1 /*
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 #include <config.h>
23
24 #ifdef _WIN32
25 #include <ws2tcpip.h>
26 #else
27 #include <netinet/in.h>
28 #endif /* _WIN32 */
29
30 #include <stdlib.h>
31 #include <string.h>
32 #include <memory.h>
33 #include <setjmp.h>
34 #include <stdarg.h>
35 #include <stdio.h>
36
37 #ifdef MSDOS
38 #include "pcap-dos.h"
39 #endif
40
41 #include "pcap-int.h"
42
43 #include "extract.h"
44
45 #include "ethertype.h"
46 #include "nlpid.h"
47 #include "llc.h"
48 #include "gencode.h"
49 #include "ieee80211.h"
50 #include "atmuni31.h"
51 #include "sunatmpos.h"
52 #include "pflog.h"
53 #include "ppp.h"
54 #include "pcap/sll.h"
55 #include "pcap/ipnet.h"
56 #include "arcnet.h"
57 #include "diag-control.h"
58
59 #include "scanner.h"
60
61 #if defined(__linux__)
62 #include <linux/types.h>
63 #include <linux/if_packet.h>
64 #include <linux/filter.h>
65 #endif
66
67 #ifndef offsetof
68 #define offsetof(s, e) ((size_t)&((s *)0)->e)
69 #endif
70
71 #ifdef _WIN32
72 #ifdef HAVE_NPCAP_BPF_H
73 /* Defines BPF extensions for Npcap */
74 #include <npcap-bpf.h>
75 #endif
76 #ifdef INET6
77 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
78 /* IPv6 address */
79 struct in6_addr
80 {
81 union
82 {
83 uint8_t u6_addr8[16];
84 uint16_t u6_addr16[8];
85 uint32_t u6_addr32[4];
86 } in6_u;
87 #define s6_addr in6_u.u6_addr8
88 #define s6_addr16 in6_u.u6_addr16
89 #define s6_addr32 in6_u.u6_addr32
90 #define s6_addr64 in6_u.u6_addr64
91 };
92
93 typedef unsigned short sa_family_t;
94
95 #define __SOCKADDR_COMMON(sa_prefix) \
96 sa_family_t sa_prefix##family
97
98 /* Ditto, for IPv6. */
99 struct sockaddr_in6
100 {
101 __SOCKADDR_COMMON (sin6_);
102 uint16_t sin6_port; /* Transport layer port # */
103 uint32_t sin6_flowinfo; /* IPv6 flow information */
104 struct in6_addr sin6_addr; /* IPv6 address */
105 };
106
107 #ifndef EAI_ADDRFAMILY
108 struct addrinfo {
109 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
110 int ai_family; /* PF_xxx */
111 int ai_socktype; /* SOCK_xxx */
112 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
113 size_t ai_addrlen; /* length of ai_addr */
114 char *ai_canonname; /* canonical name for hostname */
115 struct sockaddr *ai_addr; /* binary address */
116 struct addrinfo *ai_next; /* next structure in linked list */
117 };
118 #endif /* EAI_ADDRFAMILY */
119 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
120 #endif /* INET6 */
121 #else /* _WIN32 */
122 #include <netdb.h> /* for "struct addrinfo" */
123 #endif /* _WIN32 */
124 #include <pcap/namedb.h>
125
126 #include "nametoaddr.h"
127
128 #define ETHERMTU 1500
129
130 #ifndef IPPROTO_HOPOPTS
131 #define IPPROTO_HOPOPTS 0
132 #endif
133 #ifndef IPPROTO_ROUTING
134 #define IPPROTO_ROUTING 43
135 #endif
136 #ifndef IPPROTO_FRAGMENT
137 #define IPPROTO_FRAGMENT 44
138 #endif
139 #ifndef IPPROTO_DSTOPTS
140 #define IPPROTO_DSTOPTS 60
141 #endif
142 #ifndef IPPROTO_SCTP
143 #define IPPROTO_SCTP 132
144 #endif
145
146 #define GENEVE_PORT 6081
147
148 #ifdef HAVE_OS_PROTO_H
149 #include "os-proto.h"
150 #endif
151
152 #define JMP(c) ((c)|BPF_JMP|BPF_K)
153
154 /*
155 * "Push" the current value of the link-layer header type and link-layer
156 * header offset onto a "stack", and set a new value. (It's not a
157 * full-blown stack; we keep only the top two items.)
158 */
159 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
160 { \
161 (cs)->prevlinktype = (cs)->linktype; \
162 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
163 (cs)->linktype = (new_linktype); \
164 (cs)->off_linkhdr.is_variable = (new_is_variable); \
165 (cs)->off_linkhdr.constant_part = (new_constant_part); \
166 (cs)->off_linkhdr.reg = (new_reg); \
167 (cs)->is_geneve = 0; \
168 }
169
170 /*
171 * Offset "not set" value.
172 */
173 #define OFFSET_NOT_SET 0xffffffffU
174
175 /*
176 * Absolute offsets, which are offsets from the beginning of the raw
177 * packet data, are, in the general case, the sum of a variable value
178 * and a constant value; the variable value may be absent, in which
179 * case the offset is only the constant value, and the constant value
180 * may be zero, in which case the offset is only the variable value.
181 *
182 * bpf_abs_offset is a structure containing all that information:
183 *
184 * is_variable is 1 if there's a variable part.
185 *
186 * constant_part is the constant part of the value, possibly zero;
187 *
188 * if is_variable is 1, reg is the register number for a register
189 * containing the variable value if the register has been assigned,
190 * and -1 otherwise.
191 */
192 typedef struct {
193 int is_variable;
194 u_int constant_part;
195 int reg;
196 } bpf_abs_offset;
197
198 /*
199 * Value passed to gen_load_a() to indicate what the offset argument
200 * is relative to the beginning of.
201 */
202 enum e_offrel {
203 OR_PACKET, /* full packet data */
204 OR_LINKHDR, /* link-layer header */
205 OR_PREVLINKHDR, /* previous link-layer header */
206 OR_LLC, /* 802.2 LLC header */
207 OR_PREVMPLSHDR, /* previous MPLS header */
208 OR_LINKTYPE, /* link-layer type */
209 OR_LINKPL, /* link-layer payload */
210 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
211 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
212 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
213 };
214
215 /*
216 * We divvy out chunks of memory rather than call malloc each time so
217 * we don't have to worry about leaking memory. It's probably
218 * not a big deal if all this memory was wasted but if this ever
219 * goes into a library that would probably not be a good idea.
220 *
221 * XXX - this *is* in a library....
222 */
223 #define NCHUNKS 16
224 #define CHUNK0SIZE 1024
225 struct chunk {
226 size_t n_left;
227 void *m;
228 };
229
230 /*
231 * A chunk can store any of:
232 * - a string (guaranteed alignment 1 but present for completeness)
233 * - a block
234 * - an slist
235 * - an arth
236 * For this simple allocator every allocated chunk gets rounded up to the
237 * alignment needed for any chunk.
238 */
239 struct chunk_align {
240 char dummy;
241 union {
242 char c;
243 struct block b;
244 struct slist s;
245 struct arth a;
246 } u;
247 };
248 #define CHUNK_ALIGN (offsetof(struct chunk_align, u))
249
250 /* Code generator state */
251
252 struct _compiler_state {
253 jmp_buf top_ctx;
254 pcap_t *bpf_pcap;
255 int error_set;
256
257 struct icode ic;
258
259 int snaplen;
260
261 int linktype;
262 int prevlinktype;
263 int outermostlinktype;
264
265 bpf_u_int32 netmask;
266 int no_optimize;
267
268 /* Hack for handling VLAN and MPLS stacks. */
269 u_int label_stack_depth;
270 u_int vlan_stack_depth;
271
272 /* XXX */
273 u_int pcap_fddipad;
274
275 /*
276 * As errors are handled by a longjmp, anything allocated must
277 * be freed in the longjmp handler, so it must be reachable
278 * from that handler.
279 *
280 * One thing that's allocated is the result of pcap_nametoaddrinfo();
281 * it must be freed with freeaddrinfo(). This variable points to
282 * any addrinfo structure that would need to be freed.
283 */
284 struct addrinfo *ai;
285
286 /*
287 * Another thing that's allocated is the result of pcap_ether_aton();
288 * it must be freed with free(). This variable points to any
289 * address that would need to be freed.
290 */
291 u_char *e;
292
293 /*
294 * Various code constructs need to know the layout of the packet.
295 * These values give the necessary offsets from the beginning
296 * of the packet data.
297 */
298
299 /*
300 * Absolute offset of the beginning of the link-layer header.
301 */
302 bpf_abs_offset off_linkhdr;
303
304 /*
305 * If we're checking a link-layer header for a packet encapsulated
306 * in another protocol layer, this is the equivalent information
307 * for the previous layers' link-layer header from the beginning
308 * of the raw packet data.
309 */
310 bpf_abs_offset off_prevlinkhdr;
311
312 /*
313 * This is the equivalent information for the outermost layers'
314 * link-layer header.
315 */
316 bpf_abs_offset off_outermostlinkhdr;
317
318 /*
319 * Absolute offset of the beginning of the link-layer payload.
320 */
321 bpf_abs_offset off_linkpl;
322
323 /*
324 * "off_linktype" is the offset to information in the link-layer
325 * header giving the packet type. This is an absolute offset
326 * from the beginning of the packet.
327 *
328 * For Ethernet, it's the offset of the Ethernet type field; this
329 * means that it must have a value that skips VLAN tags.
330 *
331 * For link-layer types that always use 802.2 headers, it's the
332 * offset of the LLC header; this means that it must have a value
333 * that skips VLAN tags.
334 *
335 * For PPP, it's the offset of the PPP type field.
336 *
337 * For Cisco HDLC, it's the offset of the CHDLC type field.
338 *
339 * For BSD loopback, it's the offset of the AF_ value.
340 *
341 * For Linux cooked sockets, it's the offset of the type field.
342 *
343 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
344 * encapsulation, in which case, IP is assumed.
345 */
346 bpf_abs_offset off_linktype;
347
348 /*
349 * TRUE if the link layer includes an ATM pseudo-header.
350 */
351 int is_atm;
352
353 /*
354 * TRUE if "geneve" appeared in the filter; it causes us to
355 * generate code that checks for a Geneve header and assume
356 * that later filters apply to the encapsulated payload.
357 */
358 int is_geneve;
359
360 /*
361 * TRUE if we need variable length part of VLAN offset
362 */
363 int is_vlan_vloffset;
364
365 /*
366 * These are offsets for the ATM pseudo-header.
367 */
368 u_int off_vpi;
369 u_int off_vci;
370 u_int off_proto;
371
372 /*
373 * These are offsets for the MTP2 fields.
374 */
375 u_int off_li;
376 u_int off_li_hsl;
377
378 /*
379 * These are offsets for the MTP3 fields.
380 */
381 u_int off_sio;
382 u_int off_opc;
383 u_int off_dpc;
384 u_int off_sls;
385
386 /*
387 * This is the offset of the first byte after the ATM pseudo_header,
388 * or -1 if there is no ATM pseudo-header.
389 */
390 u_int off_payload;
391
392 /*
393 * These are offsets to the beginning of the network-layer header.
394 * They are relative to the beginning of the link-layer payload
395 * (i.e., they don't include off_linkhdr.constant_part or
396 * off_linkpl.constant_part).
397 *
398 * If the link layer never uses 802.2 LLC:
399 *
400 * "off_nl" and "off_nl_nosnap" are the same.
401 *
402 * If the link layer always uses 802.2 LLC:
403 *
404 * "off_nl" is the offset if there's a SNAP header following
405 * the 802.2 header;
406 *
407 * "off_nl_nosnap" is the offset if there's no SNAP header.
408 *
409 * If the link layer is Ethernet:
410 *
411 * "off_nl" is the offset if the packet is an Ethernet II packet
412 * (we assume no 802.3+802.2+SNAP);
413 *
414 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
415 * with an 802.2 header following it.
416 */
417 u_int off_nl;
418 u_int off_nl_nosnap;
419
420 /*
421 * Here we handle simple allocation of the scratch registers.
422 * If too many registers are alloc'd, the allocator punts.
423 */
424 int regused[BPF_MEMWORDS];
425 int curreg;
426
427 /*
428 * Memory chunks.
429 */
430 struct chunk chunks[NCHUNKS];
431 int cur_chunk;
432 };
433
434 /*
435 * For use by routines outside this file.
436 */
437 /* VARARGS */
438 void
bpf_set_error(compiler_state_t * cstate,const char * fmt,...)439 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
440 {
441 va_list ap;
442
443 /*
444 * If we've already set an error, don't override it.
445 * The lexical analyzer reports some errors by setting
446 * the error and then returning a LEX_ERROR token, which
447 * is not recognized by any grammar rule, and thus forces
448 * the parse to stop. We don't want the error reported
449 * by the lexical analyzer to be overwritten by the syntax
450 * error.
451 */
452 if (!cstate->error_set) {
453 va_start(ap, fmt);
454 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
455 fmt, ap);
456 va_end(ap);
457 cstate->error_set = 1;
458 }
459 }
460
461 /*
462 * For use *ONLY* in routines in this file.
463 */
464 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
465 PCAP_PRINTFLIKE(2, 3);
466
467 /* VARARGS */
468 static void PCAP_NORETURN
bpf_error(compiler_state_t * cstate,const char * fmt,...)469 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
470 {
471 va_list ap;
472
473 va_start(ap, fmt);
474 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
475 fmt, ap);
476 va_end(ap);
477 longjmp(cstate->top_ctx, 1);
478 /*NOTREACHED*/
479 #ifdef _AIX
480 PCAP_UNREACHABLE
481 #endif /* _AIX */
482 }
483
484 static int init_linktype(compiler_state_t *, pcap_t *);
485
486 static void init_regs(compiler_state_t *);
487 static int alloc_reg(compiler_state_t *);
488 static void free_reg(compiler_state_t *, int);
489
490 static void initchunks(compiler_state_t *cstate);
491 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
492 static void *newchunk(compiler_state_t *cstate, size_t);
493 static void freechunks(compiler_state_t *cstate);
494 static inline struct block *new_block(compiler_state_t *cstate, int);
495 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
496 static struct block *gen_retblk(compiler_state_t *cstate, int);
497 static inline void syntax(compiler_state_t *cstate);
498
499 static void backpatch(struct block *, struct block *);
500 static void merge(struct block *, struct block *);
501 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
502 u_int, bpf_u_int32);
503 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
504 u_int, bpf_u_int32);
505 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
506 u_int, bpf_u_int32);
507 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
508 u_int, bpf_u_int32);
509 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
510 u_int, bpf_u_int32);
511 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
512 u_int, bpf_u_int32, bpf_u_int32);
513 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
514 u_int, const u_char *);
515 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int,
516 u_int, bpf_u_int32, int, int, bpf_u_int32);
517 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
518 u_int, u_int);
519 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
520 u_int);
521 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
522 static struct block *gen_uncond(compiler_state_t *, int);
523 static inline struct block *gen_true(compiler_state_t *);
524 static inline struct block *gen_false(compiler_state_t *);
525 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32);
526 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32);
527 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32);
528 static struct slist *gen_load_pflog_llprefixlen(compiler_state_t *);
529 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
530 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
531 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
532 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
533 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
534 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
535 bpf_abs_offset *);
536 static bpf_u_int32 ethertype_to_ppptype(bpf_u_int32);
537 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32);
538 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
539 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32);
540 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
541 int, bpf_u_int32, u_int, u_int);
542 #ifdef INET6
543 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
544 struct in6_addr *, int, bpf_u_int32, u_int, u_int);
545 #endif
546 static struct block *gen_ahostop(compiler_state_t *, const uint8_t, int);
547 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
548 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
549 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
550 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
551 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
552 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
553 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32);
554 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
555 int, int, int);
556 #ifdef INET6
557 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
558 struct in6_addr *, int, int, int);
559 #endif
560 #ifndef INET6
561 static struct block *gen_gateway(compiler_state_t *, const u_char *,
562 struct addrinfo *, int, int);
563 #endif
564 static struct block *gen_ipfrag(compiler_state_t *);
565 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32);
566 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32,
567 bpf_u_int32);
568 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32);
569 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32,
570 bpf_u_int32);
571 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int);
572 static struct block *gen_port(compiler_state_t *, u_int, int, int);
573 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int,
574 bpf_u_int32, int);
575 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int);
576 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int);
577 static struct block *gen_port6(compiler_state_t *, u_int, int, int);
578 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int,
579 bpf_u_int32, int);
580 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int);
581 static int lookup_proto(compiler_state_t *, const char *, int);
582 #if !defined(NO_PROTOCHAIN)
583 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int);
584 #endif /* !defined(NO_PROTOCHAIN) */
585 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int, int);
586 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
587 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
588 static struct block *gen_mac_multicast(compiler_state_t *, int);
589 static struct block *gen_len(compiler_state_t *, int, int);
590 static struct block *gen_check_802_11_data_frame(compiler_state_t *);
591 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
592
593 static struct block *gen_ppi_dlt_check(compiler_state_t *);
594 static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
595 bpf_u_int32, int, int);
596 static struct block *gen_atmtype_llc(compiler_state_t *);
597 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
598
599 static void
initchunks(compiler_state_t * cstate)600 initchunks(compiler_state_t *cstate)
601 {
602 int i;
603
604 for (i = 0; i < NCHUNKS; i++) {
605 cstate->chunks[i].n_left = 0;
606 cstate->chunks[i].m = NULL;
607 }
608 cstate->cur_chunk = 0;
609 }
610
611 static void *
newchunk_nolongjmp(compiler_state_t * cstate,size_t n)612 newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
613 {
614 struct chunk *cp;
615 int k;
616 size_t size;
617
618 /* Round up to chunk alignment. */
619 n = (n + CHUNK_ALIGN - 1) & ~(CHUNK_ALIGN - 1);
620
621 cp = &cstate->chunks[cstate->cur_chunk];
622 if (n > cp->n_left) {
623 ++cp;
624 k = ++cstate->cur_chunk;
625 if (k >= NCHUNKS) {
626 bpf_set_error(cstate, "out of memory");
627 return (NULL);
628 }
629 size = CHUNK0SIZE << k;
630 cp->m = (void *)malloc(size);
631 if (cp->m == NULL) {
632 bpf_set_error(cstate, "out of memory");
633 return (NULL);
634 }
635 memset((char *)cp->m, 0, size);
636 cp->n_left = size;
637 if (n > size) {
638 bpf_set_error(cstate, "out of memory");
639 return (NULL);
640 }
641 }
642 cp->n_left -= n;
643 return (void *)((char *)cp->m + cp->n_left);
644 }
645
646 static void *
newchunk(compiler_state_t * cstate,size_t n)647 newchunk(compiler_state_t *cstate, size_t n)
648 {
649 void *p;
650
651 p = newchunk_nolongjmp(cstate, n);
652 if (p == NULL) {
653 longjmp(cstate->top_ctx, 1);
654 /*NOTREACHED*/
655 }
656 return (p);
657 }
658
659 static void
freechunks(compiler_state_t * cstate)660 freechunks(compiler_state_t *cstate)
661 {
662 int i;
663
664 for (i = 0; i < NCHUNKS; ++i)
665 if (cstate->chunks[i].m != NULL)
666 free(cstate->chunks[i].m);
667 }
668
669 /*
670 * A strdup whose allocations are freed after code generation is over.
671 * This is used by the lexical analyzer, so it can't longjmp; it just
672 * returns NULL on an allocation error, and the callers must check
673 * for it.
674 */
675 char *
sdup(compiler_state_t * cstate,const char * s)676 sdup(compiler_state_t *cstate, const char *s)
677 {
678 size_t n = strlen(s) + 1;
679 char *cp = newchunk_nolongjmp(cstate, n);
680
681 if (cp == NULL)
682 return (NULL);
683 pcapint_strlcpy(cp, s, n);
684 return (cp);
685 }
686
687 static inline struct block *
new_block(compiler_state_t * cstate,int code)688 new_block(compiler_state_t *cstate, int code)
689 {
690 struct block *p;
691
692 p = (struct block *)newchunk(cstate, sizeof(*p));
693 p->s.code = code;
694 p->head = p;
695
696 return p;
697 }
698
699 static inline struct slist *
new_stmt(compiler_state_t * cstate,int code)700 new_stmt(compiler_state_t *cstate, int code)
701 {
702 struct slist *p;
703
704 p = (struct slist *)newchunk(cstate, sizeof(*p));
705 p->s.code = code;
706
707 return p;
708 }
709
710 static struct block *
gen_retblk_internal(compiler_state_t * cstate,int v)711 gen_retblk_internal(compiler_state_t *cstate, int v)
712 {
713 struct block *b = new_block(cstate, BPF_RET|BPF_K);
714
715 b->s.k = v;
716 return b;
717 }
718
719 static struct block *
gen_retblk(compiler_state_t * cstate,int v)720 gen_retblk(compiler_state_t *cstate, int v)
721 {
722 if (setjmp(cstate->top_ctx)) {
723 /*
724 * gen_retblk() only fails because a memory
725 * allocation failed in newchunk(), meaning
726 * that it can't return a pointer.
727 *
728 * Return NULL.
729 */
730 return NULL;
731 }
732 return gen_retblk_internal(cstate, v);
733 }
734
735 static inline PCAP_NORETURN_DEF void
syntax(compiler_state_t * cstate)736 syntax(compiler_state_t *cstate)
737 {
738 bpf_error(cstate, "syntax error in filter expression");
739 }
740
741 int
pcap_compile(pcap_t * p,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)742 pcap_compile(pcap_t *p, struct bpf_program *program,
743 const char *buf, int optimize, bpf_u_int32 mask)
744 {
745 #ifdef _WIN32
746 static int done = 0;
747 #endif
748 compiler_state_t cstate;
749 yyscan_t scanner = NULL;
750 YY_BUFFER_STATE in_buffer = NULL;
751 u_int len;
752 int rc;
753
754 /*
755 * If this pcap_t hasn't been activated, it doesn't have a
756 * link-layer type, so we can't use it.
757 */
758 if (!p->activated) {
759 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
760 "not-yet-activated pcap_t passed to pcap_compile");
761 return (PCAP_ERROR);
762 }
763
764 #ifdef _WIN32
765 if (!done) {
766 pcap_wsockinit();
767 done = 1;
768 }
769 #endif
770
771 #ifdef ENABLE_REMOTE
772 /*
773 * If the device on which we're capturing need to be notified
774 * that a new filter is being compiled, do so.
775 *
776 * This allows them to save a copy of it, in case, for example,
777 * they're implementing a form of remote packet capture, and
778 * want the remote machine to filter out the packets in which
779 * it's sending the packets it's captured.
780 *
781 * XXX - the fact that we happen to be compiling a filter
782 * doesn't necessarily mean we'll be installing it as the
783 * filter for this pcap_t; we might be running it from userland
784 * on captured packets to do packet classification. We really
785 * need a better way of handling this, but this is all that
786 * the WinPcap remote capture code did.
787 */
788 if (p->save_current_filter_op != NULL)
789 (p->save_current_filter_op)(p, buf);
790 #endif
791
792 initchunks(&cstate);
793 cstate.no_optimize = 0;
794 #ifdef INET6
795 cstate.ai = NULL;
796 #endif
797 cstate.e = NULL;
798 cstate.ic.root = NULL;
799 cstate.ic.cur_mark = 0;
800 cstate.bpf_pcap = p;
801 cstate.error_set = 0;
802 init_regs(&cstate);
803
804 cstate.netmask = mask;
805
806 cstate.snaplen = pcap_snapshot(p);
807 if (cstate.snaplen == 0) {
808 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
809 "snaplen of 0 rejects all packets");
810 rc = PCAP_ERROR;
811 goto quit;
812 }
813
814 if (pcap_lex_init(&scanner) != 0) {
815 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
816 errno, "can't initialize scanner");
817 rc = PCAP_ERROR;
818 goto quit;
819 }
820 in_buffer = pcap__scan_string(buf ? buf : "", scanner);
821
822 /*
823 * Associate the compiler state with the lexical analyzer
824 * state.
825 */
826 pcap_set_extra(&cstate, scanner);
827
828 if (init_linktype(&cstate, p) == -1) {
829 rc = PCAP_ERROR;
830 goto quit;
831 }
832 if (pcap_parse(scanner, &cstate) != 0) {
833 #ifdef INET6
834 if (cstate.ai != NULL)
835 freeaddrinfo(cstate.ai);
836 #endif
837 if (cstate.e != NULL)
838 free(cstate.e);
839 rc = PCAP_ERROR;
840 goto quit;
841 }
842
843 if (cstate.ic.root == NULL) {
844 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
845
846 /*
847 * Catch errors reported by gen_retblk().
848 */
849 if (cstate.ic.root== NULL) {
850 rc = PCAP_ERROR;
851 goto quit;
852 }
853 }
854
855 if (optimize && !cstate.no_optimize) {
856 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
857 /* Failure */
858 rc = PCAP_ERROR;
859 goto quit;
860 }
861 if (cstate.ic.root == NULL ||
862 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
863 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
864 "expression rejects all packets");
865 rc = PCAP_ERROR;
866 goto quit;
867 }
868 }
869 program->bf_insns = icode_to_fcode(&cstate.ic,
870 cstate.ic.root, &len, p->errbuf);
871 if (program->bf_insns == NULL) {
872 /* Failure */
873 rc = PCAP_ERROR;
874 goto quit;
875 }
876 program->bf_len = len;
877
878 rc = 0; /* We're all okay */
879
880 quit:
881 /*
882 * Clean up everything for the lexical analyzer.
883 */
884 if (in_buffer != NULL)
885 pcap__delete_buffer(in_buffer, scanner);
886 if (scanner != NULL)
887 pcap_lex_destroy(scanner);
888
889 /*
890 * Clean up our own allocated memory.
891 */
892 freechunks(&cstate);
893
894 return (rc);
895 }
896
897 /*
898 * entry point for using the compiler with no pcap open
899 * pass in all the stuff that is needed explicitly instead.
900 */
901 int
pcap_compile_nopcap(int snaplen_arg,int linktype_arg,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)902 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
903 struct bpf_program *program,
904 const char *buf, int optimize, bpf_u_int32 mask)
905 {
906 pcap_t *p;
907 int ret;
908
909 p = pcap_open_dead(linktype_arg, snaplen_arg);
910 if (p == NULL)
911 return (PCAP_ERROR);
912 ret = pcap_compile(p, program, buf, optimize, mask);
913 pcap_close(p);
914 return (ret);
915 }
916
917 /*
918 * Clean up a "struct bpf_program" by freeing all the memory allocated
919 * in it.
920 */
921 void
pcap_freecode(struct bpf_program * program)922 pcap_freecode(struct bpf_program *program)
923 {
924 program->bf_len = 0;
925 if (program->bf_insns != NULL) {
926 free((char *)program->bf_insns);
927 program->bf_insns = NULL;
928 }
929 }
930
931 /*
932 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
933 * which of the jt and jf fields has been resolved and which is a pointer
934 * back to another unresolved block (or nil). At least one of the fields
935 * in each block is already resolved.
936 */
937 static void
backpatch(struct block * list,struct block * target)938 backpatch(struct block *list, struct block *target)
939 {
940 struct block *next;
941
942 while (list) {
943 if (!list->sense) {
944 next = JT(list);
945 JT(list) = target;
946 } else {
947 next = JF(list);
948 JF(list) = target;
949 }
950 list = next;
951 }
952 }
953
954 /*
955 * Merge the lists in b0 and b1, using the 'sense' field to indicate
956 * which of jt and jf is the link.
957 */
958 static void
merge(struct block * b0,struct block * b1)959 merge(struct block *b0, struct block *b1)
960 {
961 register struct block **p = &b0;
962
963 /* Find end of list. */
964 while (*p)
965 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
966
967 /* Concatenate the lists. */
968 *p = b1;
969 }
970
971 int
finish_parse(compiler_state_t * cstate,struct block * p)972 finish_parse(compiler_state_t *cstate, struct block *p)
973 {
974 struct block *ppi_dlt_check;
975
976 /*
977 * Catch errors reported by us and routines below us, and return -1
978 * on an error.
979 */
980 if (setjmp(cstate->top_ctx))
981 return (-1);
982
983 /*
984 * Insert before the statements of the first (root) block any
985 * statements needed to load the lengths of any variable-length
986 * headers into registers.
987 *
988 * XXX - a fancier strategy would be to insert those before the
989 * statements of all blocks that use those lengths and that
990 * have no predecessors that use them, so that we only compute
991 * the lengths if we need them. There might be even better
992 * approaches than that.
993 *
994 * However, those strategies would be more complicated, and
995 * as we don't generate code to compute a length if the
996 * program has no tests that use the length, and as most
997 * tests will probably use those lengths, we would just
998 * postpone computing the lengths so that it's not done
999 * for tests that fail early, and it's not clear that's
1000 * worth the effort.
1001 */
1002 insert_compute_vloffsets(cstate, p->head);
1003
1004 /*
1005 * For DLT_PPI captures, generate a check of the per-packet
1006 * DLT value to make sure it's DLT_IEEE802_11.
1007 *
1008 * XXX - TurboCap cards use DLT_PPI for Ethernet.
1009 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
1010 * with appropriate Ethernet information and use that rather
1011 * than using something such as DLT_PPI where you don't know
1012 * the link-layer header type until runtime, which, in the
1013 * general case, would force us to generate both Ethernet *and*
1014 * 802.11 code (*and* anything else for which PPI is used)
1015 * and choose between them early in the BPF program?
1016 */
1017 ppi_dlt_check = gen_ppi_dlt_check(cstate);
1018 if (ppi_dlt_check != NULL)
1019 gen_and(ppi_dlt_check, p);
1020
1021 backpatch(p, gen_retblk_internal(cstate, cstate->snaplen));
1022 p->sense = !p->sense;
1023 backpatch(p, gen_retblk_internal(cstate, 0));
1024 cstate->ic.root = p->head;
1025 return (0);
1026 }
1027
1028 void
gen_and(struct block * b0,struct block * b1)1029 gen_and(struct block *b0, struct block *b1)
1030 {
1031 backpatch(b0, b1->head);
1032 b0->sense = !b0->sense;
1033 b1->sense = !b1->sense;
1034 merge(b1, b0);
1035 b1->sense = !b1->sense;
1036 b1->head = b0->head;
1037 }
1038
1039 void
gen_or(struct block * b0,struct block * b1)1040 gen_or(struct block *b0, struct block *b1)
1041 {
1042 b0->sense = !b0->sense;
1043 backpatch(b0, b1->head);
1044 b0->sense = !b0->sense;
1045 merge(b1, b0);
1046 b1->head = b0->head;
1047 }
1048
1049 void
gen_not(struct block * b)1050 gen_not(struct block *b)
1051 {
1052 b->sense = !b->sense;
1053 }
1054
1055 static struct block *
gen_cmp(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1056 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1057 u_int size, bpf_u_int32 v)
1058 {
1059 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1060 }
1061
1062 static struct block *
gen_cmp_gt(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1063 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1064 u_int size, bpf_u_int32 v)
1065 {
1066 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1067 }
1068
1069 static struct block *
gen_cmp_ge(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1070 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1071 u_int size, bpf_u_int32 v)
1072 {
1073 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1074 }
1075
1076 static struct block *
gen_cmp_lt(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1077 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1078 u_int size, bpf_u_int32 v)
1079 {
1080 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1081 }
1082
1083 static struct block *
gen_cmp_le(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v)1084 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1085 u_int size, bpf_u_int32 v)
1086 {
1087 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1088 }
1089
1090 static struct block *
gen_mcmp(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 v,bpf_u_int32 mask)1091 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1092 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1093 {
1094 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1095 }
1096
1097 static struct block *
gen_bcmp(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,const u_char * v)1098 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1099 u_int size, const u_char *v)
1100 {
1101 register struct block *b, *tmp;
1102
1103 b = NULL;
1104 while (size >= 4) {
1105 register const u_char *p = &v[size - 4];
1106
1107 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1108 EXTRACT_BE_U_4(p));
1109 if (b != NULL)
1110 gen_and(b, tmp);
1111 b = tmp;
1112 size -= 4;
1113 }
1114 while (size >= 2) {
1115 register const u_char *p = &v[size - 2];
1116
1117 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1118 EXTRACT_BE_U_2(p));
1119 if (b != NULL)
1120 gen_and(b, tmp);
1121 b = tmp;
1122 size -= 2;
1123 }
1124 if (size > 0) {
1125 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]);
1126 if (b != NULL)
1127 gen_and(b, tmp);
1128 b = tmp;
1129 }
1130 return b;
1131 }
1132
1133 /*
1134 * AND the field of size "size" at offset "offset" relative to the header
1135 * specified by "offrel" with "mask", and compare it with the value "v"
1136 * with the test specified by "jtype"; if "reverse" is true, the test
1137 * should test the opposite of "jtype".
1138 */
1139 static struct block *
gen_ncmp(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size,bpf_u_int32 mask,int jtype,int reverse,bpf_u_int32 v)1140 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1141 u_int size, bpf_u_int32 mask, int jtype, int reverse,
1142 bpf_u_int32 v)
1143 {
1144 struct slist *s, *s2;
1145 struct block *b;
1146
1147 s = gen_load_a(cstate, offrel, offset, size);
1148
1149 if (mask != 0xffffffff) {
1150 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1151 s2->s.k = mask;
1152 sappend(s, s2);
1153 }
1154
1155 b = new_block(cstate, JMP(jtype));
1156 b->stmts = s;
1157 b->s.k = v;
1158 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1159 gen_not(b);
1160 return b;
1161 }
1162
1163 static int
init_linktype(compiler_state_t * cstate,pcap_t * p)1164 init_linktype(compiler_state_t *cstate, pcap_t *p)
1165 {
1166 cstate->pcap_fddipad = p->fddipad;
1167
1168 /*
1169 * We start out with only one link-layer header.
1170 */
1171 cstate->outermostlinktype = pcap_datalink(p);
1172 cstate->off_outermostlinkhdr.constant_part = 0;
1173 cstate->off_outermostlinkhdr.is_variable = 0;
1174 cstate->off_outermostlinkhdr.reg = -1;
1175
1176 cstate->prevlinktype = cstate->outermostlinktype;
1177 cstate->off_prevlinkhdr.constant_part = 0;
1178 cstate->off_prevlinkhdr.is_variable = 0;
1179 cstate->off_prevlinkhdr.reg = -1;
1180
1181 cstate->linktype = cstate->outermostlinktype;
1182 cstate->off_linkhdr.constant_part = 0;
1183 cstate->off_linkhdr.is_variable = 0;
1184 cstate->off_linkhdr.reg = -1;
1185
1186 /*
1187 * XXX
1188 */
1189 cstate->off_linkpl.constant_part = 0;
1190 cstate->off_linkpl.is_variable = 0;
1191 cstate->off_linkpl.reg = -1;
1192
1193 cstate->off_linktype.constant_part = 0;
1194 cstate->off_linktype.is_variable = 0;
1195 cstate->off_linktype.reg = -1;
1196
1197 /*
1198 * Assume it's not raw ATM with a pseudo-header, for now.
1199 */
1200 cstate->is_atm = 0;
1201 cstate->off_vpi = OFFSET_NOT_SET;
1202 cstate->off_vci = OFFSET_NOT_SET;
1203 cstate->off_proto = OFFSET_NOT_SET;
1204 cstate->off_payload = OFFSET_NOT_SET;
1205
1206 /*
1207 * And not Geneve.
1208 */
1209 cstate->is_geneve = 0;
1210
1211 /*
1212 * No variable length VLAN offset by default
1213 */
1214 cstate->is_vlan_vloffset = 0;
1215
1216 /*
1217 * And assume we're not doing SS7.
1218 */
1219 cstate->off_li = OFFSET_NOT_SET;
1220 cstate->off_li_hsl = OFFSET_NOT_SET;
1221 cstate->off_sio = OFFSET_NOT_SET;
1222 cstate->off_opc = OFFSET_NOT_SET;
1223 cstate->off_dpc = OFFSET_NOT_SET;
1224 cstate->off_sls = OFFSET_NOT_SET;
1225
1226 cstate->label_stack_depth = 0;
1227 cstate->vlan_stack_depth = 0;
1228
1229 switch (cstate->linktype) {
1230
1231 case DLT_ARCNET:
1232 cstate->off_linktype.constant_part = 2;
1233 cstate->off_linkpl.constant_part = 6;
1234 cstate->off_nl = 0; /* XXX in reality, variable! */
1235 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1236 break;
1237
1238 case DLT_ARCNET_LINUX:
1239 cstate->off_linktype.constant_part = 4;
1240 cstate->off_linkpl.constant_part = 8;
1241 cstate->off_nl = 0; /* XXX in reality, variable! */
1242 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1243 break;
1244
1245 case DLT_EN10MB:
1246 cstate->off_linktype.constant_part = 12;
1247 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1248 cstate->off_nl = 0; /* Ethernet II */
1249 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1250 break;
1251
1252 case DLT_SLIP:
1253 /*
1254 * SLIP doesn't have a link level type. The 16 byte
1255 * header is hacked into our SLIP driver.
1256 */
1257 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1258 cstate->off_linkpl.constant_part = 16;
1259 cstate->off_nl = 0;
1260 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1261 break;
1262
1263 case DLT_SLIP_BSDOS:
1264 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1265 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1266 /* XXX end */
1267 cstate->off_linkpl.constant_part = 24;
1268 cstate->off_nl = 0;
1269 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1270 break;
1271
1272 case DLT_NULL:
1273 case DLT_LOOP:
1274 cstate->off_linktype.constant_part = 0;
1275 cstate->off_linkpl.constant_part = 4;
1276 cstate->off_nl = 0;
1277 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1278 break;
1279
1280 case DLT_ENC:
1281 cstate->off_linktype.constant_part = 0;
1282 cstate->off_linkpl.constant_part = 12;
1283 cstate->off_nl = 0;
1284 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1285 break;
1286
1287 case DLT_PPP:
1288 case DLT_PPP_PPPD:
1289 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1290 case DLT_HDLC: /* NetBSD (Cisco) HDLC */
1291 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1292 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1293 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1294 cstate->off_nl = 0;
1295 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1296 break;
1297
1298 case DLT_PPP_ETHER:
1299 /*
1300 * This does no include the Ethernet header, and
1301 * only covers session state.
1302 */
1303 cstate->off_linktype.constant_part = 6;
1304 cstate->off_linkpl.constant_part = 8;
1305 cstate->off_nl = 0;
1306 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1307 break;
1308
1309 case DLT_PPP_BSDOS:
1310 cstate->off_linktype.constant_part = 5;
1311 cstate->off_linkpl.constant_part = 24;
1312 cstate->off_nl = 0;
1313 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1314 break;
1315
1316 case DLT_FDDI:
1317 /*
1318 * FDDI doesn't really have a link-level type field.
1319 * We set "off_linktype" to the offset of the LLC header.
1320 *
1321 * To check for Ethernet types, we assume that SSAP = SNAP
1322 * is being used and pick out the encapsulated Ethernet type.
1323 * XXX - should we generate code to check for SNAP?
1324 */
1325 cstate->off_linktype.constant_part = 13;
1326 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1327 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1328 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1329 cstate->off_nl = 8; /* 802.2+SNAP */
1330 cstate->off_nl_nosnap = 3; /* 802.2 */
1331 break;
1332
1333 case DLT_IEEE802:
1334 /*
1335 * Token Ring doesn't really have a link-level type field.
