1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26
27 #include <pcap-types.h>
28 #ifdef _WIN32
29 #include <ws2tcpip.h>
30 #else
31 #include <sys/socket.h>
32
33 #ifdef __NetBSD__
34 #include <sys/param.h>
35 #endif
36
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
39 #endif /* _WIN32 */
40
41 #include <stdlib.h>
42 #include <string.h>
43 #include <memory.h>
44 #include <setjmp.h>
45 #include <stdarg.h>
46
47 #ifdef MSDOS
48 #include "pcap-dos.h"
49 #endif
50
51 #include "pcap-int.h"
52
53 #include "extract.h"
54
55 #include "ethertype.h"
56 #include "nlpid.h"
57 #include "llc.h"
58 #include "gencode.h"
59 #include "ieee80211.h"
60 #include "atmuni31.h"
61 #include "sunatmpos.h"
62 #include "ppp.h"
63 #include "pcap/sll.h"
64 #include "pcap/ipnet.h"
65 #include "arcnet.h"
66
67 #include "grammar.h"
68 #include "scanner.h"
69
70 #if defined(linux)
71 #include <linux/types.h>
72 #include <linux/if_packet.h>
73 #include <linux/filter.h>
74 #endif
75
76 #ifdef HAVE_NET_PFVAR_H
77 #include <sys/socket.h>
78 #include <net/if.h>
79 #include <net/pfvar.h>
80 #include <net/if_pflog.h>
81 #endif
82
83 #ifndef offsetof
84 #define offsetof(s, e) ((size_t)&((s *)0)->e)
85 #endif
86
87 #ifdef _WIN32
88 #ifdef INET6
89 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
90 /* IPv6 address */
91 struct in6_addr
92 {
93 union
94 {
95 uint8_t u6_addr8[16];
96 uint16_t u6_addr16[8];
97 uint32_t u6_addr32[4];
98 } in6_u;
99 #define s6_addr in6_u.u6_addr8
100 #define s6_addr16 in6_u.u6_addr16
101 #define s6_addr32 in6_u.u6_addr32
102 #define s6_addr64 in6_u.u6_addr64
103 };
104
105 typedef unsigned short sa_family_t;
106
107 #define __SOCKADDR_COMMON(sa_prefix) \
108 sa_family_t sa_prefix##family
109
110 /* Ditto, for IPv6. */
111 struct sockaddr_in6
112 {
113 __SOCKADDR_COMMON (sin6_);
114 uint16_t sin6_port; /* Transport layer port # */
115 uint32_t sin6_flowinfo; /* IPv6 flow information */
116 struct in6_addr sin6_addr; /* IPv6 address */
117 };
118
119 #ifndef EAI_ADDRFAMILY
120 struct addrinfo {
121 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
122 int ai_family; /* PF_xxx */
123 int ai_socktype; /* SOCK_xxx */
124 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
125 size_t ai_addrlen; /* length of ai_addr */
126 char *ai_canonname; /* canonical name for hostname */
127 struct sockaddr *ai_addr; /* binary address */
128 struct addrinfo *ai_next; /* next structure in linked list */
129 };
130 #endif /* EAI_ADDRFAMILY */
131 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
132 #endif /* INET6 */
133 #else /* _WIN32 */
134 #include <netdb.h> /* for "struct addrinfo" */
135 #endif /* _WIN32 */
136 #include <pcap/namedb.h>
137
138 #include "nametoaddr.h"
139
140 #define ETHERMTU 1500
141
142 #ifndef IPPROTO_HOPOPTS
143 #define IPPROTO_HOPOPTS 0
144 #endif
145 #ifndef IPPROTO_ROUTING
146 #define IPPROTO_ROUTING 43
147 #endif
148 #ifndef IPPROTO_FRAGMENT
149 #define IPPROTO_FRAGMENT 44
150 #endif
151 #ifndef IPPROTO_DSTOPTS
152 #define IPPROTO_DSTOPTS 60
153 #endif
154 #ifndef IPPROTO_SCTP
155 #define IPPROTO_SCTP 132
156 #endif
157
158 #define GENEVE_PORT 6081
159
160 #ifdef HAVE_OS_PROTO_H
161 #include "os-proto.h"
162 #endif
163
164 #define JMP(c) ((c)|BPF_JMP|BPF_K)
165
166 /*
167 * "Push" the current value of the link-layer header type and link-layer
168 * header offset onto a "stack", and set a new value. (It's not a
169 * full-blown stack; we keep only the top two items.)
170 */
171 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
172 { \
173 (cs)->prevlinktype = (cs)->linktype; \
174 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
175 (cs)->linktype = (new_linktype); \
176 (cs)->off_linkhdr.is_variable = (new_is_variable); \
177 (cs)->off_linkhdr.constant_part = (new_constant_part); \
178 (cs)->off_linkhdr.reg = (new_reg); \
179 (cs)->is_geneve = 0; \
180 }
181
182 /*
183 * Offset "not set" value.
184 */
185 #define OFFSET_NOT_SET 0xffffffffU
186
187 /*
188 * Absolute offsets, which are offsets from the beginning of the raw
189 * packet data, are, in the general case, the sum of a variable value
190 * and a constant value; the variable value may be absent, in which
191 * case the offset is only the constant value, and the constant value
192 * may be zero, in which case the offset is only the variable value.
193 *
194 * bpf_abs_offset is a structure containing all that information:
195 *
196 * is_variable is 1 if there's a variable part.
197 *
198 * constant_part is the constant part of the value, possibly zero;
199 *
200 * if is_variable is 1, reg is the register number for a register
201 * containing the variable value if the register has been assigned,
202 * and -1 otherwise.
203 */
204 typedef struct {
205 int is_variable;
206 u_int constant_part;
207 int reg;
208 } bpf_abs_offset;
209
210 /*
211 * Value passed to gen_load_a() to indicate what the offset argument
212 * is relative to the beginning of.
213 */
214 enum e_offrel {
215 OR_PACKET, /* full packet data */
216 OR_LINKHDR, /* link-layer header */
217 OR_PREVLINKHDR, /* previous link-layer header */
218 OR_LLC, /* 802.2 LLC header */
219 OR_PREVMPLSHDR, /* previous MPLS header */
220 OR_LINKTYPE, /* link-layer type */
221 OR_LINKPL, /* link-layer payload */
222 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
223 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
224 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
225 };
226
227 /*
228 * We divy out chunks of memory rather than call malloc each time so
229 * we don't have to worry about leaking memory. It's probably
230 * not a big deal if all this memory was wasted but if this ever
231 * goes into a library that would probably not be a good idea.
232 *
233 * XXX - this *is* in a library....
234 */
235 #define NCHUNKS 16
236 #define CHUNK0SIZE 1024
237 struct chunk {
238 size_t n_left;
239 void *m;
240 };
241
242 /* Code generator state */
243
244 struct _compiler_state {
245 jmp_buf top_ctx;
246 pcap_t *bpf_pcap;
247 int error_set;
248
249 struct icode ic;
250
251 int snaplen;
252
253 int linktype;
254 int prevlinktype;
255 int outermostlinktype;
256
257 bpf_u_int32 netmask;
258 int no_optimize;
259
260 /* Hack for handling VLAN and MPLS stacks. */
261 u_int label_stack_depth;
262 u_int vlan_stack_depth;
263
264 /* XXX */
265 u_int pcap_fddipad;
266
267 /*
268 * As errors are handled by a longjmp, anything allocated must
269 * be freed in the longjmp handler, so it must be reachable
270 * from that handler.
271 *
272 * One thing that's allocated is the result of pcap_nametoaddrinfo();
273 * it must be freed with freeaddrinfo(). This variable points to
274 * any addrinfo structure that would need to be freed.
275 */
276 struct addrinfo *ai;
277
278 /*
279 * Another thing that's allocated is the result of pcap_ether_aton();
280 * it must be freed with free(). This variable points to any
281 * address that would need to be freed.
282 */
283 u_char *e;
284
285 /*
286 * Various code constructs need to know the layout of the packet.
287 * These values give the necessary offsets from the beginning
288 * of the packet data.
289 */
290
291 /*
292 * Absolute offset of the beginning of the link-layer header.
293 */
294 bpf_abs_offset off_linkhdr;
295
296 /*
297 * If we're checking a link-layer header for a packet encapsulated
298 * in another protocol layer, this is the equivalent information
299 * for the previous layers' link-layer header from the beginning
300 * of the raw packet data.
301 */
302 bpf_abs_offset off_prevlinkhdr;
303
304 /*
305 * This is the equivalent information for the outermost layers'
306 * link-layer header.
307 */
308 bpf_abs_offset off_outermostlinkhdr;
309
310 /*
311 * Absolute offset of the beginning of the link-layer payload.
312 */
313 bpf_abs_offset off_linkpl;
314
315 /*
316 * "off_linktype" is the offset to information in the link-layer
317 * header giving the packet type. This is an absolute offset
318 * from the beginning of the packet.
319 *
320 * For Ethernet, it's the offset of the Ethernet type field; this
321 * means that it must have a value that skips VLAN tags.
322 *
323 * For link-layer types that always use 802.2 headers, it's the
324 * offset of the LLC header; this means that it must have a value
325 * that skips VLAN tags.
326 *
327 * For PPP, it's the offset of the PPP type field.
328 *
329 * For Cisco HDLC, it's the offset of the CHDLC type field.
330 *
331 * For BSD loopback, it's the offset of the AF_ value.
332 *
333 * For Linux cooked sockets, it's the offset of the type field.
334 *
335 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
336 * encapsulation, in which case, IP is assumed.
337 */
338 bpf_abs_offset off_linktype;
339
340 /*
341 * TRUE if the link layer includes an ATM pseudo-header.
342 */
343 int is_atm;
344
345 /*
346 * TRUE if "geneve" appeared in the filter; it causes us to
347 * generate code that checks for a Geneve header and assume
348 * that later filters apply to the encapsulated payload.
349 */
350 int is_geneve;
351
352 /*
353 * TRUE if we need variable length part of VLAN offset
354 */
355 int is_vlan_vloffset;
356
357 /*
358 * These are offsets for the ATM pseudo-header.
359 */
360 u_int off_vpi;
361 u_int off_vci;
362 u_int off_proto;
363
364 /*
365 * These are offsets for the MTP2 fields.
366 */
367 u_int off_li;
368 u_int off_li_hsl;
369
370 /*
371 * These are offsets for the MTP3 fields.
372 */
373 u_int off_sio;
374 u_int off_opc;
375 u_int off_dpc;
376 u_int off_sls;
377
378 /*
379 * This is the offset of the first byte after the ATM pseudo_header,
380 * or -1 if there is no ATM pseudo-header.
381 */
382 u_int off_payload;
383
384 /*
385 * These are offsets to the beginning of the network-layer header.
386 * They are relative to the beginning of the link-layer payload
387 * (i.e., they don't include off_linkhdr.constant_part or
388 * off_linkpl.constant_part).
389 *
390 * If the link layer never uses 802.2 LLC:
391 *
392 * "off_nl" and "off_nl_nosnap" are the same.
393 *
394 * If the link layer always uses 802.2 LLC:
395 *
396 * "off_nl" is the offset if there's a SNAP header following
397 * the 802.2 header;
398 *
399 * "off_nl_nosnap" is the offset if there's no SNAP header.
400 *
401 * If the link layer is Ethernet:
402 *
403 * "off_nl" is the offset if the packet is an Ethernet II packet
404 * (we assume no 802.3+802.2+SNAP);
405 *
406 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
407 * with an 802.2 header following it.
408 */
409 u_int off_nl;
410 u_int off_nl_nosnap;
411
412 /*
413 * Here we handle simple allocation of the scratch registers.
414 * If too many registers are alloc'd, the allocator punts.
415 */
416 int regused[BPF_MEMWORDS];
417 int curreg;
418
419 /*
420 * Memory chunks.
421 */
422 struct chunk chunks[NCHUNKS];
423 int cur_chunk;
424 };
425
426 /*
427 * For use by routines outside this file.
428 */
429 /* VARARGS */
430 void
bpf_set_error(compiler_state_t * cstate,const char * fmt,...)431 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
432 {
433 va_list ap;
434
435 /*
436 * If we've already set an error, don't override it.
437 * The lexical analyzer reports some errors by setting
438 * the error and then returning a LEX_ERROR token, which
439 * is not recognized by any grammar rule, and thus forces
440 * the parse to stop. We don't want the error reported
441 * by the lexical analyzer to be overwritten by the syntax
442 * error.
443 */
444 if (!cstate->error_set) {
445 va_start(ap, fmt);
446 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
447 fmt, ap);
448 va_end(ap);
449 cstate->error_set = 1;
450 }
451 }
452
453 /*
454 * For use *ONLY* in routines in this file.
455 */
456 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
457 PCAP_PRINTFLIKE(2, 3);
458
459 /* VARARGS */
460 static void PCAP_NORETURN
bpf_error(compiler_state_t * cstate,const char * fmt,...)461 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
462 {
463 va_list ap;
464
465 va_start(ap, fmt);
466 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
467 fmt, ap);
468 va_end(ap);
469 longjmp(cstate->top_ctx, 1);
470 /*NOTREACHED*/
471 }
472
473 static int init_linktype(compiler_state_t *, pcap_t *);
474
475 static void init_regs(compiler_state_t *);
476 static int alloc_reg(compiler_state_t *);
477 static void free_reg(compiler_state_t *, int);
478
479 static void initchunks(compiler_state_t *cstate);
480 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
481 static void *newchunk(compiler_state_t *cstate, size_t);
482 static void freechunks(compiler_state_t *cstate);
483 static inline struct block *new_block(compiler_state_t *cstate, int);
484 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
485 static struct block *gen_retblk(compiler_state_t *cstate, int);
486 static inline void syntax(compiler_state_t *cstate);
487
488 static void backpatch(struct block *, struct block *);
489 static void merge(struct block *, struct block *);
490 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
491 u_int, bpf_u_int32);
492 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
493 u_int, bpf_u_int32);
494 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
495 u_int, bpf_u_int32);
496 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
497 u_int, bpf_u_int32);
498 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
499 u_int, bpf_u_int32);
500 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
501 u_int, bpf_u_int32, bpf_u_int32);
502 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
503 u_int, const u_char *);
504 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int,
505 u_int, bpf_u_int32, int, int, bpf_u_int32);
506 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
507 u_int, u_int);
508 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
509 u_int);
510 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
511 static struct block *gen_uncond(compiler_state_t *, int);
512 static inline struct block *gen_true(compiler_state_t *);
513 static inline struct block *gen_false(compiler_state_t *);
514 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32);
515 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32);
516 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32);
517 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
518 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
519 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
520 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
521 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
522 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
523 bpf_abs_offset *);
524 static bpf_u_int32 ethertype_to_ppptype(bpf_u_int32);
525 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32);
526 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
527 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32);
528 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
529 int, bpf_u_int32, u_int, u_int);
530 #ifdef INET6
531 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
532 struct in6_addr *, int, bpf_u_int32, u_int, u_int);
533 #endif
534 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
535 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
536 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
537 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
538 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
539 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
540 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
541 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32);
542 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
543 int, int, int);
544 #ifdef INET6
545 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
546 struct in6_addr *, int, int, int);
547 #endif
548 #ifndef INET6
549 static struct block *gen_gateway(compiler_state_t *, const u_char *,
550 struct addrinfo *, int, int);
551 #endif
552 static struct block *gen_ipfrag(compiler_state_t *);
553 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32);
554 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32,
555 bpf_u_int32);
556 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32);
557 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32,
558 bpf_u_int32);
559 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int);
560 static struct block *gen_port(compiler_state_t *, u_int, int, int);
561 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int,
562 bpf_u_int32, int);
563 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int);
564 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int);
565 static struct block *gen_port6(compiler_state_t *, u_int, int, int);
566 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int,
567 bpf_u_int32, int);
568 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int);
569 static int lookup_proto(compiler_state_t *, const char *, int);
570 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int);
571 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int, int);
572 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
573 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
574 static struct block *gen_mac_multicast(compiler_state_t *, int);
575 static struct block *gen_len(compiler_state_t *, int, int);
576 static struct block *gen_check_802_11_data_frame(compiler_state_t *);
577 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
578
579 static struct block *gen_ppi_dlt_check(compiler_state_t *);
580 static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
581 bpf_u_int32, int, int);
582 static struct block *gen_atmtype_llc(compiler_state_t *);
583 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
584
585 static void
initchunks(compiler_state_t * cstate)586 initchunks(compiler_state_t *cstate)
587 {
588 int i;
589
590 for (i = 0; i < NCHUNKS; i++) {
591 cstate->chunks[i].n_left = 0;
592 cstate->chunks[i].m = NULL;
593 }
594 cstate->cur_chunk = 0;
595 }
596
597 static void *
newchunk_nolongjmp(compiler_state_t * cstate,size_t n)598 newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
599 {
600 struct chunk *cp;
601 int k;
602 size_t size;
603
604 #ifndef __NetBSD__
605 /* XXX Round up to nearest long. */
606 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
607 #else
608 /* XXX Round up to structure boundary. */
609 n = ALIGN(n);
610 #endif
611
612 cp = &cstate->chunks[cstate->cur_chunk];
613 if (n > cp->n_left) {
614 ++cp;
615 k = ++cstate->cur_chunk;
616 if (k >= NCHUNKS) {
617 bpf_set_error(cstate, "out of memory");
618 return (NULL);
619 }
620 size = CHUNK0SIZE << k;
621 cp->m = (void *)malloc(size);
622 if (cp->m == NULL) {
623 bpf_set_error(cstate, "out of memory");
624 return (NULL);
625 }
626 memset((char *)cp->m, 0, size);
627 cp->n_left = size;
628 if (n > size) {
629 bpf_set_error(cstate, "out of memory");
630 return (NULL);
631 }
632 }
633 cp->n_left -= n;
634 return (void *)((char *)cp->m + cp->n_left);
635 }
636
637 static void *
newchunk(compiler_state_t * cstate,size_t n)638 newchunk(compiler_state_t *cstate, size_t n)
639 {
640 void *p;
641
642 p = newchunk_nolongjmp(cstate, n);
643 if (p == NULL) {
644 longjmp(cstate->top_ctx, 1);
645 /*NOTREACHED*/
646 }
647 return (p);
648 }
649
650 static void
freechunks(compiler_state_t * cstate)651 freechunks(compiler_state_t *cstate)
652 {
653 int i;
654
655 for (i = 0; i < NCHUNKS; ++i)
656 if (cstate->chunks[i].m != NULL)
657 free(cstate->chunks[i].m);
658 }
659
660 /*
661 * A strdup whose allocations are freed after code generation is over.
662 * This is used by the lexical analyzer, so it can't longjmp; it just
663 * returns NULL on an allocation error, and the callers must check
664 * for it.
665 */
666 char *
sdup(compiler_state_t * cstate,const char * s)667 sdup(compiler_state_t *cstate, const char *s)
668 {
669 size_t n = strlen(s) + 1;
670 char *cp = newchunk_nolongjmp(cstate, n);
671
672 if (cp == NULL)
673 return (NULL);
674 pcap_strlcpy(cp, s, n);
675 return (cp);
676 }
677
678 static inline struct block *
new_block(compiler_state_t * cstate,int code)679 new_block(compiler_state_t *cstate, int code)
680 {
681 struct block *p;
682
683 p = (struct block *)newchunk(cstate, sizeof(*p));
684 p->s.code = code;
685 p->head = p;
686
687 return p;
688 }
689
690 static inline struct slist *
new_stmt(compiler_state_t * cstate,int code)691 new_stmt(compiler_state_t *cstate, int code)
692 {
693 struct slist *p;
694
695 p = (struct slist *)newchunk(cstate, sizeof(*p));
696 p->s.code = code;
697
698 return p;
699 }
700
701 static struct block *
gen_retblk(compiler_state_t * cstate,int v)702 gen_retblk(compiler_state_t *cstate, int v)
703 {
704 struct block *b = new_block(cstate, BPF_RET|BPF_K);
705
706 b->s.k = v;
707 return b;
708 }
709
710 static inline PCAP_NORETURN_DEF void
syntax(compiler_state_t * cstate)711 syntax(compiler_state_t *cstate)
712 {
713 bpf_error(cstate, "syntax error in filter expression");
714 }
715
716 int
pcap_compile(pcap_t * p,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)717 pcap_compile(pcap_t *p, struct bpf_program *program,
718 const char *buf, int optimize, bpf_u_int32 mask)
719 {
720 #ifdef _WIN32
721 static int done = 0;
722 #endif
723 compiler_state_t cstate;
724 const char * volatile xbuf = buf;
725 yyscan_t scanner = NULL;
726 volatile YY_BUFFER_STATE in_buffer = NULL;
727 u_int len;
728 int rc;
729
730 /*
731 * If this pcap_t hasn't been activated, it doesn't have a
732 * link-layer type, so we can't use it.
733 */
734 if (!p->activated) {
735 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
736 "not-yet-activated pcap_t passed to pcap_compile");
737 return (-1);
738 }
739
740 #ifdef _WIN32
741 if (!done)
742 pcap_wsockinit();
743 done = 1;
744 #endif
745
746 #ifdef ENABLE_REMOTE
747 /*
748 * If the device on which we're capturing need to be notified
749 * that a new filter is being compiled, do so.
750 *
751 * This allows them to save a copy of it, in case, for example,
752 * they're implementing a form of remote packet capture, and
753 * want the remote machine to filter out the packets in which
754 * it's sending the packets it's captured.
755 *
756 * XXX - the fact that we happen to be compiling a filter
757 * doesn't necessarily mean we'll be installing it as the
758 * filter for this pcap_t; we might be running it from userland
759 * on captured packets to do packet classification. We really
760 * need a better way of handling this, but this is all that
761 * the WinPcap remote capture code did.
762 */
763 if (p->save_current_filter_op != NULL)
764 (p->save_current_filter_op)(p, buf);
765 #endif
766
767 initchunks(&cstate);
768 cstate.no_optimize = 0;
769 #ifdef INET6
770 cstate.ai = NULL;
771 #endif
772 cstate.e = NULL;
773 cstate.ic.root = NULL;
774 cstate.ic.cur_mark = 0;
775 cstate.bpf_pcap = p;
776 cstate.error_set = 0;
777 init_regs(&cstate);
778
779 cstate.netmask = mask;
780
781 cstate.snaplen = pcap_snapshot(p);
782 if (cstate.snaplen == 0) {
783 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
784 "snaplen of 0 rejects all packets");
785 rc = -1;
786 goto quit;
787 }
788
789 if (pcap_lex_init(&scanner) != 0)
790 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
791 errno, "can't initialize scanner");
792 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
793
794 /*
795 * Associate the compiler state with the lexical analyzer
796 * state.
797 */
798 pcap_set_extra(&cstate, scanner);
799
800 if (init_linktype(&cstate, p) == -1) {
801 rc = -1;
802 goto quit;
803 }
804 if (pcap_parse(scanner, &cstate) != 0) {
805 #ifdef INET6
806 if (cstate.ai != NULL)
807 freeaddrinfo(cstate.ai);
808 #endif
809 if (cstate.e != NULL)
810 free(cstate.e);
811 rc = -1;
812 goto quit;
813 }
814
815 if (cstate.ic.root == NULL) {
816 /*
817 * Catch errors reported by gen_retblk().
818 */
819 if (setjmp(cstate.top_ctx)) {
820 rc = -1;
821 goto quit;
822 }
823 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
824 }
825
826 if (optimize && !cstate.no_optimize) {
827 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
828 /* Failure */
829 rc = -1;
830 goto quit;
831 }
832 if (cstate.ic.root == NULL ||
833 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
834 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
835 "expression rejects all packets");
836 rc = -1;
837 goto quit;
838 }
839 }
840 program->bf_insns = icode_to_fcode(&cstate.ic,
841 cstate.ic.root, &len, p->errbuf);
842 if (program->bf_insns == NULL) {
843 /* Failure */
844 rc = -1;
845 goto quit;
846 }
847 program->bf_len = len;
848
849 rc = 0; /* We're all okay */
850
851 quit:
852 /*
853 * Clean up everything for the lexical analyzer.
854 */
855 if (in_buffer != NULL)
856 pcap__delete_buffer(in_buffer, scanner);
857 if (scanner != NULL)
858 pcap_lex_destroy(scanner);
859
860 /*
861 * Clean up our own allocated memory.
862 */
863 freechunks(&cstate);
864
865 return (rc);
866 }
867
868 /*
869 * entry point for using the compiler with no pcap open
870 * pass in all the stuff that is needed explicitly instead.
871 */
872 int
pcap_compile_nopcap(int snaplen_arg,int linktype_arg,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)873 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
874 struct bpf_program *program,
875 const char *buf, int optimize, bpf_u_int32 mask)
876 {
877 pcap_t *p;
878 int ret;
879
880 p = pcap_open_dead(linktype_arg, snaplen_arg);
881 if (p == NULL)
882 return (-1);
883 ret = pcap_compile(p, program, buf, optimize, mask);
884 pcap_close(p);
885 return (ret);
886 }
887
888 /*
889 * Clean up a "struct bpf_program" by freeing all the memory allocated
890 * in it.
891 */
892 void
pcap_freecode(struct bpf_program * program)893 pcap_freecode(struct bpf_program *program)
894 {
895 program->bf_len = 0;
896 if (program->bf_insns != NULL) {
897 free((char *)program->bf_insns);
898 program->bf_insns = NULL;
899 }
900 }
901
902 /*
903 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
904 * which of the jt and jf fields has been resolved and which is a pointer
905 * back to another unresolved block (or nil). At least one of the fields
906 * in each block is already resolved.
907 */
908 static void
backpatch(struct block * list,struct block * target)909 backpatch(struct block *list, struct block *target)
910 {
911 struct block *next;
912
913 while (list) {
914 if (!list->sense) {
915 next = JT(list);
916 JT(list) = target;
917 } else {
918 next = JF(list);
919 JF(list) = target;
920 }
921 list = next;
922 }
923 }
924
925 /*
926 * Merge the lists in b0 and b1, using the 'sense' field to indicate
927 * which of jt and jf is the link.
928 */
929 static void
merge(struct block * b0,struct block * b1)930 merge(struct block *b0, struct block *b1)
931 {
932 register struct block **p = &b0;
933
934 /* Find end of list. */
935 while (*p)
936 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
937
938 /* Concatenate the lists. */
939 *p = b1;
940 }
941
942 int
finish_parse(compiler_state_t * cstate,struct block * p)943 finish_parse(compiler_state_t *cstate, struct block *p)
944 {
945 struct block *ppi_dlt_check;
946
947 /*
948 * Catch errors reported by us and routines below us, and return -1
949 * on an error.
950 */
951 if (setjmp(cstate->top_ctx))
952 return (-1);
953
954 /*
955 * Insert before the statements of the first (root) block any
956 * statements needed to load the lengths of any variable-length
957 * headers into registers.
958 *
959 * XXX - a fancier strategy would be to insert those before the
960 * statements of all blocks that use those lengths and that
961 * have no predecessors that use them, so that we only compute
962 * the lengths if we need them. There might be even better
963 * approaches than that.
964 *
965 * However, those strategies would be more complicated, and
966 * as we don't generate code to compute a length if the
967 * program has no tests that use the length, and as most
968 * tests will probably use those lengths, we would just
969 * postpone computing the lengths so that it's not done
970 * for tests that fail early, and it's not clear that's
971 * worth the effort.
972 */
973 insert_compute_vloffsets(cstate, p->head);
974
975 /*
976 * For DLT_PPI captures, generate a check of the per-packet
977 * DLT value to make sure it's DLT_IEEE802_11.
978 *
979 * XXX - TurboCap cards use DLT_PPI for Ethernet.
980 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
981 * with appropriate Ethernet information and use that rather
982 * than using something such as DLT_PPI where you don't know
983 * the link-layer header type until runtime, which, in the
984 * general case, would force us to generate both Ethernet *and*
985 * 802.11 code (*and* anything else for which PPI is used)
986 * and choose between them early in the BPF program?
987 */
988 ppi_dlt_check = gen_ppi_dlt_check(cstate);
989 if (ppi_dlt_check != NULL)
990 gen_and(ppi_dlt_check, p);
991
992 backpatch(p, gen_retblk(cstate, cstate->snaplen));
993 p->sense = !p->sense;
994 backpatch(p, gen_retblk(cstate, 0));
995 cstate->ic.root = p->head;
996 return (0);
997 }
998
999 void
gen_and(struct block * b0,struct block * b1)1000 gen_and(struct block *b0, struct block *b1)
1001 {
1002 backpatch(b0, b1->head);
1003 b0->sense = !b0->sense;
1004 b1->sense = !b1->sense;
1005 merge(b1, b0);
1006 b1->sense = !b1->sense;
1007 b1->head = b0->head;
1008 }
1009
1010 void
gen_or(struct block * b0,struct block * b1)1011 gen_or(struct block *b0, struct block *b1)
1012 {
1013 b0->sense = !b0->sense;
1014 backpatch(b0, b1->head);
1015 b0->sense = !b0->sense;
1016 merge(b1, b0);
1017 b1->head = b0->head;
1018 }
1019
1020 void
gen_not(struct block * b)1021 gen_not(struct block *b)
1022 {
1023 b->sense = !b->sense;
1024 }
1025
1026 static struct block *
gen_cmp(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1027 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1028 u_int size, bpf_u_int32 v)
1029 {
1030 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1031 }
1032
1033 static struct block *
gen_cmp_gt(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1034 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1035 u_int size, bpf_u_int32 v)
1036 {
1037 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1038 }
1039
1040 static struct block *
gen_cmp_ge(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1041 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1042 u_int size, bpf_u_int32 v)
1043 {
1044 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1045 }
1046
1047 static struct block *
gen_cmp_lt(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1048 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1049 u_int size, bpf_u_int32 v)
1050 {
1051 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1052 }
1053
1054 static struct block *
gen_cmp_le(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1055 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1056 u_int size, bpf_u_int32 v)
1057 {
1058 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1059 }
1060
1061 static struct block *
gen_mcmp(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v,bpf_u_int32 mask)1062 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1063 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1064 {
1065 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1066 }
1067
1068 static struct block *
gen_bcmp(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,const u_char * v)1069 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1070 u_int size, const u_char *v)
1071 {
1072 register struct block *b, *tmp;
1073
1074 b = NULL;
1075 while (size >= 4) {
1076 register const u_char *p = &v[size - 4];
1077
1078 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1079 EXTRACT_BE_U_4(p));
1080 if (b != NULL)
1081 gen_and(b, tmp);
1082 b = tmp;
1083 size -= 4;
1084 }
1085 while (size >= 2) {
1086 register const u_char *p = &v[size - 2];
1087
1088 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1089 EXTRACT_BE_U_2(p));
1090 if (b != NULL)
1091 gen_and(b, tmp);
1092 b = tmp;
1093 size -= 2;
1094 }
1095 if (size > 0) {
1096 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]);
1097 if (b != NULL)
1098 gen_and(b, tmp);
1099 b = tmp;
1100 }
1101 return b;
1102 }
1103
1104 /*
1105 * AND the field of size "size" at offset "offset" relative to the header
1106 * specified by "offrel" with "mask", and compare it with the value "v"
1107 * with the test specified by "jtype"; if "reverse" is true, the test
1108 * should test the opposite of "jtype".
1109 */
1110 static struct block *
gen_ncmp(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 mask,int jtype,int reverse,bpf_u_int32 v)1111 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1112 u_int size, bpf_u_int32 mask, int jtype, int reverse,
1113 bpf_u_int32 v)
1114 {
1115 struct slist *s, *s2;
1116 struct block *b;
1117
1118 s = gen_load_a(cstate, offrel, offset, size);
1119
1120 if (mask != 0xffffffff) {
1121 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1122 s2->s.k = mask;
1123 sappend(s, s2);
1124 }
1125
1126 b = new_block(cstate, JMP(jtype));
1127 b->stmts = s;
1128 b->s.k = v;
1129 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1130 gen_not(b);
1131 return b;
1132 }
1133
1134 static int
init_linktype(compiler_state_t * cstate,pcap_t * p)1135 init_linktype(compiler_state_t *cstate, pcap_t *p)
1136 {
1137 cstate->pcap_fddipad = p->fddipad;
1138
1139 /*
1140 * We start out with only one link-layer header.
1141 */
1142 cstate->outermostlinktype = pcap_datalink(p);
1143 cstate->off_outermostlinkhdr.constant_part = 0;
1144 cstate->off_outermostlinkhdr.is_variable = 0;
1145 cstate->off_outermostlinkhdr.reg = -1;
1146
1147 cstate->prevlinktype = cstate->outermostlinktype;
1148 cstate->off_prevlinkhdr.constant_part = 0;
1149 cstate->off_prevlinkhdr.is_variable = 0;
1150 cstate->off_prevlinkhdr.reg = -1;
1151
1152 cstate->linktype = cstate->outermostlinktype;
1153 cstate->off_linkhdr.constant_part = 0;
1154 cstate->off_linkhdr.is_variable = 0;
1155 cstate->off_linkhdr.reg = -1;
1156
1157 /*
1158 * XXX
1159 */
1160 cstate->off_linkpl.constant_part = 0;
1161 cstate->off_linkpl.is_variable = 0;
1162 cstate->off_linkpl.reg = -1;
1163
1164 cstate->off_linktype.constant_part = 0;
1165 cstate->off_linktype.is_variable = 0;
1166 cstate->off_linktype.reg = -1;
1167
1168 /*
1169 * Assume it's not raw ATM with a pseudo-header, for now.
1170 */
1171 cstate->is_atm = 0;
1172 cstate->off_vpi = OFFSET_NOT_SET;
1173 cstate->off_vci = OFFSET_NOT_SET;
1174 cstate->off_proto = OFFSET_NOT_SET;
1175 cstate->off_payload = OFFSET_NOT_SET;
1176
1177 /*
1178 * And not Geneve.
1179 */
1180 cstate->is_geneve = 0;
1181
1182 /*
1183 * No variable length VLAN offset by default
1184 */
1185 cstate->is_vlan_vloffset = 0;
1186
1187 /*
1188 * And assume we're not doing SS7.
1189 */
1190 cstate->off_li = OFFSET_NOT_SET;
1191 cstate->off_li_hsl = OFFSET_NOT_SET;
1192 cstate->off_sio = OFFSET_NOT_SET;
1193 cstate->off_opc = OFFSET_NOT_SET;
1194 cstate->off_dpc = OFFSET_NOT_SET;
1195 cstate->off_sls = OFFSET_NOT_SET;
1196
1197 cstate->label_stack_depth = 0;
1198 cstate->vlan_stack_depth = 0;
1199
1200 switch (cstate->linktype) {
1201
1202 case DLT_ARCNET:
1203 cstate->off_linktype.constant_part = 2;
1204 cstate->off_linkpl.constant_part = 6;
1205 cstate->off_nl = 0; /* XXX in reality, variable! */
1206 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1207 break;
1208
1209 case DLT_ARCNET_LINUX:
1210 cstate->off_linktype.constant_part = 4;
1211 cstate->off_linkpl.constant_part = 8;
1212 cstate->off_nl = 0; /* XXX in reality, variable! */
1213 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1214 break;
1215
1216 case DLT_EN10MB:
1217 cstate->off_linktype.constant_part = 12;
1218 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1219 cstate->off_nl = 0; /* Ethernet II */
1220 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1221 break;
1222
1223 case DLT_SLIP:
1224 /*
1225 * SLIP doesn't have a link level type. The 16 byte
1226 * header is hacked into our SLIP driver.
1227 */
1228 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1229 cstate->off_linkpl.constant_part = 16;
1230 cstate->off_nl = 0;
1231 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1232 break;
1233
1234 case DLT_SLIP_BSDOS:
1235 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1236 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1237 /* XXX end */
1238 cstate->off_linkpl.constant_part = 24;
1239 cstate->off_nl = 0;
1240 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1241 break;
1242
1243 case DLT_NULL:
1244 case DLT_LOOP:
1245 cstate->off_linktype.constant_part = 0;
1246 cstate->off_linkpl.constant_part = 4;
1247 cstate->off_nl = 0;
1248 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1249 break;
1250
1251 case DLT_ENC:
1252 cstate->off_linktype.constant_part = 0;
1253 cstate->off_linkpl.constant_part = 12;
1254 cstate->off_nl = 0;
1255 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1256 break;
1257
1258 case DLT_PPP:
1259 case DLT_PPP_PPPD:
1260 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1261 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1262 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1263 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1264 cstate->off_nl = 0;
1265 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1266 break;
1267
1268 case DLT_PPP_ETHER:
1269 /*
1270 * This does no include the Ethernet header, and
1271 * only covers session state.
1272 */
1273 cstate->off_linktype.constant_part = 6;
1274 cstate->off_linkpl.constant_part = 8;
1275 cstate->off_nl = 0;
1276 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1277 break;
1278
1279 case DLT_PPP_BSDOS:
1280 cstate->off_linktype.constant_part = 5;
1281 cstate->off_linkpl.constant_part = 24;
1282 cstate->off_nl = 0;
1283 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1284 break;
1285
1286 case DLT_FDDI:
1287 /*
1288 * FDDI doesn't really have a link-level type field.
1289 * We set "off_linktype" to the offset of the LLC header.
1290 *
1291 * To check for Ethernet types, we assume that SSAP = SNAP
1292 * is being used and pick out the encapsulated Ethernet type.
1293 * XXX - should we generate code to check for SNAP?
