xref: /freebsd/contrib/libpcap/gencode.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*#define CHASE_CHAIN*/
2 /*
3  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4  *	The Regents of the University of California.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that: (1) source code distributions
8  * retain the above copyright notice and this paragraph in its entirety, (2)
9  * distributions including binary code include the above copyright notice and
10  * this paragraph in its entirety in the documentation or other materials
11  * provided with the distribution, and (3) all advertising materials mentioning
12  * features or use of this software display the following acknowledgement:
13  * ``This product includes software developed by the University of California,
14  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15  * the University nor the names of its contributors may be used to endorse
16  * or promote products derived from this software without specific prior
17  * written permission.
18  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21  *
22  * $FreeBSD$
23  */
24 #ifndef lint
25 static const char rcsid[] _U_ =
26     "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.53 2007/09/12 19:17:24 guy Exp $ (LBL)";
27 #endif
28 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32 
33 #ifdef WIN32
34 #include <pcap-stdinc.h>
35 #else /* WIN32 */
36 #include <sys/types.h>
37 #include <sys/socket.h>
38 #endif /* WIN32 */
39 
40 /*
41  * XXX - why was this included even on UNIX?
42  */
43 #ifdef __MINGW32__
44 #include "IP6_misc.h"
45 #endif
46 
47 #ifndef WIN32
48 
49 #ifdef __NetBSD__
50 #include <sys/param.h>
51 #endif
52 
53 #include <netinet/in.h>
54 
55 #endif /* WIN32 */
56 
57 #include <stdlib.h>
58 #include <string.h>
59 #include <memory.h>
60 #include <setjmp.h>
61 #include <stdarg.h>
62 
63 #ifdef MSDOS
64 #include "pcap-dos.h"
65 #endif
66 
67 #include "pcap-int.h"
68 
69 #include "ethertype.h"
70 #include "nlpid.h"
71 #include "llc.h"
72 #include "gencode.h"
73 #include "atmuni31.h"
74 #include "sunatmpos.h"
75 #include "ppp.h"
76 #include "sll.h"
77 #include "arcnet.h"
78 #ifdef HAVE_NET_PFVAR_H
79 #include <sys/socket.h>
80 #include <net/if.h>
81 #include <net/pfvar.h>
82 #include <net/if_pflog.h>
83 #endif
84 #ifndef offsetof
85 #define offsetof(s, e) ((size_t)&((s *)0)->e)
86 #endif
87 #ifdef INET6
88 #ifndef WIN32
89 #include <netdb.h>	/* for "struct addrinfo" */
90 #endif /* WIN32 */
91 #endif /*INET6*/
92 #include <pcap-namedb.h>
93 
94 #define ETHERMTU	1500
95 
96 #ifndef IPPROTO_SCTP
97 #define IPPROTO_SCTP 132
98 #endif
99 
100 #ifdef HAVE_OS_PROTO_H
101 #include "os-proto.h"
102 #endif
103 
104 #define JMP(c) ((c)|BPF_JMP|BPF_K)
105 
106 /* Locals */
107 static jmp_buf top_ctx;
108 static pcap_t *bpf_pcap;
109 
110 #ifdef WIN32
111 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
112 static u_int	orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
113 #else
114 static u_int	orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
115 #endif
116 
117 /* XXX */
118 #ifdef PCAP_FDDIPAD
119 static int	pcap_fddipad;
120 #endif
121 
122 /* VARARGS */
123 void
124 bpf_error(const char *fmt, ...)
125 {
126 	va_list ap;
127 
128 	va_start(ap, fmt);
129 	if (bpf_pcap != NULL)
130 		(void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
131 		    fmt, ap);
132 	va_end(ap);
133 	longjmp(top_ctx, 1);
134 	/* NOTREACHED */
135 }
136 
137 static void init_linktype(pcap_t *);
138 
139 static int alloc_reg(void);
140 static void free_reg(int);
141 
142 static struct block *root;
143 
144 /*
145  * Value passed to gen_load_a() to indicate what the offset argument
146  * is relative to.
147  */
148 enum e_offrel {
149 	OR_PACKET,	/* relative to the beginning of the packet */
150 	OR_LINK,	/* relative to the link-layer header */
151 	OR_NET,		/* relative to the network-layer header */
152 	OR_NET_NOSNAP,	/* relative to the network-layer header, with no SNAP header at the link layer */
153 	OR_TRAN_IPV4,	/* relative to the transport-layer header, with IPv4 network layer */
154 	OR_TRAN_IPV6	/* relative to the transport-layer header, with IPv6 network layer */
155 };
156 
157 /*
158  * We divy out chunks of memory rather than call malloc each time so
159  * we don't have to worry about leaking memory.  It's probably
160  * not a big deal if all this memory was wasted but if this ever
161  * goes into a library that would probably not be a good idea.
162  *
163  * XXX - this *is* in a library....
164  */
165 #define NCHUNKS 16
166 #define CHUNK0SIZE 1024
167 struct chunk {
168 	u_int n_left;
169 	void *m;
170 };
171 
172 static struct chunk chunks[NCHUNKS];
173 static int cur_chunk;
174 
175 static void *newchunk(u_int);
176 static void freechunks(void);
177 static inline struct block *new_block(int);
178 static inline struct slist *new_stmt(int);
179 static struct block *gen_retblk(int);
180 static inline void syntax(void);
181 
182 static void backpatch(struct block *, struct block *);
183 static void merge(struct block *, struct block *);
184 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
185 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
186 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
187 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
188 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
189 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
190     bpf_u_int32);
191 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
192 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
193     bpf_u_int32, bpf_u_int32, int, bpf_int32);
194 static struct slist *gen_load_llrel(u_int, u_int);
195 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
196 static struct slist *gen_loadx_iphdrlen(void);
197 static struct block *gen_uncond(int);
198 static inline struct block *gen_true(void);
199 static inline struct block *gen_false(void);
200 static struct block *gen_ether_linktype(int);
201 static struct block *gen_linux_sll_linktype(int);
202 static void insert_radiotap_load_llprefixlen(struct block *);
203 static void insert_ppi_load_llprefixlen(struct block *);
204 static void insert_load_llprefixlen(struct block *);
205 static struct slist *gen_llprefixlen(void);
206 static struct block *gen_linktype(int);
207 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
208 static struct block *gen_llc_linktype(int);
209 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
210 #ifdef INET6
211 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
212 #endif
213 static struct block *gen_ahostop(const u_char *, int);
214 static struct block *gen_ehostop(const u_char *, int);
215 static struct block *gen_fhostop(const u_char *, int);
216 static struct block *gen_thostop(const u_char *, int);
217 static struct block *gen_wlanhostop(const u_char *, int);
218 static struct block *gen_ipfchostop(const u_char *, int);
219 static struct block *gen_dnhostop(bpf_u_int32, int);
220 static struct block *gen_mpls_linktype(int);
221 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
222 #ifdef INET6
223 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
224 #endif
225 #ifndef INET6
226 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
227 #endif
228 static struct block *gen_ipfrag(void);
229 static struct block *gen_portatom(int, bpf_int32);
230 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
231 #ifdef INET6
232 static struct block *gen_portatom6(int, bpf_int32);
233 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
234 #endif
235 struct block *gen_portop(int, int, int);
236 static struct block *gen_port(int, int, int);
237 struct block *gen_portrangeop(int, int, int, int);
238 static struct block *gen_portrange(int, int, int, int);
239 #ifdef INET6
240 struct block *gen_portop6(int, int, int);
241 static struct block *gen_port6(int, int, int);
242 struct block *gen_portrangeop6(int, int, int, int);
243 static struct block *gen_portrange6(int, int, int, int);
244 #endif
245 static int lookup_proto(const char *, int);
246 static struct block *gen_protochain(int, int, int);
247 static struct block *gen_proto(int, int, int);
248 static struct slist *xfer_to_x(struct arth *);
249 static struct slist *xfer_to_a(struct arth *);
250 static struct block *gen_mac_multicast(int);
251 static struct block *gen_len(int, int);
252 
253 static struct block *gen_ppi_dlt_check(void);
254 static struct block *gen_msg_abbrev(int type);
255 
256 static void *
257 newchunk(n)
258 	u_int n;
259 {
260 	struct chunk *cp;
261 	int k;
262 	size_t size;
263 
264 #ifndef __NetBSD__
265 	/* XXX Round up to nearest long. */
266 	n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
267 #else
268 	/* XXX Round up to structure boundary. */
269 	n = ALIGN(n);
270 #endif
271 
272 	cp = &chunks[cur_chunk];
273 	if (n > cp->n_left) {
274 		++cp, k = ++cur_chunk;
275 		if (k >= NCHUNKS)
276 			bpf_error("out of memory");
277 		size = CHUNK0SIZE << k;
278 		cp->m = (void *)malloc(size);
279 		if (cp->m == NULL)
280 			bpf_error("out of memory");
281 		memset((char *)cp->m, 0, size);
282 		cp->n_left = size;
283 		if (n > size)
284 			bpf_error("out of memory");
285 	}
286 	cp->n_left -= n;
287 	return (void *)((char *)cp->m + cp->n_left);
288 }
289 
290 static void
291 freechunks()
292 {
293 	int i;
294 
295 	cur_chunk = 0;
296 	for (i = 0; i < NCHUNKS; ++i)
297 		if (chunks[i].m != NULL) {
298 			free(chunks[i].m);
299 			chunks[i].m = NULL;
300 		}
301 }
302 
303 /*
304  * A strdup whose allocations are freed after code generation is over.
305  */
306 char *
307 sdup(s)
308 	register const char *s;
309 {
310 	int n = strlen(s) + 1;
311 	char *cp = newchunk(n);
312 
313 	strlcpy(cp, s, n);
314 	return (cp);
315 }
316 
317 static inline struct block *
318 new_block(code)
319 	int code;
320 {
321 	struct block *p;
322 
323 	p = (struct block *)newchunk(sizeof(*p));
324 	p->s.code = code;
325 	p->head = p;
326 
327 	return p;
328 }
329 
330 static inline struct slist *
331 new_stmt(code)
332 	int code;
333 {
334 	struct slist *p;
335 
336 	p = (struct slist *)newchunk(sizeof(*p));
337 	p->s.code = code;
338 
339 	return p;
340 }
341 
342 static struct block *
343 gen_retblk(v)
344 	int v;
345 {
346 	struct block *b = new_block(BPF_RET|BPF_K);
347 
348 	b->s.k = v;
349 	return b;
350 }
351 
352 static inline void
353 syntax()
354 {
355 	bpf_error("syntax error in filter expression");
356 }
357 
358 static bpf_u_int32 netmask;
359 static int snaplen;
360 int no_optimize;
361 
362 int
363 pcap_compile(pcap_t *p, struct bpf_program *program,
364 	     const char *buf, int optimize, bpf_u_int32 mask)
365 {
366 	extern int n_errors;
367 	const char * volatile xbuf = buf;
368 	int len;
369 
370 	no_optimize = 0;
371 	n_errors = 0;
372 	root = NULL;
373 	bpf_pcap = p;
374 	if (setjmp(top_ctx)) {
375 		lex_cleanup();
376 		freechunks();
377 		return (-1);
378 	}
379 
380 	netmask = mask;
381 
382 	snaplen = pcap_snapshot(p);
383 	if (snaplen == 0) {
384 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
385 			 "snaplen of 0 rejects all packets");
386 		return -1;
387 	}
388 
389 	lex_init(xbuf ? xbuf : "");
390 	init_linktype(p);
391 	(void)pcap_parse();
392 
393 	if (n_errors)
394 		syntax();
395 
396 	if (root == NULL)
397 		root = gen_retblk(snaplen);
398 
399 	if (optimize && !no_optimize) {
400 		bpf_optimize(&root);
401 		if (root == NULL ||
402 		    (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
403 			bpf_error("expression rejects all packets");
404 	}
405 	program->bf_insns = icode_to_fcode(root, &len);
406 	program->bf_len = len;
407 
408 	lex_cleanup();
409 	freechunks();
410 	return (0);
411 }
412 
413 /*
414  * entry point for using the compiler with no pcap open
415  * pass in all the stuff that is needed explicitly instead.
416  */
417 int
418 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
419 		    struct bpf_program *program,
420 	     const char *buf, int optimize, bpf_u_int32 mask)
421 {
422 	pcap_t *p;
423 	int ret;
424 
425 	p = pcap_open_dead(linktype_arg, snaplen_arg);
426 	if (p == NULL)
427 		return (-1);
428 	ret = pcap_compile(p, program, buf, optimize, mask);
429 	pcap_close(p);
430 	return (ret);
431 }
432 
433 /*
434  * Clean up a "struct bpf_program" by freeing all the memory allocated
435  * in it.
436  */
437 void
438 pcap_freecode(struct bpf_program *program)
439 {
440 	program->bf_len = 0;
441 	if (program->bf_insns != NULL) {
442 		free((char *)program->bf_insns);
443 		program->bf_insns = NULL;
444 	}
445 }
446 
447 /*
448  * Backpatch the blocks in 'list' to 'target'.  The 'sense' field indicates
449  * which of the jt and jf fields has been resolved and which is a pointer
450  * back to another unresolved block (or nil).  At least one of the fields
451  * in each block is already resolved.
452  */
453 static void
454 backpatch(list, target)
455 	struct block *list, *target;
456 {
457 	struct block *next;
458 
459 	while (list) {
460 		if (!list->sense) {
461 			next = JT(list);
462 			JT(list) = target;
463 		} else {
464 			next = JF(list);
465 			JF(list) = target;
466 		}
467 		list = next;
468 	}
469 }
470 
471 /*
472  * Merge the lists in b0 and b1, using the 'sense' field to indicate
473  * which of jt and jf is the link.
474  */
475 static void
476 merge(b0, b1)
477 	struct block *b0, *b1;
478 {
479 	register struct block **p = &b0;
480 
481 	/* Find end of list. */
482 	while (*p)
483 		p = !((*p)->sense) ? &JT(*p) : &JF(*p);
484 
485 	/* Concatenate the lists. */
486 	*p = b1;
487 }
488 
489 
490 void
491 finish_parse(p)
492 	struct block *p;
493 {
494 	struct block *ppi_dlt_check;
495 
496 	ppi_dlt_check = gen_ppi_dlt_check();
497 
498 	if (ppi_dlt_check != NULL)
499 	{
500 		gen_and(ppi_dlt_check, p);
501 	}
502 
503 	backpatch(p, gen_retblk(snaplen));
504 	p->sense = !p->sense;
505 	backpatch(p, gen_retblk(0));
506 	root = p->head;
507 
508 	/*
509 	 * Insert before the statements of the first (root) block any
510 	 * statements needed to load the lengths of any variable-length
511 	 * headers into registers.
512 	 *
513 	 * XXX - a fancier strategy would be to insert those before the
514 	 * statements of all blocks that use those lengths and that
515 	 * have no predecessors that use them, so that we only compute
516 	 * the lengths if we need them.  There might be even better
517 	 * approaches than that.  However, as we're currently only
518 	 * handling variable-length radiotap headers, and as all
519 	 * filtering expressions other than raw link[M:N] tests
520 	 * require the length of that header, doing more for that
521 	 * header length isn't really worth the effort.
522 	 */
523 
524 	insert_load_llprefixlen(root);
525 }
526 
527 void
528 gen_and(b0, b1)
529 	struct block *b0, *b1;
530 {
531 	backpatch(b0, b1->head);
532 	b0->sense = !b0->sense;
533 	b1->sense = !b1->sense;
534 	merge(b1, b0);
535 	b1->sense = !b1->sense;
536 	b1->head = b0->head;
537 }
538 
539 void
540 gen_or(b0, b1)
541 	struct block *b0, *b1;
542 {
543 	b0->sense = !b0->sense;
544 	backpatch(b0, b1->head);
545 	b0->sense = !b0->sense;
546 	merge(b1, b0);
547 	b1->head = b0->head;
548 }
549 
550 void
551 gen_not(b)
552 	struct block *b;
553 {
554 	b->sense = !b->sense;
555 }
556 
557 static struct block *
558 gen_cmp(offrel, offset, size, v)
559 	enum e_offrel offrel;
560 	u_int offset, size;
561 	bpf_int32 v;
562 {
563 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
564 }
565 
566 static struct block *
567 gen_cmp_gt(offrel, offset, size, v)
568 	enum e_offrel offrel;
569 	u_int offset, size;
570 	bpf_int32 v;
571 {
572 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
573 }
574 
575 static struct block *
576 gen_cmp_ge(offrel, offset, size, v)
577 	enum e_offrel offrel;
578 	u_int offset, size;
579 	bpf_int32 v;
580 {
581 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
582 }
583 
584 static struct block *
585 gen_cmp_lt(offrel, offset, size, v)
586 	enum e_offrel offrel;
587 	u_int offset, size;
588 	bpf_int32 v;
589 {
590 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
591 }
592 
593 static struct block *
594 gen_cmp_le(offrel, offset, size, v)
595 	enum e_offrel offrel;
596 	u_int offset, size;
597 	bpf_int32 v;
598 {
599 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
600 }
601 
602 static struct block *
603 gen_mcmp(offrel, offset, size, v, mask)
604 	enum e_offrel offrel;
605 	u_int offset, size;
606 	bpf_int32 v;
607 	bpf_u_int32 mask;
608 {
609 	return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
610 }
611 
612 static struct block *
613 gen_bcmp(offrel, offset, size, v)
614 	enum e_offrel offrel;
615 	register u_int offset, size;
616 	register const u_char *v;
617 {
618 	register struct block *b, *tmp;
619 
620 	b = NULL;
621 	while (size >= 4) {
622 		register const u_char *p = &v[size - 4];
623 		bpf_int32 w = ((bpf_int32)p[0] << 24) |
624 		    ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
625 
626 		tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
627 		if (b != NULL)
628 			gen_and(b, tmp);
629 		b = tmp;
630 		size -= 4;
631 	}
632 	while (size >= 2) {
633 		register const u_char *p = &v[size - 2];
634 		bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
635 
636 		tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
637 		if (b != NULL)
638 			gen_and(b, tmp);
639 		b = tmp;
640 		size -= 2;
641 	}
642 	if (size > 0) {
643 		tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
644 		if (b != NULL)
645 			gen_and(b, tmp);
646 		b = tmp;
647 	}
648 	return b;
649 }
650 
651 /*
652  * AND the field of size "size" at offset "offset" relative to the header
653  * specified by "offrel" with "mask", and compare it with the value "v"
654  * with the test specified by "jtype"; if "reverse" is true, the test
655  * should test the opposite of "jtype".