1336 * We set "off_linktype" to the offset of the LLC header.
1337 *
1338 * To check for Ethernet types, we assume that SSAP = SNAP
1339 * is being used and pick out the encapsulated Ethernet type.
1340 * XXX - should we generate code to check for SNAP?
1341 *
1342 * XXX - the header is actually variable-length.
1343 * Some various Linux patched versions gave 38
1344 * as "off_linktype" and 40 as "off_nl"; however,
1345 * if a token ring packet has *no* routing
1346 * information, i.e. is not source-routed, the correct
1347 * values are 20 and 22, as they are in the vanilla code.
1348 *
1349 * A packet is source-routed iff the uppermost bit
1350 * of the first byte of the source address, at an
1351 * offset of 8, has the uppermost bit set. If the
1352 * packet is source-routed, the total number of bytes
1353 * of routing information is 2 plus bits 0x1F00 of
1354 * the 16-bit value at an offset of 14 (shifted right
1355 * 8 - figure out which byte that is).
1356 */
1357 cstate->off_linktype.constant_part = 14;
1358 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1359 cstate->off_nl = 8; /* 802.2+SNAP */
1360 cstate->off_nl_nosnap = 3; /* 802.2 */
1361 break;
1362
1363 case DLT_PRISM_HEADER:
1364 case DLT_IEEE802_11_RADIO_AVS:
1365 case DLT_IEEE802_11_RADIO:
1366 cstate->off_linkhdr.is_variable = 1;
1367 /* Fall through, 802.11 doesn't have a variable link
1368 * prefix but is otherwise the same. */
1369 /* FALLTHROUGH */
1370
1371 case DLT_IEEE802_11:
1372 /*
1373 * 802.11 doesn't really have a link-level type field.
1374 * We set "off_linktype.constant_part" to the offset of
1375 * the LLC header.
1376 *
1377 * To check for Ethernet types, we assume that SSAP = SNAP
1378 * is being used and pick out the encapsulated Ethernet type.
1379 * XXX - should we generate code to check for SNAP?
1380 *
1381 * We also handle variable-length radio headers here.
1382 * The Prism header is in theory variable-length, but in
1383 * practice it's always 144 bytes long. However, some
1384 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1385 * sometimes or always supply an AVS header, so we
1386 * have to check whether the radio header is a Prism
1387 * header or an AVS header, so, in practice, it's
1388 * variable-length.
1389 */
1390 cstate->off_linktype.constant_part = 24;
1391 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1392 cstate->off_linkpl.is_variable = 1;
1393 cstate->off_nl = 8; /* 802.2+SNAP */
1394 cstate->off_nl_nosnap = 3; /* 802.2 */
1395 break;
1396
1397 case DLT_PPI:
1398 /*
1399 * At the moment we treat PPI the same way that we treat
1400 * normal Radiotap encoded packets. The difference is in
1401 * the function that generates the code at the beginning
1402 * to compute the header length. Since this code generator
1403 * of PPI supports bare 802.11 encapsulation only (i.e.
1404 * the encapsulated DLT should be DLT_IEEE802_11) we
1405 * generate code to check for this too.
1406 */
1407 cstate->off_linktype.constant_part = 24;
1408 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1409 cstate->off_linkpl.is_variable = 1;
1410 cstate->off_linkhdr.is_variable = 1;
1411 cstate->off_nl = 8; /* 802.2+SNAP */
1412 cstate->off_nl_nosnap = 3; /* 802.2 */
1413 break;
1414
1415 case DLT_ATM_RFC1483:
1416 case DLT_ATM_CLIP: /* Linux ATM defines this */
1417 /*
1418 * assume routed, non-ISO PDUs
1419 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1420 *
1421 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1422 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1423 * latter would presumably be treated the way PPPoE
1424 * should be, so you can do "pppoe and udp port 2049"
1425 * or "pppoa and tcp port 80" and have it check for
1426 * PPPo{A,E} and a PPP protocol of IP and....
1427 */
1428 cstate->off_linktype.constant_part = 0;
1429 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1430 cstate->off_nl = 8; /* 802.2+SNAP */
1431 cstate->off_nl_nosnap = 3; /* 802.2 */
1432 break;
1433
1434 case DLT_SUNATM:
1435 /*
1436 * Full Frontal ATM; you get AALn PDUs with an ATM
1437 * pseudo-header.
1438 */
1439 cstate->is_atm = 1;
1440 cstate->off_vpi = SUNATM_VPI_POS;
1441 cstate->off_vci = SUNATM_VCI_POS;
1442 cstate->off_proto = PROTO_POS;
1443 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1444 cstate->off_linktype.constant_part = cstate->off_payload;
1445 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1446 cstate->off_nl = 8; /* 802.2+SNAP */
1447 cstate->off_nl_nosnap = 3; /* 802.2 */
1448 break;
1449
1450 case DLT_RAW:
1451 case DLT_IPV4:
1452 case DLT_IPV6:
1453 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1454 cstate->off_linkpl.constant_part = 0;
1455 cstate->off_nl = 0;
1456 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1457 break;
1458
1459 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1460 cstate->off_linktype.constant_part = 14;
1461 cstate->off_linkpl.constant_part = 16;
1462 cstate->off_nl = 0;
1463 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1464 break;
1465
1466 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1467 cstate->off_linktype.constant_part = 0;
1468 cstate->off_linkpl.constant_part = 20;
1469 cstate->off_nl = 0;
1470 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1471 break;
1472
1473 case DLT_LTALK:
1474 /*
1475 * LocalTalk does have a 1-byte type field in the LLAP header,
1476 * but really it just indicates whether there is a "short" or
1477 * "long" DDP packet following.
1478 */
1479 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1480 cstate->off_linkpl.constant_part = 0;
1481 cstate->off_nl = 0;
1482 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1483 break;
1484
1485 case DLT_IP_OVER_FC:
1486 /*
1487 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1488 * link-level type field. We set "off_linktype" to the
1489 * offset of the LLC header.
1490 *
1491 * To check for Ethernet types, we assume that SSAP = SNAP
1492 * is being used and pick out the encapsulated Ethernet type.
1493 * XXX - should we generate code to check for SNAP? RFC
1494 * 2625 says SNAP should be used.
1495 */
1496 cstate->off_linktype.constant_part = 16;
1497 cstate->off_linkpl.constant_part = 16;
1498 cstate->off_nl = 8; /* 802.2+SNAP */
1499 cstate->off_nl_nosnap = 3; /* 802.2 */
1500 break;
1501
1502 case DLT_FRELAY:
1503 /*
1504 * XXX - we should set this to handle SNAP-encapsulated
1505 * frames (NLPID of 0x80).
1506 */
1507 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1508 cstate->off_linkpl.constant_part = 0;
1509 cstate->off_nl = 0;
1510 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1511 break;
1512
1513 /*
1514 * the only BPF-interesting FRF.16 frames are non-control frames;
1515 * Frame Relay has a variable length link-layer
1516 * so lets start with offset 4 for now and increments later on (FIXME);
1517 */
1518 case DLT_MFR:
1519 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1520 cstate->off_linkpl.constant_part = 0;
1521 cstate->off_nl = 4;
1522 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1523 break;
1524
1525 case DLT_APPLE_IP_OVER_IEEE1394:
1526 cstate->off_linktype.constant_part = 16;
1527 cstate->off_linkpl.constant_part = 18;
1528 cstate->off_nl = 0;
1529 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1530 break;
1531
1532 case DLT_SYMANTEC_FIREWALL:
1533 cstate->off_linktype.constant_part = 6;
1534 cstate->off_linkpl.constant_part = 44;
1535 cstate->off_nl = 0; /* Ethernet II */
1536 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1537 break;
1538
1539 case DLT_PFLOG:
1540 cstate->off_linktype.constant_part = 0;
1541 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1542 cstate->off_linkpl.is_variable = 1;
1543 cstate->off_nl = 0;
1544 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1545 break;
1546
1547 case DLT_JUNIPER_MFR:
1548 case DLT_JUNIPER_MLFR:
1549 case DLT_JUNIPER_MLPPP:
1550 case DLT_JUNIPER_PPP:
1551 case DLT_JUNIPER_CHDLC:
1552 case DLT_JUNIPER_FRELAY:
1553 cstate->off_linktype.constant_part = 4;
1554 cstate->off_linkpl.constant_part = 4;
1555 cstate->off_nl = 0;
1556 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1557 break;
1558
1559 case DLT_JUNIPER_ATM1:
1560 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1561 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1562 cstate->off_nl = 0;
1563 cstate->off_nl_nosnap = 10;
1564 break;
1565
1566 case DLT_JUNIPER_ATM2:
1567 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1568 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1569 cstate->off_nl = 0;
1570 cstate->off_nl_nosnap = 10;
1571 break;
1572
1573 /* frames captured on a Juniper PPPoE service PIC
1574 * contain raw ethernet frames */
1575 case DLT_JUNIPER_PPPOE:
1576 case DLT_JUNIPER_ETHER:
1577 cstate->off_linkpl.constant_part = 14;
1578 cstate->off_linktype.constant_part = 16;
1579 cstate->off_nl = 18; /* Ethernet II */
1580 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1581 break;
1582
1583 case DLT_JUNIPER_PPPOE_ATM:
1584 cstate->off_linktype.constant_part = 4;
1585 cstate->off_linkpl.constant_part = 6;
1586 cstate->off_nl = 0;
1587 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1588 break;
1589
1590 case DLT_JUNIPER_GGSN:
1591 cstate->off_linktype.constant_part = 6;
1592 cstate->off_linkpl.constant_part = 12;
1593 cstate->off_nl = 0;
1594 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1595 break;
1596
1597 case DLT_JUNIPER_ES:
1598 cstate->off_linktype.constant_part = 6;
1599 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1600 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1601 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1602 break;
1603
1604 case DLT_JUNIPER_MONITOR:
1605 cstate->off_linktype.constant_part = 12;
1606 cstate->off_linkpl.constant_part = 12;
1607 cstate->off_nl = 0; /* raw IP/IP6 header */
1608 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1609 break;
1610
1611 case DLT_BACNET_MS_TP:
1612 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1613 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1614 cstate->off_nl = OFFSET_NOT_SET;
1615 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1616 break;
1617
1618 case DLT_JUNIPER_SERVICES:
1619 cstate->off_linktype.constant_part = 12;
1620 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1621 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1622 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1623 break;
1624
1625 case DLT_JUNIPER_VP:
1626 cstate->off_linktype.constant_part = 18;
1627 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1628 cstate->off_nl = OFFSET_NOT_SET;
1629 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1630 break;
1631
1632 case DLT_JUNIPER_ST:
1633 cstate->off_linktype.constant_part = 18;
1634 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1635 cstate->off_nl = OFFSET_NOT_SET;
1636 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1637 break;
1638
1639 case DLT_JUNIPER_ISM:
1640 cstate->off_linktype.constant_part = 8;
1641 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1642 cstate->off_nl = OFFSET_NOT_SET;
1643 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1644 break;
1645
1646 case DLT_JUNIPER_VS:
1647 case DLT_JUNIPER_SRX_E2E:
1648 case DLT_JUNIPER_FIBRECHANNEL:
1649 case DLT_JUNIPER_ATM_CEMIC:
1650 cstate->off_linktype.constant_part = 8;
1651 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1652 cstate->off_nl = OFFSET_NOT_SET;
1653 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1654 break;
1655
1656 case DLT_MTP2:
1657 cstate->off_li = 2;
1658 cstate->off_li_hsl = 4;
1659 cstate->off_sio = 3;
1660 cstate->off_opc = 4;
1661 cstate->off_dpc = 4;
1662 cstate->off_sls = 7;
1663 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1664 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1665 cstate->off_nl = OFFSET_NOT_SET;
1666 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1667 break;
1668
1669 case DLT_MTP2_WITH_PHDR:
1670 cstate->off_li = 6;
1671 cstate->off_li_hsl = 8;
1672 cstate->off_sio = 7;
1673 cstate->off_opc = 8;
1674 cstate->off_dpc = 8;
1675 cstate->off_sls = 11;
1676 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1677 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1678 cstate->off_nl = OFFSET_NOT_SET;
1679 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1680 break;
1681
1682 case DLT_ERF:
1683 cstate->off_li = 22;
1684 cstate->off_li_hsl = 24;
1685 cstate->off_sio = 23;
1686 cstate->off_opc = 24;
1687 cstate->off_dpc = 24;
1688 cstate->off_sls = 27;
1689 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1690 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1691 cstate->off_nl = OFFSET_NOT_SET;
1692 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1693 break;
1694
1695 case DLT_PFSYNC:
1696 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1697 cstate->off_linkpl.constant_part = 4;
1698 cstate->off_nl = 0;
1699 cstate->off_nl_nosnap = 0;
1700 break;
1701
1702 case DLT_AX25_KISS:
1703 /*
1704 * Currently, only raw "link[N:M]" filtering is supported.
1705 */
1706 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1707 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1708 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1709 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1710 break;
1711
1712 case DLT_IPNET:
1713 cstate->off_linktype.constant_part = 1;
1714 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1715 cstate->off_nl = 0;
1716 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1717 break;
1718
1719 case DLT_NETANALYZER:
1720 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1721 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1722 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1723 cstate->off_nl = 0; /* Ethernet II */
1724 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1725 break;
1726
1727 case DLT_NETANALYZER_TRANSPARENT:
1728 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1729 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1730 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1731 cstate->off_nl = 0; /* Ethernet II */
1732 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1733 break;
1734
1735 case DLT_EN3MB:
1736 /*
1737 * Currently, only raw "link[N:M]" filtering is supported.
1738 */
1739 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1740 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1741 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1742 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1743 break;
1744
1745 case DLT_AX25:
1746 /*
1747 * Currently, only raw "link[N:M]" filtering is supported.
1748 */
1749 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1750 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1751 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1752 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1753 break;
1754
1755 case DLT_PRONET:
1756 /*
1757 * Currently, only raw "link[N:M]" filtering is supported.
1758 */
1759 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1760 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1761 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1762 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1763 break;
1764
1765 case DLT_CHAOS:
1766 /*
1767 * Currently, only raw "link[N:M]" filtering is supported.
1768 */
1769 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1770 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1771 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1772 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1773 break;
1774
1775 #ifdef DLT_HIPPI
1776 case DLT_HIPPI:
1777 /*
1778 * Currently, only raw "link[N:M]" filtering is supported.
1779 */
1780 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1781 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1782 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1783 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1784 break;
1785
1786 #endif
1787
1788 case DLT_REDBACK_SMARTEDGE:
1789 /*
1790 * Currently, only raw "link[N:M]" filtering is supported.
1791 */
1792 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1793 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1794 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1795 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1796 break;
1797
1798
1799 #ifdef DLT_HHDLC
1800 case DLT_HHDLC:
1801 /*
1802 * Currently, only raw "link[N:M]" filtering is supported.
1803 */
1804 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1805 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1806 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1807 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1808 break;
1809
1810 #endif
1811
1812 default:
1813 /*
1814 * For values in the range in which we've assigned new
1815 * DLT_ values, only raw "link[N:M]" filtering is supported.
1816 */
1817 if (cstate->linktype >= DLT_HIGH_MATCHING_MIN &&
1818 cstate->linktype <= DLT_HIGH_MATCHING_MAX) {
1819 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1820 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1821 cstate->off_nl = OFFSET_NOT_SET;
1822 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1823 } else {
1824 bpf_set_error(cstate, "unknown data link type %d",
1825 cstate->linktype);
1826 return (-1);
1827 }
1828 break;
1829 }
1830
1831 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1832 return (0);
1833 }
1834
1835 /*
1836 * Load a value relative to the specified absolute offset.
1837 */
1838 static struct slist *
gen_load_absoffsetrel(compiler_state_t * cstate,bpf_abs_offset * abs_offset,u_int offset,u_int size)1839 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1840 u_int offset, u_int size)
1841 {
1842 struct slist *s, *s2;
1843
1844 s = gen_abs_offset_varpart(cstate, abs_offset);
1845
1846 /*
1847 * If "s" is non-null, it has code to arrange that the X register
1848 * contains the variable part of the absolute offset, so we
1849 * generate a load relative to that, with an offset of
1850 * abs_offset->constant_part + offset.
1851 *
1852 * Otherwise, we can do an absolute load with an offset of
1853 * abs_offset->constant_part + offset.
1854 */
1855 if (s != NULL) {
1856 /*
1857 * "s" points to a list of statements that puts the
1858 * variable part of the absolute offset into the X register.
1859 * Do an indirect load, to use the X register as an offset.
1860 */
1861 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1862 s2->s.k = abs_offset->constant_part + offset;
1863 sappend(s, s2);
1864 } else {
1865 /*
1866 * There is no variable part of the absolute offset, so
1867 * just do an absolute load.
1868 */
1869 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1870 s->s.k = abs_offset->constant_part + offset;
1871 }
1872 return s;
1873 }
1874
1875 /*
1876 * Load a value relative to the beginning of the specified header.
1877 */
1878 static struct slist *
gen_load_a(compiler_state_t * cstate,enum e_offrel offrel,u_int offset,u_int size)1879 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1880 u_int size)
1881 {
1882 struct slist *s, *s2;
1883
1884 /*
1885 * Squelch warnings from compilers that *don't* assume that
1886 * offrel always has a valid enum value and therefore don't
1887 * assume that we'll always go through one of the case arms.
1888 *
1889 * If we have a default case, compilers that *do* assume that
1890 * will then complain about the default case code being
1891 * unreachable.
1892 *
1893 * Damned if you do, damned if you don't.
1894 */
1895 s = NULL;
1896
1897 switch (offrel) {
1898
1899 case OR_PACKET:
1900 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1901 s->s.k = offset;
1902 break;
1903
1904 case OR_LINKHDR:
1905 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1906 break;
1907
1908 case OR_PREVLINKHDR:
1909 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1910 break;
1911
1912 case OR_LLC:
1913 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1914 break;
1915
1916 case OR_PREVMPLSHDR:
1917 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1918 break;
1919
1920 case OR_LINKPL:
1921 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1922 break;
1923
1924 case OR_LINKPL_NOSNAP:
1925 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1926 break;
1927
1928 case OR_LINKTYPE:
1929 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1930 break;
1931
1932 case OR_TRAN_IPV4:
1933 /*
1934 * Load the X register with the length of the IPv4 header
1935 * (plus the offset of the link-layer header, if it's
1936 * preceded by a variable-length header such as a radio
1937 * header), in bytes.
1938 */
1939 s = gen_loadx_iphdrlen(cstate);
1940
1941 /*
1942 * Load the item at {offset of the link-layer payload} +
1943 * {offset, relative to the start of the link-layer
1944 * payload, of the IPv4 header} + {length of the IPv4 header} +
1945 * {specified offset}.
1946 *
1947 * If the offset of the link-layer payload is variable,
1948 * the variable part of that offset is included in the
1949 * value in the X register, and we include the constant
1950 * part in the offset of the load.
1951 */
1952 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1953 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1954 sappend(s, s2);
1955 break;
1956
1957 case OR_TRAN_IPV6:
1958 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1959 break;
1960 }
1961 return s;
1962 }
1963
1964 /*
1965 * Generate code to load into the X register the sum of the length of
1966 * the IPv4 header and the variable part of the offset of the link-layer
1967 * payload.
1968 */
1969 static struct slist *
gen_loadx_iphdrlen(compiler_state_t * cstate)1970 gen_loadx_iphdrlen(compiler_state_t *cstate)
1971 {
1972 struct slist *s, *s2;
1973
1974 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1975 if (s != NULL) {
1976 /*
1977 * The offset of the link-layer payload has a variable
1978 * part. "s" points to a list of statements that put
1979 * the variable part of that offset into the X register.
1980 *
1981 * The 4*([k]&0xf) addressing mode can't be used, as we
1982 * don't have a constant offset, so we have to load the
1983 * value in question into the A register and add to it
1984 * the value from the X register.
1985 */
1986 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1987 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1988 sappend(s, s2);
1989 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1990 s2->s.k = 0xf;
1991 sappend(s, s2);
1992 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1993 s2->s.k = 2;
1994 sappend(s, s2);
1995
1996 /*
1997 * The A register now contains the length of the IP header.
1998 * We need to add to it the variable part of the offset of
1999 * the link-layer payload, which is still in the X
2000 * register, and move the result into the X register.
2001 */
2002 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
2003 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
2004 } else {
2005 /*
2006 * The offset of the link-layer payload is a constant,
2007 * so no code was generated to load the (nonexistent)
2008 * variable part of that offset.
2009 *
2010 * This means we can use the 4*([k]&0xf) addressing
2011 * mode. Load the length of the IPv4 header, which
2012 * is at an offset of cstate->off_nl from the beginning of
2013 * the link-layer payload, and thus at an offset of
2014 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
2015 * of the raw packet data, using that addressing mode.
2016 */
2017 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
2018 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
2019 }
2020 return s;
2021 }
2022
2023
2024 static struct block *
gen_uncond(compiler_state_t * cstate,int rsense)2025 gen_uncond(compiler_state_t *cstate, int rsense)
2026 {
2027 struct block *b;
2028 struct slist *s;
2029
2030 s = new_stmt(cstate, BPF_LD|BPF_IMM);
2031 s->s.k = !rsense;
2032 b = new_block(cstate, JMP(BPF_JEQ));
2033 b->stmts = s;
2034
2035 return b;
2036 }
2037
2038 static inline struct block *
gen_true(compiler_state_t * cstate)2039 gen_true(compiler_state_t *cstate)
2040 {
2041 return gen_uncond(cstate, 1);
2042 }
2043
2044 static inline struct block *
gen_false(compiler_state_t * cstate)2045 gen_false(compiler_state_t *cstate)
2046 {
2047 return gen_uncond(cstate, 0);
2048 }
2049
2050 /*
2051 * Byte-swap a 32-bit number.
2052 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
2053 * big-endian platforms.)
2054 */
2055 #define SWAPLONG(y) \
2056 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
2057
2058 /*
2059 * Generate code to match a particular packet type.
2060 *
2061 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2062 * value, if <= ETHERMTU. We use that to determine whether to
2063 * match the type/length field or to check the type/length field for
2064 * a value <= ETHERMTU to see whether it's a type field and then do
2065 * the appropriate test.
2066 */
2067 static struct block *
gen_ether_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)2068 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2069 {
2070 struct block *b0, *b1;
2071
2072 switch (ll_proto) {
2073
2074 case LLCSAP_ISONS:
2075 case LLCSAP_IP:
2076 case LLCSAP_NETBEUI:
2077 /*
2078 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2079 * so we check the DSAP and SSAP.
2080 *
2081 * LLCSAP_IP checks for IP-over-802.2, rather
2082 * than IP-over-Ethernet or IP-over-SNAP.
2083 *
2084 * XXX - should we check both the DSAP and the
2085 * SSAP, like this, or should we check just the
2086 * DSAP, as we do for other types <= ETHERMTU
2087 * (i.e., other SAP values)?
2088 */
2089 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2090 gen_not(b0);
2091 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2092 gen_and(b0, b1);
2093 return b1;
2094
2095 case LLCSAP_IPX:
2096 /*
2097 * Check for;
2098 *
2099 * Ethernet_II frames, which are Ethernet
2100 * frames with a frame type of ETHERTYPE_IPX;
2101 *
2102 * Ethernet_802.3 frames, which are 802.3
2103 * frames (i.e., the type/length field is
2104 * a length field, <= ETHERMTU, rather than
2105 * a type field) with the first two bytes
2106 * after the Ethernet/802.3 header being
2107 * 0xFFFF;
2108 *
2109 * Ethernet_802.2 frames, which are 802.3
2110 * frames with an 802.2 LLC header and
2111 * with the IPX LSAP as the DSAP in the LLC
2112 * header;
2113 *
2114 * Ethernet_SNAP frames, which are 802.3
2115 * frames with an LLC header and a SNAP
2116 * header and with an OUI of 0x000000
2117 * (encapsulated Ethernet) and a protocol
2118 * ID of ETHERTYPE_IPX in the SNAP header.
2119 *
2120 * XXX - should we generate the same code both
2121 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2122 */
2123
2124 /*
2125 * This generates code to check both for the
2126 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2127 */
2128 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2129 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
2130 gen_or(b0, b1);
2131
2132 /*
2133 * Now we add code to check for SNAP frames with
2134 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2135 */
2136 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2137 gen_or(b0, b1);
2138
2139 /*
2140 * Now we generate code to check for 802.3
2141 * frames in general.
2142 */
2143 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2144 gen_not(b0);
2145
2146 /*
2147 * Now add the check for 802.3 frames before the
2148 * check for Ethernet_802.2 and Ethernet_802.3,
2149 * as those checks should only be done on 802.3
2150 * frames, not on Ethernet frames.
2151 */
2152 gen_and(b0, b1);
2153
2154 /*
2155 * Now add the check for Ethernet_II frames, and
2156 * do that before checking for the other frame
2157 * types.
2158 */
2159 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2160 gen_or(b0, b1);
2161 return b1;
2162
2163 case ETHERTYPE_ATALK:
2164 case ETHERTYPE_AARP:
2165 /*
2166 * EtherTalk (AppleTalk protocols on Ethernet link
2167 * layer) may use 802.2 encapsulation.
2168 */
2169
2170 /*
2171 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2172 * we check for an Ethernet type field less than
2173 * 1500, which means it's an 802.3 length field.
2174 */
2175 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2176 gen_not(b0);
2177
2178 /*
2179 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2180 * SNAP packets with an organization code of
2181 * 0x080007 (Apple, for Appletalk) and a protocol
2182 * type of ETHERTYPE_ATALK (Appletalk).
2183 *
2184 * 802.2-encapsulated ETHERTYPE_AARP packets are
2185 * SNAP packets with an organization code of
2186 * 0x000000 (encapsulated Ethernet) and a protocol
2187 * type of ETHERTYPE_AARP (Appletalk ARP).
2188 */
2189 if (ll_proto == ETHERTYPE_ATALK)
2190 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2191 else /* ll_proto == ETHERTYPE_AARP */
2192 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2193 gen_and(b0, b1);
2194
2195 /*
2196 * Check for Ethernet encapsulation (Ethertalk
2197 * phase 1?); we just check for the Ethernet
2198 * protocol type.
2199 */
2200 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2201
2202 gen_or(b0, b1);
2203 return b1;
2204
2205 default:
2206 if (ll_proto <= ETHERMTU) {
2207 /*
2208 * This is an LLC SAP value, so the frames
2209 * that match would be 802.2 frames.
2210 * Check that the frame is an 802.2 frame
2211 * (i.e., that the length/type field is
2212 * a length field, <= ETHERMTU) and
2213 * then check the DSAP.
2214 */
2215 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2216 gen_not(b0);
2217 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto);
2218 gen_and(b0, b1);
2219 return b1;
2220 } else {
2221 /*
2222 * This is an Ethernet type, so compare
2223 * the length/type field with it (if
2224 * the frame is an 802.2 frame, the length
2225 * field will be <= ETHERMTU, and, as
2226 * "ll_proto" is > ETHERMTU, this test
2227 * will fail and the frame won't match,
2228 * which is what we want).
2229 */
2230 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2231 }
2232 }
2233 }
2234
2235 static struct block *
gen_loopback_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)2236 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2237 {
2238 /*
2239 * For DLT_NULL, the link-layer header is a 32-bit word
2240 * containing an AF_ value in *host* byte order, and for
2241 * DLT_ENC, the link-layer header begins with a 32-bit
2242 * word containing an AF_ value in host byte order.
2243 *
2244 * In addition, if we're reading a saved capture file,
2245 * the host byte order in the capture may not be the
2246 * same as the host byte order on this machine.
2247 *
2248 * For DLT_LOOP, the link-layer header is a 32-bit
2249 * word containing an AF_ value in *network* byte order.
2250 */
2251 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2252 /*
2253 * The AF_ value is in host byte order, but the BPF
2254 * interpreter will convert it to network byte order.
2255 *
2256 * If this is a save file, and it's from a machine
2257 * with the opposite byte order to ours, we byte-swap
2258 * the AF_ value.
2259 *
2260 * Then we run it through "htonl()", and generate
2261 * code to compare against the result.
2262 */
2263 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2264 ll_proto = SWAPLONG(ll_proto);
2265 ll_proto = htonl(ll_proto);
2266 }
2267 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto));
2268 }
2269
2270 /*
2271 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2272 * or IPv6 then we have an error.
2273 */
2274 static struct block *
gen_ipnet_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)2275 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2276 {
2277 switch (ll_proto) {
2278
2279 case ETHERTYPE_IP:
2280 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET);
2281 /*NOTREACHED*/
2282
2283 case ETHERTYPE_IPV6:
2284 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6);
2285 /*NOTREACHED*/
2286
2287 default:
2288 break;
2289 }
2290
2291 return gen_false(cstate);
2292 }
2293
2294 /*
2295 * Generate code to match a particular packet type.
2296 *
2297 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2298 * value, if <= ETHERMTU. We use that to determine whether to
2299 * match the type field or to check the type field for the special
2300 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2301 */
2302 static struct block *
gen_linux_sll_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)2303 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2304 {
2305 struct block *b0, *b1;
2306
2307 switch (ll_proto) {
2308
2309 case LLCSAP_ISONS:
2310 case LLCSAP_IP:
2311 case LLCSAP_NETBEUI:
2312 /*
2313 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2314 * so we check the DSAP and SSAP.
2315 *
2316 * LLCSAP_IP checks for IP-over-802.2, rather
2317 * than IP-over-Ethernet or IP-over-SNAP.
2318 *
2319 * XXX - should we check both the DSAP and the
2320 * SSAP, like this, or should we check just the
2321 * DSAP, as we do for other types <= ETHERMTU
2322 * (i.e., other SAP values)?
2323 */
2324 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2325 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2326 gen_and(b0, b1);
2327 return b1;
2328
2329 case LLCSAP_IPX:
2330 /*
2331 * Ethernet_II frames, which are Ethernet
2332 * frames with a frame type of ETHERTYPE_IPX;
2333 *
2334 * Ethernet_802.3 frames, which have a frame
2335 * type of LINUX_SLL_P_802_3;
2336 *
2337 * Ethernet_802.2 frames, which are 802.3
2338 * frames with an 802.2 LLC header (i.e, have
2339 * a frame type of LINUX_SLL_P_802_2) and
2340 * with the IPX LSAP as the DSAP in the LLC
2341 * header;
2342 *
2343 * Ethernet_SNAP frames, which are 802.3
2344 * frames with an LLC header and a SNAP
2345 * header and with an OUI of 0x000000
2346 * (encapsulated Ethernet) and a protocol
2347 * ID of ETHERTYPE_IPX in the SNAP header.
2348 *
2349 * First, do the checks on LINUX_SLL_P_802_2
2350 * frames; generate the check for either
2351 * Ethernet_802.2 or Ethernet_SNAP frames, and
2352 * then put a check for LINUX_SLL_P_802_2 frames
2353 * before it.
2354 */
2355 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2356 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2357 gen_or(b0, b1);
2358 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2359 gen_and(b0, b1);
2360
2361 /*
2362 * Now check for 802.3 frames and OR that with
2363 * the previous test.
2364 */
2365 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2366 gen_or(b0, b1);
2367
2368 /*
2369 * Now add the check for Ethernet_II frames, and
2370 * do that before checking for the other frame
2371 * types.
2372 */
2373 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2374 gen_or(b0, b1);
2375 return b1;
2376
2377 case ETHERTYPE_ATALK:
2378 case ETHERTYPE_AARP:
2379 /*
2380 * EtherTalk (AppleTalk protocols on Ethernet link
2381 * layer) may use 802.2 encapsulation.
2382 */
2383
2384 /*
2385 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2386 * we check for the 802.2 protocol type in the
2387 * "Ethernet type" field.
2388 */
2389 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2390
2391 /*
2392 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2393 * SNAP packets with an organization code of
2394 * 0x080007 (Apple, for Appletalk) and a protocol
2395 * type of ETHERTYPE_ATALK (Appletalk).
2396 *
2397 * 802.2-encapsulated ETHERTYPE_AARP packets are
2398 * SNAP packets with an organization code of
2399 * 0x000000 (encapsulated Ethernet) and a protocol
2400 * type of ETHERTYPE_AARP (Appletalk ARP).
2401 */
2402 if (ll_proto == ETHERTYPE_ATALK)
2403 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2404 else /* ll_proto == ETHERTYPE_AARP */
2405 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2406 gen_and(b0, b1);
2407
2408 /*
2409 * Check for Ethernet encapsulation (Ethertalk
2410 * phase 1?); we just check for the Ethernet
2411 * protocol type.
2412 */
2413 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2414
2415 gen_or(b0, b1);
2416 return b1;
2417
2418 default:
2419 if (ll_proto <= ETHERMTU) {
2420 /*
2421 * This is an LLC SAP value, so the frames
2422 * that match would be 802.2 frames.
2423 * Check for the 802.2 protocol type
2424 * in the "Ethernet type" field, and
2425 * then check the DSAP.
2426 */
2427 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2428 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2429 ll_proto);
2430 gen_and(b0, b1);
2431 return b1;
2432 } else {
2433 /*
2434 * This is an Ethernet type, so compare
2435 * the length/type field with it (if
2436 * the frame is an 802.2 frame, the length
2437 * field will be <= ETHERMTU, and, as
2438 * "ll_proto" is > ETHERMTU, this test
2439 * will fail and the frame won't match,
2440 * which is what we want).
2441 */
2442 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2443 }
2444 }
2445 }
2446
2447 /*
2448 * Load a value relative to the beginning of the link-layer header after the
2449 * pflog header.
2450 */
2451 static struct slist *
gen_load_pflog_llprefixlen(compiler_state_t * cstate)2452 gen_load_pflog_llprefixlen(compiler_state_t *cstate)
2453 {
2454 struct slist *s1, *s2;
2455
2456 /*
2457 * Generate code to load the length of the pflog header into
2458 * the register assigned to hold that length, if one has been
2459 * assigned. (If one hasn't been assigned, no code we've
2460 * generated uses that prefix, so we don't need to generate any
2461 * code to load it.)
2462 */
2463 if (cstate->off_linkpl.reg != -1) {
2464 /*
2465 * The length is in the first byte of the header.
2466 */
2467 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2468 s1->s.k = 0;
2469
2470 /*
2471 * Round it up to a multiple of 4.
2472 * Add 3, and clear the lower 2 bits.
2473 */
2474 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2475 s2->s.k = 3;
2476 sappend(s1, s2);
2477 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2478 s2->s.k = 0xfffffffc;
2479 sappend(s1, s2);
2480
2481 /*
2482 * Now allocate a register to hold that value and store
2483 * it.
2484 */
2485 s2 = new_stmt(cstate, BPF_ST);
2486 s2->s.k = cstate->off_linkpl.reg;
2487 sappend(s1, s2);
2488
2489 /*
2490 * Now move it into the X register.
2491 */
2492 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2493 sappend(s1, s2);
2494
2495 return (s1);
2496 } else
2497 return (NULL);
2498 }
2499
2500 static struct slist *
gen_load_prism_llprefixlen(compiler_state_t * cstate)2501 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2502 {
2503 struct slist *s1, *s2;
2504 struct slist *sjeq_avs_cookie;
2505 struct slist *sjcommon;
2506
2507 /*
2508 * This code is not compatible with the optimizer, as
2509 * we are generating jmp instructions within a normal
2510 * slist of instructions
2511 */
2512 cstate->no_optimize = 1;
2513
2514 /*
2515 * Generate code to load the length of the radio header into
2516 * the register assigned to hold that length, if one has been
2517 * assigned. (If one hasn't been assigned, no code we've
2518 * generated uses that prefix, so we don't need to generate any
2519 * code to load it.)
2520 *
2521 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2522 * or always use the AVS header rather than the Prism header.
2523 * We load a 4-byte big-endian value at the beginning of the
2524 * raw packet data, and see whether, when masked with 0xFFFFF000,
2525 * it's equal to 0x80211000. If so, that indicates that it's
2526 * an AVS header (the masked-out bits are the version number).
2527 * Otherwise, it's a Prism header.
2528 *
2529 * XXX - the Prism header is also, in theory, variable-length,
2530 * but no known software generates headers that aren't 144
2531 * bytes long.
2532 */
2533 if (cstate->off_linkhdr.reg != -1) {
2534 /*
2535 * Load the cookie.
2536 */
2537 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2538 s1->s.k = 0;
2539
2540 /*
2541 * AND it with 0xFFFFF000.
2542 */
2543 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2544 s2->s.k = 0xFFFFF000;
2545 sappend(s1, s2);
2546
2547 /*
2548 * Compare with 0x80211000.
2549 */
2550 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2551 sjeq_avs_cookie->s.k = 0x80211000;
2552 sappend(s1, sjeq_avs_cookie);
2553
2554 /*
2555 * If it's AVS:
2556 *
2557 * The 4 bytes at an offset of 4 from the beginning of
2558 * the AVS header are the length of the AVS header.
2559 * That field is big-endian.
2560 */
2561 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2562 s2->s.k = 4;
2563 sappend(s1, s2);
2564 sjeq_avs_cookie->s.jt = s2;
2565
2566 /*
2567 * Now jump to the code to allocate a register
2568 * into which to save the header length and
2569 * store the length there. (The "jump always"
2570 * instruction needs to have the k field set;
2571 * it's added to the PC, so, as we're jumping
2572 * over a single instruction, it should be 1.)
2573 */
2574 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2575 sjcommon->s.k = 1;
2576 sappend(s1, sjcommon);
2577
2578 /*
2579 * Now for the code that handles the Prism header.
2580 * Just load the length of the Prism header (144)
2581 * into the A register. Have the test for an AVS
2582 * header branch here if we don't have an AVS header.
2583 */
2584 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2585 s2->s.k = 144;
2586 sappend(s1, s2);
2587 sjeq_avs_cookie->s.jf = s2;
2588
2589 /*
2590 * Now allocate a register to hold that value and store
2591 * it. The code for the AVS header will jump here after
2592 * loading the length of the AVS header.
2593 */
2594 s2 = new_stmt(cstate, BPF_ST);
2595 s2->s.k = cstate->off_linkhdr.reg;
2596 sappend(s1, s2);
2597 sjcommon->s.jf = s2;
2598
2599 /*
2600 * Now move it into the X register.
2601 */
2602 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2603 sappend(s1, s2);
2604
2605 return (s1);
2606 } else
2607 return (NULL);
2608 }
2609
2610 static struct slist *
gen_load_avs_llprefixlen(compiler_state_t * cstate)2611 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2612 {
2613 struct slist *s1, *s2;
2614
2615 /*
2616 * Generate code to load the length of the AVS header into
2617 * the register assigned to hold that length, if one has been
2618 * assigned. (If one hasn't been assigned, no code we've
2619 * generated uses that prefix, so we don't need to generate any
2620 * code to load it.)
2621 */
2622 if (cstate->off_linkhdr.reg != -1) {
2623 /*
2624 * The 4 bytes at an offset of 4 from the beginning of
2625 * the AVS header are the length of the AVS header.
2626 * That field is big-endian.
2627 */
2628 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2629 s1->s.k = 4;
2630
2631 /*
2632 * Now allocate a register to hold that value and store
2633 * it.
