/libpcap/gencode.c

https://github.com/prakashgamit/nmap · C · 8501 lines · 5198 code · 1062 blank · 2241 comment · 529 complexity · 44fe5c8211cd324861364c01828d4ed0 MD5 · raw file

Large files are truncated click here to view the full file

  1. /*#define CHASE_CHAIN*/
  2. /*
  3. * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
  4. * The Regents of the University of California. All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without
  7. * modification, are permitted provided that: (1) source code distributions
  8. * retain the above copyright notice and this paragraph in its entirety, (2)
  9. * distributions including binary code include the above copyright notice and
  10. * this paragraph in its entirety in the documentation or other materials
  11. * provided with the distribution, and (3) all advertising materials mentioning
  12. * features or use of this software display the following acknowledgement:
  13. * ``This product includes software developed by the University of California,
  14. * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
  15. * the University nor the names of its contributors may be used to endorse
  16. * or promote products derived from this software without specific prior
  17. * written permission.
  18. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
  19. * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  20. * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  21. */
  22. #ifndef lint
  23. static const char rcsid[] _U_ =
  24. "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
  25. #endif
  26. #ifdef HAVE_CONFIG_H
  27. #include "config.h"
  28. #endif
  29. #ifdef WIN32
  30. #include <pcap-stdinc.h>
  31. #else /* WIN32 */
  32. #if HAVE_INTTYPES_H
  33. #include <inttypes.h>
  34. #elif HAVE_STDINT_H
  35. #include <stdint.h>
  36. #endif
  37. #ifdef HAVE_SYS_BITYPES_H
  38. #include <sys/bitypes.h>
  39. #endif
  40. #include <sys/types.h>
  41. #include <sys/socket.h>
  42. #endif /* WIN32 */
  43. /*
  44. * XXX - why was this included even on UNIX?
  45. */
  46. #ifdef __MINGW32__
  47. #include "ip6_misc.h"
  48. #endif
  49. #ifndef WIN32
  50. #ifdef __NetBSD__
  51. #include <sys/param.h>
  52. #endif
  53. #include <netinet/in.h>
  54. #include <arpa/inet.h>
  55. #endif /* WIN32 */
  56. #include <stdlib.h>
  57. #include <string.h>
  58. #include <memory.h>
  59. #include <setjmp.h>
  60. #include <stdarg.h>
  61. #ifdef MSDOS
  62. #include "pcap-dos.h"
  63. #endif
  64. #include "pcap-int.h"
  65. #include "ethertype.h"
  66. #include "nlpid.h"
  67. #include "llc.h"
  68. #include "gencode.h"
  69. #include "ieee80211.h"
  70. #include "atmuni31.h"
  71. #include "sunatmpos.h"
  72. #include "ppp.h"
  73. #include "pcap/sll.h"
  74. #include "pcap/ipnet.h"
  75. #include "arcnet.h"
  76. #ifdef HAVE_NET_PFVAR_H
  77. #include <sys/socket.h>
  78. #include <net/if.h>
  79. #include <net/pfvar.h>
  80. #include <net/if_pflog.h>
  81. #endif
  82. #ifndef offsetof
  83. #define offsetof(s, e) ((size_t)&((s *)0)->e)
  84. #endif
  85. #ifdef INET6
  86. #ifndef WIN32
  87. #include <netdb.h> /* for "struct addrinfo" */
  88. #endif /* WIN32 */
  89. #endif /*INET6*/
  90. #include <pcap/namedb.h>
  91. #define ETHERMTU 1500
  92. #ifndef IPPROTO_SCTP
  93. #define IPPROTO_SCTP 132
  94. #endif
  95. #ifdef HAVE_OS_PROTO_H
  96. #include "os-proto.h"
  97. #endif
  98. #define JMP(c) ((c)|BPF_JMP|BPF_K)
  99. /* Locals */
  100. static jmp_buf top_ctx;
  101. static pcap_t *bpf_pcap;
  102. /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
  103. #ifdef WIN32
  104. static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
  105. #else
  106. static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
  107. #endif
  108. /* XXX */
  109. #ifdef PCAP_FDDIPAD
  110. static int pcap_fddipad;
  111. #endif
  112. /* VARARGS */
  113. void
  114. bpf_error(const char *fmt, ...)
  115. {
  116. va_list ap;
  117. va_start(ap, fmt);
  118. if (bpf_pcap != NULL)
  119. (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
  120. fmt, ap);
  121. va_end(ap);
  122. longjmp(top_ctx, 1);
  123. /* NOTREACHED */
  124. }
  125. static void init_linktype(pcap_t *);
  126. static void init_regs(void);
  127. static int alloc_reg(void);
  128. static void free_reg(int);
  129. static struct block *root;
  130. /*
  131. * Value passed to gen_load_a() to indicate what the offset argument
  132. * is relative to.
  133. */
  134. enum e_offrel {
  135. OR_PACKET, /* relative to the beginning of the packet */
  136. OR_LINK, /* relative to the beginning of the link-layer header */
  137. OR_MACPL, /* relative to the end of the MAC-layer header */
  138. OR_NET, /* relative to the network-layer header */
  139. OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
  140. OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
  141. OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
  142. };
  143. #ifdef INET6
  144. /*
  145. * As errors are handled by a longjmp, anything allocated must be freed
  146. * in the longjmp handler, so it must be reachable from that handler.
  147. * One thing that's allocated is the result of pcap_nametoaddrinfo();
  148. * it must be freed with freeaddrinfo(). This variable points to any
  149. * addrinfo structure that would need to be freed.
  150. */
  151. static struct addrinfo *ai;
  152. #endif
  153. /*
  154. * We divy out chunks of memory rather than call malloc each time so
  155. * we don't have to worry about leaking memory. It's probably
  156. * not a big deal if all this memory was wasted but if this ever
  157. * goes into a library that would probably not be a good idea.
  158. *
  159. * XXX - this *is* in a library....