656  */
657 static struct block *
658 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
659 	enum e_offrel offrel;
660 	bpf_int32 v;
661 	bpf_u_int32 offset, size, mask, jtype;
662 	int reverse;
663 {
664 	struct slist *s, *s2;
665 	struct block *b;
666 
667 	s = gen_load_a(offrel, offset, size);
668 
669 	if (mask != 0xffffffff) {
670 		s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
671 		s2->s.k = mask;
672 		sappend(s, s2);
673 	}
674 
675 	b = new_block(JMP(jtype));
676 	b->stmts = s;
677 	b->s.k = v;
678 	if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
679 		gen_not(b);
680 	return b;
681 }
682 
683 /*
684  * Various code constructs need to know the layout of the data link
685  * layer.  These variables give the necessary offsets from the beginning
686  * of the packet data.
687  *
688  * If the link layer has variable_length headers, the offsets are offsets
689  * from the end of the link-link-layer header, and "reg_ll_size" is
690  * the register number for a register containing the length of the
691  * link-layer header.  Otherwise, "reg_ll_size" is -1.
692  */
693 static int reg_ll_size;
694 
695 /*
696  * This is the offset of the beginning of the link-layer header from
697  * the beginning of the raw packet data.
698  *
699  * It's usually 0, except for 802.11 with a fixed-length radio header.
700  * (For 802.11 with a variable-length radio header, we have to generate
701  * code to compute that offset; off_ll is 0 in that case.)
702  */
703 static u_int off_ll;
704 
705 /*
706  * This is the offset of the beginning of the MAC-layer header.
707  * It's usually 0, except for ATM LANE, where it's the offset, relative
708  * to the beginning of the raw packet data, of the Ethernet header.
709  */
710 static u_int off_mac;
711 
712 /*
713  * "off_linktype" is the offset to information in the link-layer header
714  * giving the packet type.  This offset is relative to the beginning
715  * of the link-layer header (i.e., it doesn't include off_ll).
716  *
717  * For Ethernet, it's the offset of the Ethernet type field.
718  *
719  * For link-layer types that always use 802.2 headers, it's the
720  * offset of the LLC header.
721  *
722  * For PPP, it's the offset of the PPP type field.
723  *
724  * For Cisco HDLC, it's the offset of the CHDLC type field.
725  *
726  * For BSD loopback, it's the offset of the AF_ value.
727  *
728  * For Linux cooked sockets, it's the offset of the type field.
729  *
730  * It's set to -1 for no encapsulation, in which case, IP is assumed.
731  */
732 static u_int off_linktype;
733 
734 /*
735  * TRUE if the link layer includes an ATM pseudo-header.
736  */
737 static int is_atm = 0;
738 
739 /*
740  * TRUE if "lane" appeared in the filter; it causes us to generate
741  * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
742  */
743 static int is_lane = 0;
744 
745 /*
746  * These are offsets for the ATM pseudo-header.
747  */
748 static u_int off_vpi;
749 static u_int off_vci;
750 static u_int off_proto;
751 
752 /*
753  * These are offsets for the MTP2 fields.
754  */
755 static u_int off_li;
756 
757 /*
758  * These are offsets for the MTP3 fields.
759  */
760 static u_int off_sio;
761 static u_int off_opc;
762 static u_int off_dpc;
763 static u_int off_sls;
764 
765 /*
766  * This is the offset of the first byte after the ATM pseudo_header,
767  * or -1 if there is no ATM pseudo-header.
768  */
769 static u_int off_payload;
770 
771 /*
772  * These are offsets to the beginning of the network-layer header.
773  * They are relative to the beginning of the link-layer header (i.e.,
774  * they don't include off_ll).
775  *
776  * If the link layer never uses 802.2 LLC:
777  *
778  *	"off_nl" and "off_nl_nosnap" are the same.
779  *
780  * If the link layer always uses 802.2 LLC:
781  *
782  *	"off_nl" is the offset if there's a SNAP header following
783  *	the 802.2 header;
784  *
785  *	"off_nl_nosnap" is the offset if there's no SNAP header.
786  *
787  * If the link layer is Ethernet:
788  *
789  *	"off_nl" is the offset if the packet is an Ethernet II packet
790  *	(we assume no 802.3+802.2+SNAP);
791  *
792  *	"off_nl_nosnap" is the offset if the packet is an 802.3 packet
793  *	with an 802.2 header following it.
794  */
795 static u_int off_nl;
796 static u_int off_nl_nosnap;
797 
798 static int linktype;
799 
800 static void
801 init_linktype(p)
802 	pcap_t *p;
803 {
804 	linktype = pcap_datalink(p);
805 #ifdef PCAP_FDDIPAD
806 	pcap_fddipad = p->fddipad;
807 #endif
808 
809 	/*
810 	 * Assume it's not raw ATM with a pseudo-header, for now.
811 	 */
812 	off_mac = 0;
813 	is_atm = 0;
814 	is_lane = 0;
815 	off_vpi = -1;
816 	off_vci = -1;
817 	off_proto = -1;
818 	off_payload = -1;
819 
820 	/*
821 	 * And assume we're not doing SS7.
822 	 */
823 	off_li = -1;
824 	off_sio = -1;
825 	off_opc = -1;
826 	off_dpc = -1;
827 	off_sls = -1;
828 
829 	/*
830 	 * Also assume it's not 802.11 with a fixed-length radio header.
831 	 */
832 	off_ll = 0;
833 
834 	orig_linktype = -1;
835 	orig_nl = -1;
836         label_stack_depth = 0;
837 
838 	reg_ll_size = -1;
839 
840 	switch (linktype) {
841 
842 	case DLT_ARCNET:
843 		off_linktype = 2;
844 		off_nl = 6;		/* XXX in reality, variable! */
845 		off_nl_nosnap = 6;	/* no 802.2 LLC */
846 		return;
847 
848 	case DLT_ARCNET_LINUX:
849 		off_linktype = 4;
850 		off_nl = 8;		/* XXX in reality, variable! */
851 		off_nl_nosnap = 8;	/* no 802.2 LLC */
852 		return;
853 
854 	case DLT_EN10MB:
855 		off_linktype = 12;
856 		off_nl = 14;		/* Ethernet II */
857 		off_nl_nosnap = 17;	/* 802.3+802.2 */
858 		return;
859 
860 	case DLT_SLIP:
861 		/*
862 		 * SLIP doesn't have a link level type.  The 16 byte
863 		 * header is hacked into our SLIP driver.
864 		 */
865 		off_linktype = -1;
866 		off_nl = 16;
867 		off_nl_nosnap = 16;	/* no 802.2 LLC */
868 		return;
869 
870 	case DLT_SLIP_BSDOS:
871 		/* XXX this may be the same as the DLT_PPP_BSDOS case */
872 		off_linktype = -1;
873 		/* XXX end */
874 		off_nl = 24;
875 		off_nl_nosnap = 24;	/* no 802.2 LLC */
876 		return;
877 
878 	case DLT_NULL:
879 	case DLT_LOOP:
880 		off_linktype = 0;
881 		off_nl = 4;
882 		off_nl_nosnap = 4;	/* no 802.2 LLC */
883 		return;
884 
885 	case DLT_ENC:
886 		off_linktype = 0;
887 		off_nl = 12;
888 		off_nl_nosnap = 12;	/* no 802.2 LLC */
889 		return;
890 
891 	case DLT_PPP:
892 	case DLT_PPP_PPPD:
893 	case DLT_C_HDLC:		/* BSD/OS Cisco HDLC */
894 	case DLT_PPP_SERIAL:		/* NetBSD sync/async serial PPP */
895 		off_linktype = 2;
896 		off_nl = 4;
897 		off_nl_nosnap = 4;	/* no 802.2 LLC */
898 		return;
899 
900 	case DLT_PPP_ETHER:
901 		/*
902 		 * This does no include the Ethernet header, and
903 		 * only covers session state.
904 		 */
905 		off_linktype = 6;
906 		off_nl = 8;
907 		off_nl_nosnap = 8;	/* no 802.2 LLC */
908 		return;
909 
910 	case DLT_PPP_BSDOS:
911 		off_linktype = 5;
912 		off_nl = 24;
913 		off_nl_nosnap = 24;	/* no 802.2 LLC */
914 		return;
915 
916 	case DLT_FDDI:
917 		/*
918 		 * FDDI doesn't really have a link-level type field.
919 		 * We set "off_linktype" to the offset of the LLC header.
920 		 *
921 		 * To check for Ethernet types, we assume that SSAP = SNAP
922 		 * is being used and pick out the encapsulated Ethernet type.
923 		 * XXX - should we generate code to check for SNAP?
924 		 */
925 		off_linktype = 13;
926 #ifdef PCAP_FDDIPAD
927 		off_linktype += pcap_fddipad;
928 #endif
929 		off_nl = 21;		/* FDDI+802.2+SNAP */
930 		off_nl_nosnap = 16;	/* FDDI+802.2 */
931 #ifdef PCAP_FDDIPAD
932 		off_nl += pcap_fddipad;
933 		off_nl_nosnap += pcap_fddipad;
934 #endif
935 		return;
936 
937 	case DLT_IEEE802:
938 		/*
939 		 * Token Ring doesn't really have a link-level type field.
940 		 * We set "off_linktype" to the offset of the LLC header.
941 		 *
942 		 * To check for Ethernet types, we assume that SSAP = SNAP
943 		 * is being used and pick out the encapsulated Ethernet type.
944 		 * XXX - should we generate code to check for SNAP?
945 		 *
946 		 * XXX - the header is actually variable-length.
947 		 * Some various Linux patched versions gave 38
948 		 * as "off_linktype" and 40 as "off_nl"; however,
949 		 * if a token ring packet has *no* routing
950 		 * information, i.e. is not source-routed, the correct
951 		 * values are 20 and 22, as they are in the vanilla code.
952 		 *
953 		 * A packet is source-routed iff the uppermost bit
954 		 * of the first byte of the source address, at an
955 		 * offset of 8, has the uppermost bit set.  If the
956 		 * packet is source-routed, the total number of bytes
957 		 * of routing information is 2 plus bits 0x1F00 of
958 		 * the 16-bit value at an offset of 14 (shifted right
959 		 * 8 - figure out which byte that is).
960 		 */
961 		off_linktype = 14;
962 		off_nl = 22;		/* Token Ring+802.2+SNAP */
963 		off_nl_nosnap = 17;	/* Token Ring+802.2 */
964 		return;
965 
966 	case DLT_IEEE802_11:
967 		/*
968 		 * 802.11 doesn't really have a link-level type field.
969 		 * We set "off_linktype" to the offset of the LLC header.
970 		 *
971 		 * To check for Ethernet types, we assume that SSAP = SNAP
972 		 * is being used and pick out the encapsulated Ethernet type.
973 		 * XXX - should we generate code to check for SNAP?
974 		 *
975 		 * XXX - the header is actually variable-length.  We
976 		 * assume a 24-byte link-layer header, as appears in
977 		 * data frames in networks with no bridges.  If the
978 		 * fromds and tods 802.11 header bits are both set,
979 		 * it's actually supposed to be 30 bytes.
980 		 */
981 		off_linktype = 24;
982 		off_nl = 32;		/* 802.11+802.2+SNAP */
983 		off_nl_nosnap = 27;	/* 802.11+802.2 */
984 		return;
985 
986 	case DLT_PRISM_HEADER:
987 		/*
988 		 * Same as 802.11, but with an additional header before
989 		 * the 802.11 header, containing a bunch of additional
990 		 * information including radio-level information.
991 		 *
992 		 * The header is 144 bytes long.
993 		 *
994 		 * XXX - same variable-length header problem; at least
995 		 * the Prism header is fixed-length.
996 		 */
997 		off_ll = 144;
998 		off_linktype = 24;
999 		off_nl = 32;	/* Prism+802.11+802.2+SNAP */
1000 		off_nl_nosnap = 27;	/* Prism+802.11+802.2 */
1001 		return;
1002 
1003 	case DLT_IEEE802_11_RADIO_AVS:
1004 		/*
1005 		 * Same as 802.11, but with an additional header before
1006 		 * the 802.11 header, containing a bunch of additional
1007 		 * information including radio-level information.
1008 		 *
1009 		 * The header is 64 bytes long, at least in its
1010 		 * current incarnation.
1011 		 *
1012 		 * XXX - same variable-length header problem, only
1013 		 * more so; this header is also variable-length,
1014 		 * with the length being the 32-bit big-endian
1015 		 * number at an offset of 4 from the beginning
1016 		 * of the radio header.  We should handle that the
1017 		 * same way we handle the length at the beginning
1018 		 * of the radiotap header.
1019 		 *
1020 		 * XXX - in Linux, do any drivers that supply an AVS
1021 		 * header supply a link-layer type other than
1022 		 * ARPHRD_IEEE80211_PRISM?  If so, we should map that
1023 		 * to DLT_IEEE802_11_RADIO_AVS; if not, or if there are
1024 		 * any drivers that supply an AVS header but supply
1025 		 * an ARPHRD value of ARPHRD_IEEE80211_PRISM, we'll
1026 		 * have to check the header in the generated code to
1027 		 * determine whether it's Prism or AVS.
1028 		 */
1029 		off_ll = 64;
1030 		off_linktype = 24;
1031 		off_nl = 32;		/* Radio+802.11+802.2+SNAP */
1032 		off_nl_nosnap = 27;	/* Radio+802.11+802.2 */
1033 		return;
1034 
1035 
1036 		/*
1037 		 * At the moment we treat PPI as normal Radiotap encoded
1038 		 * packets. The difference is in the function that generates
1039 		 * the code at the beginning to compute the header length.
1040 		 * Since this code generator of PPI supports bare 802.11
1041 		 * encapsulation only (i.e. the encapsulated DLT should be
1042 		 * DLT_IEEE802_11) we generate code to check for this too.
1043 		 */
1044 	case DLT_PPI:
1045 	case DLT_IEEE802_11_RADIO:
1046 		/*
1047 		 * Same as 802.11, but with an additional header before
1048 		 * the 802.11 header, containing a bunch of additional
1049 		 * information including radio-level information.
1050 		 *
1051 		 * The radiotap header is variable length, and we
1052 		 * generate code to compute its length and store it
1053 		 * in a register.  These offsets are relative to the
1054 		 * beginning of the 802.11 header.
1055 		 */
1056 		off_linktype = 24;
1057 		off_nl = 32;		/* 802.11+802.2+SNAP */
1058 		off_nl_nosnap = 27;	/* 802.11+802.2 */
1059 		return;
1060 
1061 	case DLT_ATM_RFC1483:
1062 	case DLT_ATM_CLIP:	/* Linux ATM defines this */
1063 		/*
1064 		 * assume routed, non-ISO PDUs
1065 		 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1066 		 *
1067 		 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1068 		 * or PPP with the PPP NLPID (e.g., PPPoA)?  The
1069 		 * latter would presumably be treated the way PPPoE
1070 		 * should be, so you can do "pppoe and udp port 2049"
1071 		 * or "pppoa and tcp port 80" and have it check for
1072 		 * PPPo{A,E} and a PPP protocol of IP and....
1073 		 */
1074 		off_linktype = 0;
1075 		off_nl = 8;		/* 802.2+SNAP */
1076 		off_nl_nosnap = 3;	/* 802.2 */
1077 		return;
1078 
1079 	case DLT_SUNATM:
1080 		/*
1081 		 * Full Frontal ATM; you get AALn PDUs with an ATM
1082 		 * pseudo-header.
1083 		 */
1084 		is_atm = 1;
1085 		off_vpi = SUNATM_VPI_POS;
1086 		off_vci = SUNATM_VCI_POS;
1087 		off_proto = PROTO_POS;
1088 		off_mac = -1;	/* LLC-encapsulated, so no MAC-layer header */
1089 		off_payload = SUNATM_PKT_BEGIN_POS;
1090 		off_linktype = off_payload;
1091 		off_nl = off_payload+8;		/* 802.2+SNAP */
1092 		off_nl_nosnap = off_payload+3;	/* 802.2 */
1093 		return;
1094 
1095 	case DLT_RAW:
1096 		off_linktype = -1;
1097 		off_nl = 0;
1098 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1099 		return;
1100 
1101 	case DLT_LINUX_SLL:	/* fake header for Linux cooked socket */
1102 		off_linktype = 14;
1103 		off_nl = 16;
1104 		off_nl_nosnap = 16;	/* no 802.2 LLC */
1105 		return;
1106 
1107 	case DLT_LTALK:
1108 		/*
1109 		 * LocalTalk does have a 1-byte type field in the LLAP header,
1110 		 * but really it just indicates whether there is a "short" or
1111 		 * "long" DDP packet following.