1294 */
1295 cstate->off_linktype.constant_part = 13;
1296 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1297 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1298 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1299 cstate->off_nl = 8; /* 802.2+SNAP */
1300 cstate->off_nl_nosnap = 3; /* 802.2 */
1301 break;
1302
1303 case DLT_IEEE802:
1304 /*
1305 * Token Ring doesn't really have a link-level type field.
1306 * We set "off_linktype" to the offset of the LLC header.
1307 *
1308 * To check for Ethernet types, we assume that SSAP = SNAP
1309 * is being used and pick out the encapsulated Ethernet type.
1310 * XXX - should we generate code to check for SNAP?
1311 *
1312 * XXX - the header is actually variable-length.
1313 * Some various Linux patched versions gave 38
1314 * as "off_linktype" and 40 as "off_nl"; however,
1315 * if a token ring packet has *no* routing
1316 * information, i.e. is not source-routed, the correct
1317 * values are 20 and 22, as they are in the vanilla code.
1318 *
1319 * A packet is source-routed iff the uppermost bit
1320 * of the first byte of the source address, at an
1321 * offset of 8, has the uppermost bit set. If the
1322 * packet is source-routed, the total number of bytes
1323 * of routing information is 2 plus bits 0x1F00 of
1324 * the 16-bit value at an offset of 14 (shifted right
1325 * 8 - figure out which byte that is).
1326 */
1327 cstate->off_linktype.constant_part = 14;
1328 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1329 cstate->off_nl = 8; /* 802.2+SNAP */
1330 cstate->off_nl_nosnap = 3; /* 802.2 */
1331 break;
1332
1333 case DLT_PRISM_HEADER:
1334 case DLT_IEEE802_11_RADIO_AVS:
1335 case DLT_IEEE802_11_RADIO:
1336 cstate->off_linkhdr.is_variable = 1;
1337 /* Fall through, 802.11 doesn't have a variable link
1338 * prefix but is otherwise the same. */
1339 /* FALLTHROUGH */
1340
1341 case DLT_IEEE802_11:
1342 /*
1343 * 802.11 doesn't really have a link-level type field.
1344 * We set "off_linktype.constant_part" to the offset of
1345 * the LLC header.
1346 *
1347 * To check for Ethernet types, we assume that SSAP = SNAP
1348 * is being used and pick out the encapsulated Ethernet type.
1349 * XXX - should we generate code to check for SNAP?
1350 *
1351 * We also handle variable-length radio headers here.
1352 * The Prism header is in theory variable-length, but in
1353 * practice it's always 144 bytes long. However, some
1354 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1355 * sometimes or always supply an AVS header, so we
1356 * have to check whether the radio header is a Prism
1357 * header or an AVS header, so, in practice, it's
1358 * variable-length.
1359 */
1360 cstate->off_linktype.constant_part = 24;
1361 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1362 cstate->off_linkpl.is_variable = 1;
1363 cstate->off_nl = 8; /* 802.2+SNAP */
1364 cstate->off_nl_nosnap = 3; /* 802.2 */
1365 break;
1366
1367 case DLT_PPI:
1368 /*
1369 * At the moment we treat PPI the same way that we treat
1370 * normal Radiotap encoded packets. The difference is in
1371 * the function that generates the code at the beginning
1372 * to compute the header length. Since this code generator
1373 * of PPI supports bare 802.11 encapsulation only (i.e.
1374 * the encapsulated DLT should be DLT_IEEE802_11) we
1375 * generate code to check for this too.
1376 */
1377 cstate->off_linktype.constant_part = 24;
1378 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1379 cstate->off_linkpl.is_variable = 1;
1380 cstate->off_linkhdr.is_variable = 1;
1381 cstate->off_nl = 8; /* 802.2+SNAP */
1382 cstate->off_nl_nosnap = 3; /* 802.2 */
1383 break;
1384
1385 case DLT_ATM_RFC1483:
1386 case DLT_ATM_CLIP: /* Linux ATM defines this */
1387 /*
1388 * assume routed, non-ISO PDUs
1389 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1390 *
1391 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1392 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1393 * latter would presumably be treated the way PPPoE
1394 * should be, so you can do "pppoe and udp port 2049"
1395 * or "pppoa and tcp port 80" and have it check for
1396 * PPPo{A,E} and a PPP protocol of IP and....
1397 */
1398 cstate->off_linktype.constant_part = 0;
1399 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1400 cstate->off_nl = 8; /* 802.2+SNAP */
1401 cstate->off_nl_nosnap = 3; /* 802.2 */
1402 break;
1403
1404 case DLT_SUNATM:
1405 /*
1406 * Full Frontal ATM; you get AALn PDUs with an ATM
1407 * pseudo-header.
1408 */
1409 cstate->is_atm = 1;
1410 cstate->off_vpi = SUNATM_VPI_POS;
1411 cstate->off_vci = SUNATM_VCI_POS;
1412 cstate->off_proto = PROTO_POS;
1413 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1414 cstate->off_linktype.constant_part = cstate->off_payload;
1415 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1416 cstate->off_nl = 8; /* 802.2+SNAP */
1417 cstate->off_nl_nosnap = 3; /* 802.2 */
1418 break;
1419
1420 case DLT_RAW:
1421 case DLT_IPV4:
1422 case DLT_IPV6:
1423 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1424 cstate->off_linkpl.constant_part = 0;
1425 cstate->off_nl = 0;
1426 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1427 break;
1428
1429 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1430 cstate->off_linktype.constant_part = 14;
1431 cstate->off_linkpl.constant_part = 16;
1432 cstate->off_nl = 0;
1433 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1434 break;
1435
1436 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1437 cstate->off_linktype.constant_part = 0;
1438 cstate->off_linkpl.constant_part = 20;
1439 cstate->off_nl = 0;
1440 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1441 break;
1442
1443 case DLT_LTALK:
1444 /*
1445 * LocalTalk does have a 1-byte type field in the LLAP header,
1446 * but really it just indicates whether there is a "short" or
1447 * "long" DDP packet following.
1448 */
1449 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1450 cstate->off_linkpl.constant_part = 0;
1451 cstate->off_nl = 0;
1452 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1453 break;
1454
1455 case DLT_IP_OVER_FC:
1456 /*
1457 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1458 * link-level type field. We set "off_linktype" to the
1459 * offset of the LLC header.
1460 *
1461 * To check for Ethernet types, we assume that SSAP = SNAP
1462 * is being used and pick out the encapsulated Ethernet type.
1463 * XXX - should we generate code to check for SNAP? RFC
1464 * 2625 says SNAP should be used.
1465 */
1466 cstate->off_linktype.constant_part = 16;
1467 cstate->off_linkpl.constant_part = 16;
1468 cstate->off_nl = 8; /* 802.2+SNAP */
1469 cstate->off_nl_nosnap = 3; /* 802.2 */
1470 break;
1471
1472 case DLT_FRELAY:
1473 /*
1474 * XXX - we should set this to handle SNAP-encapsulated
1475 * frames (NLPID of 0x80).
1476 */
1477 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1478 cstate->off_linkpl.constant_part = 0;
1479 cstate->off_nl = 0;
1480 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1481 break;
1482
1483 /*
1484 * the only BPF-interesting FRF.16 frames are non-control frames;
1485 * Frame Relay has a variable length link-layer
1486 * so lets start with offset 4 for now and increments later on (FIXME);
1487 */
1488 case DLT_MFR:
1489 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1490 cstate->off_linkpl.constant_part = 0;
1491 cstate->off_nl = 4;
1492 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1493 break;
1494
1495 case DLT_APPLE_IP_OVER_IEEE1394:
1496 cstate->off_linktype.constant_part = 16;
1497 cstate->off_linkpl.constant_part = 18;
1498 cstate->off_nl = 0;
1499 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1500 break;
1501
1502 case DLT_SYMANTEC_FIREWALL:
1503 cstate->off_linktype.constant_part = 6;
1504 cstate->off_linkpl.constant_part = 44;
1505 cstate->off_nl = 0; /* Ethernet II */
1506 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1507 break;
1508
1509 #ifdef HAVE_NET_PFVAR_H
1510 case DLT_PFLOG:
1511 cstate->off_linktype.constant_part = 0;
1512 cstate->off_linkpl.constant_part = PFLOG_HDRLEN;
1513 cstate->off_nl = 0;
1514 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1515 break;
1516 #endif
1517
1518 case DLT_JUNIPER_MFR:
1519 case DLT_JUNIPER_MLFR:
1520 case DLT_JUNIPER_MLPPP:
1521 case DLT_JUNIPER_PPP:
1522 case DLT_JUNIPER_CHDLC:
1523 case DLT_JUNIPER_FRELAY:
1524 cstate->off_linktype.constant_part = 4;
1525 cstate->off_linkpl.constant_part = 4;
1526 cstate->off_nl = 0;
1527 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1528 break;
1529
1530 case DLT_JUNIPER_ATM1:
1531 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1532 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1533 cstate->off_nl = 0;
1534 cstate->off_nl_nosnap = 10;
1535 break;
1536
1537 case DLT_JUNIPER_ATM2:
1538 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1539 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1540 cstate->off_nl = 0;
1541 cstate->off_nl_nosnap = 10;
1542 break;
1543
1544 /* frames captured on a Juniper PPPoE service PIC
1545 * contain raw ethernet frames */
1546 case DLT_JUNIPER_PPPOE:
1547 case DLT_JUNIPER_ETHER:
1548 cstate->off_linkpl.constant_part = 14;
1549 cstate->off_linktype.constant_part = 16;
1550 cstate->off_nl = 18; /* Ethernet II */
1551 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1552 break;
1553
1554 case DLT_JUNIPER_PPPOE_ATM:
1555 cstate->off_linktype.constant_part = 4;
1556 cstate->off_linkpl.constant_part = 6;
1557 cstate->off_nl = 0;
1558 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1559 break;
1560
1561 case DLT_JUNIPER_GGSN:
1562 cstate->off_linktype.constant_part = 6;
1563 cstate->off_linkpl.constant_part = 12;
1564 cstate->off_nl = 0;
1565 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1566 break;
1567
1568 case DLT_JUNIPER_ES:
1569 cstate->off_linktype.constant_part = 6;
1570 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1571 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1572 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1573 break;
1574
1575 case DLT_JUNIPER_MONITOR:
1576 cstate->off_linktype.constant_part = 12;
1577 cstate->off_linkpl.constant_part = 12;
1578 cstate->off_nl = 0; /* raw IP/IP6 header */
1579 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1580 break;
1581
1582 case DLT_BACNET_MS_TP:
1583 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1584 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1585 cstate->off_nl = OFFSET_NOT_SET;
1586 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1587 break;
1588
1589 case DLT_JUNIPER_SERVICES:
1590 cstate->off_linktype.constant_part = 12;
1591 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1592 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1593 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1594 break;
1595
1596 case DLT_JUNIPER_VP:
1597 cstate->off_linktype.constant_part = 18;
1598 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1599 cstate->off_nl = OFFSET_NOT_SET;
1600 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1601 break;
1602
1603 case DLT_JUNIPER_ST:
1604 cstate->off_linktype.constant_part = 18;
1605 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1606 cstate->off_nl = OFFSET_NOT_SET;
1607 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1608 break;
1609
1610 case DLT_JUNIPER_ISM:
1611 cstate->off_linktype.constant_part = 8;
1612 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1613 cstate->off_nl = OFFSET_NOT_SET;
1614 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1615 break;
1616
1617 case DLT_JUNIPER_VS:
1618 case DLT_JUNIPER_SRX_E2E:
1619 case DLT_JUNIPER_FIBRECHANNEL:
1620 case DLT_JUNIPER_ATM_CEMIC:
1621 cstate->off_linktype.constant_part = 8;
1622 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1623 cstate->off_nl = OFFSET_NOT_SET;
1624 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1625 break;
1626
1627 case DLT_MTP2:
1628 cstate->off_li = 2;
1629 cstate->off_li_hsl = 4;
1630 cstate->off_sio = 3;
1631 cstate->off_opc = 4;
1632 cstate->off_dpc = 4;
1633 cstate->off_sls = 7;
1634 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1635 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1636 cstate->off_nl = OFFSET_NOT_SET;
1637 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1638 break;
1639
1640 case DLT_MTP2_WITH_PHDR:
1641 cstate->off_li = 6;
1642 cstate->off_li_hsl = 8;
1643 cstate->off_sio = 7;
1644 cstate->off_opc = 8;
1645 cstate->off_dpc = 8;
1646 cstate->off_sls = 11;
1647 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1648 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1649 cstate->off_nl = OFFSET_NOT_SET;
1650 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1651 break;
1652
1653 case DLT_ERF:
1654 cstate->off_li = 22;
1655 cstate->off_li_hsl = 24;
1656 cstate->off_sio = 23;
1657 cstate->off_opc = 24;
1658 cstate->off_dpc = 24;
1659 cstate->off_sls = 27;
1660 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1661 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1662 cstate->off_nl = OFFSET_NOT_SET;
1663 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1664 break;
1665
1666 case DLT_PFSYNC:
1667 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1668 cstate->off_linkpl.constant_part = 4;
1669 cstate->off_nl = 0;
1670 cstate->off_nl_nosnap = 0;
1671 break;
1672
1673 case DLT_AX25_KISS:
1674 /*
1675 * Currently, only raw "link[N:M]" filtering is supported.
1676 */
1677 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1678 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1679 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1680 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1681 break;
1682
1683 case DLT_IPNET:
1684 cstate->off_linktype.constant_part = 1;
1685 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1686 cstate->off_nl = 0;
1687 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1688 break;
1689
1690 case DLT_NETANALYZER:
1691 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1692 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1693 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1694 cstate->off_nl = 0; /* Ethernet II */
1695 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1696 break;
1697
1698 case DLT_NETANALYZER_TRANSPARENT:
1699 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1700 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1701 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1702 cstate->off_nl = 0; /* Ethernet II */
1703 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1704 break;
1705
1706 default:
1707 /*
1708 * For values in the range in which we've assigned new
1709 * DLT_ values, only raw "link[N:M]" filtering is supported.
1710 */
1711 if (cstate->linktype >= DLT_MATCHING_MIN &&
1712 cstate->linktype <= DLT_MATCHING_MAX) {
1713 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1714 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1715 cstate->off_nl = OFFSET_NOT_SET;
1716 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1717 } else {
1718 bpf_set_error(cstate, "unknown data link type %d", cstate->linktype);
1719 return (-1);
1720 }
1721 break;
1722 }
1723
1724 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1725 return (0);
1726 }
1727
1728 /*
1729 * Load a value relative to the specified absolute offset.
1730 */
1731 static struct slist *
gen_load_absoffsetrel(compiler_state_t * cstate,bpf_abs_offset * abs_offset,u_int offset,u_int size)1732 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1733 u_int offset, u_int size)
1734 {
1735 struct slist *s, *s2;
1736
1737 s = gen_abs_offset_varpart(cstate, abs_offset);
1738
1739 /*
1740 * If "s" is non-null, it has code to arrange that the X register
1741 * contains the variable part of the absolute offset, so we
1742 * generate a load relative to that, with an offset of
1743 * abs_offset->constant_part + offset.
1744 *
1745 * Otherwise, we can do an absolute load with an offset of
1746 * abs_offset->constant_part + offset.
1747 */
1748 if (s != NULL) {
1749 /*
1750 * "s" points to a list of statements that puts the
1751 * variable part of the absolute offset into the X register.
1752 * Do an indirect load, to use the X register as an offset.
1753 */
1754 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1755 s2->s.k = abs_offset->constant_part + offset;
1756 sappend(s, s2);
1757 } else {
1758 /*
1759 * There is no variable part of the absolute offset, so
1760 * just do an absolute load.
1761 */
1762 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1763 s->s.k = abs_offset->constant_part + offset;
1764 }
1765 return s;
1766 }
1767
1768 /*
1769 * Load a value relative to the beginning of the specified header.
1770 */
1771 static struct slist *
gen_load_a(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size)1772 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1773 u_int size)
1774 {
1775 struct slist *s, *s2;
1776
1777 /*
1778 * Squelch warnings from compilers that *don't* assume that
1779 * offrel always has a valid enum value and therefore don't
1780 * assume that we'll always go through one of the case arms.
1781 *
1782 * If we have a default case, compilers that *do* assume that
1783 * will then complain about the default case code being
1784 * unreachable.
1785 *
1786 * Damned if you do, damned if you don't.
1787 */
1788 s = NULL;
1789
1790 switch (offrel) {
1791
1792 case OR_PACKET:
1793 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1794 s->s.k = offset;
1795 break;
1796
1797 case OR_LINKHDR:
1798 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1799 break;
1800
1801 case OR_PREVLINKHDR:
1802 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1803 break;
1804
1805 case OR_LLC:
1806 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1807 break;
1808
1809 case OR_PREVMPLSHDR:
1810 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1811 break;
1812
1813 case OR_LINKPL:
1814 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1815 break;
1816
1817 case OR_LINKPL_NOSNAP:
1818 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1819 break;
1820
1821 case OR_LINKTYPE:
1822 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1823 break;
1824
1825 case OR_TRAN_IPV4:
1826 /*
1827 * Load the X register with the length of the IPv4 header
1828 * (plus the offset of the link-layer header, if it's
1829 * preceded by a variable-length header such as a radio
1830 * header), in bytes.
1831 */
1832 s = gen_loadx_iphdrlen(cstate);
1833
1834 /*
1835 * Load the item at {offset of the link-layer payload} +
1836 * {offset, relative to the start of the link-layer
1837 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1838 * {specified offset}.
1839 *
1840 * If the offset of the link-layer payload is variable,
1841 * the variable part of that offset is included in the
1842 * value in the X register, and we include the constant
1843 * part in the offset of the load.
1844 */
1845 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1846 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1847 sappend(s, s2);
1848 break;
1849
1850 case OR_TRAN_IPV6:
1851 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1852 break;
1853 }
1854 return s;
1855 }
1856
1857 /*
1858 * Generate code to load into the X register the sum of the length of
1859 * the IPv4 header and the variable part of the offset of the link-layer
1860 * payload.
1861 */
1862 static struct slist *
gen_loadx_iphdrlen(compiler_state_t * cstate)1863 gen_loadx_iphdrlen(compiler_state_t *cstate)
1864 {
1865 struct slist *s, *s2;
1866
1867 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1868 if (s != NULL) {
1869 /*
1870 * The offset of the link-layer payload has a variable
1871 * part. "s" points to a list of statements that put
1872 * the variable part of that offset into the X register.
1873 *
1874 * The 4*([k]&0xf) addressing mode can't be used, as we
1875 * don't have a constant offset, so we have to load the
1876 * value in question into the A register and add to it
1877 * the value from the X register.
1878 */
1879 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1880 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1881 sappend(s, s2);
1882 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1883 s2->s.k = 0xf;
1884 sappend(s, s2);
1885 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1886 s2->s.k = 2;
1887 sappend(s, s2);
1888
1889 /*
1890 * The A register now contains the length of the IP header.
1891 * We need to add to it the variable part of the offset of
1892 * the link-layer payload, which is still in the X
1893 * register, and move the result into the X register.
1894 */
1895 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1896 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1897 } else {
1898 /*
1899 * The offset of the link-layer payload is a constant,
1900 * so no code was generated to load the (non-existent)
1901 * variable part of that offset.
1902 *
1903 * This means we can use the 4*([k]&0xf) addressing
1904 * mode. Load the length of the IPv4 header, which
1905 * is at an offset of cstate->off_nl from the beginning of
1906 * the link-layer payload, and thus at an offset of
1907 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1908 * of the raw packet data, using that addressing mode.
1909 */
1910 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1911 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1912 }
1913 return s;
1914 }
1915
1916
1917 static struct block *
gen_uncond(compiler_state_t * cstate,int rsense)1918 gen_uncond(compiler_state_t *cstate, int rsense)
1919 {
1920 struct block *b;
1921 struct slist *s;
1922
1923 s = new_stmt(cstate, BPF_LD|BPF_IMM);
1924 s->s.k = !rsense;
1925 b = new_block(cstate, JMP(BPF_JEQ));
1926 b->stmts = s;
1927
1928 return b;
1929 }
1930
1931 static inline struct block *
gen_true(compiler_state_t * cstate)1932 gen_true(compiler_state_t *cstate)
1933 {
1934 return gen_uncond(cstate, 1);
1935 }
1936
1937 static inline struct block *
gen_false(compiler_state_t * cstate)1938 gen_false(compiler_state_t *cstate)
1939 {
1940 return gen_uncond(cstate, 0);
1941 }
1942
1943 /*
1944 * Byte-swap a 32-bit number.
1945 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1946 * big-endian platforms.)
1947 */
1948 #define SWAPLONG(y) \
1949 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1950
1951 /*
1952 * Generate code to match a particular packet type.
1953 *
1954 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1955 * value, if <= ETHERMTU. We use that to determine whether to
1956 * match the type/length field or to check the type/length field for
1957 * a value <= ETHERMTU to see whether it's a type field and then do
1958 * the appropriate test.
1959 */
1960 static struct block *
gen_ether_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)1961 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
1962 {
1963 struct block *b0, *b1;
1964
1965 switch (ll_proto) {
1966
1967 case LLCSAP_ISONS:
1968 case LLCSAP_IP:
1969 case LLCSAP_NETBEUI:
1970 /*
1971 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1972 * so we check the DSAP and SSAP.
1973 *
1974 * LLCSAP_IP checks for IP-over-802.2, rather
1975 * than IP-over-Ethernet or IP-over-SNAP.
1976 *
1977 * XXX - should we check both the DSAP and the
1978 * SSAP, like this, or should we check just the
1979 * DSAP, as we do for other types <= ETHERMTU
1980 * (i.e., other SAP values)?
1981 */
1982 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1983 gen_not(b0);
1984 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
1985 gen_and(b0, b1);
1986 return b1;
1987
1988 case LLCSAP_IPX:
1989 /*
1990 * Check for;
1991 *
1992 * Ethernet_II frames, which are Ethernet
1993 * frames with a frame type of ETHERTYPE_IPX;
1994 *
1995 * Ethernet_802.3 frames, which are 802.3
1996 * frames (i.e., the type/length field is
1997 * a length field, <= ETHERMTU, rather than
1998 * a type field) with the first two bytes
1999 * after the Ethernet/802.3 header being
2000 * 0xFFFF;
2001 *
2002 * Ethernet_802.2 frames, which are 802.3
2003 * frames with an 802.2 LLC header and
2004 * with the IPX LSAP as the DSAP in the LLC
2005 * header;
2006 *
2007 * Ethernet_SNAP frames, which are 802.3
2008 * frames with an LLC header and a SNAP
2009 * header and with an OUI of 0x000000
2010 * (encapsulated Ethernet) and a protocol
2011 * ID of ETHERTYPE_IPX in the SNAP header.
2012 *
2013 * XXX - should we generate the same code both
2014 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2015 */
2016
2017 /*
2018 * This generates code to check both for the
2019 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2020 */
2021 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2022 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
2023 gen_or(b0, b1);
2024
2025 /*
2026 * Now we add code to check for SNAP frames with
2027 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2028 */
2029 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2030 gen_or(b0, b1);
2031
2032 /*
2033 * Now we generate code to check for 802.3
2034 * frames in general.
2035 */
2036 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2037 gen_not(b0);
2038
2039 /*
2040 * Now add the check for 802.3 frames before the
2041 * check for Ethernet_802.2 and Ethernet_802.3,
2042 * as those checks should only be done on 802.3
2043 * frames, not on Ethernet frames.
2044 */
2045 gen_and(b0, b1);
2046
2047 /*
2048 * Now add the check for Ethernet_II frames, and
2049 * do that before checking for the other frame
2050 * types.
2051 */
2052 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2053 gen_or(b0, b1);
2054 return b1;
2055
2056 case ETHERTYPE_ATALK:
2057 case ETHERTYPE_AARP:
2058 /*
2059 * EtherTalk (AppleTalk protocols on Ethernet link
2060 * layer) may use 802.2 encapsulation.
2061 */
2062
2063 /*
2064 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2065 * we check for an Ethernet type field less than
2066 * 1500, which means it's an 802.3 length field.
2067 */
2068 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2069 gen_not(b0);
2070
2071 /*
2072 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2073 * SNAP packets with an organization code of
2074 * 0x080007 (Apple, for Appletalk) and a protocol
2075 * type of ETHERTYPE_ATALK (Appletalk).
2076 *
2077 * 802.2-encapsulated ETHERTYPE_AARP packets are
2078 * SNAP packets with an organization code of
2079 * 0x000000 (encapsulated Ethernet) and a protocol
2080 * type of ETHERTYPE_AARP (Appletalk ARP).
2081 */
2082 if (ll_proto == ETHERTYPE_ATALK)
2083 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2084 else /* ll_proto == ETHERTYPE_AARP */
2085 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2086 gen_and(b0, b1);
2087
2088 /*
2089 * Check for Ethernet encapsulation (Ethertalk
2090 * phase 1?); we just check for the Ethernet
2091 * protocol type.
2092 */
2093 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2094
2095 gen_or(b0, b1);
2096 return b1;
2097
2098 default:
2099 if (ll_proto <= ETHERMTU) {
2100 /*
2101 * This is an LLC SAP value, so the frames
2102 * that match would be 802.2 frames.
2103 * Check that the frame is an 802.2 frame
2104 * (i.e., that the length/type field is
2105 * a length field, <= ETHERMTU) and
2106 * then check the DSAP.
2107 */
2108 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2109 gen_not(b0);
2110 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto);
2111 gen_and(b0, b1);
2112 return b1;
2113 } else {
2114 /*
2115 * This is an Ethernet type, so compare
2116 * the length/type field with it (if
2117 * the frame is an 802.2 frame, the length
2118 * field will be <= ETHERMTU, and, as
2119 * "ll_proto" is > ETHERMTU, this test
2120 * will fail and the frame won't match,
2121 * which is what we want).
2122 */
2123 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2124 }
2125 }
2126 }
2127
2128 static struct block *
gen_loopback_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)2129 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2130 {
2131 /*
2132 * For DLT_NULL, the link-layer header is a 32-bit word
2133 * containing an AF_ value in *host* byte order, and for
2134 * DLT_ENC, the link-layer header begins with a 32-bit
2135 * word containing an AF_ value in host byte order.
2136 *
2137 * In addition, if we're reading a saved capture file,
2138 * the host byte order in the capture may not be the
2139 * same as the host byte order on this machine.
2140 *
2141 * For DLT_LOOP, the link-layer header is a 32-bit
2142 * word containing an AF_ value in *network* byte order.
2143 */
2144 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2145 /*
2146 * The AF_ value is in host byte order, but the BPF
2147 * interpreter will convert it to network byte order.
2148 *
2149 * If this is a save file, and it's from a machine
2150 * with the opposite byte order to ours, we byte-swap
2151 * the AF_ value.
2152 *
2153 * Then we run it through "htonl()", and generate
2154 * code to compare against the result.
2155 */
2156 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2157 ll_proto = SWAPLONG(ll_proto);
2158 ll_proto = htonl(ll_proto);
2159 }
2160 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto));
2161 }
2162
2163 /*
2164 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2165 * or IPv6 then we have an error.
2166 */
2167 static struct block *
gen_ipnet_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)2168 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2169 {
2170 switch (ll_proto) {
2171
2172 case ETHERTYPE_IP:
2173 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET);
2174 /*NOTREACHED*/
2175
2176 case ETHERTYPE_IPV6:
2177 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6);
2178 /*NOTREACHED*/
2179
2180 default:
2181 break;
2182 }
2183
2184 return gen_false(cstate);
2185 }
2186
2187 /*
2188 * Generate code to match a particular packet type.
2189 *
2190 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2191 * value, if <= ETHERMTU. We use that to determine whether to
2192 * match the type field or to check the type field for the special
2193 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2194 */
2195 static struct block *
gen_linux_sll_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)2196 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2197 {
2198 struct block *b0, *b1;
2199
2200 switch (ll_proto) {
2201
2202 case LLCSAP_ISONS:
2203 case LLCSAP_IP:
2204 case LLCSAP_NETBEUI:
2205 /*
2206 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2207 * so we check the DSAP and SSAP.
2208 *
2209 * LLCSAP_IP checks for IP-over-802.2, rather
2210 * than IP-over-Ethernet or IP-over-SNAP.
2211 *
2212 * XXX - should we check both the DSAP and the
2213 * SSAP, like this, or should we check just the
2214 * DSAP, as we do for other types <= ETHERMTU
2215 * (i.e., other SAP values)?
2216 */
2217 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2218 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2219 gen_and(b0, b1);
2220 return b1;
2221
2222 case LLCSAP_IPX:
2223 /*
2224 * Ethernet_II frames, which are Ethernet
2225 * frames with a frame type of ETHERTYPE_IPX;
2226 *
2227 * Ethernet_802.3 frames, which have a frame
2228 * type of LINUX_SLL_P_802_3;
2229 *
2230 * Ethernet_802.2 frames, which are 802.3
2231 * frames with an 802.2 LLC header (i.e, have
2232 * a frame type of LINUX_SLL_P_802_2) and
2233 * with the IPX LSAP as the DSAP in the LLC
2234 * header;
2235 *
2236 * Ethernet_SNAP frames, which are 802.3
2237 * frames with an LLC header and a SNAP
2238 * header and with an OUI of 0x000000
2239 * (encapsulated Ethernet) and a protocol
2240 * ID of ETHERTYPE_IPX in the SNAP header.
2241 *
2242 * First, do the checks on LINUX_SLL_P_802_2
2243 * frames; generate the check for either
2244 * Ethernet_802.2 or Ethernet_SNAP frames, and
2245 * then put a check for LINUX_SLL_P_802_2 frames
2246 * before it.
2247 */
2248 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2249 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2250 gen_or(b0, b1);
2251 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2252 gen_and(b0, b1);
2253
2254 /*
2255 * Now check for 802.3 frames and OR that with
2256 * the previous test.
2257 */
2258 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2259 gen_or(b0, b1);
2260
2261 /*
2262 * Now add the check for Ethernet_II frames, and
2263 * do that before checking for the other frame
2264 * types.
2265 */
2266 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2267 gen_or(b0, b1);
2268 return b1;
2269
2270 case ETHERTYPE_ATALK:
2271 case ETHERTYPE_AARP:
2272 /*
2273 * EtherTalk (AppleTalk protocols on Ethernet link
2274 * layer) may use 802.2 encapsulation.
2275 */
2276
2277 /*
2278 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2279 * we check for the 802.2 protocol type in the
2280 * "Ethernet type" field.
2281 */
2282 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2283
2284 /*
2285 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2286 * SNAP packets with an organization code of
2287 * 0x080007 (Apple, for Appletalk) and a protocol
2288 * type of ETHERTYPE_ATALK (Appletalk).
2289 *
2290 * 802.2-encapsulated ETHERTYPE_AARP packets are
2291 * SNAP packets with an organization code of
2292 * 0x000000 (encapsulated Ethernet) and a protocol
2293 * type of ETHERTYPE_AARP (Appletalk ARP).
2294 */
2295 if (ll_proto == ETHERTYPE_ATALK)
2296 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2297 else /* ll_proto == ETHERTYPE_AARP */
2298 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2299 gen_and(b0, b1);
2300
2301 /*
2302 * Check for Ethernet encapsulation (Ethertalk
2303 * phase 1?); we just check for the Ethernet
2304 * protocol type.
2305 */
2306 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2307
2308 gen_or(b0, b1);
2309 return b1;
2310
2311 default:
2312 if (ll_proto <= ETHERMTU) {
2313 /*
2314 * This is an LLC SAP value, so the frames
2315 * that match would be 802.2 frames.
2316 * Check for the 802.2 protocol type
2317 * in the "Ethernet type" field, and
2318 * then check the DSAP.
2319 */
2320 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2321 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2322 ll_proto);
2323 gen_and(b0, b1);
2324 return b1;
2325 } else {
2326 /*
2327 * This is an Ethernet type, so compare
2328 * the length/type field with it (if
2329 * the frame is an 802.2 frame, the length
2330 * field will be <= ETHERMTU, and, as
2331 * "ll_proto" is > ETHERMTU, this test
2332 * will fail and the frame won't match,
2333 * which is what we want).
2334 */
2335 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2336 }
2337 }
2338 }
2339
2340 static struct slist *
gen_load_prism_llprefixlen(compiler_state_t * cstate)2341 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2342 {
2343 struct slist *s1, *s2;
2344 struct slist *sjeq_avs_cookie;
2345 struct slist *sjcommon;
2346
2347 /*
2348 * This code is not compatible with the optimizer, as
2349 * we are generating jmp instructions within a normal
2350 * slist of instructions
2351 */
2352 cstate->no_optimize = 1;
2353
2354 /*
2355 * Generate code to load the length of the radio header into
2356 * the register assigned to hold that length, if one has been
2357 * assigned. (If one hasn't been assigned, no code we've
2358 * generated uses that prefix, so we don't need to generate any
2359 * code to load it.)
2360 *
2361 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2362 * or always use the AVS header rather than the Prism header.
2363 * We load a 4-byte big-endian value at the beginning of the
2364 * raw packet data, and see whether, when masked with 0xFFFFF000,
2365 * it's equal to 0x80211000. If so, that indicates that it's
2366 * an AVS header (the masked-out bits are the version number).
2367 * Otherwise, it's a Prism header.
2368 *
2369 * XXX - the Prism header is also, in theory, variable-length,
2370 * but no known software generates headers that aren't 144
2371 * bytes long.
2372 */
2373 if (cstate->off_linkhdr.reg != -1) {
2374 /*
2375 * Load the cookie.
2376 */
2377 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2378 s1->s.k = 0;
2379
2380 /*
2381 * AND it with 0xFFFFF000.
2382 */
2383 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2384 s2->s.k = 0xFFFFF000;
2385 sappend(s1, s2);
2386
2387 /*
2388 * Compare with 0x80211000.
2389 */
2390 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2391 sjeq_avs_cookie->s.k = 0x80211000;
2392 sappend(s1, sjeq_avs_cookie);
2393
2394 /*
2395 * If it's AVS:
2396 *
2397 * The 4 bytes at an offset of 4 from the beginning of
2398 * the AVS header are the length of the AVS header.
2399 * That field is big-endian.
2400 */
2401 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2402 s2->s.k = 4;
2403 sappend(s1, s2);
2404 sjeq_avs_cookie->s.jt = s2;
2405
2406 /*
2407 * Now jump to the code to allocate a register
2408 * into which to save the header length and
2409 * store the length there. (The "jump always"
2410 * instruction needs to have the k field set;
2411 * it's added to the PC, so, as we're jumping
2412 * over a single instruction, it should be 1.)
2413 */
2414 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2415 sjcommon->s.k = 1;
2416 sappend(s1, sjcommon);
2417
2418 /*
2419 * Now for the code that handles the Prism header.
2420 * Just load the length of the Prism header (144)
2421 * into the A register. Have the test for an AVS
2422 * header branch here if we don't have an AVS header.
2423 */
2424 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2425 s2->s.k = 144;
2426 sappend(s1, s2);
2427 sjeq_avs_cookie->s.jf = s2;
2428
2429 /*
2430 * Now allocate a register to hold that value and store
2431 * it. The code for the AVS header will jump here after
2432 * loading the length of the AVS header.
2433 */
2434 s2 = new_stmt(cstate, BPF_ST);
2435 s2->s.k = cstate->off_linkhdr.reg;
2436 sappend(s1, s2);
2437 sjcommon->s.jf = s2;
2438
2439 /*
2440 * Now move it into the X register.
2441 */
2442 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2443 sappend(s1, s2);
2444
2445 return (s1);
2446 } else
2447 return (NULL);
2448 }
2449
2450 static struct slist *
gen_load_avs_llprefixlen(compiler_state_t * cstate)2451 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2452 {
2453 struct slist *s1, *s2;
2454
2455 /*
2456 * Generate code to load the length of the AVS header into
2457 * the register assigned to hold that length, if one has been
2458 * assigned. (If one hasn't been assigned, no code we've
2459 * generated uses that prefix, so we don't need to generate any
2460 * code to load it.)
2461 */
2462 if (cstate->off_linkhdr.reg != -1) {
2463 /*
2464 * The 4 bytes at an offset of 4 from the beginning of
2465 * the AVS header are the length of the AVS header.
2466 * That field is big-endian.
2467 */
2468 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2469 s1->s.k = 4;
2470
2471 /*
2472 * Now allocate a register to hold that value and store
2473 * it.
2474 */
2475 s2 = new_stmt(cstate, BPF_ST);
2476 s2->s.k = cstate->off_linkhdr.reg;
2477 sappend(s1, s2);
2478
2479 /*
2480 * Now move it into the X register.
2481 */
2482 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2483 sappend(s1, s2);
2484
2485 return (s1);
2486 } else
2487 return (NULL);
2488 }
2489
2490 static struct slist *
gen_load_radiotap_llprefixlen(compiler_state_t * cstate)2491 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2492 {
2493 struct slist *s1, *s2;
2494
2495 /*
2496 * Generate code to load the length of the radiotap header into
2497 * the register assigned to hold that length, if one has been
2498 * assigned. (If one hasn't been assigned, no code we've
2499 * generated uses that prefix, so we don't need to generate any
2500 * code to load it.)
2501 */
2502 if (cstate->off_linkhdr.reg != -1) {
2503 /*
2504 * The 2 bytes at offsets of 2 and 3 from the beginning
2505 * of the radiotap header are the length of the radiotap
2506 * header; unfortunately, it's little-endian, so we have
2507 * to load it a byte at a time and construct the value.