  160. */
  161. #define NCHUNKS 16
  162. #define CHUNK0SIZE 1024
  163. struct chunk {
  164. u_int n_left;
  165. void *m;
  166. };
  167. static struct chunk chunks[NCHUNKS];
  168. static int cur_chunk;
  169. static void *newchunk(u_int);
  170. static void freechunks(void);
  171. static inline struct block *new_block(int);
  172. static inline struct slist *new_stmt(int);
  173. static struct block *gen_retblk(int);
  174. static inline void syntax(void);
  175. static void backpatch(struct block *, struct block *);
  176. static void merge(struct block *, struct block *);
  177. static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
  178. static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
  179. static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
  180. static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
  181. static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
  182. static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
  183. bpf_u_int32);
  184. static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
  185. static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
  186. bpf_u_int32, bpf_u_int32, int, bpf_int32);
  187. static struct slist *gen_load_llrel(u_int, u_int);
  188. static struct slist *gen_load_macplrel(u_int, u_int);
  189. static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
  190. static struct slist *gen_loadx_iphdrlen(void);
  191. static struct block *gen_uncond(int);
  192. static inline struct block *gen_true(void);
  193. static inline struct block *gen_false(void);
  194. static struct block *gen_ether_linktype(int);
  195. static struct block *gen_ipnet_linktype(int);
  196. static struct block *gen_linux_sll_linktype(int);
  197. static struct slist *gen_load_prism_llprefixlen(void);
  198. static struct slist *gen_load_avs_llprefixlen(void);
  199. static struct slist *gen_load_radiotap_llprefixlen(void);
  200. static struct slist *gen_load_ppi_llprefixlen(void);
  201. static void insert_compute_vloffsets(struct block *);
  202. static struct slist *gen_llprefixlen(void);
  203. static struct slist *gen_off_macpl(void);
  204. static int ethertype_to_ppptype(int);
  205. static struct block *gen_linktype(int);
  206. static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
  207. static struct block *gen_llc_linktype(int);
  208. static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
  209. #ifdef INET6
  210. static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
  211. #endif
  212. static struct block *gen_ahostop(const u_char *, int);
  213. static struct block *gen_ehostop(const u_char *, int);
  214. static struct block *gen_fhostop(const u_char *, int);
  215. static struct block *gen_thostop(const u_char *, int);
  216. static struct block *gen_wlanhostop(const u_char *, int);
  217. static struct block *gen_ipfchostop(const u_char *, int);
  218. static struct block *gen_dnhostop(bpf_u_int32, int);
  219. static struct block *gen_mpls_linktype(int);
  220. static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
  221. #ifdef INET6
  222. static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
  223. #endif
  224. #ifndef INET6
  225. static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
  226. #endif
  227. static struct block *gen_ipfrag(void);
  228. static struct block *gen_portatom(int, bpf_int32);
  229. static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
  230. #ifdef INET6
  231. static struct block *gen_portatom6(int, bpf_int32);
  232. static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
  233. #endif
  234. struct block *gen_portop(int, int, int);
  235. static struct block *gen_port(int, int, int);
  236. struct block *gen_portrangeop(int, int, int, int);
  237. static struct block *gen_portrange(int, int, int, int);
  238. #ifdef INET6
  239. struct block *gen_portop6(int, int, int);
  240. static struct block *gen_port6(int, int, int);
  241. struct block *gen_portrangeop6(int, int, int, int);
  242. static struct block *gen_portrange6(int, int, int, int);
  243. #endif
  244. static int lookup_proto(const char *, int);
  245. static struct block *gen_protochain(int, int, int);
  246. static struct block *gen_proto(int, int, int);
  247. static struct slist *xfer_to_x(struct arth *);
  248. static struct slist *xfer_to_a(struct arth *);
  249. static struct block *gen_mac_multicast(int);
  250. static struct block *gen_len(int, int);
  251. static struct block *gen_check_802_11_data_frame(void);
  252. static struct block *gen_ppi_dlt_check(void);
  253. static struct block *gen_msg_abbrev(int type);
  254. static void *
  255. newchunk(n)
  256. u_int n;
  257. {
  258. struct chunk *cp;
  259. int k;
  260. size_t size;
  261. #ifndef __NetBSD__
  262. /* XXX Round up to nearest long. */
  263. n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
  264. #else
  265. /* XXX Round up to structure boundary. */
  266. n = ALIGN(n);
  267. #endif
  268. cp = &chunks[cur_chunk];
  269. if (n > cp->n_left) {
  270. ++cp, k = ++cur_chunk;
  271. if (k >= NCHUNKS)
  272. bpf_error("out of memory");
  273. size = CHUNK0SIZE << k;
  274. cp->m = (void *)malloc(size);
  275. if (cp->m == NULL)
  276. bpf_error("out of memory");
  277. memset((char *)cp->m, 0, size);
  278. cp->n_left = size;
  279. if (n > size)
  280. bpf_error("out of memory");
  281. }
  282. cp->n_left -= n;
  283. return (void *)((char *)cp->m + cp->n_left);
  284. }
  285. static void
  286. freechunks()
  287. {
  288. int i;
  289. cur_chunk = 0;
  290. for (i = 0; i < NCHUNKS; ++i)
  291. if (chunks[i].m != NULL) {
  292. free(chunks[i].m);
  293. chunks[i].m = NULL;
  294. }
  295. }
  296. /*
  297. * A strdup whose allocations are freed after code generation is over.
  298. */
  299. char *
  300. sdup(s)
  301. register const char *s;
  302. {
  303. int n = strlen(s) + 1;
  304. char *cp = newchunk(n);
  305. strlcpy(cp, s, n);
  306. return (cp);
  307. }
  308. static inline struct block *
  309. new_block(code)
  310. int code;
  311. {
  312. struct block *p;
  313. p = (struct block *)newchunk(sizeof(*p));
  314. p->s.code = code;
  315. p->head = p;
  316. return p;
  317. }
  318. static inline struct slist *
  319. new_stmt(code)
  320. int code;
  321. {
  322. struct slist *p;
  323. p = (struct slist *)newchunk(sizeof(*p));
  324. p->s.code = code;
  325. return p;
  326. }
  327. static struct block *
  328. gen_retblk(v)
  329. int v;
  330. {
  331. struct block *b = new_block(BPF_RET|BPF_K);
  332. b->s.k = v;
  333. return b;
  334. }
  335. static inline void
  336. syntax()
  337. {
  338. bpf_error("syntax error in filter expression");
  339. }
  340. static bpf_u_int32 netmask;
  341. static int snaplen;
  342. int no_optimize;
  343. #ifdef WIN32
  344. static int
  345. pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
  346. const char *buf, int optimize, bpf_u_int32 mask);
  347. int
  348. pcap_compile(pcap_t *p, struct bpf_program *program,
  349. const char *buf, int optimize, bpf_u_int32 mask)
  350. {
  351. int result;
  352. EnterCriticalSection(&g_PcapCompileCriticalSection);
  353. result = pcap_compile_unsafe(p, program, buf, optimize, mask);
  354. LeaveCriticalSection(&g_PcapCompileCriticalSection);
  355. return result;
  356. }
  357. static int
  358. pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
  359. const char *buf, int optimize, bpf_u_int32 mask)
  360. #else /* WIN32 */
  361. int
  362. pcap_compile(pcap_t *p, struct bpf_program *program,
  363. const char *buf, int optimize, bpf_u_int32 mask)
  364. #endif /* WIN32 */
  365. {
  366. extern int n_errors;
  367. const char * volatile xbuf = buf;
  368. int len;
  369. no_optimize = 0;
  370. n_errors = 0;
  371. root = NULL;
  372. bpf_pcap = p;
  373. init_regs();
  374. if (setjmp(top_ctx)) {
  375. #ifdef INET6
  376. if (ai != NULL) {
  377. freeaddrinfo(ai);
  378. ai = NULL;
  379. }
  380. #endif
  381. lex_cleanup();
  382. freechunks();
  383. return (-1);
  384. }
  385. netmask = mask;
  386. snaplen = pcap_snapshot(p);
  387. if (snaplen == 0) {
  388. snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  389. "snaplen of 0 rejects all packets");
  390. return -1;
  391. }
  392. lex_init(xbuf ? xbuf : "");
  393. init_linktype(p);
  394. (void)pcap_parse();
  395. if (n_errors)
  396. syntax();
  397. if (root == NULL)
  398. root = gen_retblk(snaplen);
  399. if (optimize && !no_optimize) {
  400. bpf_optimize(&root);
  401. if (root == NULL ||
  402. (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
  403. bpf_error("expression rejects all packets");
  404. }
  405. program->bf_insns = icode_to_fcode(root, &len);
  406. program->bf_len = len;
  407. lex_cleanup();
  408. freechunks();
  409. return (0);
  410. }
  411. /*
  412. * entry point for using the compiler with no pcap open
  413. * pass in all the stuff that is needed explicitly instead.
  414. */
  415. int
  416. pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
  417. struct bpf_program *program,
  418. const char *buf, int optimize, bpf_u_int32 mask)
  419. {
  420. pcap_t *p;
  421. int ret;
  422. p = pcap_open_dead(linktype_arg, snaplen_arg);
  423. if (p == NULL)
  424. return (-1);
  425. ret = pcap_compile(p, program, buf, optimize, mask);
  426. pcap_close(p);
  427. return (ret);
  428. }
  429. /*
  430. * Clean up a "struct bpf_program" by freeing all the memory allocated
  431. * in it.
  432. */
  433. void
  434. pcap_freecode(struct bpf_program *program)
  435. {
  436. program->bf_len = 0;
  437. if (program->bf_insns != NULL) {
  438. free((char *)program->bf_insns);
  439. program->bf_insns = NULL;
  440. }
  441. }
  442. /*
  443. * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
  444. * which of the jt and jf fields has been resolved and which is a pointer
  445. * back to another unresolved block (or nil). At least one of the fields
  446. * in each block is already resolved.
  447. */
  448. static void
  449. backpatch(list, target)
  450. struct block *list, *target;
  451. {
  452. struct block *next;
  453. while (list) {
  454. if (!list->sense) {
  455. next = JT(list);
  456. JT(list) = target;
  457. } else {
  458. next = JF(list);
  459. JF(list) = target;
  460. }
  461. list = next;
  462. }
  463. }
  464. /*
  465. * Merge the lists in b0 and b1, using the 'sense' field to indicate
  466. * which of jt and jf is the link.