1112 		 */
1113 		off_linktype = -1;
1114 		off_nl = 0;
1115 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1116 		return;
1117 
1118 	case DLT_IP_OVER_FC:
1119 		/*
1120 		 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1121 		 * link-level type field.  We set "off_linktype" to the
1122 		 * offset of the LLC header.
1123 		 *
1124 		 * To check for Ethernet types, we assume that SSAP = SNAP
1125 		 * is being used and pick out the encapsulated Ethernet type.
1126 		 * XXX - should we generate code to check for SNAP? RFC
1127 		 * 2625 says SNAP should be used.
1128 		 */
1129 		off_linktype = 16;
1130 		off_nl = 24;		/* IPFC+802.2+SNAP */
1131 		off_nl_nosnap = 19;	/* IPFC+802.2 */
1132 		return;
1133 
1134 	case DLT_FRELAY:
1135 		/*
1136 		 * XXX - we should set this to handle SNAP-encapsulated
1137 		 * frames (NLPID of 0x80).
1138 		 */
1139 		off_linktype = -1;
1140 		off_nl = 0;
1141 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1142 		return;
1143 
1144                 /*
1145                  * the only BPF-interesting FRF.16 frames are non-control frames;
1146                  * Frame Relay has a variable length link-layer
1147                  * so lets start with offset 4 for now and increments later on (FIXME);
1148                  */
1149 	case DLT_MFR:
1150 		off_linktype = -1;
1151 		off_nl = 4;
1152 		off_nl_nosnap = 0;	/* XXX - for now -> no 802.2 LLC */
1153 		return;
1154 
1155 	case DLT_APPLE_IP_OVER_IEEE1394:
1156 		off_linktype = 16;
1157 		off_nl = 18;
1158 		off_nl_nosnap = 18;	/* no 802.2 LLC */
1159 		return;
1160 
1161 	case DLT_LINUX_IRDA:
1162 		/*
1163 		 * Currently, only raw "link[N:M]" filtering is supported.
1164 		 */
1165 		off_linktype = -1;
1166 		off_nl = -1;
1167 		off_nl_nosnap = -1;
1168 		return;
1169 
1170 	case DLT_DOCSIS:
1171 		/*
1172 		 * Currently, only raw "link[N:M]" filtering is supported.
1173 		 */
1174 		off_linktype = -1;
1175 		off_nl = -1;
1176 		off_nl_nosnap = -1;
1177 		return;
1178 
1179 	case DLT_SYMANTEC_FIREWALL:
1180 		off_linktype = 6;
1181 		off_nl = 44;		/* Ethernet II */
1182 		off_nl_nosnap = 44;	/* XXX - what does it do with 802.3 packets? */
1183 		return;
1184 
1185 #ifdef HAVE_NET_PFVAR_H
1186 	case DLT_PFLOG:
1187 		off_linktype = 0;
1188 		off_nl = PFLOG_HDRLEN;
1189 		off_nl_nosnap = PFLOG_HDRLEN;	/* no 802.2 LLC */
1190 		return;
1191 #endif
1192 
1193         case DLT_JUNIPER_MFR:
1194         case DLT_JUNIPER_MLFR:
1195         case DLT_JUNIPER_MLPPP:
1196         case DLT_JUNIPER_PPP:
1197         case DLT_JUNIPER_CHDLC:
1198         case DLT_JUNIPER_FRELAY:
1199                 off_linktype = 4;
1200 		off_nl = 4;
1201 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1202                 return;
1203 
1204 	case DLT_JUNIPER_ATM1:
1205 		off_linktype = 4; /* in reality variable between 4-8 */
1206 		off_nl = 4;
1207 		off_nl_nosnap = 14;
1208 		return;
1209 
1210 	case DLT_JUNIPER_ATM2:
1211 		off_linktype = 8; /* in reality variable between 8-12 */
1212 		off_nl = 8;
1213 		off_nl_nosnap = 18;
1214 		return;
1215 
1216 		/* frames captured on a Juniper PPPoE service PIC
1217 		 * contain raw ethernet frames */
1218 	case DLT_JUNIPER_PPPOE:
1219         case DLT_JUNIPER_ETHER:
1220 		off_linktype = 16;
1221 		off_nl = 18;		/* Ethernet II */
1222 		off_nl_nosnap = 21;	/* 802.3+802.2 */
1223 		return;
1224 
1225 	case DLT_JUNIPER_PPPOE_ATM:
1226 		off_linktype = 4;
1227 		off_nl = 6;
1228 		off_nl_nosnap = -1;	 /* no 802.2 LLC */
1229 		return;
1230 
1231 	case DLT_JUNIPER_GGSN:
1232 		off_linktype = 6;
1233 		off_nl = 12;
1234 		off_nl_nosnap = -1;	 /* no 802.2 LLC */
1235 		return;
1236 
1237 	case DLT_JUNIPER_ES:
1238 		off_linktype = 6;
1239 		off_nl = -1;		/* not really a network layer but raw IP adresses */
1240 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1241 		return;
1242 
1243 	case DLT_JUNIPER_MONITOR:
1244 		off_linktype = 12;
1245 		off_nl = 12;		/* raw IP/IP6 header */
1246 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1247 		return;
1248 
1249 	case DLT_JUNIPER_SERVICES:
1250 		off_linktype = 12;
1251 		off_nl = -1;		/* L3 proto location dep. on cookie type */
1252 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1253 		return;
1254 
1255 	case DLT_JUNIPER_VP:
1256 		off_linktype = 18;
1257 		off_nl = -1;
1258 		off_nl_nosnap = -1;
1259 		return;
1260 
1261 	case DLT_MTP2:
1262 		off_li = 2;
1263 		off_sio = 3;
1264 		off_opc = 4;
1265 		off_dpc = 4;
1266 		off_sls = 7;
1267 		off_linktype = -1;
1268 		off_nl = -1;
1269 		off_nl_nosnap = -1;
1270 		return;
1271 
1272 	case DLT_MTP2_WITH_PHDR:
1273 		off_li = 6;
1274 		off_sio = 7;
1275 		off_opc = 8;
1276 		off_dpc = 8;
1277 		off_sls = 11;
1278 		off_linktype = -1;
1279 		off_nl = -1;
1280 		off_nl_nosnap = -1;
1281 		return;
1282 
1283 #ifdef DLT_PFSYNC
1284 	case DLT_PFSYNC:
1285 		off_linktype = -1;
1286 		off_nl = 4;
1287 		off_nl_nosnap = 4;
1288 		return;
1289 #endif
1290 
1291 	case DLT_LINUX_LAPD:
1292 		/*
1293 		 * Currently, only raw "link[N:M]" filtering is supported.
1294 		 */
1295 		off_linktype = -1;
1296 		off_nl = -1;
1297 		off_nl_nosnap = -1;
1298 		return;
1299 
1300 	case DLT_USB:
1301 		/*
1302 		 * Currently, only raw "link[N:M]" filtering is supported.
1303 		 */
1304 		off_linktype = -1;
1305 		off_nl = -1;
1306 		off_nl_nosnap = -1;
1307 		return;
1308 
1309 	case DLT_BLUETOOTH_HCI_H4:
1310 		/*
1311 		 * Currently, only raw "link[N:M]" filtering is supported.
1312 		 */
1313 		off_linktype = -1;
1314 		off_nl = -1;
1315 		off_nl_nosnap = -1;
1316 		return;
1317 	}
1318 	bpf_error("unknown data link type %d", linktype);
1319 	/* NOTREACHED */
1320 }
1321 
1322 /*
1323  * Load a value relative to the beginning of the link-layer header.
1324  * The link-layer header doesn't necessarily begin at the beginning
1325  * of the packet data; there might be a variable-length prefix containing
1326  * radio information.
1327  */
1328 static struct slist *
1329 gen_load_llrel(offset, size)
1330 	u_int offset, size;
1331 {
1332 	struct slist *s, *s2;
1333 
1334 	s = gen_llprefixlen();
1335 
1336 	/*
1337 	 * If "s" is non-null, it has code to arrange that the X register
1338 	 * contains the length of the prefix preceding the link-layer
1339 	 * header.
1340 	 *
1341 	 * Otherwise, the length of the prefix preceding the link-layer
1342 	 * header is "off_ll".
1343 	 */
1344 	if (s != NULL) {
1345 		/*
1346 		 * There's a variable-length prefix preceding the
1347 		 * link-layer header.  "s" points to a list of statements
1348 		 * that put the length of that prefix into the X register.
1349 		 * do an indirect load, to use the X register as an offset.
1350 		 */
1351 		s2 = new_stmt(BPF_LD|BPF_IND|size);
1352 		s2->s.k = offset;
1353 		sappend(s, s2);
1354 	} else {
1355 		/*
1356 		 * There is no variable-length header preceding the
1357 		 * link-layer header; add in off_ll, which, if there's
1358 		 * a fixed-length header preceding the link-layer header,
1359 		 * is the length of that header.
1360 		 */
1361 		s = new_stmt(BPF_LD|BPF_ABS|size);
1362 		s->s.k = offset + off_ll;
1363 	}
1364 	return s;
1365 }
1366 
1367 
1368 /*
1369  * Load a value relative to the beginning of the specified header.
1370  */
1371 static struct slist *
1372 gen_load_a(offrel, offset, size)
1373 	enum e_offrel offrel;
1374 	u_int offset, size;
1375 {
1376 	struct slist *s, *s2;
1377 
1378 	switch (offrel) {
1379 
1380 	case OR_PACKET:
1381                 s = new_stmt(BPF_LD|BPF_ABS|size);
1382                 s->s.k = offset;
1383 		break;
1384 
1385 	case OR_LINK:
1386 		s = gen_load_llrel(offset, size);
1387 		break;
1388 
1389 	case OR_NET:
1390 		s = gen_load_llrel(off_nl + offset, size);
1391 		break;
1392 
1393 	case OR_NET_NOSNAP:
1394 		s = gen_load_llrel(off_nl_nosnap + offset, size);
1395 		break;
1396 
1397 	case OR_TRAN_IPV4:
1398 		/*
1399 		 * Load the X register with the length of the IPv4 header
1400 		 * (plus the offset of the link-layer header, if it's
1401 		 * preceded by a variable-length header such as a radio
1402 		 * header), in bytes.
1403 		 */
1404 		s = gen_loadx_iphdrlen();
1405 
1406 		/*
1407 		 * Load the item at {offset of the link-layer header} +
1408 		 * {offset, relative to the start of the link-layer
1409 		 * header, of the IPv4 header} + {length of the IPv4 header} +
1410 		 * {specified offset}.
1411 		 *
1412 		 * (If the link-layer is variable-length, it's included
1413 		 * in the value in the X register, and off_ll is 0.)
1414 		 */
1415 		s2 = new_stmt(BPF_LD|BPF_IND|size);
1416 		s2->s.k = off_ll + off_nl + offset;
1417 		sappend(s, s2);
1418 		break;
1419 
1420 	case OR_TRAN_IPV6:
1421 		s = gen_load_llrel(off_nl + 40 + offset, size);
1422 		break;
1423 
1424 	default:
1425 		abort();
1426 		return NULL;
1427 	}
1428 	return s;
1429 }
1430 
1431 /*
1432  * Generate code to load into the X register the sum of the length of
1433  * the IPv4 header and any variable-length header preceding the link-layer
1434  * header.
1435  */
1436 static struct slist *
1437 gen_loadx_iphdrlen()
1438 {
1439 	struct slist *s, *s2;
1440 
1441 	s = gen_llprefixlen();
1442 	if (s != NULL) {
1443 		/*
1444 		 * There's a variable-length prefix preceding the
1445 		 * link-layer header.  "s" points to a list of statements
1446 		 * that put the length of that prefix into the X register.
1447 		 * The 4*([k]&0xf) addressing mode can't be used, as we
1448 		 * don't have a constant offset, so we have to load the
1449 		 * value in question into the A register and add to it
1450 		 * the value from the X register.
1451 		 */
1452 		s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1453 		s2->s.k = off_nl;
1454 		sappend(s, s2);
1455 		s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1456 		s2->s.k = 0xf;
1457 		sappend(s, s2);
1458 		s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1459 		s2->s.k = 2;
1460 		sappend(s, s2);
1461 
1462 		/*
1463 		 * The A register now contains the length of the
1464 		 * IP header.  We need to add to it the length
1465 		 * of the prefix preceding the link-layer
1466 		 * header, which is still in the X register, and
1467 		 * move the result into the X register.
1468 		 */
1469 		sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1470 		sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1471 	} else {
1472 		/*
1473 		 * There is no variable-length header preceding the
1474 		 * link-layer header; add in off_ll, which, if there's
1475 		 * a fixed-length header preceding the link-layer header,
1476 		 * is the length of that header.
1477 		 */
1478 		s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1479 		s->s.k = off_ll + off_nl;
1480 	}
1481 	return s;
1482 }
1483 
1484 static struct block *
1485 gen_uncond(rsense)
1486 	int rsense;
1487 {
1488 	struct block *b;
1489 	struct slist *s;
1490 
1491 	s = new_stmt(BPF_LD|BPF_IMM);
1492 	s->s.k = !rsense;
1493 	b = new_block(JMP(BPF_JEQ));
1494 	b->stmts = s;
1495 
1496 	return b;
1497 }
1498 
1499 static inline struct block *
1500 gen_true()
1501 {
1502 	return gen_uncond(1);
1503 }
1504 
1505 static inline struct block *
1506 gen_false()
1507 {
1508 	return gen_uncond(0);
1509 }
1510 
1511 /*
1512  * Byte-swap a 32-bit number.
1513  * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1514  * big-endian platforms.)
1515  */
1516 #define	SWAPLONG(y) \
1517 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1518 
1519 /*
1520  * Generate code to match a particular packet type.
1521  *
1522  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1523  * value, if <= ETHERMTU.  We use that to determine whether to
1524  * match the type/length field or to check the type/length field for
1525  * a value <= ETHERMTU to see whether it's a type field and then do
1526  * the appropriate test.
1527  */
1528 static struct block *
1529 gen_ether_linktype(proto)
1530 	register int proto;
1531 {
1532 	struct block *b0, *b1;
1533 
1534 	switch (proto) {
1535 
1536 	case LLCSAP_ISONS:
1537 	case LLCSAP_IP:
1538 	case LLCSAP_NETBEUI:
1539 		/*
1540 		 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1541 		 * so we check the DSAP and SSAP.
1542 		 *
1543 		 * LLCSAP_IP checks for IP-over-802.2, rather
1544 		 * than IP-over-Ethernet or IP-over-SNAP.
1545 		 *
1546 		 * XXX - should we check both the DSAP and the
1547 		 * SSAP, like this, or should we check just the
1548 		 * DSAP, as we do for other types <= ETHERMTU
1549 		 * (i.e., other SAP values)?
1550 		 */
1551 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1552 		gen_not(b0);
1553 		b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1554 			     ((proto << 8) | proto));
1555 		gen_and(b0, b1);
1556 		return b1;
1557 
1558 	case LLCSAP_IPX:
1559 		/*
1560 		 * Check for;
1561 		 *
1562 		 *	Ethernet_II frames, which are Ethernet
1563 		 *	frames with a frame type of ETHERTYPE_IPX;
1564 		 *
1565 		 *	Ethernet_802.3 frames, which are 802.3
1566 		 *	frames (i.e., the type/length field is
1567 		 *	a length field, <= ETHERMTU, rather than
1568 		 *	a type field) with the first two bytes
1569 		 *	after the Ethernet/802.3 header being
1570 		 *	0xFFFF;
1571 		 *
1572 		 *	Ethernet_802.2 frames, which are 802.3
1573 		 *	frames with an 802.2 LLC header and
1574 		 *	with the IPX LSAP as the DSAP in the LLC
1575 		 *	header;
1576 		 *
1577 		 *	Ethernet_SNAP frames, which are 802.3
1578 		 *	frames with an LLC header and a SNAP
1579 		 *	header and with an OUI of 0x000000
1580 		 *	(encapsulated Ethernet) and a protocol
1581 		 *	ID of ETHERTYPE_IPX in the SNAP header.
1582 		 *
1583 		 * XXX - should we generate the same code both
1584 		 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1585 		 */
1586 
1587 		/*
1588 		 * This generates code to check both for the
1589 		 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1590 		 */
1591 		b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1592 		    (bpf_int32)LLCSAP_IPX);
1593 		b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H,
1594 		    (bpf_int32)0xFFFF);
1595 		gen_or(b0, b1);
1596 
1597 		/*
1598 		 * Now we add code to check for SNAP frames with
1599 		 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1600 		 */
1601 		b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1602 		gen_or(b0, b1);
1603 
1604 		/*
1605 		 * Now we generate code to check for 802.3
1606 		 * frames in general.
1607 		 */
1608 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1609 		gen_not(b0);
1610 
1611 		/*
1612 		 * Now add the check for 802.3 frames before the
1613 		 * check for Ethernet_802.2 and Ethernet_802.3,
1614 		 * as those checks should only be done on 802.3
1615 		 * frames, not on Ethernet frames.