2508 */
2509
2510 /*
2511 * Load the high-order byte, at an offset of 3, shift it
2512 * left a byte, and put the result in the X register.
2513 */
2514 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2515 s1->s.k = 3;
2516 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2517 sappend(s1, s2);
2518 s2->s.k = 8;
2519 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2520 sappend(s1, s2);
2521
2522 /*
2523 * Load the next byte, at an offset of 2, and OR the
2524 * value from the X register into it.
2525 */
2526 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2527 sappend(s1, s2);
2528 s2->s.k = 2;
2529 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2530 sappend(s1, s2);
2531
2532 /*
2533 * Now allocate a register to hold that value and store
2534 * it.
2535 */
2536 s2 = new_stmt(cstate, BPF_ST);
2537 s2->s.k = cstate->off_linkhdr.reg;
2538 sappend(s1, s2);
2539
2540 /*
2541 * Now move it into the X register.
2542 */
2543 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2544 sappend(s1, s2);
2545
2546 return (s1);
2547 } else
2548 return (NULL);
2549 }
2550
2551 /*
2552 * At the moment we treat PPI as normal Radiotap encoded
2553 * packets. The difference is in the function that generates
2554 * the code at the beginning to compute the header length.
2555 * Since this code generator of PPI supports bare 802.11
2556 * encapsulation only (i.e. the encapsulated DLT should be
2557 * DLT_IEEE802_11) we generate code to check for this too;
2558 * that's done in finish_parse().
2559 */
2560 static struct slist *
gen_load_ppi_llprefixlen(compiler_state_t * cstate)2561 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2562 {
2563 struct slist *s1, *s2;
2564
2565 /*
2566 * Generate code to load the length of the radiotap header
2567 * into the register assigned to hold that length, if one has
2568 * been assigned.
2569 */
2570 if (cstate->off_linkhdr.reg != -1) {
2571 /*
2572 * The 2 bytes at offsets of 2 and 3 from the beginning
2573 * of the radiotap header are the length of the radiotap
2574 * header; unfortunately, it's little-endian, so we have
2575 * to load it a byte at a time and construct the value.
2576 */
2577
2578 /*
2579 * Load the high-order byte, at an offset of 3, shift it
2580 * left a byte, and put the result in the X register.
2581 */
2582 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2583 s1->s.k = 3;
2584 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2585 sappend(s1, s2);
2586 s2->s.k = 8;
2587 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2588 sappend(s1, s2);
2589
2590 /*
2591 * Load the next byte, at an offset of 2, and OR the
2592 * value from the X register into it.
2593 */
2594 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2595 sappend(s1, s2);
2596 s2->s.k = 2;
2597 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2598 sappend(s1, s2);
2599
2600 /*
2601 * Now allocate a register to hold that value and store
2602 * it.
2603 */
2604 s2 = new_stmt(cstate, BPF_ST);
2605 s2->s.k = cstate->off_linkhdr.reg;
2606 sappend(s1, s2);
2607
2608 /*
2609 * Now move it into the X register.
2610 */
2611 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2612 sappend(s1, s2);
2613
2614 return (s1);
2615 } else
2616 return (NULL);
2617 }
2618
2619 /*
2620 * Load a value relative to the beginning of the link-layer header after the 802.11
2621 * header, i.e. LLC_SNAP.
2622 * The link-layer header doesn't necessarily begin at the beginning
2623 * of the packet data; there might be a variable-length prefix containing
2624 * radio information.
2625 */
2626 static struct slist *
gen_load_802_11_header_len(compiler_state_t * cstate,struct slist * s,struct slist * snext)2627 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2628 {
2629 struct slist *s2;
2630 struct slist *sjset_data_frame_1;
2631 struct slist *sjset_data_frame_2;
2632 struct slist *sjset_qos;
2633 struct slist *sjset_radiotap_flags_present;
2634 struct slist *sjset_radiotap_ext_present;
2635 struct slist *sjset_radiotap_tsft_present;
2636 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2637 struct slist *s_roundup;
2638
2639 if (cstate->off_linkpl.reg == -1) {
2640 /*
2641 * No register has been assigned to the offset of
2642 * the link-layer payload, which means nobody needs
2643 * it; don't bother computing it - just return
2644 * what we already have.
2645 */
2646 return (s);
2647 }
2648
2649 /*
2650 * This code is not compatible with the optimizer, as
2651 * we are generating jmp instructions within a normal
2652 * slist of instructions
2653 */
2654 cstate->no_optimize = 1;
2655
2656 /*
2657 * If "s" is non-null, it has code to arrange that the X register
2658 * contains the length of the prefix preceding the link-layer
2659 * header.
2660 *
2661 * Otherwise, the length of the prefix preceding the link-layer
2662 * header is "off_outermostlinkhdr.constant_part".
2663 */
2664 if (s == NULL) {
2665 /*
2666 * There is no variable-length header preceding the
2667 * link-layer header.
2668 *
2669 * Load the length of the fixed-length prefix preceding
2670 * the link-layer header (if any) into the X register,
2671 * and store it in the cstate->off_linkpl.reg register.
2672 * That length is off_outermostlinkhdr.constant_part.
2673 */
2674 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2675 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2676 }
2677
2678 /*
2679 * The X register contains the offset of the beginning of the
2680 * link-layer header; add 24, which is the minimum length
2681 * of the MAC header for a data frame, to that, and store it
2682 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2683 * which is at the offset in the X register, with an indexed load.
2684 */
2685 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2686 sappend(s, s2);
2687 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2688 s2->s.k = 24;
2689 sappend(s, s2);
2690 s2 = new_stmt(cstate, BPF_ST);
2691 s2->s.k = cstate->off_linkpl.reg;
2692 sappend(s, s2);
2693
2694 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2695 s2->s.k = 0;
2696 sappend(s, s2);
2697
2698 /*
2699 * Check the Frame Control field to see if this is a data frame;
2700 * a data frame has the 0x08 bit (b3) in that field set and the
2701 * 0x04 bit (b2) clear.
2702 */
2703 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2704 sjset_data_frame_1->s.k = 0x08;
2705 sappend(s, sjset_data_frame_1);
2706
2707 /*
2708 * If b3 is set, test b2, otherwise go to the first statement of
2709 * the rest of the program.
2710 */
2711 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2712 sjset_data_frame_2->s.k = 0x04;
2713 sappend(s, sjset_data_frame_2);
2714 sjset_data_frame_1->s.jf = snext;
2715
2716 /*
2717 * If b2 is not set, this is a data frame; test the QoS bit.
2718 * Otherwise, go to the first statement of the rest of the
2719 * program.
2720 */
2721 sjset_data_frame_2->s.jt = snext;
2722 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2723 sjset_qos->s.k = 0x80; /* QoS bit */
2724 sappend(s, sjset_qos);
2725
2726 /*
2727 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2728 * field.
2729 * Otherwise, go to the first statement of the rest of the
2730 * program.
2731 */
2732 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2733 s2->s.k = cstate->off_linkpl.reg;
2734 sappend(s, s2);
2735 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2736 s2->s.k = 2;
2737 sappend(s, s2);
2738 s2 = new_stmt(cstate, BPF_ST);
2739 s2->s.k = cstate->off_linkpl.reg;
2740 sappend(s, s2);
2741
2742 /*
2743 * If we have a radiotap header, look at it to see whether
2744 * there's Atheros padding between the MAC-layer header
2745 * and the payload.
2746 *
2747 * Note: all of the fields in the radiotap header are
2748 * little-endian, so we byte-swap all of the values
2749 * we test against, as they will be loaded as big-endian
2750 * values.
2751 *
2752 * XXX - in the general case, we would have to scan through
2753 * *all* the presence bits, if there's more than one word of
2754 * presence bits. That would require a loop, meaning that
2755 * we wouldn't be able to run the filter in the kernel.
2756 *
2757 * We assume here that the Atheros adapters that insert the
2758 * annoying padding don't have multiple antennae and therefore
2759 * do not generate radiotap headers with multiple presence words.
2760 */
2761 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2762 /*
2763 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2764 * in the first presence flag word?
2765 */
2766 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2767 s2->s.k = 4;
2768 sappend(s, s2);
2769
2770 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2771 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2772 sappend(s, sjset_radiotap_flags_present);
2773
2774 /*
2775 * If not, skip all of this.
2776 */
2777 sjset_radiotap_flags_present->s.jf = snext;
2778
2779 /*
2780 * Otherwise, is the "extension" bit set in that word?
2781 */
2782 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2783 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2784 sappend(s, sjset_radiotap_ext_present);
2785 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2786
2787 /*
2788 * If so, skip all of this.
2789 */
2790 sjset_radiotap_ext_present->s.jt = snext;
2791
2792 /*
2793 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2794 */
2795 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2796 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2797 sappend(s, sjset_radiotap_tsft_present);
2798 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2799
2800 /*
2801 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2802 * at an offset of 16 from the beginning of the raw packet
2803 * data (8 bytes for the radiotap header and 8 bytes for
2804 * the TSFT field).
2805 *
2806 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2807 * is set.
2808 */
2809 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2810 s2->s.k = 16;
2811 sappend(s, s2);
2812 sjset_radiotap_tsft_present->s.jt = s2;
2813
2814 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2815 sjset_tsft_datapad->s.k = 0x20;
2816 sappend(s, sjset_tsft_datapad);
2817
2818 /*
2819 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2820 * at an offset of 8 from the beginning of the raw packet
2821 * data (8 bytes for the radiotap header).
2822 *
2823 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2824 * is set.
2825 */
2826 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2827 s2->s.k = 8;
2828 sappend(s, s2);
2829 sjset_radiotap_tsft_present->s.jf = s2;
2830
2831 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2832 sjset_notsft_datapad->s.k = 0x20;
2833 sappend(s, sjset_notsft_datapad);
2834
2835 /*
2836 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2837 * set, round the length of the 802.11 header to
2838 * a multiple of 4. Do that by adding 3 and then
2839 * dividing by and multiplying by 4, which we do by
2840 * ANDing with ~3.
2841 */
2842 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2843 s_roundup->s.k = cstate->off_linkpl.reg;
2844 sappend(s, s_roundup);
2845 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2846 s2->s.k = 3;
2847 sappend(s, s2);
2848 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2849 s2->s.k = (bpf_u_int32)~3;
2850 sappend(s, s2);
2851 s2 = new_stmt(cstate, BPF_ST);
2852 s2->s.k = cstate->off_linkpl.reg;
2853 sappend(s, s2);
2854
2855 sjset_tsft_datapad->s.jt = s_roundup;
2856 sjset_tsft_datapad->s.jf = snext;
2857 sjset_notsft_datapad->s.jt = s_roundup;
2858 sjset_notsft_datapad->s.jf = snext;
2859 } else
2860 sjset_qos->s.jf = snext;
2861
2862 return s;
2863 }
2864
2865 static void
insert_compute_vloffsets(compiler_state_t * cstate,struct block * b)2866 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
2867 {
2868 struct slist *s;
2869
2870 /* There is an implicit dependency between the link
2871 * payload and link header since the payload computation
2872 * includes the variable part of the header. Therefore,
2873 * if nobody else has allocated a register for the link
2874 * header and we need it, do it now. */
2875 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2876 cstate->off_linkhdr.reg == -1)
2877 cstate->off_linkhdr.reg = alloc_reg(cstate);
2878
2879 /*
2880 * For link-layer types that have a variable-length header
2881 * preceding the link-layer header, generate code to load
2882 * the offset of the link-layer header into the register
2883 * assigned to that offset, if any.
2884 *
2885 * XXX - this, and the next switch statement, won't handle
2886 * encapsulation of 802.11 or 802.11+radio information in
2887 * some other protocol stack. That's significantly more
2888 * complicated.
2889 */
2890 switch (cstate->outermostlinktype) {
2891
2892 case DLT_PRISM_HEADER:
2893 s = gen_load_prism_llprefixlen(cstate);
2894 break;
2895
2896 case DLT_IEEE802_11_RADIO_AVS:
2897 s = gen_load_avs_llprefixlen(cstate);
2898 break;
2899
2900 case DLT_IEEE802_11_RADIO:
2901 s = gen_load_radiotap_llprefixlen(cstate);
2902 break;
2903
2904 case DLT_PPI:
2905 s = gen_load_ppi_llprefixlen(cstate);
2906 break;
2907
2908 default:
2909 s = NULL;
2910 break;
2911 }
2912
2913 /*
2914 * For link-layer types that have a variable-length link-layer
2915 * header, generate code to load the offset of the link-layer
2916 * payload into the register assigned to that offset, if any.
2917 */
2918 switch (cstate->outermostlinktype) {
2919
2920 case DLT_IEEE802_11:
2921 case DLT_PRISM_HEADER:
2922 case DLT_IEEE802_11_RADIO_AVS:
2923 case DLT_IEEE802_11_RADIO:
2924 case DLT_PPI:
2925 s = gen_load_802_11_header_len(cstate, s, b->stmts);
2926 break;
2927 }
2928
2929 /*
2930 * If there is no initialization yet and we need variable
2931 * length offsets for VLAN, initialize them to zero
2932 */
2933 if (s == NULL && cstate->is_vlan_vloffset) {
2934 struct slist *s2;
2935
2936 if (cstate->off_linkpl.reg == -1)
2937 cstate->off_linkpl.reg = alloc_reg(cstate);
2938 if (cstate->off_linktype.reg == -1)
2939 cstate->off_linktype.reg = alloc_reg(cstate);
2940
2941 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2942 s->s.k = 0;
2943 s2 = new_stmt(cstate, BPF_ST);
2944 s2->s.k = cstate->off_linkpl.reg;
2945 sappend(s, s2);
2946 s2 = new_stmt(cstate, BPF_ST);
2947 s2->s.k = cstate->off_linktype.reg;
2948 sappend(s, s2);
2949 }
2950
2951 /*
2952 * If we have any offset-loading code, append all the
2953 * existing statements in the block to those statements,
2954 * and make the resulting list the list of statements
2955 * for the block.
2956 */
2957 if (s != NULL) {
2958 sappend(s, b->stmts);
2959 b->stmts = s;
2960 }
2961 }
2962
2963 static struct block *
gen_ppi_dlt_check(compiler_state_t * cstate)2964 gen_ppi_dlt_check(compiler_state_t *cstate)
2965 {
2966 struct slist *s_load_dlt;
2967 struct block *b;
2968
2969 if (cstate->linktype == DLT_PPI)
2970 {
2971 /* Create the statements that check for the DLT
2972 */
2973 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2974 s_load_dlt->s.k = 4;
2975
2976 b = new_block(cstate, JMP(BPF_JEQ));
2977
2978 b->stmts = s_load_dlt;
2979 b->s.k = SWAPLONG(DLT_IEEE802_11);
2980 }
2981 else
2982 {
2983 b = NULL;
2984 }
2985
2986 return b;
2987 }
2988
2989 /*
2990 * Take an absolute offset, and:
2991 *
2992 * if it has no variable part, return NULL;
2993 *
2994 * if it has a variable part, generate code to load the register
2995 * containing that variable part into the X register, returning
2996 * a pointer to that code - if no register for that offset has
2997 * been allocated, allocate it first.
2998 *
2999 * (The code to set that register will be generated later, but will
3000 * be placed earlier in the code sequence.)
3001 */
3002 static struct slist *
gen_abs_offset_varpart(compiler_state_t * cstate,bpf_abs_offset * off)3003 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3004 {
3005 struct slist *s;
3006
3007 if (off->is_variable) {
3008 if (off->reg == -1) {
3009 /*
3010 * We haven't yet assigned a register for the
3011 * variable part of the offset of the link-layer
3012 * header; allocate one.
3013 */
3014 off->reg = alloc_reg(cstate);
3015 }
3016
3017 /*
3018 * Load the register containing the variable part of the
3019 * offset of the link-layer header into the X register.
3020 */
3021 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3022 s->s.k = off->reg;
3023 return s;
3024 } else {
3025 /*
3026 * That offset isn't variable, there's no variable part,
3027 * so we don't need to generate any code.
3028 */
3029 return NULL;
3030 }
3031 }
3032
3033 /*
3034 * Map an Ethernet type to the equivalent PPP type.
3035 */
3036 static bpf_u_int32
ethertype_to_ppptype(bpf_u_int32 ll_proto)3037 ethertype_to_ppptype(bpf_u_int32 ll_proto)
3038 {
3039 switch (ll_proto) {
3040
3041 case ETHERTYPE_IP:
3042 ll_proto = PPP_IP;
3043 break;
3044
3045 case ETHERTYPE_IPV6:
3046 ll_proto = PPP_IPV6;
3047 break;
3048
3049 case ETHERTYPE_DN:
3050 ll_proto = PPP_DECNET;
3051 break;
3052
3053 case ETHERTYPE_ATALK:
3054 ll_proto = PPP_APPLE;
3055 break;
3056
3057 case ETHERTYPE_NS:
3058 ll_proto = PPP_NS;
3059 break;
3060
3061 case LLCSAP_ISONS:
3062 ll_proto = PPP_OSI;
3063 break;
3064
3065 case LLCSAP_8021D:
3066 /*
3067 * I'm assuming the "Bridging PDU"s that go
3068 * over PPP are Spanning Tree Protocol
3069 * Bridging PDUs.
3070 */
3071 ll_proto = PPP_BRPDU;
3072 break;
3073
3074 case LLCSAP_IPX:
3075 ll_proto = PPP_IPX;
3076 break;
3077 }
3078 return (ll_proto);
3079 }
3080
3081 /*
3082 * Generate any tests that, for encapsulation of a link-layer packet
3083 * inside another protocol stack, need to be done to check for those
3084 * link-layer packets (and that haven't already been done by a check
3085 * for that encapsulation).
3086 */
3087 static struct block *
gen_prevlinkhdr_check(compiler_state_t * cstate)3088 gen_prevlinkhdr_check(compiler_state_t *cstate)
3089 {
3090 struct block *b0;
3091
3092 if (cstate->is_geneve)
3093 return gen_geneve_ll_check(cstate);
3094
3095 switch (cstate->prevlinktype) {
3096
3097 case DLT_SUNATM:
3098 /*
3099 * This is LANE-encapsulated Ethernet; check that the LANE
3100 * packet doesn't begin with an LE Control marker, i.e.
3101 * that it's data, not a control message.
3102 *
3103 * (We've already generated a test for LANE.)
3104 */
3105 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3106 gen_not(b0);
3107 return b0;
3108
3109 default:
3110 /*
3111 * No such tests are necessary.
3112 */
3113 return NULL;
3114 }
3115 /*NOTREACHED*/
3116 }
3117
3118 /*
3119 * The three different values we should check for when checking for an
3120 * IPv6 packet with DLT_NULL.
3121 */
3122 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3123 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3124 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3125
3126 /*
3127 * Generate code to match a particular packet type by matching the
3128 * link-layer type field or fields in the 802.2 LLC header.
3129 *
3130 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3131 * value, if <= ETHERMTU.
3132 */
3133 static struct block *
gen_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)3134 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3135 {
3136 struct block *b0, *b1, *b2;
3137 const char *description;
3138
3139 /* are we checking MPLS-encapsulated packets? */
3140 if (cstate->label_stack_depth > 0)
3141 return gen_mpls_linktype(cstate, ll_proto);
3142
3143 switch (cstate->linktype) {
3144
3145 case DLT_EN10MB:
3146 case DLT_NETANALYZER:
3147 case DLT_NETANALYZER_TRANSPARENT:
3148 /* Geneve has an EtherType regardless of whether there is an
3149 * L2 header. */
3150 if (!cstate->is_geneve)
3151 b0 = gen_prevlinkhdr_check(cstate);
3152 else
3153 b0 = NULL;
3154
3155 b1 = gen_ether_linktype(cstate, ll_proto);
3156 if (b0 != NULL)
3157 gen_and(b0, b1);
3158 return b1;
3159 /*NOTREACHED*/
3160
3161 case DLT_C_HDLC:
3162 switch (ll_proto) {
3163
3164 case LLCSAP_ISONS:
3165 ll_proto = (ll_proto << 8 | LLCSAP_ISONS);
3166 /* fall through */
3167
3168 default:
3169 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3170 /*NOTREACHED*/
3171 }
3172
3173 case DLT_IEEE802_11:
3174 case DLT_PRISM_HEADER:
3175 case DLT_IEEE802_11_RADIO_AVS:
3176 case DLT_IEEE802_11_RADIO:
3177 case DLT_PPI:
3178 /*
3179 * Check that we have a data frame.
3180 */
3181 b0 = gen_check_802_11_data_frame(cstate);
3182
3183 /*
3184 * Now check for the specified link-layer type.
3185 */
3186 b1 = gen_llc_linktype(cstate, ll_proto);
3187 gen_and(b0, b1);
3188 return b1;
3189 /*NOTREACHED*/
3190
3191 case DLT_FDDI:
3192 /*
3193 * XXX - check for LLC frames.
3194 */
3195 return gen_llc_linktype(cstate, ll_proto);
3196 /*NOTREACHED*/
3197
3198 case DLT_IEEE802:
3199 /*
3200 * XXX - check for LLC PDUs, as per IEEE 802.5.
3201 */
3202 return gen_llc_linktype(cstate, ll_proto);
3203 /*NOTREACHED*/
3204
3205 case DLT_ATM_RFC1483:
3206 case DLT_ATM_CLIP:
3207 case DLT_IP_OVER_FC:
3208 return gen_llc_linktype(cstate, ll_proto);
3209 /*NOTREACHED*/
3210
3211 case DLT_SUNATM:
3212 /*
3213 * Check for an LLC-encapsulated version of this protocol;
3214 * if we were checking for LANE, linktype would no longer
3215 * be DLT_SUNATM.
3216 *
3217 * Check for LLC encapsulation and then check the protocol.
3218 */
3219 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3220 b1 = gen_llc_linktype(cstate, ll_proto);
3221 gen_and(b0, b1);
3222 return b1;
3223 /*NOTREACHED*/
3224
3225 case DLT_LINUX_SLL:
3226 return gen_linux_sll_linktype(cstate, ll_proto);
3227 /*NOTREACHED*/
3228
3229 case DLT_SLIP:
3230 case DLT_SLIP_BSDOS:
3231 case DLT_RAW:
3232 /*
3233 * These types don't provide any type field; packets
3234 * are always IPv4 or IPv6.
3235 *
3236 * XXX - for IPv4, check for a version number of 4, and,
3237 * for IPv6, check for a version number of 6?
3238 */
3239 switch (ll_proto) {
3240
3241 case ETHERTYPE_IP:
3242 /* Check for a version number of 4. */
3243 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3244
3245 case ETHERTYPE_IPV6:
3246 /* Check for a version number of 6. */
3247 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3248
3249 default:
3250 return gen_false(cstate); /* always false */
3251 }
3252 /*NOTREACHED*/
3253
3254 case DLT_IPV4:
3255 /*
3256 * Raw IPv4, so no type field.
3257 */
3258 if (ll_proto == ETHERTYPE_IP)
3259 return gen_true(cstate); /* always true */
3260
3261 /* Checking for something other than IPv4; always false */
3262 return gen_false(cstate);
3263 /*NOTREACHED*/
3264
3265 case DLT_IPV6:
3266 /*
3267 * Raw IPv6, so no type field.
3268 */
3269 if (ll_proto == ETHERTYPE_IPV6)
3270 return gen_true(cstate); /* always true */
3271
3272 /* Checking for something other than IPv6; always false */
3273 return gen_false(cstate);
3274 /*NOTREACHED*/
3275
3276 case DLT_PPP:
3277 case DLT_PPP_PPPD:
3278 case DLT_PPP_SERIAL:
3279 case DLT_PPP_ETHER:
3280 /*
3281 * We use Ethernet protocol types inside libpcap;
3282 * map them to the corresponding PPP protocol types.
3283 */
3284 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3285 ethertype_to_ppptype(ll_proto));
3286 /*NOTREACHED*/
3287
3288 case DLT_PPP_BSDOS:
3289 /*
3290 * We use Ethernet protocol types inside libpcap;
3291 * map them to the corresponding PPP protocol types.
3292 */
3293 switch (ll_proto) {
3294
3295 case ETHERTYPE_IP:
3296 /*
3297 * Also check for Van Jacobson-compressed IP.
3298 * XXX - do this for other forms of PPP?
3299 */
3300 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3301 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3302 gen_or(b0, b1);
3303 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3304 gen_or(b1, b0);
3305 return b0;
3306
3307 default:
3308 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3309 ethertype_to_ppptype(ll_proto));
3310 }
3311 /*NOTREACHED*/
3312
3313 case DLT_NULL:
3314 case DLT_LOOP:
3315 case DLT_ENC:
3316 switch (ll_proto) {
3317
3318 case ETHERTYPE_IP:
3319 return (gen_loopback_linktype(cstate, AF_INET));
3320
3321 case ETHERTYPE_IPV6:
3322 /*
3323 * AF_ values may, unfortunately, be platform-
3324 * dependent; AF_INET isn't, because everybody
3325 * used 4.2BSD's value, but AF_INET6 is, because
3326 * 4.2BSD didn't have a value for it (given that
3327 * IPv6 didn't exist back in the early 1980's),
3328 * and they all picked their own values.
3329 *
3330 * This means that, if we're reading from a
3331 * savefile, we need to check for all the
3332 * possible values.
3333 *
3334 * If we're doing a live capture, we only need
3335 * to check for this platform's value; however,
3336 * Npcap uses 24, which isn't Windows's AF_INET6
3337 * value. (Given the multiple different values,
3338 * programs that read pcap files shouldn't be
3339 * checking for their platform's AF_INET6 value
3340 * anyway, they should check for all of the
3341 * possible values. and they might as well do
3342 * that even for live captures.)
3343 */
3344 if (cstate->bpf_pcap->rfile != NULL) {
3345 /*
3346 * Savefile - check for all three
3347 * possible IPv6 values.
3348 */
3349 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3350 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3351 gen_or(b0, b1);
3352 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3353 gen_or(b0, b1);
3354 return (b1);
3355 } else {
3356 /*
3357 * Live capture, so we only need to
3358 * check for the value used on this
3359 * platform.
3360 */
3361 #ifdef _WIN32
3362 /*
3363 * Npcap doesn't use Windows's AF_INET6,
3364 * as that collides with AF_IPX on
3365 * some BSDs (both have the value 23).
3366 * Instead, it uses 24.
3367 */
3368 return (gen_loopback_linktype(cstate, 24));
3369 #else /* _WIN32 */
3370 #ifdef AF_INET6
3371 return (gen_loopback_linktype(cstate, AF_INET6));
3372 #else /* AF_INET6 */
3373 /*
3374 * I guess this platform doesn't support
3375 * IPv6, so we just reject all packets.
3376 */
3377 return gen_false(cstate);
3378 #endif /* AF_INET6 */
3379 #endif /* _WIN32 */
3380 }
3381
3382 default:
3383 /*
3384 * Not a type on which we support filtering.
3385 * XXX - support those that have AF_ values
3386 * #defined on this platform, at least?
3387 */
3388 return gen_false(cstate);
3389 }
3390
3391 #ifdef HAVE_NET_PFVAR_H
3392 case DLT_PFLOG:
3393 /*
3394 * af field is host byte order in contrast to the rest of
3395 * the packet.
3396 */
3397 if (ll_proto == ETHERTYPE_IP)
3398 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3399 BPF_B, AF_INET));
3400 else if (ll_proto == ETHERTYPE_IPV6)
3401 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3402 BPF_B, AF_INET6));
3403 else
3404 return gen_false(cstate);
3405 /*NOTREACHED*/
3406 #endif /* HAVE_NET_PFVAR_H */
3407
3408 case DLT_ARCNET:
3409 case DLT_ARCNET_LINUX:
3410 /*
3411 * XXX should we check for first fragment if the protocol
3412 * uses PHDS?
3413 */
3414 switch (ll_proto) {
3415
3416 default:
3417 return gen_false(cstate);
3418
3419 case ETHERTYPE_IPV6:
3420 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3421 ARCTYPE_INET6));
3422
3423 case ETHERTYPE_IP:
3424 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3425 ARCTYPE_IP);
3426 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3427 ARCTYPE_IP_OLD);
3428 gen_or(b0, b1);
3429 return (b1);
3430
3431 case ETHERTYPE_ARP:
3432 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3433 ARCTYPE_ARP);
3434 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3435 ARCTYPE_ARP_OLD);
3436 gen_or(b0, b1);
3437 return (b1);
3438
3439 case ETHERTYPE_REVARP:
3440 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3441 ARCTYPE_REVARP));
3442
3443 case ETHERTYPE_ATALK:
3444 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3445 ARCTYPE_ATALK));
3446 }
3447 /*NOTREACHED*/
3448
3449 case DLT_LTALK:
3450 switch (ll_proto) {
3451 case ETHERTYPE_ATALK:
3452 return gen_true(cstate);
3453 default:
3454 return gen_false(cstate);
3455 }
3456 /*NOTREACHED*/
3457
3458 case DLT_FRELAY:
3459 /*
3460 * XXX - assumes a 2-byte Frame Relay header with
3461 * DLCI and flags. What if the address is longer?
3462 */
3463 switch (ll_proto) {
3464
3465 case ETHERTYPE_IP:
3466 /*
3467 * Check for the special NLPID for IP.
3468 */
3469 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3470
3471 case ETHERTYPE_IPV6:
3472 /*
3473 * Check for the special NLPID for IPv6.
3474 */
3475 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3476
3477 case LLCSAP_ISONS:
3478 /*
3479 * Check for several OSI protocols.
3480 *
3481 * Frame Relay packets typically have an OSI
3482 * NLPID at the beginning; we check for each
3483 * of them.
3484 *
3485 * What we check for is the NLPID and a frame
3486 * control field of UI, i.e. 0x03 followed
3487 * by the NLPID.
3488 */
3489 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3490 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3491 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3492 gen_or(b1, b2);
3493 gen_or(b0, b2);
3494 return b2;
3495
3496 default:
3497 return gen_false(cstate);
3498 }
3499 /*NOTREACHED*/
3500
3501 case DLT_MFR:
3502 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3503
3504 case DLT_JUNIPER_MFR:
3505 case DLT_JUNIPER_MLFR:
3506 case DLT_JUNIPER_MLPPP:
3507 case DLT_JUNIPER_ATM1:
3508 case DLT_JUNIPER_ATM2:
3509 case DLT_JUNIPER_PPPOE:
3510 case DLT_JUNIPER_PPPOE_ATM:
3511 case DLT_JUNIPER_GGSN:
3512 case DLT_JUNIPER_ES:
3513 case DLT_JUNIPER_MONITOR:
3514 case DLT_JUNIPER_SERVICES:
3515 case DLT_JUNIPER_ETHER:
3516 case DLT_JUNIPER_PPP:
3517 case DLT_JUNIPER_FRELAY:
3518 case DLT_JUNIPER_CHDLC:
3519 case DLT_JUNIPER_VP:
3520 case DLT_JUNIPER_ST:
3521 case DLT_JUNIPER_ISM:
3522 case DLT_JUNIPER_VS:
3523 case DLT_JUNIPER_SRX_E2E:
3524 case DLT_JUNIPER_FIBRECHANNEL:
3525 case DLT_JUNIPER_ATM_CEMIC:
3526
3527 /* just lets verify the magic number for now -
3528 * on ATM we may have up to 6 different encapsulations on the wire
3529 * and need a lot of heuristics to figure out that the payload
3530 * might be;
3531 *
3532 * FIXME encapsulation specific BPF_ filters
3533 */
3534 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3535
3536 case DLT_BACNET_MS_TP:
3537 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3538
3539 case DLT_IPNET:
3540 return gen_ipnet_linktype(cstate, ll_proto);
3541
3542 case DLT_LINUX_IRDA:
3543 bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3544
3545 case DLT_DOCSIS:
3546 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3547
3548 case DLT_MTP2:
3549 case DLT_MTP2_WITH_PHDR:
3550 bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3551
3552 case DLT_ERF:
3553 bpf_error(cstate, "ERF link-layer type filtering not implemented");
3554
3555 case DLT_PFSYNC:
3556 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3557
3558 case DLT_LINUX_LAPD:
3559 bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3560
3561 case DLT_USB_FREEBSD:
3562 case DLT_USB_LINUX:
3563 case DLT_USB_LINUX_MMAPPED:
3564 case DLT_USBPCAP:
3565 bpf_error(cstate, "USB link-layer type filtering not implemented");
3566
3567 case DLT_BLUETOOTH_HCI_H4:
3568 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3569 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3570
3571 case DLT_CAN20B:
3572 case DLT_CAN_SOCKETCAN:
3573 bpf_error(cstate, "CAN link-layer type filtering not implemented");
3574
3575 case DLT_IEEE802_15_4:
3576 case DLT_IEEE802_15_4_LINUX:
3577 case DLT_IEEE802_15_4_NONASK_PHY:
3578 case DLT_IEEE802_15_4_NOFCS:
3579 case DLT_IEEE802_15_4_TAP:
3580 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3581
3582 case DLT_IEEE802_16_MAC_CPS_RADIO:
3583 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3584
3585 case DLT_SITA:
3586 bpf_error(cstate, "SITA link-layer type filtering not implemented");
3587
3588 case DLT_RAIF1:
3589 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3590
3591 case DLT_IPMB_KONTRON:
3592 case DLT_IPMB_LINUX:
3593 bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3594
3595 case DLT_AX25_KISS:
3596 bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3597
3598 case DLT_NFLOG:
3599 /* Using the fixed-size NFLOG header it is possible to tell only
3600 * the address family of the packet, other meaningful data is
3601 * either missing or behind TLVs.
3602 */
3603 bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3604
3605 default:
3606 /*
3607 * Does this link-layer header type have a field
3608 * indicating the type of the next protocol? If
3609 * so, off_linktype.constant_part will be the offset of that
3610 * field in the packet; if not, it will be OFFSET_NOT_SET.
3611 */
3612 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3613 /*
3614 * Yes; assume it's an Ethernet type. (If
3615 * it's not, it needs to be handled specially
3616 * above.)
3617 */
3618 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3619 /*NOTREACHED */
3620 } else {
3621 /*
3622 * No; report an error.
3623 */
3624 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype);
3625 bpf_error(cstate, "%s link-layer type filtering not implemented",
3626 description);
3627 /*NOTREACHED */
3628 }
3629 }
3630 }
3631
3632 /*
3633 * Check for an LLC SNAP packet with a given organization code and
3634 * protocol type; we check the entire contents of the 802.2 LLC and
3635 * snap headers, checking for DSAP and SSAP of SNAP and a control
3636 * field of 0x03 in the LLC header, and for the specified organization
3637 * code and protocol type in the SNAP header.
3638 */
3639 static struct block *
gen_snap(compiler_state_t * cstate,bpf_u_int32 orgcode,bpf_u_int32 ptype)3640 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3641 {
3642 u_char snapblock[8];
3643
3644 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3645 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3646 snapblock[2] = 0x03; /* control = UI */
3647 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
3648 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
3649 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
3650 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
3651 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
3652 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3653 }
3654
3655 /*
3656 * Generate code to match frames with an LLC header.
3657 */
3658 static struct block *
gen_llc_internal(compiler_state_t * cstate)3659 gen_llc_internal(compiler_state_t *cstate)
3660 {
3661 struct block *b0, *b1;
3662
3663 switch (cstate->linktype) {
3664
3665 case DLT_EN10MB:
3666 /*
3667 * We check for an Ethernet type field less than
3668 * 1500, which means it's an 802.3 length field.
3669 */
3670 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3671 gen_not(b0);
3672
3673 /*
3674 * Now check for the purported DSAP and SSAP not being
3675 * 0xFF, to rule out NetWare-over-802.3.
3676 */
3677 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
3678 gen_not(b1);
3679 gen_and(b0, b1);
3680 return b1;
3681
3682 case DLT_SUNATM:
3683 /*
3684 * We check for LLC traffic.
3685 */
3686 b0 = gen_atmtype_llc(cstate);
3687 return b0;
3688
3689 case DLT_IEEE802: /* Token Ring */
3690 /*
3691 * XXX - check for LLC frames.
3692 */
3693 return gen_true(cstate);
3694
3695 case DLT_FDDI:
3696 /*
3697 * XXX - check for LLC frames.
3698 */
3699 return gen_true(cstate);
3700
3701 case DLT_ATM_RFC1483:
3702 /*
3703 * For LLC encapsulation, these are defined to have an
3704 * 802.2 LLC header.
3705 *
3706 * For VC encapsulation, they don't, but there's no
3707 * way to check for that; the protocol used on the VC
3708 * is negotiated out of band.
3709 */
3710 return gen_true(cstate);
3711
3712 case DLT_IEEE802_11:
3713 case DLT_PRISM_HEADER:
3714 case DLT_IEEE802_11_RADIO:
3715 case DLT_IEEE802_11_RADIO_AVS:
3716 case DLT_PPI:
3717 /*
3718 * Check that we have a data frame.
3719 */
3720 b0 = gen_check_802_11_data_frame(cstate);
3721 return b0;
3722
3723 default:
3724 bpf_error(cstate, "'llc' not supported for %s",
3725 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
3726 /*NOTREACHED*/
3727 }
3728 }
3729
3730 struct block *
gen_llc(compiler_state_t * cstate)3731 gen_llc(compiler_state_t *cstate)
3732 {
3733 /*
3734 * Catch errors reported by us and routines below us, and return NULL
3735 * on an error.