  467. */
  468. static void
  469. merge(b0, b1)
  470. struct block *b0, *b1;
  471. {
  472. register struct block **p = &b0;
  473. /* Find end of list. */
  474. while (*p)
  475. p = !((*p)->sense) ? &JT(*p) : &JF(*p);
  476. /* Concatenate the lists. */
  477. *p = b1;
  478. }
  479. void
  480. finish_parse(p)
  481. struct block *p;
  482. {
  483. struct block *ppi_dlt_check;
  484. /*
  485. * Insert before the statements of the first (root) block any
  486. * statements needed to load the lengths of any variable-length
  487. * headers into registers.
  488. *
  489. * XXX - a fancier strategy would be to insert those before the
  490. * statements of all blocks that use those lengths and that
  491. * have no predecessors that use them, so that we only compute
  492. * the lengths if we need them. There might be even better
  493. * approaches than that.
  494. *
  495. * However, those strategies would be more complicated, and
  496. * as we don't generate code to compute a length if the
  497. * program has no tests that use the length, and as most
  498. * tests will probably use those lengths, we would just
  499. * postpone computing the lengths so that it's not done
  500. * for tests that fail early, and it's not clear that's
  501. * worth the effort.
  502. */
  503. insert_compute_vloffsets(p->head);
  504. /*
  505. * For DLT_PPI captures, generate a check of the per-packet
  506. * DLT value to make sure it's DLT_IEEE802_11.
  507. */
  508. ppi_dlt_check = gen_ppi_dlt_check();
  509. if (ppi_dlt_check != NULL)
  510. gen_and(ppi_dlt_check, p);
  511. backpatch(p, gen_retblk(snaplen));
  512. p->sense = !p->sense;
  513. backpatch(p, gen_retblk(0));
  514. root = p->head;
  515. }
  516. void
  517. gen_and(b0, b1)
  518. struct block *b0, *b1;
  519. {
  520. backpatch(b0, b1->head);
  521. b0->sense = !b0->sense;
  522. b1->sense = !b1->sense;
  523. merge(b1, b0);
  524. b1->sense = !b1->sense;
  525. b1->head = b0->head;
  526. }
  527. void
  528. gen_or(b0, b1)
  529. struct block *b0, *b1;
  530. {
  531. b0->sense = !b0->sense;
  532. backpatch(b0, b1->head);
  533. b0->sense = !b0->sense;
  534. merge(b1, b0);
  535. b1->head = b0->head;
  536. }
  537. void
  538. gen_not(b)
  539. struct block *b;
  540. {
  541. b->sense = !b->sense;
  542. }
  543. static struct block *
  544. gen_cmp(offrel, offset, size, v)
  545. enum e_offrel offrel;
  546. u_int offset, size;
  547. bpf_int32 v;
  548. {
  549. return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
  550. }
  551. static struct block *
  552. gen_cmp_gt(offrel, offset, size, v)
  553. enum e_offrel offrel;
  554. u_int offset, size;
  555. bpf_int32 v;
  556. {
  557. return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
  558. }
  559. static struct block *
  560. gen_cmp_ge(offrel, offset, size, v)
  561. enum e_offrel offrel;
  562. u_int offset, size;
  563. bpf_int32 v;
  564. {
  565. return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
  566. }
  567. static struct block *
  568. gen_cmp_lt(offrel, offset, size, v)
  569. enum e_offrel offrel;
  570. u_int offset, size;
  571. bpf_int32 v;
  572. {
  573. return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
  574. }
  575. static struct block *
  576. gen_cmp_le(offrel, offset, size, v)
  577. enum e_offrel offrel;
  578. u_int offset, size;
  579. bpf_int32 v;
  580. {
  581. return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
  582. }
  583. static struct block *
  584. gen_mcmp(offrel, offset, size, v, mask)
  585. enum e_offrel offrel;
  586. u_int offset, size;
  587. bpf_int32 v;
  588. bpf_u_int32 mask;
  589. {
  590. return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
  591. }
  592. static struct block *
  593. gen_bcmp(offrel, offset, size, v)
  594. enum e_offrel offrel;
  595. register u_int offset, size;
  596. register const u_char *v;
  597. {
  598. register struct block *b, *tmp;
  599. b = NULL;
  600. while (size >= 4) {
  601. register const u_char *p = &v[size - 4];
  602. bpf_int32 w = ((bpf_int32)p[0] << 24) |
  603. ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
  604. tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
  605. if (b != NULL)
  606. gen_and(b, tmp);
  607. b = tmp;
  608. size -= 4;
  609. }
  610. while (size >= 2) {
  611. register const u_char *p = &v[size - 2];
  612. bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
  613. tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
  614. if (b != NULL)
  615. gen_and(b, tmp);
  616. b = tmp;
  617. size -= 2;
  618. }
  619. if (size > 0) {
  620. tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
  621. if (b != NULL)
  622. gen_and(b, tmp);
  623. b = tmp;
  624. }
  625. return b;
  626. }
  627. /*
  628. * AND the field of size "size" at offset "offset" relative to the header
  629. * specified by "offrel" with "mask", and compare it with the value "v"
  630. * with the test specified by "jtype"; if "reverse" is true, the test
  631. * should test the opposite of "jtype".
  632. */
  633. static struct block *
  634. gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
  635. enum e_offrel offrel;
  636. bpf_int32 v;
  637. bpf_u_int32 offset, size, mask, jtype;
  638. int reverse;
  639. {
  640. struct slist *s, *s2;
  641. struct block *b;
  642. s = gen_load_a(offrel, offset, size);
  643. if (mask != 0xffffffff) {
  644. s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
  645. s2->s.k = mask;
  646. sappend(s, s2);
  647. }
  648. b = new_block(JMP(jtype));
  649. b->stmts = s;
  650. b->s.k = v;
  651. if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
  652. gen_not(b);
  653. return b;
  654. }
  655. /*
  656. * Various code constructs need to know the layout of the data link
  657. * layer. These variables give the necessary offsets from the beginning
  658. * of the packet data.
  659. */
  660. /*
  661. * This is the offset of the beginning of the link-layer header from
  662. * the beginning of the raw packet data.
  663. *
  664. * It's usually 0, except for 802.11 with a fixed-length radio header.
  665. * (For 802.11 with a variable-length radio header, we have to generate
  666. * code to compute that offset; off_ll is 0 in that case.)
  667. */
  668. static u_int off_ll;
  669. /*
  670. * If there's a variable-length header preceding the link-layer header,
  671. * "reg_off_ll" is the register number for a register containing the
  672. * length of that header, and therefore the offset of the link-layer
  673. * header from the beginning of the raw packet data. Otherwise,
  674. * "reg_off_ll" is -1.
  675. */
  676. static int reg_off_ll;
  677. /*
  678. * This is the offset of the beginning of the MAC-layer header from
  679. * the beginning of the link-layer header.
  680. * It's usually 0, except for ATM LANE, where it's the offset, relative
  681. * to the beginning of the raw packet data, of the Ethernet header, and
  682. * for Ethernet with various additional information.
  683. */
  684. static u_int off_mac;
  685. /*
  686. * This is the offset of the beginning of the MAC-layer payload,
  687. * from the beginning of the raw packet data.
  688. *
  689. * I.e., it's the sum of the length of the link-layer header (without,
  690. * for example, any 802.2 LLC header, so it's the MAC-layer
  691. * portion of that header), plus any prefix preceding the
  692. * link-layer header.
  693. */
  694. static u_int off_macpl;
  695. /*
  696. * This is 1 if the offset of the beginning of the MAC-layer payload
  697. * from the beginning of the link-layer header is variable-length.
  698. */
  699. static int off_macpl_is_variable;
  700. /*
  701. * If the link layer has variable_length headers, "reg_off_macpl"
  702. * is the register number for a register containing the length of the
  703. * link-layer header plus the length of any variable-length header
  704. * preceding the link-layer header. Otherwise, "reg_off_macpl"
  705. * is -1.
  706. */
  707. static int reg_off_macpl;
  708. /*
  709. * "off_linktype" is the offset to information in the link-layer header
  710. * giving the packet type. This offset is relative to the beginning
  711. * of the link-layer header (i.e., it doesn't include off_ll).