1616 		 */
1617 		gen_and(b0, b1);
1618 
1619 		/*
1620 		 * Now add the check for Ethernet_II frames, and
1621 		 * do that before checking for the other frame
1622 		 * types.
1623 		 */
1624 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1625 		    (bpf_int32)ETHERTYPE_IPX);
1626 		gen_or(b0, b1);
1627 		return b1;
1628 
1629 	case ETHERTYPE_ATALK:
1630 	case ETHERTYPE_AARP:
1631 		/*
1632 		 * EtherTalk (AppleTalk protocols on Ethernet link
1633 		 * layer) may use 802.2 encapsulation.
1634 		 */
1635 
1636 		/*
1637 		 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1638 		 * we check for an Ethernet type field less than
1639 		 * 1500, which means it's an 802.3 length field.
1640 		 */
1641 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1642 		gen_not(b0);
1643 
1644 		/*
1645 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1646 		 * SNAP packets with an organization code of
1647 		 * 0x080007 (Apple, for Appletalk) and a protocol
1648 		 * type of ETHERTYPE_ATALK (Appletalk).
1649 		 *
1650 		 * 802.2-encapsulated ETHERTYPE_AARP packets are
1651 		 * SNAP packets with an organization code of
1652 		 * 0x000000 (encapsulated Ethernet) and a protocol
1653 		 * type of ETHERTYPE_AARP (Appletalk ARP).
1654 		 */
1655 		if (proto == ETHERTYPE_ATALK)
1656 			b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1657 		else	/* proto == ETHERTYPE_AARP */
1658 			b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1659 		gen_and(b0, b1);
1660 
1661 		/*
1662 		 * Check for Ethernet encapsulation (Ethertalk
1663 		 * phase 1?); we just check for the Ethernet
1664 		 * protocol type.
1665 		 */
1666 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1667 
1668 		gen_or(b0, b1);
1669 		return b1;
1670 
1671 	default:
1672 		if (proto <= ETHERMTU) {
1673 			/*
1674 			 * This is an LLC SAP value, so the frames
1675 			 * that match would be 802.2 frames.
1676 			 * Check that the frame is an 802.2 frame
1677 			 * (i.e., that the length/type field is
1678 			 * a length field, <= ETHERMTU) and
1679 			 * then check the DSAP.
1680 			 */
1681 			b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1682 			gen_not(b0);
1683 			b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1684 			    (bpf_int32)proto);
1685 			gen_and(b0, b1);
1686 			return b1;
1687 		} else {
1688 			/*
1689 			 * This is an Ethernet type, so compare
1690 			 * the length/type field with it (if
1691 			 * the frame is an 802.2 frame, the length
1692 			 * field will be <= ETHERMTU, and, as
1693 			 * "proto" is > ETHERMTU, this test
1694 			 * will fail and the frame won't match,
1695 			 * which is what we want).
1696 			 */
1697 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
1698 			    (bpf_int32)proto);
1699 		}
1700 	}
1701 }
1702 
1703 /*
1704  * Generate code to match a particular packet type.
1705  *
1706  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1707  * value, if <= ETHERMTU.  We use that to determine whether to
1708  * match the type field or to check the type field for the special
1709  * LINUX_SLL_P_802_2 value and then do the appropriate test.
1710  */
1711 static struct block *
1712 gen_linux_sll_linktype(proto)
1713 	register int proto;
1714 {
1715 	struct block *b0, *b1;
1716 
1717 	switch (proto) {
1718 
1719 	case LLCSAP_ISONS:
1720 	case LLCSAP_IP:
1721 	case LLCSAP_NETBEUI:
1722 		/*
1723 		 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1724 		 * so we check the DSAP and SSAP.
1725 		 *
1726 		 * LLCSAP_IP checks for IP-over-802.2, rather
1727 		 * than IP-over-Ethernet or IP-over-SNAP.
1728 		 *
1729 		 * XXX - should we check both the DSAP and the
1730 		 * SSAP, like this, or should we check just the
1731 		 * DSAP, as we do for other types <= ETHERMTU
1732 		 * (i.e., other SAP values)?
1733 		 */
1734 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1735 		b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1736 			     ((proto << 8) | proto));
1737 		gen_and(b0, b1);
1738 		return b1;
1739 
1740 	case LLCSAP_IPX:
1741 		/*
1742 		 *	Ethernet_II frames, which are Ethernet
1743 		 *	frames with a frame type of ETHERTYPE_IPX;
1744 		 *
1745 		 *	Ethernet_802.3 frames, which have a frame
1746 		 *	type of LINUX_SLL_P_802_3;
1747 		 *
1748 		 *	Ethernet_802.2 frames, which are 802.3
1749 		 *	frames with an 802.2 LLC header (i.e, have
1750 		 *	a frame type of LINUX_SLL_P_802_2) and
1751 		 *	with the IPX LSAP as the DSAP in the LLC
1752 		 *	header;
1753 		 *
1754 		 *	Ethernet_SNAP frames, which are 802.3
1755 		 *	frames with an LLC header and a SNAP
1756 		 *	header and with an OUI of 0x000000
1757 		 *	(encapsulated Ethernet) and a protocol
1758 		 *	ID of ETHERTYPE_IPX in the SNAP header.
1759 		 *
1760 		 * First, do the checks on LINUX_SLL_P_802_2
1761 		 * frames; generate the check for either
1762 		 * Ethernet_802.2 or Ethernet_SNAP frames, and
1763 		 * then put a check for LINUX_SLL_P_802_2 frames
1764 		 * before it.
1765 		 */
1766 		b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1767 		    (bpf_int32)LLCSAP_IPX);
1768 		b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1769 		    off_linktype + 2);
1770 		gen_or(b0, b1);
1771 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1772 		gen_and(b0, b1);
1773 
1774 		/*
1775 		 * Now check for 802.3 frames and OR that with
1776 		 * the previous test.
1777 		 */
1778 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1779 		gen_or(b0, b1);
1780 
1781 		/*
1782 		 * Now add the check for Ethernet_II frames, and
1783 		 * do that before checking for the other frame
1784 		 * types.
1785 		 */
1786 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1787 		    (bpf_int32)ETHERTYPE_IPX);
1788 		gen_or(b0, b1);
1789 		return b1;
1790 
1791 	case ETHERTYPE_ATALK:
1792 	case ETHERTYPE_AARP:
1793 		/*
1794 		 * EtherTalk (AppleTalk protocols on Ethernet link
1795 		 * layer) may use 802.2 encapsulation.
1796 		 */
1797 
1798 		/*
1799 		 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1800 		 * we check for the 802.2 protocol type in the
1801 		 * "Ethernet type" field.
1802 		 */
1803 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1804 
1805 		/*
1806 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1807 		 * SNAP packets with an organization code of
1808 		 * 0x080007 (Apple, for Appletalk) and a protocol
1809 		 * type of ETHERTYPE_ATALK (Appletalk).
1810 		 *
1811 		 * 802.2-encapsulated ETHERTYPE_AARP packets are
1812 		 * SNAP packets with an organization code of
1813 		 * 0x000000 (encapsulated Ethernet) and a protocol
1814 		 * type of ETHERTYPE_AARP (Appletalk ARP).
1815 		 */
1816 		if (proto == ETHERTYPE_ATALK)
1817 			b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1818 			    off_linktype + 2);
1819 		else	/* proto == ETHERTYPE_AARP */
1820 			b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1821 			    off_linktype + 2);
1822 		gen_and(b0, b1);
1823 
1824 		/*
1825 		 * Check for Ethernet encapsulation (Ethertalk
1826 		 * phase 1?); we just check for the Ethernet
1827 		 * protocol type.
1828 		 */
1829 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1830 
1831 		gen_or(b0, b1);
1832 		return b1;
1833 
1834 	default:
1835 		if (proto <= ETHERMTU) {
1836 			/*
1837 			 * This is an LLC SAP value, so the frames
1838 			 * that match would be 802.2 frames.
1839 			 * Check for the 802.2 protocol type
1840 			 * in the "Ethernet type" field, and
1841 			 * then check the DSAP.
1842 			 */
1843 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1844 			    LINUX_SLL_P_802_2);
1845 			b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1846 			     (bpf_int32)proto);
1847 			gen_and(b0, b1);
1848 			return b1;
1849 		} else {
1850 			/*
1851 			 * This is an Ethernet type, so compare
1852 			 * the length/type field with it (if
1853 			 * the frame is an 802.2 frame, the length
1854 			 * field will be <= ETHERMTU, and, as
1855 			 * "proto" is > ETHERMTU, this test
1856 			 * will fail and the frame won't match,
1857 			 * which is what we want).
1858 			 */
1859 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
1860 			    (bpf_int32)proto);
1861 		}
1862 	}
1863 }
1864 
1865 static void
1866 insert_radiotap_load_llprefixlen(b)
1867 	struct block *b;
1868 {
1869 	struct slist *s1, *s2;
1870 
1871 	/*
1872 	 * Prepend to the statements in this block code to load the
1873 	 * length of the radiotap header into the register assigned
1874 	 * to hold that length, if one has been assigned.
1875 	 */
1876 	if (reg_ll_size != -1) {
1877 		/*
1878 		 * The 2 bytes at offsets of 2 and 3 from the beginning
1879 		 * of the radiotap header are the length of the radiotap
1880 		 * header; unfortunately, it's little-endian, so we have
1881 		 * to load it a byte at a time and construct the value.
1882 		 */
1883 
1884 		/*
1885 		 * Load the high-order byte, at an offset of 3, shift it
1886 		 * left a byte, and put the result in the X register.
1887 		 */
1888 		s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1889 		s1->s.k = 3;
1890 		s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1891 		sappend(s1, s2);
1892 		s2->s.k = 8;
1893 		s2 = new_stmt(BPF_MISC|BPF_TAX);
1894 		sappend(s1, s2);
1895 
1896 		/*
1897 		 * Load the next byte, at an offset of 2, and OR the
1898 		 * value from the X register into it.
1899 		 */
1900 		s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1901 		sappend(s1, s2);
1902 		s2->s.k = 2;
1903 		s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1904 		sappend(s1, s2);
1905 
1906 		/*
1907 		 * Now allocate a register to hold that value and store
1908 		 * it.
1909 		 */
1910 		s2 = new_stmt(BPF_ST);
1911 		s2->s.k = reg_ll_size;
1912 		sappend(s1, s2);
1913 
1914 		/*
1915 		 * Now move it into the X register.
1916 		 */
1917 		s2 = new_stmt(BPF_MISC|BPF_TAX);
1918 		sappend(s1, s2);
1919 
1920 		/*
1921 		 * Now append all the existing statements in this
1922 		 * block to these statements.
1923 		 */
1924 		sappend(s1, b->stmts);
1925 		b->stmts = s1;
1926 	}
1927 }
1928 
1929 /*
1930  * At the moment we treat PPI as normal Radiotap encoded
1931  * packets. The difference is in the function that generates
1932  * the code at the beginning to compute the header length.
1933  * Since this code generator of PPI supports bare 802.11
1934  * encapsulation only (i.e. the encapsulated DLT should be
1935  * DLT_IEEE802_11) we generate code to check for this too.
1936  */
1937 static void
1938 insert_ppi_load_llprefixlen(b)
1939 	struct block *b;
1940 {
1941 	struct slist *s1, *s2;
1942 
1943 	/*
1944 	 * Prepend to the statements in this block code to load the
1945 	 * length of the radiotap header into the register assigned
1946 	 * to hold that length, if one has been assigned.
1947 	 */
1948 	if (reg_ll_size != -1) {
1949 	    /*
1950 		 * The 2 bytes at offsets of 2 and 3 from the beginning
1951 		 * of the radiotap header are the length of the radiotap
1952 		 * header; unfortunately, it's little-endian, so we have
1953 		 * to load it a byte at a time and construct the value.
1954 		 */
1955 
1956 		/*
1957 		 * Load the high-order byte, at an offset of 3, shift it
1958 		 * left a byte, and put the result in the X register.
1959 		 */
1960 		s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1961 		s1->s.k = 3;
1962 		s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1963 		sappend(s1, s2);
1964 		s2->s.k = 8;
1965 		s2 = new_stmt(BPF_MISC|BPF_TAX);
1966 		sappend(s1, s2);
1967 
1968 		/*
1969 		 * Load the next byte, at an offset of 2, and OR the
1970 		 * value from the X register into it.
1971 		 */
1972 		s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1973 		sappend(s1, s2);
1974 		s2->s.k = 2;
1975 		s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1976 		sappend(s1, s2);
1977 
1978 		/*
1979 		 * Now allocate a register to hold that value and store
1980 		 * it.
1981 		 */
1982 		s2 = new_stmt(BPF_ST);
1983 		s2->s.k = reg_ll_size;
1984 		sappend(s1, s2);
1985 
1986 		/*
1987 		 * Now move it into the X register.
1988 		 */
1989 		s2 = new_stmt(BPF_MISC|BPF_TAX);
1990 		sappend(s1, s2);
1991 
1992 		/*
1993 		 * Now append all the existing statements in this
1994 		 * block to these statements.
1995 		 */
1996 		sappend(s1, b->stmts);
1997 		b->stmts = s1;
1998 
1999 	}
2000 }
2001 
2002 static struct block *
2003 gen_ppi_dlt_check(void)
2004 {
2005 	struct slist *s_load_dlt;
2006 	struct block *b;
2007 
2008 	if (linktype == DLT_PPI)
2009 	{
2010 		/* Create the statements that check for the DLT
2011 		 */
2012 		s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2013 		s_load_dlt->s.k = 4;
2014 
2015 		b = new_block(JMP(BPF_JEQ));
2016 
2017 		b->stmts = s_load_dlt;
2018 		b->s.k = SWAPLONG(DLT_IEEE802_11);
2019 	}
2020 	else
2021 	{
2022 		b = NULL;
2023 	}
2024 
2025 	return b;
2026 }
2027 
2028 static void
2029 insert_load_llprefixlen(b)
2030 	struct block *b;
2031 {
2032 	switch (linktype) {
2033 
2034 	/*
2035 	 * At the moment we treat PPI as normal Radiotap encoded
2036 	 * packets. The difference is in the function that generates
2037 	 * the code at the beginning to compute the header length.
2038 	 * Since this code generator of PPI supports bare 802.11
2039 	 * encapsulation only (i.e. the encapsulated DLT should be
2040 	 * DLT_IEEE802_11) we generate code to check for this too.
2041 	 */
2042 	case DLT_PPI:
2043 		insert_ppi_load_llprefixlen(b);
2044 		break;
2045 
2046 	case DLT_IEEE802_11_RADIO:
2047 		insert_radiotap_load_llprefixlen(b);
2048 		break;
2049 	}
2050 }
2051 
2052 
2053 static struct slist *
2054 gen_radiotap_llprefixlen(void)
2055 {
2056 	struct slist *s;
2057 
2058 	if (reg_ll_size == -1) {
2059 		/*
2060 		 * We haven't yet assigned a register for the length
2061 		 * of the radiotap header; allocate one.
2062 		 */
2063 		reg_ll_size = alloc_reg();
2064 	}
2065 
2066 	/*
2067 	 * Load the register containing the radiotap length
2068 	 * into the X register.
2069 	 */
2070 	s = new_stmt(BPF_LDX|BPF_MEM);
2071 	s->s.k = reg_ll_size;
2072 	return s;
2073 }
2074 
2075 /*
2076  * At the moment we treat PPI as normal Radiotap encoded
2077  * packets. The difference is in the function that generates
2078  * the code at the beginning to compute the header length.
2079  * Since this code generator of PPI supports bare 802.11
2080  * encapsulation only (i.e. the encapsulated DLT should be
2081  * DLT_IEEE802_11) we generate code to check for this too.
2082  */
2083 static struct slist *
2084 gen_ppi_llprefixlen(void)
2085 {
2086 	struct slist *s;
2087 
2088 	if (reg_ll_size == -1) {
2089 		/*
2090 		 * We haven't yet assigned a register for the length
2091 		 * of the radiotap header; allocate one.
2092 		 */
2093 		reg_ll_size = alloc_reg();
2094 	}
2095 
2096 	/*
2097 	 * Load the register containing the radiotap length
2098 	 * into the X register.
2099 	 */
2100 	s = new_stmt(BPF_LDX|BPF_MEM);
2101 	s->s.k = reg_ll_size;
2102 	return s;
2103 }
2104 
2105 
2106 
2107 /*
2108  * Generate code to compute the link-layer header length, if necessary,
2109  * putting it into the X register, and to return either a pointer to a
2110  * "struct slist" for the list of statements in that code, or NULL if
2111  * no code is necessary.
2112  */
2113 static struct slist *
2114 gen_llprefixlen(void)
2115 {
2116 	switch (linktype) {
2117 
2118 	case DLT_PPI:
2119 		return gen_ppi_llprefixlen();
2120 
2121 
2122 	case DLT_IEEE802_11_RADIO:
2123 		return gen_radiotap_llprefixlen();
2124 
2125 	default:
2126 		return NULL;
2127 	}
2128 }
2129 
2130 /*
2131  * Generate code to match a particular packet type by matching the
2132  * link-layer type field or fields in the 802.2 LLC header.
2133  *
2134  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2135  * value, if <= ETHERMTU.