3736 */
3737 if (setjmp(cstate->top_ctx))
3738 return (NULL);
3739
3740 return gen_llc_internal(cstate);
3741 }
3742
3743 struct block *
gen_llc_i(compiler_state_t * cstate)3744 gen_llc_i(compiler_state_t *cstate)
3745 {
3746 struct block *b0, *b1;
3747 struct slist *s;
3748
3749 /*
3750 * Catch errors reported by us and routines below us, and return NULL
3751 * on an error.
3752 */
3753 if (setjmp(cstate->top_ctx))
3754 return (NULL);
3755
3756 /*
3757 * Check whether this is an LLC frame.
3758 */
3759 b0 = gen_llc_internal(cstate);
3760
3761 /*
3762 * Load the control byte and test the low-order bit; it must
3763 * be clear for I frames.
3764 */
3765 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3766 b1 = new_block(cstate, JMP(BPF_JSET));
3767 b1->s.k = 0x01;
3768 b1->stmts = s;
3769 gen_not(b1);
3770 gen_and(b0, b1);
3771 return b1;
3772 }
3773
3774 struct block *
gen_llc_s(compiler_state_t * cstate)3775 gen_llc_s(compiler_state_t *cstate)
3776 {
3777 struct block *b0, *b1;
3778
3779 /*
3780 * Catch errors reported by us and routines below us, and return NULL
3781 * on an error.
3782 */
3783 if (setjmp(cstate->top_ctx))
3784 return (NULL);
3785
3786 /*
3787 * Check whether this is an LLC frame.
3788 */
3789 b0 = gen_llc_internal(cstate);
3790
3791 /*
3792 * Now compare the low-order 2 bit of the control byte against
3793 * the appropriate value for S frames.
3794 */
3795 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3796 gen_and(b0, b1);
3797 return b1;
3798 }
3799
3800 struct block *
gen_llc_u(compiler_state_t * cstate)3801 gen_llc_u(compiler_state_t *cstate)
3802 {
3803 struct block *b0, *b1;
3804
3805 /*
3806 * Catch errors reported by us and routines below us, and return NULL
3807 * on an error.
3808 */
3809 if (setjmp(cstate->top_ctx))
3810 return (NULL);
3811
3812 /*
3813 * Check whether this is an LLC frame.
3814 */
3815 b0 = gen_llc_internal(cstate);
3816
3817 /*
3818 * Now compare the low-order 2 bit of the control byte against
3819 * the appropriate value for U frames.
3820 */
3821 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3822 gen_and(b0, b1);
3823 return b1;
3824 }
3825
3826 struct block *
gen_llc_s_subtype(compiler_state_t * cstate,bpf_u_int32 subtype)3827 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3828 {
3829 struct block *b0, *b1;
3830
3831 /*
3832 * Catch errors reported by us and routines below us, and return NULL
3833 * on an error.
3834 */
3835 if (setjmp(cstate->top_ctx))
3836 return (NULL);
3837
3838 /*
3839 * Check whether this is an LLC frame.
3840 */
3841 b0 = gen_llc_internal(cstate);
3842
3843 /*
3844 * Now check for an S frame with the appropriate type.
3845 */
3846 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3847 gen_and(b0, b1);
3848 return b1;
3849 }
3850
3851 struct block *
gen_llc_u_subtype(compiler_state_t * cstate,bpf_u_int32 subtype)3852 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3853 {
3854 struct block *b0, *b1;
3855
3856 /*
3857 * Catch errors reported by us and routines below us, and return NULL
3858 * on an error.
3859 */
3860 if (setjmp(cstate->top_ctx))
3861 return (NULL);
3862
3863 /*
3864 * Check whether this is an LLC frame.
3865 */
3866 b0 = gen_llc_internal(cstate);
3867
3868 /*
3869 * Now check for a U frame with the appropriate type.
3870 */
3871 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3872 gen_and(b0, b1);
3873 return b1;
3874 }
3875
3876 /*
3877 * Generate code to match a particular packet type, for link-layer types
3878 * using 802.2 LLC headers.
3879 *
3880 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3881 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3882 *
3883 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3884 * value, if <= ETHERMTU. We use that to determine whether to
3885 * match the DSAP or both DSAP and LSAP or to check the OUI and
3886 * protocol ID in a SNAP header.
3887 */
3888 static struct block *
gen_llc_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)3889 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3890 {
3891 /*
3892 * XXX - handle token-ring variable-length header.
3893 */
3894 switch (ll_proto) {
3895
3896 case LLCSAP_IP:
3897 case LLCSAP_ISONS:
3898 case LLCSAP_NETBEUI:
3899 /*
3900 * XXX - should we check both the DSAP and the
3901 * SSAP, like this, or should we check just the
3902 * DSAP, as we do for other SAP values?
3903 */
3904 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3905 ((ll_proto << 8) | ll_proto));
3906
3907 case LLCSAP_IPX:
3908 /*
3909 * XXX - are there ever SNAP frames for IPX on
3910 * non-Ethernet 802.x networks?
3911 */
3912 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
3913
3914 case ETHERTYPE_ATALK:
3915 /*
3916 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3917 * SNAP packets with an organization code of
3918 * 0x080007 (Apple, for Appletalk) and a protocol
3919 * type of ETHERTYPE_ATALK (Appletalk).
3920 *
3921 * XXX - check for an organization code of
3922 * encapsulated Ethernet as well?
3923 */
3924 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3925
3926 default:
3927 /*
3928 * XXX - we don't have to check for IPX 802.3
3929 * here, but should we check for the IPX Ethertype?
3930 */
3931 if (ll_proto <= ETHERMTU) {
3932 /*
3933 * This is an LLC SAP value, so check
3934 * the DSAP.
3935 */
3936 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto);
3937 } else {
3938 /*
3939 * This is an Ethernet type; we assume that it's
3940 * unlikely that it'll appear in the right place
3941 * at random, and therefore check only the
3942 * location that would hold the Ethernet type
3943 * in a SNAP frame with an organization code of
3944 * 0x000000 (encapsulated Ethernet).
3945 *
3946 * XXX - if we were to check for the SNAP DSAP and
3947 * LSAP, as per XXX, and were also to check for an
3948 * organization code of 0x000000 (encapsulated
3949 * Ethernet), we'd do
3950 *
3951 * return gen_snap(cstate, 0x000000, ll_proto);
3952 *
3953 * here; for now, we don't, as per the above.
3954 * I don't know whether it's worth the extra CPU
3955 * time to do the right check or not.
3956 */
3957 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto);
3958 }
3959 }
3960 }
3961
3962 static struct block *
gen_hostop(compiler_state_t * cstate,bpf_u_int32 addr,bpf_u_int32 mask,int dir,bpf_u_int32 ll_proto,u_int src_off,u_int dst_off)3963 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
3964 int dir, bpf_u_int32 ll_proto, u_int src_off, u_int dst_off)
3965 {
3966 struct block *b0, *b1;
3967 u_int offset;
3968
3969 switch (dir) {
3970
3971 case Q_SRC:
3972 offset = src_off;
3973 break;
3974
3975 case Q_DST:
3976 offset = dst_off;
3977 break;
3978
3979 case Q_AND:
3980 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
3981 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
3982 gen_and(b0, b1);
3983 return b1;
3984
3985 case Q_DEFAULT:
3986 case Q_OR:
3987 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
3988 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
3989 gen_or(b0, b1);
3990 return b1;
3991
3992 case Q_ADDR1:
3993 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3994 /*NOTREACHED*/
3995
3996 case Q_ADDR2:
3997 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3998 /*NOTREACHED*/
3999
4000 case Q_ADDR3:
4001 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4002 /*NOTREACHED*/
4003
4004 case Q_ADDR4:
4005 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4006 /*NOTREACHED*/
4007
4008 case Q_RA:
4009 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4010 /*NOTREACHED*/
4011
4012 case Q_TA:
4013 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4014 /*NOTREACHED*/
4015
4016 default:
4017 abort();
4018 /*NOTREACHED*/
4019 }
4020 b0 = gen_linktype(cstate, ll_proto);
4021 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask);
4022 gen_and(b0, b1);
4023 return b1;
4024 }
4025
4026 #ifdef INET6
4027 static struct block *
gen_hostop6(compiler_state_t * cstate,struct in6_addr * addr,struct in6_addr * mask,int dir,bpf_u_int32 ll_proto,u_int src_off,u_int dst_off)4028 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4029 struct in6_addr *mask, int dir, bpf_u_int32 ll_proto, u_int src_off,
4030 u_int dst_off)
4031 {
4032 struct block *b0, *b1;
4033 u_int offset;
4034 uint32_t *a, *m;
4035
4036 switch (dir) {
4037
4038 case Q_SRC:
4039 offset = src_off;
4040 break;
4041
4042 case Q_DST:
4043 offset = dst_off;
4044 break;
4045
4046 case Q_AND:
4047 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4048 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4049 gen_and(b0, b1);
4050 return b1;
4051
4052 case Q_DEFAULT:
4053 case Q_OR:
4054 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4055 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4056 gen_or(b0, b1);
4057 return b1;
4058
4059 case Q_ADDR1:
4060 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4061 /*NOTREACHED*/
4062
4063 case Q_ADDR2:
4064 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4065 /*NOTREACHED*/
4066
4067 case Q_ADDR3:
4068 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4069 /*NOTREACHED*/
4070
4071 case Q_ADDR4:
4072 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4073 /*NOTREACHED*/
4074
4075 case Q_RA:
4076 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4077 /*NOTREACHED*/
4078
4079 case Q_TA:
4080 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4081 /*NOTREACHED*/
4082
4083 default:
4084 abort();
4085 /*NOTREACHED*/
4086 }
4087 /* this order is important */
4088 a = (uint32_t *)addr;
4089 m = (uint32_t *)mask;
4090 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4091 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4092 gen_and(b0, b1);
4093 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4094 gen_and(b0, b1);
4095 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4096 gen_and(b0, b1);
4097 b0 = gen_linktype(cstate, ll_proto);
4098 gen_and(b0, b1);
4099 return b1;
4100 }
4101 #endif
4102
4103 static struct block *
gen_ehostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4104 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4105 {
4106 register struct block *b0, *b1;
4107
4108 switch (dir) {
4109 case Q_SRC:
4110 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4111
4112 case Q_DST:
4113 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4114
4115 case Q_AND:
4116 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4117 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4118 gen_and(b0, b1);
4119 return b1;
4120
4121 case Q_DEFAULT:
4122 case Q_OR:
4123 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4124 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4125 gen_or(b0, b1);
4126 return b1;
4127
4128 case Q_ADDR1:
4129 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4130 /*NOTREACHED*/
4131
4132 case Q_ADDR2:
4133 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4134 /*NOTREACHED*/
4135
4136 case Q_ADDR3:
4137 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4138 /*NOTREACHED*/
4139
4140 case Q_ADDR4:
4141 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4142 /*NOTREACHED*/
4143
4144 case Q_RA:
4145 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4146 /*NOTREACHED*/
4147
4148 case Q_TA:
4149 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4150 /*NOTREACHED*/
4151 }
4152 abort();
4153 /*NOTREACHED*/
4154 }
4155
4156 /*
4157 * Like gen_ehostop, but for DLT_FDDI
4158 */
4159 static struct block *
gen_fhostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4160 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4161 {
4162 struct block *b0, *b1;
4163
4164 switch (dir) {
4165 case Q_SRC:
4166 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4167
4168 case Q_DST:
4169 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4170
4171 case Q_AND:
4172 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4173 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4174 gen_and(b0, b1);
4175 return b1;
4176
4177 case Q_DEFAULT:
4178 case Q_OR:
4179 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4180 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4181 gen_or(b0, b1);
4182 return b1;
4183
4184 case Q_ADDR1:
4185 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4186 /*NOTREACHED*/
4187
4188 case Q_ADDR2:
4189 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4190 /*NOTREACHED*/
4191
4192 case Q_ADDR3:
4193 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4194 /*NOTREACHED*/
4195
4196 case Q_ADDR4:
4197 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4198 /*NOTREACHED*/
4199
4200 case Q_RA:
4201 bpf_error(cstate, "'ra' is only supported on 802.11");
4202 /*NOTREACHED*/
4203
4204 case Q_TA:
4205 bpf_error(cstate, "'ta' is only supported on 802.11");
4206 /*NOTREACHED*/
4207 }
4208 abort();
4209 /*NOTREACHED*/
4210 }
4211
4212 /*
4213 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4214 */
4215 static struct block *
gen_thostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4216 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4217 {
4218 register struct block *b0, *b1;
4219
4220 switch (dir) {
4221 case Q_SRC:
4222 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4223
4224 case Q_DST:
4225 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4226
4227 case Q_AND:
4228 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4229 b1 = gen_thostop(cstate, eaddr, Q_DST);
4230 gen_and(b0, b1);
4231 return b1;
4232
4233 case Q_DEFAULT:
4234 case Q_OR:
4235 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4236 b1 = gen_thostop(cstate, eaddr, Q_DST);
4237 gen_or(b0, b1);
4238 return b1;
4239
4240 case Q_ADDR1:
4241 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4242 /*NOTREACHED*/
4243
4244 case Q_ADDR2:
4245 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4246 /*NOTREACHED*/
4247
4248 case Q_ADDR3:
4249 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4250 /*NOTREACHED*/
4251
4252 case Q_ADDR4:
4253 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4254 /*NOTREACHED*/
4255
4256 case Q_RA:
4257 bpf_error(cstate, "'ra' is only supported on 802.11");
4258 /*NOTREACHED*/
4259
4260 case Q_TA:
4261 bpf_error(cstate, "'ta' is only supported on 802.11");
4262 /*NOTREACHED*/
4263 }
4264 abort();
4265 /*NOTREACHED*/
4266 }
4267
4268 /*
4269 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4270 * various 802.11 + radio headers.
4271 */
4272 static struct block *
gen_wlanhostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4273 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4274 {
4275 register struct block *b0, *b1, *b2;
4276 register struct slist *s;
4277
4278 #ifdef ENABLE_WLAN_FILTERING_PATCH
4279 /*
4280 * TODO GV 20070613
4281 * We need to disable the optimizer because the optimizer is buggy
4282 * and wipes out some LD instructions generated by the below
4283 * code to validate the Frame Control bits
4284 */
4285 cstate->no_optimize = 1;
4286 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4287
4288 switch (dir) {
4289 case Q_SRC:
4290 /*
4291 * Oh, yuk.
4292 *
4293 * For control frames, there is no SA.
4294 *
4295 * For management frames, SA is at an
4296 * offset of 10 from the beginning of
4297 * the packet.
4298 *
4299 * For data frames, SA is at an offset
4300 * of 10 from the beginning of the packet
4301 * if From DS is clear, at an offset of
4302 * 16 from the beginning of the packet
4303 * if From DS is set and To DS is clear,
4304 * and an offset of 24 from the beginning
4305 * of the packet if From DS is set and To DS
4306 * is set.
4307 */
4308
4309 /*
4310 * Generate the tests to be done for data frames
4311 * with From DS set.
4312 *
4313 * First, check for To DS set, i.e. check "link[1] & 0x01".
4314 */
4315 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4316 b1 = new_block(cstate, JMP(BPF_JSET));
4317 b1->s.k = 0x01; /* To DS */
4318 b1->stmts = s;
4319
4320 /*
4321 * If To DS is set, the SA is at 24.
4322 */
4323 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4324 gen_and(b1, b0);
4325
4326 /*
4327 * Now, check for To DS not set, i.e. check
4328 * "!(link[1] & 0x01)".
4329 */
4330 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4331 b2 = new_block(cstate, JMP(BPF_JSET));
4332 b2->s.k = 0x01; /* To DS */
4333 b2->stmts = s;
4334 gen_not(b2);
4335
4336 /*
4337 * If To DS is not set, the SA is at 16.
4338 */
4339 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4340 gen_and(b2, b1);
4341
4342 /*
4343 * Now OR together the last two checks. That gives
4344 * the complete set of checks for data frames with
4345 * From DS set.
4346 */
4347 gen_or(b1, b0);
4348
4349 /*
4350 * Now check for From DS being set, and AND that with
4351 * the ORed-together checks.
4352 */
4353 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4354 b1 = new_block(cstate, JMP(BPF_JSET));
4355 b1->s.k = 0x02; /* From DS */
4356 b1->stmts = s;
4357 gen_and(b1, b0);
4358
4359 /*
4360 * Now check for data frames with From DS not set.
4361 */
4362 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4363 b2 = new_block(cstate, JMP(BPF_JSET));
4364 b2->s.k = 0x02; /* From DS */
4365 b2->stmts = s;
4366 gen_not(b2);
4367
4368 /*
4369 * If From DS isn't set, the SA is at 10.
4370 */
4371 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4372 gen_and(b2, b1);
4373
4374 /*
4375 * Now OR together the checks for data frames with
4376 * From DS not set and for data frames with From DS
4377 * set; that gives the checks done for data frames.
4378 */
4379 gen_or(b1, b0);
4380
4381 /*
4382 * Now check for a data frame.
4383 * I.e, check "link[0] & 0x08".
4384 */
4385 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4386 b1 = new_block(cstate, JMP(BPF_JSET));
4387 b1->s.k = 0x08;
4388 b1->stmts = s;
4389
4390 /*
4391 * AND that with the checks done for data frames.
4392 */
4393 gen_and(b1, b0);
4394
4395 /*
4396 * If the high-order bit of the type value is 0, this
4397 * is a management frame.
4398 * I.e, check "!(link[0] & 0x08)".
4399 */
4400 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4401 b2 = new_block(cstate, JMP(BPF_JSET));
4402 b2->s.k = 0x08;
4403 b2->stmts = s;
4404 gen_not(b2);
4405
4406 /*
4407 * For management frames, the SA is at 10.
4408 */
4409 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4410 gen_and(b2, b1);
4411
4412 /*
4413 * OR that with the checks done for data frames.
4414 * That gives the checks done for management and
4415 * data frames.
4416 */
4417 gen_or(b1, b0);
4418
4419 /*
4420 * If the low-order bit of the type value is 1,
4421 * this is either a control frame or a frame
4422 * with a reserved type, and thus not a
4423 * frame with an SA.
4424 *
4425 * I.e., check "!(link[0] & 0x04)".
4426 */
4427 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4428 b1 = new_block(cstate, JMP(BPF_JSET));
4429 b1->s.k = 0x04;
4430 b1->stmts = s;
4431 gen_not(b1);
4432
4433 /*
4434 * AND that with the checks for data and management
4435 * frames.
4436 */
4437 gen_and(b1, b0);
4438 return b0;
4439
4440 case Q_DST:
4441 /*
4442 * Oh, yuk.
4443 *
4444 * For control frames, there is no DA.
4445 *
4446 * For management frames, DA is at an
4447 * offset of 4 from the beginning of
4448 * the packet.
4449 *
4450 * For data frames, DA is at an offset
4451 * of 4 from the beginning of the packet
4452 * if To DS is clear and at an offset of
4453 * 16 from the beginning of the packet
4454 * if To DS is set.
4455 */
4456
4457 /*
4458 * Generate the tests to be done for data frames.
4459 *
4460 * First, check for To DS set, i.e. "link[1] & 0x01".
4461 */
4462 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4463 b1 = new_block(cstate, JMP(BPF_JSET));
4464 b1->s.k = 0x01; /* To DS */
4465 b1->stmts = s;
4466
4467 /*
4468 * If To DS is set, the DA is at 16.
4469 */
4470 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4471 gen_and(b1, b0);
4472
4473 /*
4474 * Now, check for To DS not set, i.e. check
4475 * "!(link[1] & 0x01)".
4476 */
4477 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4478 b2 = new_block(cstate, JMP(BPF_JSET));
4479 b2->s.k = 0x01; /* To DS */
4480 b2->stmts = s;
4481 gen_not(b2);
4482
4483 /*
4484 * If To DS is not set, the DA is at 4.
4485 */
4486 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4487 gen_and(b2, b1);
4488
4489 /*
4490 * Now OR together the last two checks. That gives
4491 * the complete set of checks for data frames.
4492 */
4493 gen_or(b1, b0);
4494
4495 /*
4496 * Now check for a data frame.
4497 * I.e, check "link[0] & 0x08".
4498 */
4499 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4500 b1 = new_block(cstate, JMP(BPF_JSET));
4501 b1->s.k = 0x08;
4502 b1->stmts = s;
4503
4504 /*
4505 * AND that with the checks done for data frames.
4506 */
4507 gen_and(b1, b0);
4508
4509 /*
4510 * If the high-order bit of the type value is 0, this
4511 * is a management frame.
4512 * I.e, check "!(link[0] & 0x08)".
4513 */
4514 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4515 b2 = new_block(cstate, JMP(BPF_JSET));
4516 b2->s.k = 0x08;
4517 b2->stmts = s;
4518 gen_not(b2);
4519
4520 /*
4521 * For management frames, the DA is at 4.
4522 */
4523 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4524 gen_and(b2, b1);
4525
4526 /*
4527 * OR that with the checks done for data frames.
4528 * That gives the checks done for management and
4529 * data frames.
4530 */
4531 gen_or(b1, b0);
4532
4533 /*
4534 * If the low-order bit of the type value is 1,
4535 * this is either a control frame or a frame
4536 * with a reserved type, and thus not a
4537 * frame with an SA.
4538 *
4539 * I.e., check "!(link[0] & 0x04)".
4540 */
4541 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4542 b1 = new_block(cstate, JMP(BPF_JSET));
4543 b1->s.k = 0x04;
4544 b1->stmts = s;
4545 gen_not(b1);
4546
4547 /*
4548 * AND that with the checks for data and management
4549 * frames.
4550 */
4551 gen_and(b1, b0);
4552 return b0;
4553
4554 case Q_AND:
4555 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4556 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4557 gen_and(b0, b1);
4558 return b1;
4559
4560 case Q_DEFAULT:
4561 case Q_OR:
4562 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4563 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4564 gen_or(b0, b1);
4565 return b1;
4566
4567 /*
4568 * XXX - add BSSID keyword?
4569 */
4570 case Q_ADDR1:
4571 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4572
4573 case Q_ADDR2:
4574 /*
4575 * Not present in CTS or ACK control frames.
4576 */
4577 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4578 IEEE80211_FC0_TYPE_MASK);
4579 gen_not(b0);
4580 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4581 IEEE80211_FC0_SUBTYPE_MASK);
4582 gen_not(b1);
4583 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4584 IEEE80211_FC0_SUBTYPE_MASK);
4585 gen_not(b2);
4586 gen_and(b1, b2);
4587 gen_or(b0, b2);
4588 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4589 gen_and(b2, b1);
4590 return b1;
4591
4592 case Q_ADDR3:
4593 /*
4594 * Not present in control frames.
4595 */
4596 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4597 IEEE80211_FC0_TYPE_MASK);
4598 gen_not(b0);
4599 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4600 gen_and(b0, b1);
4601 return b1;
4602
4603 case Q_ADDR4:
4604 /*
4605 * Present only if the direction mask has both "From DS"
4606 * and "To DS" set. Neither control frames nor management
4607 * frames should have both of those set, so we don't
4608 * check the frame type.
4609 */
4610 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4611 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4612 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4613 gen_and(b0, b1);
4614 return b1;
4615
4616 case Q_RA:
4617 /*
4618 * Not present in management frames; addr1 in other
4619 * frames.
4620 */
4621
4622 /*
4623 * If the high-order bit of the type value is 0, this
4624 * is a management frame.
4625 * I.e, check "(link[0] & 0x08)".
4626 */
4627 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4628 b1 = new_block(cstate, JMP(BPF_JSET));
4629 b1->s.k = 0x08;
4630 b1->stmts = s;
4631
4632 /*
4633 * Check addr1.
4634 */
4635 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4636
4637 /*
4638 * AND that with the check of addr1.
4639 */
4640 gen_and(b1, b0);
4641 return (b0);
4642
4643 case Q_TA:
4644 /*
4645 * Not present in management frames; addr2, if present,
4646 * in other frames.
4647 */
4648
4649 /*
4650 * Not present in CTS or ACK control frames.
4651 */
4652 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4653 IEEE80211_FC0_TYPE_MASK);
4654 gen_not(b0);
4655 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4656 IEEE80211_FC0_SUBTYPE_MASK);
4657 gen_not(b1);
4658 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4659 IEEE80211_FC0_SUBTYPE_MASK);
4660 gen_not(b2);
4661 gen_and(b1, b2);
4662 gen_or(b0, b2);
4663
4664 /*
4665 * If the high-order bit of the type value is 0, this
4666 * is a management frame.
4667 * I.e, check "(link[0] & 0x08)".
4668 */
4669 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4670 b1 = new_block(cstate, JMP(BPF_JSET));
4671 b1->s.k = 0x08;
4672 b1->stmts = s;
4673
4674 /*
4675 * AND that with the check for frames other than
4676 * CTS and ACK frames.
4677 */
4678 gen_and(b1, b2);
4679
4680 /*
4681 * Check addr2.
4682 */
4683 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4684 gen_and(b2, b1);
4685 return b1;
4686 }
4687 abort();
4688 /*NOTREACHED*/
4689 }
4690
4691 /*
4692 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4693 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4694 * as the RFC states.)
4695 */
4696 static struct block *
gen_ipfchostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4697 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4698 {
4699 register struct block *b0, *b1;
4700
4701 switch (dir) {
4702 case Q_SRC:
4703 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4704
4705 case Q_DST:
4706 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4707
4708 case Q_AND:
4709 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4710 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4711 gen_and(b0, b1);
4712 return b1;
4713
4714 case Q_DEFAULT:
4715 case Q_OR:
4716 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4717 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4718 gen_or(b0, b1);
4719 return b1;
4720
4721 case Q_ADDR1:
4722 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4723 /*NOTREACHED*/
4724
4725 case Q_ADDR2:
4726 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4727 /*NOTREACHED*/
4728
4729 case Q_ADDR3:
4730 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4731 /*NOTREACHED*/
4732
4733 case Q_ADDR4:
4734 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4735 /*NOTREACHED*/
4736
4737 case Q_RA:
4738 bpf_error(cstate, "'ra' is only supported on 802.11");
4739 /*NOTREACHED*/
4740
4741 case Q_TA:
4742 bpf_error(cstate, "'ta' is only supported on 802.11");
4743 /*NOTREACHED*/
4744 }
4745 abort();
4746 /*NOTREACHED*/
4747 }
4748
4749 /*
4750 * This is quite tricky because there may be pad bytes in front of the
4751 * DECNET header, and then there are two possible data packet formats that
4752 * carry both src and dst addresses, plus 5 packet types in a format that
4753 * carries only the src node, plus 2 types that use a different format and
4754 * also carry just the src node.
4755 *
4756 * Yuck.
4757 *
4758 * Instead of doing those all right, we just look for data packets with
4759 * 0 or 1 bytes of padding. If you want to look at other packets, that
4760 * will require a lot more hacking.
4761 *
4762 * To add support for filtering on DECNET "areas" (network numbers)
4763 * one would want to add a "mask" argument to this routine. That would
4764 * make the filter even more inefficient, although one could be clever
4765 * and not generate masking instructions if the mask is 0xFFFF.
4766 */
4767 static struct block *
gen_dnhostop(compiler_state_t * cstate,bpf_u_int32 addr,int dir)4768 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4769 {
4770 struct block *b0, *b1, *b2, *tmp;
4771 u_int offset_lh; /* offset if long header is received */
4772 u_int offset_sh; /* offset if short header is received */
4773
4774 switch (dir) {
4775
4776 case Q_DST:
4777 offset_sh = 1; /* follows flags */
4778 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4779 break;
4780
4781 case Q_SRC:
4782 offset_sh = 3; /* follows flags, dstnode */
4783 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4784 break;
4785
4786 case Q_AND:
4787 /* Inefficient because we do our Calvinball dance twice */
4788 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4789 b1 = gen_dnhostop(cstate, addr, Q_DST);
4790 gen_and(b0, b1);
4791 return b1;
4792
4793 case Q_DEFAULT:
4794 case Q_OR:
4795 /* Inefficient because we do our Calvinball dance twice */
4796 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4797 b1 = gen_dnhostop(cstate, addr, Q_DST);
4798 gen_or(b0, b1);
4799 return b1;
4800
4801 case Q_ADDR1:
4802 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4803 /*NOTREACHED*/
4804
4805 case Q_ADDR2:
4806 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4807 /*NOTREACHED*/
4808
4809 case Q_ADDR3:
4810 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4811 /*NOTREACHED*/
4812
4813 case Q_ADDR4:
4814 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4815 /*NOTREACHED*/
4816
4817 case Q_RA:
4818 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4819 /*NOTREACHED*/
4820
4821 case Q_TA:
4822 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4823 /*NOTREACHED*/
4824
4825 default:
4826 abort();
4827 /*NOTREACHED*/
4828 }
4829 b0 = gen_linktype(cstate, ETHERTYPE_DN);
4830 /* Check for pad = 1, long header case */
4831 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4832 (bpf_u_int32)ntohs(0x0681), (bpf_u_int32)ntohs(0x07FF));
4833 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4834 BPF_H, (bpf_u_int32)ntohs((u_short)addr));
4835 gen_and(tmp, b1);
4836 /* Check for pad = 0, long header case */
4837 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x06,
4838 (bpf_u_int32)0x7);
4839 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H,
4840 (bpf_u_int32)ntohs((u_short)addr));
4841 gen_and(tmp, b2);
4842 gen_or(b2, b1);
4843 /* Check for pad = 1, short header case */
4844 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4845 (bpf_u_int32)ntohs(0x0281), (bpf_u_int32)ntohs(0x07FF));
4846 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H,
4847 (bpf_u_int32)ntohs((u_short)addr));
4848 gen_and(tmp, b2);
4849 gen_or(b2, b1);
4850 /* Check for pad = 0, short header case */
4851 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x02,
4852 (bpf_u_int32)0x7);
4853 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H,
4854 (bpf_u_int32)ntohs((u_short)addr));
4855 gen_and(tmp, b2);
4856 gen_or(b2, b1);
4857
4858 /* Combine with test for cstate->linktype */
4859 gen_and(b0, b1);
4860 return b1;
4861 }
4862
4863 /*
4864 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4865 * test the bottom-of-stack bit, and then check the version number
4866 * field in the IP header.
4867 */
4868 static struct block *
gen_mpls_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)4869 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
4870 {
4871 struct block *b0, *b1;
4872
4873 switch (ll_proto) {
4874
4875 case ETHERTYPE_IP:
4876 /* match the bottom-of-stack bit */
4877 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4878 /* match the IPv4 version number */
4879 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4880 gen_and(b0, b1);
4881 return b1;
4882
4883 case ETHERTYPE_IPV6:
4884 /* match the bottom-of-stack bit */
4885 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4886 /* match the IPv4 version number */
4887 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4888 gen_and(b0, b1);
4889 return b1;
4890
4891 default:
4892 /* FIXME add other L3 proto IDs */
4893 bpf_error(cstate, "unsupported protocol over mpls");
4894 /*NOTREACHED*/
4895 }
4896 }
4897
4898 static struct block *
gen_host(compiler_state_t * cstate,bpf_u_int32 addr,bpf_u_int32 mask,int proto,int dir,int type)4899 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4900 int proto, int dir, int type)
4901 {
4902 struct block *b0, *b1;
4903 const char *typestr;
4904
4905 if (type == Q_NET)
4906 typestr = "net";
4907 else
4908 typestr = "host";
4909
4910 switch (proto) {
4911
4912 case Q_DEFAULT:
4913 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4914 /*
4915 * Only check for non-IPv4 addresses if we're not
4916 * checking MPLS-encapsulated packets.
4917 */
4918 if (cstate->label_stack_depth == 0) {
4919 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4920 gen_or(b0, b1);
4921 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4922 gen_or(b1, b0);
4923 }
4924 return b0;
4925
4926 case Q_LINK:
4927 bpf_error(cstate, "link-layer modifier applied to %s", typestr);
4928
4929 case Q_IP:
4930 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4931
4932 case Q_RARP:
4933 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4934
4935 case Q_ARP:
4936 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4937
4938 case Q_SCTP:
4939 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4940
4941 case Q_TCP:
4942 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4943
4944 case Q_UDP:
4945 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4946
4947 case Q_ICMP:
4948 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4949
4950 case Q_IGMP:
4951 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4952
4953 case Q_IGRP:
4954 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4955
4956 case Q_ATALK:
4957 bpf_error(cstate, "AppleTalk host filtering not implemented");
4958
4959 case Q_DECNET:
4960 return gen_dnhostop(cstate, addr, dir);
4961
4962 case Q_LAT:
4963 bpf_error(cstate, "LAT host filtering not implemented");
4964
4965 case Q_SCA:
4966 bpf_error(cstate, "SCA host filtering not implemented");
4967
4968 case Q_MOPRC:
4969 bpf_error(cstate, "MOPRC host filtering not implemented");
4970
4971 case Q_MOPDL:
4972 bpf_error(cstate, "MOPDL host filtering not implemented");
4973
4974 case Q_IPV6:
4975 bpf_error(cstate, "'ip6' modifier applied to ip host");
4976
4977 case Q_ICMPV6:
4978 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4979
4980 case Q_AH:
4981 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4982
4983 case Q_ESP:
4984 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4985
4986 case Q_PIM:
4987 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4988
4989 case Q_VRRP:
4990 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4991
4992 case Q_AARP:
4993 bpf_error(cstate, "AARP host filtering not implemented");
4994
4995 case Q_ISO:
4996 bpf_error(cstate, "ISO host filtering not implemented");
4997
4998 case Q_ESIS:
4999 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
5000
5001 case Q_ISIS:
5002 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
5003
5004 case Q_CLNP:
5005 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
5006
5007 case Q_STP:
5008 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
5009
5010 case Q_IPX:
5011 bpf_error(cstate, "IPX host filtering not implemented");
5012
5013 case Q_NETBEUI:
5014 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
5015
5016 case Q_ISIS_L1:
5017 bpf_error(cstate, "'l1' modifier applied to %s", typestr);
5018
5019 case Q_ISIS_L2:
5020 bpf_error(cstate, "'l2' modifier applied to %s", typestr);
5021
5022 case Q_ISIS_IIH:
5023 bpf_error(cstate, "'iih' modifier applied to %s", typestr);
5024
5025 case Q_ISIS_SNP:
5026 bpf_error(cstate, "'snp' modifier applied to %s", typestr);
5027
5028 case Q_ISIS_CSNP:
5029 bpf_error(cstate, "'csnp' modifier applied to %s", typestr);
5030
5031 case Q_ISIS_PSNP:
5032 bpf_error(cstate, "'psnp' modifier applied to %s", typestr);
5033
5034 case Q_ISIS_LSP:
5035 bpf_error(cstate, "'lsp' modifier applied to %s", typestr);
5036
5037 case Q_RADIO:
5038 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
5039
5040 case Q_CARP:
5041 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
5042
5043 default:
5044 abort();
5045 }
5046 /*NOTREACHED*/
5047 }
5048
5049 #ifdef INET6
5050 static struct block *
gen_host6(compiler_state_t * cstate,struct in6_addr * addr,struct in6_addr * mask,int proto,int dir,int type)5051 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5052 struct in6_addr *mask, int proto, int dir, int type)
5053 {
5054 const char *typestr;
5055
5056 if (type == Q_NET)
5057 typestr = "net";
5058 else
5059 typestr = "host";
5060
5061 switch (proto) {
5062
5063 case Q_DEFAULT:
5064 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
5065
5066 case Q_LINK:
5067 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
5068
5069 case Q_IP:
5070 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
5071
5072 case Q_RARP:
5073 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
5074
5075 case Q_ARP:
5076 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
5077
5078 case Q_SCTP:
5079 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr);
5080
5081 case Q_TCP:
5082 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr);
5083
5084 case Q_UDP:
5085 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr);
5086
5087 case Q_ICMP:
5088 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr);
5089
5090 case Q_IGMP:
5091 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr);
5092
5093 case Q_IGRP:
5094 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr);
5095
5096 case Q_ATALK:
5097 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr);
5098
5099 case Q_DECNET:
5100 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
5101
5102 case Q_LAT:
5103 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr);
5104
5105 case Q_SCA:
5106 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr);
5107
5108 case Q_MOPRC:
5109 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr);
5110
5111 case Q_MOPDL:
5112 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr);
5113
5114 case Q_IPV6:
5115 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
5116
5117 case Q_ICMPV6:
5118 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr);
5119
5120 case Q_AH:
5121 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr);
5122
5123 case Q_ESP:
5124 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr);
5125
5126 case Q_PIM:
5127 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr);
5128
5129 case Q_VRRP:
5130 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr);
5131
5132 case Q_AARP:
5133 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr);
5134
5135 case Q_ISO:
5136 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr);
5137
5138 case Q_ESIS:
5139 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr);
5140
5141 case Q_ISIS:
5142 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr);
5143
5144 case Q_CLNP:
5145 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr);
5146
5147 case Q_STP:
5148 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr);
5149
5150 case Q_IPX:
5151 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr);
5152
5153 case Q_NETBEUI:
5154 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr);
5155
5156 case Q_ISIS_L1:
5157 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr);
5158
5159 case Q_ISIS_L2:
5160 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr);
5161
5162 case Q_ISIS_IIH:
5163 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr);
5164
5165 case Q_ISIS_SNP:
5166 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr);
5167
5168 case Q_ISIS_CSNP:
5169 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr);
5170
5171 case Q_ISIS_PSNP:
5172 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr);
5173
5174 case Q_ISIS_LSP:
5175 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr);
5176
5177 case Q_RADIO:
5178 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr);
5179
5180 case Q_CARP:
5181 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr);
5182
5183 default:
5184 abort();
5185 }
5186 /*NOTREACHED*/
5187 }
5188 #endif
5189
5190 #ifndef INET6
5191 static struct block *
gen_gateway(compiler_state_t * cstate,const u_char * eaddr,struct addrinfo * alist,int proto,int dir)5192 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5193 struct addrinfo *alist, int proto, int dir)
5194 {
5195 struct block *b0, *b1, *tmp;
5196 struct addrinfo *ai;
5197 struct sockaddr_in *sin;
5198
5199 if (dir != 0)
5200 bpf_error(cstate, "direction applied to 'gateway'");
5201
5202 switch (proto) {
5203 case Q_DEFAULT:
5204 case Q_IP:
5205 case Q_ARP:
5206 case Q_RARP:
5207 switch (cstate->linktype) {
5208 case DLT_EN10MB:
5209 case DLT_NETANALYZER:
5210 case DLT_NETANALYZER_TRANSPARENT:
5211 b1 = gen_prevlinkhdr_check(cstate);
5212 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5213 if (b1 != NULL)
5214 gen_and(b1, b0);
5215 break;
5216 case DLT_FDDI:
5217 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5218 break;
5219 case DLT_IEEE802:
5220 b0 = gen_thostop(cstate, eaddr, Q_OR);
5221 break;
5222 case DLT_IEEE802_11:
5223 case DLT_PRISM_HEADER:
5224 case DLT_IEEE802_11_RADIO_AVS:
5225 case DLT_IEEE802_11_RADIO:
5226 case DLT_PPI:
5227 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5228 break;
5229 case DLT_SUNATM:
5230 /*
5231 * This is LLC-multiplexed traffic; if it were
5232 * LANE, cstate->linktype would have been set to
5233 * DLT_EN10MB.