  712. *
  713. * For Ethernet, it's the offset of the Ethernet type field.
  714. *
  715. * For link-layer types that always use 802.2 headers, it's the
  716. * offset of the LLC header.
  717. *
  718. * For PPP, it's the offset of the PPP type field.
  719. *
  720. * For Cisco HDLC, it's the offset of the CHDLC type field.
  721. *
  722. * For BSD loopback, it's the offset of the AF_ value.
  723. *
  724. * For Linux cooked sockets, it's the offset of the type field.
  725. *
  726. * It's set to -1 for no encapsulation, in which case, IP is assumed.
  727. */
  728. static u_int off_linktype;
  729. /*
  730. * TRUE if "pppoes" appeared in the filter; it causes link-layer type
  731. * checks to check the PPP header, assumed to follow a LAN-style link-
  732. * layer header and a PPPoE session header.
  733. */
  734. static int is_pppoes = 0;
  735. /*
  736. * TRUE if the link layer includes an ATM pseudo-header.
  737. */
  738. static int is_atm = 0;
  739. /*
  740. * TRUE if "lane" appeared in the filter; it causes us to generate
  741. * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
  742. */
  743. static int is_lane = 0;
  744. /*
  745. * These are offsets for the ATM pseudo-header.
  746. */
  747. static u_int off_vpi;
  748. static u_int off_vci;
  749. static u_int off_proto;
  750. /*
  751. * These are offsets for the MTP2 fields.
  752. */
  753. static u_int off_li;
  754. /*
  755. * These are offsets for the MTP3 fields.
  756. */
  757. static u_int off_sio;
  758. static u_int off_opc;
  759. static u_int off_dpc;
  760. static u_int off_sls;
  761. /*
  762. * This is the offset of the first byte after the ATM pseudo_header,
  763. * or -1 if there is no ATM pseudo-header.
  764. */
  765. static u_int off_payload;
  766. /*
  767. * These are offsets to the beginning of the network-layer header.
  768. * They are relative to the beginning of the MAC-layer payload (i.e.,
  769. * they don't include off_ll or off_macpl).
  770. *
  771. * If the link layer never uses 802.2 LLC:
  772. *
  773. * "off_nl" and "off_nl_nosnap" are the same.
  774. *
  775. * If the link layer always uses 802.2 LLC:
  776. *
  777. * "off_nl" is the offset if there's a SNAP header following
  778. * the 802.2 header;
  779. *
  780. * "off_nl_nosnap" is the offset if there's no SNAP header.
  781. *
  782. * If the link layer is Ethernet:
  783. *
  784. * "off_nl" is the offset if the packet is an Ethernet II packet
  785. * (we assume no 802.3+802.2+SNAP);
  786. *
  787. * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
  788. * with an 802.2 header following it.
  789. */
  790. static u_int off_nl;
  791. static u_int off_nl_nosnap;
  792. static int linktype;
  793. static void
  794. init_linktype(p)
  795. pcap_t *p;
  796. {
  797. linktype = pcap_datalink(p);
  798. #ifdef PCAP_FDDIPAD
  799. pcap_fddipad = p->fddipad;
  800. #endif
  801. /*
  802. * Assume it's not raw ATM with a pseudo-header, for now.
  803. */
  804. off_mac = 0;
  805. is_atm = 0;
  806. is_lane = 0;
  807. off_vpi = -1;
  808. off_vci = -1;
  809. off_proto = -1;
  810. off_payload = -1;
  811. /*
  812. * And that we're not doing PPPoE.
  813. */
  814. is_pppoes = 0;
  815. /*
  816. * And assume we're not doing SS7.
  817. */
  818. off_li = -1;
  819. off_sio = -1;
  820. off_opc = -1;
  821. off_dpc = -1;
  822. off_sls = -1;
  823. /*
  824. * Also assume it's not 802.11.
  825. */
  826. off_ll = 0;
  827. off_macpl = 0;
  828. off_macpl_is_variable = 0;
  829. orig_linktype = -1;
  830. orig_nl = -1;
  831. label_stack_depth = 0;
  832. reg_off_ll = -1;
  833. reg_off_macpl = -1;
  834. switch (linktype) {
  835. case DLT_ARCNET:
  836. off_linktype = 2;
  837. off_macpl = 6;
  838. off_nl = 0; /* XXX in reality, variable! */
  839. off_nl_nosnap = 0; /* no 802.2 LLC */
  840. return;
  841. case DLT_ARCNET_LINUX:
  842. off_linktype = 4;
  843. off_macpl = 8;
  844. off_nl = 0; /* XXX in reality, variable! */
  845. off_nl_nosnap = 0; /* no 802.2 LLC */
  846. return;
  847. case DLT_EN10MB:
  848. off_linktype = 12;
  849. off_macpl = 14; /* Ethernet header length */
  850. off_nl = 0; /* Ethernet II */
  851. off_nl_nosnap = 3; /* 802.3+802.2 */
  852. return;
  853. case DLT_SLIP:
  854. /*
  855. * SLIP doesn't have a link level type. The 16 byte
  856. * header is hacked into our SLIP driver.
  857. */
  858. off_linktype = -1;
  859. off_macpl = 16;
  860. off_nl = 0;
  861. off_nl_nosnap = 0; /* no 802.2 LLC */
  862. return;
  863. case DLT_SLIP_BSDOS:
  864. /* XXX this may be the same as the DLT_PPP_BSDOS case */
  865. off_linktype = -1;
  866. /* XXX end */
  867. off_macpl = 24;
  868. off_nl = 0;
  869. off_nl_nosnap = 0; /* no 802.2 LLC */
  870. return;
  871. case DLT_NULL:
  872. case DLT_LOOP:
  873. off_linktype = 0;
  874. off_macpl = 4;
  875. off_nl = 0;
  876. off_nl_nosnap = 0; /* no 802.2 LLC */
  877. return;
  878. case DLT_ENC:
  879. off_linktype = 0;
  880. off_macpl = 12;
  881. off_nl = 0;
  882. off_nl_nosnap = 0; /* no 802.2 LLC */
  883. return;
  884. case DLT_PPP:
  885. case DLT_PPP_PPPD:
  886. case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
  887. case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
  888. off_linktype = 2;
  889. off_macpl = 4;
  890. off_nl = 0;
  891. off_nl_nosnap = 0; /* no 802.2 LLC */
  892. return;
  893. case DLT_PPP_ETHER:
  894. /*
  895. * This does no include the Ethernet header, and
  896. * only covers session state.
  897. */
  898. off_linktype = 6;
  899. off_macpl = 8;
  900. off_nl = 0;
  901. off_nl_nosnap = 0; /* no 802.2 LLC */
  902. return;
  903. case DLT_PPP_BSDOS:
  904. off_linktype = 5;
  905. off_macpl = 24;
  906. off_nl = 0;
  907. off_nl_nosnap = 0; /* no 802.2 LLC */
  908. return;
  909. case DLT_FDDI:
  910. /*
  911. * FDDI doesn't really have a link-level type field.
  912. * We set "off_linktype" to the offset of the LLC header.
  913. *
  914. * To check for Ethernet types, we assume that SSAP = SNAP
  915. * is being used and pick out the encapsulated Ethernet type.
  916. * XXX - should we generate code to check for SNAP?
  917. */
  918. off_linktype = 13;
  919. #ifdef PCAP_FDDIPAD
  920. off_linktype += pcap_fddipad;
  921. #endif
  922. off_macpl = 13; /* FDDI MAC header length */
  923. #ifdef PCAP_FDDIPAD
  924. off_macpl += pcap_fddipad;
  925. #endif
  926. off_nl = 8; /* 802.2+SNAP */
  927. off_nl_nosnap = 3; /* 802.2 */
  928. return;
  929. case DLT_IEEE802:
  930. /*
  931. * Token Ring doesn't really have a link-level type field.
  932. * We set "off_linktype" to the offset of the LLC header.
  933. *
  934. * To check for Ethernet types, we assume that SSAP = SNAP
  935. * is being used and pick out the encapsulated Ethernet type.
  936. * XXX - should we generate code to check for SNAP?