2634 */
2635 s2 = new_stmt(cstate, BPF_ST);
2636 s2->s.k = cstate->off_linkhdr.reg;
2637 sappend(s1, s2);
2638
2639 /*
2640 * Now move it into the X register.
2641 */
2642 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2643 sappend(s1, s2);
2644
2645 return (s1);
2646 } else
2647 return (NULL);
2648 }
2649
2650 static struct slist *
gen_load_radiotap_llprefixlen(compiler_state_t * cstate)2651 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2652 {
2653 struct slist *s1, *s2;
2654
2655 /*
2656 * Generate code to load the length of the radiotap header into
2657 * the register assigned to hold that length, if one has been
2658 * assigned. (If one hasn't been assigned, no code we've
2659 * generated uses that prefix, so we don't need to generate any
2660 * code to load it.)
2661 */
2662 if (cstate->off_linkhdr.reg != -1) {
2663 /*
2664 * The 2 bytes at offsets of 2 and 3 from the beginning
2665 * of the radiotap header are the length of the radiotap
2666 * header; unfortunately, it's little-endian, so we have
2667 * to load it a byte at a time and construct the value.
2668 */
2669
2670 /*
2671 * Load the high-order byte, at an offset of 3, shift it
2672 * left a byte, and put the result in the X register.
2673 */
2674 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2675 s1->s.k = 3;
2676 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2677 sappend(s1, s2);
2678 s2->s.k = 8;
2679 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2680 sappend(s1, s2);
2681
2682 /*
2683 * Load the next byte, at an offset of 2, and OR the
2684 * value from the X register into it.
2685 */
2686 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2687 sappend(s1, s2);
2688 s2->s.k = 2;
2689 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2690 sappend(s1, s2);
2691
2692 /*
2693 * Now allocate a register to hold that value and store
2694 * it.
2695 */
2696 s2 = new_stmt(cstate, BPF_ST);
2697 s2->s.k = cstate->off_linkhdr.reg;
2698 sappend(s1, s2);
2699
2700 /*
2701 * Now move it into the X register.
2702 */
2703 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2704 sappend(s1, s2);
2705
2706 return (s1);
2707 } else
2708 return (NULL);
2709 }
2710
2711 /*
2712 * At the moment we treat PPI as normal Radiotap encoded
2713 * packets. The difference is in the function that generates
2714 * the code at the beginning to compute the header length.
2715 * Since this code generator of PPI supports bare 802.11
2716 * encapsulation only (i.e. the encapsulated DLT should be
2717 * DLT_IEEE802_11) we generate code to check for this too;
2718 * that's done in finish_parse().
2719 */
2720 static struct slist *
gen_load_ppi_llprefixlen(compiler_state_t * cstate)2721 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2722 {
2723 struct slist *s1, *s2;
2724
2725 /*
2726 * Generate code to load the length of the radiotap header
2727 * into the register assigned to hold that length, if one has
2728 * been assigned.
2729 */
2730 if (cstate->off_linkhdr.reg != -1) {
2731 /*
2732 * The 2 bytes at offsets of 2 and 3 from the beginning
2733 * of the radiotap header are the length of the radiotap
2734 * header; unfortunately, it's little-endian, so we have
2735 * to load it a byte at a time and construct the value.
2736 */
2737
2738 /*
2739 * Load the high-order byte, at an offset of 3, shift it
2740 * left a byte, and put the result in the X register.
2741 */
2742 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2743 s1->s.k = 3;
2744 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2745 sappend(s1, s2);
2746 s2->s.k = 8;
2747 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2748 sappend(s1, s2);
2749
2750 /*
2751 * Load the next byte, at an offset of 2, and OR the
2752 * value from the X register into it.
2753 */
2754 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2755 sappend(s1, s2);
2756 s2->s.k = 2;
2757 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2758 sappend(s1, s2);
2759
2760 /*
2761 * Now allocate a register to hold that value and store
2762 * it.
2763 */
2764 s2 = new_stmt(cstate, BPF_ST);
2765 s2->s.k = cstate->off_linkhdr.reg;
2766 sappend(s1, s2);
2767
2768 /*
2769 * Now move it into the X register.
2770 */
2771 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2772 sappend(s1, s2);
2773
2774 return (s1);
2775 } else
2776 return (NULL);
2777 }
2778
2779 /*
2780 * Load a value relative to the beginning of the link-layer header after the 802.11
2781 * header, i.e. LLC_SNAP.
2782 * The link-layer header doesn't necessarily begin at the beginning
2783 * of the packet data; there might be a variable-length prefix containing
2784 * radio information.
2785 */
2786 static struct slist *
gen_load_802_11_header_len(compiler_state_t * cstate,struct slist * s,struct slist * snext)2787 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2788 {
2789 struct slist *s2;
2790 struct slist *sjset_data_frame_1;
2791 struct slist *sjset_data_frame_2;
2792 struct slist *sjset_qos;
2793 struct slist *sjset_radiotap_flags_present;
2794 struct slist *sjset_radiotap_ext_present;
2795 struct slist *sjset_radiotap_tsft_present;
2796 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2797 struct slist *s_roundup;
2798
2799 if (cstate->off_linkpl.reg == -1) {
2800 /*
2801 * No register has been assigned to the offset of
2802 * the link-layer payload, which means nobody needs
2803 * it; don't bother computing it - just return
2804 * what we already have.
2805 */
2806 return (s);
2807 }
2808
2809 /*
2810 * This code is not compatible with the optimizer, as
2811 * we are generating jmp instructions within a normal
2812 * slist of instructions
2813 */
2814 cstate->no_optimize = 1;
2815
2816 /*
2817 * If "s" is non-null, it has code to arrange that the X register
2818 * contains the length of the prefix preceding the link-layer
2819 * header.
2820 *
2821 * Otherwise, the length of the prefix preceding the link-layer
2822 * header is "off_outermostlinkhdr.constant_part".
2823 */
2824 if (s == NULL) {
2825 /*
2826 * There is no variable-length header preceding the
2827 * link-layer header.
2828 *
2829 * Load the length of the fixed-length prefix preceding
2830 * the link-layer header (if any) into the X register,
2831 * and store it in the cstate->off_linkpl.reg register.
2832 * That length is off_outermostlinkhdr.constant_part.
2833 */
2834 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2835 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2836 }
2837
2838 /*
2839 * The X register contains the offset of the beginning of the
2840 * link-layer header; add 24, which is the minimum length
2841 * of the MAC header for a data frame, to that, and store it
2842 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2843 * which is at the offset in the X register, with an indexed load.
2844 */
2845 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2846 sappend(s, s2);
2847 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2848 s2->s.k = 24;
2849 sappend(s, s2);
2850 s2 = new_stmt(cstate, BPF_ST);
2851 s2->s.k = cstate->off_linkpl.reg;
2852 sappend(s, s2);
2853
2854 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2855 s2->s.k = 0;
2856 sappend(s, s2);
2857
2858 /*
2859 * Check the Frame Control field to see if this is a data frame;
2860 * a data frame has the 0x08 bit (b3) in that field set and the
2861 * 0x04 bit (b2) clear.
2862 */
2863 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2864 sjset_data_frame_1->s.k = 0x08;
2865 sappend(s, sjset_data_frame_1);
2866
2867 /*
2868 * If b3 is set, test b2, otherwise go to the first statement of
2869 * the rest of the program.
2870 */
2871 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2872 sjset_data_frame_2->s.k = 0x04;
2873 sappend(s, sjset_data_frame_2);
2874 sjset_data_frame_1->s.jf = snext;
2875
2876 /*
2877 * If b2 is not set, this is a data frame; test the QoS bit.
2878 * Otherwise, go to the first statement of the rest of the
2879 * program.
2880 */
2881 sjset_data_frame_2->s.jt = snext;
2882 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2883 sjset_qos->s.k = 0x80; /* QoS bit */
2884 sappend(s, sjset_qos);
2885
2886 /*
2887 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2888 * field.
2889 * Otherwise, go to the first statement of the rest of the
2890 * program.
2891 */
2892 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2893 s2->s.k = cstate->off_linkpl.reg;
2894 sappend(s, s2);
2895 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2896 s2->s.k = 2;
2897 sappend(s, s2);
2898 s2 = new_stmt(cstate, BPF_ST);
2899 s2->s.k = cstate->off_linkpl.reg;
2900 sappend(s, s2);
2901
2902 /*
2903 * If we have a radiotap header, look at it to see whether
2904 * there's Atheros padding between the MAC-layer header
2905 * and the payload.
2906 *
2907 * Note: all of the fields in the radiotap header are
2908 * little-endian, so we byte-swap all of the values
2909 * we test against, as they will be loaded as big-endian
2910 * values.
2911 *
2912 * XXX - in the general case, we would have to scan through
2913 * *all* the presence bits, if there's more than one word of
2914 * presence bits. That would require a loop, meaning that
2915 * we wouldn't be able to run the filter in the kernel.
2916 *
2917 * We assume here that the Atheros adapters that insert the
2918 * annoying padding don't have multiple antennae and therefore
2919 * do not generate radiotap headers with multiple presence words.
2920 */
2921 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2922 /*
2923 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2924 * in the first presence flag word?
2925 */
2926 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2927 s2->s.k = 4;
2928 sappend(s, s2);
2929
2930 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2931 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2932 sappend(s, sjset_radiotap_flags_present);
2933
2934 /*
2935 * If not, skip all of this.
2936 */
2937 sjset_radiotap_flags_present->s.jf = snext;
2938
2939 /*
2940 * Otherwise, is the "extension" bit set in that word?
2941 */
2942 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2943 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2944 sappend(s, sjset_radiotap_ext_present);
2945 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2946
2947 /*
2948 * If so, skip all of this.
2949 */
2950 sjset_radiotap_ext_present->s.jt = snext;
2951
2952 /*
2953 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2954 */
2955 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2956 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2957 sappend(s, sjset_radiotap_tsft_present);
2958 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2959
2960 /*
2961 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2962 * at an offset of 16 from the beginning of the raw packet
2963 * data (8 bytes for the radiotap header and 8 bytes for
2964 * the TSFT field).
2965 *
2966 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2967 * is set.
2968 */
2969 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2970 s2->s.k = 16;
2971 sappend(s, s2);
2972 sjset_radiotap_tsft_present->s.jt = s2;
2973
2974 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2975 sjset_tsft_datapad->s.k = 0x20;
2976 sappend(s, sjset_tsft_datapad);
2977
2978 /*
2979 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2980 * at an offset of 8 from the beginning of the raw packet
2981 * data (8 bytes for the radiotap header).
2982 *
2983 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2984 * is set.
2985 */
2986 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2987 s2->s.k = 8;
2988 sappend(s, s2);
2989 sjset_radiotap_tsft_present->s.jf = s2;
2990
2991 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2992 sjset_notsft_datapad->s.k = 0x20;
2993 sappend(s, sjset_notsft_datapad);
2994
2995 /*
2996 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2997 * set, round the length of the 802.11 header to
2998 * a multiple of 4. Do that by adding 3 and then
2999 * dividing by and multiplying by 4, which we do by
3000 * ANDing with ~3.
3001 */
3002 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
3003 s_roundup->s.k = cstate->off_linkpl.reg;
3004 sappend(s, s_roundup);
3005 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
3006 s2->s.k = 3;
3007 sappend(s, s2);
3008 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
3009 s2->s.k = (bpf_u_int32)~3;
3010 sappend(s, s2);
3011 s2 = new_stmt(cstate, BPF_ST);
3012 s2->s.k = cstate->off_linkpl.reg;
3013 sappend(s, s2);
3014
3015 sjset_tsft_datapad->s.jt = s_roundup;
3016 sjset_tsft_datapad->s.jf = snext;
3017 sjset_notsft_datapad->s.jt = s_roundup;
3018 sjset_notsft_datapad->s.jf = snext;
3019 } else
3020 sjset_qos->s.jf = snext;
3021
3022 return s;
3023 }
3024
3025 static void
insert_compute_vloffsets(compiler_state_t * cstate,struct block * b)3026 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
3027 {
3028 struct slist *s;
3029
3030 /* There is an implicit dependency between the link
3031 * payload and link header since the payload computation
3032 * includes the variable part of the header. Therefore,
3033 * if nobody else has allocated a register for the link
3034 * header and we need it, do it now. */
3035 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
3036 cstate->off_linkhdr.reg == -1)
3037 cstate->off_linkhdr.reg = alloc_reg(cstate);
3038
3039 /*
3040 * For link-layer types that have a variable-length header
3041 * preceding the link-layer header, generate code to load
3042 * the offset of the link-layer header into the register
3043 * assigned to that offset, if any.
3044 *
3045 * XXX - this, and the next switch statement, won't handle
3046 * encapsulation of 802.11 or 802.11+radio information in
3047 * some other protocol stack. That's significantly more
3048 * complicated.
3049 */
3050 switch (cstate->outermostlinktype) {
3051
3052 case DLT_PRISM_HEADER:
3053 s = gen_load_prism_llprefixlen(cstate);
3054 break;
3055
3056 case DLT_IEEE802_11_RADIO_AVS:
3057 s = gen_load_avs_llprefixlen(cstate);
3058 break;
3059
3060 case DLT_IEEE802_11_RADIO:
3061 s = gen_load_radiotap_llprefixlen(cstate);
3062 break;
3063
3064 case DLT_PPI:
3065 s = gen_load_ppi_llprefixlen(cstate);
3066 break;
3067
3068 default:
3069 s = NULL;
3070 break;
3071 }
3072
3073 /*
3074 * For link-layer types that have a variable-length link-layer
3075 * header, generate code to load the offset of the link-layer
3076 * payload into the register assigned to that offset, if any.
3077 */
3078 switch (cstate->outermostlinktype) {
3079
3080 case DLT_IEEE802_11:
3081 case DLT_PRISM_HEADER:
3082 case DLT_IEEE802_11_RADIO_AVS:
3083 case DLT_IEEE802_11_RADIO:
3084 case DLT_PPI:
3085 s = gen_load_802_11_header_len(cstate, s, b->stmts);
3086 break;
3087
3088 case DLT_PFLOG:
3089 s = gen_load_pflog_llprefixlen(cstate);
3090 break;
3091 }
3092
3093 /*
3094 * If there is no initialization yet and we need variable
3095 * length offsets for VLAN, initialize them to zero
3096 */
3097 if (s == NULL && cstate->is_vlan_vloffset) {
3098 struct slist *s2;
3099
3100 if (cstate->off_linkpl.reg == -1)
3101 cstate->off_linkpl.reg = alloc_reg(cstate);
3102 if (cstate->off_linktype.reg == -1)
3103 cstate->off_linktype.reg = alloc_reg(cstate);
3104
3105 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
3106 s->s.k = 0;
3107 s2 = new_stmt(cstate, BPF_ST);
3108 s2->s.k = cstate->off_linkpl.reg;
3109 sappend(s, s2);
3110 s2 = new_stmt(cstate, BPF_ST);
3111 s2->s.k = cstate->off_linktype.reg;
3112 sappend(s, s2);
3113 }
3114
3115 /*
3116 * If we have any offset-loading code, append all the
3117 * existing statements in the block to those statements,
3118 * and make the resulting list the list of statements
3119 * for the block.
3120 */
3121 if (s != NULL) {
3122 sappend(s, b->stmts);
3123 b->stmts = s;
3124 }
3125 }
3126
3127 static struct block *
gen_ppi_dlt_check(compiler_state_t * cstate)3128 gen_ppi_dlt_check(compiler_state_t *cstate)
3129 {
3130 struct slist *s_load_dlt;
3131 struct block *b;
3132
3133 if (cstate->linktype == DLT_PPI)
3134 {
3135 /* Create the statements that check for the DLT
3136 */
3137 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
3138 s_load_dlt->s.k = 4;
3139
3140 b = new_block(cstate, JMP(BPF_JEQ));
3141
3142 b->stmts = s_load_dlt;
3143 b->s.k = SWAPLONG(DLT_IEEE802_11);
3144 }
3145 else
3146 {
3147 b = NULL;
3148 }
3149
3150 return b;
3151 }
3152
3153 /*
3154 * Take an absolute offset, and:
3155 *
3156 * if it has no variable part, return NULL;
3157 *
3158 * if it has a variable part, generate code to load the register
3159 * containing that variable part into the X register, returning
3160 * a pointer to that code - if no register for that offset has
3161 * been allocated, allocate it first.
3162 *
3163 * (The code to set that register will be generated later, but will
3164 * be placed earlier in the code sequence.)
3165 */
3166 static struct slist *
gen_abs_offset_varpart(compiler_state_t * cstate,bpf_abs_offset * off)3167 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3168 {
3169 struct slist *s;
3170
3171 if (off->is_variable) {
3172 if (off->reg == -1) {
3173 /*
3174 * We haven't yet assigned a register for the
3175 * variable part of the offset of the link-layer
3176 * header; allocate one.
3177 */
3178 off->reg = alloc_reg(cstate);
3179 }
3180
3181 /*
3182 * Load the register containing the variable part of the
3183 * offset of the link-layer header into the X register.
3184 */
3185 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3186 s->s.k = off->reg;
3187 return s;
3188 } else {
3189 /*
3190 * That offset isn't variable, there's no variable part,
3191 * so we don't need to generate any code.
3192 */
3193 return NULL;
3194 }
3195 }
3196
3197 /*
3198 * Map an Ethernet type to the equivalent PPP type.
3199 */
3200 static bpf_u_int32
ethertype_to_ppptype(bpf_u_int32 ll_proto)3201 ethertype_to_ppptype(bpf_u_int32 ll_proto)
3202 {
3203 switch (ll_proto) {
3204
3205 case ETHERTYPE_IP:
3206 ll_proto = PPP_IP;
3207 break;
3208
3209 case ETHERTYPE_IPV6:
3210 ll_proto = PPP_IPV6;
3211 break;
3212
3213 case ETHERTYPE_DN:
3214 ll_proto = PPP_DECNET;
3215 break;
3216
3217 case ETHERTYPE_ATALK:
3218 ll_proto = PPP_APPLE;
3219 break;
3220
3221 case ETHERTYPE_NS:
3222 ll_proto = PPP_NS;
3223 break;
3224
3225 case LLCSAP_ISONS:
3226 ll_proto = PPP_OSI;
3227 break;
3228
3229 case LLCSAP_8021D:
3230 /*
3231 * I'm assuming the "Bridging PDU"s that go
3232 * over PPP are Spanning Tree Protocol
3233 * Bridging PDUs.
3234 */
3235 ll_proto = PPP_BRPDU;
3236 break;
3237
3238 case LLCSAP_IPX:
3239 ll_proto = PPP_IPX;
3240 break;
3241 }
3242 return (ll_proto);
3243 }
3244
3245 /*
3246 * Generate any tests that, for encapsulation of a link-layer packet
3247 * inside another protocol stack, need to be done to check for those
3248 * link-layer packets (and that haven't already been done by a check
3249 * for that encapsulation).
3250 */
3251 static struct block *
gen_prevlinkhdr_check(compiler_state_t * cstate)3252 gen_prevlinkhdr_check(compiler_state_t *cstate)
3253 {
3254 struct block *b0;
3255
3256 if (cstate->is_geneve)
3257 return gen_geneve_ll_check(cstate);
3258
3259 switch (cstate->prevlinktype) {
3260
3261 case DLT_SUNATM:
3262 /*
3263 * This is LANE-encapsulated Ethernet; check that the LANE
3264 * packet doesn't begin with an LE Control marker, i.e.
3265 * that it's data, not a control message.
3266 *
3267 * (We've already generated a test for LANE.)
3268 */
3269 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3270 gen_not(b0);
3271 return b0;
3272
3273 default:
3274 /*
3275 * No such tests are necessary.
3276 */
3277 return NULL;
3278 }
3279 /*NOTREACHED*/
3280 }
3281
3282 /*
3283 * The three different values we should check for when checking for an
3284 * IPv6 packet with DLT_NULL.
3285 */
3286 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3287 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3288 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3289
3290 /*
3291 * Generate code to match a particular packet type by matching the
3292 * link-layer type field or fields in the 802.2 LLC header.
3293 *
3294 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3295 * value, if <= ETHERMTU.
3296 */
3297 static struct block *
gen_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)3298 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3299 {
3300 struct block *b0, *b1, *b2;
3301 const char *description;
3302
3303 /* are we checking MPLS-encapsulated packets? */
3304 if (cstate->label_stack_depth > 0)
3305 return gen_mpls_linktype(cstate, ll_proto);
3306
3307 switch (cstate->linktype) {
3308
3309 case DLT_EN10MB:
3310 case DLT_NETANALYZER:
3311 case DLT_NETANALYZER_TRANSPARENT:
3312 /* Geneve has an EtherType regardless of whether there is an
3313 * L2 header. */
3314 if (!cstate->is_geneve)
3315 b0 = gen_prevlinkhdr_check(cstate);
3316 else
3317 b0 = NULL;
3318
3319 b1 = gen_ether_linktype(cstate, ll_proto);
3320 if (b0 != NULL)
3321 gen_and(b0, b1);
3322 return b1;
3323 /*NOTREACHED*/
3324
3325 case DLT_C_HDLC:
3326 case DLT_HDLC:
3327 switch (ll_proto) {
3328
3329 case LLCSAP_ISONS:
3330 ll_proto = (ll_proto << 8 | LLCSAP_ISONS);
3331 /* fall through */
3332
3333 default:
3334 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3335 /*NOTREACHED*/
3336 }
3337
3338 case DLT_IEEE802_11:
3339 case DLT_PRISM_HEADER:
3340 case DLT_IEEE802_11_RADIO_AVS:
3341 case DLT_IEEE802_11_RADIO:
3342 case DLT_PPI:
3343 /*
3344 * Check that we have a data frame.
3345 */
3346 b0 = gen_check_802_11_data_frame(cstate);
3347
3348 /*
3349 * Now check for the specified link-layer type.
3350 */
3351 b1 = gen_llc_linktype(cstate, ll_proto);
3352 gen_and(b0, b1);
3353 return b1;
3354 /*NOTREACHED*/
3355
3356 case DLT_FDDI:
3357 /*
3358 * XXX - check for LLC frames.
3359 */
3360 return gen_llc_linktype(cstate, ll_proto);
3361 /*NOTREACHED*/
3362
3363 case DLT_IEEE802:
3364 /*
3365 * XXX - check for LLC PDUs, as per IEEE 802.5.
3366 */
3367 return gen_llc_linktype(cstate, ll_proto);
3368 /*NOTREACHED*/
3369
3370 case DLT_ATM_RFC1483:
3371 case DLT_ATM_CLIP:
3372 case DLT_IP_OVER_FC:
3373 return gen_llc_linktype(cstate, ll_proto);
3374 /*NOTREACHED*/
3375
3376 case DLT_SUNATM:
3377 /*
3378 * Check for an LLC-encapsulated version of this protocol;
3379 * if we were checking for LANE, linktype would no longer
3380 * be DLT_SUNATM.
3381 *
3382 * Check for LLC encapsulation and then check the protocol.
3383 */
3384 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3385 b1 = gen_llc_linktype(cstate, ll_proto);
3386 gen_and(b0, b1);
3387 return b1;
3388 /*NOTREACHED*/
3389
3390 case DLT_LINUX_SLL:
3391 return gen_linux_sll_linktype(cstate, ll_proto);
3392 /*NOTREACHED*/
3393
3394 case DLT_SLIP:
3395 case DLT_SLIP_BSDOS:
3396 case DLT_RAW:
3397 /*
3398 * These types don't provide any type field; packets
3399 * are always IPv4 or IPv6.
3400 *
3401 * XXX - for IPv4, check for a version number of 4, and,
3402 * for IPv6, check for a version number of 6?
3403 */
3404 switch (ll_proto) {
3405
3406 case ETHERTYPE_IP:
3407 /* Check for a version number of 4. */
3408 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3409
3410 case ETHERTYPE_IPV6:
3411 /* Check for a version number of 6. */
3412 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3413
3414 default:
3415 return gen_false(cstate); /* always false */
3416 }
3417 /*NOTREACHED*/
3418
3419 case DLT_IPV4:
3420 /*
3421 * Raw IPv4, so no type field.
3422 */
3423 if (ll_proto == ETHERTYPE_IP)
3424 return gen_true(cstate); /* always true */
3425
3426 /* Checking for something other than IPv4; always false */
3427 return gen_false(cstate);
3428 /*NOTREACHED*/
3429
3430 case DLT_IPV6:
3431 /*
3432 * Raw IPv6, so no type field.
3433 */
3434 if (ll_proto == ETHERTYPE_IPV6)
3435 return gen_true(cstate); /* always true */
3436
3437 /* Checking for something other than IPv6; always false */
3438 return gen_false(cstate);
3439 /*NOTREACHED*/
3440
3441 case DLT_PPP:
3442 case DLT_PPP_PPPD:
3443 case DLT_PPP_SERIAL:
3444 case DLT_PPP_ETHER:
3445 /*
3446 * We use Ethernet protocol types inside libpcap;
3447 * map them to the corresponding PPP protocol types.
3448 */
3449 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3450 ethertype_to_ppptype(ll_proto));
3451 /*NOTREACHED*/
3452
3453 case DLT_PPP_BSDOS:
3454 /*
3455 * We use Ethernet protocol types inside libpcap;
3456 * map them to the corresponding PPP protocol types.
3457 */
3458 switch (ll_proto) {
3459
3460 case ETHERTYPE_IP:
3461 /*
3462 * Also check for Van Jacobson-compressed IP.
3463 * XXX - do this for other forms of PPP?
3464 */
3465 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3466 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3467 gen_or(b0, b1);
3468 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3469 gen_or(b1, b0);
3470 return b0;
3471
3472 default:
3473 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3474 ethertype_to_ppptype(ll_proto));
3475 }
3476 /*NOTREACHED*/
3477
3478 case DLT_NULL:
3479 case DLT_LOOP:
3480 case DLT_ENC:
3481 switch (ll_proto) {
3482
3483 case ETHERTYPE_IP:
3484 return (gen_loopback_linktype(cstate, AF_INET));
3485
3486 case ETHERTYPE_IPV6:
3487 /*
3488 * AF_ values may, unfortunately, be platform-
3489 * dependent; AF_INET isn't, because everybody
3490 * used 4.2BSD's value, but AF_INET6 is, because
3491 * 4.2BSD didn't have a value for it (given that
3492 * IPv6 didn't exist back in the early 1980's),
3493 * and they all picked their own values.
3494 *
3495 * This means that, if we're reading from a
3496 * savefile, we need to check for all the
3497 * possible values.
3498 *
3499 * If we're doing a live capture, we only need
3500 * to check for this platform's value; however,
3501 * Npcap uses 24, which isn't Windows's AF_INET6
3502 * value. (Given the multiple different values,
3503 * programs that read pcap files shouldn't be
3504 * checking for their platform's AF_INET6 value
3505 * anyway, they should check for all of the
3506 * possible values. and they might as well do
3507 * that even for live captures.)
3508 */
3509 if (cstate->bpf_pcap->rfile != NULL) {
3510 /*
3511 * Savefile - check for all three
3512 * possible IPv6 values.
3513 */
3514 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3515 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3516 gen_or(b0, b1);
3517 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3518 gen_or(b0, b1);
3519 return (b1);
3520 } else {
3521 /*
3522 * Live capture, so we only need to
3523 * check for the value used on this
3524 * platform.
3525 */
3526 #ifdef _WIN32
3527 /*
3528 * Npcap doesn't use Windows's AF_INET6,
3529 * as that collides with AF_IPX on
3530 * some BSDs (both have the value 23).
3531 * Instead, it uses 24.
3532 */
3533 return (gen_loopback_linktype(cstate, 24));
3534 #else /* _WIN32 */
3535 #ifdef AF_INET6
3536 return (gen_loopback_linktype(cstate, AF_INET6));
3537 #else /* AF_INET6 */
3538 /*
3539 * I guess this platform doesn't support
3540 * IPv6, so we just reject all packets.
3541 */
3542 return gen_false(cstate);
3543 #endif /* AF_INET6 */
3544 #endif /* _WIN32 */
3545 }
3546
3547 default:
3548 /*
3549 * Not a type on which we support filtering.
3550 * XXX - support those that have AF_ values
3551 * #defined on this platform, at least?
3552 */
3553 return gen_false(cstate);
3554 }
3555
3556 case DLT_PFLOG:
3557 /*
3558 * af field is host byte order in contrast to the rest of
3559 * the packet.
3560 */
3561 if (ll_proto == ETHERTYPE_IP)
3562 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3563 BPF_B, AF_INET));
3564 else if (ll_proto == ETHERTYPE_IPV6)
3565 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3566 BPF_B, AF_INET6));
3567 else
3568 return gen_false(cstate);
3569 /*NOTREACHED*/
3570
3571 case DLT_ARCNET:
3572 case DLT_ARCNET_LINUX:
3573 /*
3574 * XXX should we check for first fragment if the protocol
3575 * uses PHDS?
3576 */
3577 switch (ll_proto) {
3578
3579 default:
3580 return gen_false(cstate);
3581
3582 case ETHERTYPE_IPV6:
3583 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3584 ARCTYPE_INET6));
3585
3586 case ETHERTYPE_IP:
3587 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3588 ARCTYPE_IP);
3589 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3590 ARCTYPE_IP_OLD);
3591 gen_or(b0, b1);
3592 return (b1);
3593
3594 case ETHERTYPE_ARP:
3595 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3596 ARCTYPE_ARP);
3597 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3598 ARCTYPE_ARP_OLD);
3599 gen_or(b0, b1);
3600 return (b1);
3601
3602 case ETHERTYPE_REVARP:
3603 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3604 ARCTYPE_REVARP));
3605
3606 case ETHERTYPE_ATALK:
3607 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3608 ARCTYPE_ATALK));
3609 }
3610 /*NOTREACHED*/
3611
3612 case DLT_LTALK:
3613 switch (ll_proto) {
3614 case ETHERTYPE_ATALK:
3615 return gen_true(cstate);
3616 default:
3617 return gen_false(cstate);
3618 }
3619 /*NOTREACHED*/
3620
3621 case DLT_FRELAY:
3622 /*
3623 * XXX - assumes a 2-byte Frame Relay header with
3624 * DLCI and flags. What if the address is longer?
3625 */
3626 switch (ll_proto) {
3627
3628 case ETHERTYPE_IP:
3629 /*
3630 * Check for the special NLPID for IP.
3631 */
3632 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3633
3634 case ETHERTYPE_IPV6:
3635 /*
3636 * Check for the special NLPID for IPv6.
3637 */
3638 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3639
3640 case LLCSAP_ISONS:
3641 /*
3642 * Check for several OSI protocols.
3643 *
3644 * Frame Relay packets typically have an OSI
3645 * NLPID at the beginning; we check for each
3646 * of them.
3647 *
3648 * What we check for is the NLPID and a frame
3649 * control field of UI, i.e. 0x03 followed
3650 * by the NLPID.
3651 */
3652 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3653 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3654 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3655 gen_or(b1, b2);
3656 gen_or(b0, b2);
3657 return b2;
3658
3659 default:
3660 return gen_false(cstate);
3661 }
3662 /*NOTREACHED*/
3663
3664 case DLT_MFR:
3665 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3666
3667 case DLT_JUNIPER_MFR:
3668 case DLT_JUNIPER_MLFR:
3669 case DLT_JUNIPER_MLPPP:
3670 case DLT_JUNIPER_ATM1:
3671 case DLT_JUNIPER_ATM2:
3672 case DLT_JUNIPER_PPPOE:
3673 case DLT_JUNIPER_PPPOE_ATM:
3674 case DLT_JUNIPER_GGSN:
3675 case DLT_JUNIPER_ES:
3676 case DLT_JUNIPER_MONITOR:
3677 case DLT_JUNIPER_SERVICES:
3678 case DLT_JUNIPER_ETHER:
3679 case DLT_JUNIPER_PPP:
3680 case DLT_JUNIPER_FRELAY:
3681 case DLT_JUNIPER_CHDLC:
3682 case DLT_JUNIPER_VP:
3683 case DLT_JUNIPER_ST:
3684 case DLT_JUNIPER_ISM:
3685 case DLT_JUNIPER_VS:
3686 case DLT_JUNIPER_SRX_E2E:
3687 case DLT_JUNIPER_FIBRECHANNEL:
3688 case DLT_JUNIPER_ATM_CEMIC:
3689
3690 /* just lets verify the magic number for now -
3691 * on ATM we may have up to 6 different encapsulations on the wire
3692 * and need a lot of heuristics to figure out that the payload
3693 * might be;
3694 *
3695 * FIXME encapsulation specific BPF_ filters
3696 */
3697 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3698
3699 case DLT_BACNET_MS_TP:
3700 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3701
3702 case DLT_IPNET:
3703 return gen_ipnet_linktype(cstate, ll_proto);
3704
3705 case DLT_LINUX_IRDA:
3706 bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3707
3708 case DLT_DOCSIS:
3709 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3710
3711 case DLT_MTP2:
3712 case DLT_MTP2_WITH_PHDR:
3713 bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3714
3715 case DLT_ERF:
3716 bpf_error(cstate, "ERF link-layer type filtering not implemented");
3717
3718 case DLT_PFSYNC:
3719 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3720
3721 case DLT_LINUX_LAPD:
3722 bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3723
3724 case DLT_USB_FREEBSD:
3725 case DLT_USB_LINUX:
3726 case DLT_USB_LINUX_MMAPPED:
3727 case DLT_USBPCAP:
3728 bpf_error(cstate, "USB link-layer type filtering not implemented");
3729
3730 case DLT_BLUETOOTH_HCI_H4:
3731 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3732 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3733
3734 case DLT_CAN20B:
3735 case DLT_CAN_SOCKETCAN:
3736 bpf_error(cstate, "CAN link-layer type filtering not implemented");
3737
3738 case DLT_IEEE802_15_4:
3739 case DLT_IEEE802_15_4_LINUX:
3740 case DLT_IEEE802_15_4_NONASK_PHY:
3741 case DLT_IEEE802_15_4_NOFCS:
3742 case DLT_IEEE802_15_4_TAP:
3743 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3744
3745 case DLT_IEEE802_16_MAC_CPS_RADIO:
3746 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3747
3748 case DLT_SITA:
3749 bpf_error(cstate, "SITA link-layer type filtering not implemented");
3750
3751 case DLT_RAIF1:
3752 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3753
3754 case DLT_IPMB_KONTRON:
3755 case DLT_IPMB_LINUX:
3756 bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3757
3758 case DLT_AX25_KISS:
3759 bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3760
3761 case DLT_NFLOG:
3762 /* Using the fixed-size NFLOG header it is possible to tell only
3763 * the address family of the packet, other meaningful data is
3764 * either missing or behind TLVs.
3765 */
3766 bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3767
3768 default:
3769 /*
3770 * Does this link-layer header type have a field
3771 * indicating the type of the next protocol? If
3772 * so, off_linktype.constant_part will be the offset of that
3773 * field in the packet; if not, it will be OFFSET_NOT_SET.
3774 */
3775 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3776 /*
3777 * Yes; assume it's an Ethernet type. (If
3778 * it's not, it needs to be handled specially
3779 * above.)
3780 */
3781 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3782 /*NOTREACHED */
3783 } else {
3784 /*
3785 * No; report an error.
3786 */
3787 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype);
3788 bpf_error(cstate, "%s link-layer type filtering not implemented",
3789 description);
3790 /*NOTREACHED */
3791 }
3792 }
3793 }
3794
3795 /*
3796 * Check for an LLC SNAP packet with a given organization code and
3797 * protocol type; we check the entire contents of the 802.2 LLC and
3798 * snap headers, checking for DSAP and SSAP of SNAP and a control
3799 * field of 0x03 in the LLC header, and for the specified organization
3800 * code and protocol type in the SNAP header.
3801 */
3802 static struct block *
gen_snap(compiler_state_t * cstate,bpf_u_int32 orgcode,bpf_u_int32 ptype)3803 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3804 {
3805 u_char snapblock[8];
3806
3807 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3808 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3809 snapblock[2] = 0x03; /* control = UI */
3810 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
3811 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
3812 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
3813 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
3814 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
3815 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3816 }
3817
3818 /*
3819 * Generate code to match frames with an LLC header.
3820 */
3821 static struct block *
gen_llc_internal(compiler_state_t * cstate)3822 gen_llc_internal(compiler_state_t *cstate)
3823 {
3824 struct block *b0, *b1;
3825
3826 switch (cstate->linktype) {
3827
3828 case DLT_EN10MB:
3829 /*
3830 * We check for an Ethernet type field less than
3831 * 1500, which means it's an 802.3 length field.
3832 */
3833 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3834 gen_not(b0);
3835
3836 /*
3837 * Now check for the purported DSAP and SSAP not being
3838 * 0xFF, to rule out NetWare-over-802.3.
3839 */
3840 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
3841 gen_not(b1);
3842 gen_and(b0, b1);
3843 return b1;
3844
3845 case DLT_SUNATM:
3846 /*
3847 * We check for LLC traffic.
3848 */
3849 b0 = gen_atmtype_llc(cstate);
3850 return b0;
3851
3852 case DLT_IEEE802: /* Token Ring */
3853 /*
3854 * XXX - check for LLC frames.
3855 */
3856 return gen_true(cstate);
3857
3858 case DLT_FDDI:
3859 /*
3860 * XXX - check for LLC frames.
3861 */
3862 return gen_true(cstate);
3863
3864 case DLT_ATM_RFC1483:
3865 /*
3866 * For LLC encapsulation, these are defined to have an
3867 * 802.2 LLC header.
3868 *
3869 * For VC encapsulation, they don't, but there's no
3870 * way to check for that; the protocol used on the VC
3871 * is negotiated out of band.
3872 */
3873 return gen_true(cstate);
3874
3875 case DLT_IEEE802_11:
3876 case DLT_PRISM_HEADER:
3877 case DLT_IEEE802_11_RADIO:
3878 case DLT_IEEE802_11_RADIO_AVS:
3879 case DLT_PPI:
3880 /*
3881 * Check that we have a data frame.
3882 */
3883 b0 = gen_check_802_11_data_frame(cstate);
3884 return b0;
3885
3886 default:
3887 bpf_error(cstate, "'llc' not supported for %s",
3888 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
3889 /*NOTREACHED*/
3890 }
3891 }
3892
3893 struct block *
gen_llc(compiler_state_t * cstate)3894 gen_llc(compiler_state_t *cstate)
3895 {
3896 /*
3897 * Catch errors reported by us and routines below us, and return NULL
3898 * on an error.
3899 */
3900 if (setjmp(cstate->top_ctx))
3901 return (NULL);
3902
3903 return gen_llc_internal(cstate);
3904 }
3905
3906 struct block *
gen_llc_i(compiler_state_t * cstate)3907 gen_llc_i(compiler_state_t *cstate)
3908 {
3909 struct block *b0, *b1;
3910 struct slist *s;
3911
3912 /*
3913 * Catch errors reported by us and routines below us, and return NULL
3914 * on an error.
3915 */
3916 if (setjmp(cstate->top_ctx))
3917 return (NULL);
3918
3919 /*
3920 * Check whether this is an LLC frame.
3921 */
3922 b0 = gen_llc_internal(cstate);
3923
3924 /*
3925 * Load the control byte and test the low-order bit; it must
3926 * be clear for I frames.