5234 */
5235 bpf_error(cstate,
5236 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5237 break;
5238 case DLT_IP_OVER_FC:
5239 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5240 break;
5241 default:
5242 bpf_error(cstate,
5243 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5244 }
5245 b1 = NULL;
5246 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5247 /*
5248 * Does it have an address?
5249 */
5250 if (ai->ai_addr != NULL) {
5251 /*
5252 * Yes. Is it an IPv4 address?
5253 */
5254 if (ai->ai_addr->sa_family == AF_INET) {
5255 /*
5256 * Generate an entry for it.
5257 */
5258 sin = (struct sockaddr_in *)ai->ai_addr;
5259 tmp = gen_host(cstate,
5260 ntohl(sin->sin_addr.s_addr),
5261 0xffffffff, proto, Q_OR, Q_HOST);
5262 /*
5263 * Is it the *first* IPv4 address?
5264 */
5265 if (b1 == NULL) {
5266 /*
5267 * Yes, so start with it.
5268 */
5269 b1 = tmp;
5270 } else {
5271 /*
5272 * No, so OR it into the
5273 * existing set of
5274 * addresses.
5275 */
5276 gen_or(b1, tmp);
5277 b1 = tmp;
5278 }
5279 }
5280 }
5281 }
5282 if (b1 == NULL) {
5283 /*
5284 * No IPv4 addresses found.
5285 */
5286 return (NULL);
5287 }
5288 gen_not(b1);
5289 gen_and(b0, b1);
5290 return b1;
5291 }
5292 bpf_error(cstate, "illegal modifier of 'gateway'");
5293 /*NOTREACHED*/
5294 }
5295 #endif
5296
5297 static struct block *
gen_proto_abbrev_internal(compiler_state_t * cstate,int proto)5298 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5299 {
5300 struct block *b0;
5301 struct block *b1;
5302
5303 switch (proto) {
5304
5305 case Q_SCTP:
5306 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT);
5307 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
5308 gen_or(b0, b1);
5309 break;
5310
5311 case Q_TCP:
5312 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT);
5313 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
5314 gen_or(b0, b1);
5315 break;
5316
5317 case Q_UDP:
5318 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT);
5319 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
5320 gen_or(b0, b1);
5321 break;
5322
5323 case Q_ICMP:
5324 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5325 break;
5326
5327 #ifndef IPPROTO_IGMP
5328 #define IPPROTO_IGMP 2
5329 #endif
5330
5331 case Q_IGMP:
5332 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5333 break;
5334
5335 #ifndef IPPROTO_IGRP
5336 #define IPPROTO_IGRP 9
5337 #endif
5338 case Q_IGRP:
5339 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5340 break;
5341
5342 #ifndef IPPROTO_PIM
5343 #define IPPROTO_PIM 103
5344 #endif
5345
5346 case Q_PIM:
5347 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT);
5348 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5349 gen_or(b0, b1);
5350 break;
5351
5352 #ifndef IPPROTO_VRRP
5353 #define IPPROTO_VRRP 112
5354 #endif
5355
5356 case Q_VRRP:
5357 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5358 break;
5359
5360 #ifndef IPPROTO_CARP
5361 #define IPPROTO_CARP 112
5362 #endif
5363
5364 case Q_CARP:
5365 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5366 break;
5367
5368 case Q_IP:
5369 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5370 break;
5371
5372 case Q_ARP:
5373 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5374 break;
5375
5376 case Q_RARP:
5377 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5378 break;
5379
5380 case Q_LINK:
5381 bpf_error(cstate, "link layer applied in wrong context");
5382
5383 case Q_ATALK:
5384 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5385 break;
5386
5387 case Q_AARP:
5388 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5389 break;
5390
5391 case Q_DECNET:
5392 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5393 break;
5394
5395 case Q_SCA:
5396 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5397 break;
5398
5399 case Q_LAT:
5400 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5401 break;
5402
5403 case Q_MOPDL:
5404 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5405 break;
5406
5407 case Q_MOPRC:
5408 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5409 break;
5410
5411 case Q_IPV6:
5412 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5413 break;
5414
5415 #ifndef IPPROTO_ICMPV6
5416 #define IPPROTO_ICMPV6 58
5417 #endif
5418 case Q_ICMPV6:
5419 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5420 break;
5421
5422 #ifndef IPPROTO_AH
5423 #define IPPROTO_AH 51
5424 #endif
5425 case Q_AH:
5426 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT);
5427 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5428 gen_or(b0, b1);
5429 break;
5430
5431 #ifndef IPPROTO_ESP
5432 #define IPPROTO_ESP 50
5433 #endif
5434 case Q_ESP:
5435 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT);
5436 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5437 gen_or(b0, b1);
5438 break;
5439
5440 case Q_ISO:
5441 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5442 break;
5443
5444 case Q_ESIS:
5445 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5446 break;
5447
5448 case Q_ISIS:
5449 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5450 break;
5451
5452 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5453 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5454 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5455 gen_or(b0, b1);
5456 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5457 gen_or(b0, b1);
5458 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5459 gen_or(b0, b1);
5460 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5461 gen_or(b0, b1);
5462 break;
5463
5464 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5465 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5466 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5467 gen_or(b0, b1);
5468 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5469 gen_or(b0, b1);
5470 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5471 gen_or(b0, b1);
5472 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5473 gen_or(b0, b1);
5474 break;
5475
5476 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5477 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5478 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5479 gen_or(b0, b1);
5480 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5481 gen_or(b0, b1);
5482 break;
5483
5484 case Q_ISIS_LSP:
5485 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5486 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5487 gen_or(b0, b1);
5488 break;
5489
5490 case Q_ISIS_SNP:
5491 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5492 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5493 gen_or(b0, b1);
5494 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5495 gen_or(b0, b1);
5496 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5497 gen_or(b0, b1);
5498 break;
5499
5500 case Q_ISIS_CSNP:
5501 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5502 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5503 gen_or(b0, b1);
5504 break;
5505
5506 case Q_ISIS_PSNP:
5507 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5508 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5509 gen_or(b0, b1);
5510 break;
5511
5512 case Q_CLNP:
5513 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5514 break;
5515
5516 case Q_STP:
5517 b1 = gen_linktype(cstate, LLCSAP_8021D);
5518 break;
5519
5520 case Q_IPX:
5521 b1 = gen_linktype(cstate, LLCSAP_IPX);
5522 break;
5523
5524 case Q_NETBEUI:
5525 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5526 break;
5527
5528 case Q_RADIO:
5529 bpf_error(cstate, "'radio' is not a valid protocol type");
5530
5531 default:
5532 abort();
5533 }
5534 return b1;
5535 }
5536
5537 struct block *
gen_proto_abbrev(compiler_state_t * cstate,int proto)5538 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5539 {
5540 /*
5541 * Catch errors reported by us and routines below us, and return NULL
5542 * on an error.
5543 */
5544 if (setjmp(cstate->top_ctx))
5545 return (NULL);
5546
5547 return gen_proto_abbrev_internal(cstate, proto);
5548 }
5549
5550 static struct block *
gen_ipfrag(compiler_state_t * cstate)5551 gen_ipfrag(compiler_state_t *cstate)
5552 {
5553 struct slist *s;
5554 struct block *b;
5555
5556 /* not IPv4 frag other than the first frag */
5557 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5558 b = new_block(cstate, JMP(BPF_JSET));
5559 b->s.k = 0x1fff;
5560 b->stmts = s;
5561 gen_not(b);
5562
5563 return b;
5564 }
5565
5566 /*
5567 * Generate a comparison to a port value in the transport-layer header
5568 * at the specified offset from the beginning of that header.
5569 *
5570 * XXX - this handles a variable-length prefix preceding the link-layer
5571 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5572 * variable-length link-layer headers (such as Token Ring or 802.11
5573 * headers).
5574 */
5575 static struct block *
gen_portatom(compiler_state_t * cstate,int off,bpf_u_int32 v)5576 gen_portatom(compiler_state_t *cstate, int off, bpf_u_int32 v)
5577 {
5578 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5579 }
5580
5581 static struct block *
gen_portatom6(compiler_state_t * cstate,int off,bpf_u_int32 v)5582 gen_portatom6(compiler_state_t *cstate, int off, bpf_u_int32 v)
5583 {
5584 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5585 }
5586
5587 static struct block *
gen_portop(compiler_state_t * cstate,u_int port,u_int proto,int dir)5588 gen_portop(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5589 {
5590 struct block *b0, *b1, *tmp;
5591
5592 /* ip proto 'proto' and not a fragment other than the first fragment */
5593 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5594 b0 = gen_ipfrag(cstate);
5595 gen_and(tmp, b0);
5596
5597 switch (dir) {
5598 case Q_SRC:
5599 b1 = gen_portatom(cstate, 0, port);
5600 break;
5601
5602 case Q_DST:
5603 b1 = gen_portatom(cstate, 2, port);
5604 break;
5605
5606 case Q_AND:
5607 tmp = gen_portatom(cstate, 0, port);
5608 b1 = gen_portatom(cstate, 2, port);
5609 gen_and(tmp, b1);
5610 break;
5611
5612 case Q_DEFAULT:
5613 case Q_OR:
5614 tmp = gen_portatom(cstate, 0, port);
5615 b1 = gen_portatom(cstate, 2, port);
5616 gen_or(tmp, b1);
5617 break;
5618
5619 case Q_ADDR1:
5620 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports");
5621 /*NOTREACHED*/
5622
5623 case Q_ADDR2:
5624 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports");
5625 /*NOTREACHED*/
5626
5627 case Q_ADDR3:
5628 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports");
5629 /*NOTREACHED*/
5630
5631 case Q_ADDR4:
5632 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports");
5633 /*NOTREACHED*/
5634
5635 case Q_RA:
5636 bpf_error(cstate, "'ra' is not a valid qualifier for ports");
5637 /*NOTREACHED*/
5638
5639 case Q_TA:
5640 bpf_error(cstate, "'ta' is not a valid qualifier for ports");
5641 /*NOTREACHED*/
5642
5643 default:
5644 abort();
5645 /*NOTREACHED*/
5646 }
5647 gen_and(b0, b1);
5648
5649 return b1;
5650 }
5651
5652 static struct block *
gen_port(compiler_state_t * cstate,u_int port,int ip_proto,int dir)5653 gen_port(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5654 {
5655 struct block *b0, *b1, *tmp;
5656
5657 /*
5658 * ether proto ip
5659 *
5660 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5661 * not LLC encapsulation with LLCSAP_IP.
5662 *
5663 * For IEEE 802 networks - which includes 802.5 token ring
5664 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5665 * says that SNAP encapsulation is used, not LLC encapsulation
5666 * with LLCSAP_IP.
5667 *
5668 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5669 * RFC 2225 say that SNAP encapsulation is used, not LLC
5670 * encapsulation with LLCSAP_IP.
5671 *
5672 * So we always check for ETHERTYPE_IP.
5673 */
5674 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5675
5676 switch (ip_proto) {
5677 case IPPROTO_UDP:
5678 case IPPROTO_TCP:
5679 case IPPROTO_SCTP:
5680 b1 = gen_portop(cstate, port, (u_int)ip_proto, dir);
5681 break;
5682
5683 case PROTO_UNDEF:
5684 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5685 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5686 gen_or(tmp, b1);
5687 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5688 gen_or(tmp, b1);
5689 break;
5690
5691 default:
5692 abort();
5693 }
5694 gen_and(b0, b1);
5695 return b1;
5696 }
5697
5698 struct block *
gen_portop6(compiler_state_t * cstate,u_int port,u_int proto,int dir)5699 gen_portop6(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5700 {
5701 struct block *b0, *b1, *tmp;
5702
5703 /* ip6 proto 'proto' */
5704 /* XXX - catch the first fragment of a fragmented packet? */
5705 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5706
5707 switch (dir) {
5708 case Q_SRC:
5709 b1 = gen_portatom6(cstate, 0, port);
5710 break;
5711
5712 case Q_DST:
5713 b1 = gen_portatom6(cstate, 2, port);
5714 break;
5715
5716 case Q_AND:
5717 tmp = gen_portatom6(cstate, 0, port);
5718 b1 = gen_portatom6(cstate, 2, port);
5719 gen_and(tmp, b1);
5720 break;
5721
5722 case Q_DEFAULT:
5723 case Q_OR:
5724 tmp = gen_portatom6(cstate, 0, port);
5725 b1 = gen_portatom6(cstate, 2, port);
5726 gen_or(tmp, b1);
5727 break;
5728
5729 default:
5730 abort();
5731 }
5732 gen_and(b0, b1);
5733
5734 return b1;
5735 }
5736
5737 static struct block *
gen_port6(compiler_state_t * cstate,u_int port,int ip_proto,int dir)5738 gen_port6(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5739 {
5740 struct block *b0, *b1, *tmp;
5741
5742 /* link proto ip6 */
5743 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5744
5745 switch (ip_proto) {
5746 case IPPROTO_UDP:
5747 case IPPROTO_TCP:
5748 case IPPROTO_SCTP:
5749 b1 = gen_portop6(cstate, port, (u_int)ip_proto, dir);
5750 break;
5751
5752 case PROTO_UNDEF:
5753 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5754 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5755 gen_or(tmp, b1);
5756 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5757 gen_or(tmp, b1);
5758 break;
5759
5760 default:
5761 abort();
5762 }
5763 gen_and(b0, b1);
5764 return b1;
5765 }
5766
5767 /* gen_portrange code */
5768 static struct block *
gen_portrangeatom(compiler_state_t * cstate,u_int off,bpf_u_int32 v1,bpf_u_int32 v2)5769 gen_portrangeatom(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5770 bpf_u_int32 v2)
5771 {
5772 struct block *b1, *b2;
5773
5774 if (v1 > v2) {
5775 /*
5776 * Reverse the order of the ports, so v1 is the lower one.
5777 */
5778 bpf_u_int32 vtemp;
5779
5780 vtemp = v1;
5781 v1 = v2;
5782 v2 = vtemp;
5783 }
5784
5785 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5786 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5787
5788 gen_and(b1, b2);
5789
5790 return b2;
5791 }
5792
5793 static struct block *
gen_portrangeop(compiler_state_t * cstate,u_int port1,u_int port2,bpf_u_int32 proto,int dir)5794 gen_portrangeop(compiler_state_t *cstate, u_int port1, u_int port2,
5795 bpf_u_int32 proto, int dir)
5796 {
5797 struct block *b0, *b1, *tmp;
5798
5799 /* ip proto 'proto' and not a fragment other than the first fragment */
5800 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5801 b0 = gen_ipfrag(cstate);
5802 gen_and(tmp, b0);
5803
5804 switch (dir) {
5805 case Q_SRC:
5806 b1 = gen_portrangeatom(cstate, 0, port1, port2);
5807 break;
5808
5809 case Q_DST:
5810 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5811 break;
5812
5813 case Q_AND:
5814 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5815 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5816 gen_and(tmp, b1);
5817 break;
5818
5819 case Q_DEFAULT:
5820 case Q_OR:
5821 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5822 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5823 gen_or(tmp, b1);
5824 break;
5825
5826 case Q_ADDR1:
5827 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges");
5828 /*NOTREACHED*/
5829
5830 case Q_ADDR2:
5831 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges");
5832 /*NOTREACHED*/
5833
5834 case Q_ADDR3:
5835 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges");
5836 /*NOTREACHED*/
5837
5838 case Q_ADDR4:
5839 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges");
5840 /*NOTREACHED*/
5841
5842 case Q_RA:
5843 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges");
5844 /*NOTREACHED*/
5845
5846 case Q_TA:
5847 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges");
5848 /*NOTREACHED*/
5849
5850 default:
5851 abort();
5852 /*NOTREACHED*/
5853 }
5854 gen_and(b0, b1);
5855
5856 return b1;
5857 }
5858
5859 static struct block *
gen_portrange(compiler_state_t * cstate,u_int port1,u_int port2,int ip_proto,int dir)5860 gen_portrange(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
5861 int dir)
5862 {
5863 struct block *b0, *b1, *tmp;
5864
5865 /* link proto ip */
5866 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5867
5868 switch (ip_proto) {
5869 case IPPROTO_UDP:
5870 case IPPROTO_TCP:
5871 case IPPROTO_SCTP:
5872 b1 = gen_portrangeop(cstate, port1, port2, (bpf_u_int32)ip_proto,
5873 dir);
5874 break;
5875
5876 case PROTO_UNDEF:
5877 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
5878 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
5879 gen_or(tmp, b1);
5880 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
5881 gen_or(tmp, b1);
5882 break;
5883
5884 default:
5885 abort();
5886 }
5887 gen_and(b0, b1);
5888 return b1;
5889 }
5890
5891 static struct block *
gen_portrangeatom6(compiler_state_t * cstate,u_int off,bpf_u_int32 v1,bpf_u_int32 v2)5892 gen_portrangeatom6(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5893 bpf_u_int32 v2)
5894 {
5895 struct block *b1, *b2;
5896
5897 if (v1 > v2) {
5898 /*
5899 * Reverse the order of the ports, so v1 is the lower one.
5900 */
5901 bpf_u_int32 vtemp;
5902
5903 vtemp = v1;
5904 v1 = v2;
5905 v2 = vtemp;
5906 }
5907
5908 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
5909 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
5910
5911 gen_and(b1, b2);
5912
5913 return b2;
5914 }
5915
5916 static struct block *
gen_portrangeop6(compiler_state_t * cstate,u_int port1,u_int port2,bpf_u_int32 proto,int dir)5917 gen_portrangeop6(compiler_state_t *cstate, u_int port1, u_int port2,
5918 bpf_u_int32 proto, int dir)
5919 {
5920 struct block *b0, *b1, *tmp;
5921
5922 /* ip6 proto 'proto' */
5923 /* XXX - catch the first fragment of a fragmented packet? */
5924 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5925
5926 switch (dir) {
5927 case Q_SRC:
5928 b1 = gen_portrangeatom6(cstate, 0, port1, port2);
5929 break;
5930
5931 case Q_DST:
5932 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5933 break;
5934
5935 case Q_AND:
5936 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
5937 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5938 gen_and(tmp, b1);
5939 break;
5940
5941 case Q_DEFAULT:
5942 case Q_OR:
5943 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
5944 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5945 gen_or(tmp, b1);
5946 break;
5947
5948 default:
5949 abort();
5950 }
5951 gen_and(b0, b1);
5952
5953 return b1;
5954 }
5955
5956 static struct block *
gen_portrange6(compiler_state_t * cstate,u_int port1,u_int port2,int ip_proto,int dir)5957 gen_portrange6(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
5958 int dir)
5959 {
5960 struct block *b0, *b1, *tmp;
5961
5962 /* link proto ip6 */
5963 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5964
5965 switch (ip_proto) {
5966 case IPPROTO_UDP:
5967 case IPPROTO_TCP:
5968 case IPPROTO_SCTP:
5969 b1 = gen_portrangeop6(cstate, port1, port2, (bpf_u_int32)ip_proto,
5970 dir);
5971 break;
5972
5973 case PROTO_UNDEF:
5974 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
5975 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
5976 gen_or(tmp, b1);
5977 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
5978 gen_or(tmp, b1);
5979 break;
5980
5981 default:
5982 abort();
5983 }
5984 gen_and(b0, b1);
5985 return b1;
5986 }
5987
5988 static int
lookup_proto(compiler_state_t * cstate,const char * name,int proto)5989 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
5990 {
5991 register int v;
5992
5993 switch (proto) {
5994
5995 case Q_DEFAULT:
5996 case Q_IP:
5997 case Q_IPV6:
5998 v = pcap_nametoproto(name);
5999 if (v == PROTO_UNDEF)
6000 bpf_error(cstate, "unknown ip proto '%s'", name);
6001 break;
6002
6003 case Q_LINK:
6004 /* XXX should look up h/w protocol type based on cstate->linktype */
6005 v = pcap_nametoeproto(name);
6006 if (v == PROTO_UNDEF) {
6007 v = pcap_nametollc(name);
6008 if (v == PROTO_UNDEF)
6009 bpf_error(cstate, "unknown ether proto '%s'", name);
6010 }
6011 break;
6012
6013 case Q_ISO:
6014 if (strcmp(name, "esis") == 0)
6015 v = ISO9542_ESIS;
6016 else if (strcmp(name, "isis") == 0)
6017 v = ISO10589_ISIS;
6018 else if (strcmp(name, "clnp") == 0)
6019 v = ISO8473_CLNP;
6020 else
6021 bpf_error(cstate, "unknown osi proto '%s'", name);
6022 break;
6023
6024 default:
6025 v = PROTO_UNDEF;
6026 break;
6027 }
6028 return v;
6029 }
6030
6031 #if 0
6032 struct stmt *
6033 gen_joinsp(struct stmt **s, int n)
6034 {
6035 return NULL;
6036 }
6037 #endif
6038
6039 static struct block *
gen_protochain(compiler_state_t * cstate,bpf_u_int32 v,int proto)6040 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6041 {
6042 #ifdef NO_PROTOCHAIN
6043 return gen_proto(cstate, v, proto);
6044 #else
6045 struct block *b0, *b;
6046 struct slist *s[100];
6047 int fix2, fix3, fix4, fix5;
6048 int ahcheck, again, end;
6049 int i, max;
6050 int reg2 = alloc_reg(cstate);
6051
6052 memset(s, 0, sizeof(s));
6053 fix3 = fix4 = fix5 = 0;
6054
6055 switch (proto) {
6056 case Q_IP:
6057 case Q_IPV6:
6058 break;
6059 case Q_DEFAULT:
6060 b0 = gen_protochain(cstate, v, Q_IP);
6061 b = gen_protochain(cstate, v, Q_IPV6);
6062 gen_or(b0, b);
6063 return b;
6064 default:
6065 bpf_error(cstate, "bad protocol applied for 'protochain'");
6066 /*NOTREACHED*/
6067 }
6068
6069 /*
6070 * We don't handle variable-length prefixes before the link-layer
6071 * header, or variable-length link-layer headers, here yet.
6072 * We might want to add BPF instructions to do the protochain
6073 * work, to simplify that and, on platforms that have a BPF
6074 * interpreter with the new instructions, let the filtering
6075 * be done in the kernel. (We already require a modified BPF
6076 * engine to do the protochain stuff, to support backward
6077 * branches, and backward branch support is unlikely to appear
6078 * in kernel BPF engines.)
6079 */
6080 if (cstate->off_linkpl.is_variable)
6081 bpf_error(cstate, "'protochain' not supported with variable length headers");
6082
6083 cstate->no_optimize = 1; /* this code is not compatible with optimizer yet */
6084
6085 /*
6086 * s[0] is a dummy entry to protect other BPF insn from damage
6087 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
6088 * hard to find interdependency made by jump table fixup.
6089 */
6090 i = 0;
6091 s[i] = new_stmt(cstate, 0); /*dummy*/
6092 i++;
6093
6094 switch (proto) {
6095 case Q_IP:
6096 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6097
6098 /* A = ip->ip_p */
6099 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6100 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6101 i++;
6102 /* X = ip->ip_hl << 2 */
6103 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6104 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6105 i++;
6106 break;
6107
6108 case Q_IPV6:
6109 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6110
6111 /* A = ip6->ip_nxt */
6112 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6113 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6114 i++;
6115 /* X = sizeof(struct ip6_hdr) */
6116 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6117 s[i]->s.k = 40;
6118 i++;
6119 break;
6120
6121 default:
6122 bpf_error(cstate, "unsupported proto to gen_protochain");
6123 /*NOTREACHED*/
6124 }
6125
6126 /* again: if (A == v) goto end; else fall through; */
6127 again = i;
6128 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6129 s[i]->s.k = v;
6130 s[i]->s.jt = NULL; /*later*/
6131 s[i]->s.jf = NULL; /*update in next stmt*/
6132 fix5 = i;
6133 i++;
6134
6135 #ifndef IPPROTO_NONE
6136 #define IPPROTO_NONE 59
6137 #endif
6138 /* if (A == IPPROTO_NONE) goto end */
6139 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6140 s[i]->s.jt = NULL; /*later*/
6141 s[i]->s.jf = NULL; /*update in next stmt*/
6142 s[i]->s.k = IPPROTO_NONE;
6143 s[fix5]->s.jf = s[i];
6144 fix2 = i;
6145 i++;
6146
6147 if (proto == Q_IPV6) {
6148 int v6start, v6end, v6advance, j;
6149
6150 v6start = i;
6151 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
6152 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6153 s[i]->s.jt = NULL; /*later*/
6154 s[i]->s.jf = NULL; /*update in next stmt*/
6155 s[i]->s.k = IPPROTO_HOPOPTS;
6156 s[fix2]->s.jf = s[i];
6157 i++;
6158 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
6159 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6160 s[i]->s.jt = NULL; /*later*/
6161 s[i]->s.jf = NULL; /*update in next stmt*/
6162 s[i]->s.k = IPPROTO_DSTOPTS;
6163 i++;
6164 /* if (A == IPPROTO_ROUTING) goto v6advance */
6165 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6166 s[i]->s.jt = NULL; /*later*/
6167 s[i]->s.jf = NULL; /*update in next stmt*/
6168 s[i]->s.k = IPPROTO_ROUTING;
6169 i++;
6170 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6171 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6172 s[i]->s.jt = NULL; /*later*/
6173 s[i]->s.jf = NULL; /*later*/
6174 s[i]->s.k = IPPROTO_FRAGMENT;
6175 fix3 = i;
6176 v6end = i;
6177 i++;
6178
6179 /* v6advance: */
6180 v6advance = i;
6181
6182 /*
6183 * in short,
6184 * A = P[X + packet head];
6185 * X = X + (P[X + packet head + 1] + 1) * 8;
6186 */
6187 /* A = P[X + packet head] */
6188 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6189 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6190 i++;
6191 /* MEM[reg2] = A */
6192 s[i] = new_stmt(cstate, BPF_ST);
6193 s[i]->s.k = reg2;
6194 i++;
6195 /* A = P[X + packet head + 1]; */
6196 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6197 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6198 i++;
6199 /* A += 1 */
6200 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6201 s[i]->s.k = 1;
6202 i++;
6203 /* A *= 8 */
6204 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6205 s[i]->s.k = 8;
6206 i++;
6207 /* A += X */
6208 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6209 s[i]->s.k = 0;
6210 i++;
6211 /* X = A; */
6212 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6213 i++;
6214 /* A = MEM[reg2] */
6215 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6216 s[i]->s.k = reg2;
6217 i++;
6218
6219 /* goto again; (must use BPF_JA for backward jump) */
6220 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6221 s[i]->s.k = again - i - 1;
6222 s[i - 1]->s.jf = s[i];
6223 i++;
6224
6225 /* fixup */
6226 for (j = v6start; j <= v6end; j++)
6227 s[j]->s.jt = s[v6advance];
6228 } else {
6229 /* nop */
6230 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6231 s[i]->s.k = 0;
6232 s[fix2]->s.jf = s[i];
6233 i++;
6234 }
6235
6236 /* ahcheck: */
6237 ahcheck = i;
6238 /* if (A == IPPROTO_AH) then fall through; else goto end; */
6239 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6240 s[i]->s.jt = NULL; /*later*/
6241 s[i]->s.jf = NULL; /*later*/
6242 s[i]->s.k = IPPROTO_AH;
6243 if (fix3)
6244 s[fix3]->s.jf = s[ahcheck];
6245 fix4 = i;
6246 i++;
6247
6248 /*
6249 * in short,
6250 * A = P[X];
6251 * X = X + (P[X + 1] + 2) * 4;
6252 */
6253 /* A = X */
6254 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6255 i++;
6256 /* A = P[X + packet head]; */
6257 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6258 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6259 i++;
6260 /* MEM[reg2] = A */
6261 s[i] = new_stmt(cstate, BPF_ST);
6262 s[i]->s.k = reg2;
6263 i++;
6264 /* A = X */
6265 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6266 i++;
6267 /* A += 1 */
6268 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6269 s[i]->s.k = 1;
6270 i++;
6271 /* X = A */
6272 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6273 i++;
6274 /* A = P[X + packet head] */
6275 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6276 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6277 i++;
6278 /* A += 2 */
6279 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6280 s[i]->s.k = 2;
6281 i++;
6282 /* A *= 4 */
6283 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6284 s[i]->s.k = 4;
6285 i++;
6286 /* X = A; */
6287 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6288 i++;
6289 /* A = MEM[reg2] */
6290 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6291 s[i]->s.k = reg2;
6292 i++;
6293
6294 /* goto again; (must use BPF_JA for backward jump) */
6295 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6296 s[i]->s.k = again - i - 1;
6297 i++;
6298
6299 /* end: nop */
6300 end = i;
6301 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6302 s[i]->s.k = 0;
6303 s[fix2]->s.jt = s[end];
6304 s[fix4]->s.jf = s[end];
6305 s[fix5]->s.jt = s[end];
6306 i++;
6307
6308 /*
6309 * make slist chain
6310 */
6311 max = i;
6312 for (i = 0; i < max - 1; i++)
6313 s[i]->next = s[i + 1];
6314 s[max - 1]->next = NULL;
6315
6316 /*
6317 * emit final check
6318 */
6319 b = new_block(cstate, JMP(BPF_JEQ));
6320 b->stmts = s[1]; /*remember, s[0] is dummy*/
6321 b->s.k = v;
6322
6323 free_reg(cstate, reg2);
6324
6325 gen_and(b0, b);
6326 return b;
6327 #endif
6328 }
6329
6330 static struct block *
gen_check_802_11_data_frame(compiler_state_t * cstate)6331 gen_check_802_11_data_frame(compiler_state_t *cstate)
6332 {
6333 struct slist *s;
6334 struct block *b0, *b1;
6335
6336 /*
6337 * A data frame has the 0x08 bit (b3) in the frame control field set
6338 * and the 0x04 bit (b2) clear.
6339 */
6340 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6341 b0 = new_block(cstate, JMP(BPF_JSET));
6342 b0->s.k = 0x08;
6343 b0->stmts = s;
6344
6345 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6346 b1 = new_block(cstate, JMP(BPF_JSET));
6347 b1->s.k = 0x04;
6348 b1->stmts = s;
6349 gen_not(b1);
6350
6351 gen_and(b1, b0);
6352
6353 return b0;
6354 }
6355
6356 /*
6357 * Generate code that checks whether the packet is a packet for protocol
6358 * <proto> and whether the type field in that protocol's header has
6359 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6360 * IP packet and checks the protocol number in the IP header against <v>.
6361 *
6362 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6363 * against Q_IP and Q_IPV6.
6364 */
6365 static struct block *
gen_proto(compiler_state_t * cstate,bpf_u_int32 v,int proto,int dir)6366 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto, int dir)
6367 {
6368 struct block *b0, *b1;
6369 #ifndef CHASE_CHAIN
6370 struct block *b2;
6371 #endif
6372
6373 if (dir != Q_DEFAULT)
6374 bpf_error(cstate, "direction applied to 'proto'");
6375
6376 switch (proto) {
6377 case Q_DEFAULT:
6378 b0 = gen_proto(cstate, v, Q_IP, dir);
6379 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6380 gen_or(b0, b1);
6381 return b1;
6382
6383 case Q_LINK:
6384 return gen_linktype(cstate, v);
6385
6386 case Q_IP:
6387 /*
6388 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6389 * not LLC encapsulation with LLCSAP_IP.
6390 *
6391 * For IEEE 802 networks - which includes 802.5 token ring
6392 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6393 * says that SNAP encapsulation is used, not LLC encapsulation
6394 * with LLCSAP_IP.
6395 *
6396 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6397 * RFC 2225 say that SNAP encapsulation is used, not LLC
6398 * encapsulation with LLCSAP_IP.
6399 *
6400 * So we always check for ETHERTYPE_IP.
6401 */
6402 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6403 #ifndef CHASE_CHAIN
6404 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, v);
6405 #else
6406 b1 = gen_protochain(cstate, v, Q_IP);
6407 #endif
6408 gen_and(b0, b1);
6409 return b1;
6410
6411 case Q_ARP:
6412 bpf_error(cstate, "arp does not encapsulate another protocol");
6413 /*NOTREACHED*/
6414
6415 case Q_RARP:
6416 bpf_error(cstate, "rarp does not encapsulate another protocol");
6417 /*NOTREACHED*/
6418
6419 case Q_SCTP:
6420 bpf_error(cstate, "'sctp proto' is bogus");
6421 /*NOTREACHED*/
6422
6423 case Q_TCP:
6424 bpf_error(cstate, "'tcp proto' is bogus");
6425 /*NOTREACHED*/
6426
6427 case Q_UDP:
6428 bpf_error(cstate, "'udp proto' is bogus");
6429 /*NOTREACHED*/
6430
6431 case Q_ICMP:
6432 bpf_error(cstate, "'icmp proto' is bogus");
6433 /*NOTREACHED*/
6434
6435 case Q_IGMP:
6436 bpf_error(cstate, "'igmp proto' is bogus");
6437 /*NOTREACHED*/
6438
6439 case Q_IGRP:
6440 bpf_error(cstate, "'igrp proto' is bogus");
6441 /*NOTREACHED*/
6442
6443 case Q_ATALK:
6444 bpf_error(cstate, "AppleTalk encapsulation is not specifiable");
6445 /*NOTREACHED*/
6446
6447 case Q_DECNET:
6448 bpf_error(cstate, "DECNET encapsulation is not specifiable");
6449 /*NOTREACHED*/
6450
6451 case Q_LAT:
6452 bpf_error(cstate, "LAT does not encapsulate another protocol");
6453 /*NOTREACHED*/
6454
6455 case Q_SCA:
6456 bpf_error(cstate, "SCA does not encapsulate another protocol");
6457 /*NOTREACHED*/
6458
6459 case Q_MOPRC:
6460 bpf_error(cstate, "MOPRC does not encapsulate another protocol");
6461 /*NOTREACHED*/
6462
6463 case Q_MOPDL:
6464 bpf_error(cstate, "MOPDL does not encapsulate another protocol");
6465 /*NOTREACHED*/
6466
6467 case Q_IPV6:
6468 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6469 #ifndef CHASE_CHAIN
6470 /*
6471 * Also check for a fragment header before the final
6472 * header.
6473 */
6474 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6475 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v);
6476 gen_and(b2, b1);
6477 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, v);
6478 gen_or(b2, b1);
6479 #else
6480 b1 = gen_protochain(cstate, v, Q_IPV6);
6481 #endif
6482 gen_and(b0, b1);
6483 return b1;
6484
6485 case Q_ICMPV6:
6486 bpf_error(cstate, "'icmp6 proto' is bogus");
6487 /*NOTREACHED*/
6488
6489 case Q_AH:
6490 bpf_error(cstate, "'ah proto' is bogus");
6491 /*NOTREACHED*/
6492
6493 case Q_ESP:
6494 bpf_error(cstate, "'esp proto' is bogus");
6495 /*NOTREACHED*/
6496
6497 case Q_PIM:
6498 bpf_error(cstate, "'pim proto' is bogus");
6499 /*NOTREACHED*/
6500
6501 case Q_VRRP:
6502 bpf_error(cstate, "'vrrp proto' is bogus");
6503 /*NOTREACHED*/
6504
6505 case Q_AARP:
6506 bpf_error(cstate, "'aarp proto' is bogus");
6507 /*NOTREACHED*/
6508
6509 case Q_ISO:
6510 switch (cstate->linktype) {
6511
6512 case DLT_FRELAY:
6513 /*
6514 * Frame Relay packets typically have an OSI
6515 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6516 * generates code to check for all the OSI
6517 * NLPIDs, so calling it and then adding a check
6518 * for the particular NLPID for which we're
6519 * looking is bogus, as we can just check for
6520 * the NLPID.