2136  */
2137 static struct block *
2138 gen_linktype(proto)
2139 	register int proto;
2140 {
2141 	struct block *b0, *b1, *b2;
2142 
2143 	/* are we checking MPLS-encapsulated packets? */
2144 	if (label_stack_depth > 0) {
2145 		switch (proto) {
2146 		case ETHERTYPE_IP:
2147 		case PPP_IP:
2148 		/* FIXME add other L3 proto IDs */
2149 			return gen_mpls_linktype(Q_IP);
2150 
2151 		case ETHERTYPE_IPV6:
2152 		case PPP_IPV6:
2153 		/* FIXME add other L3 proto IDs */
2154 			return gen_mpls_linktype(Q_IPV6);
2155 
2156 		default:
2157 			bpf_error("unsupported protocol over mpls");
2158 			/* NOTREACHED */
2159 		}
2160 	}
2161 
2162 	switch (linktype) {
2163 
2164 	case DLT_EN10MB:
2165 		return gen_ether_linktype(proto);
2166 		/*NOTREACHED*/
2167 		break;
2168 
2169 	case DLT_C_HDLC:
2170 		switch (proto) {
2171 
2172 		case LLCSAP_ISONS:
2173 			proto = (proto << 8 | LLCSAP_ISONS);
2174 			/* fall through */
2175 
2176 		default:
2177 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
2178 			    (bpf_int32)proto);
2179 			/*NOTREACHED*/
2180 			break;
2181 		}
2182 		break;
2183 
2184 	case DLT_PPI:
2185 	case DLT_FDDI:
2186 	case DLT_IEEE802:
2187 	case DLT_IEEE802_11:
2188 	case DLT_IEEE802_11_RADIO_AVS:
2189 	case DLT_IEEE802_11_RADIO:
2190 	case DLT_PRISM_HEADER:
2191 	case DLT_ATM_RFC1483:
2192 	case DLT_ATM_CLIP:
2193 	case DLT_IP_OVER_FC:
2194 		return gen_llc_linktype(proto);
2195 		/*NOTREACHED*/
2196 		break;
2197 
2198 	case DLT_SUNATM:
2199 		/*
2200 		 * If "is_lane" is set, check for a LANE-encapsulated
2201 		 * version of this protocol, otherwise check for an
2202 		 * LLC-encapsulated version of this protocol.
2203 		 *
2204 		 * We assume LANE means Ethernet, not Token Ring.
2205 		 */
2206 		if (is_lane) {
2207 			/*
2208 			 * Check that the packet doesn't begin with an
2209 			 * LE Control marker.  (We've already generated
2210 			 * a test for LANE.)
2211 			 */
2212 			b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
2213 			    0xFF00);
2214 			gen_not(b0);
2215 
2216 			/*
2217 			 * Now generate an Ethernet test.
2218 			 */
2219 			b1 = gen_ether_linktype(proto);
2220 			gen_and(b0, b1);
2221 			return b1;
2222 		} else {
2223 			/*
2224 			 * Check for LLC encapsulation and then check the
2225 			 * protocol.
2226 			 */
2227 			b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
2228 			b1 = gen_llc_linktype(proto);
2229 			gen_and(b0, b1);
2230 			return b1;
2231 		}
2232 		/*NOTREACHED*/
2233 		break;
2234 
2235 	case DLT_LINUX_SLL:
2236 		return gen_linux_sll_linktype(proto);
2237 		/*NOTREACHED*/
2238 		break;
2239 
2240 	case DLT_SLIP:
2241 	case DLT_SLIP_BSDOS:
2242 	case DLT_RAW:
2243 		/*
2244 		 * These types don't provide any type field; packets
2245 		 * are always IPv4 or IPv6.
2246 		 *
2247 		 * XXX - for IPv4, check for a version number of 4, and,
2248 		 * for IPv6, check for a version number of 6?
2249 		 */
2250 		switch (proto) {
2251 
2252 		case ETHERTYPE_IP:
2253 			/* Check for a version number of 4. */
2254 			return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
2255 #ifdef INET6
2256 		case ETHERTYPE_IPV6:
2257 			/* Check for a version number of 6. */
2258 			return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
2259 #endif
2260 
2261 		default:
2262 			return gen_false();		/* always false */
2263 		}
2264 		/*NOTREACHED*/
2265 		break;
2266 
2267 	case DLT_PPP:
2268 	case DLT_PPP_PPPD:
2269 	case DLT_PPP_SERIAL:
2270 	case DLT_PPP_ETHER:
2271 		/*
2272 		 * We use Ethernet protocol types inside libpcap;
2273 		 * map them to the corresponding PPP protocol types.
2274 		 */
2275 		switch (proto) {
2276 
2277 		case ETHERTYPE_IP:
2278 			proto = PPP_IP;
2279 			break;
2280 
2281 #ifdef INET6
2282 		case ETHERTYPE_IPV6:
2283 			proto = PPP_IPV6;
2284 			break;
2285 #endif
2286 
2287 		case ETHERTYPE_DN:
2288 			proto = PPP_DECNET;
2289 			break;
2290 
2291 		case ETHERTYPE_ATALK:
2292 			proto = PPP_APPLE;
2293 			break;
2294 
2295 		case ETHERTYPE_NS:
2296 			proto = PPP_NS;
2297 			break;
2298 
2299 		case LLCSAP_ISONS:
2300 			proto = PPP_OSI;
2301 			break;
2302 
2303 		case LLCSAP_8021D:
2304 			/*
2305 			 * I'm assuming the "Bridging PDU"s that go
2306 			 * over PPP are Spanning Tree Protocol
2307 			 * Bridging PDUs.
2308 			 */
2309 			proto = PPP_BRPDU;
2310 			break;
2311 
2312 		case LLCSAP_IPX:
2313 			proto = PPP_IPX;
2314 			break;
2315 		}
2316 		break;
2317 
2318 	case DLT_PPP_BSDOS:
2319 		/*
2320 		 * We use Ethernet protocol types inside libpcap;
2321 		 * map them to the corresponding PPP protocol types.
2322 		 */
2323 		switch (proto) {
2324 
2325 		case ETHERTYPE_IP:
2326 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
2327 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
2328 			gen_or(b0, b1);
2329 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
2330 			gen_or(b1, b0);
2331 			return b0;
2332 
2333 #ifdef INET6
2334 		case ETHERTYPE_IPV6:
2335 			proto = PPP_IPV6;
2336 			/* more to go? */
2337 			break;
2338 #endif
2339 
2340 		case ETHERTYPE_DN:
2341 			proto = PPP_DECNET;
2342 			break;
2343 
2344 		case ETHERTYPE_ATALK:
2345 			proto = PPP_APPLE;
2346 			break;
2347 
2348 		case ETHERTYPE_NS:
2349 			proto = PPP_NS;
2350 			break;
2351 
2352 		case LLCSAP_ISONS:
2353 			proto = PPP_OSI;
2354 			break;
2355 
2356 		case LLCSAP_8021D:
2357 			/*
2358 			 * I'm assuming the "Bridging PDU"s that go
2359 			 * over PPP are Spanning Tree Protocol
2360 			 * Bridging PDUs.
2361 			 */
2362 			proto = PPP_BRPDU;
2363 			break;
2364 
2365 		case LLCSAP_IPX:
2366 			proto = PPP_IPX;
2367 			break;
2368 		}
2369 		break;
2370 
2371 	case DLT_NULL:
2372 	case DLT_LOOP:
2373 	case DLT_ENC:
2374 		/*
2375 		 * For DLT_NULL, the link-layer header is a 32-bit
2376 		 * word containing an AF_ value in *host* byte order,
2377 		 * and for DLT_ENC, the link-layer header begins
2378 		 * with a 32-bit work containing an AF_ value in
2379 		 * host byte order.
2380 		 *
2381 		 * In addition, if we're reading a saved capture file,
2382 		 * the host byte order in the capture may not be the
2383 		 * same as the host byte order on this machine.
2384 		 *
2385 		 * For DLT_LOOP, the link-layer header is a 32-bit
2386 		 * word containing an AF_ value in *network* byte order.
2387 		 *
2388 		 * XXX - AF_ values may, unfortunately, be platform-
2389 		 * dependent; for example, FreeBSD's AF_INET6 is 24
2390 		 * whilst NetBSD's and OpenBSD's is 26.
2391 		 *
2392 		 * This means that, when reading a capture file, just
2393 		 * checking for our AF_INET6 value won't work if the
2394 		 * capture file came from another OS.
2395 		 */
2396 		switch (proto) {
2397 
2398 		case ETHERTYPE_IP:
2399 			proto = AF_INET;
2400 			break;
2401 
2402 #ifdef INET6
2403 		case ETHERTYPE_IPV6:
2404 			proto = AF_INET6;
2405 			break;
2406 #endif
2407 
2408 		default:
2409 			/*
2410 			 * Not a type on which we support filtering.
2411 			 * XXX - support those that have AF_ values
2412 			 * #defined on this platform, at least?
2413 			 */
2414 			return gen_false();
2415 		}
2416 
2417 		if (linktype == DLT_NULL || linktype == DLT_ENC) {
2418 			/*
2419 			 * The AF_ value is in host byte order, but
2420 			 * the BPF interpreter will convert it to
2421 			 * network byte order.
2422 			 *
2423 			 * If this is a save file, and it's from a
2424 			 * machine with the opposite byte order to
2425 			 * ours, we byte-swap the AF_ value.
2426 			 *
2427 			 * Then we run it through "htonl()", and
2428 			 * generate code to compare against the result.
2429 			 */
2430 			if (bpf_pcap->sf.rfile != NULL &&
2431 			    bpf_pcap->sf.swapped)
2432 				proto = SWAPLONG(proto);
2433 			proto = htonl(proto);
2434 		}
2435 		return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
2436 
2437 #ifdef HAVE_NET_PFVAR_H
2438 	case DLT_PFLOG:
2439 		/*
2440 		 * af field is host byte order in contrast to the rest of
2441 		 * the packet.
2442 		 */
2443 		if (proto == ETHERTYPE_IP)
2444 			return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2445 			    BPF_B, (bpf_int32)AF_INET));
2446 #ifdef INET6
2447 		else if (proto == ETHERTYPE_IPV6)
2448 			return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2449 			    BPF_B, (bpf_int32)AF_INET6));
2450 #endif /* INET6 */
2451 		else
2452 			return gen_false();
2453 		/*NOTREACHED*/
2454 		break;
2455 #endif /* HAVE_NET_PFVAR_H */
2456 
2457 	case DLT_ARCNET:
2458 	case DLT_ARCNET_LINUX:
2459 		/*
2460 		 * XXX should we check for first fragment if the protocol
2461 		 * uses PHDS?
2462 		 */
2463 		switch (proto) {
2464 
2465 		default:
2466 			return gen_false();
2467 
2468 #ifdef INET6
2469 		case ETHERTYPE_IPV6:
2470 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2471 				(bpf_int32)ARCTYPE_INET6));
2472 #endif /* INET6 */
2473 
2474 		case ETHERTYPE_IP:
2475 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2476 				     (bpf_int32)ARCTYPE_IP);
2477 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2478 				     (bpf_int32)ARCTYPE_IP_OLD);
2479 			gen_or(b0, b1);
2480 			return (b1);
2481 
2482 		case ETHERTYPE_ARP:
2483 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2484 				     (bpf_int32)ARCTYPE_ARP);
2485 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2486 				     (bpf_int32)ARCTYPE_ARP_OLD);
2487 			gen_or(b0, b1);
2488 			return (b1);
2489 
2490 		case ETHERTYPE_REVARP:
2491 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2492 					(bpf_int32)ARCTYPE_REVARP));
2493 
2494 		case ETHERTYPE_ATALK:
2495 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2496 					(bpf_int32)ARCTYPE_ATALK));
2497 		}
2498 		/*NOTREACHED*/
2499 		break;
2500 
2501 	case DLT_LTALK:
2502 		switch (proto) {
2503 		case ETHERTYPE_ATALK:
2504 			return gen_true();
2505 		default:
2506 			return gen_false();
2507 		}
2508 		/*NOTREACHED*/
2509 		break;
2510 
2511 	case DLT_FRELAY:
2512 		/*
2513 		 * XXX - assumes a 2-byte Frame Relay header with
2514 		 * DLCI and flags.  What if the address is longer?
2515 		 */
2516 		switch (proto) {
2517 
2518 		case ETHERTYPE_IP:
2519 			/*
2520 			 * Check for the special NLPID for IP.
2521 			 */
2522 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
2523 
2524 #ifdef INET6
2525 		case ETHERTYPE_IPV6:
2526 			/*
2527 			 * Check for the special NLPID for IPv6.
2528 			 */
2529 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
2530 #endif
2531 
2532 		case LLCSAP_ISONS:
2533 			/*
2534 			 * Check for several OSI protocols.
2535 			 *
2536 			 * Frame Relay packets typically have an OSI
2537 			 * NLPID at the beginning; we check for each
2538 			 * of them.
2539 			 *
2540 			 * What we check for is the NLPID and a frame
2541 			 * control field of UI, i.e. 0x03 followed
2542 			 * by the NLPID.
2543 			 */
2544 			b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
2545 			b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
2546 			b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
2547 			gen_or(b1, b2);
2548 			gen_or(b0, b2);
2549 			return b2;
2550 
2551 		default:
2552 			return gen_false();
2553 		}
2554 		/*NOTREACHED*/
2555 		break;
2556 
2557         case DLT_JUNIPER_MFR:
2558         case DLT_JUNIPER_MLFR:
2559         case DLT_JUNIPER_MLPPP:
2560 	case DLT_JUNIPER_ATM1:
2561 	case DLT_JUNIPER_ATM2:
2562 	case DLT_JUNIPER_PPPOE:
2563 	case DLT_JUNIPER_PPPOE_ATM:
2564         case DLT_JUNIPER_GGSN:
2565         case DLT_JUNIPER_ES:
2566         case DLT_JUNIPER_MONITOR:
2567         case DLT_JUNIPER_SERVICES:
2568         case DLT_JUNIPER_ETHER:
2569         case DLT_JUNIPER_PPP:
2570         case DLT_JUNIPER_FRELAY:
2571         case DLT_JUNIPER_CHDLC:
2572         case DLT_JUNIPER_VP:
2573 		/* just lets verify the magic number for now -
2574 		 * on ATM we may have up to 6 different encapsulations on the wire
2575 		 * and need a lot of heuristics to figure out that the payload
2576 		 * might be;
2577 		 *
2578 		 * FIXME encapsulation specific BPF_ filters
2579 		 */
2580 		return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
2581 
2582 	case DLT_LINUX_IRDA:
2583 		bpf_error("IrDA link-layer type filtering not implemented");
2584 
2585 	case DLT_DOCSIS:
2586 		bpf_error("DOCSIS link-layer type filtering not implemented");
2587 
2588 	case DLT_LINUX_LAPD:
2589 		bpf_error("LAPD link-layer type filtering not implemented");
2590 	}
2591 
2592 	/*
2593 	 * All the types that have no encapsulation should either be
2594 	 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
2595 	 * all packets are IP packets, or should be handled in some
2596 	 * special case, if none of them are (if some are and some
2597 	 * aren't, the lack of encapsulation is a problem, as we'd
2598 	 * have to find some other way of determining the packet type).
2599 	 *
2600 	 * Therefore, if "off_linktype" is -1, there's an error.
2601 	 */
2602 	if (off_linktype == (u_int)-1)
2603 		abort();
2604 
2605 	/*
2606 	 * Any type not handled above should always have an Ethernet
2607 	 * type at an offset of "off_linktype".  (PPP is partially
2608 	 * handled above - the protocol type is mapped from the
2609 	 * Ethernet and LLC types we use internally to the corresponding
2610 	 * PPP type - but the PPP type is always specified by a value
2611 	 * at "off_linktype", so we don't have to do the code generation
2612 	 * above.)
2613 	 */
2614 	return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2615 }
2616 
2617 /*
2618  * Check for an LLC SNAP packet with a given organization code and
2619  * protocol type; we check the entire contents of the 802.2 LLC and
2620  * snap headers, checking for DSAP and SSAP of SNAP and a control
2621  * field of 0x03 in the LLC header, and for the specified organization
2622  * code and protocol type in the SNAP header.
2623  */
2624 static struct block *
2625 gen_snap(orgcode, ptype, offset)
2626 	bpf_u_int32 orgcode;
2627 	bpf_u_int32 ptype;
2628 	u_int offset;
2629 {
2630 	u_char snapblock[8];
2631 
2632 	snapblock[0] = LLCSAP_SNAP;	/* DSAP = SNAP */
2633 	snapblock[1] = LLCSAP_SNAP;	/* SSAP = SNAP */
2634 	snapblock[2] = 0x03;		/* control = UI */
2635 	snapblock[3] = (orgcode >> 16);	/* upper 8 bits of organization code */
2636 	snapblock[4] = (orgcode >> 8);	/* middle 8 bits of organization code */
2637 	snapblock[5] = (orgcode >> 0);	/* lower 8 bits of organization code */
2638 	snapblock[6] = (ptype >> 8);	/* upper 8 bits of protocol type */
2639 	snapblock[7] = (ptype >> 0);	/* lower 8 bits of protocol type */
2640 	return gen_bcmp(OR_LINK, offset, 8, snapblock);
2641 }
2642 
2643 /*
2644  * Generate code to match a particular packet type, for link-layer types
2645  * using 802.2 LLC headers.
2646  *
2647  * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
2648  * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
2649  *
2650  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2651  * value, if <= ETHERMTU.  We use that to determine whether to
2652  * match the DSAP or both DSAP and LSAP or to check the OUI and
2653  * protocol ID in a SNAP header.