3927 */
3928 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3929 b1 = new_block(cstate, JMP(BPF_JSET));
3930 b1->s.k = 0x01;
3931 b1->stmts = s;
3932 gen_not(b1);
3933 gen_and(b0, b1);
3934 return b1;
3935 }
3936
3937 struct block *
gen_llc_s(compiler_state_t * cstate)3938 gen_llc_s(compiler_state_t *cstate)
3939 {
3940 struct block *b0, *b1;
3941
3942 /*
3943 * Catch errors reported by us and routines below us, and return NULL
3944 * on an error.
3945 */
3946 if (setjmp(cstate->top_ctx))
3947 return (NULL);
3948
3949 /*
3950 * Check whether this is an LLC frame.
3951 */
3952 b0 = gen_llc_internal(cstate);
3953
3954 /*
3955 * Now compare the low-order 2 bit of the control byte against
3956 * the appropriate value for S frames.
3957 */
3958 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3959 gen_and(b0, b1);
3960 return b1;
3961 }
3962
3963 struct block *
gen_llc_u(compiler_state_t * cstate)3964 gen_llc_u(compiler_state_t *cstate)
3965 {
3966 struct block *b0, *b1;
3967
3968 /*
3969 * Catch errors reported by us and routines below us, and return NULL
3970 * on an error.
3971 */
3972 if (setjmp(cstate->top_ctx))
3973 return (NULL);
3974
3975 /*
3976 * Check whether this is an LLC frame.
3977 */
3978 b0 = gen_llc_internal(cstate);
3979
3980 /*
3981 * Now compare the low-order 2 bit of the control byte against
3982 * the appropriate value for U frames.
3983 */
3984 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3985 gen_and(b0, b1);
3986 return b1;
3987 }
3988
3989 struct block *
gen_llc_s_subtype(compiler_state_t * cstate,bpf_u_int32 subtype)3990 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3991 {
3992 struct block *b0, *b1;
3993
3994 /*
3995 * Catch errors reported by us and routines below us, and return NULL
3996 * on an error.
3997 */
3998 if (setjmp(cstate->top_ctx))
3999 return (NULL);
4000
4001 /*
4002 * Check whether this is an LLC frame.
4003 */
4004 b0 = gen_llc_internal(cstate);
4005
4006 /*
4007 * Now check for an S frame with the appropriate type.
4008 */
4009 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
4010 gen_and(b0, b1);
4011 return b1;
4012 }
4013
4014 struct block *
gen_llc_u_subtype(compiler_state_t * cstate,bpf_u_int32 subtype)4015 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
4016 {
4017 struct block *b0, *b1;
4018
4019 /*
4020 * Catch errors reported by us and routines below us, and return NULL
4021 * on an error.
4022 */
4023 if (setjmp(cstate->top_ctx))
4024 return (NULL);
4025
4026 /*
4027 * Check whether this is an LLC frame.
4028 */
4029 b0 = gen_llc_internal(cstate);
4030
4031 /*
4032 * Now check for a U frame with the appropriate type.
4033 */
4034 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
4035 gen_and(b0, b1);
4036 return b1;
4037 }
4038
4039 /*
4040 * Generate code to match a particular packet type, for link-layer types
4041 * using 802.2 LLC headers.
4042 *
4043 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
4044 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
4045 *
4046 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
4047 * value, if <= ETHERMTU. We use that to determine whether to
4048 * match the DSAP or both DSAP and LSAP or to check the OUI and
4049 * protocol ID in a SNAP header.
4050 */
4051 static struct block *
gen_llc_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)4052 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
4053 {
4054 /*
4055 * XXX - handle token-ring variable-length header.
4056 */
4057 switch (ll_proto) {
4058
4059 case LLCSAP_IP:
4060 case LLCSAP_ISONS:
4061 case LLCSAP_NETBEUI:
4062 /*
4063 * XXX - should we check both the DSAP and the
4064 * SSAP, like this, or should we check just the
4065 * DSAP, as we do for other SAP values?
4066 */
4067 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
4068 ((ll_proto << 8) | ll_proto));
4069
4070 case LLCSAP_IPX:
4071 /*
4072 * XXX - are there ever SNAP frames for IPX on
4073 * non-Ethernet 802.x networks?
4074 */
4075 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
4076
4077 case ETHERTYPE_ATALK:
4078 /*
4079 * 802.2-encapsulated ETHERTYPE_ATALK packets are
4080 * SNAP packets with an organization code of
4081 * 0x080007 (Apple, for Appletalk) and a protocol
4082 * type of ETHERTYPE_ATALK (Appletalk).
4083 *
4084 * XXX - check for an organization code of
4085 * encapsulated Ethernet as well?
4086 */
4087 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
4088
4089 default:
4090 /*
4091 * XXX - we don't have to check for IPX 802.3
4092 * here, but should we check for the IPX Ethertype?
4093 */
4094 if (ll_proto <= ETHERMTU) {
4095 /*
4096 * This is an LLC SAP value, so check
4097 * the DSAP.
4098 */
4099 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto);
4100 } else {
4101 /*
4102 * This is an Ethernet type; we assume that it's
4103 * unlikely that it'll appear in the right place
4104 * at random, and therefore check only the
4105 * location that would hold the Ethernet type
4106 * in a SNAP frame with an organization code of
4107 * 0x000000 (encapsulated Ethernet).
4108 *
4109 * XXX - if we were to check for the SNAP DSAP and
4110 * LSAP, as per XXX, and were also to check for an
4111 * organization code of 0x000000 (encapsulated
4112 * Ethernet), we'd do
4113 *
4114 * return gen_snap(cstate, 0x000000, ll_proto);
4115 *
4116 * here; for now, we don't, as per the above.
4117 * I don't know whether it's worth the extra CPU
4118 * time to do the right check or not.
4119 */
4120 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto);
4121 }
4122 }
4123 }
4124
4125 static struct block *
gen_hostop(compiler_state_t * cstate,bpf_u_int32 addr,bpf_u_int32 mask,int dir,bpf_u_int32 ll_proto,u_int src_off,u_int dst_off)4126 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4127 int dir, bpf_u_int32 ll_proto, u_int src_off, u_int dst_off)
4128 {
4129 struct block *b0, *b1;
4130 u_int offset;
4131
4132 switch (dir) {
4133
4134 case Q_SRC:
4135 offset = src_off;
4136 break;
4137
4138 case Q_DST:
4139 offset = dst_off;
4140 break;
4141
4142 case Q_AND:
4143 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4144 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4145 gen_and(b0, b1);
4146 return b1;
4147
4148 case Q_DEFAULT:
4149 case Q_OR:
4150 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4151 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4152 gen_or(b0, b1);
4153 return b1;
4154
4155 case Q_ADDR1:
4156 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4157 /*NOTREACHED*/
4158
4159 case Q_ADDR2:
4160 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4161 /*NOTREACHED*/
4162
4163 case Q_ADDR3:
4164 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4165 /*NOTREACHED*/
4166
4167 case Q_ADDR4:
4168 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4169 /*NOTREACHED*/
4170
4171 case Q_RA:
4172 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4173 /*NOTREACHED*/
4174
4175 case Q_TA:
4176 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4177 /*NOTREACHED*/
4178
4179 default:
4180 abort();
4181 /*NOTREACHED*/
4182 }
4183 b0 = gen_linktype(cstate, ll_proto);
4184 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask);
4185 gen_and(b0, b1);
4186 return b1;
4187 }
4188
4189 #ifdef INET6
4190 static struct block *
gen_hostop6(compiler_state_t * cstate,struct in6_addr * addr,struct in6_addr * mask,int dir,bpf_u_int32 ll_proto,u_int src_off,u_int dst_off)4191 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4192 struct in6_addr *mask, int dir, bpf_u_int32 ll_proto, u_int src_off,
4193 u_int dst_off)
4194 {
4195 struct block *b0, *b1;
4196 u_int offset;
4197 /*
4198 * Code below needs to access four separate 32-bit parts of the 128-bit
4199 * IPv6 address and mask. In some OSes this is as simple as using the
4200 * s6_addr32 pseudo-member of struct in6_addr, which contains a union of
4201 * 8-, 16- and 32-bit arrays. In other OSes this is not the case, as
4202 * far as libpcap sees it. Hence copy the data before use to avoid
4203 * potential unaligned memory access and the associated compiler
4204 * warnings (whether genuine or not).
4205 */
4206 bpf_u_int32 a[4], m[4];
4207
4208 switch (dir) {
4209
4210 case Q_SRC:
4211 offset = src_off;
4212 break;
4213
4214 case Q_DST:
4215 offset = dst_off;
4216 break;
4217
4218 case Q_AND:
4219 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4220 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4221 gen_and(b0, b1);
4222 return b1;
4223
4224 case Q_DEFAULT:
4225 case Q_OR:
4226 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4227 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4228 gen_or(b0, b1);
4229 return b1;
4230
4231 case Q_ADDR1:
4232 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4233 /*NOTREACHED*/
4234
4235 case Q_ADDR2:
4236 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4237 /*NOTREACHED*/
4238
4239 case Q_ADDR3:
4240 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4241 /*NOTREACHED*/
4242
4243 case Q_ADDR4:
4244 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4245 /*NOTREACHED*/
4246
4247 case Q_RA:
4248 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4249 /*NOTREACHED*/
4250
4251 case Q_TA:
4252 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4253 /*NOTREACHED*/
4254
4255 default:
4256 abort();
4257 /*NOTREACHED*/
4258 }
4259 /* this order is important */
4260 memcpy(a, addr, sizeof(a));
4261 memcpy(m, mask, sizeof(m));
4262 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4263 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4264 gen_and(b0, b1);
4265 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4266 gen_and(b0, b1);
4267 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4268 gen_and(b0, b1);
4269 b0 = gen_linktype(cstate, ll_proto);
4270 gen_and(b0, b1);
4271 return b1;
4272 }
4273 #endif
4274
4275 static struct block *
gen_ehostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4276 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4277 {
4278 register struct block *b0, *b1;
4279
4280 switch (dir) {
4281 case Q_SRC:
4282 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4283
4284 case Q_DST:
4285 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4286
4287 case Q_AND:
4288 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4289 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4290 gen_and(b0, b1);
4291 return b1;
4292
4293 case Q_DEFAULT:
4294 case Q_OR:
4295 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4296 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4297 gen_or(b0, b1);
4298 return b1;
4299
4300 case Q_ADDR1:
4301 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4302 /*NOTREACHED*/
4303
4304 case Q_ADDR2:
4305 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4306 /*NOTREACHED*/
4307
4308 case Q_ADDR3:
4309 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4310 /*NOTREACHED*/
4311
4312 case Q_ADDR4:
4313 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4314 /*NOTREACHED*/
4315
4316 case Q_RA:
4317 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4318 /*NOTREACHED*/
4319
4320 case Q_TA:
4321 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4322 /*NOTREACHED*/
4323 }
4324 abort();
4325 /*NOTREACHED*/
4326 }
4327
4328 /*
4329 * Like gen_ehostop, but for DLT_FDDI
4330 */
4331 static struct block *
gen_fhostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4332 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4333 {
4334 struct block *b0, *b1;
4335
4336 switch (dir) {
4337 case Q_SRC:
4338 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4339
4340 case Q_DST:
4341 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4342
4343 case Q_AND:
4344 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4345 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4346 gen_and(b0, b1);
4347 return b1;
4348
4349 case Q_DEFAULT:
4350 case Q_OR:
4351 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4352 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4353 gen_or(b0, b1);
4354 return b1;
4355
4356 case Q_ADDR1:
4357 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4358 /*NOTREACHED*/
4359
4360 case Q_ADDR2:
4361 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4362 /*NOTREACHED*/
4363
4364 case Q_ADDR3:
4365 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4366 /*NOTREACHED*/
4367
4368 case Q_ADDR4:
4369 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4370 /*NOTREACHED*/
4371
4372 case Q_RA:
4373 bpf_error(cstate, "'ra' is only supported on 802.11");
4374 /*NOTREACHED*/
4375
4376 case Q_TA:
4377 bpf_error(cstate, "'ta' is only supported on 802.11");
4378 /*NOTREACHED*/
4379 }
4380 abort();
4381 /*NOTREACHED*/
4382 }
4383
4384 /*
4385 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4386 */
4387 static struct block *
gen_thostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4388 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4389 {
4390 register struct block *b0, *b1;
4391
4392 switch (dir) {
4393 case Q_SRC:
4394 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4395
4396 case Q_DST:
4397 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4398
4399 case Q_AND:
4400 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4401 b1 = gen_thostop(cstate, eaddr, Q_DST);
4402 gen_and(b0, b1);
4403 return b1;
4404
4405 case Q_DEFAULT:
4406 case Q_OR:
4407 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4408 b1 = gen_thostop(cstate, eaddr, Q_DST);
4409 gen_or(b0, b1);
4410 return b1;
4411
4412 case Q_ADDR1:
4413 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4414 /*NOTREACHED*/
4415
4416 case Q_ADDR2:
4417 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4418 /*NOTREACHED*/
4419
4420 case Q_ADDR3:
4421 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4422 /*NOTREACHED*/
4423
4424 case Q_ADDR4:
4425 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4426 /*NOTREACHED*/
4427
4428 case Q_RA:
4429 bpf_error(cstate, "'ra' is only supported on 802.11");
4430 /*NOTREACHED*/
4431
4432 case Q_TA:
4433 bpf_error(cstate, "'ta' is only supported on 802.11");
4434 /*NOTREACHED*/
4435 }
4436 abort();
4437 /*NOTREACHED*/
4438 }
4439
4440 /*
4441 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4442 * various 802.11 + radio headers.
4443 */
4444 static struct block *
gen_wlanhostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4445 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4446 {
4447 register struct block *b0, *b1, *b2;
4448 register struct slist *s;
4449
4450 #ifdef ENABLE_WLAN_FILTERING_PATCH
4451 /*
4452 * TODO GV 20070613
4453 * We need to disable the optimizer because the optimizer is buggy
4454 * and wipes out some LD instructions generated by the below
4455 * code to validate the Frame Control bits
4456 */
4457 cstate->no_optimize = 1;
4458 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4459
4460 switch (dir) {
4461 case Q_SRC:
4462 /*
4463 * Oh, yuk.
4464 *
4465 * For control frames, there is no SA.
4466 *
4467 * For management frames, SA is at an
4468 * offset of 10 from the beginning of
4469 * the packet.
4470 *
4471 * For data frames, SA is at an offset
4472 * of 10 from the beginning of the packet
4473 * if From DS is clear, at an offset of
4474 * 16 from the beginning of the packet
4475 * if From DS is set and To DS is clear,
4476 * and an offset of 24 from the beginning
4477 * of the packet if From DS is set and To DS
4478 * is set.
4479 */
4480
4481 /*
4482 * Generate the tests to be done for data frames
4483 * with From DS set.
4484 *
4485 * First, check for To DS set, i.e. check "link[1] & 0x01".
4486 */
4487 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4488 b1 = new_block(cstate, JMP(BPF_JSET));
4489 b1->s.k = 0x01; /* To DS */
4490 b1->stmts = s;
4491
4492 /*
4493 * If To DS is set, the SA is at 24.
4494 */
4495 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4496 gen_and(b1, b0);
4497
4498 /*
4499 * Now, check for To DS not set, i.e. check
4500 * "!(link[1] & 0x01)".
4501 */
4502 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4503 b2 = new_block(cstate, JMP(BPF_JSET));
4504 b2->s.k = 0x01; /* To DS */
4505 b2->stmts = s;
4506 gen_not(b2);
4507
4508 /*
4509 * If To DS is not set, the SA is at 16.
4510 */
4511 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4512 gen_and(b2, b1);
4513
4514 /*
4515 * Now OR together the last two checks. That gives
4516 * the complete set of checks for data frames with
4517 * From DS set.
4518 */
4519 gen_or(b1, b0);
4520
4521 /*
4522 * Now check for From DS being set, and AND that with
4523 * the ORed-together checks.
4524 */
4525 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4526 b1 = new_block(cstate, JMP(BPF_JSET));
4527 b1->s.k = 0x02; /* From DS */
4528 b1->stmts = s;
4529 gen_and(b1, b0);
4530
4531 /*
4532 * Now check for data frames with From DS not set.
4533 */
4534 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4535 b2 = new_block(cstate, JMP(BPF_JSET));
4536 b2->s.k = 0x02; /* From DS */
4537 b2->stmts = s;
4538 gen_not(b2);
4539
4540 /*
4541 * If From DS isn't set, the SA is at 10.
4542 */
4543 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4544 gen_and(b2, b1);
4545
4546 /*
4547 * Now OR together the checks for data frames with
4548 * From DS not set and for data frames with From DS
4549 * set; that gives the checks done for data frames.
4550 */
4551 gen_or(b1, b0);
4552
4553 /*
4554 * Now check for a data frame.
4555 * I.e, check "link[0] & 0x08".
4556 */
4557 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4558 b1 = new_block(cstate, JMP(BPF_JSET));
4559 b1->s.k = 0x08;
4560 b1->stmts = s;
4561
4562 /*
4563 * AND that with the checks done for data frames.
4564 */
4565 gen_and(b1, b0);
4566
4567 /*
4568 * If the high-order bit of the type value is 0, this
4569 * is a management frame.
4570 * I.e, check "!(link[0] & 0x08)".
4571 */
4572 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4573 b2 = new_block(cstate, JMP(BPF_JSET));
4574 b2->s.k = 0x08;
4575 b2->stmts = s;
4576 gen_not(b2);
4577
4578 /*
4579 * For management frames, the SA is at 10.
4580 */
4581 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4582 gen_and(b2, b1);
4583
4584 /*
4585 * OR that with the checks done for data frames.
4586 * That gives the checks done for management and
4587 * data frames.
4588 */
4589 gen_or(b1, b0);
4590
4591 /*
4592 * If the low-order bit of the type value is 1,
4593 * this is either a control frame or a frame
4594 * with a reserved type, and thus not a
4595 * frame with an SA.
4596 *
4597 * I.e., check "!(link[0] & 0x04)".
4598 */
4599 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4600 b1 = new_block(cstate, JMP(BPF_JSET));
4601 b1->s.k = 0x04;
4602 b1->stmts = s;
4603 gen_not(b1);
4604
4605 /*
4606 * AND that with the checks for data and management
4607 * frames.
4608 */
4609 gen_and(b1, b0);
4610 return b0;
4611
4612 case Q_DST:
4613 /*
4614 * Oh, yuk.
4615 *
4616 * For control frames, there is no DA.
4617 *
4618 * For management frames, DA is at an
4619 * offset of 4 from the beginning of
4620 * the packet.
4621 *
4622 * For data frames, DA is at an offset
4623 * of 4 from the beginning of the packet
4624 * if To DS is clear and at an offset of
4625 * 16 from the beginning of the packet
4626 * if To DS is set.
4627 */
4628
4629 /*
4630 * Generate the tests to be done for data frames.
4631 *
4632 * First, check for To DS set, i.e. "link[1] & 0x01".
4633 */
4634 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4635 b1 = new_block(cstate, JMP(BPF_JSET));
4636 b1->s.k = 0x01; /* To DS */
4637 b1->stmts = s;
4638
4639 /*
4640 * If To DS is set, the DA is at 16.
4641 */
4642 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4643 gen_and(b1, b0);
4644
4645 /*
4646 * Now, check for To DS not set, i.e. check
4647 * "!(link[1] & 0x01)".
4648 */
4649 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4650 b2 = new_block(cstate, JMP(BPF_JSET));
4651 b2->s.k = 0x01; /* To DS */
4652 b2->stmts = s;
4653 gen_not(b2);
4654
4655 /*
4656 * If To DS is not set, the DA is at 4.
4657 */
4658 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4659 gen_and(b2, b1);
4660
4661 /*
4662 * Now OR together the last two checks. That gives
4663 * the complete set of checks for data frames.
4664 */
4665 gen_or(b1, b0);
4666
4667 /*
4668 * Now check for a data frame.
4669 * I.e, check "link[0] & 0x08".
4670 */
4671 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4672 b1 = new_block(cstate, JMP(BPF_JSET));
4673 b1->s.k = 0x08;
4674 b1->stmts = s;
4675
4676 /*
4677 * AND that with the checks done for data frames.
4678 */
4679 gen_and(b1, b0);
4680
4681 /*
4682 * If the high-order bit of the type value is 0, this
4683 * is a management frame.
4684 * I.e, check "!(link[0] & 0x08)".
4685 */
4686 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4687 b2 = new_block(cstate, JMP(BPF_JSET));
4688 b2->s.k = 0x08;
4689 b2->stmts = s;
4690 gen_not(b2);
4691
4692 /*
4693 * For management frames, the DA is at 4.
4694 */
4695 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4696 gen_and(b2, b1);
4697
4698 /*
4699 * OR that with the checks done for data frames.
4700 * That gives the checks done for management and
4701 * data frames.
4702 */
4703 gen_or(b1, b0);
4704
4705 /*
4706 * If the low-order bit of the type value is 1,
4707 * this is either a control frame or a frame
4708 * with a reserved type, and thus not a
4709 * frame with an SA.
4710 *
4711 * I.e., check "!(link[0] & 0x04)".
4712 */
4713 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4714 b1 = new_block(cstate, JMP(BPF_JSET));
4715 b1->s.k = 0x04;
4716 b1->stmts = s;
4717 gen_not(b1);
4718
4719 /*
4720 * AND that with the checks for data and management
4721 * frames.
4722 */
4723 gen_and(b1, b0);
4724 return b0;
4725
4726 case Q_AND:
4727 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4728 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4729 gen_and(b0, b1);
4730 return b1;
4731
4732 case Q_DEFAULT:
4733 case Q_OR:
4734 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4735 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4736 gen_or(b0, b1);
4737 return b1;
4738
4739 /*
4740 * XXX - add BSSID keyword?
4741 */
4742 case Q_ADDR1:
4743 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4744
4745 case Q_ADDR2:
4746 /*
4747 * Not present in CTS or ACK control frames.
4748 */
4749 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4750 IEEE80211_FC0_TYPE_MASK);
4751 gen_not(b0);
4752 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4753 IEEE80211_FC0_SUBTYPE_MASK);
4754 gen_not(b1);
4755 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4756 IEEE80211_FC0_SUBTYPE_MASK);
4757 gen_not(b2);
4758 gen_and(b1, b2);
4759 gen_or(b0, b2);
4760 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4761 gen_and(b2, b1);
4762 return b1;
4763
4764 case Q_ADDR3:
4765 /*
4766 * Not present in control frames.
4767 */
4768 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4769 IEEE80211_FC0_TYPE_MASK);
4770 gen_not(b0);
4771 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4772 gen_and(b0, b1);
4773 return b1;
4774
4775 case Q_ADDR4:
4776 /*
4777 * Present only if the direction mask has both "From DS"
4778 * and "To DS" set. Neither control frames nor management
4779 * frames should have both of those set, so we don't
4780 * check the frame type.
4781 */
4782 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4783 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4784 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4785 gen_and(b0, b1);
4786 return b1;
4787
4788 case Q_RA:
4789 /*
4790 * Not present in management frames; addr1 in other
4791 * frames.
4792 */
4793
4794 /*
4795 * If the high-order bit of the type value is 0, this
4796 * is a management frame.
4797 * I.e, check "(link[0] & 0x08)".
4798 */
4799 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4800 b1 = new_block(cstate, JMP(BPF_JSET));
4801 b1->s.k = 0x08;
4802 b1->stmts = s;
4803
4804 /*
4805 * Check addr1.
4806 */
4807 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4808
4809 /*
4810 * AND that with the check of addr1.
4811 */
4812 gen_and(b1, b0);
4813 return (b0);
4814
4815 case Q_TA:
4816 /*
4817 * Not present in management frames; addr2, if present,
4818 * in other frames.
4819 */
4820
4821 /*
4822 * Not present in CTS or ACK control frames.
4823 */
4824 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4825 IEEE80211_FC0_TYPE_MASK);
4826 gen_not(b0);
4827 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4828 IEEE80211_FC0_SUBTYPE_MASK);
4829 gen_not(b1);
4830 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4831 IEEE80211_FC0_SUBTYPE_MASK);
4832 gen_not(b2);
4833 gen_and(b1, b2);
4834 gen_or(b0, b2);
4835
4836 /*
4837 * If the high-order bit of the type value is 0, this
4838 * is a management frame.
4839 * I.e, check "(link[0] & 0x08)".
4840 */
4841 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4842 b1 = new_block(cstate, JMP(BPF_JSET));
4843 b1->s.k = 0x08;
4844 b1->stmts = s;
4845
4846 /*
4847 * AND that with the check for frames other than
4848 * CTS and ACK frames.
4849 */
4850 gen_and(b1, b2);
4851
4852 /*
4853 * Check addr2.
4854 */
4855 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4856 gen_and(b2, b1);
4857 return b1;
4858 }
4859 abort();
4860 /*NOTREACHED*/
4861 }
4862
4863 /*
4864 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4865 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4866 * as the RFC states.)
4867 */
4868 static struct block *
gen_ipfchostop(compiler_state_t * cstate,const u_char * eaddr,int dir)4869 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4870 {
4871 register struct block *b0, *b1;
4872
4873 switch (dir) {
4874 case Q_SRC:
4875 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4876
4877 case Q_DST:
4878 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4879
4880 case Q_AND:
4881 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4882 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4883 gen_and(b0, b1);
4884 return b1;
4885
4886 case Q_DEFAULT:
4887 case Q_OR:
4888 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4889 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4890 gen_or(b0, b1);
4891 return b1;
4892
4893 case Q_ADDR1:
4894 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4895 /*NOTREACHED*/
4896
4897 case Q_ADDR2:
4898 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4899 /*NOTREACHED*/
4900
4901 case Q_ADDR3:
4902 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4903 /*NOTREACHED*/
4904
4905 case Q_ADDR4:
4906 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4907 /*NOTREACHED*/
4908
4909 case Q_RA:
4910 bpf_error(cstate, "'ra' is only supported on 802.11");
4911 /*NOTREACHED*/
4912
4913 case Q_TA:
4914 bpf_error(cstate, "'ta' is only supported on 802.11");
4915 /*NOTREACHED*/
4916 }
4917 abort();
4918 /*NOTREACHED*/
4919 }
4920
4921 /*
4922 * This is quite tricky because there may be pad bytes in front of the
4923 * DECNET header, and then there are two possible data packet formats that
4924 * carry both src and dst addresses, plus 5 packet types in a format that
4925 * carries only the src node, plus 2 types that use a different format and
4926 * also carry just the src node.
4927 *
4928 * Yuck.
4929 *
4930 * Instead of doing those all right, we just look for data packets with
4931 * 0 or 1 bytes of padding. If you want to look at other packets, that
4932 * will require a lot more hacking.
4933 *
4934 * To add support for filtering on DECNET "areas" (network numbers)
4935 * one would want to add a "mask" argument to this routine. That would
4936 * make the filter even more inefficient, although one could be clever
4937 * and not generate masking instructions if the mask is 0xFFFF.
4938 */
4939 static struct block *
gen_dnhostop(compiler_state_t * cstate,bpf_u_int32 addr,int dir)4940 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4941 {
4942 struct block *b0, *b1, *b2, *tmp;
4943 u_int offset_lh; /* offset if long header is received */
4944 u_int offset_sh; /* offset if short header is received */
4945
4946 switch (dir) {
4947
4948 case Q_DST:
4949 offset_sh = 1; /* follows flags */
4950 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4951 break;
4952
4953 case Q_SRC:
4954 offset_sh = 3; /* follows flags, dstnode */
4955 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4956 break;
4957
4958 case Q_AND:
4959 /* Inefficient because we do our Calvinball dance twice */
4960 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4961 b1 = gen_dnhostop(cstate, addr, Q_DST);
4962 gen_and(b0, b1);
4963 return b1;
4964
4965 case Q_DEFAULT:
4966 case Q_OR:
4967 /* Inefficient because we do our Calvinball dance twice */
4968 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4969 b1 = gen_dnhostop(cstate, addr, Q_DST);
4970 gen_or(b0, b1);
4971 return b1;
4972
4973 case Q_ADDR1:
4974 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4975 /*NOTREACHED*/
4976
4977 case Q_ADDR2:
4978 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4979 /*NOTREACHED*/
4980
4981 case Q_ADDR3:
4982 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4983 /*NOTREACHED*/
4984
4985 case Q_ADDR4:
4986 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4987 /*NOTREACHED*/
4988
4989 case Q_RA:
4990 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4991 /*NOTREACHED*/
4992
4993 case Q_TA:
4994 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4995 /*NOTREACHED*/
4996
4997 default:
4998 abort();
4999 /*NOTREACHED*/
5000 }
5001 b0 = gen_linktype(cstate, ETHERTYPE_DN);
5002 /* Check for pad = 1, long header case */
5003 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
5004 (bpf_u_int32)ntohs(0x0681), (bpf_u_int32)ntohs(0x07FF));
5005 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
5006 BPF_H, (bpf_u_int32)ntohs((u_short)addr));
5007 gen_and(tmp, b1);
5008 /* Check for pad = 0, long header case */
5009 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x06,
5010 (bpf_u_int32)0x7);
5011 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H,
5012 (bpf_u_int32)ntohs((u_short)addr));
5013 gen_and(tmp, b2);
5014 gen_or(b2, b1);
5015 /* Check for pad = 1, short header case */
5016 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
5017 (bpf_u_int32)ntohs(0x0281), (bpf_u_int32)ntohs(0x07FF));
5018 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H,
5019 (bpf_u_int32)ntohs((u_short)addr));
5020 gen_and(tmp, b2);
5021 gen_or(b2, b1);
5022 /* Check for pad = 0, short header case */
5023 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x02,
5024 (bpf_u_int32)0x7);
5025 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H,
5026 (bpf_u_int32)ntohs((u_short)addr));
5027 gen_and(tmp, b2);
5028 gen_or(b2, b1);
5029
5030 /* Combine with test for cstate->linktype */
5031 gen_and(b0, b1);
5032 return b1;
5033 }
5034
5035 /*
5036 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
5037 * test the bottom-of-stack bit, and then check the version number
5038 * field in the IP header.
5039 */
5040 static struct block *
gen_mpls_linktype(compiler_state_t * cstate,bpf_u_int32 ll_proto)5041 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
5042 {
5043 struct block *b0, *b1;
5044
5045 switch (ll_proto) {
5046
5047 case ETHERTYPE_IP:
5048 /* match the bottom-of-stack bit */
5049 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
5050 /* match the IPv4 version number */
5051 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
5052 gen_and(b0, b1);
5053 return b1;
5054
5055 case ETHERTYPE_IPV6:
5056 /* match the bottom-of-stack bit */
5057 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
5058 /* match the IPv4 version number */
5059 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
5060 gen_and(b0, b1);
5061 return b1;
5062
5063 default:
5064 /* FIXME add other L3 proto IDs */
5065 bpf_error(cstate, "unsupported protocol over mpls");
5066 /*NOTREACHED*/
5067 }
5068 }
5069
5070 static struct block *
gen_host(compiler_state_t * cstate,bpf_u_int32 addr,bpf_u_int32 mask,int proto,int dir,int type)5071 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
5072 int proto, int dir, int type)
5073 {
5074 struct block *b0, *b1;
5075 const char *typestr;
5076
5077 if (type == Q_NET)
5078 typestr = "net";
5079 else
5080 typestr = "host";
5081
5082 switch (proto) {
5083
5084 case Q_DEFAULT:
5085 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
5086 /*
5087 * Only check for non-IPv4 addresses if we're not
5088 * checking MPLS-encapsulated packets.
5089 */
5090 if (cstate->label_stack_depth == 0) {
5091 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
5092 gen_or(b0, b1);
5093 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
5094 gen_or(b1, b0);
5095 }
5096 return b0;
5097
5098 case Q_LINK:
5099 bpf_error(cstate, "link-layer modifier applied to %s", typestr);
5100
5101 case Q_IP:
5102 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
5103
5104 case Q_RARP:
5105 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
5106
5107 case Q_ARP:
5108 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
5109
5110 case Q_SCTP:
5111 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
5112
5113 case Q_TCP:
5114 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
5115
5116 case Q_UDP:
5117 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
5118
5119 case Q_ICMP:
5120 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
5121
5122 case Q_IGMP:
5123 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
5124
5125 case Q_IGRP:
5126 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
5127
5128 case Q_ATALK:
5129 bpf_error(cstate, "AppleTalk host filtering not implemented");
5130
5131 case Q_DECNET:
5132 return gen_dnhostop(cstate, addr, dir);
5133
5134 case Q_LAT:
5135 bpf_error(cstate, "LAT host filtering not implemented");
5136
5137 case Q_SCA:
5138 bpf_error(cstate, "SCA host filtering not implemented");
5139
5140 case Q_MOPRC:
5141 bpf_error(cstate, "MOPRC host filtering not implemented");
5142
5143 case Q_MOPDL:
5144 bpf_error(cstate, "MOPDL host filtering not implemented");
5145
5146 case Q_IPV6:
5147 bpf_error(cstate, "'ip6' modifier applied to ip host");
5148
5149 case Q_ICMPV6:
5150 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
5151
5152 case Q_AH:
5153 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
5154
5155 case Q_ESP:
5156 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
5157
5158 case Q_PIM:
5159 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
5160
5161 case Q_VRRP:
5162 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
5163
5164 case Q_AARP:
5165 bpf_error(cstate, "AARP host filtering not implemented");
5166
5167 case Q_ISO:
5168 bpf_error(cstate, "ISO host filtering not implemented");
5169
5170 case Q_ESIS:
5171 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
5172
5173 case Q_ISIS:
5174 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
5175
5176 case Q_CLNP:
5177 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
5178
5179 case Q_STP:
5180 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
5181
5182 case Q_IPX:
5183 bpf_error(cstate, "IPX host filtering not implemented");
5184
5185 case Q_NETBEUI:
5186 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
5187
5188 case Q_ISIS_L1:
5189 bpf_error(cstate, "'l1' modifier applied to %s", typestr);
5190
5191 case Q_ISIS_L2:
5192 bpf_error(cstate, "'l2' modifier applied to %s", typestr);
5193
5194 case Q_ISIS_IIH:
5195 bpf_error(cstate, "'iih' modifier applied to %s", typestr);
5196
5197 case Q_ISIS_SNP:
5198 bpf_error(cstate, "'snp' modifier applied to %s", typestr);
5199
5200 case Q_ISIS_CSNP:
5201 bpf_error(cstate, "'csnp' modifier applied to %s", typestr);
5202
5203 case Q_ISIS_PSNP:
5204 bpf_error(cstate, "'psnp' modifier applied to %s", typestr);
5205
5206 case Q_ISIS_LSP:
5207 bpf_error(cstate, "'lsp' modifier applied to %s", typestr);
5208
5209 case Q_RADIO:
5210 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
5211
5212 case Q_CARP:
5213 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
5214
5215 default:
5216 abort();
5217 }
5218 /*NOTREACHED*/
5219 }
5220
5221 #ifdef INET6
5222 static struct block *
gen_host6(compiler_state_t * cstate,struct in6_addr * addr,struct in6_addr * mask,int proto,int dir,int type)5223 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5224 struct in6_addr *mask, int proto, int dir, int type)
5225 {
5226 const char *typestr;
5227
5228 if (type == Q_NET)
5229 typestr = "net";
5230 else
5231 typestr = "host";
5232
5233 switch (proto) {
5234
5235 case Q_DEFAULT:
5236 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
5237
5238 case Q_LINK:
5239 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
5240
5241 case Q_IP:
5242 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
5243
5244 case Q_RARP:
5245 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
5246
5247 case Q_ARP:
5248 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
5249
5250 case Q_SCTP:
5251 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr);
5252
5253 case Q_TCP:
5254 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr);
5255
5256 case Q_UDP:
5257 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr);
5258
5259 case Q_ICMP:
5260 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr);
5261
5262 case Q_IGMP:
5263 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr);
5264
5265 case Q_IGRP:
5266 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr);
5267
5268 case Q_ATALK:
5269 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr);
5270
5271 case Q_DECNET:
5272 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
5273
5274 case Q_LAT:
5275 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr);
5276
5277 case Q_SCA:
5278 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr);
5279
5280 case Q_MOPRC:
5281 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr);
5282
5283 case Q_MOPDL:
5284 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr);
5285
5286 case Q_IPV6:
5287 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
5288
5289 case Q_ICMPV6:
5290 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr);
5291
5292 case Q_AH:
5293 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr);
5294
5295 case Q_ESP:
5296 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr);
5297
5298 case Q_PIM:
5299 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr);
5300
5301 case Q_VRRP:
5302 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr);
5303
5304 case Q_AARP:
5305 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr);
5306
5307 case Q_ISO:
5308 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr);
5309
5310 case Q_ESIS:
5311 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr);
5312
5313 case Q_ISIS:
5314 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr);
5315
5316 case Q_CLNP:
5317 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr);
5318
5319 case Q_STP:
5320 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr);
5321
5322 case Q_IPX:
5323 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr);
5324
5325 case Q_NETBEUI:
5326 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr);
5327
5328 case Q_ISIS_L1:
5329 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr);
5330
5331 case Q_ISIS_L2:
5332 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr);
5333
5334 case Q_ISIS_IIH:
5335 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr);
5336
5337 case Q_ISIS_SNP:
5338 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr);
5339
5340 case Q_ISIS_CSNP:
5341 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr);
5342
5343 case Q_ISIS_PSNP:
5344 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr);
5345
5346 case Q_ISIS_LSP:
5347 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr);
5348
5349 case Q_RADIO:
5350 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr);
5351
5352 case Q_CARP:
5353 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr);
5354
5355 default:
5356 abort();
5357 }
5358 /*NOTREACHED*/
5359 }
5360 #endif
5361
5362 #ifndef INET6
5363 static struct block *
gen_gateway(compiler_state_t * cstate,const u_char * eaddr,struct addrinfo * alist,int proto,int dir)5364 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5365 struct addrinfo *alist, int proto, int dir)
5366 {
5367 struct block *b0, *b1, *tmp;
5368 struct addrinfo *ai;
5369 struct sockaddr_in *sin;
5370
5371 if (dir != 0)
5372 bpf_error(cstate, "direction applied to 'gateway'");
5373
5374 switch (proto) {
5375 case Q_DEFAULT:
5376 case Q_IP:
5377 case Q_ARP:
5378 case Q_RARP:
5379 switch (cstate->linktype) {
5380 case DLT_EN10MB:
5381 case DLT_NETANALYZER:
5382 case DLT_NETANALYZER_TRANSPARENT:
5383 b1 = gen_prevlinkhdr_check(cstate);
5384 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5385 if (b1 != NULL)
5386 gen_and(b1, b0);
5387 break;
5388 case DLT_FDDI:
5389 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5390 break;
5391 case DLT_IEEE802:
5392 b0 = gen_thostop(cstate, eaddr, Q_OR);
5393 break;
5394 case DLT_IEEE802_11:
5395 case DLT_PRISM_HEADER:
5396 case DLT_IEEE802_11_RADIO_AVS:
5397 case DLT_IEEE802_11_RADIO:
5398 case DLT_PPI:
5399 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5400 break;
5401 case DLT_SUNATM:
5402 /*
5403 * This is LLC-multiplexed traffic; if it were
5404 * LANE, cstate->linktype would have been set to
5405 * DLT_EN10MB.