6521 *
6522 * What we check for is the NLPID and a frame
6523 * control field value of UI, i.e. 0x03 followed
6524 * by the NLPID.
6525 *
6526 * XXX - assumes a 2-byte Frame Relay header with
6527 * DLCI and flags. What if the address is longer?
6528 *
6529 * XXX - what about SNAP-encapsulated frames?
6530 */
6531 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6532 /*NOTREACHED*/
6533
6534 case DLT_C_HDLC:
6535 /*
6536 * Cisco uses an Ethertype lookalike - for OSI,
6537 * it's 0xfefe.
6538 */
6539 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6540 /* OSI in C-HDLC is stuffed with a fudge byte */
6541 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v);
6542 gen_and(b0, b1);
6543 return b1;
6544
6545 default:
6546 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6547 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v);
6548 gen_and(b0, b1);
6549 return b1;
6550 }
6551
6552 case Q_ESIS:
6553 bpf_error(cstate, "'esis proto' is bogus");
6554 /*NOTREACHED*/
6555
6556 case Q_ISIS:
6557 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6558 /*
6559 * 4 is the offset of the PDU type relative to the IS-IS
6560 * header.
6561 */
6562 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, v);
6563 gen_and(b0, b1);
6564 return b1;
6565
6566 case Q_CLNP:
6567 bpf_error(cstate, "'clnp proto' is not supported");
6568 /*NOTREACHED*/
6569
6570 case Q_STP:
6571 bpf_error(cstate, "'stp proto' is bogus");
6572 /*NOTREACHED*/
6573
6574 case Q_IPX:
6575 bpf_error(cstate, "'ipx proto' is bogus");
6576 /*NOTREACHED*/
6577
6578 case Q_NETBEUI:
6579 bpf_error(cstate, "'netbeui proto' is bogus");
6580 /*NOTREACHED*/
6581
6582 case Q_ISIS_L1:
6583 bpf_error(cstate, "'l1 proto' is bogus");
6584 /*NOTREACHED*/
6585
6586 case Q_ISIS_L2:
6587 bpf_error(cstate, "'l2 proto' is bogus");
6588 /*NOTREACHED*/
6589
6590 case Q_ISIS_IIH:
6591 bpf_error(cstate, "'iih proto' is bogus");
6592 /*NOTREACHED*/
6593
6594 case Q_ISIS_SNP:
6595 bpf_error(cstate, "'snp proto' is bogus");
6596 /*NOTREACHED*/
6597
6598 case Q_ISIS_CSNP:
6599 bpf_error(cstate, "'csnp proto' is bogus");
6600 /*NOTREACHED*/
6601
6602 case Q_ISIS_PSNP:
6603 bpf_error(cstate, "'psnp proto' is bogus");
6604 /*NOTREACHED*/
6605
6606 case Q_ISIS_LSP:
6607 bpf_error(cstate, "'lsp proto' is bogus");
6608 /*NOTREACHED*/
6609
6610 case Q_RADIO:
6611 bpf_error(cstate, "'radio proto' is bogus");
6612 /*NOTREACHED*/
6613
6614 case Q_CARP:
6615 bpf_error(cstate, "'carp proto' is bogus");
6616 /*NOTREACHED*/
6617
6618 default:
6619 abort();
6620 /*NOTREACHED*/
6621 }
6622 /*NOTREACHED*/
6623 }
6624
6625 struct block *
gen_scode(compiler_state_t * cstate,const char * name,struct qual q)6626 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6627 {
6628 int proto = q.proto;
6629 int dir = q.dir;
6630 int tproto;
6631 u_char *eaddr;
6632 bpf_u_int32 mask, addr;
6633 struct addrinfo *res, *res0;
6634 struct sockaddr_in *sin4;
6635 #ifdef INET6
6636 int tproto6;
6637 struct sockaddr_in6 *sin6;
6638 struct in6_addr mask128;
6639 #endif /*INET6*/
6640 struct block *b, *tmp;
6641 int port, real_proto;
6642 int port1, port2;
6643
6644 /*
6645 * Catch errors reported by us and routines below us, and return NULL
6646 * on an error.
6647 */
6648 if (setjmp(cstate->top_ctx))
6649 return (NULL);
6650
6651 switch (q.addr) {
6652
6653 case Q_NET:
6654 addr = pcap_nametonetaddr(name);
6655 if (addr == 0)
6656 bpf_error(cstate, "unknown network '%s'", name);
6657 /* Left justify network addr and calculate its network mask */
6658 mask = 0xffffffff;
6659 while (addr && (addr & 0xff000000) == 0) {
6660 addr <<= 8;
6661 mask <<= 8;
6662 }
6663 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6664
6665 case Q_DEFAULT:
6666 case Q_HOST:
6667 if (proto == Q_LINK) {
6668 switch (cstate->linktype) {
6669
6670 case DLT_EN10MB:
6671 case DLT_NETANALYZER:
6672 case DLT_NETANALYZER_TRANSPARENT:
6673 eaddr = pcap_ether_hostton(name);
6674 if (eaddr == NULL)
6675 bpf_error(cstate,
6676 "unknown ether host '%s'", name);
6677 tmp = gen_prevlinkhdr_check(cstate);
6678 b = gen_ehostop(cstate, eaddr, dir);
6679 if (tmp != NULL)
6680 gen_and(tmp, b);
6681 free(eaddr);
6682 return b;
6683
6684 case DLT_FDDI:
6685 eaddr = pcap_ether_hostton(name);
6686 if (eaddr == NULL)
6687 bpf_error(cstate,
6688 "unknown FDDI host '%s'", name);
6689 b = gen_fhostop(cstate, eaddr, dir);
6690 free(eaddr);
6691 return b;
6692
6693 case DLT_IEEE802:
6694 eaddr = pcap_ether_hostton(name);
6695 if (eaddr == NULL)
6696 bpf_error(cstate,
6697 "unknown token ring host '%s'", name);
6698 b = gen_thostop(cstate, eaddr, dir);
6699 free(eaddr);
6700 return b;
6701
6702 case DLT_IEEE802_11:
6703 case DLT_PRISM_HEADER:
6704 case DLT_IEEE802_11_RADIO_AVS:
6705 case DLT_IEEE802_11_RADIO:
6706 case DLT_PPI:
6707 eaddr = pcap_ether_hostton(name);
6708 if (eaddr == NULL)
6709 bpf_error(cstate,
6710 "unknown 802.11 host '%s'", name);
6711 b = gen_wlanhostop(cstate, eaddr, dir);
6712 free(eaddr);
6713 return b;
6714
6715 case DLT_IP_OVER_FC:
6716 eaddr = pcap_ether_hostton(name);
6717 if (eaddr == NULL)
6718 bpf_error(cstate,
6719 "unknown Fibre Channel host '%s'", name);
6720 b = gen_ipfchostop(cstate, eaddr, dir);
6721 free(eaddr);
6722 return b;
6723 }
6724
6725 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6726 } else if (proto == Q_DECNET) {
6727 unsigned short dn_addr;
6728
6729 if (!__pcap_nametodnaddr(name, &dn_addr)) {
6730 #ifdef DECNETLIB
6731 bpf_error(cstate, "unknown decnet host name '%s'\n", name);
6732 #else
6733 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
6734 name);
6735 #endif
6736 }
6737 /*
6738 * I don't think DECNET hosts can be multihomed, so
6739 * there is no need to build up a list of addresses
6740 */
6741 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
6742 } else {
6743 #ifdef INET6
6744 memset(&mask128, 0xff, sizeof(mask128));
6745 #endif
6746 res0 = res = pcap_nametoaddrinfo(name);
6747 if (res == NULL)
6748 bpf_error(cstate, "unknown host '%s'", name);
6749 cstate->ai = res;
6750 b = tmp = NULL;
6751 tproto = proto;
6752 #ifdef INET6
6753 tproto6 = proto;
6754 #endif
6755 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6756 tproto == Q_DEFAULT) {
6757 tproto = Q_IP;
6758 #ifdef INET6
6759 tproto6 = Q_IPV6;
6760 #endif
6761 }
6762 for (res = res0; res; res = res->ai_next) {
6763 switch (res->ai_family) {
6764 case AF_INET:
6765 #ifdef INET6
6766 if (tproto == Q_IPV6)
6767 continue;
6768 #endif
6769
6770 sin4 = (struct sockaddr_in *)
6771 res->ai_addr;
6772 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6773 0xffffffff, tproto, dir, q.addr);
6774 break;
6775 #ifdef INET6
6776 case AF_INET6:
6777 if (tproto6 == Q_IP)
6778 continue;
6779
6780 sin6 = (struct sockaddr_in6 *)
6781 res->ai_addr;
6782 tmp = gen_host6(cstate, &sin6->sin6_addr,
6783 &mask128, tproto6, dir, q.addr);
6784 break;
6785 #endif
6786 default:
6787 continue;
6788 }
6789 if (b)
6790 gen_or(b, tmp);
6791 b = tmp;
6792 }
6793 cstate->ai = NULL;
6794 freeaddrinfo(res0);
6795 if (b == NULL) {
6796 bpf_error(cstate, "unknown host '%s'%s", name,
6797 (proto == Q_DEFAULT)
6798 ? ""
6799 : " for specified address family");
6800 }
6801 return b;
6802 }
6803
6804 case Q_PORT:
6805 if (proto != Q_DEFAULT &&
6806 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6807 bpf_error(cstate, "illegal qualifier of 'port'");
6808 if (pcap_nametoport(name, &port, &real_proto) == 0)
6809 bpf_error(cstate, "unknown port '%s'", name);
6810 if (proto == Q_UDP) {
6811 if (real_proto == IPPROTO_TCP)
6812 bpf_error(cstate, "port '%s' is tcp", name);
6813 else if (real_proto == IPPROTO_SCTP)
6814 bpf_error(cstate, "port '%s' is sctp", name);
6815 else
6816 /* override PROTO_UNDEF */
6817 real_proto = IPPROTO_UDP;
6818 }
6819 if (proto == Q_TCP) {
6820 if (real_proto == IPPROTO_UDP)
6821 bpf_error(cstate, "port '%s' is udp", name);
6822
6823 else if (real_proto == IPPROTO_SCTP)
6824 bpf_error(cstate, "port '%s' is sctp", name);
6825 else
6826 /* override PROTO_UNDEF */
6827 real_proto = IPPROTO_TCP;
6828 }
6829 if (proto == Q_SCTP) {
6830 if (real_proto == IPPROTO_UDP)
6831 bpf_error(cstate, "port '%s' is udp", name);
6832
6833 else if (real_proto == IPPROTO_TCP)
6834 bpf_error(cstate, "port '%s' is tcp", name);
6835 else
6836 /* override PROTO_UNDEF */
6837 real_proto = IPPROTO_SCTP;
6838 }
6839 if (port < 0)
6840 bpf_error(cstate, "illegal port number %d < 0", port);
6841 if (port > 65535)
6842 bpf_error(cstate, "illegal port number %d > 65535", port);
6843 b = gen_port(cstate, port, real_proto, dir);
6844 gen_or(gen_port6(cstate, port, real_proto, dir), b);
6845 return b;
6846
6847 case Q_PORTRANGE:
6848 if (proto != Q_DEFAULT &&
6849 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6850 bpf_error(cstate, "illegal qualifier of 'portrange'");
6851 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6852 bpf_error(cstate, "unknown port in range '%s'", name);
6853 if (proto == Q_UDP) {
6854 if (real_proto == IPPROTO_TCP)
6855 bpf_error(cstate, "port in range '%s' is tcp", name);
6856 else if (real_proto == IPPROTO_SCTP)
6857 bpf_error(cstate, "port in range '%s' is sctp", name);
6858 else
6859 /* override PROTO_UNDEF */
6860 real_proto = IPPROTO_UDP;
6861 }
6862 if (proto == Q_TCP) {
6863 if (real_proto == IPPROTO_UDP)
6864 bpf_error(cstate, "port in range '%s' is udp", name);
6865 else if (real_proto == IPPROTO_SCTP)
6866 bpf_error(cstate, "port in range '%s' is sctp", name);
6867 else
6868 /* override PROTO_UNDEF */
6869 real_proto = IPPROTO_TCP;
6870 }
6871 if (proto == Q_SCTP) {
6872 if (real_proto == IPPROTO_UDP)
6873 bpf_error(cstate, "port in range '%s' is udp", name);
6874 else if (real_proto == IPPROTO_TCP)
6875 bpf_error(cstate, "port in range '%s' is tcp", name);
6876 else
6877 /* override PROTO_UNDEF */
6878 real_proto = IPPROTO_SCTP;
6879 }
6880 if (port1 < 0)
6881 bpf_error(cstate, "illegal port number %d < 0", port1);
6882 if (port1 > 65535)
6883 bpf_error(cstate, "illegal port number %d > 65535", port1);
6884 if (port2 < 0)
6885 bpf_error(cstate, "illegal port number %d < 0", port2);
6886 if (port2 > 65535)
6887 bpf_error(cstate, "illegal port number %d > 65535", port2);
6888
6889 b = gen_portrange(cstate, port1, port2, real_proto, dir);
6890 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
6891 return b;
6892
6893 case Q_GATEWAY:
6894 #ifndef INET6
6895 eaddr = pcap_ether_hostton(name);
6896 if (eaddr == NULL)
6897 bpf_error(cstate, "unknown ether host: %s", name);
6898
6899 res = pcap_nametoaddrinfo(name);
6900 cstate->ai = res;
6901 if (res == NULL)
6902 bpf_error(cstate, "unknown host '%s'", name);
6903 b = gen_gateway(cstate, eaddr, res, proto, dir);
6904 cstate->ai = NULL;
6905 freeaddrinfo(res);
6906 if (b == NULL)
6907 bpf_error(cstate, "unknown host '%s'", name);
6908 return b;
6909 #else
6910 bpf_error(cstate, "'gateway' not supported in this configuration");
6911 #endif /*INET6*/
6912
6913 case Q_PROTO:
6914 real_proto = lookup_proto(cstate, name, proto);
6915 if (real_proto >= 0)
6916 return gen_proto(cstate, real_proto, proto, dir);
6917 else
6918 bpf_error(cstate, "unknown protocol: %s", name);
6919
6920 case Q_PROTOCHAIN:
6921 real_proto = lookup_proto(cstate, name, proto);
6922 if (real_proto >= 0)
6923 return gen_protochain(cstate, real_proto, proto);
6924 else
6925 bpf_error(cstate, "unknown protocol: %s", name);
6926
6927 case Q_UNDEF:
6928 syntax(cstate);
6929 /*NOTREACHED*/
6930 }
6931 abort();
6932 /*NOTREACHED*/
6933 }
6934
6935 struct block *
gen_mcode(compiler_state_t * cstate,const char * s1,const char * s2,bpf_u_int32 masklen,struct qual q)6936 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
6937 bpf_u_int32 masklen, struct qual q)
6938 {
6939 register int nlen, mlen;
6940 bpf_u_int32 n, m;
6941
6942 /*
6943 * Catch errors reported by us and routines below us, and return NULL
6944 * on an error.
6945 */
6946 if (setjmp(cstate->top_ctx))
6947 return (NULL);
6948
6949 nlen = __pcap_atoin(s1, &n);
6950 if (nlen < 0)
6951 bpf_error(cstate, "invalid IPv4 address '%s'", s1);
6952 /* Promote short ipaddr */
6953 n <<= 32 - nlen;
6954
6955 if (s2 != NULL) {
6956 mlen = __pcap_atoin(s2, &m);
6957 if (mlen < 0)
6958 bpf_error(cstate, "invalid IPv4 address '%s'", s2);
6959 /* Promote short ipaddr */
6960 m <<= 32 - mlen;
6961 if ((n & ~m) != 0)
6962 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
6963 s1, s2);
6964 } else {
6965 /* Convert mask len to mask */
6966 if (masklen > 32)
6967 bpf_error(cstate, "mask length must be <= 32");
6968 if (masklen == 0) {
6969 /*
6970 * X << 32 is not guaranteed by C to be 0; it's
6971 * undefined.
6972 */
6973 m = 0;
6974 } else
6975 m = 0xffffffff << (32 - masklen);
6976 if ((n & ~m) != 0)
6977 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
6978 s1, masklen);
6979 }
6980
6981 switch (q.addr) {
6982
6983 case Q_NET:
6984 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
6985
6986 default:
6987 bpf_error(cstate, "Mask syntax for networks only");
6988 /*NOTREACHED*/
6989 }
6990 /*NOTREACHED*/
6991 }
6992
6993 struct block *
gen_ncode(compiler_state_t * cstate,const char * s,bpf_u_int32 v,struct qual q)6994 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
6995 {
6996 bpf_u_int32 mask;
6997 int proto;
6998 int dir;
6999 register int vlen;
7000
7001 /*
7002 * Catch errors reported by us and routines below us, and return NULL
7003 * on an error.
7004 */
7005 if (setjmp(cstate->top_ctx))
7006 return (NULL);
7007
7008 proto = q.proto;
7009 dir = q.dir;
7010 if (s == NULL)
7011 vlen = 32;
7012 else if (q.proto == Q_DECNET) {
7013 vlen = __pcap_atodn(s, &v);
7014 if (vlen == 0)
7015 bpf_error(cstate, "malformed decnet address '%s'", s);
7016 } else {
7017 vlen = __pcap_atoin(s, &v);
7018 if (vlen < 0)
7019 bpf_error(cstate, "invalid IPv4 address '%s'", s);
7020 }
7021
7022 switch (q.addr) {
7023
7024 case Q_DEFAULT:
7025 case Q_HOST:
7026 case Q_NET:
7027 if (proto == Q_DECNET)
7028 return gen_host(cstate, v, 0, proto, dir, q.addr);
7029 else if (proto == Q_LINK) {
7030 bpf_error(cstate, "illegal link layer address");
7031 } else {
7032 mask = 0xffffffff;
7033 if (s == NULL && q.addr == Q_NET) {
7034 /* Promote short net number */
7035 while (v && (v & 0xff000000) == 0) {
7036 v <<= 8;
7037 mask <<= 8;
7038 }
7039 } else {
7040 /* Promote short ipaddr */
7041 v <<= 32 - vlen;
7042 mask <<= 32 - vlen ;
7043 }
7044 return gen_host(cstate, v, mask, proto, dir, q.addr);
7045 }
7046
7047 case Q_PORT:
7048 if (proto == Q_UDP)
7049 proto = IPPROTO_UDP;
7050 else if (proto == Q_TCP)
7051 proto = IPPROTO_TCP;
7052 else if (proto == Q_SCTP)
7053 proto = IPPROTO_SCTP;
7054 else if (proto == Q_DEFAULT)
7055 proto = PROTO_UNDEF;
7056 else
7057 bpf_error(cstate, "illegal qualifier of 'port'");
7058
7059 if (v > 65535)
7060 bpf_error(cstate, "illegal port number %u > 65535", v);
7061
7062 {
7063 struct block *b;
7064 b = gen_port(cstate, v, proto, dir);
7065 gen_or(gen_port6(cstate, v, proto, dir), b);
7066 return b;
7067 }
7068
7069 case Q_PORTRANGE:
7070 if (proto == Q_UDP)
7071 proto = IPPROTO_UDP;
7072 else if (proto == Q_TCP)
7073 proto = IPPROTO_TCP;
7074 else if (proto == Q_SCTP)
7075 proto = IPPROTO_SCTP;
7076 else if (proto == Q_DEFAULT)
7077 proto = PROTO_UNDEF;
7078 else
7079 bpf_error(cstate, "illegal qualifier of 'portrange'");
7080
7081 if (v > 65535)
7082 bpf_error(cstate, "illegal port number %u > 65535", v);
7083
7084 {
7085 struct block *b;
7086 b = gen_portrange(cstate, v, v, proto, dir);
7087 gen_or(gen_portrange6(cstate, v, v, proto, dir), b);
7088 return b;
7089 }
7090
7091 case Q_GATEWAY:
7092 bpf_error(cstate, "'gateway' requires a name");
7093 /*NOTREACHED*/
7094
7095 case Q_PROTO:
7096 return gen_proto(cstate, v, proto, dir);
7097
7098 case Q_PROTOCHAIN:
7099 return gen_protochain(cstate, v, proto);
7100
7101 case Q_UNDEF:
7102 syntax(cstate);
7103 /*NOTREACHED*/
7104
7105 default:
7106 abort();
7107 /*NOTREACHED*/
7108 }
7109 /*NOTREACHED*/
7110 }
7111
7112 #ifdef INET6
7113 struct block *
gen_mcode6(compiler_state_t * cstate,const char * s1,const char * s2,bpf_u_int32 masklen,struct qual q)7114 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2,
7115 bpf_u_int32 masklen, struct qual q)
7116 {
7117 struct addrinfo *res;
7118 struct in6_addr *addr;
7119 struct in6_addr mask;
7120 struct block *b;
7121 uint32_t *a, *m;
7122
7123 /*
7124 * Catch errors reported by us and routines below us, and return NULL
7125 * on an error.
7126 */
7127 if (setjmp(cstate->top_ctx))
7128 return (NULL);
7129
7130 if (s2)
7131 bpf_error(cstate, "no mask %s supported", s2);
7132
7133 res = pcap_nametoaddrinfo(s1);
7134 if (!res)
7135 bpf_error(cstate, "invalid ip6 address %s", s1);
7136 cstate->ai = res;
7137 if (res->ai_next)
7138 bpf_error(cstate, "%s resolved to multiple address", s1);
7139 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
7140
7141 if (masklen > sizeof(mask.s6_addr) * 8)
7142 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask.s6_addr) * 8));
7143 memset(&mask, 0, sizeof(mask));
7144 memset(&mask.s6_addr, 0xff, masklen / 8);
7145 if (masklen % 8) {
7146 mask.s6_addr[masklen / 8] =
7147 (0xff << (8 - masklen % 8)) & 0xff;
7148 }
7149
7150 a = (uint32_t *)addr;
7151 m = (uint32_t *)&mask;
7152 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
7153 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
7154 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen);
7155 }
7156
7157 switch (q.addr) {
7158
7159 case Q_DEFAULT:
7160 case Q_HOST:
7161 if (masklen != 128)
7162 bpf_error(cstate, "Mask syntax for networks only");
7163 /* FALLTHROUGH */
7164
7165 case Q_NET:
7166 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
7167 cstate->ai = NULL;
7168 freeaddrinfo(res);
7169 return b;
7170
7171 default:
7172 bpf_error(cstate, "invalid qualifier against IPv6 address");
7173 /*NOTREACHED*/
7174 }
7175 }
7176 #endif /*INET6*/
7177
7178 struct block *
gen_ecode(compiler_state_t * cstate,const char * s,struct qual q)7179 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
7180 {
7181 struct block *b, *tmp;
7182
7183 /*
7184 * Catch errors reported by us and routines below us, and return NULL
7185 * on an error.
7186 */
7187 if (setjmp(cstate->top_ctx))
7188 return (NULL);
7189
7190 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
7191 cstate->e = pcap_ether_aton(s);
7192 if (cstate->e == NULL)
7193 bpf_error(cstate, "malloc");
7194 switch (cstate->linktype) {
7195 case DLT_EN10MB:
7196 case DLT_NETANALYZER:
7197 case DLT_NETANALYZER_TRANSPARENT:
7198 tmp = gen_prevlinkhdr_check(cstate);
7199 b = gen_ehostop(cstate, cstate->e, (int)q.dir);
7200 if (tmp != NULL)
7201 gen_and(tmp, b);
7202 break;
7203 case DLT_FDDI:
7204 b = gen_fhostop(cstate, cstate->e, (int)q.dir);
7205 break;
7206 case DLT_IEEE802:
7207 b = gen_thostop(cstate, cstate->e, (int)q.dir);
7208 break;
7209 case DLT_IEEE802_11:
7210 case DLT_PRISM_HEADER:
7211 case DLT_IEEE802_11_RADIO_AVS:
7212 case DLT_IEEE802_11_RADIO:
7213 case DLT_PPI:
7214 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir);
7215 break;
7216 case DLT_IP_OVER_FC:
7217 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir);
7218 break;
7219 default:
7220 free(cstate->e);
7221 cstate->e = NULL;
7222 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
7223 /*NOTREACHED*/
7224 }
7225 free(cstate->e);
7226 cstate->e = NULL;
7227 return (b);
7228 }
7229 bpf_error(cstate, "ethernet address used in non-ether expression");
7230 /*NOTREACHED*/
7231 }
7232
7233 void
sappend(struct slist * s0,struct slist * s1)7234 sappend(struct slist *s0, struct slist *s1)
7235 {
7236 /*
7237 * This is definitely not the best way to do this, but the
7238 * lists will rarely get long.
7239 */
7240 while (s0->next)
7241 s0 = s0->next;
7242 s0->next = s1;
7243 }
7244
7245 static struct slist *
xfer_to_x(compiler_state_t * cstate,struct arth * a)7246 xfer_to_x(compiler_state_t *cstate, struct arth *a)
7247 {
7248 struct slist *s;
7249
7250 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
7251 s->s.k = a->regno;
7252 return s;
7253 }
7254
7255 static struct slist *
xfer_to_a(compiler_state_t * cstate,struct arth * a)7256 xfer_to_a(compiler_state_t *cstate, struct arth *a)
7257 {
7258 struct slist *s;
7259
7260 s = new_stmt(cstate, BPF_LD|BPF_MEM);
7261 s->s.k = a->regno;
7262 return s;
7263 }
7264
7265 /*
7266 * Modify "index" to use the value stored into its register as an
7267 * offset relative to the beginning of the header for the protocol
7268 * "proto", and allocate a register and put an item "size" bytes long
7269 * (1, 2, or 4) at that offset into that register, making it the register
7270 * for "index".
7271 */
7272 static struct arth *
gen_load_internal(compiler_state_t * cstate,int proto,struct arth * inst,bpf_u_int32 size)7273 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst,
7274 bpf_u_int32 size)
7275 {
7276 int size_code;
7277 struct slist *s, *tmp;
7278 struct block *b;
7279 int regno = alloc_reg(cstate);
7280
7281 free_reg(cstate, inst->regno);
7282 switch (size) {
7283
7284 default:
7285 bpf_error(cstate, "data size must be 1, 2, or 4");
7286 /*NOTREACHED*/
7287
7288 case 1:
7289 size_code = BPF_B;
7290 break;
7291
7292 case 2:
7293 size_code = BPF_H;
7294 break;
7295
7296 case 4:
7297 size_code = BPF_W;
7298 break;
7299 }
7300 switch (proto) {
7301 default:
7302 bpf_error(cstate, "unsupported index operation");
7303
7304 case Q_RADIO:
7305 /*
7306 * The offset is relative to the beginning of the packet
7307 * data, if we have a radio header. (If we don't, this
7308 * is an error.)
7309 */
7310 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
7311 cstate->linktype != DLT_IEEE802_11_RADIO &&
7312 cstate->linktype != DLT_PRISM_HEADER)
7313 bpf_error(cstate, "radio information not present in capture");
7314
7315 /*
7316 * Load into the X register the offset computed into the
7317 * register specified by "index".
7318 */
7319 s = xfer_to_x(cstate, inst);
7320
7321 /*
7322 * Load the item at that offset.
7323 */
7324 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7325 sappend(s, tmp);
7326 sappend(inst->s, s);
7327 break;
7328
7329 case Q_LINK:
7330 /*
7331 * The offset is relative to the beginning of
7332 * the link-layer header.
7333 *
7334 * XXX - what about ATM LANE? Should the index be
7335 * relative to the beginning of the AAL5 frame, so
7336 * that 0 refers to the beginning of the LE Control
7337 * field, or relative to the beginning of the LAN
7338 * frame, so that 0 refers, for Ethernet LANE, to
7339 * the beginning of the destination address?
7340 */
7341 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
7342
7343 /*
7344 * If "s" is non-null, it has code to arrange that the
7345 * X register contains the length of the prefix preceding
7346 * the link-layer header. Add to it the offset computed
7347 * into the register specified by "index", and move that
7348 * into the X register. Otherwise, just load into the X
7349 * register the offset computed into the register specified
7350 * by "index".
7351 */
7352 if (s != NULL) {
7353 sappend(s, xfer_to_a(cstate, inst));
7354 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7355 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7356 } else
7357 s = xfer_to_x(cstate, inst);
7358
7359 /*
7360 * Load the item at the sum of the offset we've put in the
7361 * X register and the offset of the start of the link
7362 * layer header (which is 0 if the radio header is
7363 * variable-length; that header length is what we put
7364 * into the X register and then added to the index).
7365 */
7366 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7367 tmp->s.k = cstate->off_linkhdr.constant_part;
7368 sappend(s, tmp);
7369 sappend(inst->s, s);
7370 break;
7371
7372 case Q_IP:
7373 case Q_ARP:
7374 case Q_RARP:
7375 case Q_ATALK:
7376 case Q_DECNET:
7377 case Q_SCA:
7378 case Q_LAT:
7379 case Q_MOPRC:
7380 case Q_MOPDL:
7381 case Q_IPV6:
7382 /*
7383 * The offset is relative to the beginning of
7384 * the network-layer header.
7385 * XXX - are there any cases where we want
7386 * cstate->off_nl_nosnap?
7387 */
7388 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7389
7390 /*
7391 * If "s" is non-null, it has code to arrange that the
7392 * X register contains the variable part of the offset
7393 * of the link-layer payload. Add to it the offset
7394 * computed into the register specified by "index",
7395 * and move that into the X register. Otherwise, just
7396 * load into the X register the offset computed into
7397 * the register specified by "index".
7398 */
7399 if (s != NULL) {
7400 sappend(s, xfer_to_a(cstate, inst));
7401 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7402 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7403 } else
7404 s = xfer_to_x(cstate, inst);
7405
7406 /*
7407 * Load the item at the sum of the offset we've put in the
7408 * X register, the offset of the start of the network
7409 * layer header from the beginning of the link-layer
7410 * payload, and the constant part of the offset of the
7411 * start of the link-layer payload.
7412 */
7413 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7414 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7415 sappend(s, tmp);
7416 sappend(inst->s, s);
7417
7418 /*
7419 * Do the computation only if the packet contains
7420 * the protocol in question.
7421 */
7422 b = gen_proto_abbrev_internal(cstate, proto);
7423 if (inst->b)
7424 gen_and(inst->b, b);
7425 inst->b = b;
7426 break;
7427
7428 case Q_SCTP:
7429 case Q_TCP:
7430 case Q_UDP:
7431 case Q_ICMP:
7432 case Q_IGMP:
7433 case Q_IGRP:
7434 case Q_PIM:
7435 case Q_VRRP:
7436 case Q_CARP:
7437 /*
7438 * The offset is relative to the beginning of
7439 * the transport-layer header.
7440 *
7441 * Load the X register with the length of the IPv4 header
7442 * (plus the offset of the link-layer header, if it's
7443 * a variable-length header), in bytes.
7444 *
7445 * XXX - are there any cases where we want
7446 * cstate->off_nl_nosnap?
7447 * XXX - we should, if we're built with
7448 * IPv6 support, generate code to load either
7449 * IPv4, IPv6, or both, as appropriate.
7450 */
7451 s = gen_loadx_iphdrlen(cstate);
7452
7453 /*
7454 * The X register now contains the sum of the variable
7455 * part of the offset of the link-layer payload and the
7456 * length of the network-layer header.
7457 *
7458 * Load into the A register the offset relative to
7459 * the beginning of the transport layer header,
7460 * add the X register to that, move that to the
7461 * X register, and load with an offset from the
7462 * X register equal to the sum of the constant part of
7463 * the offset of the link-layer payload and the offset,
7464 * relative to the beginning of the link-layer payload,
7465 * of the network-layer header.
7466 */
7467 sappend(s, xfer_to_a(cstate, inst));
7468 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7469 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7470 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code));
7471 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7472 sappend(inst->s, s);
7473
7474 /*
7475 * Do the computation only if the packet contains
7476 * the protocol in question - which is true only
7477 * if this is an IP datagram and is the first or
7478 * only fragment of that datagram.
7479 */
7480 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate));
7481 if (inst->b)
7482 gen_and(inst->b, b);
7483 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b);
7484 inst->b = b;
7485 break;
7486 case Q_ICMPV6:
7487 /*
7488 * Do the computation only if the packet contains
7489 * the protocol in question.
7490 */
7491 b = gen_proto_abbrev_internal(cstate, Q_IPV6);
7492 if (inst->b) {
7493 gen_and(inst->b, b);
7494 }
7495 inst->b = b;
7496
7497 /*
7498 * Check if we have an icmp6 next header
7499 */
7500 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58);
7501 if (inst->b) {
7502 gen_and(inst->b, b);
7503 }
7504 inst->b = b;
7505
7506
7507 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7508 /*
7509 * If "s" is non-null, it has code to arrange that the
7510 * X register contains the variable part of the offset
7511 * of the link-layer payload. Add to it the offset
7512 * computed into the register specified by "index",
7513 * and move that into the X register. Otherwise, just
7514 * load into the X register the offset computed into
7515 * the register specified by "index".
7516 */
7517 if (s != NULL) {
7518 sappend(s, xfer_to_a(cstate, inst));
7519 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7520 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7521 } else {
7522 s = xfer_to_x(cstate, inst);
7523 }
7524
7525 /*
7526 * Load the item at the sum of the offset we've put in the
7527 * X register, the offset of the start of the network
7528 * layer header from the beginning of the link-layer
7529 * payload, and the constant part of the offset of the
7530 * start of the link-layer payload.
7531 */
7532 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7533 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7534
7535 sappend(s, tmp);
7536 sappend(inst->s, s);
7537
7538 break;
7539 }
7540 inst->regno = regno;
7541 s = new_stmt(cstate, BPF_ST);
7542 s->s.k = regno;
7543 sappend(inst->s, s);
7544
7545 return inst;
7546 }
7547
7548 struct arth *
gen_load(compiler_state_t * cstate,int proto,struct arth * inst,bpf_u_int32 size)7549 gen_load(compiler_state_t *cstate, int proto, struct arth *inst,
7550 bpf_u_int32 size)
7551 {
7552 /*
7553 * Catch errors reported by us and routines below us, and return NULL
7554 * on an error.
7555 */
7556 if (setjmp(cstate->top_ctx))
7557 return (NULL);
7558
7559 return gen_load_internal(cstate, proto, inst, size);
7560 }
7561
7562 static struct block *
gen_relation_internal(compiler_state_t * cstate,int code,struct arth * a0,struct arth * a1,int reversed)7563 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0,
7564 struct arth *a1, int reversed)
7565 {
7566 struct slist *s0, *s1, *s2;
7567 struct block *b, *tmp;
7568
7569 s0 = xfer_to_x(cstate, a1);
7570 s1 = xfer_to_a(cstate, a0);
7571 if (code == BPF_JEQ) {
7572 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7573 b = new_block(cstate, JMP(code));
7574 sappend(s1, s2);
7575 }
7576 else
7577 b = new_block(cstate, BPF_JMP|code|BPF_X);
7578 if (reversed)
7579 gen_not(b);
7580
7581 sappend(s0, s1);
7582 sappend(a1->s, s0);
7583 sappend(a0->s, a1->s);
7584
7585 b->stmts = a0->s;
7586
7587 free_reg(cstate, a0->regno);
7588 free_reg(cstate, a1->regno);
7589
7590 /* 'and' together protocol checks */
7591 if (a0->b) {
7592 if (a1->b) {
7593 gen_and(a0->b, tmp = a1->b);
7594 }
7595 else
7596 tmp = a0->b;
7597 } else
7598 tmp = a1->b;
7599
7600 if (tmp)
7601 gen_and(tmp, b);
7602
7603 return b;
7604 }
7605
7606 struct block *
gen_relation(compiler_state_t * cstate,int code,struct arth * a0,struct arth * a1,int reversed)7607 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7608 struct arth *a1, int reversed)
7609 {
7610 /*
7611 * Catch errors reported by us and routines below us, and return NULL
7612 * on an error.
7613 */
7614 if (setjmp(cstate->top_ctx))
7615 return (NULL);
7616
7617 return gen_relation_internal(cstate, code, a0, a1, reversed);
7618 }
7619
7620 struct arth *
gen_loadlen(compiler_state_t * cstate)7621 gen_loadlen(compiler_state_t *cstate)
7622 {
7623 int regno;
7624 struct arth *a;
7625 struct slist *s;
7626
7627 /*
7628 * Catch errors reported by us and routines below us, and return NULL
7629 * on an error.
7630 */
7631 if (setjmp(cstate->top_ctx))
7632 return (NULL);
7633
7634 regno = alloc_reg(cstate);
7635 a = (struct arth *)newchunk(cstate, sizeof(*a));
7636 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7637 s->next = new_stmt(cstate, BPF_ST);
7638 s->next->s.k = regno;
7639 a->s = s;
7640 a->regno = regno;
7641
7642 return a;
7643 }
7644
7645 static struct arth *
gen_loadi_internal(compiler_state_t * cstate,bpf_u_int32 val)7646 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val)
7647 {
7648 struct arth *a;
7649 struct slist *s;
7650 int reg;
7651
7652 a = (struct arth *)newchunk(cstate, sizeof(*a));
7653
7654 reg = alloc_reg(cstate);
7655
7656 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7657 s->s.k = val;
7658 s->next = new_stmt(cstate, BPF_ST);
7659 s->next->s.k = reg;
7660 a->s = s;
7661 a->regno = reg;
7662
7663 return a;
7664 }
7665
7666 struct arth *
gen_loadi(compiler_state_t * cstate,bpf_u_int32 val)7667 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val)
7668 {
7669 /*
7670 * Catch errors reported by us and routines below us, and return NULL
7671 * on an error.