2654  */
2655 static struct block *
2656 gen_llc_linktype(proto)
2657 	int proto;
2658 {
2659 	/*
2660 	 * XXX - handle token-ring variable-length header.
2661 	 */
2662 	switch (proto) {
2663 
2664 	case LLCSAP_IP:
2665 	case LLCSAP_ISONS:
2666 	case LLCSAP_NETBEUI:
2667 		/*
2668 		 * XXX - should we check both the DSAP and the
2669 		 * SSAP, like this, or should we check just the
2670 		 * DSAP, as we do for other types <= ETHERMTU
2671 		 * (i.e., other SAP values)?
2672 		 */
2673 		return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32)
2674 			     ((proto << 8) | proto));
2675 
2676 	case LLCSAP_IPX:
2677 		/*
2678 		 * XXX - are there ever SNAP frames for IPX on
2679 		 * non-Ethernet 802.x networks?
2680 		 */
2681 		return gen_cmp(OR_LINK, off_linktype, BPF_B,
2682 		    (bpf_int32)LLCSAP_IPX);
2683 
2684 	case ETHERTYPE_ATALK:
2685 		/*
2686 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2687 		 * SNAP packets with an organization code of
2688 		 * 0x080007 (Apple, for Appletalk) and a protocol
2689 		 * type of ETHERTYPE_ATALK (Appletalk).
2690 		 *
2691 		 * XXX - check for an organization code of
2692 		 * encapsulated Ethernet as well?
2693 		 */
2694 		return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
2695 
2696 	default:
2697 		/*
2698 		 * XXX - we don't have to check for IPX 802.3
2699 		 * here, but should we check for the IPX Ethertype?
2700 		 */
2701 		if (proto <= ETHERMTU) {
2702 			/*
2703 			 * This is an LLC SAP value, so check
2704 			 * the DSAP.
2705 			 */
2706 			return gen_cmp(OR_LINK, off_linktype, BPF_B,
2707 			    (bpf_int32)proto);
2708 		} else {
2709 			/*
2710 			 * This is an Ethernet type; we assume that it's
2711 			 * unlikely that it'll appear in the right place
2712 			 * at random, and therefore check only the
2713 			 * location that would hold the Ethernet type
2714 			 * in a SNAP frame with an organization code of
2715 			 * 0x000000 (encapsulated Ethernet).
2716 			 *
2717 			 * XXX - if we were to check for the SNAP DSAP and
2718 			 * LSAP, as per XXX, and were also to check for an
2719 			 * organization code of 0x000000 (encapsulated
2720 			 * Ethernet), we'd do
2721 			 *
2722 			 *	return gen_snap(0x000000, proto,
2723 			 *	    off_linktype);
2724 			 *
2725 			 * here; for now, we don't, as per the above.
2726 			 * I don't know whether it's worth the extra CPU
2727 			 * time to do the right check or not.
2728 			 */
2729 			return gen_cmp(OR_LINK, off_linktype+6, BPF_H,
2730 			    (bpf_int32)proto);
2731 		}
2732 	}
2733 }
2734 
2735 static struct block *
2736 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2737 	bpf_u_int32 addr;
2738 	bpf_u_int32 mask;
2739 	int dir, proto;
2740 	u_int src_off, dst_off;
2741 {
2742 	struct block *b0, *b1;
2743 	u_int offset;
2744 
2745 	switch (dir) {
2746 
2747 	case Q_SRC:
2748 		offset = src_off;
2749 		break;
2750 
2751 	case Q_DST:
2752 		offset = dst_off;
2753 		break;
2754 
2755 	case Q_AND:
2756 		b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2757 		b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2758 		gen_and(b0, b1);
2759 		return b1;
2760 
2761 	case Q_OR:
2762 	case Q_DEFAULT:
2763 		b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2764 		b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2765 		gen_or(b0, b1);
2766 		return b1;
2767 
2768 	default:
2769 		abort();
2770 	}
2771 	b0 = gen_linktype(proto);
2772 	b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
2773 	gen_and(b0, b1);
2774 	return b1;
2775 }
2776 
2777 #ifdef INET6
2778 static struct block *
2779 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2780 	struct in6_addr *addr;
2781 	struct in6_addr *mask;
2782 	int dir, proto;
2783 	u_int src_off, dst_off;
2784 {
2785 	struct block *b0, *b1;
2786 	u_int offset;
2787 	u_int32_t *a, *m;
2788 
2789 	switch (dir) {
2790 
2791 	case Q_SRC:
2792 		offset = src_off;
2793 		break;
2794 
2795 	case Q_DST:
2796 		offset = dst_off;
2797 		break;
2798 
2799 	case Q_AND:
2800 		b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2801 		b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2802 		gen_and(b0, b1);
2803 		return b1;
2804 
2805 	case Q_OR:
2806 	case Q_DEFAULT:
2807 		b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2808 		b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2809 		gen_or(b0, b1);
2810 		return b1;
2811 
2812 	default:
2813 		abort();
2814 	}
2815 	/* this order is important */
2816 	a = (u_int32_t *)addr;
2817 	m = (u_int32_t *)mask;
2818 	b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2819 	b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2820 	gen_and(b0, b1);
2821 	b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2822 	gen_and(b0, b1);
2823 	b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2824 	gen_and(b0, b1);
2825 	b0 = gen_linktype(proto);
2826 	gen_and(b0, b1);
2827 	return b1;
2828 }
2829 #endif /*INET6*/
2830 
2831 static struct block *
2832 gen_ehostop(eaddr, dir)
2833 	register const u_char *eaddr;
2834 	register int dir;
2835 {
2836 	register struct block *b0, *b1;
2837 
2838 	switch (dir) {
2839 	case Q_SRC:
2840 		return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
2841 
2842 	case Q_DST:
2843 		return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
2844 
2845 	case Q_AND:
2846 		b0 = gen_ehostop(eaddr, Q_SRC);
2847 		b1 = gen_ehostop(eaddr, Q_DST);
2848 		gen_and(b0, b1);
2849 		return b1;
2850 
2851 	case Q_DEFAULT:
2852 	case Q_OR:
2853 		b0 = gen_ehostop(eaddr, Q_SRC);
2854 		b1 = gen_ehostop(eaddr, Q_DST);
2855 		gen_or(b0, b1);
2856 		return b1;
2857 	}
2858 	abort();
2859 	/* NOTREACHED */
2860 }
2861 
2862 /*
2863  * Like gen_ehostop, but for DLT_FDDI
2864  */
2865 static struct block *
2866 gen_fhostop(eaddr, dir)
2867 	register const u_char *eaddr;
2868 	register int dir;
2869 {
2870 	struct block *b0, *b1;
2871 
2872 	switch (dir) {
2873 	case Q_SRC:
2874 #ifdef PCAP_FDDIPAD
2875 		return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
2876 #else
2877 		return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
2878 #endif
2879 
2880 	case Q_DST:
2881 #ifdef PCAP_FDDIPAD
2882 		return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
2883 #else
2884 		return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
2885 #endif
2886 
2887 	case Q_AND:
2888 		b0 = gen_fhostop(eaddr, Q_SRC);
2889 		b1 = gen_fhostop(eaddr, Q_DST);
2890 		gen_and(b0, b1);
2891 		return b1;
2892 
2893 	case Q_DEFAULT:
2894 	case Q_OR:
2895 		b0 = gen_fhostop(eaddr, Q_SRC);
2896 		b1 = gen_fhostop(eaddr, Q_DST);
2897 		gen_or(b0, b1);
2898 		return b1;
2899 	}
2900 	abort();
2901 	/* NOTREACHED */
2902 }
2903 
2904 /*
2905  * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2906  */
2907 static struct block *
2908 gen_thostop(eaddr, dir)
2909 	register const u_char *eaddr;
2910 	register int dir;
2911 {
2912 	register struct block *b0, *b1;
2913 
2914 	switch (dir) {
2915 	case Q_SRC:
2916 		return gen_bcmp(OR_LINK, 8, 6, eaddr);
2917 
2918 	case Q_DST:
2919 		return gen_bcmp(OR_LINK, 2, 6, eaddr);
2920 
2921 	case Q_AND:
2922 		b0 = gen_thostop(eaddr, Q_SRC);
2923 		b1 = gen_thostop(eaddr, Q_DST);
2924 		gen_and(b0, b1);
2925 		return b1;
2926 
2927 	case Q_DEFAULT:
2928 	case Q_OR:
2929 		b0 = gen_thostop(eaddr, Q_SRC);
2930 		b1 = gen_thostop(eaddr, Q_DST);
2931 		gen_or(b0, b1);
2932 		return b1;
2933 	}
2934 	abort();
2935 	/* NOTREACHED */
2936 }
2937 
2938 /*
2939  * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2940  */
2941 static struct block *
2942 gen_wlanhostop(eaddr, dir)
2943 	register const u_char *eaddr;
2944 	register int dir;
2945 {
2946 	register struct block *b0, *b1, *b2;
2947 	register struct slist *s;
2948 
2949 	switch (dir) {
2950 	case Q_SRC:
2951 		/*
2952 		 * Oh, yuk.
2953 		 *
2954 		 *	For control frames, there is no SA.
2955 		 *
2956 		 *	For management frames, SA is at an
2957 		 *	offset of 10 from the beginning of
2958 		 *	the packet.
2959 		 *
2960 		 *	For data frames, SA is at an offset
2961 		 *	of 10 from the beginning of the packet
2962 		 *	if From DS is clear, at an offset of
2963 		 *	16 from the beginning of the packet
2964 		 *	if From DS is set and To DS is clear,
2965 		 *	and an offset of 24 from the beginning
2966 		 *	of the packet if From DS is set and To DS
2967 		 *	is set.
2968 		 */
2969 
2970 		/*
2971 		 * Generate the tests to be done for data frames
2972 		 * with From DS set.
2973 		 *
2974 		 * First, check for To DS set, i.e. check "link[1] & 0x01".
2975 		 */
2976 		s = gen_load_a(OR_LINK, 1, BPF_B);
2977 		b1 = new_block(JMP(BPF_JSET));
2978 		b1->s.k = 0x01;	/* To DS */
2979 		b1->stmts = s;
2980 
2981 		/*
2982 		 * If To DS is set, the SA is at 24.
2983 		 */
2984 		b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
2985 		gen_and(b1, b0);
2986 
2987 		/*
2988 		 * Now, check for To DS not set, i.e. check
2989 		 * "!(link[1] & 0x01)".
2990 		 */
2991 		s = gen_load_a(OR_LINK, 1, BPF_B);
2992 		b2 = new_block(JMP(BPF_JSET));
2993 		b2->s.k = 0x01;	/* To DS */
2994 		b2->stmts = s;
2995 		gen_not(b2);
2996 
2997 		/*
2998 		 * If To DS is not set, the SA is at 16.
2999 		 */
3000 		b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3001 		gen_and(b2, b1);
3002 
3003 		/*
3004 		 * Now OR together the last two checks.  That gives
3005 		 * the complete set of checks for data frames with
3006 		 * From DS set.
3007 		 */
3008 		gen_or(b1, b0);
3009 
3010 		/*
3011 		 * Now check for From DS being set, and AND that with
3012 		 * the ORed-together checks.
3013 		 */
3014 		s = gen_load_a(OR_LINK, 1, BPF_B);
3015 		b1 = new_block(JMP(BPF_JSET));
3016 		b1->s.k = 0x02;	/* From DS */
3017 		b1->stmts = s;
3018 		gen_and(b1, b0);
3019 
3020 		/*
3021 		 * Now check for data frames with From DS not set.
3022 		 */
3023 		s = gen_load_a(OR_LINK, 1, BPF_B);
3024 		b2 = new_block(JMP(BPF_JSET));
3025 		b2->s.k = 0x02;	/* From DS */
3026 		b2->stmts = s;
3027 		gen_not(b2);
3028 
3029 		/*
3030 		 * If From DS isn't set, the SA is at 10.
3031 		 */
3032 		b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3033 		gen_and(b2, b1);
3034 
3035 		/*
3036 		 * Now OR together the checks for data frames with
3037 		 * From DS not set and for data frames with From DS
3038 		 * set; that gives the checks done for data frames.
3039 		 */
3040 		gen_or(b1, b0);
3041 
3042 		/*
3043 		 * Now check for a data frame.
3044 		 * I.e, check "link[0] & 0x08".
3045 		 */
3046 		gen_load_a(OR_LINK, 0, BPF_B);
3047 		b1 = new_block(JMP(BPF_JSET));
3048 		b1->s.k = 0x08;
3049 		b1->stmts = s;
3050 
3051 		/*
3052 		 * AND that with the checks done for data frames.
3053 		 */
3054 		gen_and(b1, b0);
3055 
3056 		/*
3057 		 * If the high-order bit of the type value is 0, this
3058 		 * is a management frame.
3059 		 * I.e, check "!(link[0] & 0x08)".
3060 		 */
3061 		s = gen_load_a(OR_LINK, 0, BPF_B);
3062 		b2 = new_block(JMP(BPF_JSET));
3063 		b2->s.k = 0x08;
3064 		b2->stmts = s;
3065 		gen_not(b2);
3066 
3067 		/*
3068 		 * For management frames, the SA is at 10.
3069 		 */
3070 		b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3071 		gen_and(b2, b1);
3072 
3073 		/*
3074 		 * OR that with the checks done for data frames.
3075 		 * That gives the checks done for management and
3076 		 * data frames.
3077 		 */
3078 		gen_or(b1, b0);
3079 
3080 		/*
3081 		 * If the low-order bit of the type value is 1,
3082 		 * this is either a control frame or a frame
3083 		 * with a reserved type, and thus not a
3084 		 * frame with an SA.
3085 		 *
3086 		 * I.e., check "!(link[0] & 0x04)".
3087 		 */
3088 		s = gen_load_a(OR_LINK, 0, BPF_B);
3089 		b1 = new_block(JMP(BPF_JSET));
3090 		b1->s.k = 0x04;
3091 		b1->stmts = s;
3092 		gen_not(b1);
3093 
3094 		/*
3095 		 * AND that with the checks for data and management
3096 		 * frames.
3097 		 */
3098 		gen_and(b1, b0);
3099 		return b0;
3100 
3101 	case Q_DST:
3102 		/*
3103 		 * Oh, yuk.
3104 		 *
3105 		 *	For control frames, there is no DA.
3106 		 *
3107 		 *	For management frames, DA is at an
3108 		 *	offset of 4 from the beginning of
3109 		 *	the packet.
3110 		 *
3111 		 *	For data frames, DA is at an offset
3112 		 *	of 4 from the beginning of the packet
3113 		 *	if To DS is clear and at an offset of
3114 		 *	16 from the beginning of the packet
3115 		 *	if To DS is set.
3116 		 */
3117 
3118 		/*
3119 		 * Generate the tests to be done for data frames.
3120 		 *
3121 		 * First, check for To DS set, i.e. "link[1] & 0x01".
3122 		 */
3123 		s = gen_load_a(OR_LINK, 1, BPF_B);
3124 		b1 = new_block(JMP(BPF_JSET));
3125 		b1->s.k = 0x01;	/* To DS */
3126 		b1->stmts = s;
3127 
3128 		/*
3129 		 * If To DS is set, the DA is at 16.
3130 		 */
3131 		b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3132 		gen_and(b1, b0);
3133 
3134 		/*
3135 		 * Now, check for To DS not set, i.e. check
3136 		 * "!(link[1] & 0x01)".
3137 		 */
3138 		s = gen_load_a(OR_LINK, 1, BPF_B);
3139 		b2 = new_block(JMP(BPF_JSET));
3140 		b2->s.k = 0x01;	/* To DS */
3141 		b2->stmts = s;
3142 		gen_not(b2);
3143 
3144 		/*
3145 		 * If To DS is not set, the DA is at 4.
3146 		 */
3147 		b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3148 		gen_and(b2, b1);
3149 
3150 		/*
3151 		 * Now OR together the last two checks.  That gives
3152 		 * the complete set of checks for data frames.
3153 		 */
3154 		gen_or(b1, b0);
3155 
3156 		/*
3157 		 * Now check for a data frame.
3158 		 * I.e, check "link[0] & 0x08".
3159 		 */
3160 		s = gen_load_a(OR_LINK, 0, BPF_B);
3161 		b1 = new_block(JMP(BPF_JSET));
3162 		b1->s.k = 0x08;
3163 		b1->stmts = s;
3164 
3165 		/*
3166 		 * AND that with the checks done for data frames.
3167 		 */
3168 		gen_and(b1, b0);
3169 
3170 		/*
3171 		 * If the high-order bit of the type value is 0, this
3172 		 * is a management frame.
3173 		 * I.e, check "!(link[0] & 0x08)".
3174 		 */
3175 		s = gen_load_a(OR_LINK, 0, BPF_B);
3176 		b2 = new_block(JMP(BPF_JSET));
3177 		b2->s.k = 0x08;
3178 		b2->stmts = s;
3179 		gen_not(b2);
3180 
3181 		/*
3182 		 * For management frames, the DA is at 4.
3183 		 */
3184 		b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3185 		gen_and(b2, b1);
3186 
3187 		/*
3188 		 * OR that with the checks done for data frames.
3189 		 * That gives the checks done for management and
3190 		 * data frames.
3191 		 */
3192 		gen_or(b1, b0);
3193 
3194 		/*
3195 		 * If the low-order bit of the type value is 1,
3196 		 * this is either a control frame or a frame
3197 		 * with a reserved type, and thus not a
3198 		 * frame with an SA.