5406 */
5407 bpf_error(cstate,
5408 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5409 case DLT_IP_OVER_FC:
5410 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5411 break;
5412 default:
5413 bpf_error(cstate,
5414 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5415 }
5416 b1 = NULL;
5417 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5418 /*
5419 * Does it have an address?
5420 */
5421 if (ai->ai_addr != NULL) {
5422 /*
5423 * Yes. Is it an IPv4 address?
5424 */
5425 if (ai->ai_addr->sa_family == AF_INET) {
5426 /*
5427 * Generate an entry for it.
5428 */
5429 sin = (struct sockaddr_in *)ai->ai_addr;
5430 tmp = gen_host(cstate,
5431 ntohl(sin->sin_addr.s_addr),
5432 0xffffffff, proto, Q_OR, Q_HOST);
5433 /*
5434 * Is it the *first* IPv4 address?
5435 */
5436 if (b1 == NULL) {
5437 /*
5438 * Yes, so start with it.
5439 */
5440 b1 = tmp;
5441 } else {
5442 /*
5443 * No, so OR it into the
5444 * existing set of
5445 * addresses.
5446 */
5447 gen_or(b1, tmp);
5448 b1 = tmp;
5449 }
5450 }
5451 }
5452 }
5453 if (b1 == NULL) {
5454 /*
5455 * No IPv4 addresses found.
5456 */
5457 return (NULL);
5458 }
5459 gen_not(b1);
5460 gen_and(b0, b1);
5461 return b1;
5462 }
5463 bpf_error(cstate, "illegal modifier of 'gateway'");
5464 /*NOTREACHED*/
5465 }
5466 #endif
5467
5468 static struct block *
gen_proto_abbrev_internal(compiler_state_t * cstate,int proto)5469 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5470 {
5471 struct block *b0;
5472 struct block *b1;
5473
5474 switch (proto) {
5475
5476 case Q_SCTP:
5477 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_DEFAULT, Q_DEFAULT);
5478 break;
5479
5480 case Q_TCP:
5481 b1 = gen_proto(cstate, IPPROTO_TCP, Q_DEFAULT, Q_DEFAULT);
5482 break;
5483
5484 case Q_UDP:
5485 b1 = gen_proto(cstate, IPPROTO_UDP, Q_DEFAULT, Q_DEFAULT);
5486 break;
5487
5488 case Q_ICMP:
5489 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5490 break;
5491
5492 #ifndef IPPROTO_IGMP
5493 #define IPPROTO_IGMP 2
5494 #endif
5495
5496 case Q_IGMP:
5497 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5498 break;
5499
5500 #ifndef IPPROTO_IGRP
5501 #define IPPROTO_IGRP 9
5502 #endif
5503 case Q_IGRP:
5504 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5505 break;
5506
5507 #ifndef IPPROTO_PIM
5508 #define IPPROTO_PIM 103
5509 #endif
5510
5511 case Q_PIM:
5512 b1 = gen_proto(cstate, IPPROTO_PIM, Q_DEFAULT, Q_DEFAULT);
5513 break;
5514
5515 #ifndef IPPROTO_VRRP
5516 #define IPPROTO_VRRP 112
5517 #endif
5518
5519 case Q_VRRP:
5520 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5521 break;
5522
5523 #ifndef IPPROTO_CARP
5524 #define IPPROTO_CARP 112
5525 #endif
5526
5527 case Q_CARP:
5528 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5529 break;
5530
5531 case Q_IP:
5532 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5533 break;
5534
5535 case Q_ARP:
5536 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5537 break;
5538
5539 case Q_RARP:
5540 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5541 break;
5542
5543 case Q_LINK:
5544 bpf_error(cstate, "link layer applied in wrong context");
5545
5546 case Q_ATALK:
5547 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5548 break;
5549
5550 case Q_AARP:
5551 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5552 break;
5553
5554 case Q_DECNET:
5555 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5556 break;
5557
5558 case Q_SCA:
5559 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5560 break;
5561
5562 case Q_LAT:
5563 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5564 break;
5565
5566 case Q_MOPDL:
5567 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5568 break;
5569
5570 case Q_MOPRC:
5571 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5572 break;
5573
5574 case Q_IPV6:
5575 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5576 break;
5577
5578 #ifndef IPPROTO_ICMPV6
5579 #define IPPROTO_ICMPV6 58
5580 #endif
5581 case Q_ICMPV6:
5582 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5583 break;
5584
5585 #ifndef IPPROTO_AH
5586 #define IPPROTO_AH 51
5587 #endif
5588 case Q_AH:
5589 b1 = gen_proto(cstate, IPPROTO_AH, Q_DEFAULT, Q_DEFAULT);
5590 break;
5591
5592 #ifndef IPPROTO_ESP
5593 #define IPPROTO_ESP 50
5594 #endif
5595 case Q_ESP:
5596 b1 = gen_proto(cstate, IPPROTO_ESP, Q_DEFAULT, Q_DEFAULT);
5597 break;
5598
5599 case Q_ISO:
5600 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5601 break;
5602
5603 case Q_ESIS:
5604 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5605 break;
5606
5607 case Q_ISIS:
5608 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5609 break;
5610
5611 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5612 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5613 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5614 gen_or(b0, b1);
5615 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5616 gen_or(b0, b1);
5617 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5618 gen_or(b0, b1);
5619 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5620 gen_or(b0, b1);
5621 break;
5622
5623 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5624 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5625 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5626 gen_or(b0, b1);
5627 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5628 gen_or(b0, b1);
5629 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5630 gen_or(b0, b1);
5631 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5632 gen_or(b0, b1);
5633 break;
5634
5635 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5636 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5637 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5638 gen_or(b0, b1);
5639 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5640 gen_or(b0, b1);
5641 break;
5642
5643 case Q_ISIS_LSP:
5644 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5645 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5646 gen_or(b0, b1);
5647 break;
5648
5649 case Q_ISIS_SNP:
5650 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5651 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5652 gen_or(b0, b1);
5653 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5654 gen_or(b0, b1);
5655 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5656 gen_or(b0, b1);
5657 break;
5658
5659 case Q_ISIS_CSNP:
5660 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5661 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5662 gen_or(b0, b1);
5663 break;
5664
5665 case Q_ISIS_PSNP:
5666 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5667 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5668 gen_or(b0, b1);
5669 break;
5670
5671 case Q_CLNP:
5672 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5673 break;
5674
5675 case Q_STP:
5676 b1 = gen_linktype(cstate, LLCSAP_8021D);
5677 break;
5678
5679 case Q_IPX:
5680 b1 = gen_linktype(cstate, LLCSAP_IPX);
5681 break;
5682
5683 case Q_NETBEUI:
5684 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5685 break;
5686
5687 case Q_RADIO:
5688 bpf_error(cstate, "'radio' is not a valid protocol type");
5689
5690 default:
5691 abort();
5692 }
5693 return b1;
5694 }
5695
5696 struct block *
gen_proto_abbrev(compiler_state_t * cstate,int proto)5697 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5698 {
5699 /*
5700 * Catch errors reported by us and routines below us, and return NULL
5701 * on an error.
5702 */
5703 if (setjmp(cstate->top_ctx))
5704 return (NULL);
5705
5706 return gen_proto_abbrev_internal(cstate, proto);
5707 }
5708
5709 static struct block *
gen_ipfrag(compiler_state_t * cstate)5710 gen_ipfrag(compiler_state_t *cstate)
5711 {
5712 struct slist *s;
5713 struct block *b;
5714
5715 /* not IPv4 frag other than the first frag */
5716 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5717 b = new_block(cstate, JMP(BPF_JSET));
5718 b->s.k = 0x1fff;
5719 b->stmts = s;
5720 gen_not(b);
5721
5722 return b;
5723 }
5724
5725 /*
5726 * Generate a comparison to a port value in the transport-layer header
5727 * at the specified offset from the beginning of that header.
5728 *
5729 * XXX - this handles a variable-length prefix preceding the link-layer
5730 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5731 * variable-length link-layer headers (such as Token Ring or 802.11
5732 * headers).
5733 */
5734 static struct block *
gen_portatom(compiler_state_t * cstate,int off,bpf_u_int32 v)5735 gen_portatom(compiler_state_t *cstate, int off, bpf_u_int32 v)
5736 {
5737 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5738 }
5739
5740 static struct block *
gen_portatom6(compiler_state_t * cstate,int off,bpf_u_int32 v)5741 gen_portatom6(compiler_state_t *cstate, int off, bpf_u_int32 v)
5742 {
5743 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5744 }
5745
5746 static struct block *
gen_portop(compiler_state_t * cstate,u_int port,u_int proto,int dir)5747 gen_portop(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5748 {
5749 struct block *b0, *b1, *tmp;
5750
5751 /* ip proto 'proto' and not a fragment other than the first fragment */
5752 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5753 b0 = gen_ipfrag(cstate);
5754 gen_and(tmp, b0);
5755
5756 switch (dir) {
5757 case Q_SRC:
5758 b1 = gen_portatom(cstate, 0, port);
5759 break;
5760
5761 case Q_DST:
5762 b1 = gen_portatom(cstate, 2, port);
5763 break;
5764
5765 case Q_AND:
5766 tmp = gen_portatom(cstate, 0, port);
5767 b1 = gen_portatom(cstate, 2, port);
5768 gen_and(tmp, b1);
5769 break;
5770
5771 case Q_DEFAULT:
5772 case Q_OR:
5773 tmp = gen_portatom(cstate, 0, port);
5774 b1 = gen_portatom(cstate, 2, port);
5775 gen_or(tmp, b1);
5776 break;
5777
5778 case Q_ADDR1:
5779 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports");
5780 /*NOTREACHED*/
5781
5782 case Q_ADDR2:
5783 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports");
5784 /*NOTREACHED*/
5785
5786 case Q_ADDR3:
5787 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports");
5788 /*NOTREACHED*/
5789
5790 case Q_ADDR4:
5791 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports");
5792 /*NOTREACHED*/
5793
5794 case Q_RA:
5795 bpf_error(cstate, "'ra' is not a valid qualifier for ports");
5796 /*NOTREACHED*/
5797
5798 case Q_TA:
5799 bpf_error(cstate, "'ta' is not a valid qualifier for ports");
5800 /*NOTREACHED*/
5801
5802 default:
5803 abort();
5804 /*NOTREACHED*/
5805 }
5806 gen_and(b0, b1);
5807
5808 return b1;
5809 }
5810
5811 static struct block *
gen_port(compiler_state_t * cstate,u_int port,int ip_proto,int dir)5812 gen_port(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5813 {
5814 struct block *b0, *b1, *tmp;
5815
5816 /*
5817 * ether proto ip
5818 *
5819 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5820 * not LLC encapsulation with LLCSAP_IP.
5821 *
5822 * For IEEE 802 networks - which includes 802.5 token ring
5823 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5824 * says that SNAP encapsulation is used, not LLC encapsulation
5825 * with LLCSAP_IP.
5826 *
5827 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5828 * RFC 2225 say that SNAP encapsulation is used, not LLC
5829 * encapsulation with LLCSAP_IP.
5830 *
5831 * So we always check for ETHERTYPE_IP.
5832 */
5833 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5834
5835 switch (ip_proto) {
5836 case IPPROTO_UDP:
5837 case IPPROTO_TCP:
5838 case IPPROTO_SCTP:
5839 b1 = gen_portop(cstate, port, (u_int)ip_proto, dir);
5840 break;
5841
5842 case PROTO_UNDEF:
5843 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5844 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5845 gen_or(tmp, b1);
5846 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5847 gen_or(tmp, b1);
5848 break;
5849
5850 default:
5851 abort();
5852 }
5853 gen_and(b0, b1);
5854 return b1;
5855 }
5856
5857 struct block *
gen_portop6(compiler_state_t * cstate,u_int port,u_int proto,int dir)5858 gen_portop6(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5859 {
5860 struct block *b0, *b1, *tmp;
5861
5862 /* ip6 proto 'proto' */
5863 /* XXX - catch the first fragment of a fragmented packet? */
5864 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5865
5866 switch (dir) {
5867 case Q_SRC:
5868 b1 = gen_portatom6(cstate, 0, port);
5869 break;
5870
5871 case Q_DST:
5872 b1 = gen_portatom6(cstate, 2, port);
5873 break;
5874
5875 case Q_AND:
5876 tmp = gen_portatom6(cstate, 0, port);
5877 b1 = gen_portatom6(cstate, 2, port);
5878 gen_and(tmp, b1);
5879 break;
5880
5881 case Q_DEFAULT:
5882 case Q_OR:
5883 tmp = gen_portatom6(cstate, 0, port);
5884 b1 = gen_portatom6(cstate, 2, port);
5885 gen_or(tmp, b1);
5886 break;
5887
5888 default:
5889 abort();
5890 }
5891 gen_and(b0, b1);
5892
5893 return b1;
5894 }
5895
5896 static struct block *
gen_port6(compiler_state_t * cstate,u_int port,int ip_proto,int dir)5897 gen_port6(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5898 {
5899 struct block *b0, *b1, *tmp;
5900
5901 /* link proto ip6 */
5902 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5903
5904 switch (ip_proto) {
5905 case IPPROTO_UDP:
5906 case IPPROTO_TCP:
5907 case IPPROTO_SCTP:
5908 b1 = gen_portop6(cstate, port, (u_int)ip_proto, dir);
5909 break;
5910
5911 case PROTO_UNDEF:
5912 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5913 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5914 gen_or(tmp, b1);
5915 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5916 gen_or(tmp, b1);
5917 break;
5918
5919 default:
5920 abort();
5921 }
5922 gen_and(b0, b1);
5923 return b1;
5924 }
5925
5926 /* gen_portrange code */
5927 static struct block *
gen_portrangeatom(compiler_state_t * cstate,u_int off,bpf_u_int32 v1,bpf_u_int32 v2)5928 gen_portrangeatom(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5929 bpf_u_int32 v2)
5930 {
5931 struct block *b1, *b2;
5932
5933 if (v1 > v2) {
5934 /*
5935 * Reverse the order of the ports, so v1 is the lower one.
5936 */
5937 bpf_u_int32 vtemp;
5938
5939 vtemp = v1;
5940 v1 = v2;
5941 v2 = vtemp;
5942 }
5943
5944 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5945 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5946
5947 gen_and(b1, b2);
5948
5949 return b2;
5950 }
5951
5952 static struct block *
gen_portrangeop(compiler_state_t * cstate,u_int port1,u_int port2,bpf_u_int32 proto,int dir)5953 gen_portrangeop(compiler_state_t *cstate, u_int port1, u_int port2,
5954 bpf_u_int32 proto, int dir)
5955 {
5956 struct block *b0, *b1, *tmp;
5957
5958 /* ip proto 'proto' and not a fragment other than the first fragment */
5959 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5960 b0 = gen_ipfrag(cstate);
5961 gen_and(tmp, b0);
5962
5963 switch (dir) {
5964 case Q_SRC:
5965 b1 = gen_portrangeatom(cstate, 0, port1, port2);
5966 break;
5967
5968 case Q_DST:
5969 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5970 break;
5971
5972 case Q_AND:
5973 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5974 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5975 gen_and(tmp, b1);
5976 break;
5977
5978 case Q_DEFAULT:
5979 case Q_OR:
5980 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5981 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5982 gen_or(tmp, b1);
5983 break;
5984
5985 case Q_ADDR1:
5986 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges");
5987 /*NOTREACHED*/
5988
5989 case Q_ADDR2:
5990 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges");
5991 /*NOTREACHED*/
5992
5993 case Q_ADDR3:
5994 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges");
5995 /*NOTREACHED*/
5996
5997 case Q_ADDR4:
5998 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges");
5999 /*NOTREACHED*/
6000
6001 case Q_RA:
6002 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges");
6003 /*NOTREACHED*/
6004
6005 case Q_TA:
6006 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges");
6007 /*NOTREACHED*/
6008
6009 default:
6010 abort();
6011 /*NOTREACHED*/
6012 }
6013 gen_and(b0, b1);
6014
6015 return b1;
6016 }
6017
6018 static struct block *
gen_portrange(compiler_state_t * cstate,u_int port1,u_int port2,int ip_proto,int dir)6019 gen_portrange(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
6020 int dir)
6021 {
6022 struct block *b0, *b1, *tmp;
6023
6024 /* link proto ip */
6025 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6026
6027 switch (ip_proto) {
6028 case IPPROTO_UDP:
6029 case IPPROTO_TCP:
6030 case IPPROTO_SCTP:
6031 b1 = gen_portrangeop(cstate, port1, port2, (bpf_u_int32)ip_proto,
6032 dir);
6033 break;
6034
6035 case PROTO_UNDEF:
6036 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
6037 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
6038 gen_or(tmp, b1);
6039 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
6040 gen_or(tmp, b1);
6041 break;
6042
6043 default:
6044 abort();
6045 }
6046 gen_and(b0, b1);
6047 return b1;
6048 }
6049
6050 static struct block *
gen_portrangeatom6(compiler_state_t * cstate,u_int off,bpf_u_int32 v1,bpf_u_int32 v2)6051 gen_portrangeatom6(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
6052 bpf_u_int32 v2)
6053 {
6054 struct block *b1, *b2;
6055
6056 if (v1 > v2) {
6057 /*
6058 * Reverse the order of the ports, so v1 is the lower one.
6059 */
6060 bpf_u_int32 vtemp;
6061
6062 vtemp = v1;
6063 v1 = v2;
6064 v2 = vtemp;
6065 }
6066
6067 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
6068 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
6069
6070 gen_and(b1, b2);
6071
6072 return b2;
6073 }
6074
6075 static struct block *
gen_portrangeop6(compiler_state_t * cstate,u_int port1,u_int port2,bpf_u_int32 proto,int dir)6076 gen_portrangeop6(compiler_state_t *cstate, u_int port1, u_int port2,
6077 bpf_u_int32 proto, int dir)
6078 {
6079 struct block *b0, *b1, *tmp;
6080
6081 /* ip6 proto 'proto' */
6082 /* XXX - catch the first fragment of a fragmented packet? */
6083 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
6084
6085 switch (dir) {
6086 case Q_SRC:
6087 b1 = gen_portrangeatom6(cstate, 0, port1, port2);
6088 break;
6089
6090 case Q_DST:
6091 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6092 break;
6093
6094 case Q_AND:
6095 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
6096 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6097 gen_and(tmp, b1);
6098 break;
6099
6100 case Q_DEFAULT:
6101 case Q_OR:
6102 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
6103 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6104 gen_or(tmp, b1);
6105 break;
6106
6107 default:
6108 abort();
6109 }
6110 gen_and(b0, b1);
6111
6112 return b1;
6113 }
6114
6115 static struct block *
gen_portrange6(compiler_state_t * cstate,u_int port1,u_int port2,int ip_proto,int dir)6116 gen_portrange6(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
6117 int dir)
6118 {
6119 struct block *b0, *b1, *tmp;
6120
6121 /* link proto ip6 */
6122 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6123
6124 switch (ip_proto) {
6125 case IPPROTO_UDP:
6126 case IPPROTO_TCP:
6127 case IPPROTO_SCTP:
6128 b1 = gen_portrangeop6(cstate, port1, port2, (bpf_u_int32)ip_proto,
6129 dir);
6130 break;
6131
6132 case PROTO_UNDEF:
6133 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
6134 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
6135 gen_or(tmp, b1);
6136 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
6137 gen_or(tmp, b1);
6138 break;
6139
6140 default:
6141 abort();
6142 }
6143 gen_and(b0, b1);
6144 return b1;
6145 }
6146
6147 static int
lookup_proto(compiler_state_t * cstate,const char * name,int proto)6148 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
6149 {
6150 register int v;
6151
6152 switch (proto) {
6153
6154 case Q_DEFAULT:
6155 case Q_IP:
6156 case Q_IPV6:
6157 v = pcap_nametoproto(name);
6158 if (v == PROTO_UNDEF)
6159 bpf_error(cstate, "unknown ip proto '%s'", name);
6160 break;
6161
6162 case Q_LINK:
6163 /* XXX should look up h/w protocol type based on cstate->linktype */
6164 v = pcap_nametoeproto(name);
6165 if (v == PROTO_UNDEF) {
6166 v = pcap_nametollc(name);
6167 if (v == PROTO_UNDEF)
6168 bpf_error(cstate, "unknown ether proto '%s'", name);
6169 }
6170 break;
6171
6172 case Q_ISO:
6173 if (strcmp(name, "esis") == 0)
6174 v = ISO9542_ESIS;
6175 else if (strcmp(name, "isis") == 0)
6176 v = ISO10589_ISIS;
6177 else if (strcmp(name, "clnp") == 0)
6178 v = ISO8473_CLNP;
6179 else
6180 bpf_error(cstate, "unknown osi proto '%s'", name);
6181 break;
6182
6183 default:
6184 v = PROTO_UNDEF;
6185 break;
6186 }
6187 return v;
6188 }
6189
6190 #if !defined(NO_PROTOCHAIN)
6191 static struct block *
gen_protochain(compiler_state_t * cstate,bpf_u_int32 v,int proto)6192 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6193 {
6194 struct block *b0, *b;
6195 struct slist *s[100];
6196 int fix2, fix3, fix4, fix5;
6197 int ahcheck, again, end;
6198 int i, max;
6199 int reg2 = alloc_reg(cstate);
6200
6201 memset(s, 0, sizeof(s));
6202 fix3 = fix4 = fix5 = 0;
6203
6204 switch (proto) {
6205 case Q_IP:
6206 case Q_IPV6:
6207 break;
6208 case Q_DEFAULT:
6209 b0 = gen_protochain(cstate, v, Q_IP);
6210 b = gen_protochain(cstate, v, Q_IPV6);
6211 gen_or(b0, b);
6212 return b;
6213 default:
6214 bpf_error(cstate, "bad protocol applied for 'protochain'");
6215 /*NOTREACHED*/
6216 }
6217
6218 /*
6219 * We don't handle variable-length prefixes before the link-layer
6220 * header, or variable-length link-layer headers, here yet.
6221 * We might want to add BPF instructions to do the protochain
6222 * work, to simplify that and, on platforms that have a BPF
6223 * interpreter with the new instructions, let the filtering
6224 * be done in the kernel. (We already require a modified BPF
6225 * engine to do the protochain stuff, to support backward
6226 * branches, and backward branch support is unlikely to appear
6227 * in kernel BPF engines.)
6228 */
6229 if (cstate->off_linkpl.is_variable)
6230 bpf_error(cstate, "'protochain' not supported with variable length headers");
6231
6232 /*
6233 * To quote a comment in optimize.c:
6234 *
6235 * "These data structures are used in a Cocke and Schwartz style
6236 * value numbering scheme. Since the flowgraph is acyclic,
6237 * exit values can be propagated from a node's predecessors
6238 * provided it is uniquely defined."
6239 *
6240 * "Acyclic" means "no backward branches", which means "no
6241 * loops", so we have to turn the optimizer off.
6242 */
6243 cstate->no_optimize = 1;
6244
6245 /*
6246 * s[0] is a dummy entry to protect other BPF insn from damage
6247 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
6248 * hard to find interdependency made by jump table fixup.
6249 */
6250 i = 0;
6251 s[i] = new_stmt(cstate, 0); /*dummy*/
6252 i++;
6253
6254 switch (proto) {
6255 case Q_IP:
6256 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6257
6258 /* A = ip->ip_p */
6259 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6260 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6261 i++;
6262 /* X = ip->ip_hl << 2 */
6263 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6264 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6265 i++;
6266 break;
6267
6268 case Q_IPV6:
6269 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6270
6271 /* A = ip6->ip_nxt */
6272 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6273 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6274 i++;
6275 /* X = sizeof(struct ip6_hdr) */
6276 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6277 s[i]->s.k = 40;
6278 i++;
6279 break;
6280
6281 default:
6282 bpf_error(cstate, "unsupported proto to gen_protochain");
6283 /*NOTREACHED*/
6284 }
6285
6286 /* again: if (A == v) goto end; else fall through; */
6287 again = i;
6288 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6289 s[i]->s.k = v;
6290 s[i]->s.jt = NULL; /*later*/
6291 s[i]->s.jf = NULL; /*update in next stmt*/
6292 fix5 = i;
6293 i++;
6294
6295 #ifndef IPPROTO_NONE
6296 #define IPPROTO_NONE 59
6297 #endif
6298 /* if (A == IPPROTO_NONE) goto end */
6299 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6300 s[i]->s.jt = NULL; /*later*/
6301 s[i]->s.jf = NULL; /*update in next stmt*/
6302 s[i]->s.k = IPPROTO_NONE;
6303 s[fix5]->s.jf = s[i];
6304 fix2 = i;
6305 i++;
6306
6307 if (proto == Q_IPV6) {
6308 int v6start, v6end, v6advance, j;
6309
6310 v6start = i;
6311 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
6312 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6313 s[i]->s.jt = NULL; /*later*/
6314 s[i]->s.jf = NULL; /*update in next stmt*/
6315 s[i]->s.k = IPPROTO_HOPOPTS;
6316 s[fix2]->s.jf = s[i];
6317 i++;
6318 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
6319 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6320 s[i]->s.jt = NULL; /*later*/
6321 s[i]->s.jf = NULL; /*update in next stmt*/
6322 s[i]->s.k = IPPROTO_DSTOPTS;
6323 i++;
6324 /* if (A == IPPROTO_ROUTING) goto v6advance */
6325 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6326 s[i]->s.jt = NULL; /*later*/
6327 s[i]->s.jf = NULL; /*update in next stmt*/
6328 s[i]->s.k = IPPROTO_ROUTING;
6329 i++;
6330 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6331 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6332 s[i]->s.jt = NULL; /*later*/
6333 s[i]->s.jf = NULL; /*later*/
6334 s[i]->s.k = IPPROTO_FRAGMENT;
6335 fix3 = i;
6336 v6end = i;
6337 i++;
6338
6339 /* v6advance: */
6340 v6advance = i;
6341
6342 /*
6343 * in short,
6344 * A = P[X + packet head];
6345 * X = X + (P[X + packet head + 1] + 1) * 8;
6346 */
6347 /* A = P[X + packet head] */
6348 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6349 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6350 i++;
6351 /* MEM[reg2] = A */
6352 s[i] = new_stmt(cstate, BPF_ST);
6353 s[i]->s.k = reg2;
6354 i++;
6355 /* A = P[X + packet head + 1]; */
6356 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6357 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6358 i++;
6359 /* A += 1 */
6360 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6361 s[i]->s.k = 1;
6362 i++;
6363 /* A *= 8 */
6364 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6365 s[i]->s.k = 8;
6366 i++;
6367 /* A += X */
6368 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6369 s[i]->s.k = 0;
6370 i++;
6371 /* X = A; */
6372 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6373 i++;
6374 /* A = MEM[reg2] */
6375 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6376 s[i]->s.k = reg2;
6377 i++;
6378
6379 /* goto again; (must use BPF_JA for backward jump) */
6380 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6381 s[i]->s.k = again - i - 1;
6382 s[i - 1]->s.jf = s[i];
6383 i++;
6384
6385 /* fixup */
6386 for (j = v6start; j <= v6end; j++)
6387 s[j]->s.jt = s[v6advance];
6388 } else {
6389 /* nop */
6390 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6391 s[i]->s.k = 0;
6392 s[fix2]->s.jf = s[i];
6393 i++;
6394 }
6395
6396 /* ahcheck: */
6397 ahcheck = i;
6398 /* if (A == IPPROTO_AH) then fall through; else goto end; */
6399 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6400 s[i]->s.jt = NULL; /*later*/
6401 s[i]->s.jf = NULL; /*later*/
6402 s[i]->s.k = IPPROTO_AH;
6403 if (fix3)
6404 s[fix3]->s.jf = s[ahcheck];
6405 fix4 = i;
6406 i++;
6407
6408 /*
6409 * in short,
6410 * A = P[X];
6411 * X = X + (P[X + 1] + 2) * 4;
6412 */
6413 /* A = X */
6414 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6415 i++;
6416 /* A = P[X + packet head]; */
6417 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6418 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6419 i++;
6420 /* MEM[reg2] = A */
6421 s[i] = new_stmt(cstate, BPF_ST);
6422 s[i]->s.k = reg2;
6423 i++;
6424 /* A = X */
6425 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6426 i++;
6427 /* A += 1 */
6428 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6429 s[i]->s.k = 1;
6430 i++;
6431 /* X = A */
6432 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6433 i++;
6434 /* A = P[X + packet head] */
6435 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6436 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6437 i++;
6438 /* A += 2 */
6439 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6440 s[i]->s.k = 2;
6441 i++;
6442 /* A *= 4 */
6443 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6444 s[i]->s.k = 4;
6445 i++;
6446 /* X = A; */
6447 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6448 i++;
6449 /* A = MEM[reg2] */
6450 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6451 s[i]->s.k = reg2;
6452 i++;
6453
6454 /* goto again; (must use BPF_JA for backward jump) */
6455 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6456 s[i]->s.k = again - i - 1;
6457 i++;
6458
6459 /* end: nop */
6460 end = i;
6461 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6462 s[i]->s.k = 0;
6463 s[fix2]->s.jt = s[end];
6464 s[fix4]->s.jf = s[end];
6465 s[fix5]->s.jt = s[end];
6466 i++;
6467
6468 /*
6469 * make slist chain
6470 */
6471 max = i;
6472 for (i = 0; i < max - 1; i++)
6473 s[i]->next = s[i + 1];
6474 s[max - 1]->next = NULL;
6475
6476 /*
6477 * emit final check
6478 */
6479 b = new_block(cstate, JMP(BPF_JEQ));
6480 b->stmts = s[1]; /*remember, s[0] is dummy*/
6481 b->s.k = v;
6482
6483 free_reg(cstate, reg2);
6484
6485 gen_and(b0, b);
6486 return b;
6487 }
6488 #endif /* !defined(NO_PROTOCHAIN) */
6489
6490 static struct block *
gen_check_802_11_data_frame(compiler_state_t * cstate)6491 gen_check_802_11_data_frame(compiler_state_t *cstate)
6492 {
6493 struct slist *s;
6494 struct block *b0, *b1;
6495
6496 /*
6497 * A data frame has the 0x08 bit (b3) in the frame control field set
6498 * and the 0x04 bit (b2) clear.
6499 */
6500 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6501 b0 = new_block(cstate, JMP(BPF_JSET));
6502 b0->s.k = 0x08;
6503 b0->stmts = s;
6504
6505 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6506 b1 = new_block(cstate, JMP(BPF_JSET));
6507 b1->s.k = 0x04;
6508 b1->stmts = s;
6509 gen_not(b1);
6510
6511 gen_and(b1, b0);
6512
6513 return b0;
6514 }
6515
6516 /*
6517 * Generate code that checks whether the packet is a packet for protocol
6518 * <proto> and whether the type field in that protocol's header has
6519 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6520 * IP packet and checks the protocol number in the IP header against <v>.
6521 *
6522 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6523 * against Q_IP and Q_IPV6.
6524 */
6525 static struct block *
gen_proto(compiler_state_t * cstate,bpf_u_int32 v,int proto,int dir)6526 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto, int dir)
6527 {
6528 struct block *b0, *b1;
6529 struct block *b2;
6530
6531 if (dir != Q_DEFAULT)
6532 bpf_error(cstate, "direction applied to 'proto'");
6533
6534 switch (proto) {
6535 case Q_DEFAULT:
6536 b0 = gen_proto(cstate, v, Q_IP, dir);
6537 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6538 gen_or(b0, b1);
6539 return b1;
6540
6541 case Q_LINK:
6542 return gen_linktype(cstate, v);
6543
6544 case Q_IP:
6545 /*
6546 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6547 * not LLC encapsulation with LLCSAP_IP.
6548 *
6549 * For IEEE 802 networks - which includes 802.5 token ring
6550 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6551 * says that SNAP encapsulation is used, not LLC encapsulation
6552 * with LLCSAP_IP.
6553 *
6554 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6555 * RFC 2225 say that SNAP encapsulation is used, not LLC
6556 * encapsulation with LLCSAP_IP.
6557 *
6558 * So we always check for ETHERTYPE_IP.
6559 */
6560 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6561 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, v);
6562 gen_and(b0, b1);
6563 return b1;
6564
6565 case Q_ARP:
6566 bpf_error(cstate, "arp does not encapsulate another protocol");
6567 /*NOTREACHED*/
6568
6569 case Q_RARP:
6570 bpf_error(cstate, "rarp does not encapsulate another protocol");
6571 /*NOTREACHED*/
6572
6573 case Q_SCTP:
6574 bpf_error(cstate, "'sctp proto' is bogus");
6575 /*NOTREACHED*/
6576
6577 case Q_TCP:
6578 bpf_error(cstate, "'tcp proto' is bogus");
6579 /*NOTREACHED*/
6580
6581 case Q_UDP:
6582 bpf_error(cstate, "'udp proto' is bogus");
6583 /*NOTREACHED*/
6584
6585 case Q_ICMP:
6586 bpf_error(cstate, "'icmp proto' is bogus");
6587 /*NOTREACHED*/
6588
6589 case Q_IGMP:
6590 bpf_error(cstate, "'igmp proto' is bogus");
6591 /*NOTREACHED*/
6592
6593 case Q_IGRP:
6594 bpf_error(cstate, "'igrp proto' is bogus");
6595 /*NOTREACHED*/
6596
6597 case Q_ATALK:
6598 bpf_error(cstate, "AppleTalk encapsulation is not specifiable");
6599 /*NOTREACHED*/
6600
6601 case Q_DECNET:
6602 bpf_error(cstate, "DECNET encapsulation is not specifiable");
6603 /*NOTREACHED*/
6604
6605 case Q_LAT:
6606 bpf_error(cstate, "LAT does not encapsulate another protocol");
6607 /*NOTREACHED*/
6608
6609 case Q_SCA:
6610 bpf_error(cstate, "SCA does not encapsulate another protocol");
6611 /*NOTREACHED*/
6612
6613 case Q_MOPRC:
6614 bpf_error(cstate, "MOPRC does not encapsulate another protocol");
6615 /*NOTREACHED*/
6616
6617 case Q_MOPDL:
6618 bpf_error(cstate, "MOPDL does not encapsulate another protocol");
6619 /*NOTREACHED*/
6620
6621 case Q_IPV6:
6622 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6623 /*
6624 * Also check for a fragment header before the final
6625 * header.
6626 */
6627 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6628 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v);
6629 gen_and(b2, b1);
6630 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, v);
6631 gen_or(b2, b1);
6632 gen_and(b0, b1);
6633 return b1;
6634
6635 case Q_ICMPV6:
6636 bpf_error(cstate, "'icmp6 proto' is bogus");
6637 /*NOTREACHED*/
6638
6639 case Q_AH:
6640 bpf_error(cstate, "'ah proto' is bogus");
6641 /*NOTREACHED*/
6642
6643 case Q_ESP:
6644 bpf_error(cstate, "'esp proto' is bogus");
6645 /*NOTREACHED*/
6646
6647 case Q_PIM:
6648 bpf_error(cstate, "'pim proto' is bogus");
6649 /*NOTREACHED*/
6650
6651 case Q_VRRP:
6652 bpf_error(cstate, "'vrrp proto' is bogus");
6653 /*NOTREACHED*/
6654
6655 case Q_AARP:
6656 bpf_error(cstate, "'aarp proto' is bogus");
6657 /*NOTREACHED*/
6658
6659 case Q_ISO:
6660 switch (cstate->linktype) {
6661
6662 case DLT_FRELAY:
6663 /*
6664 * Frame Relay packets typically have an OSI
6665 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6666 * generates code to check for all the OSI
6667 * NLPIDs, so calling it and then adding a check
6668 * for the particular NLPID for which we're
6669 * looking is bogus, as we can just check for
6670 * the NLPID.
6671 *
6672 * What we check for is the NLPID and a frame
6673 * control field value of UI, i.e. 0x03 followed
6674 * by the NLPID.
6675 *
6676 * XXX - assumes a 2-byte Frame Relay header with
6677 * DLCI and flags. What if the address is longer?
6678 *
6679 * XXX - what about SNAP-encapsulated frames?
6680 */
6681 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6682 /*NOTREACHED*/
6683
6684 case DLT_C_HDLC:
6685 case DLT_HDLC:
6686 /*
6687 * Cisco uses an Ethertype lookalike - for OSI,
6688 * it's 0xfefe.
6689 */
6690 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6691 /* OSI in C-HDLC is stuffed with a fudge byte */
6692 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v);
6693 gen_and(b0, b1);
6694 return b1;
6695
6696 default:
6697 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6698 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v);
6699 gen_and(b0, b1);
6700 return b1;
6701 }
6702
6703 case Q_ESIS:
6704 bpf_error(cstate, "'esis proto' is bogus");
6705 /*NOTREACHED*/
6706
6707 case Q_ISIS:
6708 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6709 /*
6710 * 4 is the offset of the PDU type relative to the IS-IS
6711 * header.
6712 */
6713 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, v);
6714 gen_and(b0, b1);
6715 return b1;
6716
6717 case Q_CLNP:
6718 bpf_error(cstate, "'clnp proto' is not supported");
6719 /*NOTREACHED*/
6720
6721 case Q_STP:
6722 bpf_error(cstate, "'stp proto' is bogus");
6723 /*NOTREACHED*/
6724
6725 case Q_IPX:
6726 bpf_error(cstate, "'ipx proto' is bogus");
6727 /*NOTREACHED*/
6728
6729 case Q_NETBEUI:
6730 bpf_error(cstate, "'netbeui proto' is bogus");
6731 /*NOTREACHED*/
6732
6733 case Q_ISIS_L1:
6734 bpf_error(cstate, "'l1 proto' is bogus");
6735 /*NOTREACHED*/
6736
6737 case Q_ISIS_L2:
6738 bpf_error(cstate, "'l2 proto' is bogus");
6739 /*NOTREACHED*/
6740
6741 case Q_ISIS_IIH:
6742 bpf_error(cstate, "'iih proto' is bogus");
6743 /*NOTREACHED*/
6744
6745 case Q_ISIS_SNP:
6746 bpf_error(cstate, "'snp proto' is bogus");
6747 /*NOTREACHED*/
6748
6749 case Q_ISIS_CSNP:
6750 bpf_error(cstate, "'csnp proto' is bogus");
6751 /*NOTREACHED*/
6752
6753 case Q_ISIS_PSNP:
6754 bpf_error(cstate, "'psnp proto' is bogus");
6755 /*NOTREACHED*/
6756
6757 case Q_ISIS_LSP:
6758 bpf_error(cstate, "'lsp proto' is bogus");
6759 /*NOTREACHED*/
6760
6761 case Q_RADIO:
6762 bpf_error(cstate, "'radio proto' is bogus");
6763 /*NOTREACHED*/
6764
6765 case Q_CARP:
6766 bpf_error(cstate, "'carp proto' is bogus");
6767 /*NOTREACHED*/
6768
6769 default:
6770 abort();
6771 /*NOTREACHED*/
6772 }
6773 /*NOTREACHED*/
6774 }
6775
6776 /*
6777 * Convert a non-numeric name to a port number.