  937. *
  938. * XXX - the header is actually variable-length.
  939. * Some various Linux patched versions gave 38
  940. * as "off_linktype" and 40 as "off_nl"; however,
  941. * if a token ring packet has *no* routing
  942. * information, i.e. is not source-routed, the correct
  943. * values are 20 and 22, as they are in the vanilla code.
  944. *
  945. * A packet is source-routed iff the uppermost bit
  946. * of the first byte of the source address, at an
  947. * offset of 8, has the uppermost bit set. If the
  948. * packet is source-routed, the total number of bytes
  949. * of routing information is 2 plus bits 0x1F00 of
  950. * the 16-bit value at an offset of 14 (shifted right
  951. * 8 - figure out which byte that is).
  952. */
  953. off_linktype = 14;
  954. off_macpl = 14; /* Token Ring MAC header length */
  955. off_nl = 8; /* 802.2+SNAP */
  956. off_nl_nosnap = 3; /* 802.2 */
  957. return;
  958. case DLT_IEEE802_11:
  959. case DLT_PRISM_HEADER:
  960. case DLT_IEEE802_11_RADIO_AVS:
  961. case DLT_IEEE802_11_RADIO:
  962. /*
  963. * 802.11 doesn't really have a link-level type field.
  964. * We set "off_linktype" to the offset of the LLC header.
  965. *
  966. * To check for Ethernet types, we assume that SSAP = SNAP
  967. * is being used and pick out the encapsulated Ethernet type.
  968. * XXX - should we generate code to check for SNAP?
  969. *
  970. * We also handle variable-length radio headers here.
  971. * The Prism header is in theory variable-length, but in
  972. * practice it's always 144 bytes long. However, some
  973. * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
  974. * sometimes or always supply an AVS header, so we
  975. * have to check whether the radio header is a Prism
  976. * header or an AVS header, so, in practice, it's
  977. * variable-length.
  978. */
  979. off_linktype = 24;
  980. off_macpl = 0; /* link-layer header is variable-length */
  981. off_macpl_is_variable = 1;
  982. off_nl = 8; /* 802.2+SNAP */
  983. off_nl_nosnap = 3; /* 802.2 */
  984. return;
  985. case DLT_PPI:
  986. /*
  987. * At the moment we treat PPI the same way that we treat
  988. * normal Radiotap encoded packets. The difference is in
  989. * the function that generates the code at the beginning
  990. * to compute the header length. Since this code generator
  991. * of PPI supports bare 802.11 encapsulation only (i.e.
  992. * the encapsulated DLT should be DLT_IEEE802_11) we
  993. * generate code to check for this too.
  994. */
  995. off_linktype = 24;
  996. off_macpl = 0; /* link-layer header is variable-length */
  997. off_macpl_is_variable = 1;
  998. off_nl = 8; /* 802.2+SNAP */
  999. off_nl_nosnap = 3; /* 802.2 */
  1000. return;
  1001. case DLT_ATM_RFC1483:
  1002. case DLT_ATM_CLIP: /* Linux ATM defines this */
  1003. /*
  1004. * assume routed, non-ISO PDUs
  1005. * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
  1006. *
  1007. * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
  1008. * or PPP with the PPP NLPID (e.g., PPPoA)? The
  1009. * latter would presumably be treated the way PPPoE
  1010. * should be, so you can do "pppoe and udp port 2049"
  1011. * or "pppoa and tcp port 80" and have it check for
  1012. * PPPo{A,E} and a PPP protocol of IP and....
  1013. */
  1014. off_linktype = 0;
  1015. off_macpl = 0; /* packet begins with LLC header */
  1016. off_nl = 8; /* 802.2+SNAP */
  1017. off_nl_nosnap = 3; /* 802.2 */
  1018. return;
  1019. case DLT_SUNATM:
  1020. /*
  1021. * Full Frontal ATM; you get AALn PDUs with an ATM
  1022. * pseudo-header.
  1023. */
  1024. is_atm = 1;
  1025. off_vpi = SUNATM_VPI_POS;
  1026. off_vci = SUNATM_VCI_POS;
  1027. off_proto = PROTO_POS;
  1028. off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
  1029. off_payload = SUNATM_PKT_BEGIN_POS;
  1030. off_linktype = off_payload;
  1031. off_macpl = off_payload; /* if LLC-encapsulated */
  1032. off_nl = 8; /* 802.2+SNAP */
  1033. off_nl_nosnap = 3; /* 802.2 */
  1034. return;
  1035. case DLT_RAW:
  1036. case DLT_IPV4:
  1037. case DLT_IPV6:
  1038. off_linktype = -1;
  1039. off_macpl = 0;
  1040. off_nl = 0;
  1041. off_nl_nosnap = 0; /* no 802.2 LLC */
  1042. return;
  1043. case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
  1044. off_linktype = 14;
  1045. off_macpl = 16;
  1046. off_nl = 0;
  1047. off_nl_nosnap = 0; /* no 802.2 LLC */
  1048. return;
  1049. case DLT_LTALK:
  1050. /*
  1051. * LocalTalk does have a 1-byte type field in the LLAP header,
  1052. * but really it just indicates whether there is a "short" or
  1053. * "long" DDP packet following.
  1054. */
  1055. off_linktype = -1;
  1056. off_macpl = 0;
  1057. off_nl = 0;
  1058. off_nl_nosnap = 0; /* no 802.2 LLC */
  1059. return;
  1060. case DLT_IP_OVER_FC:
  1061. /*
  1062. * RFC 2625 IP-over-Fibre-Channel doesn't really have a
  1063. * link-level type field. We set "off_linktype" to the
  1064. * offset of the LLC header.
  1065. *
  1066. * To check for Ethernet types, we assume that SSAP = SNAP
  1067. * is being used and pick out the encapsulated Ethernet type.
  1068. * XXX - should we generate code to check for SNAP? RFC
  1069. * 2625 says SNAP should be used.
  1070. */
  1071. off_linktype = 16;
  1072. off_macpl = 16;
  1073. off_nl = 8; /* 802.2+SNAP */
  1074. off_nl_nosnap = 3; /* 802.2 */
  1075. return;
  1076. case DLT_FRELAY:
  1077. /*
  1078. * XXX - we should set this to handle SNAP-encapsulated
  1079. * frames (NLPID of 0x80).
