b0, *b1;
8311
8312 switch (type) {
8313
8314 case M_FISU:
8315 if ( (linktype != DLT_MTP2) &&
8316 (linktype != DLT_ERF) &&
8317 (linktype != DLT_MTP2_WITH_PHDR) )
8318 bpf_error("'fisu' supported only on MTP2");
8319 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8320 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8321 break;
8322
8323 case M_LSSU:
8324 if ( (linktype != DLT_MTP2) &&
8325 (linktype != DLT_ERF) &&
8326 (linktype != DLT_MTP2_WITH_PHDR) )
8327 bpf_error("'lssu' supported only on MTP2");
8328 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8329 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8330 gen_and(b1, b0);
8331 break;
8332
8333 case M_MSU:
8334 if ( (linktype != DLT_MTP2) &&
8335 (linktype != DLT_ERF) &&
8336 (linktype != DLT_MTP2_WITH_PHDR) )
8337 bpf_error("'msu' supported only on MTP2");
8338 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8339 break;
8340
8341 default:
8342 abort();
8343 }
8344 return b0;
8345}
8346
8347struct block *
8348gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8349 int mtp3field;
8350 bpf_u_int32 jvalue;
8351 bpf_u_int32 jtype;
8352 int reverse;
8353{
8354 struct block *b0;
8355 bpf_u_int32 val1 , val2 , val3;
8356
8357 switch (mtp3field) {
8358
8359 case M_SIO:
8360 if (off_sio == (u_int)-1)
8361 bpf_error("'sio' supported only on SS7");
8362 /* sio coded on 1 byte so max value 255 */
8363 if(jvalue > 255)
8364 bpf_error("sio value %u too big; max value = 255",
8365 jvalue);
8366 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8367 (u_int)jtype, reverse, (u_int)jvalue);
8368 break;
8369
8370 case M_OPC:
8371 if (off_opc == (u_int)-1)
8372 bpf_error("'opc' supported only on SS7");
8373 /* opc coded on 14 bits so max value 16383 */
8374 if (jvalue > 16383)
8375 bpf_error("opc value %u too big; max value = 16383",
8376 jvalue);
8377 /* the following instructions are made to convert jvalue
8378 * to the form used to write opc in an ss7 message*/
8379 val1 = jvalue & 0x00003c00;
8380 val1 = val1 >>10;
8381 val2 = jvalue & 0x000003fc;
8382 val2 = val2 <<6;
8383 val3 = jvalue & 0x00000003;
8384 val3 = val3 <<22;
8385 jvalue = val1 + val2 + val3;
8386 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8387 (u_int)jtype, reverse, (u_int)jvalue);
8388 break;
8389
8390 case M_DPC:
8391 if (off_dpc == (u_int)-1)
8392 bpf_error("'dpc' supported only on SS7");
8393 /* dpc coded on 14 bits so max value 16383 */
8394 if (jvalue > 16383)
8395 bpf_error("dpc value %u too big; max value = 16383",
8396 jvalue);
8397 /* the following instructions are made to convert jvalue
8398 * to the forme used to write dpc in an ss7 message*/
8399 val1 = jvalue & 0x000000ff;
8400 val1 = val1 << 24;
8401 val2 = jvalue & 0x00003f00;
8402 val2 = val2 << 8;
8403 jvalue = val1 + val2;
8404 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8405 (u_int)jtype, reverse, (u_int)jvalue);
8406 break;
8407
8408 case M_SLS:
8409 if (off_sls == (u_int)-1)
8410 bpf_error("'sls' supported only on SS7");
8411 /* sls coded on 4 bits so max value 15 */
8412 if (jvalue > 15)
8413 bpf_error("sls value %u too big; max value = 15",
8414 jvalue);
8415 /* the following instruction is made to convert jvalue
8416 * to the forme used to write sls in an ss7 message*/
8417 jvalue = jvalue << 4;
8418 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8419 (u_int)jtype,reverse, (u_int)jvalue);
8420 break;
8421
8422 default:
8423 abort();
8424 }
8425 return b0;
8426}
8427
8428static struct block *
8429gen_msg_abbrev(type)
8430 int type;
8431{
8432 struct block *b1;
8433
8434 /*
8435 * Q.2931 signalling protocol messages for handling virtual circuits
8436 * establishment and teardown
8437 */
8438 switch (type) {
8439
8440 case A_SETUP:
8441 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8442 break;
8443
8444 case A_CALLPROCEED:
8445 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8446 break;
8447
8448 case A_CONNECT:
8449 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8450 break;
8451
8452 case A_CONNECTACK:
8453 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8454 break;
8455
8456 case A_RELEASE:
8457 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8458 break;
8459
8460 case A_RELEASE_DONE:
8461 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8462 break;
8463
8464 default:
8465 abort();
8466 }
8467 return b1;
8468}
8469
8470struct block *
8471gen_atmmulti_abbrev(type)
8472 int type;
8473{
8474 struct block *b0, *b1;
8475
8476 switch (type) {
8477
8478 case A_OAM:
8479 if (!is_atm)
8480 bpf_error("'oam' supported only on raw ATM");
8481 b1 = gen_atmmulti_abbrev(A_OAMF4);
8482 break;
8483
8484 case A_OAMF4:
8485 if (!is_atm)
8486 bpf_error("'oamf4' supported only on raw ATM");
8487 /* OAM F4 type */
8488 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8489 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8490 gen_or(b0, b1);
8491 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8492 gen_and(b0, b1);
8493 break;
8494
8495 case A_CONNECTMSG:
8496 /*
8497 * Get Q.2931 signalling messages for switched
8498 * virtual connection
8499 */
8500 if (!is_atm)
8501 bpf_error("'connectmsg' supported only on raw ATM");
8502 b0 = gen_msg_abbrev(A_SETUP);
8503 b1 = gen_msg_abbrev(A_CALLPROCEED);
8504 gen_or(b0, b1);
8505 b0 = gen_msg_abbrev(A_CONNECT);
8506 gen_or(b0, b1);
8507 b0 = gen_msg_abbrev(A_CONNECTACK);
8508 gen_or(b0, b1);
8509 b0 = gen_msg_abbrev(A_RELEASE);
8510 gen_or(b0, b1);
8511 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8512 gen_or(b0, b1);
8513 b0 = gen_atmtype_abbrev(A_SC);
8514 gen_and(b0, b1);
8515 break;
8516
8517 case A_METACONNECT:
8518 if (!is_atm)
8519 bpf_error("'metaconnect' supported only on raw ATM");
8520 b0 = gen_msg_abbrev(A_SETUP);
8521 b1 = gen_msg_abbrev(A_CALLPROCEED);
8522 gen_or(b0, b1);
8523 b0 = gen_msg_abbrev(A_CONNECT);
8524 gen_or(b0, b1);
8525 b0 = gen_msg_abbrev(A_RELEASE);
8526 gen_or(b0, b1);
8527 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8528 gen_or(b0, b1);
8529 b0 = gen_atmtype_abbrev(A_METAC);
8530 gen_and(b0, b1);
8531 break;
8532
8533 default:
8534 abort();
8535 }
8536 return b1;
8537}
|