6778 */
6779 static int
nametoport(compiler_state_t * cstate,const char * name,int ipproto)6780 nametoport(compiler_state_t *cstate, const char *name, int ipproto)
6781 {
6782 struct addrinfo hints, *res, *ai;
6783 int error;
6784 struct sockaddr_in *in4;
6785 #ifdef INET6
6786 struct sockaddr_in6 *in6;
6787 #endif
6788 int port = -1;
6789
6790 /*
6791 * We check for both TCP and UDP in case there are
6792 * ambiguous entries.
6793 */
6794 memset(&hints, 0, sizeof(hints));
6795 hints.ai_family = PF_UNSPEC;
6796 hints.ai_socktype = (ipproto == IPPROTO_TCP) ? SOCK_STREAM : SOCK_DGRAM;
6797 hints.ai_protocol = ipproto;
6798 error = getaddrinfo(NULL, name, &hints, &res);
6799 if (error != 0) {
6800 switch (error) {
6801
6802 case EAI_NONAME:
6803 case EAI_SERVICE:
6804 /*
6805 * No such port. Just return -1.
6806 */
6807 break;
6808
6809 #ifdef EAI_SYSTEM
6810 case EAI_SYSTEM:
6811 /*
6812 * We don't use strerror() because it's not
6813 * guaranteed to be thread-safe on all platforms
6814 * (probably because it might use a non-thread-local
6815 * buffer into which to format an error message
6816 * if the error code isn't one for which it has
6817 * a canned string; three cheers for C string
6818 * handling).
6819 */
6820 bpf_set_error(cstate, "getaddrinfo(\"%s\" fails with system error: %d",
6821 name, errno);
6822 port = -2; /* a real error */
6823 break;
6824 #endif
6825
6826 default:
6827 /*
6828 * This is a real error, not just "there's
6829 * no such service name".
6830 *
6831 * We don't use gai_strerror() because it's not
6832 * guaranteed to be thread-safe on all platforms
6833 * (probably because it might use a non-thread-local
6834 * buffer into which to format an error message
6835 * if the error code isn't one for which it has
6836 * a canned string; three cheers for C string
6837 * handling).
6838 */
6839 bpf_set_error(cstate, "getaddrinfo(\"%s\") fails with error: %d",
6840 name, error);
6841 port = -2; /* a real error */
6842 break;
6843 }
6844 } else {
6845 /*
6846 * OK, we found it. Did it find anything?
6847 */
6848 for (ai = res; ai != NULL; ai = ai->ai_next) {
6849 /*
6850 * Does it have an address?
6851 */
6852 if (ai->ai_addr != NULL) {
6853 /*
6854 * Yes. Get a port number; we're done.
6855 */
6856 if (ai->ai_addr->sa_family == AF_INET) {
6857 in4 = (struct sockaddr_in *)ai->ai_addr;
6858 port = ntohs(in4->sin_port);
6859 break;
6860 }
6861 #ifdef INET6
6862 if (ai->ai_addr->sa_family == AF_INET6) {
6863 in6 = (struct sockaddr_in6 *)ai->ai_addr;
6864 port = ntohs(in6->sin6_port);
6865 break;
6866 }
6867 #endif
6868 }
6869 }
6870 freeaddrinfo(res);
6871 }
6872 return port;
6873 }
6874
6875 /*
6876 * Convert a string to a port number.
6877 */
6878 static bpf_u_int32
stringtoport(compiler_state_t * cstate,const char * string,size_t string_size,int * proto)6879 stringtoport(compiler_state_t *cstate, const char *string, size_t string_size,
6880 int *proto)
6881 {
6882 stoulen_ret ret;
6883 char *cpy;
6884 bpf_u_int32 val;
6885 int tcp_port = -1;
6886 int udp_port = -1;
6887
6888 /*
6889 * See if it's a number.
6890 */
6891 ret = stoulen(string, string_size, &val, cstate);
6892 switch (ret) {
6893
6894 case STOULEN_OK:
6895 /* Unknown port type - it's just a number. */
6896 *proto = PROTO_UNDEF;
6897 break;
6898
6899 case STOULEN_NOT_OCTAL_NUMBER:
6900 case STOULEN_NOT_HEX_NUMBER:
6901 case STOULEN_NOT_DECIMAL_NUMBER:
6902 /*
6903 * Not a valid number; try looking it up as a port.
6904 */
6905 cpy = malloc(string_size + 1); /* +1 for terminating '\0' */
6906 memcpy(cpy, string, string_size);
6907 cpy[string_size] = '\0';
6908 tcp_port = nametoport(cstate, cpy, IPPROTO_TCP);
6909 if (tcp_port == -2) {
6910 /*
6911 * We got a hard error; the error string has
6912 * already been set.
6913 */
6914 free(cpy);
6915 longjmp(cstate->top_ctx, 1);
6916 /*NOTREACHED*/
6917 }
6918 udp_port = nametoport(cstate, cpy, IPPROTO_UDP);
6919 if (udp_port == -2) {
6920 /*
6921 * We got a hard error; the error string has
6922 * already been set.
6923 */
6924 free(cpy);
6925 longjmp(cstate->top_ctx, 1);
6926 /*NOTREACHED*/
6927 }
6928
6929 /*
6930 * We need to check /etc/services for ambiguous entries.
6931 * If we find an ambiguous entry, and it has the
6932 * same port number, change the proto to PROTO_UNDEF
6933 * so both TCP and UDP will be checked.
6934 */
6935 if (tcp_port >= 0) {
6936 val = (bpf_u_int32)tcp_port;
6937 *proto = IPPROTO_TCP;
6938 if (udp_port >= 0) {
6939 if (udp_port == tcp_port)
6940 *proto = PROTO_UNDEF;
6941 #ifdef notdef
6942 else
6943 /* Can't handle ambiguous names that refer
6944 to different port numbers. */
6945 warning("ambiguous port %s in /etc/services",
6946 cpy);
6947 #endif
6948 }
6949 free(cpy);
6950 break;
6951 }
6952 if (udp_port >= 0) {
6953 val = (bpf_u_int32)udp_port;
6954 *proto = IPPROTO_UDP;
6955 free(cpy);
6956 break;
6957 }
6958 #if defined(ultrix) || defined(__osf__)
6959 /* Special hack in case NFS isn't in /etc/services */
6960 if (strcmp(cpy, "nfs") == 0) {
6961 val = 2049;
6962 *proto = PROTO_UNDEF;
6963 free(cpy);
6964 break;
6965 }
6966 #endif
6967 bpf_set_error(cstate, "'%s' is not a valid port", cpy);
6968 free(cpy);
6969 longjmp(cstate->top_ctx, 1);
6970 /*NOTREACHED*/
6971
6972 case STOULEN_ERROR:
6973 /* Error already set. */
6974 longjmp(cstate->top_ctx, 1);
6975 /*NOTREACHED*/
6976
6977 default:
6978 /* Should not happen */
6979 bpf_set_error(cstate, "stoulen returned %d - this should not happen", ret);
6980 longjmp(cstate->top_ctx, 1);
6981 /*NOTREACHED*/
6982 }
6983 return (val);
6984 }
6985
6986 /*
6987 * Convert a string in the form PPP-PPP, which correspond to ports, to
6988 * a starting and ending port in a port range.
6989 */
6990 static void
stringtoportrange(compiler_state_t * cstate,const char * string,bpf_u_int32 * port1,bpf_u_int32 * port2,int * proto)6991 stringtoportrange(compiler_state_t *cstate, const char *string,
6992 bpf_u_int32 *port1, bpf_u_int32 *port2, int *proto)
6993 {
6994 char *hyphen_off;
6995 const char *first, *second;
6996 size_t first_size, second_size;
6997 int save_proto;
6998
6999 if ((hyphen_off = strchr(string, '-')) == NULL)
7000 bpf_error(cstate, "port range '%s' contains no hyphen", string);
7001
7002 /*
7003 * Make sure there are no other hyphens.
7004 *
7005 * XXX - we support named ports, but there are some port names
7006 * in /etc/services that include hyphens, so this would rule
7007 * that out.
7008 */
7009 if (strchr(hyphen_off + 1, '-') != NULL)
7010 bpf_error(cstate, "port range '%s' contains more than one hyphen",
7011 string);
7012
7013 /*
7014 * Get the length of the first port.
7015 */
7016 first = string;
7017 first_size = hyphen_off - string;
7018 if (first_size == 0) {
7019 /* Range of "-port", which we don't support. */
7020 bpf_error(cstate, "port range '%s' has no starting port", string);
7021 }
7022
7023 /*
7024 * Try to convert it to a port.
7025 */
7026 *port1 = stringtoport(cstate, first, first_size, proto);
7027 save_proto = *proto;
7028
7029 /*
7030 * Get the length of the second port.
7031 */
7032 second = hyphen_off + 1;
7033 second_size = strlen(second);
7034 if (second_size == 0) {
7035 /* Range of "port-", which we don't support. */
7036 bpf_error(cstate, "port range '%s' has no ending port", string);
7037 }
7038
7039 /*
7040 * Try to convert it to a port.
7041 */
7042 *port2 = stringtoport(cstate, second, second_size, proto);
7043 if (*proto != save_proto)
7044 *proto = PROTO_UNDEF;
7045 }
7046
7047 struct block *
gen_scode(compiler_state_t * cstate,const char * name,struct qual q)7048 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
7049 {
7050 int proto = q.proto;
7051 int dir = q.dir;
7052 int tproto;
7053 u_char *eaddrp;
7054 u_char eaddr[6];
7055 bpf_u_int32 mask, addr;
7056 struct addrinfo *res, *res0;
7057 struct sockaddr_in *sin4;
7058 #ifdef INET6
7059 int tproto6;
7060 struct sockaddr_in6 *sin6;
7061 struct in6_addr mask128;
7062 #endif /*INET6*/
7063 struct block *b, *tmp;
7064 int port, real_proto;
7065 bpf_u_int32 port1, port2;
7066
7067 /*
7068 * Catch errors reported by us and routines below us, and return NULL
7069 * on an error.
7070 */
7071 if (setjmp(cstate->top_ctx))
7072 return (NULL);
7073
7074 switch (q.addr) {
7075
7076 case Q_NET:
7077 addr = pcap_nametonetaddr(name);
7078 if (addr == 0)
7079 bpf_error(cstate, "unknown network '%s'", name);
7080 /* Left justify network addr and calculate its network mask */
7081 mask = 0xffffffff;
7082 while (addr && (addr & 0xff000000) == 0) {
7083 addr <<= 8;
7084 mask <<= 8;
7085 }
7086 return gen_host(cstate, addr, mask, proto, dir, q.addr);
7087
7088 case Q_DEFAULT:
7089 case Q_HOST:
7090 if (proto == Q_LINK) {
7091 switch (cstate->linktype) {
7092
7093 case DLT_EN10MB:
7094 case DLT_NETANALYZER:
7095 case DLT_NETANALYZER_TRANSPARENT:
7096 eaddrp = pcap_ether_hostton(name);
7097 if (eaddrp == NULL)
7098 bpf_error(cstate,
7099 "unknown ether host '%s'", name);
7100 memcpy(eaddr, eaddrp, sizeof(eaddr));
7101 free(eaddrp);
7102 tmp = gen_prevlinkhdr_check(cstate);
7103 b = gen_ehostop(cstate, eaddr, dir);
7104 if (tmp != NULL)
7105 gen_and(tmp, b);
7106 return b;
7107
7108 case DLT_FDDI:
7109 eaddrp = pcap_ether_hostton(name);
7110 if (eaddrp == NULL)
7111 bpf_error(cstate,
7112 "unknown FDDI host '%s'", name);
7113 memcpy(eaddr, eaddrp, sizeof(eaddr));
7114 free(eaddrp);
7115 b = gen_fhostop(cstate, eaddr, dir);
7116 return b;
7117
7118 case DLT_IEEE802:
7119 eaddrp = pcap_ether_hostton(name);
7120 if (eaddrp == NULL)
7121 bpf_error(cstate,
7122 "unknown token ring host '%s'", name);
7123 memcpy(eaddr, eaddrp, sizeof(eaddr));
7124 free(eaddrp);
7125 b = gen_thostop(cstate, eaddr, dir);
7126 return b;
7127
7128 case DLT_IEEE802_11:
7129 case DLT_PRISM_HEADER:
7130 case DLT_IEEE802_11_RADIO_AVS:
7131 case DLT_IEEE802_11_RADIO:
7132 case DLT_PPI:
7133 eaddrp = pcap_ether_hostton(name);
7134 if (eaddrp == NULL)
7135 bpf_error(cstate,
7136 "unknown 802.11 host '%s'", name);
7137 memcpy(eaddr, eaddrp, sizeof(eaddr));
7138 free(eaddrp);
7139 b = gen_wlanhostop(cstate, eaddr, dir);
7140 return b;
7141
7142 case DLT_IP_OVER_FC:
7143 eaddrp = pcap_ether_hostton(name);
7144 if (eaddrp == NULL)
7145 bpf_error(cstate,
7146 "unknown Fibre Channel host '%s'", name);
7147 memcpy(eaddr, eaddrp, sizeof(eaddr));
7148 free(eaddrp);
7149 b = gen_ipfchostop(cstate, eaddr, dir);
7150 return b;
7151 }
7152
7153 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
7154 } else if (proto == Q_DECNET) {
7155 unsigned short dn_addr;
7156
7157 if (!__pcap_nametodnaddr(name, &dn_addr)) {
7158 #ifdef DECNETLIB
7159 bpf_error(cstate, "unknown decnet host name '%s'\n", name);
7160 #else
7161 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
7162 name);
7163 #endif
7164 }
7165 /*
7166 * I don't think DECNET hosts can be multihomed, so
7167 * there is no need to build up a list of addresses
7168 */
7169 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
7170 } else {
7171 #ifdef INET6
7172 memset(&mask128, 0xff, sizeof(mask128));
7173 #endif
7174 res0 = res = pcap_nametoaddrinfo(name);
7175 if (res == NULL)
7176 bpf_error(cstate, "unknown host '%s'", name);
7177 cstate->ai = res;
7178 b = tmp = NULL;
7179 tproto = proto;
7180 #ifdef INET6
7181 tproto6 = proto;
7182 #endif
7183 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
7184 tproto == Q_DEFAULT) {
7185 tproto = Q_IP;
7186 #ifdef INET6
7187 tproto6 = Q_IPV6;
7188 #endif
7189 }
7190 for (res = res0; res; res = res->ai_next) {
7191 switch (res->ai_family) {
7192 case AF_INET:
7193 #ifdef INET6
7194 /*
7195 * Ignore any IPv4 addresses when resolving
7196 * "ip6 host NAME", validate all other proto
7197 * qualifiers in gen_host().
7198 */
7199 if (tproto == Q_IPV6)
7200 continue;
7201 #endif
7202
7203 sin4 = (struct sockaddr_in *)
7204 res->ai_addr;
7205 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
7206 0xffffffff, tproto, dir, q.addr);
7207 break;
7208 #ifdef INET6
7209 case AF_INET6:
7210 /*
7211 * Ignore any IPv6 addresses when resolving
7212 * "(arp|ip|rarp) host NAME", validate all
7213 * other proto qualifiers in gen_host6().
7214 */
7215 if (tproto6 == Q_ARP || tproto6 == Q_IP ||
7216 tproto6 == Q_RARP)
7217 continue;
7218
7219 sin6 = (struct sockaddr_in6 *)
7220 res->ai_addr;
7221 tmp = gen_host6(cstate, &sin6->sin6_addr,
7222 &mask128, tproto6, dir, q.addr);
7223 break;
7224 #endif
7225 default:
7226 continue;
7227 }
7228 if (b)
7229 gen_or(b, tmp);
7230 b = tmp;
7231 }
7232 cstate->ai = NULL;
7233 freeaddrinfo(res0);
7234 if (b == NULL) {
7235 bpf_error(cstate, "unknown host '%s'%s", name,
7236 (proto == Q_DEFAULT)
7237 ? ""
7238 : " for specified address family");
7239 }
7240 return b;
7241 }
7242
7243 case Q_PORT:
7244 if (proto != Q_DEFAULT &&
7245 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
7246 bpf_error(cstate, "illegal qualifier of 'port'");
7247 if (pcap_nametoport(name, &port, &real_proto) == 0)
7248 bpf_error(cstate, "unknown port '%s'", name);
7249 if (proto == Q_UDP) {
7250 if (real_proto == IPPROTO_TCP)
7251 bpf_error(cstate, "port '%s' is tcp", name);
7252 else if (real_proto == IPPROTO_SCTP)
7253 bpf_error(cstate, "port '%s' is sctp", name);
7254 else
7255 /* override PROTO_UNDEF */
7256 real_proto = IPPROTO_UDP;
7257 }
7258 if (proto == Q_TCP) {
7259 if (real_proto == IPPROTO_UDP)
7260 bpf_error(cstate, "port '%s' is udp", name);
7261
7262 else if (real_proto == IPPROTO_SCTP)
7263 bpf_error(cstate, "port '%s' is sctp", name);
7264 else
7265 /* override PROTO_UNDEF */
7266 real_proto = IPPROTO_TCP;
7267 }
7268 if (proto == Q_SCTP) {
7269 if (real_proto == IPPROTO_UDP)
7270 bpf_error(cstate, "port '%s' is udp", name);
7271
7272 else if (real_proto == IPPROTO_TCP)
7273 bpf_error(cstate, "port '%s' is tcp", name);
7274 else
7275 /* override PROTO_UNDEF */
7276 real_proto = IPPROTO_SCTP;
7277 }
7278 if (port < 0)
7279 bpf_error(cstate, "illegal port number %d < 0", port);
7280 if (port > 65535)
7281 bpf_error(cstate, "illegal port number %d > 65535", port);
7282 b = gen_port(cstate, port, real_proto, dir);
7283 gen_or(gen_port6(cstate, port, real_proto, dir), b);
7284 return b;
7285
7286 case Q_PORTRANGE:
7287 if (proto != Q_DEFAULT &&
7288 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
7289 bpf_error(cstate, "illegal qualifier of 'portrange'");
7290 stringtoportrange(cstate, name, &port1, &port2, &real_proto);
7291 if (proto == Q_UDP) {
7292 if (real_proto == IPPROTO_TCP)
7293 bpf_error(cstate, "port in range '%s' is tcp", name);
7294 else if (real_proto == IPPROTO_SCTP)
7295 bpf_error(cstate, "port in range '%s' is sctp", name);
7296 else
7297 /* override PROTO_UNDEF */
7298 real_proto = IPPROTO_UDP;
7299 }
7300 if (proto == Q_TCP) {
7301 if (real_proto == IPPROTO_UDP)
7302 bpf_error(cstate, "port in range '%s' is udp", name);
7303 else if (real_proto == IPPROTO_SCTP)
7304 bpf_error(cstate, "port in range '%s' is sctp", name);
7305 else
7306 /* override PROTO_UNDEF */
7307 real_proto = IPPROTO_TCP;
7308 }
7309 if (proto == Q_SCTP) {
7310 if (real_proto == IPPROTO_UDP)
7311 bpf_error(cstate, "port in range '%s' is udp", name);
7312 else if (real_proto == IPPROTO_TCP)
7313 bpf_error(cstate, "port in range '%s' is tcp", name);
7314 else
7315 /* override PROTO_UNDEF */
7316 real_proto = IPPROTO_SCTP;
7317 }
7318 if (port1 > 65535)
7319 bpf_error(cstate, "illegal port number %d > 65535", port1);
7320 if (port2 > 65535)
7321 bpf_error(cstate, "illegal port number %d > 65535", port2);
7322
7323 b = gen_portrange(cstate, port1, port2, real_proto, dir);
7324 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
7325 return b;
7326
7327 case Q_GATEWAY:
7328 #ifndef INET6
7329 eaddrp = pcap_ether_hostton(name);
7330 if (eaddrp == NULL)
7331 bpf_error(cstate, "unknown ether host: %s", name);
7332 memcpy(eaddr, eaddrp, sizeof(eaddr));
7333 free(eaddrp);
7334
7335 res = pcap_nametoaddrinfo(name);
7336 cstate->ai = res;
7337 if (res == NULL)
7338 bpf_error(cstate, "unknown host '%s'", name);
7339 b = gen_gateway(cstate, eaddr, res, proto, dir);
7340 cstate->ai = NULL;
7341 freeaddrinfo(res);
7342 if (b == NULL)
7343 bpf_error(cstate, "unknown host '%s'", name);
7344 return b;
7345 #else
7346 bpf_error(cstate, "'gateway' not supported in this configuration");
7347 #endif /*INET6*/
7348
7349 case Q_PROTO:
7350 real_proto = lookup_proto(cstate, name, proto);
7351 if (real_proto >= 0)
7352 return gen_proto(cstate, real_proto, proto, dir);
7353 else
7354 bpf_error(cstate, "unknown protocol: %s", name);
7355
7356 #if !defined(NO_PROTOCHAIN)
7357 case Q_PROTOCHAIN:
7358 real_proto = lookup_proto(cstate, name, proto);
7359 if (real_proto >= 0)
7360 return gen_protochain(cstate, real_proto, proto);
7361 else
7362 bpf_error(cstate, "unknown protocol: %s", name);
7363 #endif /* !defined(NO_PROTOCHAIN) */
7364
7365 case Q_UNDEF:
7366 syntax(cstate);
7367 /*NOTREACHED*/
7368 }
7369 abort();
7370 /*NOTREACHED*/
7371 }
7372
7373 struct block *
gen_mcode(compiler_state_t * cstate,const char * s1,const char * s2,bpf_u_int32 masklen,struct qual q)7374 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
7375 bpf_u_int32 masklen, struct qual q)
7376 {
7377 register int nlen, mlen;
7378 bpf_u_int32 n, m;
7379 uint64_t m64;
7380
7381 /*
7382 * Catch errors reported by us and routines below us, and return NULL
7383 * on an error.
7384 */
7385 if (setjmp(cstate->top_ctx))
7386 return (NULL);
7387
7388 nlen = __pcap_atoin(s1, &n);
7389 if (nlen < 0)
7390 bpf_error(cstate, "invalid IPv4 address '%s'", s1);
7391 /* Promote short ipaddr */
7392 n <<= 32 - nlen;
7393
7394 if (s2 != NULL) {
7395 mlen = __pcap_atoin(s2, &m);
7396 if (mlen < 0)
7397 bpf_error(cstate, "invalid IPv4 address '%s'", s2);
7398 /* Promote short ipaddr */
7399 m <<= 32 - mlen;
7400 if ((n & ~m) != 0)
7401 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
7402 s1, s2);
7403 } else {
7404 /* Convert mask len to mask */
7405 if (masklen > 32)
7406 bpf_error(cstate, "mask length must be <= 32");
7407 m64 = UINT64_C(0xffffffff) << (32 - masklen);
7408 m = (bpf_u_int32)m64;
7409 if ((n & ~m) != 0)
7410 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
7411 s1, masklen);
7412 }
7413
7414 switch (q.addr) {
7415
7416 case Q_NET:
7417 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
7418
7419 default:
7420 bpf_error(cstate, "Mask syntax for networks only");
7421 /*NOTREACHED*/
7422 }
7423 /*NOTREACHED*/
7424 }
7425
7426 struct block *
gen_ncode(compiler_state_t * cstate,const char * s,bpf_u_int32 v,struct qual q)7427 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
7428 {
7429 bpf_u_int32 mask;
7430 int proto;
7431 int dir;
7432 register int vlen;
7433
7434 /*
7435 * Catch errors reported by us and routines below us, and return NULL
7436 * on an error.
7437 */
7438 if (setjmp(cstate->top_ctx))
7439 return (NULL);
7440
7441 proto = q.proto;
7442 dir = q.dir;
7443 if (s == NULL)
7444 vlen = 32;
7445 else if (q.proto == Q_DECNET) {
7446 vlen = __pcap_atodn(s, &v);
7447 if (vlen == 0)
7448 bpf_error(cstate, "malformed decnet address '%s'", s);
7449 } else {
7450 vlen = __pcap_atoin(s, &v);
7451 if (vlen < 0)
7452 bpf_error(cstate, "invalid IPv4 address '%s'", s);
7453 }
7454
7455 switch (q.addr) {
7456
7457 case Q_DEFAULT:
7458 case Q_HOST:
7459 case Q_NET:
7460 if (proto == Q_DECNET)
7461 return gen_host(cstate, v, 0, proto, dir, q.addr);
7462 else if (proto == Q_LINK) {
7463 bpf_error(cstate, "illegal link layer address");
7464 } else {
7465 mask = 0xffffffff;
7466 if (s == NULL && q.addr == Q_NET) {
7467 /* Promote short net number */
7468 while (v && (v & 0xff000000) == 0) {
7469 v <<= 8;
7470 mask <<= 8;
7471 }
7472 } else {
7473 /* Promote short ipaddr */
7474 v <<= 32 - vlen;
7475 mask <<= 32 - vlen ;
7476 }
7477 return gen_host(cstate, v, mask, proto, dir, q.addr);
7478 }
7479
7480 case Q_PORT:
7481 if (proto == Q_UDP)
7482 proto = IPPROTO_UDP;
7483 else if (proto == Q_TCP)
7484 proto = IPPROTO_TCP;
7485 else if (proto == Q_SCTP)
7486 proto = IPPROTO_SCTP;
7487 else if (proto == Q_DEFAULT)
7488 proto = PROTO_UNDEF;
7489 else
7490 bpf_error(cstate, "illegal qualifier of 'port'");
7491
7492 if (v > 65535)
7493 bpf_error(cstate, "illegal port number %u > 65535", v);
7494
7495 {
7496 struct block *b;
7497 b = gen_port(cstate, v, proto, dir);
7498 gen_or(gen_port6(cstate, v, proto, dir), b);
7499 return b;
7500 }
7501
7502 case Q_PORTRANGE:
7503 if (proto == Q_UDP)
7504 proto = IPPROTO_UDP;
7505 else if (proto == Q_TCP)
7506 proto = IPPROTO_TCP;
7507 else if (proto == Q_SCTP)
7508 proto = IPPROTO_SCTP;
7509 else if (proto == Q_DEFAULT)
7510 proto = PROTO_UNDEF;
7511 else
7512 bpf_error(cstate, "illegal qualifier of 'portrange'");
7513
7514 if (v > 65535)
7515 bpf_error(cstate, "illegal port number %u > 65535", v);
7516
7517 {
7518 struct block *b;
7519 b = gen_portrange(cstate, v, v, proto, dir);
7520 gen_or(gen_portrange6(cstate, v, v, proto, dir), b);
7521 return b;
7522 }
7523
7524 case Q_GATEWAY:
7525 bpf_error(cstate, "'gateway' requires a name");
7526 /*NOTREACHED*/
7527
7528 case Q_PROTO:
7529 return gen_proto(cstate, v, proto, dir);
7530
7531 #if !defined(NO_PROTOCHAIN)
7532 case Q_PROTOCHAIN:
7533 return gen_protochain(cstate, v, proto);
7534 #endif
7535
7536 case Q_UNDEF:
7537 syntax(cstate);
7538 /*NOTREACHED*/
7539
7540 default:
7541 abort();
7542 /*NOTREACHED*/
7543 }
7544 /*NOTREACHED*/
7545 }
7546
7547 #ifdef INET6
7548 struct block *
gen_mcode6(compiler_state_t * cstate,const char * s,bpf_u_int32 masklen,struct qual q)7549 gen_mcode6(compiler_state_t *cstate, const char *s, bpf_u_int32 masklen,
7550 struct qual q)
7551 {
7552 struct addrinfo *res;
7553 struct in6_addr *addr;
7554 struct in6_addr mask;
7555 struct block *b;
7556 bpf_u_int32 a[4], m[4]; /* Same as in gen_hostop6(). */
7557
7558 /*
7559 * Catch errors reported by us and routines below us, and return NULL
7560 * on an error.
7561 */
7562 if (setjmp(cstate->top_ctx))
7563 return (NULL);
7564
7565 res = pcap_nametoaddrinfo(s);
7566 if (!res)
7567 bpf_error(cstate, "invalid ip6 address %s", s);
7568 cstate->ai = res;
7569 if (res->ai_next)
7570 bpf_error(cstate, "%s resolved to multiple address", s);
7571 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
7572
7573 if (masklen > sizeof(mask.s6_addr) * 8)
7574 bpf_error(cstate, "mask length must be <= %zu", sizeof(mask.s6_addr) * 8);
7575 memset(&mask, 0, sizeof(mask));
7576 memset(&mask.s6_addr, 0xff, masklen / 8);
7577 if (masklen % 8) {
7578 mask.s6_addr[masklen / 8] =
7579 (0xff << (8 - masklen % 8)) & 0xff;
7580 }
7581
7582 memcpy(a, addr, sizeof(a));
7583 memcpy(m, &mask, sizeof(m));
7584 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
7585 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
7586 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s, masklen);
7587 }
7588
7589 switch (q.addr) {
7590
7591 case Q_DEFAULT:
7592 case Q_HOST:
7593 if (masklen != 128)
7594 bpf_error(cstate, "Mask syntax for networks only");
7595 /* FALLTHROUGH */
7596
7597 case Q_NET:
7598 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
7599 cstate->ai = NULL;
7600 freeaddrinfo(res);
7601 return b;
7602
7603 default:
7604 bpf_error(cstate, "invalid qualifier against IPv6 address");
7605 /*NOTREACHED*/
7606 }
7607 }
7608 #endif /*INET6*/
7609
7610 struct block *
gen_ecode(compiler_state_t * cstate,const char * s,struct qual q)7611 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
7612 {
7613 struct block *b, *tmp;
7614
7615 /*
7616 * Catch errors reported by us and routines below us, and return NULL
7617 * on an error.
7618 */
7619 if (setjmp(cstate->top_ctx))
7620 return (NULL);
7621
7622 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
7623 /*
7624 * Because the lexer guards the input string format, in this
7625 * context the function returns NULL iff the implicit malloc()
7626 * has failed.
7627 */
7628 cstate->e = pcap_ether_aton(s);
7629 if (cstate->e == NULL)
7630 bpf_error(cstate, "malloc");
7631 switch (cstate->linktype) {
7632 case DLT_EN10MB:
7633 case DLT_NETANALYZER:
7634 case DLT_NETANALYZER_TRANSPARENT:
7635 tmp = gen_prevlinkhdr_check(cstate);
7636 b = gen_ehostop(cstate, cstate->e, (int)q.dir);
7637 if (tmp != NULL)
7638 gen_and(tmp, b);
7639 break;
7640 case DLT_FDDI:
7641 b = gen_fhostop(cstate, cstate->e, (int)q.dir);
7642 break;
7643 case DLT_IEEE802:
7644 b = gen_thostop(cstate, cstate->e, (int)q.dir);
7645 break;
7646 case DLT_IEEE802_11:
7647 case DLT_PRISM_HEADER:
7648 case DLT_IEEE802_11_RADIO_AVS:
7649 case DLT_IEEE802_11_RADIO:
7650 case DLT_PPI:
7651 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir);
7652 break;
7653 case DLT_IP_OVER_FC:
7654 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir);
7655 break;
7656 default:
7657 free(cstate->e);
7658 cstate->e = NULL;
7659 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
7660 /*NOTREACHED*/
7661 }
7662 free(cstate->e);
7663 cstate->e = NULL;
7664 return (b);
7665 }
7666 bpf_error(cstate, "ethernet address used in non-ether expression");
7667 /*NOTREACHED*/
7668 }
7669
7670 void
sappend(struct slist * s0,struct slist * s1)7671 sappend(struct slist *s0, struct slist *s1)
7672 {
7673 /*
7674 * This is definitely not the best way to do this, but the
7675 * lists will rarely get long.
7676 */
7677 while (s0->next)
7678 s0 = s0->next;
7679 s0->next = s1;
7680 }
7681
7682 static struct slist *
xfer_to_x(compiler_state_t * cstate,struct arth * a)7683 xfer_to_x(compiler_state_t *cstate, struct arth *a)
7684 {
7685 struct slist *s;
7686
7687 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
7688 s->s.k = a->regno;
7689 return s;
7690 }
7691
7692 static struct slist *
xfer_to_a(compiler_state_t * cstate,struct arth * a)7693 xfer_to_a(compiler_state_t *cstate, struct arth *a)
7694 {
7695 struct slist *s;
7696
7697 s = new_stmt(cstate, BPF_LD|BPF_MEM);
7698 s->s.k = a->regno;
7699 return s;
7700 }
7701
7702 /*
7703 * Modify "index" to use the value stored into its register as an
7704 * offset relative to the beginning of the header for the protocol
7705 * "proto", and allocate a register and put an item "size" bytes long
7706 * (1, 2, or 4) at that offset into that register, making it the register
7707 * for "index".
7708 */
7709 static struct arth *
gen_load_internal(compiler_state_t * cstate,int proto,struct arth * inst,bpf_u_int32 size)7710 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst,
7711 bpf_u_int32 size)
7712 {
7713 int size_code;
7714 struct slist *s, *tmp;
7715 struct block *b;
7716 int regno = alloc_reg(cstate);
7717
7718 free_reg(cstate, inst->regno);
7719 switch (size) {
7720
7721 default:
7722 bpf_error(cstate, "data size must be 1, 2, or 4");
7723 /*NOTREACHED*/
7724
7725 case 1:
7726 size_code = BPF_B;
7727 break;
7728
7729 case 2:
7730 size_code = BPF_H;
7731 break;
7732
7733 case 4:
7734 size_code = BPF_W;
7735 break;
7736 }
7737 switch (proto) {
7738 default:
7739 bpf_error(cstate, "unsupported index operation");
7740
7741 case Q_RADIO:
7742 /*
7743 * The offset is relative to the beginning of the packet
7744 * data, if we have a radio header. (If we don't, this
7745 * is an error.)
7746 */
7747 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
7748 cstate->linktype != DLT_IEEE802_11_RADIO &&
7749 cstate->linktype != DLT_PRISM_HEADER)
7750 bpf_error(cstate, "radio information not present in capture");
7751
7752 /*
7753 * Load into the X register the offset computed into the
7754 * register specified by "index".
7755 */
7756 s = xfer_to_x(cstate, inst);
7757
7758 /*
7759 * Load the item at that offset.
7760 */
7761 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7762 sappend(s, tmp);
7763 sappend(inst->s, s);
7764 break;
7765
7766 case Q_LINK:
7767 /*
7768 * The offset is relative to the beginning of
7769 * the link-layer header.
7770 *
7771 * XXX - what about ATM LANE? Should the index be
7772 * relative to the beginning of the AAL5 frame, so
7773 * that 0 refers to the beginning of the LE Control
7774 * field, or relative to the beginning of the LAN
7775 * frame, so that 0 refers, for Ethernet LANE, to
7776 * the beginning of the destination address?
7777 */
7778 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
7779
7780 /*
7781 * If "s" is non-null, it has code to arrange that the
7782 * X register contains the length of the prefix preceding
7783 * the link-layer header. Add to it the offset computed
7784 * into the register specified by "index", and move that
7785 * into the X register. Otherwise, just load into the X
7786 * register the offset computed into the register specified
7787 * by "index".
7788 */
7789 if (s != NULL) {
7790 sappend(s, xfer_to_a(cstate, inst));
7791 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7792 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7793 } else
7794 s = xfer_to_x(cstate, inst);
7795
7796 /*
7797 * Load the item at the sum of the offset we've put in the
7798 * X register and the offset of the start of the link
7799 * layer header (which is 0 if the radio header is
7800 * variable-length; that header length is what we put
7801 * into the X register and then added to the index).
7802 */
7803 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7804 tmp->s.k = cstate->off_linkhdr.constant_part;
7805 sappend(s, tmp);
7806 sappend(inst->s, s);
7807 break;
7808
7809 case Q_IP:
7810 case Q_ARP:
7811 case Q_RARP:
7812 case Q_ATALK:
7813 case Q_DECNET:
7814 case Q_SCA:
7815 case Q_LAT:
7816 case Q_MOPRC:
7817 case Q_MOPDL:
7818 case Q_IPV6:
7819 /*
7820 * The offset is relative to the beginning of
7821 * the network-layer header.
7822 * XXX - are there any cases where we want
7823 * cstate->off_nl_nosnap?
7824 */
7825 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7826
7827 /*
7828 * If "s" is non-null, it has code to arrange that the
7829 * X register contains the variable part of the offset
7830 * of the link-layer payload. Add to it the offset
7831 * computed into the register specified by "index",
7832 * and move that into the X register. Otherwise, just
7833 * load into the X register the offset computed into
7834 * the register specified by "index".
7835 */
7836 if (s != NULL) {
7837 sappend(s, xfer_to_a(cstate, inst));
7838 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7839 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7840 } else
7841 s = xfer_to_x(cstate, inst);
7842
7843 /*
7844 * Load the item at the sum of the offset we've put in the
7845 * X register, the offset of the start of the network
7846 * layer header from the beginning of the link-layer
7847 * payload, and the constant part of the offset of the
7848 * start of the link-layer payload.
7849 */
7850 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7851 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7852 sappend(s, tmp);
7853 sappend(inst->s, s);
7854
7855 /*
7856 * Do the computation only if the packet contains
7857 * the protocol in question.
7858 */
7859 b = gen_proto_abbrev_internal(cstate, proto);
7860 if (inst->b)
7861 gen_and(inst->b, b);
7862 inst->b = b;
7863 break;
7864
7865 case Q_SCTP:
7866 case Q_TCP:
7867 case Q_UDP:
7868 case Q_ICMP:
7869 case Q_IGMP:
7870 case Q_IGRP:
7871 case Q_PIM:
7872 case Q_VRRP:
7873 case Q_CARP:
7874 /*
7875 * The offset is relative to the beginning of
7876 * the transport-layer header.
7877 *
7878 * Load the X register with the length of the IPv4 header
7879 * (plus the offset of the link-layer header, if it's
7880 * a variable-length header), in bytes.
7881 *
7882 * XXX - are there any cases where we want
7883 * cstate->off_nl_nosnap?
7884 * XXX - we should, if we're built with
7885 * IPv6 support, generate code to load either
7886 * IPv4, IPv6, or both, as appropriate.
7887 */
7888 s = gen_loadx_iphdrlen(cstate);
7889
7890 /*
7891 * The X register now contains the sum of the variable
7892 * part of the offset of the link-layer payload and the
7893 * length of the network-layer header.
7894 *
7895 * Load into the A register the offset relative to
7896 * the beginning of the transport layer header,
7897 * add the X register to that, move that to the
7898 * X register, and load with an offset from the
7899 * X register equal to the sum of the constant part of
7900 * the offset of the link-layer payload and the offset,
7901 * relative to the beginning of the link-layer payload,
7902 * of the network-layer header.
7903 */
7904 sappend(s, xfer_to_a(cstate, inst));
7905 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7906 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7907 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code));
7908 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7909 sappend(inst->s, s);
7910
7911 /*
7912 * Do the computation only if the packet contains
7913 * the protocol in question - which is true only
7914 * if this is an IP datagram and is the first or
7915 * only fragment of that datagram.
7916 */
7917 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate));
7918 if (inst->b)
7919 gen_and(inst->b, b);
7920 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b);
7921 inst->b = b;
7922 break;
7923 case Q_ICMPV6:
7924 /*
7925 * Do the computation only if the packet contains
7926 * the protocol in question.