  1080. */
  1081. off_linktype = -1;
  1082. off_macpl = 0;
  1083. off_nl = 0;
  1084. off_nl_nosnap = 0; /* no 802.2 LLC */
  1085. return;
  1086. /*
  1087. * the only BPF-interesting FRF.16 frames are non-control frames;
  1088. * Frame Relay has a variable length link-layer
  1089. * so lets start with offset 4 for now and increments later on (FIXME);
  1090. */
  1091. case DLT_MFR:
  1092. off_linktype = -1;
  1093. off_macpl = 0;
  1094. off_nl = 4;
  1095. off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
  1096. return;
  1097. case DLT_APPLE_IP_OVER_IEEE1394:
  1098. off_linktype = 16;
  1099. off_macpl = 18;
  1100. off_nl = 0;
  1101. off_nl_nosnap = 0; /* no 802.2 LLC */
  1102. return;
  1103. case DLT_SYMANTEC_FIREWALL:
  1104. off_linktype = 6;
  1105. off_macpl = 44;
  1106. off_nl = 0; /* Ethernet II */
  1107. off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
  1108. return;
  1109. #ifdef HAVE_NET_PFVAR_H
  1110. case DLT_PFLOG:
  1111. off_linktype = 0;
  1112. off_macpl = PFLOG_HDRLEN;
  1113. off_nl = 0;
  1114. off_nl_nosnap = 0; /* no 802.2 LLC */
  1115. return;
  1116. #endif
  1117. case DLT_JUNIPER_MFR:
  1118. case DLT_JUNIPER_MLFR:
  1119. case DLT_JUNIPER_MLPPP:
  1120. case DLT_JUNIPER_PPP:
  1121. case DLT_JUNIPER_CHDLC:
  1122. case DLT_JUNIPER_FRELAY:
  1123. off_linktype = 4;
  1124. off_macpl = 4;
  1125. off_nl = 0;
  1126. off_nl_nosnap = -1; /* no 802.2 LLC */
  1127. return;
  1128. case DLT_JUNIPER_ATM1:
  1129. off_linktype = 4; /* in reality variable between 4-8 */
  1130. off_macpl = 4; /* in reality variable between 4-8 */
  1131. off_nl = 0;
  1132. off_nl_nosnap = 10;
  1133. return;
  1134. case DLT_JUNIPER_ATM2:
  1135. off_linktype = 8; /* in reality variable between 8-12 */
  1136. off_macpl = 8; /* in reality variable between 8-12 */
  1137. off_nl = 0;
  1138. off_nl_nosnap = 10;
  1139. return;
  1140. /* frames captured on a Juniper PPPoE service PIC
  1141. * contain raw ethernet frames */
  1142. case DLT_JUNIPER_PPPOE:
  1143. case DLT_JUNIPER_ETHER:
  1144. off_macpl = 14;
  1145. off_linktype = 16;
  1146. off_nl = 18; /* Ethernet II */
  1147. off_nl_nosnap = 21; /* 802.3+802.2 */
  1148. return;
  1149. case DLT_JUNIPER_PPPOE_ATM:
  1150. off_linktype = 4;
  1151. off_macpl = 6;
  1152. off_nl = 0;
  1153. off_nl_nosnap = -1; /* no 802.2 LLC */
  1154. return;
  1155. case DLT_JUNIPER_GGSN:
  1156. off_linktype = 6;
  1157. off_macpl = 12;
  1158. off_nl = 0;
  1159. off_nl_nosnap = -1; /* no 802.2 LLC */
  1160. return;
  1161. case DLT_JUNIPER_ES:
  1162. off_linktype = 6;
  1163. off_macpl = -1; /* not really a network layer but raw IP addresses */
  1164. off_nl = -1; /* not really a network layer but raw IP addresses */
  1165. off_nl_nosnap = -1; /* no 802.2 LLC */
  1166. return;
  1167. case DLT_JUNIPER_MONITOR:
  1168. off_linktype = 12;
  1169. off_macpl = 12;
  1170. off_nl = 0; /* raw IP/IP6 header */
  1171. off_nl_nosnap = -1; /* no 802.2 LLC */
  1172. return;
  1173. case DLT_JUNIPER_SERVICES:
  1174. off_linktype = 12;
  1175. off_macpl = -1; /* L3 proto location dep. on cookie type */
  1176. off_nl = -1; /* L3 proto location dep. on cookie type */
  1177. off_nl_nosnap = -1; /* no 802.2 LLC */
  1178. return;
  1179. case DLT_JUNIPER_VP:
  1180. off_linktype = 18;
  1181. off_macpl = -1;
  1182. off_nl = -1;
  1183. off_nl_nosnap = -1;
  1184. return;
  1185. case DLT_JUNIPER_ST:
  1186. off_linktype = 18;
  1187. off_macpl = -1;
  1188. off_nl = -1;
  1189. off_nl_nosnap = -1;
  1190. return;
  1191. case DLT_JUNIPER_ISM:
  1192. off_linktype = 8;
  1193. off_macpl = -1;
  1194. off_nl = -1;
  1195. off_nl_nosnap = -1;
  1196. return;
  1197. case DLT_JUNIPER_VS:
  1198. case DLT_JUNIPER_SRX_E2E:
  1199. case DLT_JUNIPER_FIBRECHANNEL:
  1200. case DLT_JUNIPER_ATM_CEMIC:
  1201. off_linktype = 8;
  1202. off_macpl = -1;
  1203. off_nl = -1;
  1204. off_nl_nosnap = -1;
  1205. return;
  1206. case DLT_MTP2:
  1207. off_li = 2;
  1208. off_sio = 3;
  1209. off_opc = 4;
  1210. off_dpc = 4;
  1211. off_sls = 7;
  1212. off_linktype = -1;
  1213. off_macpl = -1;
  1214. off_nl = -1;
  1215. off_nl_nosnap = -1;
  1216. return;
  1217. case DLT_MTP2_WITH_PHDR:
  1218. off_li = 6;
  1219. off_sio = 7;
  1220. off_opc = 8;
  1221. off_dpc = 8;
  1222. off_sls = 11;
  1223. off_linktype = -1;
  1224. off_macpl = -1;
  1225. off_nl = -1;
  1226. off_nl_nosnap = -1;
  1227. return;
  1228. case DLT_ERF:
  1229. off_li = 22;
  1230. off_sio = 23;
  1231. off_opc = 24;
  1232. off_dpc = 24;
  1233. off_sls = 27;
  1234. off_linktype = -1;
  1235. off_macpl = -1;
  1236. off_nl = -1;
  1237. off_nl_nosnap = -1;
  1238. return;
  1239. #ifdef DLT_PFSYNC
  1240. case DLT_PFSYNC:
  1241. off_linktype = -1;
  1242. off_macpl = 4;
  1243. off_nl = 0;
  1244. off_nl_nosnap = 0;
  1245. return;
  1246. #endif
  1247. case DLT_AX25_KISS:
  1248. /*
  1249. * Currently, only raw "link[N:M]" filtering is supported.
  1250. */
  1251. off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
  1252. off_macpl = -1;
  1253. off_nl = -1; /* variable, min 16, max 71 steps of 7 */
  1254. off_nl_nosnap = -1; /* no 802.2 LLC */
  1255. off_mac = 1; /* step over the kiss length byte */
  1256. return;
  1257. case DLT_IPNET:
  1258. off_linktype = 1;
  1259. off_macpl = 24; /* ipnet header length */
  1260. off_nl = 0;
  1261. off_nl_nosnap = -1;
  1262. return;
  1263. case DLT_NETANALYZER:
  1264. off_mac = 4; /* MAC header is past 4-byte pseudo-header */
  1265. off_linktype = 16; /* includes 4-byte pseudo-header */
  1266. off_macpl = 18; /* pseudo-header+Ethernet header length */
  1267. off_nl = 0; /* Ethernet II */
  1268. off_nl_nosnap = 3; /* 802.3+802.2 */
  1269. return;
  1270. case DLT_NETANALYZER_TRANSPARENT:
  1271. off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
  1272. off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */
  1273. off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */
  1274. off_nl = 0; /* Ethernet II */
  1275. off_nl_nosnap = 3; /* 802.3+802.2 */
  1276. return;
  1277. default:
  1278. /*
  1279. * For values in the range in which we've assigned new
  1280. * DLT_ values, only raw "link[N:M]" filtering is supported.
  1281. */
  1282. if (linktype >= DLT_MATCHING_MIN &&
  1283. linktype <= DLT_MATCHING_MAX) {
  1284. off_linktype = -1;
  1285. off_macpl = -1;
  1286. off_nl = -1;
  1287. off_nl_nosnap = -1;
  1288. return;
  1289. }
  1290. }
  1291. bpf_error("unknown data link type %d", linktype);
  1292. /* NOTREACHED */
  1293. }
  1294. /*
  1295. * Load a value relative to the beginning of the link-layer header.
  1296. * The link-layer header doesn't necessarily begin at the beginning
  1297. * of the packet data; there might be a variable-length prefix containing
  1298. * radio information.
  1299. */
  1300. static struct slist *
  1301. gen_load_llrel(offset, size)
  1302. u_int offset, size;
  1303. {
  1304. struct slist *s, *s2;
  1305. s = gen_llprefixlen();
  1306. /*
  1307. * If "s" is non-null, it has code to arrange that the X register
  1308. * contains the length of the prefix preceding the link-layer
  1309. * header.
  1310. *
  1311. * Otherwise, the length of the prefix preceding the link-layer
  1312. * header is "off_ll".
  1313. */
  1314. if (s != NULL) {
  1315. /*
  1316. * There's a variable-length prefix preceding the
  1317. * link-layer header. "s" points to a list of statements
  1318. * that put the length of that prefix into the X register.
  1319. * do an indirect load, to use the X register as an offset.