3199 		 *
3200 		 * I.e., check "!(link[0] & 0x04)".
3201 		 */
3202 		s = gen_load_a(OR_LINK, 0, BPF_B);
3203 		b1 = new_block(JMP(BPF_JSET));
3204 		b1->s.k = 0x04;
3205 		b1->stmts = s;
3206 		gen_not(b1);
3207 
3208 		/*
3209 		 * AND that with the checks for data and management
3210 		 * frames.
3211 		 */
3212 		gen_and(b1, b0);
3213 		return b0;
3214 
3215 	case Q_AND:
3216 		b0 = gen_wlanhostop(eaddr, Q_SRC);
3217 		b1 = gen_wlanhostop(eaddr, Q_DST);
3218 		gen_and(b0, b1);
3219 		return b1;
3220 
3221 	case Q_DEFAULT:
3222 	case Q_OR:
3223 		b0 = gen_wlanhostop(eaddr, Q_SRC);
3224 		b1 = gen_wlanhostop(eaddr, Q_DST);
3225 		gen_or(b0, b1);
3226 		return b1;
3227 	}
3228 	abort();
3229 	/* NOTREACHED */
3230 }
3231 
3232 /*
3233  * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
3234  * (We assume that the addresses are IEEE 48-bit MAC addresses,
3235  * as the RFC states.)
3236  */
3237 static struct block *
3238 gen_ipfchostop(eaddr, dir)
3239 	register const u_char *eaddr;
3240 	register int dir;
3241 {
3242 	register struct block *b0, *b1;
3243 
3244 	switch (dir) {
3245 	case Q_SRC:
3246 		return gen_bcmp(OR_LINK, 10, 6, eaddr);
3247 
3248 	case Q_DST:
3249 		return gen_bcmp(OR_LINK, 2, 6, eaddr);
3250 
3251 	case Q_AND:
3252 		b0 = gen_ipfchostop(eaddr, Q_SRC);
3253 		b1 = gen_ipfchostop(eaddr, Q_DST);
3254 		gen_and(b0, b1);
3255 		return b1;
3256 
3257 	case Q_DEFAULT:
3258 	case Q_OR:
3259 		b0 = gen_ipfchostop(eaddr, Q_SRC);
3260 		b1 = gen_ipfchostop(eaddr, Q_DST);
3261 		gen_or(b0, b1);
3262 		return b1;
3263 	}
3264 	abort();
3265 	/* NOTREACHED */
3266 }
3267 
3268 /*
3269  * This is quite tricky because there may be pad bytes in front of the
3270  * DECNET header, and then there are two possible data packet formats that
3271  * carry both src and dst addresses, plus 5 packet types in a format that
3272  * carries only the src node, plus 2 types that use a different format and
3273  * also carry just the src node.
3274  *
3275  * Yuck.
3276  *
3277  * Instead of doing those all right, we just look for data packets with
3278  * 0 or 1 bytes of padding.  If you want to look at other packets, that
3279  * will require a lot more hacking.
3280  *
3281  * To add support for filtering on DECNET "areas" (network numbers)
3282  * one would want to add a "mask" argument to this routine.  That would
3283  * make the filter even more inefficient, although one could be clever
3284  * and not generate masking instructions if the mask is 0xFFFF.
3285  */
3286 static struct block *
3287 gen_dnhostop(addr, dir)
3288 	bpf_u_int32 addr;
3289 	int dir;
3290 {
3291 	struct block *b0, *b1, *b2, *tmp;
3292 	u_int offset_lh;	/* offset if long header is received */
3293 	u_int offset_sh;	/* offset if short header is received */
3294 
3295 	switch (dir) {
3296 
3297 	case Q_DST:
3298 		offset_sh = 1;	/* follows flags */
3299 		offset_lh = 7;	/* flgs,darea,dsubarea,HIORD */
3300 		break;
3301 
3302 	case Q_SRC:
3303 		offset_sh = 3;	/* follows flags, dstnode */
3304 		offset_lh = 15;	/* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
3305 		break;
3306 
3307 	case Q_AND:
3308 		/* Inefficient because we do our Calvinball dance twice */
3309 		b0 = gen_dnhostop(addr, Q_SRC);
3310 		b1 = gen_dnhostop(addr, Q_DST);
3311 		gen_and(b0, b1);
3312 		return b1;
3313 
3314 	case Q_OR:
3315 	case Q_DEFAULT:
3316 		/* Inefficient because we do our Calvinball dance twice */
3317 		b0 = gen_dnhostop(addr, Q_SRC);
3318 		b1 = gen_dnhostop(addr, Q_DST);
3319 		gen_or(b0, b1);
3320 		return b1;
3321 
3322 	case Q_ISO:
3323 		bpf_error("ISO host filtering not implemented");
3324 
3325 	default:
3326 		abort();
3327 	}
3328 	b0 = gen_linktype(ETHERTYPE_DN);
3329 	/* Check for pad = 1, long header case */
3330 	tmp = gen_mcmp(OR_NET, 2, BPF_H,
3331 	    (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
3332 	b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
3333 	    BPF_H, (bpf_int32)ntohs((u_short)addr));
3334 	gen_and(tmp, b1);
3335 	/* Check for pad = 0, long header case */
3336 	tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
3337 	b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3338 	gen_and(tmp, b2);
3339 	gen_or(b2, b1);
3340 	/* Check for pad = 1, short header case */
3341 	tmp = gen_mcmp(OR_NET, 2, BPF_H,
3342 	    (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
3343 	b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3344 	gen_and(tmp, b2);
3345 	gen_or(b2, b1);
3346 	/* Check for pad = 0, short header case */
3347 	tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
3348 	b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3349 	gen_and(tmp, b2);
3350 	gen_or(b2, b1);
3351 
3352 	/* Combine with test for linktype */
3353 	gen_and(b0, b1);
3354 	return b1;
3355 }
3356 
3357 /*
3358  * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
3359  * test the bottom-of-stack bit, and then check the version number
3360  * field in the IP header.
3361  */
3362 static struct block *
3363 gen_mpls_linktype(proto)
3364 	int proto;
3365 {
3366 	struct block *b0, *b1;
3367 
3368         switch (proto) {
3369 
3370         case Q_IP:
3371                 /* match the bottom-of-stack bit */
3372                 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3373                 /* match the IPv4 version number */
3374                 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
3375                 gen_and(b0, b1);
3376                 return b1;
3377 
3378        case Q_IPV6:
3379                 /* match the bottom-of-stack bit */
3380                 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3381                 /* match the IPv4 version number */
3382                 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
3383                 gen_and(b0, b1);
3384                 return b1;
3385 
3386        default:
3387                 abort();
3388         }
3389 }
3390 
3391 static struct block *
3392 gen_host(addr, mask, proto, dir, type)
3393 	bpf_u_int32 addr;
3394 	bpf_u_int32 mask;
3395 	int proto;
3396 	int dir;
3397 	int type;
3398 {
3399 	struct block *b0, *b1;
3400 	const char *typestr;
3401 
3402 	if (type == Q_NET)
3403 		typestr = "net";
3404 	else
3405 		typestr = "host";
3406 
3407 	switch (proto) {
3408 
3409 	case Q_DEFAULT:
3410 		b0 = gen_host(addr, mask, Q_IP, dir, type);
3411 		/*
3412 		 * Only check for non-IPv4 addresses if we're not
3413 		 * checking MPLS-encapsulated packets.
3414 		 */
3415 		if (label_stack_depth == 0) {
3416 			b1 = gen_host(addr, mask, Q_ARP, dir, type);
3417 			gen_or(b0, b1);
3418 			b0 = gen_host(addr, mask, Q_RARP, dir, type);
3419 			gen_or(b1, b0);
3420 		}
3421 		return b0;
3422 
3423 	case Q_IP:
3424 		return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
3425 
3426 	case Q_RARP:
3427 		return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
3428 
3429 	case Q_ARP:
3430 		return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
3431 
3432 	case Q_TCP:
3433 		bpf_error("'tcp' modifier applied to %s", typestr);
3434 
3435 	case Q_SCTP:
3436 		bpf_error("'sctp' modifier applied to %s", typestr);
3437 
3438 	case Q_UDP:
3439 		bpf_error("'udp' modifier applied to %s", typestr);
3440 
3441 	case Q_ICMP:
3442 		bpf_error("'icmp' modifier applied to %s", typestr);
3443 
3444 	case Q_IGMP:
3445 		bpf_error("'igmp' modifier applied to %s", typestr);
3446 
3447 	case Q_IGRP:
3448 		bpf_error("'igrp' modifier applied to %s", typestr);
3449 
3450 	case Q_PIM:
3451 		bpf_error("'pim' modifier applied to %s", typestr);
3452 
3453 	case Q_VRRP:
3454 		bpf_error("'vrrp' modifier applied to %s", typestr);
3455 
3456 	case Q_ATALK:
3457 		bpf_error("ATALK host filtering not implemented");
3458 
3459 	case Q_AARP:
3460 		bpf_error("AARP host filtering not implemented");
3461 
3462 	case Q_DECNET:
3463 		return gen_dnhostop(addr, dir);
3464 
3465 	case Q_SCA:
3466 		bpf_error("SCA host filtering not implemented");
3467 
3468 	case Q_LAT:
3469 		bpf_error("LAT host filtering not implemented");
3470 
3471 	case Q_MOPDL:
3472 		bpf_error("MOPDL host filtering not implemented");
3473 
3474 	case Q_MOPRC:
3475 		bpf_error("MOPRC host filtering not implemented");
3476 
3477 #ifdef INET6
3478 	case Q_IPV6:
3479 		bpf_error("'ip6' modifier applied to ip host");
3480 
3481 	case Q_ICMPV6:
3482 		bpf_error("'icmp6' modifier applied to %s", typestr);
3483 #endif /* INET6 */
3484 
3485 	case Q_AH:
3486 		bpf_error("'ah' modifier applied to %s", typestr);
3487 
3488 	case Q_ESP:
3489 		bpf_error("'esp' modifier applied to %s", typestr);
3490 
3491 	case Q_ISO:
3492 		bpf_error("ISO host filtering not implemented");
3493 
3494 	case Q_ESIS:
3495 		bpf_error("'esis' modifier applied to %s", typestr);
3496 
3497 	case Q_ISIS:
3498 		bpf_error("'isis' modifier applied to %s", typestr);
3499 
3500 	case Q_CLNP:
3501 		bpf_error("'clnp' modifier applied to %s", typestr);
3502 
3503 	case Q_STP:
3504 		bpf_error("'stp' modifier applied to %s", typestr);
3505 
3506 	case Q_IPX:
3507 		bpf_error("IPX host filtering not implemented");
3508 
3509 	case Q_NETBEUI:
3510 		bpf_error("'netbeui' modifier applied to %s", typestr);
3511 
3512 	case Q_RADIO:
3513 		bpf_error("'radio' modifier applied to %s", typestr);
3514 
3515 	default:
3516 		abort();
3517 	}
3518 	/* NOTREACHED */
3519 }
3520 
3521 #ifdef INET6
3522 static struct block *
3523 gen_host6(addr, mask, proto, dir, type)
3524 	struct in6_addr *addr;
3525 	struct in6_addr *mask;
3526 	int proto;
3527 	int dir;
3528 	int type;
3529 {
3530 	const char *typestr;
3531 
3532 	if (type == Q_NET)
3533 		typestr = "net";
3534 	else
3535 		typestr = "host";
3536 
3537 	switch (proto) {
3538 
3539 	case Q_DEFAULT:
3540 		return gen_host6(addr, mask, Q_IPV6, dir, type);
3541 
3542 	case Q_IP:
3543 		bpf_error("'ip' modifier applied to ip6 %s", typestr);
3544 
3545 	case Q_RARP:
3546 		bpf_error("'rarp' modifier applied to ip6 %s", typestr);
3547 
3548 	case Q_ARP:
3549 		bpf_error("'arp' modifier applied to ip6 %s", typestr);
3550 
3551 	case Q_SCTP:
3552 		bpf_error("'sctp' modifier applied to %s", typestr);
3553 
3554 	case Q_TCP:
3555 		bpf_error("'tcp' modifier applied to %s", typestr);
3556 
3557 	case Q_UDP:
3558 		bpf_error("'udp' modifier applied to %s", typestr);
3559 
3560 	case Q_ICMP:
3561 		bpf_error("'icmp' modifier applied to %s", typestr);
3562 
3563 	case Q_IGMP:
3564 		bpf_error("'igmp' modifier applied to %s", typestr);
3565 
3566 	case Q_IGRP:
3567 		bpf_error("'igrp' modifier applied to %s", typestr);
3568 
3569 	case Q_PIM:
3570 		bpf_error("'pim' modifier applied to %s", typestr);
3571 
3572 	case Q_VRRP:
3573 		bpf_error("'vrrp' modifier applied to %s", typestr);
3574 
3575 	case Q_ATALK:
3576 		bpf_error("ATALK host filtering not implemented");
3577 
3578 	case Q_AARP:
3579 		bpf_error("AARP host filtering not implemented");
3580 
3581 	case Q_DECNET:
3582 		bpf_error("'decnet' modifier applied to ip6 %s", typestr);
3583 
3584 	case Q_SCA:
3585 		bpf_error("SCA host filtering not implemented");
3586 
3587 	case Q_LAT:
3588 		bpf_error("LAT host filtering not implemented");
3589 
3590 	case Q_MOPDL:
3591 		bpf_error("MOPDL host filtering not implemented");
3592 
3593 	case Q_MOPRC:
3594 		bpf_error("MOPRC host filtering not implemented");
3595 
3596 	case Q_IPV6:
3597 		return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
3598 
3599 	case Q_ICMPV6:
3600 		bpf_error("'icmp6' modifier applied to %s", typestr);
3601 
3602 	case Q_AH:
3603 		bpf_error("'ah' modifier applied to %s", typestr);
3604 
3605 	case Q_ESP:
3606 		bpf_error("'esp' modifier applied to %s", typestr);
3607 
3608 	case Q_ISO:
3609 		bpf_error("ISO host filtering not implemented");
3610 
3611 	case Q_ESIS:
3612 		bpf_error("'esis' modifier applied to %s", typestr);
3613 
3614 	case Q_ISIS:
3615 		bpf_error("'isis' modifier applied to %s", typestr);
3616 
3617 	case Q_CLNP:
3618 		bpf_error("'clnp' modifier applied to %s", typestr);
3619 
3620 	case Q_STP:
3621 		bpf_error("'stp' modifier applied to %s", typestr);
3622 
3623 	case Q_IPX:
3624 		bpf_error("IPX host filtering not implemented");
3625 
3626 	case Q_NETBEUI:
3627 		bpf_error("'netbeui' modifier applied to %s", typestr);
3628 
3629 	case Q_RADIO:
3630 		bpf_error("'radio' modifier applied to %s", typestr);
3631 
3632 	default:
3633 		abort();
3634 	}
3635 	/* NOTREACHED */
3636 }
3637 #endif /*INET6*/
3638 
3639 #ifndef INET6
3640 static struct block *
3641 gen_gateway(eaddr, alist, proto, dir)
3642 	const u_char *eaddr;
3643 	bpf_u_int32 **alist;
3644 	int proto;
3645 	int dir;
3646 {
3647 	struct block *b0, *b1, *tmp;
3648 
3649 	if (dir != 0)
3650 		bpf_error("direction applied to 'gateway'");
3651 
3652 	switch (proto) {
3653 	case Q_DEFAULT:
3654 	case Q_IP:
3655 	case Q_ARP:
3656 	case Q_RARP:
3657                 switch (linktype) {
3658                 case DLT_EN10MB:
3659                     b0 = gen_ehostop(eaddr, Q_OR);
3660                     break;
3661                 case DLT_FDDI:
3662                     b0 = gen_fhostop(eaddr, Q_OR);
3663                     break;
3664 		case DLT_IEEE802:
3665                     b0 = gen_thostop(eaddr, Q_OR);
3666                     break;
3667 		case DLT_IEEE802_11:
3668 		case DLT_IEEE802_11_RADIO_AVS:
3669 		case DLT_PPI:
3670 		case DLT_IEEE802_11_RADIO:
3671 		case DLT_PRISM_HEADER:
3672                     b0 = gen_wlanhostop(eaddr, Q_OR);
3673                     break;
3674                 case DLT_SUNATM:
3675                     if (is_lane) {
3676 			/*
3677 			 * Check that the packet doesn't begin with an
3678 			 * LE Control marker.  (We've already generated
3679 			 * a test for LANE.)
3680 			 */
3681 			b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3682 			    0xFF00);
3683 			gen_not(b1);
3684 
3685 			/*
3686 			 * Now check the MAC address.