7927 */
7928 b = gen_proto_abbrev_internal(cstate, Q_IPV6);
7929 if (inst->b)
7930 gen_and(inst->b, b);
7931 inst->b = b;
7932
7933 /*
7934 * Check if we have an icmp6 next header
7935 */
7936 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58);
7937 if (inst->b)
7938 gen_and(inst->b, b);
7939 inst->b = b;
7940
7941 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7942 /*
7943 * If "s" is non-null, it has code to arrange that the
7944 * X register contains the variable part of the offset
7945 * of the link-layer payload. Add to it the offset
7946 * computed into the register specified by "index",
7947 * and move that into the X register. Otherwise, just
7948 * load into the X register the offset computed into
7949 * the register specified by "index".
7950 */
7951 if (s != NULL) {
7952 sappend(s, xfer_to_a(cstate, inst));
7953 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7954 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7955 } else
7956 s = xfer_to_x(cstate, inst);
7957
7958 /*
7959 * Load the item at the sum of the offset we've put in the
7960 * X register, the offset of the start of the network
7961 * layer header from the beginning of the link-layer
7962 * payload, and the constant part of the offset of the
7963 * start of the link-layer payload.
7964 */
7965 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7966 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7967
7968 sappend(s, tmp);
7969 sappend(inst->s, s);
7970
7971 break;
7972 }
7973 inst->regno = regno;
7974 s = new_stmt(cstate, BPF_ST);
7975 s->s.k = regno;
7976 sappend(inst->s, s);
7977
7978 return inst;
7979 }
7980
7981 struct arth *
gen_load(compiler_state_t * cstate,int proto,struct arth * inst,bpf_u_int32 size)7982 gen_load(compiler_state_t *cstate, int proto, struct arth *inst,
7983 bpf_u_int32 size)
7984 {
7985 /*
7986 * Catch errors reported by us and routines below us, and return NULL
7987 * on an error.
7988 */
7989 if (setjmp(cstate->top_ctx))
7990 return (NULL);
7991
7992 return gen_load_internal(cstate, proto, inst, size);
7993 }
7994
7995 static struct block *
gen_relation_internal(compiler_state_t * cstate,int code,struct arth * a0,struct arth * a1,int reversed)7996 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0,
7997 struct arth *a1, int reversed)
7998 {
7999 struct slist *s0, *s1, *s2;
8000 struct block *b, *tmp;
8001
8002 s0 = xfer_to_x(cstate, a1);
8003 s1 = xfer_to_a(cstate, a0);
8004 if (code == BPF_JEQ) {
8005 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
8006 b = new_block(cstate, JMP(code));
8007 sappend(s1, s2);
8008 }
8009 else
8010 b = new_block(cstate, BPF_JMP|code|BPF_X);
8011 if (reversed)
8012 gen_not(b);
8013
8014 sappend(s0, s1);
8015 sappend(a1->s, s0);
8016 sappend(a0->s, a1->s);
8017
8018 b->stmts = a0->s;
8019
8020 free_reg(cstate, a0->regno);
8021 free_reg(cstate, a1->regno);
8022
8023 /* 'and' together protocol checks */
8024 if (a0->b) {
8025 if (a1->b) {
8026 gen_and(a0->b, tmp = a1->b);
8027 }
8028 else
8029 tmp = a0->b;
8030 } else
8031 tmp = a1->b;
8032
8033 if (tmp)
8034 gen_and(tmp, b);
8035
8036 return b;
8037 }
8038
8039 struct block *
gen_relation(compiler_state_t * cstate,int code,struct arth * a0,struct arth * a1,int reversed)8040 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
8041 struct arth *a1, int reversed)
8042 {
8043 /*
8044 * Catch errors reported by us and routines below us, and return NULL
8045 * on an error.
8046 */
8047 if (setjmp(cstate->top_ctx))
8048 return (NULL);
8049
8050 return gen_relation_internal(cstate, code, a0, a1, reversed);
8051 }
8052
8053 struct arth *
gen_loadlen(compiler_state_t * cstate)8054 gen_loadlen(compiler_state_t *cstate)
8055 {
8056 int regno;
8057 struct arth *a;
8058 struct slist *s;
8059
8060 /*
8061 * Catch errors reported by us and routines below us, and return NULL
8062 * on an error.
8063 */
8064 if (setjmp(cstate->top_ctx))
8065 return (NULL);
8066
8067 regno = alloc_reg(cstate);
8068 a = (struct arth *)newchunk(cstate, sizeof(*a));
8069 s = new_stmt(cstate, BPF_LD|BPF_LEN);
8070 s->next = new_stmt(cstate, BPF_ST);
8071 s->next->s.k = regno;
8072 a->s = s;
8073 a->regno = regno;
8074
8075 return a;
8076 }
8077
8078 static struct arth *
gen_loadi_internal(compiler_state_t * cstate,bpf_u_int32 val)8079 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val)
8080 {
8081 struct arth *a;
8082 struct slist *s;
8083 int reg;
8084
8085 a = (struct arth *)newchunk(cstate, sizeof(*a));
8086
8087 reg = alloc_reg(cstate);
8088
8089 s = new_stmt(cstate, BPF_LD|BPF_IMM);
8090 s->s.k = val;
8091 s->next = new_stmt(cstate, BPF_ST);
8092 s->next->s.k = reg;
8093 a->s = s;
8094 a->regno = reg;
8095
8096 return a;
8097 }
8098
8099 struct arth *
gen_loadi(compiler_state_t * cstate,bpf_u_int32 val)8100 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val)
8101 {
8102 /*
8103 * Catch errors reported by us and routines below us, and return NULL
8104 * on an error.
8105 */
8106 if (setjmp(cstate->top_ctx))
8107 return (NULL);
8108
8109 return gen_loadi_internal(cstate, val);
8110 }
8111
8112 /*
8113 * The a_arg dance is to avoid annoying whining by compilers that
8114 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
8115 * It's not *used* after setjmp returns.
8116 */
8117 struct arth *
gen_neg(compiler_state_t * cstate,struct arth * a_arg)8118 gen_neg(compiler_state_t *cstate, struct arth *a_arg)
8119 {
8120 struct arth *a = a_arg;
8121 struct slist *s;
8122
8123 /*
8124 * Catch errors reported by us and routines below us, and return NULL
8125 * on an error.
8126 */
8127 if (setjmp(cstate->top_ctx))
8128 return (NULL);
8129
8130 s = xfer_to_a(cstate, a);
8131 sappend(a->s, s);
8132 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
8133 s->s.k = 0;
8134 sappend(a->s, s);
8135 s = new_stmt(cstate, BPF_ST);
8136 s->s.k = a->regno;
8137 sappend(a->s, s);
8138
8139 return a;
8140 }
8141
8142 /*
8143 * The a0_arg dance is to avoid annoying whining by compilers that
8144 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
8145 * It's not *used* after setjmp returns.
8146 */
8147 struct arth *
gen_arth(compiler_state_t * cstate,int code,struct arth * a0_arg,struct arth * a1)8148 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg,
8149 struct arth *a1)
8150 {
8151 struct arth *a0 = a0_arg;
8152 struct slist *s0, *s1, *s2;
8153
8154 /*
8155 * Catch errors reported by us and routines below us, and return NULL
8156 * on an error.
8157 */
8158 if (setjmp(cstate->top_ctx))
8159 return (NULL);
8160
8161 /*
8162 * Disallow division by, or modulus by, zero; we do this here
8163 * so that it gets done even if the optimizer is disabled.
8164 *
8165 * Also disallow shifts by a value greater than 31; we do this
8166 * here, for the same reason.
8167 */
8168 if (code == BPF_DIV) {
8169 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
8170 bpf_error(cstate, "division by zero");
8171 } else if (code == BPF_MOD) {
8172 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
8173 bpf_error(cstate, "modulus by zero");
8174 } else if (code == BPF_LSH || code == BPF_RSH) {
8175 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31)
8176 bpf_error(cstate, "shift by more than 31 bits");
8177 }
8178 s0 = xfer_to_x(cstate, a1);
8179 s1 = xfer_to_a(cstate, a0);
8180 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
8181
8182 sappend(s1, s2);
8183 sappend(s0, s1);
8184 sappend(a1->s, s0);
8185 sappend(a0->s, a1->s);
8186
8187 free_reg(cstate, a0->regno);
8188 free_reg(cstate, a1->regno);
8189
8190 s0 = new_stmt(cstate, BPF_ST);
8191 a0->regno = s0->s.k = alloc_reg(cstate);
8192 sappend(a0->s, s0);
8193
8194 return a0;
8195 }
8196
8197 /*
8198 * Initialize the table of used registers and the current register.
8199 */
8200 static void
init_regs(compiler_state_t * cstate)8201 init_regs(compiler_state_t *cstate)
8202 {
8203 cstate->curreg = 0;
8204 memset(cstate->regused, 0, sizeof cstate->regused);
8205 }
8206
8207 /*
8208 * Return the next free register.
8209 */
8210 static int
alloc_reg(compiler_state_t * cstate)8211 alloc_reg(compiler_state_t *cstate)
8212 {
8213 int n = BPF_MEMWORDS;
8214
8215 while (--n >= 0) {
8216 if (cstate->regused[cstate->curreg])
8217 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
8218 else {
8219 cstate->regused[cstate->curreg] = 1;
8220 return cstate->curreg;
8221 }
8222 }
8223 bpf_error(cstate, "too many registers needed to evaluate expression");
8224 /*NOTREACHED*/
8225 }
8226
8227 /*
8228 * Return a register to the table so it can
8229 * be used later.
8230 */
8231 static void
free_reg(compiler_state_t * cstate,int n)8232 free_reg(compiler_state_t *cstate, int n)
8233 {
8234 cstate->regused[n] = 0;
8235 }
8236
8237 static struct block *
gen_len(compiler_state_t * cstate,int jmp,int n)8238 gen_len(compiler_state_t *cstate, int jmp, int n)
8239 {
8240 struct slist *s;
8241 struct block *b;
8242
8243 s = new_stmt(cstate, BPF_LD|BPF_LEN);
8244 b = new_block(cstate, JMP(jmp));
8245 b->stmts = s;
8246 b->s.k = n;
8247
8248 return b;
8249 }
8250
8251 struct block *
gen_greater(compiler_state_t * cstate,int n)8252 gen_greater(compiler_state_t *cstate, int n)
8253 {
8254 /*
8255 * Catch errors reported by us and routines below us, and return NULL
8256 * on an error.
8257 */
8258 if (setjmp(cstate->top_ctx))
8259 return (NULL);
8260
8261 return gen_len(cstate, BPF_JGE, n);
8262 }
8263
8264 /*
8265 * Actually, this is less than or equal.
8266 */
8267 struct block *
gen_less(compiler_state_t * cstate,int n)8268 gen_less(compiler_state_t *cstate, int n)
8269 {
8270 struct block *b;
8271
8272 /*
8273 * Catch errors reported by us and routines below us, and return NULL
8274 * on an error.
8275 */
8276 if (setjmp(cstate->top_ctx))
8277 return (NULL);
8278
8279 b = gen_len(cstate, BPF_JGT, n);
8280 gen_not(b);
8281
8282 return b;
8283 }
8284
8285 /*
8286 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
8287 * the beginning of the link-layer header.
8288 * XXX - that means you can't test values in the radiotap header, but
8289 * as that header is difficult if not impossible to parse generally
8290 * without a loop, that might not be a severe problem. A new keyword
8291 * "radio" could be added for that, although what you'd really want
8292 * would be a way of testing particular radio header values, which
8293 * would generate code appropriate to the radio header in question.
8294 */
8295 struct block *
gen_byteop(compiler_state_t * cstate,int op,int idx,bpf_u_int32 val)8296 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val)
8297 {
8298 struct block *b;
8299 struct slist *s;
8300
8301 /*
8302 * Catch errors reported by us and routines below us, and return NULL
8303 * on an error.
8304 */
8305 if (setjmp(cstate->top_ctx))
8306 return (NULL);
8307
8308 switch (op) {
8309 default:
8310 abort();
8311
8312 case '=':
8313 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8314
8315 case '<':
8316 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8317 return b;
8318
8319 case '>':
8320 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8321 return b;
8322
8323 case '|':
8324 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
8325 break;
8326
8327 case '&':
8328 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
8329 break;
8330 }
8331 s->s.k = val;
8332 b = new_block(cstate, JMP(BPF_JEQ));
8333 b->stmts = s;
8334 gen_not(b);
8335
8336 return b;
8337 }
8338
8339 struct block *
gen_broadcast(compiler_state_t * cstate,int proto)8340 gen_broadcast(compiler_state_t *cstate, int proto)
8341 {
8342 bpf_u_int32 hostmask;
8343 struct block *b0, *b1, *b2;
8344 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
8345
8346 /*
8347 * Catch errors reported by us and routines below us, and return NULL
8348 * on an error.
8349 */
8350 if (setjmp(cstate->top_ctx))
8351 return (NULL);
8352
8353 switch (proto) {
8354
8355 case Q_DEFAULT:
8356 case Q_LINK:
8357 switch (cstate->linktype) {
8358 case DLT_ARCNET:
8359 case DLT_ARCNET_LINUX:
8360 // ARCnet broadcast is [8-bit] destination address 0.
8361 return gen_ahostop(cstate, 0, Q_DST);
8362 case DLT_EN10MB:
8363 case DLT_NETANALYZER:
8364 case DLT_NETANALYZER_TRANSPARENT:
8365 b1 = gen_prevlinkhdr_check(cstate);
8366 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
8367 if (b1 != NULL)
8368 gen_and(b1, b0);
8369 return b0;
8370 case DLT_FDDI:
8371 return gen_fhostop(cstate, ebroadcast, Q_DST);
8372 case DLT_IEEE802:
8373 return gen_thostop(cstate, ebroadcast, Q_DST);
8374 case DLT_IEEE802_11:
8375 case DLT_PRISM_HEADER:
8376 case DLT_IEEE802_11_RADIO_AVS:
8377 case DLT_IEEE802_11_RADIO:
8378 case DLT_PPI:
8379 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
8380 case DLT_IP_OVER_FC:
8381 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
8382 default:
8383 bpf_error(cstate, "not a broadcast link");
8384 }
8385 /*NOTREACHED*/
8386
8387 case Q_IP:
8388 /*
8389 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
8390 * as an indication that we don't know the netmask, and fail
8391 * in that case.
8392 */
8393 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
8394 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
8395 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8396 hostmask = ~cstate->netmask;
8397 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask);
8398 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W,
8399 ~0 & hostmask, hostmask);
8400 gen_or(b1, b2);
8401 gen_and(b0, b2);
8402 return b2;
8403 }
8404 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
8405 /*NOTREACHED*/
8406 }
8407
8408 /*
8409 * Generate code to test the low-order bit of a MAC address (that's
8410 * the bottom bit of the *first* byte).
8411 */
8412 static struct block *
gen_mac_multicast(compiler_state_t * cstate,int offset)8413 gen_mac_multicast(compiler_state_t *cstate, int offset)
8414 {
8415 register struct block *b0;
8416 register struct slist *s;
8417
8418 /* link[offset] & 1 != 0 */
8419 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
8420 b0 = new_block(cstate, JMP(BPF_JSET));
8421 b0->s.k = 1;
8422 b0->stmts = s;
8423 return b0;
8424 }
8425
8426 struct block *
gen_multicast(compiler_state_t * cstate,int proto)8427 gen_multicast(compiler_state_t *cstate, int proto)
8428 {
8429 register struct block *b0, *b1, *b2;
8430 register struct slist *s;
8431
8432 /*
8433 * Catch errors reported by us and routines below us, and return NULL
8434 * on an error.
8435 */
8436 if (setjmp(cstate->top_ctx))
8437 return (NULL);
8438
8439 switch (proto) {
8440
8441 case Q_DEFAULT:
8442 case Q_LINK:
8443 switch (cstate->linktype) {
8444 case DLT_ARCNET:
8445 case DLT_ARCNET_LINUX:
8446 // ARCnet multicast is the same as broadcast.
8447 return gen_ahostop(cstate, 0, Q_DST);
8448 case DLT_EN10MB:
8449 case DLT_NETANALYZER:
8450 case DLT_NETANALYZER_TRANSPARENT:
8451 b1 = gen_prevlinkhdr_check(cstate);
8452 /* ether[0] & 1 != 0 */
8453 b0 = gen_mac_multicast(cstate, 0);
8454 if (b1 != NULL)
8455 gen_and(b1, b0);
8456 return b0;
8457 case DLT_FDDI:
8458 /*
8459 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
8460 *
8461 * XXX - was that referring to bit-order issues?
8462 */
8463 /* fddi[1] & 1 != 0 */
8464 return gen_mac_multicast(cstate, 1);
8465 case DLT_IEEE802:
8466 /* tr[2] & 1 != 0 */
8467 return gen_mac_multicast(cstate, 2);
8468 case DLT_IEEE802_11:
8469 case DLT_PRISM_HEADER:
8470 case DLT_IEEE802_11_RADIO_AVS:
8471 case DLT_IEEE802_11_RADIO:
8472 case DLT_PPI:
8473 /*
8474 * Oh, yuk.
8475 *
8476 * For control frames, there is no DA.
8477 *
8478 * For management frames, DA is at an
8479 * offset of 4 from the beginning of
8480 * the packet.
8481 *
8482 * For data frames, DA is at an offset
8483 * of 4 from the beginning of the packet
8484 * if To DS is clear and at an offset of
8485 * 16 from the beginning of the packet
8486 * if To DS is set.
8487 */
8488
8489 /*
8490 * Generate the tests to be done for data frames.
8491 *
8492 * First, check for To DS set, i.e. "link[1] & 0x01".
8493 */
8494 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8495 b1 = new_block(cstate, JMP(BPF_JSET));
8496 b1->s.k = 0x01; /* To DS */
8497 b1->stmts = s;
8498
8499 /*
8500 * If To DS is set, the DA is at 16.
8501 */
8502 b0 = gen_mac_multicast(cstate, 16);
8503 gen_and(b1, b0);
8504
8505 /*
8506 * Now, check for To DS not set, i.e. check
8507 * "!(link[1] & 0x01)".
8508 */
8509 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8510 b2 = new_block(cstate, JMP(BPF_JSET));
8511 b2->s.k = 0x01; /* To DS */
8512 b2->stmts = s;
8513 gen_not(b2);
8514
8515 /*
8516 * If To DS is not set, the DA is at 4.
8517 */
8518 b1 = gen_mac_multicast(cstate, 4);
8519 gen_and(b2, b1);
8520
8521 /*
8522 * Now OR together the last two checks. That gives
8523 * the complete set of checks for data frames.
8524 */
8525 gen_or(b1, b0);
8526
8527 /*
8528 * Now check for a data frame.
8529 * I.e, check "link[0] & 0x08".
8530 */
8531 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8532 b1 = new_block(cstate, JMP(BPF_JSET));
8533 b1->s.k = 0x08;
8534 b1->stmts = s;
8535
8536 /*
8537 * AND that with the checks done for data frames.
8538 */
8539 gen_and(b1, b0);
8540
8541 /*
8542 * If the high-order bit of the type value is 0, this
8543 * is a management frame.
8544 * I.e, check "!(link[0] & 0x08)".
8545 */
8546 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8547 b2 = new_block(cstate, JMP(BPF_JSET));
8548 b2->s.k = 0x08;
8549 b2->stmts = s;
8550 gen_not(b2);
8551
8552 /*
8553 * For management frames, the DA is at 4.
8554 */
8555 b1 = gen_mac_multicast(cstate, 4);
8556 gen_and(b2, b1);
8557
8558 /*
8559 * OR that with the checks done for data frames.
8560 * That gives the checks done for management and
8561 * data frames.
8562 */
8563 gen_or(b1, b0);
8564
8565 /*
8566 * If the low-order bit of the type value is 1,
8567 * this is either a control frame or a frame
8568 * with a reserved type, and thus not a
8569 * frame with an SA.
8570 *
8571 * I.e., check "!(link[0] & 0x04)".
8572 */
8573 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8574 b1 = new_block(cstate, JMP(BPF_JSET));
8575 b1->s.k = 0x04;
8576 b1->stmts = s;
8577 gen_not(b1);
8578
8579 /*
8580 * AND that with the checks for data and management
8581 * frames.
8582 */
8583 gen_and(b1, b0);
8584 return b0;
8585 case DLT_IP_OVER_FC:
8586 b0 = gen_mac_multicast(cstate, 2);
8587 return b0;
8588 default:
8589 break;
8590 }
8591 /* Link not known to support multicasts */
8592 break;
8593
8594 case Q_IP:
8595 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8596
8597 /*
8598 * Compare address with 224.0.0.0/4
8599 */
8600 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_B, 0xe0, 0xf0);
8601
8602 gen_and(b0, b1);
8603 return b1;
8604
8605 case Q_IPV6:
8606 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
8607 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255);
8608 gen_and(b0, b1);
8609 return b1;
8610 }
8611 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
8612 /*NOTREACHED*/
8613 }
8614
8615 struct block *
gen_ifindex(compiler_state_t * cstate,int ifindex)8616 gen_ifindex(compiler_state_t *cstate, int ifindex)
8617 {
8618 register struct block *b0;
8619
8620 /*
8621 * Catch errors reported by us and routines below us, and return NULL
8622 * on an error.
8623 */
8624 if (setjmp(cstate->top_ctx))
8625 return (NULL);
8626
8627 /*
8628 * Only some data link types support ifindex qualifiers.
8629 */
8630 switch (cstate->linktype) {
8631 case DLT_LINUX_SLL2:
8632 /* match packets on this interface */
8633 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex);
8634 break;
8635 default:
8636 #if defined(__linux__)
8637 /*
8638 * This is Linux; we require PF_PACKET support.
8639 * If this is a *live* capture, we can look at
8640 * special meta-data in the filter expression;
8641 * if it's a savefile, we can't.
8642 */
8643 if (cstate->bpf_pcap->rfile != NULL) {
8644 /* We have a FILE *, so this is a savefile */
8645 bpf_error(cstate, "ifindex not supported on %s when reading savefiles",
8646 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8647 /*NOTREACHED*/
8648 }
8649 /* match ifindex */
8650 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W,
8651 ifindex);
8652 #else /* defined(__linux__) */
8653 bpf_error(cstate, "ifindex not supported on %s",
8654 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8655 /*NOTREACHED*/
8656 #endif /* defined(__linux__) */
8657 }
8658 return (b0);
8659 }
8660
8661 /*
8662 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
8663 * Outbound traffic is sent by this machine, while inbound traffic is
8664 * sent by a remote machine (and may include packets destined for a
8665 * unicast or multicast link-layer address we are not subscribing to).
8666 * These are the same definitions implemented by pcap_setdirection().
8667 * Capturing only unicast traffic destined for this host is probably
8668 * better accomplished using a higher-layer filter.
8669 */
8670 struct block *
gen_inbound(compiler_state_t * cstate,int dir)8671 gen_inbound(compiler_state_t *cstate, int dir)
8672 {
8673 register struct block *b0;
8674
8675 /*
8676 * Catch errors reported by us and routines below us, and return NULL
8677 * on an error.
8678 */
8679 if (setjmp(cstate->top_ctx))
8680 return (NULL);
8681
8682 /*
8683 * Only some data link types support inbound/outbound qualifiers.
8684 */
8685 switch (cstate->linktype) {
8686 case DLT_SLIP:
8687 b0 = gen_relation_internal(cstate, BPF_JEQ,
8688 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1),
8689 gen_loadi_internal(cstate, 0),
8690 dir);
8691 break;
8692
8693 case DLT_IPNET:
8694 if (dir) {
8695 /* match outgoing packets */
8696 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
8697 } else {
8698 /* match incoming packets */
8699 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
8700 }
8701 break;
8702
8703 case DLT_LINUX_SLL:
8704 /* match outgoing packets */
8705 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
8706 if (!dir) {
8707 /* to filter on inbound traffic, invert the match */
8708 gen_not(b0);
8709 }
8710 break;
8711
8712 case DLT_LINUX_SLL2:
8713 /* match outgoing packets */
8714 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING);
8715 if (!dir) {
8716 /* to filter on inbound traffic, invert the match */
8717 gen_not(b0);
8718 }
8719 break;
8720
8721 case DLT_PFLOG:
8722 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
8723 ((dir == 0) ? PF_IN : PF_OUT));
8724 break;
8725
8726 case DLT_PPP_PPPD:
8727 if (dir) {
8728 /* match outgoing packets */
8729 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
8730 } else {
8731 /* match incoming packets */
8732 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
8733 }
8734 break;
8735
8736 case DLT_JUNIPER_MFR:
8737 case DLT_JUNIPER_MLFR:
8738 case DLT_JUNIPER_MLPPP:
8739 case DLT_JUNIPER_ATM1:
8740 case DLT_JUNIPER_ATM2:
8741 case DLT_JUNIPER_PPPOE:
8742 case DLT_JUNIPER_PPPOE_ATM:
8743 case DLT_JUNIPER_GGSN:
8744 case DLT_JUNIPER_ES:
8745 case DLT_JUNIPER_MONITOR:
8746 case DLT_JUNIPER_SERVICES:
8747 case DLT_JUNIPER_ETHER:
8748 case DLT_JUNIPER_PPP:
8749 case DLT_JUNIPER_FRELAY:
8750 case DLT_JUNIPER_CHDLC:
8751 case DLT_JUNIPER_VP:
8752 case DLT_JUNIPER_ST:
8753 case DLT_JUNIPER_ISM:
8754 case DLT_JUNIPER_VS:
8755 case DLT_JUNIPER_SRX_E2E:
8756 case DLT_JUNIPER_FIBRECHANNEL:
8757 case DLT_JUNIPER_ATM_CEMIC:
8758
8759 /* juniper flags (including direction) are stored
8760 * the byte after the 3-byte magic number */
8761 if (dir) {
8762 /* match outgoing packets */
8763 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01);
8764 } else {
8765 /* match incoming packets */
8766 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01);
8767 }
8768 break;
8769
8770 default:
8771 /*
8772 * If we have packet meta-data indicating a direction,
8773 * and that metadata can be checked by BPF code, check
8774 * it. Otherwise, give up, as this link-layer type has
8775 * nothing in the packet data.
8776 *
8777 * Currently, the only platform where a BPF filter can
8778 * check that metadata is Linux with the in-kernel
8779 * BPF interpreter. If other packet capture mechanisms
8780 * and BPF filters also supported this, it would be
8781 * nice. It would be even better if they made that
8782 * metadata available so that we could provide it
8783 * with newer capture APIs, allowing it to be saved
8784 * in pcapng files.
8785 */
8786 #if defined(__linux__)
8787 /*
8788 * This is Linux; we require PF_PACKET support.
8789 * If this is a *live* capture, we can look at
8790 * special meta-data in the filter expression;
8791 * if it's a savefile, we can't.
8792 */
8793 if (cstate->bpf_pcap->rfile != NULL) {
8794 /* We have a FILE *, so this is a savefile */
8795 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles",
8796 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8797 /*NOTREACHED*/
8798 }
8799 /* match outgoing packets */
8800 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
8801 PACKET_OUTGOING);
8802 if (!dir) {
8803 /* to filter on inbound traffic, invert the match */
8804 gen_not(b0);
8805 }
8806 #else /* defined(__linux__) */
8807 bpf_error(cstate, "inbound/outbound not supported on %s",
8808 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8809 /*NOTREACHED*/
8810 #endif /* defined(__linux__) */
8811 }
8812 return (b0);
8813 }
8814
8815 /* PF firewall log matched interface */
8816 struct block *
gen_pf_ifname(compiler_state_t * cstate,const char * ifname)8817 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
8818 {
8819 struct block *b0;
8820 u_int len, off;
8821
8822 /*
8823 * Catch errors reported by us and routines below us, and return NULL
8824 * on an error.
8825 */
8826 if (setjmp(cstate->top_ctx))
8827 return (NULL);
8828
8829 if (cstate->linktype != DLT_PFLOG) {
8830 bpf_error(cstate, "ifname supported only on PF linktype");
8831 /*NOTREACHED*/
8832 }
8833 len = sizeof(((struct pfloghdr *)0)->ifname);
8834 off = offsetof(struct pfloghdr, ifname);
8835 if (strlen(ifname) >= len) {
8836 bpf_error(cstate, "ifname interface names can only be %d characters",
8837 len-1);
8838 /*NOTREACHED*/
8839 }
8840 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname),
8841 (const u_char *)ifname);
8842 return (b0);
8843 }
8844
8845 /* PF firewall log ruleset name */
8846 struct block *
gen_pf_ruleset(compiler_state_t * cstate,char * ruleset)8847 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
8848 {
8849 struct block *b0;
8850
8851 /*
8852 * Catch errors reported by us and routines below us, and return NULL
8853 * on an error.
8854 */
8855 if (setjmp(cstate->top_ctx))
8856 return (NULL);
8857
8858 if (cstate->linktype != DLT_PFLOG) {
8859 bpf_error(cstate, "ruleset supported only on PF linktype");
8860 /*NOTREACHED*/
8861 }
8862
8863 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
8864 bpf_error(cstate, "ruleset names can only be %ld characters",
8865 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
8866 /*NOTREACHED*/
8867 }
8868
8869 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
8870 (u_int)strlen(ruleset), (const u_char *)ruleset);
8871 return (b0);
8872 }
8873
8874 /* PF firewall log rule number */
8875 struct block *
gen_pf_rnr(compiler_state_t * cstate,int rnr)8876 gen_pf_rnr(compiler_state_t *cstate, int rnr)
8877 {
8878 struct block *b0;
8879
8880 /*
8881 * Catch errors reported by us and routines below us, and return NULL
8882 * on an error.
8883 */
8884 if (setjmp(cstate->top_ctx))
8885 return (NULL);
8886
8887 if (cstate->linktype != DLT_PFLOG) {
8888 bpf_error(cstate, "rnr supported only on PF linktype");
8889 /*NOTREACHED*/
8890 }
8891
8892 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
8893 (bpf_u_int32)rnr);
8894 return (b0);
8895 }
8896
8897 /* PF firewall log sub-rule number */
8898 struct block *
gen_pf_srnr(compiler_state_t * cstate,int srnr)8899 gen_pf_srnr(compiler_state_t *cstate, int srnr)
8900 {
8901 struct block *b0;
8902
8903 /*
8904 * Catch errors reported by us and routines below us, and return NULL
8905 * on an error.
8906 */
8907 if (setjmp(cstate->top_ctx))
8908 return (NULL);
8909
8910 if (cstate->linktype != DLT_PFLOG) {
8911 bpf_error(cstate, "srnr supported only on PF linktype");
8912 /*NOTREACHED*/
8913 }
8914
8915 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
8916 (bpf_u_int32)srnr);
8917 return (b0);
8918 }
8919
8920 /* PF firewall log reason code */
8921 struct block *
gen_pf_reason(compiler_state_t * cstate,int reason)8922 gen_pf_reason(compiler_state_t *cstate, int reason)
8923 {
8924 struct block *b0;
8925
8926 /*
8927 * Catch errors reported by us and routines below us, and return NULL
8928 * on an error.
8929 */
8930 if (setjmp(cstate->top_ctx))
8931 return (NULL);
8932
8933 if (cstate->linktype != DLT_PFLOG) {
8934 bpf_error(cstate, "reason supported only on PF linktype");
8935 /*NOTREACHED*/
8936 }
8937
8938 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
8939 (bpf_u_int32)reason);
8940 return (b0);
8941 }
8942
8943 /* PF firewall log action */
8944 struct block *
gen_pf_action(compiler_state_t * cstate,int action)8945 gen_pf_action(compiler_state_t *cstate, int action)
8946 {
8947 struct block *b0;
8948
8949 /*
8950 * Catch errors reported by us and routines below us, and return NULL
8951 * on an error.
8952 */
8953 if (setjmp(cstate->top_ctx))
8954 return (NULL);
8955
8956 if (cstate->linktype != DLT_PFLOG) {
8957 bpf_error(cstate, "action supported only on PF linktype");
8958 /*NOTREACHED*/
8959 }
8960
8961 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
8962 (bpf_u_int32)action);
8963 return (b0);
8964 }
8965
8966 /* IEEE 802.11 wireless header */
8967 struct block *
gen_p80211_type(compiler_state_t * cstate,bpf_u_int32 type,bpf_u_int32 mask)8968 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask)
8969 {
8970 struct block *b0;
8971
8972 /*
8973 * Catch errors reported by us and routines below us, and return NULL
8974 * on an error.
8975 */
8976 if (setjmp(cstate->top_ctx))
8977 return (NULL);
8978
8979 switch (cstate->linktype) {
8980
8981 case DLT_IEEE802_11:
8982 case DLT_PRISM_HEADER:
8983 case DLT_IEEE802_11_RADIO_AVS:
8984 case DLT_IEEE802_11_RADIO:
8985 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask);
8986 break;
8987
8988 default:
8989 bpf_error(cstate, "802.11 link-layer types supported only on 802.11");
8990 /*NOTREACHED*/
8991 }
8992
8993 return (b0);
8994 }
8995
8996 struct block *
gen_p80211_fcdir(compiler_state_t * cstate,bpf_u_int32 fcdir)8997 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir)
8998 {
8999 struct block *b0;
9000
9001 /*
9002 * Catch errors reported by us and routines below us, and return NULL
9003 * on an error.
9004 */
9005 if (setjmp(cstate->top_ctx))
9006 return (NULL);
9007
9008 switch (cstate->linktype) {
9009
9010 case DLT_IEEE802_11:
9011 case DLT_PRISM_HEADER:
9012 case DLT_IEEE802_11_RADIO_AVS:
9013 case DLT_IEEE802_11_RADIO:
9014 break;
9015
9016 default:
9017 bpf_error(cstate, "frame direction supported only with 802.11 headers");
9018 /*NOTREACHED*/
9019 }
9020
9021 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir,
9022 IEEE80211_FC1_DIR_MASK);
9023
9024 return (b0);
9025 }
9026
9027 // Process an ARCnet host address string.
9028 struct block *
gen_acode(compiler_state_t * cstate,const char * s,struct qual q)9029 gen_acode(compiler_state_t *cstate, const char *s, struct qual q)
9030 {
9031 /*
9032 * Catch errors reported by us and routines below us, and return NULL
9033 * on an error.
9034 */
9035 if (setjmp(cstate->top_ctx))
9036 return (NULL);
9037
9038 switch (cstate->linktype) {
9039
9040 case DLT_ARCNET:
9041 case DLT_ARCNET_LINUX:
9042 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
9043 q.proto == Q_LINK) {
9044 uint8_t addr;
9045 /*
9046 * The lexer currently defines the address format in a
9047 * way that makes this error condition never true.
9048 * Let's check it anyway in case this part of the lexer
9049 * changes in future.
9050 */
9051 if (! pcapint_atoan(s, &addr))
9052 bpf_error(cstate, "invalid ARCnet address '%s'", s);
9053 return gen_ahostop(cstate, addr, (int)q.dir);
9054 } else
9055 bpf_error(cstate, "ARCnet address used in non-arc expression");
9056 /*NOTREACHED*/
9057
9058 default:
9059 bpf_error(cstate, "aid supported only on ARCnet");
9060 /*NOTREACHED*/
9061 }
9062 }
9063
9064 // Compare an ARCnet host address with the given value.
9065 static struct block *
gen_ahostop(compiler_state_t * cstate,const uint8_t eaddr,int dir)9066 gen_ahostop(compiler_state_t *cstate, const uint8_t eaddr, int dir)
9067 {
9068 register struct block *b0, *b1;
9069
9070 switch (dir) {
9071 /*
9072 * ARCnet is different from Ethernet: the source address comes before
9073 * the destination address, each is one byte long. This holds for all
9074 * three "buffer formats" in RFC 1201 Section 2.1, see also page 4-10
9075 * in the 1983 edition of the "ARCNET Designer's Handbook" published
9076 * by Datapoint (document number 61610-01).
9077 */
9078 case Q_SRC:
9079 return gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, eaddr);
9080
9081 case Q_DST:
9082 return gen_cmp(cstate, OR_LINKHDR, 1, BPF_B, eaddr);
9083
9084 case Q_AND:
9085 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
9086 b1 = gen_ahostop(cstate, eaddr, Q_DST);
9087 gen_and(b0, b1);
9088 return b1;
9089
9090 case Q_DEFAULT:
9091 case Q_OR:
9092 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
9093 b1 = gen_ahostop(cstate, eaddr, Q_DST);
9094 gen_or(b0, b1);
9095 return b1;
9096
9097 case Q_ADDR1:
9098 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
9099 /*NOTREACHED*/
9100
9101 case Q_ADDR2:
9102 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
9103 /*NOTREACHED*/
9104
9105 case Q_ADDR3:
9106 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
9107 /*NOTREACHED*/
9108
9109 case Q_ADDR4:
9110 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
9111 /*NOTREACHED*/
9112
9113 case Q_RA:
9114 bpf_error(cstate, "'ra' is only supported on 802.11");
9115 /*NOTREACHED*/
9116
9117 case Q_TA:
9118 bpf_error(cstate, "'ta' is only supported on 802.11");
9119 /*NOTREACHED*/
9120 }
9121 abort();
9122 /*NOTREACHED*/
9123 }
9124
9125 static struct block *
gen_vlan_tpid_test(compiler_state_t * cstate)9126 gen_vlan_tpid_test(compiler_state_t *cstate)
9127 {
9128 struct block *b0, *b1;
9129
9130 /* check for VLAN, including 802.1ad and QinQ */
9131 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
9132 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
9133 gen_or(b0,b1);
9134 b0 = b1;
9135 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
9136 gen_or(b0,b1);
9137
9138 return b1;
9139 }
9140
9141 static struct block *
gen_vlan_vid_test(compiler_state_t * cstate,bpf_u_int32 vlan_num)9142 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num)
9143 {
9144 if (vlan_num > 0x0fff) {
9145 bpf_error(cstate, "VLAN tag %u greater than maximum %u",
9146 vlan_num, 0x0fff);
9147 }
9148 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff);
9149 }
9150
9151 static struct block *
gen_vlan_no_bpf_extensions(compiler_state_t * cstate,bpf_u_int32 vlan_num,int has_vlan_tag)9152 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
9153 int has_vlan_tag)
9154 {
9155 struct block *b0, *b1;
9156
9157 b0 = gen_vlan_tpid_test(cstate);
9158
9159 if (has_vlan_tag) {
9160 b1 = gen_vlan_vid_test(cstate, vlan_num);
9161 gen_and(b0, b1);
9162 b0 = b1;
9163 }
9164
9165 /*
9166 * Both payload and link header type follow the VLAN tags so that
9167 * both need to be updated.