  1320. */
  1321. s2 = new_stmt(BPF_LD|BPF_IND|size);
  1322. s2->s.k = offset;
  1323. sappend(s, s2);
  1324. } else {
  1325. /*
  1326. * There is no variable-length header preceding the
  1327. * link-layer header; add in off_ll, which, if there's
  1328. * a fixed-length header preceding the link-layer header,
  1329. * is the length of that header.
  1330. */
  1331. s = new_stmt(BPF_LD|BPF_ABS|size);
  1332. s->s.k = offset + off_ll;
  1333. }
  1334. return s;
  1335. }
  1336. /*
  1337. * Load a value relative to the beginning of the MAC-layer payload.
  1338. */
  1339. static struct slist *
  1340. gen_load_macplrel(offset, size)
  1341. u_int offset, size;
  1342. {
  1343. struct slist *s, *s2;
  1344. s = gen_off_macpl();
  1345. /*
  1346. * If s is non-null, the offset of the MAC-layer payload is
  1347. * variable, and s points to a list of instructions that
  1348. * arrange that the X register contains that offset.
  1349. *
  1350. * Otherwise, the offset of the MAC-layer payload is constant,
  1351. * and is in off_macpl.
  1352. */
  1353. if (s != NULL) {
  1354. /*
  1355. * The offset of the MAC-layer payload is in the X
  1356. * register. Do an indirect load, to use the X register
  1357. * as an offset.
  1358. */
  1359. s2 = new_stmt(BPF_LD|BPF_IND|size);
  1360. s2->s.k = offset;
  1361. sappend(s, s2);
  1362. } else {
  1363. /*
  1364. * The offset of the MAC-layer payload is constant,
  1365. * and is in off_macpl; load the value at that offset
  1366. * plus the specified offset.
  1367. */
  1368. s = new_stmt(BPF_LD|BPF_ABS|size);
  1369. s->s.k = off_macpl + offset;
  1370. }
  1371. return s;
  1372. }
  1373. /*
  1374. * Load a value relative to the beginning of the specified header.
  1375. */
  1376. static struct slist *
  1377. gen_load_a(offrel, offset, size)
  1378. enum e_offrel offrel;
  1379. u_int offset, size;
  1380. {
  1381. struct slist *s, *s2;
  1382. switch (offrel) {
  1383. case OR_PACKET:
  1384. s = new_stmt(BPF_LD|BPF_ABS|size);
  1385. s->s.k = offset;
  1386. break;
  1387. case OR_LINK:
  1388. s = gen_load_llrel(offset, size);
  1389. break;
  1390. case OR_MACPL:
  1391. s = gen_load_macplrel(offset, size);
  1392. break;
  1393. case OR_NET:
  1394. s = gen_load_macplrel(off_nl + offset, size);
  1395. break;
  1396. case OR_NET_NOSNAP:
  1397. s = gen_load_macplrel(off_nl_nosnap + offset, size);
  1398. break;
  1399. case OR_TRAN_IPV4:
  1400. /*
  1401. * Load the X register with the length of the IPv4 header
  1402. * (plus the offset of the link-layer header, if it's
  1403. * preceded by a variable-length header such as a radio
  1404. * header), in bytes.
  1405. */
  1406. s = gen_loadx_iphdrlen();
  1407. /*
  1408. * Load the item at {offset of the MAC-layer payload} +
  1409. * {offset, relative to the start of the MAC-layer
  1410. * paylod, of the IPv4 header} + {length of the IPv4 header} +
  1411. * {specified offset}.
  1412. *
  1413. * (If the offset of the MAC-layer payload is variable,
  1414. * it's included in the value in the X register, and
  1415. * off_macpl is 0.)
  1416. */
  1417. s2 = new_stmt(BPF_LD|BPF_IND|size);
  1418. s2->s.k = off_macpl + off_nl + offset;
  1419. sappend(s, s2);
  1420. break;
  1421. case OR_TRAN_IPV6:
  1422. s = gen_load_macplrel(off_nl + 40 + offset, size);
  1423. break;
  1424. default:
  1425. abort();
  1426. return NULL;
  1427. }
  1428. return s;
  1429. }
  1430. /*
  1431. * Generate code to load into the X register the sum of the length of
  1432. * the IPv4 header and any variable-length header preceding the link-layer
  1433. * header.
  1434. */
  1435. static struct slist *
  1436. gen_loadx_iphdrlen()
  1437. {
  1438. struct slist *s, *s2;
  1439. s = gen_off_macpl();
  1440. if (s != NULL) {
  1441. /*
  1442. * There's a variable-length prefix preceding the
  1443. * link-layer header, or the link-layer header is itself
  1444. * variable-length. "s" points to a list of statements
  1445. * that put the offset of the MAC-layer payload into
  1446. * the X register.
  1447. *
  1448. * The 4*([k]&0xf) addressing mode can't be used, as we
  1449. * don't have a constant offset, so we have to load the
  1450. * value in question into the A register and add to it
  1451. * the value from the X register.
  1452. */
  1453. s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
  1454. s2->s.k = off_nl;
  1455. sappend(s, s2);
  1456. s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
  1457. s2->s.k = 0xf;
  1458. sappend(s, s2);
  1459. s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
  1460. s2->s.k = 2;
  1461. sappend(s, s2);
  1462. /*
  1463. * The A register now contains the length of the
  1464. * IP header. We need to add to it the offset of
  1465. * the MAC-layer payload, which is still in the X
  1466. * register, and move the result into the X register.
  1467. */
  1468. sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
  1469. sappend(s, new_stmt(BPF_MISC|BPF_TAX));
  1470. } else {
  1471. /*
  1472. * There is no variable-length header preceding the
  1473. * link-layer header, and the link-layer header is
  1474. * fixed-length; load the length of the IPv4 header,
  1475. * which is at an offset of off_nl from the beginning
  1476. * of the MAC-layer payload, and thus at an offset
  1477. * of off_mac_pl + off_nl from the beginning of the
  1478. * raw packet data.
  1479. */
  1480. s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
  1481. s->s.k = off_macpl + off_nl;
  1482. }
  1483. return s;
  1484. }
  1485. static struct block *
  1486. gen_uncond(rsense)
  1487. int rsense;
  1488. {
  1489. struct block *b;
  1490. struct slist *s;
  1491. s = new_stmt(BPF_LD|BPF_IMM);
  1492. s->s.k = !rsense;
  1493. b = new_block(JMP(BPF_JEQ));
  1494. b->stmts = s;
  1495. return b;
  1496. }
  1497. static inline struct block *
  1498. gen_true()
  1499. {
  1500. return gen_uncond(1);
  1501. }
  1502. static inline struct block *
  1503. gen_false()
  1504. {
  1505. return gen_uncond(0);
  1506. }
  1507. /*
  1508. * Byte-swap a 32-bit number.
  1509. * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
  1510. * big-endian platforms.)
  1511. */
  1512. #define SWAPLONG(y) \
  1513. ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
  1514. /*
  1515. * Generate code to match a particular packet type.
  1516. *
  1517. * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
  1518. * value, if <= ETHERMTU. We use that to determine whether to
  1519. * match the type/length field or to check the type/length field for
  1520. * a value <= ETHERMTU to see whether it's a type field and then do
  1521. * the appropriate test.
  1522. */
  1523. static struct block *
  1524. gen_ether_linktype(proto)
  1525. register int proto;
  1526. {
  1527. struct block *b0, *b1;
  1528. switch (proto) {
  1529. case LLCSAP_ISONS:
  1530. case LLCSAP_IP:
  1531. case LLCSAP_NETBEUI:
  1532. /*
  1533. * OSI protocols and NetBEUI always use 802.2 encapsulation,
  1534. * so we check the DSAP and SSAP.
  1535. *
  1536. * LLCSAP_IP checks for IP-over-802.2, rather
  1537. * than IP-over-Ethernet or IP-over-SNAP.
  1538. *
  1539. * XXX - should we check both the DSAP and the
  1540. * SSAP, like this, or should we check just the
  1541. * DSAP, as we do for other types <= ETHERMTU
  1542. * (i.e., other SAP values)?