7672 */
7673 if (setjmp(cstate->top_ctx))
7674 return (NULL);
7675
7676 return gen_loadi_internal(cstate, val);
7677 }
7678
7679 /*
7680 * The a_arg dance is to avoid annoying whining by compilers that
7681 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7682 * It's not *used* after setjmp returns.
7683 */
7684 struct arth *
gen_neg(compiler_state_t * cstate,struct arth * a_arg)7685 gen_neg(compiler_state_t *cstate, struct arth *a_arg)
7686 {
7687 struct arth *a = a_arg;
7688 struct slist *s;
7689
7690 /*
7691 * Catch errors reported by us and routines below us, and return NULL
7692 * on an error.
7693 */
7694 if (setjmp(cstate->top_ctx))
7695 return (NULL);
7696
7697 s = xfer_to_a(cstate, a);
7698 sappend(a->s, s);
7699 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7700 s->s.k = 0;
7701 sappend(a->s, s);
7702 s = new_stmt(cstate, BPF_ST);
7703 s->s.k = a->regno;
7704 sappend(a->s, s);
7705
7706 return a;
7707 }
7708
7709 /*
7710 * The a0_arg dance is to avoid annoying whining by compilers that
7711 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7712 * It's not *used* after setjmp returns.
7713 */
7714 struct arth *
gen_arth(compiler_state_t * cstate,int code,struct arth * a0_arg,struct arth * a1)7715 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg,
7716 struct arth *a1)
7717 {
7718 struct arth *a0 = a0_arg;
7719 struct slist *s0, *s1, *s2;
7720
7721 /*
7722 * Catch errors reported by us and routines below us, and return NULL
7723 * on an error.
7724 */
7725 if (setjmp(cstate->top_ctx))
7726 return (NULL);
7727
7728 /*
7729 * Disallow division by, or modulus by, zero; we do this here
7730 * so that it gets done even if the optimizer is disabled.
7731 *
7732 * Also disallow shifts by a value greater than 31; we do this
7733 * here, for the same reason.
7734 */
7735 if (code == BPF_DIV) {
7736 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7737 bpf_error(cstate, "division by zero");
7738 } else if (code == BPF_MOD) {
7739 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7740 bpf_error(cstate, "modulus by zero");
7741 } else if (code == BPF_LSH || code == BPF_RSH) {
7742 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31)
7743 bpf_error(cstate, "shift by more than 31 bits");
7744 }
7745 s0 = xfer_to_x(cstate, a1);
7746 s1 = xfer_to_a(cstate, a0);
7747 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
7748
7749 sappend(s1, s2);
7750 sappend(s0, s1);
7751 sappend(a1->s, s0);
7752 sappend(a0->s, a1->s);
7753
7754 free_reg(cstate, a0->regno);
7755 free_reg(cstate, a1->regno);
7756
7757 s0 = new_stmt(cstate, BPF_ST);
7758 a0->regno = s0->s.k = alloc_reg(cstate);
7759 sappend(a0->s, s0);
7760
7761 return a0;
7762 }
7763
7764 /*
7765 * Initialize the table of used registers and the current register.
7766 */
7767 static void
init_regs(compiler_state_t * cstate)7768 init_regs(compiler_state_t *cstate)
7769 {
7770 cstate->curreg = 0;
7771 memset(cstate->regused, 0, sizeof cstate->regused);
7772 }
7773
7774 /*
7775 * Return the next free register.
7776 */
7777 static int
alloc_reg(compiler_state_t * cstate)7778 alloc_reg(compiler_state_t *cstate)
7779 {
7780 int n = BPF_MEMWORDS;
7781
7782 while (--n >= 0) {
7783 if (cstate->regused[cstate->curreg])
7784 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
7785 else {
7786 cstate->regused[cstate->curreg] = 1;
7787 return cstate->curreg;
7788 }
7789 }
7790 bpf_error(cstate, "too many registers needed to evaluate expression");
7791 /*NOTREACHED*/
7792 }
7793
7794 /*
7795 * Return a register to the table so it can
7796 * be used later.
7797 */
7798 static void
free_reg(compiler_state_t * cstate,int n)7799 free_reg(compiler_state_t *cstate, int n)
7800 {
7801 cstate->regused[n] = 0;
7802 }
7803
7804 static struct block *
gen_len(compiler_state_t * cstate,int jmp,int n)7805 gen_len(compiler_state_t *cstate, int jmp, int n)
7806 {
7807 struct slist *s;
7808 struct block *b;
7809
7810 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7811 b = new_block(cstate, JMP(jmp));
7812 b->stmts = s;
7813 b->s.k = n;
7814
7815 return b;
7816 }
7817
7818 struct block *
gen_greater(compiler_state_t * cstate,int n)7819 gen_greater(compiler_state_t *cstate, int n)
7820 {
7821 /*
7822 * Catch errors reported by us and routines below us, and return NULL
7823 * on an error.
7824 */
7825 if (setjmp(cstate->top_ctx))
7826 return (NULL);
7827
7828 return gen_len(cstate, BPF_JGE, n);
7829 }
7830
7831 /*
7832 * Actually, this is less than or equal.
7833 */
7834 struct block *
gen_less(compiler_state_t * cstate,int n)7835 gen_less(compiler_state_t *cstate, int n)
7836 {
7837 struct block *b;
7838
7839 /*
7840 * Catch errors reported by us and routines below us, and return NULL
7841 * on an error.
7842 */
7843 if (setjmp(cstate->top_ctx))
7844 return (NULL);
7845
7846 b = gen_len(cstate, BPF_JGT, n);
7847 gen_not(b);
7848
7849 return b;
7850 }
7851
7852 /*
7853 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7854 * the beginning of the link-layer header.
7855 * XXX - that means you can't test values in the radiotap header, but
7856 * as that header is difficult if not impossible to parse generally
7857 * without a loop, that might not be a severe problem. A new keyword
7858 * "radio" could be added for that, although what you'd really want
7859 * would be a way of testing particular radio header values, which
7860 * would generate code appropriate to the radio header in question.
7861 */
7862 struct block *
gen_byteop(compiler_state_t * cstate,int op,int idx,bpf_u_int32 val)7863 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val)
7864 {
7865 struct block *b;
7866 struct slist *s;
7867
7868 /*
7869 * Catch errors reported by us and routines below us, and return NULL
7870 * on an error.
7871 */
7872 if (setjmp(cstate->top_ctx))
7873 return (NULL);
7874
7875 switch (op) {
7876 default:
7877 abort();
7878
7879 case '=':
7880 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7881
7882 case '<':
7883 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7884 return b;
7885
7886 case '>':
7887 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7888 return b;
7889
7890 case '|':
7891 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
7892 break;
7893
7894 case '&':
7895 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
7896 break;
7897 }
7898 s->s.k = val;
7899 b = new_block(cstate, JMP(BPF_JEQ));
7900 b->stmts = s;
7901 gen_not(b);
7902
7903 return b;
7904 }
7905
7906 static const u_char abroadcast[] = { 0x0 };
7907
7908 struct block *
gen_broadcast(compiler_state_t * cstate,int proto)7909 gen_broadcast(compiler_state_t *cstate, int proto)
7910 {
7911 bpf_u_int32 hostmask;
7912 struct block *b0, *b1, *b2;
7913 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7914
7915 /*
7916 * Catch errors reported by us and routines below us, and return NULL
7917 * on an error.
7918 */
7919 if (setjmp(cstate->top_ctx))
7920 return (NULL);
7921
7922 switch (proto) {
7923
7924 case Q_DEFAULT:
7925 case Q_LINK:
7926 switch (cstate->linktype) {
7927 case DLT_ARCNET:
7928 case DLT_ARCNET_LINUX:
7929 return gen_ahostop(cstate, abroadcast, Q_DST);
7930 case DLT_EN10MB:
7931 case DLT_NETANALYZER:
7932 case DLT_NETANALYZER_TRANSPARENT:
7933 b1 = gen_prevlinkhdr_check(cstate);
7934 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
7935 if (b1 != NULL)
7936 gen_and(b1, b0);
7937 return b0;
7938 case DLT_FDDI:
7939 return gen_fhostop(cstate, ebroadcast, Q_DST);
7940 case DLT_IEEE802:
7941 return gen_thostop(cstate, ebroadcast, Q_DST);
7942 case DLT_IEEE802_11:
7943 case DLT_PRISM_HEADER:
7944 case DLT_IEEE802_11_RADIO_AVS:
7945 case DLT_IEEE802_11_RADIO:
7946 case DLT_PPI:
7947 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
7948 case DLT_IP_OVER_FC:
7949 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
7950 default:
7951 bpf_error(cstate, "not a broadcast link");
7952 }
7953 /*NOTREACHED*/
7954
7955 case Q_IP:
7956 /*
7957 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7958 * as an indication that we don't know the netmask, and fail
7959 * in that case.
7960 */
7961 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
7962 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
7963 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7964 hostmask = ~cstate->netmask;
7965 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask);
7966 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W,
7967 ~0 & hostmask, hostmask);
7968 gen_or(b1, b2);
7969 gen_and(b0, b2);
7970 return b2;
7971 }
7972 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
7973 /*NOTREACHED*/
7974 }
7975
7976 /*
7977 * Generate code to test the low-order bit of a MAC address (that's
7978 * the bottom bit of the *first* byte).
7979 */
7980 static struct block *
gen_mac_multicast(compiler_state_t * cstate,int offset)7981 gen_mac_multicast(compiler_state_t *cstate, int offset)
7982 {
7983 register struct block *b0;
7984 register struct slist *s;
7985
7986 /* link[offset] & 1 != 0 */
7987 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
7988 b0 = new_block(cstate, JMP(BPF_JSET));
7989 b0->s.k = 1;
7990 b0->stmts = s;
7991 return b0;
7992 }
7993
7994 struct block *
gen_multicast(compiler_state_t * cstate,int proto)7995 gen_multicast(compiler_state_t *cstate, int proto)
7996 {
7997 register struct block *b0, *b1, *b2;
7998 register struct slist *s;
7999
8000 /*
8001 * Catch errors reported by us and routines below us, and return NULL
8002 * on an error.
8003 */
8004 if (setjmp(cstate->top_ctx))
8005 return (NULL);
8006
8007 switch (proto) {
8008
8009 case Q_DEFAULT:
8010 case Q_LINK:
8011 switch (cstate->linktype) {
8012 case DLT_ARCNET:
8013 case DLT_ARCNET_LINUX:
8014 /* all ARCnet multicasts use the same address */
8015 return gen_ahostop(cstate, abroadcast, Q_DST);
8016 case DLT_EN10MB:
8017 case DLT_NETANALYZER:
8018 case DLT_NETANALYZER_TRANSPARENT:
8019 b1 = gen_prevlinkhdr_check(cstate);
8020 /* ether[0] & 1 != 0 */
8021 b0 = gen_mac_multicast(cstate, 0);
8022 if (b1 != NULL)
8023 gen_and(b1, b0);
8024 return b0;
8025 case DLT_FDDI:
8026 /*
8027 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
8028 *
8029 * XXX - was that referring to bit-order issues?
8030 */
8031 /* fddi[1] & 1 != 0 */
8032 return gen_mac_multicast(cstate, 1);
8033 case DLT_IEEE802:
8034 /* tr[2] & 1 != 0 */
8035 return gen_mac_multicast(cstate, 2);
8036 case DLT_IEEE802_11:
8037 case DLT_PRISM_HEADER:
8038 case DLT_IEEE802_11_RADIO_AVS:
8039 case DLT_IEEE802_11_RADIO:
8040 case DLT_PPI:
8041 /*
8042 * Oh, yuk.
8043 *
8044 * For control frames, there is no DA.
8045 *
8046 * For management frames, DA is at an
8047 * offset of 4 from the beginning of
8048 * the packet.
8049 *
8050 * For data frames, DA is at an offset
8051 * of 4 from the beginning of the packet
8052 * if To DS is clear and at an offset of
8053 * 16 from the beginning of the packet
8054 * if To DS is set.
8055 */
8056
8057 /*
8058 * Generate the tests to be done for data frames.
8059 *
8060 * First, check for To DS set, i.e. "link[1] & 0x01".
8061 */
8062 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8063 b1 = new_block(cstate, JMP(BPF_JSET));
8064 b1->s.k = 0x01; /* To DS */
8065 b1->stmts = s;
8066
8067 /*
8068 * If To DS is set, the DA is at 16.
8069 */
8070 b0 = gen_mac_multicast(cstate, 16);
8071 gen_and(b1, b0);
8072
8073 /*
8074 * Now, check for To DS not set, i.e. check
8075 * "!(link[1] & 0x01)".
8076 */
8077 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8078 b2 = new_block(cstate, JMP(BPF_JSET));
8079 b2->s.k = 0x01; /* To DS */
8080 b2->stmts = s;
8081 gen_not(b2);
8082
8083 /*
8084 * If To DS is not set, the DA is at 4.
8085 */
8086 b1 = gen_mac_multicast(cstate, 4);
8087 gen_and(b2, b1);
8088
8089 /*
8090 * Now OR together the last two checks. That gives
8091 * the complete set of checks for data frames.
8092 */
8093 gen_or(b1, b0);
8094
8095 /*
8096 * Now check for a data frame.
8097 * I.e, check "link[0] & 0x08".
8098 */
8099 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8100 b1 = new_block(cstate, JMP(BPF_JSET));
8101 b1->s.k = 0x08;
8102 b1->stmts = s;
8103
8104 /*
8105 * AND that with the checks done for data frames.
8106 */
8107 gen_and(b1, b0);
8108
8109 /*
8110 * If the high-order bit of the type value is 0, this
8111 * is a management frame.
8112 * I.e, check "!(link[0] & 0x08)".
8113 */
8114 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8115 b2 = new_block(cstate, JMP(BPF_JSET));
8116 b2->s.k = 0x08;
8117 b2->stmts = s;
8118 gen_not(b2);
8119
8120 /*
8121 * For management frames, the DA is at 4.
8122 */
8123 b1 = gen_mac_multicast(cstate, 4);
8124 gen_and(b2, b1);
8125
8126 /*
8127 * OR that with the checks done for data frames.
8128 * That gives the checks done for management and
8129 * data frames.
8130 */
8131 gen_or(b1, b0);
8132
8133 /*
8134 * If the low-order bit of the type value is 1,
8135 * this is either a control frame or a frame
8136 * with a reserved type, and thus not a
8137 * frame with an SA.
8138 *
8139 * I.e., check "!(link[0] & 0x04)".
8140 */
8141 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8142 b1 = new_block(cstate, JMP(BPF_JSET));
8143 b1->s.k = 0x04;
8144 b1->stmts = s;
8145 gen_not(b1);
8146
8147 /*
8148 * AND that with the checks for data and management
8149 * frames.
8150 */
8151 gen_and(b1, b0);
8152 return b0;
8153 case DLT_IP_OVER_FC:
8154 b0 = gen_mac_multicast(cstate, 2);
8155 return b0;
8156 default:
8157 break;
8158 }
8159 /* Link not known to support multicasts */
8160 break;
8161
8162 case Q_IP:
8163 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8164 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, 224);
8165 gen_and(b0, b1);
8166 return b1;
8167
8168 case Q_IPV6:
8169 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
8170 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255);
8171 gen_and(b0, b1);
8172 return b1;
8173 }
8174 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
8175 /*NOTREACHED*/
8176 }
8177
8178 struct block *
gen_ifindex(compiler_state_t * cstate,int ifindex)8179 gen_ifindex(compiler_state_t *cstate, int ifindex)
8180 {
8181 register struct block *b0;
8182
8183 /*
8184 * Catch errors reported by us and routines below us, and return NULL
8185 * on an error.
8186 */
8187 if (setjmp(cstate->top_ctx))
8188 return (NULL);
8189
8190 /*
8191 * Only some data link types support ifindex qualifiers.
8192 */
8193 switch (cstate->linktype) {
8194 case DLT_LINUX_SLL2:
8195 /* match packets on this interface */
8196 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex);
8197 break;
8198 default:
8199 #if defined(linux)
8200 /*
8201 * This is Linux; we require PF_PACKET support.
8202 * If this is a *live* capture, we can look at
8203 * special meta-data in the filter expression;
8204 * if it's a savefile, we can't.
8205 */
8206 if (cstate->bpf_pcap->rfile != NULL) {
8207 /* We have a FILE *, so this is a savefile */
8208 bpf_error(cstate, "ifindex not supported on %s when reading savefiles",
8209 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8210 b0 = NULL;
8211 /*NOTREACHED*/
8212 }
8213 /* match ifindex */
8214 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W,
8215 ifindex);
8216 #else /* defined(linux) */
8217 bpf_error(cstate, "ifindex not supported on %s",
8218 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8219 /*NOTREACHED*/
8220 #endif /* defined(linux) */
8221 }
8222 return (b0);
8223 }
8224
8225 /*
8226 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
8227 * Outbound traffic is sent by this machine, while inbound traffic is
8228 * sent by a remote machine (and may include packets destined for a
8229 * unicast or multicast link-layer address we are not subscribing to).
8230 * These are the same definitions implemented by pcap_setdirection().
8231 * Capturing only unicast traffic destined for this host is probably
8232 * better accomplished using a higher-layer filter.
8233 */
8234 struct block *
gen_inbound(compiler_state_t * cstate,int dir)8235 gen_inbound(compiler_state_t *cstate, int dir)
8236 {
8237 register struct block *b0;
8238
8239 /*
8240 * Catch errors reported by us and routines below us, and return NULL
8241 * on an error.
8242 */
8243 if (setjmp(cstate->top_ctx))
8244 return (NULL);
8245
8246 /*
8247 * Only some data link types support inbound/outbound qualifiers.
8248 */
8249 switch (cstate->linktype) {
8250 case DLT_SLIP:
8251 b0 = gen_relation_internal(cstate, BPF_JEQ,
8252 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1),
8253 gen_loadi_internal(cstate, 0),
8254 dir);
8255 break;
8256
8257 case DLT_IPNET:
8258 if (dir) {
8259 /* match outgoing packets */
8260 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
8261 } else {
8262 /* match incoming packets */
8263 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
8264 }
8265 break;
8266
8267 case DLT_LINUX_SLL:
8268 /* match outgoing packets */
8269 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
8270 if (!dir) {
8271 /* to filter on inbound traffic, invert the match */
8272 gen_not(b0);
8273 }
8274 break;
8275
8276 case DLT_LINUX_SLL2:
8277 /* match outgoing packets */
8278 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING);
8279 if (!dir) {
8280 /* to filter on inbound traffic, invert the match */
8281 gen_not(b0);
8282 }
8283 break;
8284
8285 #ifdef HAVE_NET_PFVAR_H
8286 case DLT_PFLOG:
8287 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
8288 ((dir == 0) ? PF_IN : PF_OUT));
8289 break;
8290 #endif
8291
8292 case DLT_PPP_PPPD:
8293 if (dir) {
8294 /* match outgoing packets */
8295 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
8296 } else {
8297 /* match incoming packets */
8298 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
8299 }
8300 break;
8301
8302 case DLT_JUNIPER_MFR:
8303 case DLT_JUNIPER_MLFR:
8304 case DLT_JUNIPER_MLPPP:
8305 case DLT_JUNIPER_ATM1:
8306 case DLT_JUNIPER_ATM2:
8307 case DLT_JUNIPER_PPPOE:
8308 case DLT_JUNIPER_PPPOE_ATM:
8309 case DLT_JUNIPER_GGSN:
8310 case DLT_JUNIPER_ES:
8311 case DLT_JUNIPER_MONITOR:
8312 case DLT_JUNIPER_SERVICES:
8313 case DLT_JUNIPER_ETHER:
8314 case DLT_JUNIPER_PPP:
8315 case DLT_JUNIPER_FRELAY:
8316 case DLT_JUNIPER_CHDLC:
8317 case DLT_JUNIPER_VP:
8318 case DLT_JUNIPER_ST:
8319 case DLT_JUNIPER_ISM:
8320 case DLT_JUNIPER_VS:
8321 case DLT_JUNIPER_SRX_E2E:
8322 case DLT_JUNIPER_FIBRECHANNEL:
8323 case DLT_JUNIPER_ATM_CEMIC:
8324
8325 /* juniper flags (including direction) are stored
8326 * the byte after the 3-byte magic number */
8327 if (dir) {
8328 /* match outgoing packets */
8329 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01);
8330 } else {
8331 /* match incoming packets */
8332 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01);
8333 }
8334 break;
8335
8336 default:
8337 /*
8338 * If we have packet meta-data indicating a direction,
8339 * and that metadata can be checked by BPF code, check
8340 * it. Otherwise, give up, as this link-layer type has
8341 * nothing in the packet data.
8342 *
8343 * Currently, the only platform where a BPF filter can
8344 * check that metadata is Linux with the in-kernel
8345 * BPF interpreter. If other packet capture mechanisms
8346 * and BPF filters also supported this, it would be
8347 * nice. It would be even better if they made that
8348 * metadata available so that we could provide it
8349 * with newer capture APIs, allowing it to be saved
8350 * in pcapng files.
8351 */
8352 #if defined(linux)
8353 /*
8354 * This is Linux; we require PF_PACKET support.
8355 * If this is a *live* capture, we can look at
8356 * special meta-data in the filter expression;
8357 * if it's a savefile, we can't.
8358 */
8359 if (cstate->bpf_pcap->rfile != NULL) {
8360 /* We have a FILE *, so this is a savefile */
8361 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles",
8362 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8363 /*NOTREACHED*/
8364 }
8365 /* match outgoing packets */
8366 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
8367 PACKET_OUTGOING);
8368 if (!dir) {
8369 /* to filter on inbound traffic, invert the match */
8370 gen_not(b0);
8371 }
8372 #else /* defined(linux) */
8373 bpf_error(cstate, "inbound/outbound not supported on %s",
8374 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8375 /*NOTREACHED*/
8376 #endif /* defined(linux) */
8377 }
8378 return (b0);
8379 }
8380
8381 #ifdef HAVE_NET_PFVAR_H
8382 /* PF firewall log matched interface */
8383 struct block *
gen_pf_ifname(compiler_state_t * cstate,const char * ifname)8384 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
8385 {
8386 struct block *b0;
8387 u_int len, off;
8388
8389 /*
8390 * Catch errors reported by us and routines below us, and return NULL
8391 * on an error.
8392 */
8393 if (setjmp(cstate->top_ctx))
8394 return (NULL);
8395
8396 if (cstate->linktype != DLT_PFLOG) {
8397 bpf_error(cstate, "ifname supported only on PF linktype");
8398 /*NOTREACHED*/
8399 }
8400 len = sizeof(((struct pfloghdr *)0)->ifname);
8401 off = offsetof(struct pfloghdr, ifname);
8402 if (strlen(ifname) >= len) {
8403 bpf_error(cstate, "ifname interface names can only be %d characters",
8404 len-1);
8405 /*NOTREACHED*/
8406 }
8407 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname),
8408 (const u_char *)ifname);
8409 return (b0);
8410 }
8411
8412 /* PF firewall log ruleset name */
8413 struct block *
gen_pf_ruleset(compiler_state_t * cstate,char * ruleset)8414 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
8415 {
8416 struct block *b0;
8417
8418 /*
8419 * Catch errors reported by us and routines below us, and return NULL
8420 * on an error.
8421 */
8422 if (setjmp(cstate->top_ctx))
8423 return (NULL);
8424
8425 if (cstate->linktype != DLT_PFLOG) {
8426 bpf_error(cstate, "ruleset supported only on PF linktype");
8427 /*NOTREACHED*/
8428 }
8429
8430 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
8431 bpf_error(cstate, "ruleset names can only be %ld characters",
8432 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
8433 /*NOTREACHED*/
8434 }
8435
8436 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
8437 (u_int)strlen(ruleset), (const u_char *)ruleset);
8438 return (b0);
8439 }
8440
8441 /* PF firewall log rule number */
8442 struct block *
gen_pf_rnr(compiler_state_t * cstate,int rnr)8443 gen_pf_rnr(compiler_state_t *cstate, int rnr)
8444 {
8445 struct block *b0;
8446
8447 /*
8448 * Catch errors reported by us and routines below us, and return NULL
8449 * on an error.
8450 */
8451 if (setjmp(cstate->top_ctx))
8452 return (NULL);
8453
8454 if (cstate->linktype != DLT_PFLOG) {
8455 bpf_error(cstate, "rnr supported only on PF linktype");
8456 /*NOTREACHED*/
8457 }
8458
8459 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
8460 (bpf_u_int32)rnr);
8461 return (b0);
8462 }
8463
8464 /* PF firewall log sub-rule number */
8465 struct block *
gen_pf_srnr(compiler_state_t * cstate,int srnr)8466 gen_pf_srnr(compiler_state_t *cstate, int srnr)
8467 {
8468 struct block *b0;
8469
8470 /*
8471 * Catch errors reported by us and routines below us, and return NULL
8472 * on an error.
8473 */
8474 if (setjmp(cstate->top_ctx))
8475 return (NULL);
8476
8477 if (cstate->linktype != DLT_PFLOG) {
8478 bpf_error(cstate, "srnr supported only on PF linktype");
8479 /*NOTREACHED*/
8480 }
8481
8482 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
8483 (bpf_u_int32)srnr);
8484 return (b0);
8485 }
8486
8487 /* PF firewall log reason code */
8488 struct block *
gen_pf_reason(compiler_state_t * cstate,int reason)8489 gen_pf_reason(compiler_state_t *cstate, int reason)
8490 {
8491 struct block *b0;
8492
8493 /*
8494 * Catch errors reported by us and routines below us, and return NULL
8495 * on an error.
8496 */
8497 if (setjmp(cstate->top_ctx))
8498 return (NULL);
8499
8500 if (cstate->linktype != DLT_PFLOG) {
8501 bpf_error(cstate, "reason supported only on PF linktype");
8502 /*NOTREACHED*/
8503 }
8504
8505 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
8506 (bpf_u_int32)reason);
8507 return (b0);
8508 }
8509
8510 /* PF firewall log action */
8511 struct block *
gen_pf_action(compiler_state_t * cstate,int action)8512 gen_pf_action(compiler_state_t *cstate, int action)
8513 {
8514 struct block *b0;
8515
8516 /*
8517 * Catch errors reported by us and routines below us, and return NULL
8518 * on an error.
8519 */
8520 if (setjmp(cstate->top_ctx))
8521 return (NULL);
8522
8523 if (cstate->linktype != DLT_PFLOG) {
8524 bpf_error(cstate, "action supported only on PF linktype");
8525 /*NOTREACHED*/
8526 }
8527
8528 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
8529 (bpf_u_int32)action);
8530 return (b0);
8531 }
8532 #else /* !HAVE_NET_PFVAR_H */
8533 struct block *
gen_pf_ifname(compiler_state_t * cstate,const char * ifname _U_)8534 gen_pf_ifname(compiler_state_t *cstate, const char *ifname _U_)
8535 {
8536 /*
8537 * Catch errors reported by us and routines below us, and return NULL
8538 * on an error.
8539 */
8540 if (setjmp(cstate->top_ctx))
8541 return (NULL);
8542
8543 bpf_error(cstate, "libpcap was compiled without pf support");
8544 /*NOTREACHED*/
8545 }
8546
8547 struct block *
gen_pf_ruleset(compiler_state_t * cstate,char * ruleset _U_)8548 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset _U_)
8549 {
8550 /*
8551 * Catch errors reported by us and routines below us, and return NULL
8552 * on an error.
8553 */
8554 if (setjmp(cstate->top_ctx))
8555 return (NULL);
8556
8557 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8558 /*NOTREACHED*/
8559 }
8560
8561 struct block *
gen_pf_rnr(compiler_state_t * cstate,int rnr _U_)8562 gen_pf_rnr(compiler_state_t *cstate, int rnr _U_)
8563 {
8564 /*
8565 * Catch errors reported by us and routines below us, and return NULL
8566 * on an error.
8567 */
8568 if (setjmp(cstate->top_ctx))
8569 return (NULL);
8570
8571 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8572 /*NOTREACHED*/
8573 }
8574
8575 struct block *
gen_pf_srnr(compiler_state_t * cstate,int srnr _U_)8576 gen_pf_srnr(compiler_state_t *cstate, int srnr _U_)
8577 {
8578 /*
8579 * Catch errors reported by us and routines below us, and return NULL
8580 * on an error.
8581 */
8582 if (setjmp(cstate->top_ctx))
8583 return (NULL);
8584
8585 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8586 /*NOTREACHED*/
8587 }
8588
8589 struct block *
gen_pf_reason(compiler_state_t * cstate,int reason _U_)8590 gen_pf_reason(compiler_state_t *cstate, int reason _U_)
8591 {
8592 /*
8593 * Catch errors reported by us and routines below us, and return NULL
8594 * on an error.
8595 */
8596 if (setjmp(cstate->top_ctx))
8597 return (NULL);
8598
8599 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8600 /*NOTREACHED*/
8601 }
8602
8603 struct block *
gen_pf_action(compiler_state_t * cstate,int action _U_)8604 gen_pf_action(compiler_state_t *cstate, int action _U_)
8605 {
8606 /*
8607 * Catch errors reported by us and routines below us, and return NULL
8608 * on an error.
8609 */
8610 if (setjmp(cstate->top_ctx))
8611 return (NULL);
8612
8613 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8614 /*NOTREACHED*/
8615 }
8616 #endif /* HAVE_NET_PFVAR_H */
8617
8618 /* IEEE 802.11 wireless header */
8619 struct block *
gen_p80211_type(compiler_state_t * cstate,bpf_u_int32 type,bpf_u_int32 mask)8620 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask)
8621 {
8622 struct block *b0;
8623
8624 /*
8625 * Catch errors reported by us and routines below us, and return NULL
8626 * on an error.
8627 */
8628 if (setjmp(cstate->top_ctx))
8629 return (NULL);
8630
8631 switch (cstate->linktype) {
8632
8633 case DLT_IEEE802_11:
8634 case DLT_PRISM_HEADER:
8635 case DLT_IEEE802_11_RADIO_AVS:
8636 case DLT_IEEE802_11_RADIO:
8637 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask);
8638 break;
8639
8640 default:
8641 bpf_error(cstate, "802.11 link-layer types supported only on 802.11");
8642 /*NOTREACHED*/
8643 }
8644
8645 return (b0);
8646 }
8647
8648 struct block *
gen_p80211_fcdir(compiler_state_t * cstate,bpf_u_int32 fcdir)8649 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir)
8650 {
8651 struct block *b0;
8652
8653 /*
8654 * Catch errors reported by us and routines below us, and return NULL
8655 * on an error.
8656 */
8657 if (setjmp(cstate->top_ctx))
8658 return (NULL);
8659
8660 switch (cstate->linktype) {
8661
8662 case DLT_IEEE802_11:
8663 case DLT_PRISM_HEADER:
8664 case DLT_IEEE802_11_RADIO_AVS:
8665 case DLT_IEEE802_11_RADIO:
8666 break;
8667
8668 default:
8669 bpf_error(cstate, "frame direction supported only with 802.11 headers");
8670 /*NOTREACHED*/
8671 }
8672
8673 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir,
8674 IEEE80211_FC1_DIR_MASK);
8675
8676 return (b0);
8677 }
8678
8679 struct block *
gen_acode(compiler_state_t * cstate,const char * s,struct qual q)8680 gen_acode(compiler_state_t *cstate, const char *s, struct qual q)
8681 {
8682 struct block *b;
8683
8684 /*
8685 * Catch errors reported by us and routines below us, and return NULL
8686 * on an error.
8687 */
8688 if (setjmp(cstate->top_ctx))
8689 return (NULL);
8690
8691 switch (cstate->linktype) {
8692
8693 case DLT_ARCNET:
8694 case DLT_ARCNET_LINUX:
8695 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
8696 q.proto == Q_LINK) {
8697 cstate->e = pcap_ether_aton(s);
8698 if (cstate->e == NULL)
8699 bpf_error(cstate, "malloc");
8700 b = gen_ahostop(cstate, cstate->e, (int)q.dir);
8701 free(cstate->e);
8702 cstate->e = NULL;
8703 return (b);
8704 } else
8705 bpf_error(cstate, "ARCnet address used in non-arc expression");
8706 /*NOTREACHED*/
8707
8708 default:
8709 bpf_error(cstate, "aid supported only on ARCnet");
8710 /*NOTREACHED*/
8711 }
8712 }
8713
8714 static struct block *
gen_ahostop(compiler_state_t * cstate,const u_char * eaddr,int dir)8715 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
8716 {
8717 register struct block *b0, *b1;
8718
8719 switch (dir) {
8720 /* src comes first, different from Ethernet */
8721 case Q_SRC:
8722 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr);
8723
8724 case Q_DST:
8725 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr);
8726
8727 case Q_AND:
8728 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8729 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8730 gen_and(b0, b1);
8731 return b1;
8732
8733 case Q_DEFAULT:
8734 case Q_OR:
8735 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8736 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8737 gen_or(b0, b1);
8738 return b1;
8739
8740 case Q_ADDR1:
8741 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
8742 /*NOTREACHED*/
8743
8744 case Q_ADDR2:
8745 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
8746 /*NOTREACHED*/
8747
8748 case Q_ADDR3:
8749 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
8750 /*NOTREACHED*/
8751
8752 case Q_ADDR4:
8753 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
8754 /*NOTREACHED*/
8755
8756 case Q_RA:
8757 bpf_error(cstate, "'ra' is only supported on 802.11");
8758 /*NOTREACHED*/
8759
8760 case Q_TA:
8761 bpf_error(cstate, "'ta' is only supported on 802.11");
8762 /*NOTREACHED*/
8763 }
8764 abort();
8765 /*NOTREACHED*/
8766 }
8767
8768 static struct block *
gen_vlan_tpid_test(compiler_state_t * cstate)8769 gen_vlan_tpid_test(compiler_state_t *cstate)
8770 {
8771 struct block *b0, *b1;
8772
8773 /* check for VLAN, including QinQ */
8774 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
8775 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
8776 gen_or(b0,b1);
8777 b0 = b1;
8778 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
8779 gen_or(b0,b1);
8780
8781 return b1;
8782 }
8783
8784 static struct block *
gen_vlan_vid_test(compiler_state_t * cstate,bpf_u_int32 vlan_num)8785 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num)
8786 {
8787 if (vlan_num > 0x0fff) {
8788 bpf_error(cstate, "VLAN tag %u greater than maximum %u",
8789 vlan_num, 0x0fff);
8790 }
8791 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff);
8792 }
8793
8794 static struct block *
gen_vlan_no_bpf_extensions(compiler_state_t * cstate,bpf_u_int32 vlan_num,int has_vlan_tag)8795 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8796 int has_vlan_tag)
8797 {
8798 struct block *b0, *b1;
8799
8800 b0 = gen_vlan_tpid_test(cstate);
8801
8802 if (has_vlan_tag) {
8803 b1 = gen_vlan_vid_test(cstate, vlan_num);
8804 gen_and(b0, b1);
8805 b0 = b1;
8806 }
8807
8808 /*
8809 * Both payload and link header type follow the VLAN tags so that
8810 * both need to be updated.
8811 */
8812 cstate->off_linkpl.constant_part += 4;
8813 cstate->off_linktype.constant_part += 4;
8814
8815 return b0;
8816 }
8817
8818 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8819 /* add v to variable part of off */
8820 static void
gen_vlan_vloffset_add(compiler_state_t * cstate,bpf_abs_offset * off,bpf_u_int32 v,struct slist * s)8821 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off,
8822 bpf_u_int32 v, struct slist *s)
8823 {
8824 struct slist *s2;
8825
8826 if (!off->is_variable)
8827 off->is_variable = 1;
8828 if (off->reg == -1)
8829 off->reg = alloc_reg(cstate);
8830
8831 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
8832 s2->s.k = off->reg;
8833 sappend(s, s2);
8834 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
8835 s2->s.k = v;
8836 sappend(s, s2);
8837 s2 = new_stmt(cstate, BPF_ST);
8838 s2->s.k = off->reg;
8839 sappend(s, s2);
8840 }
8841
8842 /*
8843 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
8844 * and link type offsets first
8845 */
8846 static void
gen_vlan_patch_tpid_test(compiler_state_t * cstate,struct block * b_tpid)8847 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
8848 {
8849 struct slist s;
8850
8851 /* offset determined at run time, shift variable part */
8852 s.next = NULL;
8853 cstate->is_vlan_vloffset = 1;
8854 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
8855 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
8856
8857 /* we get a pointer to a chain of or-ed blocks, patch first of them */
8858 sappend(s.next, b_tpid->head->stmts);
8859 b_tpid->head->stmts = s.next;
8860 }
8861
8862 /*
8863 * patch block b_vid (VLAN id test) to load VID value either from packet
8864 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
8865 */
8866 static void
gen_vlan_patch_vid_test(compiler_state_t * cstate,struct block * b_vid)8867 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
8868 {
8869 struct slist *s, *s2, *sjeq;
8870 unsigned cnt;
8871
8872 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8873 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8874
8875 /* true -> next instructions, false -> beginning of b_vid */
8876 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
8877 sjeq->s.k = 1;
8878 sjeq->s.jf = b_vid->stmts;
8879 sappend(s, sjeq);
8880
8881 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8882 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
8883 sappend(s, s2);
8884 sjeq->s.jt = s2;
8885
8886 /* Jump to the test in b_vid. We need to jump one instruction before
8887 * the end of the b_vid block so that we only skip loading the TCI
8888 * from packet data and not the 'and' instruction extractging VID.