9168 */
9169 cstate->off_linkpl.constant_part += 4;
9170 cstate->off_linktype.constant_part += 4;
9171
9172 return b0;
9173 }
9174
9175 #if defined(SKF_AD_VLAN_TAG_PRESENT)
9176 /* add v to variable part of off */
9177 static void
gen_vlan_vloffset_add(compiler_state_t * cstate,bpf_abs_offset * off,bpf_u_int32 v,struct slist * s)9178 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off,
9179 bpf_u_int32 v, struct slist *s)
9180 {
9181 struct slist *s2;
9182
9183 if (!off->is_variable)
9184 off->is_variable = 1;
9185 if (off->reg == -1)
9186 off->reg = alloc_reg(cstate);
9187
9188 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
9189 s2->s.k = off->reg;
9190 sappend(s, s2);
9191 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
9192 s2->s.k = v;
9193 sappend(s, s2);
9194 s2 = new_stmt(cstate, BPF_ST);
9195 s2->s.k = off->reg;
9196 sappend(s, s2);
9197 }
9198
9199 /*
9200 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
9201 * and link type offsets first
9202 */
9203 static void
gen_vlan_patch_tpid_test(compiler_state_t * cstate,struct block * b_tpid)9204 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
9205 {
9206 struct slist s;
9207
9208 /* offset determined at run time, shift variable part */
9209 s.next = NULL;
9210 cstate->is_vlan_vloffset = 1;
9211 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
9212 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
9213
9214 /* we get a pointer to a chain of or-ed blocks, patch first of them */
9215 sappend(s.next, b_tpid->head->stmts);
9216 b_tpid->head->stmts = s.next;
9217 }
9218
9219 /*
9220 * patch block b_vid (VLAN id test) to load VID value either from packet
9221 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
9222 */
9223 static void
gen_vlan_patch_vid_test(compiler_state_t * cstate,struct block * b_vid)9224 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
9225 {
9226 struct slist *s, *s2, *sjeq;
9227 unsigned cnt;
9228
9229 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
9230 s->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT);
9231
9232 /* true -> next instructions, false -> beginning of b_vid */
9233 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
9234 sjeq->s.k = 1;
9235 sjeq->s.jf = b_vid->stmts;
9236 sappend(s, sjeq);
9237
9238 s2 = new_stmt(cstate, BPF_LD|BPF_H|BPF_ABS);
9239 s2->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG);
9240 sappend(s, s2);
9241 sjeq->s.jt = s2;
9242
9243 /* Jump to the test in b_vid. We need to jump one instruction before
9244 * the end of the b_vid block so that we only skip loading the TCI
9245 * from packet data and not the 'and' instruction extracting VID.
9246 */
9247 cnt = 0;
9248 for (s2 = b_vid->stmts; s2; s2 = s2->next)
9249 cnt++;
9250 s2 = new_stmt(cstate, JMP(BPF_JA));
9251 s2->s.k = cnt - 1;
9252 sappend(s, s2);
9253
9254 /* insert our statements at the beginning of b_vid */
9255 sappend(s, b_vid->stmts);
9256 b_vid->stmts = s;
9257 }
9258
9259 /*
9260 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
9261 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
9262 * tag can be either in metadata or in packet data; therefore if the
9263 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
9264 * header for VLAN tag. As the decision is done at run time, we need
9265 * update variable part of the offsets
9266 */
9267 static struct block *
gen_vlan_bpf_extensions(compiler_state_t * cstate,bpf_u_int32 vlan_num,int has_vlan_tag)9268 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
9269 int has_vlan_tag)
9270 {
9271 struct block *b0, *b_tpid, *b_vid = NULL;
9272 struct slist *s;
9273
9274 /* generate new filter code based on extracting packet
9275 * metadata */
9276 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
9277 s->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT);
9278
9279 b0 = new_block(cstate, JMP(BPF_JEQ));
9280 b0->stmts = s;
9281 b0->s.k = 1;
9282
9283 /*
9284 * This is tricky. We need to insert the statements updating variable
9285 * parts of offsets before the traditional TPID and VID tests so
9286 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
9287 * we do not want this update to affect those checks. That's why we
9288 * generate both test blocks first and insert the statements updating
9289 * variable parts of both offsets after that. This wouldn't work if
9290 * there already were variable length link header when entering this
9291 * function but gen_vlan_bpf_extensions() isn't called in that case.
9292 */
9293 b_tpid = gen_vlan_tpid_test(cstate);
9294 if (has_vlan_tag)
9295 b_vid = gen_vlan_vid_test(cstate, vlan_num);
9296
9297 gen_vlan_patch_tpid_test(cstate, b_tpid);
9298 gen_or(b0, b_tpid);
9299 b0 = b_tpid;
9300
9301 if (has_vlan_tag) {
9302 gen_vlan_patch_vid_test(cstate, b_vid);
9303 gen_and(b0, b_vid);
9304 b0 = b_vid;
9305 }
9306
9307 return b0;
9308 }
9309 #endif
9310
9311 /*
9312 * support IEEE 802.1Q VLAN trunk over ethernet
9313 */
9314 struct block *
gen_vlan(compiler_state_t * cstate,bpf_u_int32 vlan_num,int has_vlan_tag)9315 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
9316 {
9317 struct block *b0;
9318
9319 /*
9320 * Catch errors reported by us and routines below us, and return NULL
9321 * on an error.
9322 */
9323 if (setjmp(cstate->top_ctx))
9324 return (NULL);
9325
9326 /* can't check for VLAN-encapsulated packets inside MPLS */
9327 if (cstate->label_stack_depth > 0)
9328 bpf_error(cstate, "no VLAN match after MPLS");
9329
9330 /*
9331 * Check for a VLAN packet, and then change the offsets to point
9332 * to the type and data fields within the VLAN packet. Just
9333 * increment the offsets, so that we can support a hierarchy, e.g.
9334 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
9335 * VLAN 100.
9336 *
9337 * XXX - this is a bit of a kludge. If we were to split the
9338 * compiler into a parser that parses an expression and
9339 * generates an expression tree, and a code generator that
9340 * takes an expression tree (which could come from our
9341 * parser or from some other parser) and generates BPF code,
9342 * we could perhaps make the offsets parameters of routines
9343 * and, in the handler for an "AND" node, pass to subnodes
9344 * other than the VLAN node the adjusted offsets.
9345 *
9346 * This would mean that "vlan" would, instead of changing the
9347 * behavior of *all* tests after it, change only the behavior
9348 * of tests ANDed with it. That would change the documented
9349 * semantics of "vlan", which might break some expressions.
9350 * However, it would mean that "(vlan and ip) or ip" would check
9351 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
9352 * checking only for VLAN-encapsulated IP, so that could still
9353 * be considered worth doing; it wouldn't break expressions
9354 * that are of the form "vlan and ..." or "vlan N and ...",
9355 * which I suspect are the most common expressions involving
9356 * "vlan". "vlan or ..." doesn't necessarily do what the user
9357 * would really want, now, as all the "or ..." tests would
9358 * be done assuming a VLAN, even though the "or" could be viewed
9359 * as meaning "or, if this isn't a VLAN packet...".
9360 */
9361 switch (cstate->linktype) {
9362
9363 case DLT_EN10MB:
9364 case DLT_NETANALYZER:
9365 case DLT_NETANALYZER_TRANSPARENT:
9366 #if defined(SKF_AD_VLAN_TAG_PRESENT)
9367 /* Verify that this is the outer part of the packet and
9368 * not encapsulated somehow. */
9369 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
9370 cstate->off_linkhdr.constant_part ==
9371 cstate->off_outermostlinkhdr.constant_part) {
9372 /*
9373 * Do we need special VLAN handling?
9374 */
9375 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
9376 b0 = gen_vlan_bpf_extensions(cstate, vlan_num,
9377 has_vlan_tag);
9378 else
9379 b0 = gen_vlan_no_bpf_extensions(cstate,
9380 vlan_num, has_vlan_tag);
9381 } else
9382 #endif
9383 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num,
9384 has_vlan_tag);
9385 break;
9386
9387 case DLT_IEEE802_11:
9388 case DLT_PRISM_HEADER:
9389 case DLT_IEEE802_11_RADIO_AVS:
9390 case DLT_IEEE802_11_RADIO:
9391 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
9392 break;
9393
9394 default:
9395 bpf_error(cstate, "no VLAN support for %s",
9396 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9397 /*NOTREACHED*/
9398 }
9399
9400 cstate->vlan_stack_depth++;
9401
9402 return (b0);
9403 }
9404
9405 /*
9406 * support for MPLS
9407 *
9408 * The label_num_arg dance is to avoid annoying whining by compilers that
9409 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9410 * It's not *used* after setjmp returns.
9411 */
9412 static struct block *
gen_mpls_internal(compiler_state_t * cstate,bpf_u_int32 label_num,int has_label_num)9413 gen_mpls_internal(compiler_state_t *cstate, bpf_u_int32 label_num,
9414 int has_label_num)
9415 {
9416 struct block *b0, *b1;
9417
9418 if (cstate->label_stack_depth > 0) {
9419 /* just match the bottom-of-stack bit clear */
9420 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
9421 } else {
9422 /*
9423 * We're not in an MPLS stack yet, so check the link-layer
9424 * type against MPLS.
9425 */
9426 switch (cstate->linktype) {
9427
9428 case DLT_C_HDLC: /* fall through */
9429 case DLT_HDLC:
9430 case DLT_EN10MB:
9431 case DLT_NETANALYZER:
9432 case DLT_NETANALYZER_TRANSPARENT:
9433 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
9434 break;
9435
9436 case DLT_PPP:
9437 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
9438 break;
9439
9440 /* FIXME add other DLT_s ...
9441 * for Frame-Relay/and ATM this may get messy due to SNAP headers
9442 * leave it for now */
9443
9444 default:
9445 bpf_error(cstate, "no MPLS support for %s",
9446 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9447 /*NOTREACHED*/
9448 }
9449 }
9450
9451 /* If a specific MPLS label is requested, check it */
9452 if (has_label_num) {
9453 if (label_num > 0xFFFFF) {
9454 bpf_error(cstate, "MPLS label %u greater than maximum %u",
9455 label_num, 0xFFFFF);
9456 }
9457 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
9458 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num,
9459 0xfffff000); /* only compare the first 20 bits */
9460 gen_and(b0, b1);
9461 b0 = b1;
9462 }
9463
9464 /*
9465 * Change the offsets to point to the type and data fields within
9466 * the MPLS packet. Just increment the offsets, so that we
9467 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
9468 * capture packets with an outer label of 100000 and an inner
9469 * label of 1024.
9470 *
9471 * Increment the MPLS stack depth as well; this indicates that
9472 * we're checking MPLS-encapsulated headers, to make sure higher
9473 * level code generators don't try to match against IP-related
9474 * protocols such as Q_ARP, Q_RARP etc.
9475 *
9476 * XXX - this is a bit of a kludge. See comments in gen_vlan().
9477 */
9478 cstate->off_nl_nosnap += 4;
9479 cstate->off_nl += 4;
9480 cstate->label_stack_depth++;
9481 return (b0);
9482 }
9483
9484 struct block *
gen_mpls(compiler_state_t * cstate,bpf_u_int32 label_num,int has_label_num)9485 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num, int has_label_num)
9486 {
9487 /*
9488 * Catch errors reported by us and routines below us, and return NULL
9489 * on an error.
9490 */
9491 if (setjmp(cstate->top_ctx))
9492 return (NULL);
9493
9494 return gen_mpls_internal(cstate, label_num, has_label_num);
9495 }
9496
9497 /*
9498 * Support PPPOE discovery and session.
9499 */
9500 struct block *
gen_pppoed(compiler_state_t * cstate)9501 gen_pppoed(compiler_state_t *cstate)
9502 {
9503 /*
9504 * Catch errors reported by us and routines below us, and return NULL
9505 * on an error.
9506 */
9507 if (setjmp(cstate->top_ctx))
9508 return (NULL);
9509
9510 /* check for PPPoE discovery */
9511 return gen_linktype(cstate, ETHERTYPE_PPPOED);
9512 }
9513
9514 struct block *
gen_pppoes(compiler_state_t * cstate,bpf_u_int32 sess_num,int has_sess_num)9515 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num)
9516 {
9517 struct block *b0, *b1;
9518
9519 /*
9520 * Catch errors reported by us and routines below us, and return NULL
9521 * on an error.
9522 */
9523 if (setjmp(cstate->top_ctx))
9524 return (NULL);
9525
9526 /*
9527 * Test against the PPPoE session link-layer type.
9528 */
9529 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES);
9530
9531 /* If a specific session is requested, check PPPoE session id */
9532 if (has_sess_num) {
9533 if (sess_num > 0x0000ffff) {
9534 bpf_error(cstate, "PPPoE session number %u greater than maximum %u",
9535 sess_num, 0x0000ffff);
9536 }
9537 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, sess_num, 0x0000ffff);
9538 gen_and(b0, b1);
9539 b0 = b1;
9540 }
9541
9542 /*
9543 * Change the offsets to point to the type and data fields within
9544 * the PPP packet, and note that this is PPPoE rather than
9545 * raw PPP.
9546 *
9547 * XXX - this is a bit of a kludge. See the comments in
9548 * gen_vlan().
9549 *
9550 * The "network-layer" protocol is PPPoE, which has a 6-byte
9551 * PPPoE header, followed by a PPP packet.
9552 *
9553 * There is no HDLC encapsulation for the PPP packet (it's
9554 * encapsulated in PPPoES instead), so the link-layer type
9555 * starts at the first byte of the PPP packet. For PPPoE,
9556 * that offset is relative to the beginning of the total
9557 * link-layer payload, including any 802.2 LLC header, so
9558 * it's 6 bytes past cstate->off_nl.
9559 */
9560 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
9561 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
9562 cstate->off_linkpl.reg);
9563
9564 cstate->off_linktype = cstate->off_linkhdr;
9565 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
9566
9567 cstate->off_nl = 0;
9568 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
9569
9570 return b0;
9571 }
9572
9573 /* Check that this is Geneve and the VNI is correct if
9574 * specified. Parameterized to handle both IPv4 and IPv6. */
9575 static struct block *
gen_geneve_check(compiler_state_t * cstate,struct block * (* gen_portfn)(compiler_state_t *,u_int,int,int),enum e_offrel offrel,bpf_u_int32 vni,int has_vni)9576 gen_geneve_check(compiler_state_t *cstate,
9577 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int),
9578 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9579 {
9580 struct block *b0, *b1;
9581
9582 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
9583
9584 /* Check that we are operating on version 0. Otherwise, we
9585 * can't decode the rest of the fields. The version is 2 bits
9586 * in the first byte of the Geneve header. */
9587 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0);
9588 gen_and(b0, b1);
9589 b0 = b1;
9590
9591 if (has_vni) {
9592 if (vni > 0xffffff) {
9593 bpf_error(cstate, "Geneve VNI %u greater than maximum %u",
9594 vni, 0xffffff);
9595 }
9596 vni <<= 8; /* VNI is in the upper 3 bytes */
9597 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9598 gen_and(b0, b1);
9599 b0 = b1;
9600 }
9601
9602 return b0;
9603 }
9604
9605 /* The IPv4 and IPv6 Geneve checks need to do two things:
9606 * - Verify that this actually is Geneve with the right VNI.
9607 * - Place the IP header length (plus variable link prefix if
9608 * needed) into register A to be used later to compute
9609 * the inner packet offsets. */
9610 static struct block *
gen_geneve4(compiler_state_t * cstate,bpf_u_int32 vni,int has_vni)9611 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9612 {
9613 struct block *b0, *b1;
9614 struct slist *s, *s1;
9615
9616 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9617
9618 /* Load the IP header length into A. */
9619 s = gen_loadx_iphdrlen(cstate);
9620
9621 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9622 sappend(s, s1);
9623
9624 /* Forcibly append these statements to the true condition
9625 * of the protocol check by creating a new block that is
9626 * always true and ANDing them. */
9627 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9628 b1->stmts = s;
9629 b1->s.k = 0;
9630
9631 gen_and(b0, b1);
9632
9633 return b1;
9634 }
9635
9636 static struct block *
gen_geneve6(compiler_state_t * cstate,bpf_u_int32 vni,int has_vni)9637 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9638 {
9639 struct block *b0, *b1;
9640 struct slist *s, *s1;
9641
9642 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9643
9644 /* Load the IP header length. We need to account for a
9645 * variable length link prefix if there is one. */
9646 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9647 if (s) {
9648 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9649 s1->s.k = 40;
9650 sappend(s, s1);
9651
9652 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9653 s1->s.k = 0;
9654 sappend(s, s1);
9655 } else {
9656 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9657 s->s.k = 40;
9658 }
9659
9660 /* Forcibly append these statements to the true condition
9661 * of the protocol check by creating a new block that is
9662 * always true and ANDing them. */
9663 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9664 sappend(s, s1);
9665
9666 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9667 b1->stmts = s;
9668 b1->s.k = 0;
9669
9670 gen_and(b0, b1);
9671
9672 return b1;
9673 }
9674
9675 /* We need to store three values based on the Geneve header::
9676 * - The offset of the linktype.
9677 * - The offset of the end of the Geneve header.
9678 * - The offset of the end of the encapsulated MAC header. */
9679 static struct slist *
gen_geneve_offsets(compiler_state_t * cstate)9680 gen_geneve_offsets(compiler_state_t *cstate)
9681 {
9682 struct slist *s, *s1, *s_proto;
9683
9684 /* First we need to calculate the offset of the Geneve header
9685 * itself. This is composed of the IP header previously calculated
9686 * (include any variable link prefix) and stored in A plus the
9687 * fixed sized headers (fixed link prefix, MAC length, and UDP
9688 * header). */
9689 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9690 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9691
9692 /* Stash this in X since we'll need it later. */
9693 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9694 sappend(s, s1);
9695
9696 /* The EtherType in Geneve is 2 bytes in. Calculate this and
9697 * store it. */
9698 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9699 s1->s.k = 2;
9700 sappend(s, s1);
9701
9702 cstate->off_linktype.reg = alloc_reg(cstate);
9703 cstate->off_linktype.is_variable = 1;
9704 cstate->off_linktype.constant_part = 0;
9705
9706 s1 = new_stmt(cstate, BPF_ST);
9707 s1->s.k = cstate->off_linktype.reg;
9708 sappend(s, s1);
9709
9710 /* Load the Geneve option length and mask and shift to get the
9711 * number of bytes. It is stored in the first byte of the Geneve
9712 * header. */
9713 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
9714 s1->s.k = 0;
9715 sappend(s, s1);
9716
9717 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
9718 s1->s.k = 0x3f;
9719 sappend(s, s1);
9720
9721 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
9722 s1->s.k = 4;
9723 sappend(s, s1);
9724
9725 /* Add in the rest of the Geneve base header. */
9726 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9727 s1->s.k = 8;
9728 sappend(s, s1);
9729
9730 /* Add the Geneve header length to its offset and store. */
9731 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9732 s1->s.k = 0;
9733 sappend(s, s1);
9734
9735 /* Set the encapsulated type as Ethernet. Even though we may
9736 * not actually have Ethernet inside there are two reasons this
9737 * is useful:
9738 * - The linktype field is always in EtherType format regardless
9739 * of whether it is in Geneve or an inner Ethernet frame.
9740 * - The only link layer that we have specific support for is
9741 * Ethernet. We will confirm that the packet actually is
9742 * Ethernet at runtime before executing these checks. */
9743 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9744
9745 s1 = new_stmt(cstate, BPF_ST);
9746 s1->s.k = cstate->off_linkhdr.reg;
9747 sappend(s, s1);
9748
9749 /* Calculate whether we have an Ethernet header or just raw IP/
9750 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
9751 * and linktype by 14 bytes so that the network header can be found
9752 * seamlessly. Otherwise, keep what we've calculated already. */
9753
9754 /* We have a bare jmp so we can't use the optimizer. */
9755 cstate->no_optimize = 1;
9756
9757 /* Load the EtherType in the Geneve header, 2 bytes in. */
9758 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
9759 s1->s.k = 2;
9760 sappend(s, s1);
9761
9762 /* Load X with the end of the Geneve header. */
9763 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9764 s1->s.k = cstate->off_linkhdr.reg;
9765 sappend(s, s1);
9766
9767 /* Check if the EtherType is Transparent Ethernet Bridging. At the
9768 * end of this check, we should have the total length in X. In
9769 * the non-Ethernet case, it's already there. */
9770 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
9771 s_proto->s.k = ETHERTYPE_TEB;
9772 sappend(s, s_proto);
9773
9774 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9775 sappend(s, s1);
9776 s_proto->s.jt = s1;
9777
9778 /* Since this is Ethernet, use the EtherType of the payload
9779 * directly as the linktype. Overwrite what we already have. */
9780 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9781 s1->s.k = 12;
9782 sappend(s, s1);
9783
9784 s1 = new_stmt(cstate, BPF_ST);
9785 s1->s.k = cstate->off_linktype.reg;
9786 sappend(s, s1);
9787
9788 /* Advance two bytes further to get the end of the Ethernet
9789 * header. */
9790 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9791 s1->s.k = 2;
9792 sappend(s, s1);
9793
9794 /* Move the result to X. */
9795 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9796 sappend(s, s1);
9797
9798 /* Store the final result of our linkpl calculation. */
9799 cstate->off_linkpl.reg = alloc_reg(cstate);
9800 cstate->off_linkpl.is_variable = 1;
9801 cstate->off_linkpl.constant_part = 0;
9802
9803 s1 = new_stmt(cstate, BPF_STX);
9804 s1->s.k = cstate->off_linkpl.reg;
9805 sappend(s, s1);
9806 s_proto->s.jf = s1;
9807
9808 cstate->off_nl = 0;
9809
9810 return s;
9811 }
9812
9813 /* Check to see if this is a Geneve packet. */
9814 struct block *
gen_geneve(compiler_state_t * cstate,bpf_u_int32 vni,int has_vni)9815 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9816 {
9817 struct block *b0, *b1;
9818 struct slist *s;
9819
9820 /*
9821 * Catch errors reported by us and routines below us, and return NULL
9822 * on an error.
9823 */
9824 if (setjmp(cstate->top_ctx))
9825 return (NULL);
9826
9827 b0 = gen_geneve4(cstate, vni, has_vni);
9828 b1 = gen_geneve6(cstate, vni, has_vni);
9829
9830 gen_or(b0, b1);
9831 b0 = b1;
9832
9833 /* Later filters should act on the payload of the Geneve frame,
9834 * update all of the header pointers. Attach this code so that
9835 * it gets executed in the event that the Geneve filter matches. */
9836 s = gen_geneve_offsets(cstate);
9837
9838 b1 = gen_true(cstate);
9839 sappend(s, b1->stmts);
9840 b1->stmts = s;
9841
9842 gen_and(b0, b1);
9843
9844 cstate->is_geneve = 1;
9845
9846 return b1;
9847 }
9848
9849 /* Check that the encapsulated frame has a link layer header
9850 * for Ethernet filters. */
9851 static struct block *
gen_geneve_ll_check(compiler_state_t * cstate)9852 gen_geneve_ll_check(compiler_state_t *cstate)
9853 {
9854 struct block *b0;
9855 struct slist *s, *s1;
9856
9857 /* The easiest way to see if there is a link layer present
9858 * is to check if the link layer header and payload are not
9859 * the same. */
9860
9861 /* Geneve always generates pure variable offsets so we can
9862 * compare only the registers. */
9863 s = new_stmt(cstate, BPF_LD|BPF_MEM);
9864 s->s.k = cstate->off_linkhdr.reg;
9865
9866 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9867 s1->s.k = cstate->off_linkpl.reg;
9868 sappend(s, s1);
9869
9870 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9871 b0->stmts = s;
9872 b0->s.k = 0;
9873 gen_not(b0);
9874
9875 return b0;
9876 }
9877
9878 static struct block *
gen_atmfield_code_internal(compiler_state_t * cstate,int atmfield,bpf_u_int32 jvalue,int jtype,int reverse)9879 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield,
9880 bpf_u_int32 jvalue, int jtype, int reverse)
9881 {
9882 struct block *b0;
9883
9884 switch (atmfield) {
9885
9886 case A_VPI:
9887 if (!cstate->is_atm)
9888 bpf_error(cstate, "'vpi' supported only on raw ATM");
9889 if (cstate->off_vpi == OFFSET_NOT_SET)
9890 abort();
9891 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B,
9892 0xffffffffU, jtype, reverse, jvalue);
9893 break;
9894
9895 case A_VCI:
9896 if (!cstate->is_atm)
9897 bpf_error(cstate, "'vci' supported only on raw ATM");
9898 if (cstate->off_vci == OFFSET_NOT_SET)
9899 abort();
9900 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H,
9901 0xffffffffU, jtype, reverse, jvalue);
9902 break;
9903
9904 case A_PROTOTYPE:
9905 if (cstate->off_proto == OFFSET_NOT_SET)
9906 abort(); /* XXX - this isn't on FreeBSD */
9907 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9908 0x0fU, jtype, reverse, jvalue);
9909 break;
9910
9911 case A_MSGTYPE:
9912 if (cstate->off_payload == OFFSET_NOT_SET)
9913 abort();
9914 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
9915 0xffffffffU, jtype, reverse, jvalue);
9916 break;
9917
9918 case A_CALLREFTYPE:
9919 if (!cstate->is_atm)
9920 bpf_error(cstate, "'callref' supported only on raw ATM");
9921 if (cstate->off_proto == OFFSET_NOT_SET)
9922 abort();
9923 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9924 0xffffffffU, jtype, reverse, jvalue);
9925 break;
9926
9927 default:
9928 abort();
9929 }
9930 return b0;
9931 }
9932
9933 static struct block *
gen_atmtype_metac(compiler_state_t * cstate)9934 gen_atmtype_metac(compiler_state_t *cstate)
9935 {
9936 struct block *b0, *b1;
9937
9938 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9939 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0);
9940 gen_and(b0, b1);
9941 return b1;
9942 }
9943
9944 static struct block *
gen_atmtype_sc(compiler_state_t * cstate)9945 gen_atmtype_sc(compiler_state_t *cstate)
9946 {
9947 struct block *b0, *b1;
9948
9949 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9950 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0);
9951 gen_and(b0, b1);
9952 return b1;
9953 }
9954
9955 static struct block *
gen_atmtype_llc(compiler_state_t * cstate)9956 gen_atmtype_llc(compiler_state_t *cstate)
9957 {
9958 struct block *b0;
9959
9960 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
9961 cstate->linktype = cstate->prevlinktype;
9962 return b0;
9963 }
9964
9965 struct block *
gen_atmfield_code(compiler_state_t * cstate,int atmfield,bpf_u_int32 jvalue,int jtype,int reverse)9966 gen_atmfield_code(compiler_state_t *cstate, int atmfield,
9967 bpf_u_int32 jvalue, int jtype, int reverse)
9968 {
9969 /*
9970 * Catch errors reported by us and routines below us, and return NULL
9971 * on an error.
9972 */
9973 if (setjmp(cstate->top_ctx))
9974 return (NULL);
9975
9976 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype,
9977 reverse);
9978 }
9979
9980 struct block *
gen_atmtype_abbrev(compiler_state_t * cstate,int type)9981 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
9982 {
9983 struct block *b0, *b1;
9984
9985 /*
9986 * Catch errors reported by us and routines below us, and return NULL
9987 * on an error.
9988 */
9989 if (setjmp(cstate->top_ctx))
9990 return (NULL);
9991
9992 switch (type) {
9993
9994 case A_METAC:
9995 /* Get all packets in Meta signalling Circuit */
9996 if (!cstate->is_atm)
9997 bpf_error(cstate, "'metac' supported only on raw ATM");
9998 b1 = gen_atmtype_metac(cstate);
9999 break;
10000
10001 case A_BCC:
10002 /* Get all packets in Broadcast Circuit*/
10003 if (!cstate->is_atm)
10004 bpf_error(cstate, "'bcc' supported only on raw ATM");
10005 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10006 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0);
10007 gen_and(b0, b1);
10008 break;
10009
10010 case A_OAMF4SC:
10011 /* Get all cells in Segment OAM F4 circuit*/
10012 if (!cstate->is_atm)
10013 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
10014 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10015 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10016 gen_and(b0, b1);
10017 break;
10018
10019 case A_OAMF4EC:
10020 /* Get all cells in End-to-End OAM F4 Circuit*/
10021 if (!cstate->is_atm)
10022 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
10023 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10024 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10025 gen_and(b0, b1);
10026 break;
10027
10028 case A_SC:
10029 /* Get all packets in connection Signalling Circuit */
10030 if (!cstate->is_atm)
10031 bpf_error(cstate, "'sc' supported only on raw ATM");
10032 b1 = gen_atmtype_sc(cstate);
10033 break;
10034
10035 case A_ILMIC:
10036 /* Get all packets in ILMI Circuit */
10037 if (!cstate->is_atm)
10038 bpf_error(cstate, "'ilmic' supported only on raw ATM");
10039 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10040 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0);
10041 gen_and(b0, b1);
10042 break;
10043
10044 case A_LANE:
10045 /* Get all LANE packets */
10046 if (!cstate->is_atm)
10047 bpf_error(cstate, "'lane' supported only on raw ATM");
10048 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
10049
10050 /*
10051 * Arrange that all subsequent tests assume LANE
10052 * rather than LLC-encapsulated packets, and set
10053 * the offsets appropriately for LANE-encapsulated
10054 * Ethernet.
10055 *
10056 * We assume LANE means Ethernet, not Token Ring.
10057 */
10058 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
10059 cstate->off_payload + 2, /* Ethernet header */
10060 -1);
10061 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
10062 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
10063 cstate->off_nl = 0; /* Ethernet II */
10064 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
10065 break;
10066
10067 case A_LLC:
10068 /* Get all LLC-encapsulated packets */
10069 if (!cstate->is_atm)
10070 bpf_error(cstate, "'llc' supported only on raw ATM");
10071 b1 = gen_atmtype_llc(cstate);
10072 break;
10073
10074 default:
10075 abort();
10076 }
10077 return b1;
10078 }
10079
10080 /*
10081 * Filtering for MTP2 messages based on li value
10082 * FISU, length is null
10083 * LSSU, length is 1 or 2
10084 * MSU, length is 3 or more
10085 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
10086 */
10087 struct block *
gen_mtp2type_abbrev(compiler_state_t * cstate,int type)10088 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
10089 {
10090 struct block *b0, *b1;
10091
10092 /*
10093 * Catch errors reported by us and routines below us, and return NULL
10094 * on an error.
10095 */
10096 if (setjmp(cstate->top_ctx))
10097 return (NULL);
10098
10099 switch (type) {
10100
10101 case M_FISU:
10102 if ( (cstate->linktype != DLT_MTP2) &&
10103 (cstate->linktype != DLT_ERF) &&
10104 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10105 bpf_error(cstate, "'fisu' supported only on MTP2");
10106 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
10107 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10108 0x3fU, BPF_JEQ, 0, 0U);
10109 break;
10110
10111 case M_LSSU:
10112 if ( (cstate->linktype != DLT_MTP2) &&
10113 (cstate->linktype != DLT_ERF) &&
10114 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10115 bpf_error(cstate, "'lssu' supported only on MTP2");
10116 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10117 0x3fU, BPF_JGT, 1, 2U);
10118 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10119 0x3fU, BPF_JGT, 0, 0U);
10120 gen_and(b1, b0);
10121 break;
10122
10123 case M_MSU:
10124 if ( (cstate->linktype != DLT_MTP2) &&
10125 (cstate->linktype != DLT_ERF) &&
10126 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10127 bpf_error(cstate, "'msu' supported only on MTP2");
10128 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10129 0x3fU, BPF_JGT, 0, 2U);
10130 break;
10131
10132 case MH_FISU:
10133 if ( (cstate->linktype != DLT_MTP2) &&
10134 (cstate->linktype != DLT_ERF) &&
10135 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10136 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
10137 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
10138 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10139 0xff80U, BPF_JEQ, 0, 0U);
10140 break;
10141
10142 case MH_LSSU:
10143 if ( (cstate->linktype != DLT_MTP2) &&
10144 (cstate->linktype != DLT_ERF) &&
10145 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10146 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
10147 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10148 0xff80U, BPF_JGT, 1, 0x0100U);
10149 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10150 0xff80U, BPF_JGT, 0, 0U);
10151 gen_and(b1, b0);
10152 break;
10153
10154 case MH_MSU:
10155 if ( (cstate->linktype != DLT_MTP2) &&
10156 (cstate->linktype != DLT_ERF) &&
10157 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
10158 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
10159 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10160 0xff80U, BPF_JGT, 0, 0x0100U);
10161 break;
10162
10163 default:
10164 abort();
10165 }
10166 return b0;
10167 }
10168
10169 static struct block *
gen_mtp3field_code_internal(compiler_state_t * cstate,int mtp3field,bpf_u_int32 jvalue,int jtype,int reverse)10170 gen_mtp3field_code_internal(compiler_state_t *cstate, int mtp3field,
10171 bpf_u_int32 jvalue, int jtype, int reverse)
10172 {
10173 struct block *b0;
10174 bpf_u_int32 val1 , val2 , val3;
10175 u_int newoff_sio;
10176 u_int newoff_opc;
10177 u_int newoff_dpc;
10178 u_int newoff_sls;
10179
10180 newoff_sio = cstate->off_sio;
10181 newoff_opc = cstate->off_opc;
10182 newoff_dpc = cstate->off_dpc;
10183 newoff_sls = cstate->off_sls;
10184 switch (mtp3field) {
10185
10186 case MH_SIO:
10187 newoff_sio += 3; /* offset for MTP2_HSL */
10188 /* FALLTHROUGH */
10189
10190 case M_SIO:
10191 if (cstate->off_sio == OFFSET_NOT_SET)
10192 bpf_error(cstate, "'sio' supported only on SS7");
10193 /* sio coded on 1 byte so max value 255 */
10194 if(jvalue > 255)
10195 bpf_error(cstate, "sio value %u too big; max value = 255",
10196 jvalue);
10197 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffffU,
10198 jtype, reverse, jvalue);
10199 break;
10200
10201 case MH_OPC:
10202 newoff_opc += 3;
10203
10204 /* FALLTHROUGH */
10205 case M_OPC:
10206 if (cstate->off_opc == OFFSET_NOT_SET)
10207 bpf_error(cstate, "'opc' supported only on SS7");
10208 /* opc coded on 14 bits so max value 16383 */
10209 if (jvalue > 16383)
10210 bpf_error(cstate, "opc value %u too big; max value = 16383",
10211 jvalue);
10212 /* the following instructions are made to convert jvalue
10213 * to the form used to write opc in an ss7 message*/
10214 val1 = jvalue & 0x00003c00;
10215 val1 = val1 >>10;
10216 val2 = jvalue & 0x000003fc;
10217 val2 = val2 <<6;
10218 val3 = jvalue & 0x00000003;
10219 val3 = val3 <<22;
10220 jvalue = val1 + val2 + val3;
10221 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0fU,
10222 jtype, reverse, jvalue);
10223 break;
10224
10225 case MH_DPC:
10226 newoff_dpc += 3;
10227 /* FALLTHROUGH */
10228
10229 case M_DPC:
10230 if (cstate->off_dpc == OFFSET_NOT_SET)
10231 bpf_error(cstate, "'dpc' supported only on SS7");
10232 /* dpc coded on 14 bits so max value 16383 */
10233 if (jvalue > 16383)
10234 bpf_error(cstate, "dpc value %u too big; max value = 16383",
10235 jvalue);
10236 /* the following instructions are made to convert jvalue
10237 * to the forme used to write dpc in an ss7 message*/
10238 val1 = jvalue & 0x000000ff;
10239 val1 = val1 << 24;
10240 val2 = jvalue & 0x00003f00;
10241 val2 = val2 << 8;
10242 jvalue = val1 + val2;
10243 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000U,
10244 jtype, reverse, jvalue);
10245 break;
10246
10247 case MH_SLS:
10248 newoff_sls += 3;
10249 /* FALLTHROUGH */
10250
10251 case M_SLS:
10252 if (cstate->off_sls == OFFSET_NOT_SET)
10253 bpf_error(cstate, "'sls' supported only on SS7");
10254 /* sls coded on 4 bits so max value 15 */
10255 if (jvalue > 15)
10256 bpf_error(cstate, "sls value %u too big; max value = 15",
10257 jvalue);
10258 /* the following instruction is made to convert jvalue
10259 * to the forme used to write sls in an ss7 message*/
10260 jvalue = jvalue << 4;
10261 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0U,
10262 jtype, reverse, jvalue);
10263 break;
10264
10265 default:
10266 abort();
10267 }
10268 return b0;
10269 }
10270
10271 struct block *
gen_mtp3field_code(compiler_state_t * cstate,int mtp3field,bpf_u_int32 jvalue,int jtype,int reverse)10272 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field,
10273 bpf_u_int32 jvalue, int jtype, int reverse)
10274 {
10275 /*
10276 * Catch errors reported by us and routines below us, and return NULL
10277 * on an error.
10278 */
10279 if (setjmp(cstate->top_ctx))
10280 return (NULL);
10281
10282 return gen_mtp3field_code_internal(cstate, mtp3field, jvalue, jtype,
10283 reverse);
10284 }
10285
10286 static struct block *
gen_msg_abbrev(compiler_state_t * cstate,int type)10287 gen_msg_abbrev(compiler_state_t *cstate, int type)
10288 {
10289 struct block *b1;
10290
10291 /*
10292 * Q.2931 signalling protocol messages for handling virtual circuits
10293 * establishment and teardown
10294 */
10295 switch (type) {
10296
10297 case A_SETUP:
10298 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
10299 break;
10300
10301 case A_CALLPROCEED:
10302 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
10303 break;
10304
10305 case A_CONNECT:
10306 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
10307 break;
10308
10309 case A_CONNECTACK:
10310 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
10311 break;
10312
10313 case A_RELEASE:
10314 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
10315 break;
10316
10317 case A_RELEASE_DONE:
10318 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
10319 break;
10320
10321 default:
10322 abort();
10323 }
10324 return b1;
10325 }
10326
10327 struct block *
gen_atmmulti_abbrev(compiler_state_t * cstate,int type)10328 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
10329 {
10330 struct block *b0, *b1;
10331
10332 /*
10333 * Catch errors reported by us and routines below us, and return NULL
10334 * on an error.
10335 */
10336 if (setjmp(cstate->top_ctx))
10337 return (NULL);
10338
10339 switch (type) {
10340
10341 case A_OAM:
10342 if (!cstate->is_atm)
10343 bpf_error(cstate, "'oam' supported only on raw ATM");
10344 /* OAM F4 type */
10345 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10346 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10347 gen_or(b0, b1);
10348 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10349 gen_and(b0, b1);
10350 break;
10351
10352 case A_OAMF4:
10353 if (!cstate->is_atm)
10354 bpf_error(cstate, "'oamf4' supported only on raw ATM");
10355 /* OAM F4 type */
10356 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10357 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10358 gen_or(b0, b1);
10359 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10360 gen_and(b0, b1);
10361 break;
10362
10363 case A_CONNECTMSG:
10364 /*
10365 * Get Q.2931 signalling messages for switched
10366 * virtual connection
10367 */
10368 if (!cstate->is_atm)
10369 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
10370 b0 = gen_msg_abbrev(cstate, A_SETUP);
10371 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10372 gen_or(b0, b1);
10373 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10374 gen_or(b0, b1);
10375 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
10376 gen_or(b0, b1);
10377 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10378 gen_or(b0, b1);
10379 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10380 gen_or(b0, b1);
10381 b0 = gen_atmtype_sc(cstate);
10382 gen_and(b0, b1);
10383 break;
10384
10385 case A_METACONNECT:
10386 if (!cstate->is_atm)
10387 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
10388 b0 = gen_msg_abbrev(cstate, A_SETUP);
10389 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10390 gen_or(b0, b1);
10391 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10392 gen_or(b0, b1);
10393 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10394 gen_or(b0, b1);
10395 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10396 gen_or(b0, b1);
10397 b0 = gen_atmtype_metac(cstate);
10398 gen_and(b0, b1);
10399 break;
10400
10401 default:
10402 abort();
10403 }
10404 return b1;
10405 }
10406