  1543. */
  1544. b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
  1545. gen_not(b0);
  1546. b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
  1547. ((proto << 8) | proto));
  1548. gen_and(b0, b1);
  1549. return b1;
  1550. case LLCSAP_IPX:
  1551. /*
  1552. * Check for;
  1553. *
  1554. * Ethernet_II frames, which are Ethernet
  1555. * frames with a frame type of ETHERTYPE_IPX;
  1556. *
  1557. * Ethernet_802.3 frames, which are 802.3
  1558. * frames (i.e., the type/length field is
  1559. * a length field, <= ETHERMTU, rather than
  1560. * a type field) with the first two bytes
  1561. * after the Ethernet/802.3 header being
  1562. * 0xFFFF;
  1563. *
  1564. * Ethernet_802.2 frames, which are 802.3
  1565. * frames with an 802.2 LLC header and
  1566. * with the IPX LSAP as the DSAP in the LLC
  1567. * header;
  1568. *
  1569. * Ethernet_SNAP frames, which are 802.3
  1570. * frames with an LLC header and a SNAP
  1571. * header and with an OUI of 0x000000
  1572. * (encapsulated Ethernet) and a protocol
  1573. * ID of ETHERTYPE_IPX in the SNAP header.
  1574. *
  1575. * XXX - should we generate the same code both
  1576. * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
  1577. */
  1578. /*
  1579. * This generates code to check both for the
  1580. * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
  1581. */
  1582. b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
  1583. b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
  1584. gen_or(b0, b1);
  1585. /*
  1586. * Now we add code to check for SNAP frames with
  1587. * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
  1588. */
  1589. b0 = gen_snap(0x000000, ETHERTYPE_IPX);
  1590. gen_or(b0, b1);
  1591. /*
  1592. * Now we generate code to check for 802.3
  1593. * frames in general.
  1594. */
  1595. b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
  1596. gen_not(b0);
  1597. /*
  1598. * Now add the check for 802.3 frames before the
  1599. * check for Ethernet_802.2 and Ethernet_802.3,
  1600. * as those checks should only be done on 802.3
  1601. * frames, not on Ethernet frames.
  1602. */
  1603. gen_and(b0, b1);
  1604. /*
  1605. * Now add the check for Ethernet_II frames, and
  1606. * do that before checking for the other frame
  1607. * types.
  1608. */
  1609. b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
  1610. (bpf_int32)ETHERTYPE_IPX);
  1611. gen_or(b0, b1);
  1612. return b1;
  1613. case ETHERTYPE_ATALK:
  1614. case ETHERTYPE_AARP:
  1615. /*
  1616. * EtherTalk (AppleTalk protocols on Ethernet link
  1617. * layer) may use 802.2 encapsulation.
  1618. */
  1619. /*
  1620. * Check for 802.2 encapsulation (EtherTalk phase 2?);
  1621. * we check for an Ethernet type field less than
  1622. * 1500, which means it's an 802.3 length field.
  1623. */
  1624. b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
  1625. gen_not(b0);
  1626. /*
  1627. * 802.2-encapsulated ETHERTYPE_ATALK packets are
  1628. * SNAP packets with an organization code of
  1629. * 0x080007 (Apple, for Appletalk) and a protocol
  1630. * type of ETHERTYPE_ATALK (Appletalk).
  1631. *
  1632. * 802.2-encapsulated ETHERTYPE_AARP packets are
  1633. * SNAP packets with an organization code of
  1634. * 0x000000 (encapsulated Ethernet) and a protocol
  1635. * type of ETHERTYPE_AARP (Appletalk ARP).
  1636. */
  1637. if (proto == ETHERTYPE_ATALK)
  1638. b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
  1639. else /* proto == ETHERTYPE_AARP */
  1640. b1 = gen_snap(0x000000, ETHERTYPE_AARP);
  1641. gen_and(b0, b1);
  1642. /*
  1643. * Check for Ethernet encapsulation (Ethertalk
  1644. * phase 1?); we just check for the Ethernet
  1645. * protocol type.
  1646. */
  1647. b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
  1648. gen_or(b0, b1);
  1649. return b1;
  1650. default:
  1651. if (proto <= ETHERMTU) {
  1652. /*
  1653. * This is an LLC SAP value, so the frames
  1654. * that match would be 802.2 frames.
  1655. * Check that the frame is an 802.2 frame
  1656. * (i.e., that the length/type field is
  1657. * a length field, <= ETHERMTU) and
  1658. * then check the DSAP.
  1659. */
  1660. b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
  1661. gen_not(b0);
  1662. b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
  1663. (bpf_int32)proto);
  1664. gen_and(b0, b1);
  1665. return b1;
  1666. } else {
  1667. /*
  1668. * This is an Ethernet type, so compare
  1669. * the length/type field with it (if
  1670. * the frame is an 802.2 frame, the length
  1671. * field will be <= ETHERMTU, and, as
  1672. * "proto" is > ETHERMTU, this test
  1673. * will fail and the frame won't match,
  1674. * which is what we want).
  1675. */
  1676. return gen_cmp(OR_LINK, off_linktype, BPF_H,
  1677. (bpf_int32)proto);
  1678. }
  1679. }
  1680. }
  1681. /*
  1682. * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
  1683. * or IPv6 then we have an error.
  1684. */
  1685. static struct block *
  1686. gen_ipnet_linktype(proto)
  1687. register int proto;
  1688. {
  1689. switch (proto) {
  1690. case ETHERTYPE_IP:
  1691. return gen_cmp(OR_LINK, off_linktype, BPF_B,
  1692. (bpf_int32)IPH_AF_INET);
  1693. /* NOTREACHED */
  1694. case ETHERTYPE_IPV6:
  1695. return gen_cmp(OR_LINK, off_linktype, BPF_B,
  1696. (bpf_int32)IPH_AF_INET6);
  1697. /* NOTREACHED */
  1698. default:
  1699. break;
  1700. }
  1701. return gen_false();
  1702. }
  1703. /*
  1704. * Generate code to match a particular packet type.
  1705. *
  1706. * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
  1707. * value, if <= ETHERMTU. We use that to determine whether to
  1708. * match the type field or to check the type field for the special
  1709. * LINUX_SLL_P_802_2 value and then do the appropriate test.
  1710. */
  1711. static struct block *
  1712. gen_linux_sll_linktype(proto)
  1713. register int proto;
  1714. {
  1715. struct block *b0, *b1;
  1716. switch (proto) {
  1717. case LLCSAP_ISONS:
  1718. case LLCSAP_IP:
  1719. case LLCSAP_NETBEUI:
  1720. /*
  1721. * OSI protocols and NetBEUI always use 802.2 encapsulation,
  1722. * so we check the DSAP and SSAP.
  1723. *
  1724. * LLCSAP_IP checks for IP-over-802.2, rather
  1725. * than IP-over-Ethernet or IP-over-SNAP.
  1726. *
  1727. * XXX - should we check both the DSAP and the
  1728. * SSAP, like this, or should we check just the
  1729. * DSAP, as we do for other types <= ETHERMTU
  1730. * (i.e., other SAP values)?
  1731. */
  1732. b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
  1733. b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
  1734. ((proto << 8) | proto));
  1735. gen_and(b0, b1);
  1736. return b1;
  1737. case LLCSAP_IPX:
  1738. /*
  1739. * Ethernet_II frames, which are Ethernet
  1740. * frames with a frame type of ETHERTYPE_IPX;
  1741. *
  1742. * Ethernet_802.3 frames, which have a frame
  1743. * type of LINUX_SLL_P_802_3;
  1744. *
  1745. * Ethernet_802.2 frames, which are 802.3
  1746. * frames with an 802.2 LLC header (i.e, have
  1747. * a frame type of LINUX_SLL_P_802_2) and
  1748. * with the IPX LSAP as the DSAP in the LLC
  1749. * header;
  1750. *
  1751. * Ethernet_SNAP frames, which are 802.3
  1752. * frames with an LLC header and a SNAP
  1753. * header and with an OUI of 0x000000
  1754. * (encapsulated Ethernet) and a protocol
  1755. * ID of ETHERTYPE_IPX in the SNAP header.
  1756. *
  1757. * First, do the checks on LINUX_SLL_P_802_2
  1758. * frames; generate the check for either
  1759. * Ethernet_802.2 or Ethernet_SNAP frames, and
  1760. * then put a check for LINUX_SLL_P_…