8889 */
8890 cnt = 0;
8891 for (s2 = b_vid->stmts; s2; s2 = s2->next)
8892 cnt++;
8893 s2 = new_stmt(cstate, JMP(BPF_JA));
8894 s2->s.k = cnt - 1;
8895 sappend(s, s2);
8896
8897 /* insert our statements at the beginning of b_vid */
8898 sappend(s, b_vid->stmts);
8899 b_vid->stmts = s;
8900 }
8901
8902 /*
8903 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
8904 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
8905 * tag can be either in metadata or in packet data; therefore if the
8906 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
8907 * header for VLAN tag. As the decision is done at run time, we need
8908 * update variable part of the offsets
8909 */
8910 static struct block *
gen_vlan_bpf_extensions(compiler_state_t * cstate,bpf_u_int32 vlan_num,int has_vlan_tag)8911 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8912 int has_vlan_tag)
8913 {
8914 struct block *b0, *b_tpid, *b_vid = NULL;
8915 struct slist *s;
8916
8917 /* generate new filter code based on extracting packet
8918 * metadata */
8919 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8920 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8921
8922 b0 = new_block(cstate, JMP(BPF_JEQ));
8923 b0->stmts = s;
8924 b0->s.k = 1;
8925
8926 /*
8927 * This is tricky. We need to insert the statements updating variable
8928 * parts of offsets before the traditional TPID and VID tests so
8929 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
8930 * we do not want this update to affect those checks. That's why we
8931 * generate both test blocks first and insert the statements updating
8932 * variable parts of both offsets after that. This wouldn't work if
8933 * there already were variable length link header when entering this
8934 * function but gen_vlan_bpf_extensions() isn't called in that case.
8935 */
8936 b_tpid = gen_vlan_tpid_test(cstate);
8937 if (has_vlan_tag)
8938 b_vid = gen_vlan_vid_test(cstate, vlan_num);
8939
8940 gen_vlan_patch_tpid_test(cstate, b_tpid);
8941 gen_or(b0, b_tpid);
8942 b0 = b_tpid;
8943
8944 if (has_vlan_tag) {
8945 gen_vlan_patch_vid_test(cstate, b_vid);
8946 gen_and(b0, b_vid);
8947 b0 = b_vid;
8948 }
8949
8950 return b0;
8951 }
8952 #endif
8953
8954 /*
8955 * support IEEE 802.1Q VLAN trunk over ethernet
8956 */
8957 struct block *
gen_vlan(compiler_state_t * cstate,bpf_u_int32 vlan_num,int has_vlan_tag)8958 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
8959 {
8960 struct block *b0;
8961
8962 /*
8963 * Catch errors reported by us and routines below us, and return NULL
8964 * on an error.
8965 */
8966 if (setjmp(cstate->top_ctx))
8967 return (NULL);
8968
8969 /* can't check for VLAN-encapsulated packets inside MPLS */
8970 if (cstate->label_stack_depth > 0)
8971 bpf_error(cstate, "no VLAN match after MPLS");
8972
8973 /*
8974 * Check for a VLAN packet, and then change the offsets to point
8975 * to the type and data fields within the VLAN packet. Just
8976 * increment the offsets, so that we can support a hierarchy, e.g.
8977 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8978 * VLAN 100.
8979 *
8980 * XXX - this is a bit of a kludge. If we were to split the
8981 * compiler into a parser that parses an expression and
8982 * generates an expression tree, and a code generator that
8983 * takes an expression tree (which could come from our
8984 * parser or from some other parser) and generates BPF code,
8985 * we could perhaps make the offsets parameters of routines
8986 * and, in the handler for an "AND" node, pass to subnodes
8987 * other than the VLAN node the adjusted offsets.
8988 *
8989 * This would mean that "vlan" would, instead of changing the
8990 * behavior of *all* tests after it, change only the behavior
8991 * of tests ANDed with it. That would change the documented
8992 * semantics of "vlan", which might break some expressions.
8993 * However, it would mean that "(vlan and ip) or ip" would check
8994 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8995 * checking only for VLAN-encapsulated IP, so that could still
8996 * be considered worth doing; it wouldn't break expressions
8997 * that are of the form "vlan and ..." or "vlan N and ...",
8998 * which I suspect are the most common expressions involving
8999 * "vlan". "vlan or ..." doesn't necessarily do what the user
9000 * would really want, now, as all the "or ..." tests would
9001 * be done assuming a VLAN, even though the "or" could be viewed
9002 * as meaning "or, if this isn't a VLAN packet...".
9003 */
9004 switch (cstate->linktype) {
9005
9006 case DLT_EN10MB:
9007 case DLT_NETANALYZER:
9008 case DLT_NETANALYZER_TRANSPARENT:
9009 #if defined(SKF_AD_VLAN_TAG_PRESENT)
9010 /* Verify that this is the outer part of the packet and
9011 * not encapsulated somehow. */
9012 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
9013 cstate->off_linkhdr.constant_part ==
9014 cstate->off_outermostlinkhdr.constant_part) {
9015 /*
9016 * Do we need special VLAN handling?
9017 */
9018 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
9019 b0 = gen_vlan_bpf_extensions(cstate, vlan_num,
9020 has_vlan_tag);
9021 else
9022 b0 = gen_vlan_no_bpf_extensions(cstate,
9023 vlan_num, has_vlan_tag);
9024 } else
9025 #endif
9026 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num,
9027 has_vlan_tag);
9028 break;
9029
9030 case DLT_IEEE802_11:
9031 case DLT_PRISM_HEADER:
9032 case DLT_IEEE802_11_RADIO_AVS:
9033 case DLT_IEEE802_11_RADIO:
9034 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
9035 break;
9036
9037 default:
9038 bpf_error(cstate, "no VLAN support for %s",
9039 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9040 /*NOTREACHED*/
9041 }
9042
9043 cstate->vlan_stack_depth++;
9044
9045 return (b0);
9046 }
9047
9048 /*
9049 * support for MPLS
9050 *
9051 * The label_num_arg dance is to avoid annoying whining by compilers that
9052 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9053 * It's not *used* after setjmp returns.
9054 */
9055 struct block *
gen_mpls(compiler_state_t * cstate,bpf_u_int32 label_num_arg,int has_label_num)9056 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num_arg,
9057 int has_label_num)
9058 {
9059 volatile bpf_u_int32 label_num = label_num_arg;
9060 struct block *b0, *b1;
9061
9062 /*
9063 * Catch errors reported by us and routines below us, and return NULL
9064 * on an error.
9065 */
9066 if (setjmp(cstate->top_ctx))
9067 return (NULL);
9068
9069 if (cstate->label_stack_depth > 0) {
9070 /* just match the bottom-of-stack bit clear */
9071 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
9072 } else {
9073 /*
9074 * We're not in an MPLS stack yet, so check the link-layer
9075 * type against MPLS.
9076 */
9077 switch (cstate->linktype) {
9078
9079 case DLT_C_HDLC: /* fall through */
9080 case DLT_EN10MB:
9081 case DLT_NETANALYZER:
9082 case DLT_NETANALYZER_TRANSPARENT:
9083 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
9084 break;
9085
9086 case DLT_PPP:
9087 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
9088 break;
9089
9090 /* FIXME add other DLT_s ...
9091 * for Frame-Relay/and ATM this may get messy due to SNAP headers
9092 * leave it for now */
9093
9094 default:
9095 bpf_error(cstate, "no MPLS support for %s",
9096 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9097 /*NOTREACHED*/
9098 }
9099 }
9100
9101 /* If a specific MPLS label is requested, check it */
9102 if (has_label_num) {
9103 if (label_num > 0xFFFFF) {
9104 bpf_error(cstate, "MPLS label %u greater than maximum %u",
9105 label_num, 0xFFFFF);
9106 }
9107 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
9108 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num,
9109 0xfffff000); /* only compare the first 20 bits */
9110 gen_and(b0, b1);
9111 b0 = b1;
9112 }
9113
9114 /*
9115 * Change the offsets to point to the type and data fields within
9116 * the MPLS packet. Just increment the offsets, so that we
9117 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
9118 * capture packets with an outer label of 100000 and an inner
9119 * label of 1024.
9120 *
9121 * Increment the MPLS stack depth as well; this indicates that
9122 * we're checking MPLS-encapsulated headers, to make sure higher
9123 * level code generators don't try to match against IP-related
9124 * protocols such as Q_ARP, Q_RARP etc.
9125 *
9126 * XXX - this is a bit of a kludge. See comments in gen_vlan().
9127 */
9128 cstate->off_nl_nosnap += 4;
9129 cstate->off_nl += 4;
9130 cstate->label_stack_depth++;
9131 return (b0);
9132 }
9133
9134 /*
9135 * Support PPPOE discovery and session.
9136 */
9137 struct block *
gen_pppoed(compiler_state_t * cstate)9138 gen_pppoed(compiler_state_t *cstate)
9139 {
9140 /*
9141 * Catch errors reported by us and routines below us, and return NULL
9142 * on an error.
9143 */
9144 if (setjmp(cstate->top_ctx))
9145 return (NULL);
9146
9147 /* check for PPPoE discovery */
9148 return gen_linktype(cstate, ETHERTYPE_PPPOED);
9149 }
9150
9151 struct block *
gen_pppoes(compiler_state_t * cstate,bpf_u_int32 sess_num,int has_sess_num)9152 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num)
9153 {
9154 struct block *b0, *b1;
9155
9156 /*
9157 * Catch errors reported by us and routines below us, and return NULL
9158 * on an error.
9159 */
9160 if (setjmp(cstate->top_ctx))
9161 return (NULL);
9162
9163 /*
9164 * Test against the PPPoE session link-layer type.
9165 */
9166 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES);
9167
9168 /* If a specific session is requested, check PPPoE session id */
9169 if (has_sess_num) {
9170 if (sess_num > 0x0000ffff) {
9171 bpf_error(cstate, "PPPoE session number %u greater than maximum %u",
9172 sess_num, 0x0000ffff);
9173 }
9174 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, sess_num, 0x0000ffff);
9175 gen_and(b0, b1);
9176 b0 = b1;
9177 }
9178
9179 /*
9180 * Change the offsets to point to the type and data fields within
9181 * the PPP packet, and note that this is PPPoE rather than
9182 * raw PPP.
9183 *
9184 * XXX - this is a bit of a kludge. See the comments in
9185 * gen_vlan().
9186 *
9187 * The "network-layer" protocol is PPPoE, which has a 6-byte
9188 * PPPoE header, followed by a PPP packet.
9189 *
9190 * There is no HDLC encapsulation for the PPP packet (it's
9191 * encapsulated in PPPoES instead), so the link-layer type
9192 * starts at the first byte of the PPP packet. For PPPoE,
9193 * that offset is relative to the beginning of the total
9194 * link-layer payload, including any 802.2 LLC header, so
9195 * it's 6 bytes past cstate->off_nl.
9196 */
9197 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
9198 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
9199 cstate->off_linkpl.reg);
9200
9201 cstate->off_linktype = cstate->off_linkhdr;
9202 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
9203
9204 cstate->off_nl = 0;
9205 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
9206
9207 return b0;
9208 }
9209
9210 /* Check that this is Geneve and the VNI is correct if
9211 * specified. Parameterized to handle both IPv4 and IPv6. */
9212 static struct block *
gen_geneve_check(compiler_state_t * cstate,struct block * (* gen_portfn)(compiler_state_t *,u_int,int,int),enum e_offrel offrel,bpf_u_int32 vni,int has_vni)9213 gen_geneve_check(compiler_state_t *cstate,
9214 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int),
9215 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9216 {
9217 struct block *b0, *b1;
9218
9219 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
9220
9221 /* Check that we are operating on version 0. Otherwise, we
9222 * can't decode the rest of the fields. The version is 2 bits
9223 * in the first byte of the Geneve header. */
9224 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0);
9225 gen_and(b0, b1);
9226 b0 = b1;
9227
9228 if (has_vni) {
9229 if (vni > 0xffffff) {
9230 bpf_error(cstate, "Geneve VNI %u greater than maximum %u",
9231 vni, 0xffffff);
9232 }
9233 vni <<= 8; /* VNI is in the upper 3 bytes */
9234 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9235 gen_and(b0, b1);
9236 b0 = b1;
9237 }
9238
9239 return b0;
9240 }
9241
9242 /* The IPv4 and IPv6 Geneve checks need to do two things:
9243 * - Verify that this actually is Geneve with the right VNI.
9244 * - Place the IP header length (plus variable link prefix if
9245 * needed) into register A to be used later to compute
9246 * the inner packet offsets. */
9247 static struct block *
gen_geneve4(compiler_state_t * cstate,bpf_u_int32 vni,int has_vni)9248 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9249 {
9250 struct block *b0, *b1;
9251 struct slist *s, *s1;
9252
9253 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9254
9255 /* Load the IP header length into A. */
9256 s = gen_loadx_iphdrlen(cstate);
9257
9258 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9259 sappend(s, s1);
9260
9261 /* Forcibly append these statements to the true condition
9262 * of the protocol check by creating a new block that is
9263 * always true and ANDing them. */
9264 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9265 b1->stmts = s;
9266 b1->s.k = 0;
9267
9268 gen_and(b0, b1);
9269
9270 return b1;
9271 }
9272
9273 static struct block *
gen_geneve6(compiler_state_t * cstate,bpf_u_int32 vni,int has_vni)9274 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9275 {
9276 struct block *b0, *b1;
9277 struct slist *s, *s1;
9278
9279 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9280
9281 /* Load the IP header length. We need to account for a
9282 * variable length link prefix if there is one. */
9283 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9284 if (s) {
9285 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9286 s1->s.k = 40;
9287 sappend(s, s1);
9288
9289 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9290 s1->s.k = 0;
9291 sappend(s, s1);
9292 } else {
9293 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9294 s->s.k = 40;
9295 }
9296
9297 /* Forcibly append these statements to the true condition
9298 * of the protocol check by creating a new block that is
9299 * always true and ANDing them. */
9300 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9301 sappend(s, s1);
9302
9303 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9304 b1->stmts = s;
9305 b1->s.k = 0;
9306
9307 gen_and(b0, b1);
9308
9309 return b1;
9310 }
9311
9312 /* We need to store three values based on the Geneve header::
9313 * - The offset of the linktype.
9314 * - The offset of the end of the Geneve header.
9315 * - The offset of the end of the encapsulated MAC header. */
9316 static struct slist *
gen_geneve_offsets(compiler_state_t * cstate)9317 gen_geneve_offsets(compiler_state_t *cstate)
9318 {
9319 struct slist *s, *s1, *s_proto;
9320
9321 /* First we need to calculate the offset of the Geneve header
9322 * itself. This is composed of the IP header previously calculated
9323 * (include any variable link prefix) and stored in A plus the
9324 * fixed sized headers (fixed link prefix, MAC length, and UDP
9325 * header). */
9326 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9327 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9328
9329 /* Stash this in X since we'll need it later. */
9330 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9331 sappend(s, s1);
9332
9333 /* The EtherType in Geneve is 2 bytes in. Calculate this and
9334 * store it. */
9335 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9336 s1->s.k = 2;
9337 sappend(s, s1);
9338
9339 cstate->off_linktype.reg = alloc_reg(cstate);
9340 cstate->off_linktype.is_variable = 1;
9341 cstate->off_linktype.constant_part = 0;
9342
9343 s1 = new_stmt(cstate, BPF_ST);
9344 s1->s.k = cstate->off_linktype.reg;
9345 sappend(s, s1);
9346
9347 /* Load the Geneve option length and mask and shift to get the
9348 * number of bytes. It is stored in the first byte of the Geneve
9349 * header. */
9350 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
9351 s1->s.k = 0;
9352 sappend(s, s1);
9353
9354 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
9355 s1->s.k = 0x3f;
9356 sappend(s, s1);
9357
9358 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
9359 s1->s.k = 4;
9360 sappend(s, s1);
9361
9362 /* Add in the rest of the Geneve base header. */
9363 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9364 s1->s.k = 8;
9365 sappend(s, s1);
9366
9367 /* Add the Geneve header length to its offset and store. */
9368 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9369 s1->s.k = 0;
9370 sappend(s, s1);
9371
9372 /* Set the encapsulated type as Ethernet. Even though we may
9373 * not actually have Ethernet inside there are two reasons this
9374 * is useful:
9375 * - The linktype field is always in EtherType format regardless
9376 * of whether it is in Geneve or an inner Ethernet frame.
9377 * - The only link layer that we have specific support for is
9378 * Ethernet. We will confirm that the packet actually is
9379 * Ethernet at runtime before executing these checks. */
9380 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9381
9382 s1 = new_stmt(cstate, BPF_ST);
9383 s1->s.k = cstate->off_linkhdr.reg;
9384 sappend(s, s1);
9385
9386 /* Calculate whether we have an Ethernet header or just raw IP/
9387 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
9388 * and linktype by 14 bytes so that the network header can be found
9389 * seamlessly. Otherwise, keep what we've calculated already. */
9390
9391 /* We have a bare jmp so we can't use the optimizer. */
9392 cstate->no_optimize = 1;
9393
9394 /* Load the EtherType in the Geneve header, 2 bytes in. */
9395 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
9396 s1->s.k = 2;
9397 sappend(s, s1);
9398
9399 /* Load X with the end of the Geneve header. */
9400 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9401 s1->s.k = cstate->off_linkhdr.reg;
9402 sappend(s, s1);
9403
9404 /* Check if the EtherType is Transparent Ethernet Bridging. At the
9405 * end of this check, we should have the total length in X. In
9406 * the non-Ethernet case, it's already there. */
9407 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
9408 s_proto->s.k = ETHERTYPE_TEB;
9409 sappend(s, s_proto);
9410
9411 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9412 sappend(s, s1);
9413 s_proto->s.jt = s1;
9414
9415 /* Since this is Ethernet, use the EtherType of the payload
9416 * directly as the linktype. Overwrite what we already have. */
9417 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9418 s1->s.k = 12;
9419 sappend(s, s1);
9420
9421 s1 = new_stmt(cstate, BPF_ST);
9422 s1->s.k = cstate->off_linktype.reg;
9423 sappend(s, s1);
9424
9425 /* Advance two bytes further to get the end of the Ethernet
9426 * header. */
9427 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9428 s1->s.k = 2;
9429 sappend(s, s1);
9430
9431 /* Move the result to X. */
9432 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9433 sappend(s, s1);
9434
9435 /* Store the final result of our linkpl calculation. */
9436 cstate->off_linkpl.reg = alloc_reg(cstate);
9437 cstate->off_linkpl.is_variable = 1;
9438 cstate->off_linkpl.constant_part = 0;
9439
9440 s1 = new_stmt(cstate, BPF_STX);
9441 s1->s.k = cstate->off_linkpl.reg;
9442 sappend(s, s1);
9443 s_proto->s.jf = s1;
9444
9445 cstate->off_nl = 0;
9446
9447 return s;
9448 }
9449
9450 /* Check to see if this is a Geneve packet. */
9451 struct block *
gen_geneve(compiler_state_t * cstate,bpf_u_int32 vni,int has_vni)9452 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9453 {
9454 struct block *b0, *b1;
9455 struct slist *s;
9456
9457 /*
9458 * Catch errors reported by us and routines below us, and return NULL
9459 * on an error.
9460 */
9461 if (setjmp(cstate->top_ctx))
9462 return (NULL);
9463
9464 b0 = gen_geneve4(cstate, vni, has_vni);
9465 b1 = gen_geneve6(cstate, vni, has_vni);
9466
9467 gen_or(b0, b1);
9468 b0 = b1;
9469
9470 /* Later filters should act on the payload of the Geneve frame,
9471 * update all of the header pointers. Attach this code so that
9472 * it gets executed in the event that the Geneve filter matches. */
9473 s = gen_geneve_offsets(cstate);
9474
9475 b1 = gen_true(cstate);
9476 sappend(s, b1->stmts);
9477 b1->stmts = s;
9478
9479 gen_and(b0, b1);
9480
9481 cstate->is_geneve = 1;
9482
9483 return b1;
9484 }
9485
9486 /* Check that the encapsulated frame has a link layer header
9487 * for Ethernet filters. */
9488 static struct block *
gen_geneve_ll_check(compiler_state_t * cstate)9489 gen_geneve_ll_check(compiler_state_t *cstate)
9490 {
9491 struct block *b0;
9492 struct slist *s, *s1;
9493
9494 /* The easiest way to see if there is a link layer present
9495 * is to check if the link layer header and payload are not
9496 * the same. */
9497
9498 /* Geneve always generates pure variable offsets so we can
9499 * compare only the registers. */
9500 s = new_stmt(cstate, BPF_LD|BPF_MEM);
9501 s->s.k = cstate->off_linkhdr.reg;
9502
9503 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9504 s1->s.k = cstate->off_linkpl.reg;
9505 sappend(s, s1);
9506
9507 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9508 b0->stmts = s;
9509 b0->s.k = 0;
9510 gen_not(b0);
9511
9512 return b0;
9513 }
9514
9515 static struct block *
gen_atmfield_code_internal(compiler_state_t * cstate,int atmfield,bpf_u_int32 jvalue,int jtype,int reverse)9516 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield,
9517 bpf_u_int32 jvalue, int jtype, int reverse)
9518 {
9519 struct block *b0;
9520
9521 switch (atmfield) {
9522
9523 case A_VPI:
9524 if (!cstate->is_atm)
9525 bpf_error(cstate, "'vpi' supported only on raw ATM");
9526 if (cstate->off_vpi == OFFSET_NOT_SET)
9527 abort();
9528 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B,
9529 0xffffffffU, jtype, reverse, jvalue);
9530 break;
9531
9532 case A_VCI:
9533 if (!cstate->is_atm)
9534 bpf_error(cstate, "'vci' supported only on raw ATM");
9535 if (cstate->off_vci == OFFSET_NOT_SET)
9536 abort();
9537 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H,
9538 0xffffffffU, jtype, reverse, jvalue);
9539 break;
9540
9541 case A_PROTOTYPE:
9542 if (cstate->off_proto == OFFSET_NOT_SET)
9543 abort(); /* XXX - this isn't on FreeBSD */
9544 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9545 0x0fU, jtype, reverse, jvalue);
9546 break;
9547
9548 case A_MSGTYPE:
9549 if (cstate->off_payload == OFFSET_NOT_SET)
9550 abort();
9551 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
9552 0xffffffffU, jtype, reverse, jvalue);
9553 break;
9554
9555 case A_CALLREFTYPE:
9556 if (!cstate->is_atm)
9557 bpf_error(cstate, "'callref' supported only on raw ATM");
9558 if (cstate->off_proto == OFFSET_NOT_SET)
9559 abort();
9560 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9561 0xffffffffU, jtype, reverse, jvalue);
9562 break;
9563
9564 default:
9565 abort();
9566 }
9567 return b0;
9568 }
9569
9570 static struct block *
gen_atmtype_metac(compiler_state_t * cstate)9571 gen_atmtype_metac(compiler_state_t *cstate)
9572 {
9573 struct block *b0, *b1;
9574
9575 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9576 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0);
9577 gen_and(b0, b1);
9578 return b1;
9579 }
9580
9581 static struct block *
gen_atmtype_sc(compiler_state_t * cstate)9582 gen_atmtype_sc(compiler_state_t *cstate)
9583 {
9584 struct block *b0, *b1;
9585
9586 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9587 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0);
9588 gen_and(b0, b1);
9589 return b1;
9590 }
9591
9592 static struct block *
gen_atmtype_llc(compiler_state_t * cstate)9593 gen_atmtype_llc(compiler_state_t *cstate)
9594 {
9595 struct block *b0;
9596
9597 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
9598 cstate->linktype = cstate->prevlinktype;
9599 return b0;
9600 }
9601
9602 struct block *
gen_atmfield_code(compiler_state_t * cstate,int atmfield,bpf_u_int32 jvalue,int jtype,int reverse)9603 gen_atmfield_code(compiler_state_t *cstate, int atmfield,
9604 bpf_u_int32 jvalue, int jtype, int reverse)
9605 {
9606 /*
9607 * Catch errors reported by us and routines below us, and return NULL
9608 * on an error.
9609 */
9610 if (setjmp(cstate->top_ctx))
9611 return (NULL);
9612
9613 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype,
9614 reverse);
9615 }
9616
9617 struct block *
gen_atmtype_abbrev(compiler_state_t * cstate,int type)9618 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
9619 {
9620 struct block *b0, *b1;
9621
9622 /*
9623 * Catch errors reported by us and routines below us, and return NULL
9624 * on an error.
9625 */
9626 if (setjmp(cstate->top_ctx))
9627 return (NULL);
9628
9629 switch (type) {
9630
9631 case A_METAC:
9632 /* Get all packets in Meta signalling Circuit */
9633 if (!cstate->is_atm)
9634 bpf_error(cstate, "'metac' supported only on raw ATM");
9635 b1 = gen_atmtype_metac(cstate);
9636 break;
9637
9638 case A_BCC:
9639 /* Get all packets in Broadcast Circuit*/
9640 if (!cstate->is_atm)
9641 bpf_error(cstate, "'bcc' supported only on raw ATM");
9642 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9643 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0);
9644 gen_and(b0, b1);
9645 break;
9646
9647 case A_OAMF4SC:
9648 /* Get all cells in Segment OAM F4 circuit*/
9649 if (!cstate->is_atm)
9650 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
9651 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9652 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9653 gen_and(b0, b1);
9654 break;
9655
9656 case A_OAMF4EC:
9657 /* Get all cells in End-to-End OAM F4 Circuit*/
9658 if (!cstate->is_atm)
9659 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
9660 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9661 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9662 gen_and(b0, b1);
9663 break;
9664
9665 case A_SC:
9666 /* Get all packets in connection Signalling Circuit */
9667 if (!cstate->is_atm)
9668 bpf_error(cstate, "'sc' supported only on raw ATM");
9669 b1 = gen_atmtype_sc(cstate);
9670 break;
9671
9672 case A_ILMIC:
9673 /* Get all packets in ILMI Circuit */
9674 if (!cstate->is_atm)
9675 bpf_error(cstate, "'ilmic' supported only on raw ATM");
9676 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9677 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0);
9678 gen_and(b0, b1);
9679 break;
9680
9681 case A_LANE:
9682 /* Get all LANE packets */
9683 if (!cstate->is_atm)
9684 bpf_error(cstate, "'lane' supported only on raw ATM");
9685 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
9686
9687 /*
9688 * Arrange that all subsequent tests assume LANE
9689 * rather than LLC-encapsulated packets, and set
9690 * the offsets appropriately for LANE-encapsulated
9691 * Ethernet.
9692 *
9693 * We assume LANE means Ethernet, not Token Ring.
9694 */
9695 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
9696 cstate->off_payload + 2, /* Ethernet header */
9697 -1);
9698 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
9699 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
9700 cstate->off_nl = 0; /* Ethernet II */
9701 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
9702 break;
9703
9704 case A_LLC:
9705 /* Get all LLC-encapsulated packets */
9706 if (!cstate->is_atm)
9707 bpf_error(cstate, "'llc' supported only on raw ATM");
9708 b1 = gen_atmtype_llc(cstate);
9709 break;
9710
9711 default:
9712 abort();
9713 }
9714 return b1;
9715 }
9716
9717 /*
9718 * Filtering for MTP2 messages based on li value
9719 * FISU, length is null
9720 * LSSU, length is 1 or 2
9721 * MSU, length is 3 or more
9722 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
9723 */
9724 struct block *
gen_mtp2type_abbrev(compiler_state_t * cstate,int type)9725 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
9726 {
9727 struct block *b0, *b1;
9728
9729 /*
9730 * Catch errors reported by us and routines below us, and return NULL
9731 * on an error.
9732 */
9733 if (setjmp(cstate->top_ctx))
9734 return (NULL);
9735
9736 switch (type) {
9737
9738 case M_FISU:
9739 if ( (cstate->linktype != DLT_MTP2) &&
9740 (cstate->linktype != DLT_ERF) &&
9741 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9742 bpf_error(cstate, "'fisu' supported only on MTP2");
9743 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9744 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9745 0x3fU, BPF_JEQ, 0, 0U);
9746 break;
9747
9748 case M_LSSU:
9749 if ( (cstate->linktype != DLT_MTP2) &&
9750 (cstate->linktype != DLT_ERF) &&
9751 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9752 bpf_error(cstate, "'lssu' supported only on MTP2");
9753 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9754 0x3fU, BPF_JGT, 1, 2U);
9755 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9756 0x3fU, BPF_JGT, 0, 0U);
9757 gen_and(b1, b0);
9758 break;
9759
9760 case M_MSU:
9761 if ( (cstate->linktype != DLT_MTP2) &&
9762 (cstate->linktype != DLT_ERF) &&
9763 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9764 bpf_error(cstate, "'msu' supported only on MTP2");
9765 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9766 0x3fU, BPF_JGT, 0, 2U);
9767 break;
9768
9769 case MH_FISU:
9770 if ( (cstate->linktype != DLT_MTP2) &&
9771 (cstate->linktype != DLT_ERF) &&
9772 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9773 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
9774 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9775 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9776 0xff80U, BPF_JEQ, 0, 0U);
9777 break;
9778
9779 case MH_LSSU:
9780 if ( (cstate->linktype != DLT_MTP2) &&
9781 (cstate->linktype != DLT_ERF) &&
9782 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9783 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
9784 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9785 0xff80U, BPF_JGT, 1, 0x0100U);
9786 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9787 0xff80U, BPF_JGT, 0, 0U);
9788 gen_and(b1, b0);
9789 break;
9790
9791 case MH_MSU:
9792 if ( (cstate->linktype != DLT_MTP2) &&
9793 (cstate->linktype != DLT_ERF) &&
9794 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9795 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
9796 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9797 0xff80U, BPF_JGT, 0, 0x0100U);
9798 break;
9799
9800 default:
9801 abort();
9802 }
9803 return b0;
9804 }
9805
9806 /*
9807 * The jvalue_arg dance is to avoid annoying whining by compilers that
9808 * jvalue might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9809 * It's not *used* after setjmp returns.
9810 */
9811 struct block *
gen_mtp3field_code(compiler_state_t * cstate,int mtp3field,bpf_u_int32 jvalue_arg,int jtype,int reverse)9812 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field,
9813 bpf_u_int32 jvalue_arg, int jtype, int reverse)
9814 {
9815 volatile bpf_u_int32 jvalue = jvalue_arg;
9816 struct block *b0;
9817 bpf_u_int32 val1 , val2 , val3;
9818 u_int newoff_sio;
9819 u_int newoff_opc;
9820 u_int newoff_dpc;
9821 u_int newoff_sls;
9822
9823 /*
9824 * Catch errors reported by us and routines below us, and return NULL
9825 * on an error.
9826 */
9827 if (setjmp(cstate->top_ctx))
9828 return (NULL);
9829
9830 newoff_sio = cstate->off_sio;
9831 newoff_opc = cstate->off_opc;
9832 newoff_dpc = cstate->off_dpc;
9833 newoff_sls = cstate->off_sls;
9834 switch (mtp3field) {
9835
9836 case MH_SIO:
9837 newoff_sio += 3; /* offset for MTP2_HSL */
9838 /* FALLTHROUGH */
9839
9840 case M_SIO:
9841 if (cstate->off_sio == OFFSET_NOT_SET)
9842 bpf_error(cstate, "'sio' supported only on SS7");
9843 /* sio coded on 1 byte so max value 255 */
9844 if(jvalue > 255)
9845 bpf_error(cstate, "sio value %u too big; max value = 255",
9846 jvalue);
9847 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffffU,
9848 jtype, reverse, jvalue);
9849 break;
9850
9851 case MH_OPC:
9852 newoff_opc += 3;
9853
9854 /* FALLTHROUGH */
9855 case M_OPC:
9856 if (cstate->off_opc == OFFSET_NOT_SET)
9857 bpf_error(cstate, "'opc' supported only on SS7");
9858 /* opc coded on 14 bits so max value 16383 */
9859 if (jvalue > 16383)
9860 bpf_error(cstate, "opc value %u too big; max value = 16383",
9861 jvalue);
9862 /* the following instructions are made to convert jvalue
9863 * to the form used to write opc in an ss7 message*/
9864 val1 = jvalue & 0x00003c00;
9865 val1 = val1 >>10;
9866 val2 = jvalue & 0x000003fc;
9867 val2 = val2 <<6;
9868 val3 = jvalue & 0x00000003;
9869 val3 = val3 <<22;
9870 jvalue = val1 + val2 + val3;
9871 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0fU,
9872 jtype, reverse, jvalue);
9873 break;
9874
9875 case MH_DPC:
9876 newoff_dpc += 3;
9877 /* FALLTHROUGH */
9878
9879 case M_DPC:
9880 if (cstate->off_dpc == OFFSET_NOT_SET)
9881 bpf_error(cstate, "'dpc' supported only on SS7");
9882 /* dpc coded on 14 bits so max value 16383 */
9883 if (jvalue > 16383)
9884 bpf_error(cstate, "dpc value %u too big; max value = 16383",
9885 jvalue);
9886 /* the following instructions are made to convert jvalue
9887 * to the forme used to write dpc in an ss7 message*/
9888 val1 = jvalue & 0x000000ff;
9889 val1 = val1 << 24;
9890 val2 = jvalue & 0x00003f00;
9891 val2 = val2 << 8;
9892 jvalue = val1 + val2;
9893 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000U,
9894 jtype, reverse, jvalue);
9895 break;
9896
9897 case MH_SLS:
9898 newoff_sls += 3;
9899 /* FALLTHROUGH */
9900
9901 case M_SLS:
9902 if (cstate->off_sls == OFFSET_NOT_SET)
9903 bpf_error(cstate, "'sls' supported only on SS7");
9904 /* sls coded on 4 bits so max value 15 */
9905 if (jvalue > 15)
9906 bpf_error(cstate, "sls value %u too big; max value = 15",
9907 jvalue);
9908 /* the following instruction is made to convert jvalue
9909 * to the forme used to write sls in an ss7 message*/
9910 jvalue = jvalue << 4;
9911 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0U,
9912 jtype, reverse, jvalue);
9913 break;
9914
9915 default:
9916 abort();
9917 }
9918 return b0;
9919 }
9920
9921 static struct block *
gen_msg_abbrev(compiler_state_t * cstate,int type)9922 gen_msg_abbrev(compiler_state_t *cstate, int type)
9923 {
9924 struct block *b1;
9925
9926 /*
9927 * Q.2931 signalling protocol messages for handling virtual circuits
9928 * establishment and teardown
9929 */
9930 switch (type) {
9931
9932 case A_SETUP:
9933 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
9934 break;
9935
9936 case A_CALLPROCEED:
9937 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
9938 break;
9939
9940 case A_CONNECT:
9941 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
9942 break;
9943
9944 case A_CONNECTACK:
9945 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
9946 break;
9947
9948 case A_RELEASE:
9949 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
9950 break;
9951
9952 case A_RELEASE_DONE:
9953 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
9954 break;
9955
9956 default:
9957 abort();
9958 }
9959 return b1;
9960 }
9961
9962 struct block *
gen_atmmulti_abbrev(compiler_state_t * cstate,int type)9963 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
9964 {
9965 struct block *b0, *b1;
9966
9967 /*
9968 * Catch errors reported by us and routines below us, and return NULL
9969 * on an error.
9970 */
9971 if (setjmp(cstate->top_ctx))
9972 return (NULL);
9973
9974 switch (type) {
9975
9976 case A_OAM:
9977 if (!cstate->is_atm)
9978 bpf_error(cstate, "'oam' supported only on raw ATM");
9979 /* OAM F4 type */
9980 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9981 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9982 gen_or(b0, b1);
9983 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9984 gen_and(b0, b1);
9985 break;
9986
9987 case A_OAMF4:
9988 if (!cstate->is_atm)
9989 bpf_error(cstate, "'oamf4' supported only on raw ATM");
9990 /* OAM F4 type */
9991 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9992 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9993 gen_or(b0, b1);
9994 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9995 gen_and(b0, b1);
9996 break;
9997
9998 case A_CONNECTMSG:
9999 /*
10000 * Get Q.2931 signalling messages for switched
10001 * virtual connection
10002 */
10003 if (!cstate->is_atm)
10004 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
10005 b0 = gen_msg_abbrev(cstate, A_SETUP);
10006 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10007 gen_or(b0, b1);
10008 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10009 gen_or(b0, b1);
10010 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
10011 gen_or(b0, b1);
10012 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10013 gen_or(b0, b1);
10014 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10015 gen_or(b0, b1);
10016 b0 = gen_atmtype_sc(cstate);
10017 gen_and(b0, b1);
10018 break;
10019
10020 case A_METACONNECT:
10021 if (!cstate->is_atm)
10022 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
10023 b0 = gen_msg_abbrev(cstate, A_SETUP);
10024 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10025 gen_or(b0, b1);
10026 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10027 gen_or(b0, b1);
10028 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10029 gen_or(b0, b1);
10030 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10031 gen_or(b0, b1);
10032 b0 = gen_atmtype_metac(cstate);
10033 gen_and(b0, b1);
10034 break;
10035
10036 default:
10037 abort();
10038 }
10039 return b1;
10040 }
10041