3687 			 */
3688 			b0 = gen_ehostop(eaddr, Q_OR);
3689 			gen_and(b1, b0);
3690                     }
3691                     break;
3692 		case DLT_IP_OVER_FC:
3693                     b0 = gen_ipfchostop(eaddr, Q_OR);
3694                     break;
3695                 default:
3696                     bpf_error(
3697 			    "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
3698                 }
3699 		b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
3700 		while (*alist) {
3701 			tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
3702 			    Q_HOST);
3703 			gen_or(b1, tmp);
3704 			b1 = tmp;
3705 		}
3706 		gen_not(b1);
3707 		gen_and(b0, b1);
3708 		return b1;
3709 	}
3710 	bpf_error("illegal modifier of 'gateway'");
3711 	/* NOTREACHED */
3712 }
3713 #endif
3714 
3715 struct block *
3716 gen_proto_abbrev(proto)
3717 	int proto;
3718 {
3719 	struct block *b0;
3720 	struct block *b1;
3721 
3722 	switch (proto) {
3723 
3724 	case Q_SCTP:
3725 		b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
3726 #ifdef INET6
3727 		b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
3728 		gen_or(b0, b1);
3729 #endif
3730 		break;
3731 
3732 	case Q_TCP:
3733 		b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
3734 #ifdef INET6
3735 		b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
3736 		gen_or(b0, b1);
3737 #endif
3738 		break;
3739 
3740 	case Q_UDP:
3741 		b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
3742 #ifdef INET6
3743 		b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
3744 		gen_or(b0, b1);
3745 #endif
3746 		break;
3747 
3748 	case Q_ICMP:
3749 		b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
3750 		break;
3751 
3752 #ifndef	IPPROTO_IGMP
3753 #define	IPPROTO_IGMP	2
3754 #endif
3755 
3756 	case Q_IGMP:
3757 		b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
3758 		break;
3759 
3760 #ifndef	IPPROTO_IGRP
3761 #define	IPPROTO_IGRP	9
3762 #endif
3763 	case Q_IGRP:
3764 		b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
3765 		break;
3766 
3767 #ifndef IPPROTO_PIM
3768 #define IPPROTO_PIM	103
3769 #endif
3770 
3771 	case Q_PIM:
3772 		b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
3773 #ifdef INET6
3774 		b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
3775 		gen_or(b0, b1);
3776 #endif
3777 		break;
3778 
3779 #ifndef IPPROTO_VRRP
3780 #define IPPROTO_VRRP	112
3781 #endif
3782 
3783 	case Q_VRRP:
3784 		b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
3785 		break;
3786 
3787 	case Q_IP:
3788 		b1 =  gen_linktype(ETHERTYPE_IP);
3789 		break;
3790 
3791 	case Q_ARP:
3792 		b1 =  gen_linktype(ETHERTYPE_ARP);
3793 		break;
3794 
3795 	case Q_RARP:
3796 		b1 =  gen_linktype(ETHERTYPE_REVARP);
3797 		break;
3798 
3799 	case Q_LINK:
3800 		bpf_error("link layer applied in wrong context");
3801 
3802 	case Q_ATALK:
3803 		b1 =  gen_linktype(ETHERTYPE_ATALK);
3804 		break;
3805 
3806 	case Q_AARP:
3807 		b1 =  gen_linktype(ETHERTYPE_AARP);
3808 		break;
3809 
3810 	case Q_DECNET:
3811 		b1 =  gen_linktype(ETHERTYPE_DN);
3812 		break;
3813 
3814 	case Q_SCA:
3815 		b1 =  gen_linktype(ETHERTYPE_SCA);
3816 		break;
3817 
3818 	case Q_LAT:
3819 		b1 =  gen_linktype(ETHERTYPE_LAT);
3820 		break;
3821 
3822 	case Q_MOPDL:
3823 		b1 =  gen_linktype(ETHERTYPE_MOPDL);
3824 		break;
3825 
3826 	case Q_MOPRC:
3827 		b1 =  gen_linktype(ETHERTYPE_MOPRC);
3828 		break;
3829 
3830 #ifdef INET6
3831 	case Q_IPV6:
3832 		b1 = gen_linktype(ETHERTYPE_IPV6);
3833 		break;
3834 
3835 #ifndef IPPROTO_ICMPV6
3836 #define IPPROTO_ICMPV6	58
3837 #endif
3838 	case Q_ICMPV6:
3839 		b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3840 		break;
3841 #endif /* INET6 */
3842 
3843 #ifndef IPPROTO_AH
3844 #define IPPROTO_AH	51
3845 #endif
3846 	case Q_AH:
3847 		b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3848 #ifdef INET6
3849 		b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3850 		gen_or(b0, b1);
3851 #endif
3852 		break;
3853 
3854 #ifndef IPPROTO_ESP
3855 #define IPPROTO_ESP	50
3856 #endif
3857 	case Q_ESP:
3858 		b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3859 #ifdef INET6
3860 		b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3861 		gen_or(b0, b1);
3862 #endif
3863 		break;
3864 
3865 	case Q_ISO:
3866 		b1 = gen_linktype(LLCSAP_ISONS);
3867 		break;
3868 
3869 	case Q_ESIS:
3870 		b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3871 		break;
3872 
3873 	case Q_ISIS:
3874 		b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3875 		break;
3876 
3877 	case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3878 		b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3879 		b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3880 		gen_or(b0, b1);
3881 		b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3882 		gen_or(b0, b1);
3883 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3884 		gen_or(b0, b1);
3885 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3886 		gen_or(b0, b1);
3887 		break;
3888 
3889 	case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3890 		b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3891 		b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3892 		gen_or(b0, b1);
3893 		b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3894 		gen_or(b0, b1);
3895 		b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3896 		gen_or(b0, b1);
3897 		b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3898 		gen_or(b0, b1);
3899 		break;
3900 
3901 	case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3902 		b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3903 		b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3904 		gen_or(b0, b1);
3905 		b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3906 		gen_or(b0, b1);
3907 		break;
3908 
3909 	case Q_ISIS_LSP:
3910 		b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3911 		b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3912 		gen_or(b0, b1);
3913 		break;
3914 
3915 	case Q_ISIS_SNP:
3916 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3917 		b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3918 		gen_or(b0, b1);
3919 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3920 		gen_or(b0, b1);
3921 		b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3922 		gen_or(b0, b1);
3923 		break;
3924 
3925 	case Q_ISIS_CSNP:
3926 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3927 		b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3928 		gen_or(b0, b1);
3929 		break;
3930 
3931 	case Q_ISIS_PSNP:
3932 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3933 		b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3934 		gen_or(b0, b1);
3935 		break;
3936 
3937 	case Q_CLNP:
3938 		b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3939 		break;
3940 
3941 	case Q_STP:
3942 		b1 = gen_linktype(LLCSAP_8021D);
3943 		break;
3944 
3945 	case Q_IPX:
3946 		b1 = gen_linktype(LLCSAP_IPX);
3947 		break;
3948 
3949 	case Q_NETBEUI:
3950 		b1 = gen_linktype(LLCSAP_NETBEUI);
3951 		break;
3952 
3953 	case Q_RADIO:
3954 		bpf_error("'radio' is not a valid protocol type");
3955 
3956 	default:
3957 		abort();
3958 	}
3959 	return b1;
3960 }
3961 
3962 static struct block *
3963 gen_ipfrag()
3964 {
3965 	struct slist *s;
3966 	struct block *b;
3967 
3968 	/* not ip frag */
3969 	s = gen_load_a(OR_NET, 6, BPF_H);
3970 	b = new_block(JMP(BPF_JSET));
3971 	b->s.k = 0x1fff;
3972 	b->stmts = s;
3973 	gen_not(b);
3974 
3975 	return b;
3976 }
3977 
3978 /*
3979  * Generate a comparison to a port value in the transport-layer header
3980  * at the specified offset from the beginning of that header.
3981  *
3982  * XXX - this handles a variable-length prefix preceding the link-layer
3983  * header, such as the radiotap or AVS radio prefix, but doesn't handle
3984  * variable-length link-layer headers (such as Token Ring or 802.11
3985  * headers).
3986  */
3987 static struct block *
3988 gen_portatom(off, v)
3989 	int off;
3990 	bpf_int32 v;
3991 {
3992 	return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
3993 }
3994 
3995 #ifdef INET6
3996 static struct block *
3997 gen_portatom6(off, v)
3998 	int off;
3999 	bpf_int32 v;
4000 {
4001 	return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
4002 }
4003 #endif/*INET6*/
4004 
4005 struct block *
4006 gen_portop(port, proto, dir)
4007 	int port, proto, dir;
4008 {
4009 	struct block *b0, *b1, *tmp;
4010 
4011 	/* ip proto 'proto' */
4012 	tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4013 	b0 = gen_ipfrag();
4014 	gen_and(tmp, b0);
4015 
4016 	switch (dir) {
4017 	case Q_SRC:
4018 		b1 = gen_portatom(0, (bpf_int32)port);
4019 		break;
4020 
4021 	case Q_DST:
4022 		b1 = gen_portatom(2, (bpf_int32)port);
4023 		break;
4024 
4025 	case Q_OR:
4026 	case Q_DEFAULT:
4027 		tmp = gen_portatom(0, (bpf_int32)port);
4028 		b1 = gen_portatom(2, (bpf_int32)port);
4029 		gen_or(tmp, b1);
4030 		break;
4031 
4032 	case Q_AND:
4033 		tmp = gen_portatom(0, (bpf_int32)port);
4034 		b1 = gen_portatom(2, (bpf_int32)port);
4035 		gen_and(tmp, b1);
4036 		break;
4037 
4038 	default:
4039 		abort();
4040 	}
4041 	gen_and(b0, b1);
4042 
4043 	return b1;
4044 }
4045 
4046 static struct block *
4047 gen_port(port, ip_proto, dir)
4048 	int port;
4049 	int ip_proto;
4050 	int dir;
4051 {
4052 	struct block *b0, *b1, *tmp;
4053 
4054 	/*
4055 	 * ether proto ip
4056 	 *
4057 	 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4058 	 * not LLC encapsulation with LLCSAP_IP.
4059 	 *
4060 	 * For IEEE 802 networks - which includes 802.5 token ring
4061 	 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4062 	 * says that SNAP encapsulation is used, not LLC encapsulation
4063 	 * with LLCSAP_IP.
4064 	 *
4065 	 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4066 	 * RFC 2225 say that SNAP encapsulation is used, not LLC
4067 	 * encapsulation with LLCSAP_IP.
4068 	 *
4069 	 * So we always check for ETHERTYPE_IP.
4070 	 */
4071 	b0 =  gen_linktype(ETHERTYPE_IP);
4072 
4073 	switch (ip_proto) {
4074 	case IPPROTO_UDP:
4075 	case IPPROTO_TCP:
4076 	case IPPROTO_SCTP:
4077 		b1 = gen_portop(port, ip_proto, dir);
4078 		break;
4079 
4080 	case PROTO_UNDEF:
4081 		tmp = gen_portop(port, IPPROTO_TCP, dir);
4082 		b1 = gen_portop(port, IPPROTO_UDP, dir);
4083 		gen_or(tmp, b1);
4084 		tmp = gen_portop(port, IPPROTO_SCTP, dir);
4085 		gen_or(tmp, b1);
4086 		break;
4087 
4088 	default:
4089 		abort();
4090 	}
4091 	gen_and(b0, b1);
4092 	return b1;
4093 }
4094 
4095 #ifdef INET6
4096 struct block *
4097 gen_portop6(port, proto, dir)
4098 	int port, proto, dir;
4099 {
4100 	struct block *b0, *b1, *tmp;
4101 
4102 	/* ip6 proto 'proto' */
4103 	b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4104 
4105 	switch (dir) {
4106 	case Q_SRC:
4107 		b1 = gen_portatom6(0, (bpf_int32)port);
4108 		break;
4109 
4110 	case Q_DST:
4111 		b1 = gen_portatom6(2, (bpf_int32)port);
4112 		break;
4113 
4114 	case Q_OR:
4115 	case Q_DEFAULT:
4116 		tmp = gen_portatom6(0, (bpf_int32)port);
4117 		b1 = gen_portatom6(2, (bpf_int32)port);
4118 		gen_or(tmp, b1);
4119 		break;
4120 
4121 	case Q_AND:
4122 		tmp = gen_portatom6(0, (bpf_int32)port);
4123 		b1 = gen_portatom6(2, (bpf_int32)port);
4124 		gen_and(tmp, b1);
4125 		break;
4126 
4127 	default:
4128 		abort();
4129 	}
4130 	gen_and(b0, b1);
4131 
4132 	return b1;
4133 }
4134 
4135 static struct block *
4136 gen_port6(port, ip_proto, dir)
4137 	int port;
4138 	int ip_proto;
4139 	int dir;
4140 {
4141 	struct block *b0, *b1, *tmp;
4142 
4143 	/* link proto ip6 */
4144 	b0 =  gen_linktype(ETHERTYPE_IPV6);
4145 
4146 	switch (ip_proto) {
4147 	case IPPROTO_UDP:
4148 	case IPPROTO_TCP:
4149 	case IPPROTO_SCTP:
4150 		b1 = gen_portop6(port, ip_proto, dir);
4151 		break;
4152 
4153 	case PROTO_UNDEF:
4154 		tmp = gen_portop6(port, IPPROTO_TCP, dir);
4155 		b1 = gen_portop6(port, IPPROTO_UDP, dir);
4156 		gen_or(tmp, b1);
4157 		tmp = gen_portop6(port, IPPROTO_SCTP, dir);
4158 		gen_or(tmp, b1);
4159 		break;
4160 
4161 	default:
4162 		abort();
4163 	}
4164 	gen_and(b0, b1);
4165 	return b1;
4166 }
4167 #endif /* INET6 */
4168 
4169 /* gen_portrange code */
4170 static struct block *
4171 gen_portrangeatom(off, v1, v2)
4172 	int off;
4173 	bpf_int32 v1, v2;
4174 {
4175 	struct block *b1, *b2;
4176 
4177 	if (v1 > v2) {
4178 		/*
4179 		 * Reverse the order of the ports, so v1 is the lower one.
4180 		 */
4181 		bpf_int32 vtemp;
4182 
4183 		vtemp = v1;
4184 		v1 = v2;
4185 		v2 = vtemp;
4186 	}
4187 
4188 	b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
4189 	b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
4190 
4191 	gen_and(b1, b2);
4192 
4193 	return b2;
4194 }
4195 
4196 struct block *
4197 gen_portrangeop(port1, port2, proto, dir)
4198 	int port1, port2;
4199 	int proto;
4200 	int dir;
4201 {
4202 	struct block *b0, *b1, *tmp;
4203 
4204 	/* ip proto 'proto' */
4205 	tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4206 	b0 = gen_ipfrag();
4207 	gen_and(tmp, b0);
4208 
4209 	switch (dir) {
4210 	case Q_SRC:
4211 		b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4212 		break;
4213 
4214 	case Q_DST:
4215 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4216 		break;
4217 
4218 	case Q_OR:
4219 	case Q_DEFAULT:
4220 		tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4221 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4222 		gen_or(tmp, b1);
4223 		break;
4224 
4225 	case Q_AND:
4226 		tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4227 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4228 		gen_and(tmp, b1);
4229 		break;
4230 
4231 	default:
4232 		abort();
4233 	}
4234 	gen_and(b0, b1);
4235 
4236 	return b1;
4237 }
4238 
4239 static struct block *
4240 gen_portrange(port1, port2, ip_proto, dir)
4241 	int port1, port2;
4242 	int ip_proto;
4243 	int dir;
4244 {
4245 	struct block *b0, *b1, *tmp;
4246 
4247 	/* link proto ip */
4248 	b0 =  gen_linktype(ETHERTYPE_IP);
4249 
4250 	switch (ip_proto) {
4251 	case IPPROTO_UDP:
4252 	case IPPROTO_TCP:
4253 	case IPPROTO_SCTP:
4254 		b1 = gen_portrangeop(port1, port2, ip_proto, dir);
4255 		break;
4256 
4257 	case PROTO_UNDEF:
4258 		tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
4259 		b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
4260 		gen_or(tmp, b1);
4261 		tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
4262 		gen_or(tmp, b1);
4263 		break;
4264 
4265 	default:
4266 		abort();
4267 	}
4268 	gen_and(b0, b1);
4269 	return b1;
4270 }
4271 
4272 #ifdef INET6
4273 static struct block *
4274 gen_portrangeatom6(off, v1, v2)
4275 	int off;
4276 	bpf_int32 v1, v2;
4277 {
4278 	struct block *b1, *b2;
4279 
4280 	if (v1 > v2) {
4281 		/*
4282 		 * Reverse the order of the ports, so v1 is the lower one.
4283 		 */
4284 		bpf_int32 vtemp;
4285 
4286 		vtemp = v1;
4287 		v1 = v2;
4288 		v2 = vtemp;
4289 	}
4290 
4291 	b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
4292 	b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
4293 
4294 	gen_and(b1, b2);
4295 
4296 	return b2;
4297 }
4298 
4299 struct block *
4300 gen_portrangeop6(port1, port2, proto, dir)
4301 	int port1, port2;
4302 	int proto;
4303 	int dir;
4304 {
4305 	struct block *b0, *b1, *tmp;
4306 
4307 	/* ip6 proto 'proto' */
4308 	b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4309 
4310 	switch (dir) {
4311 	case Q_SRC:
4312 		b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4313 		break;
4314 
4315 	case Q_DST:
4316 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4317 		break;
4318 
4319 	case Q_OR:
4320 	case Q_DEFAULT:
4321 		tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4322 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4323 		gen_or(tmp, b1);
4324 		break;
4325 
4326 	case Q_AND:
4327 		tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4328 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4329 		gen_and(tmp, b1);
4330 		break;
4331 
4332 	default:
4333 		abort();
4334 	}
4335 	gen_and(b0, b1);
4336 
4337 	return b1;
4338 }
4339 
4340 static struct block *
4341 gen_portrange6(port1, port2, ip_proto, dir)
4342 	int port1, port2;
4343 	int ip_proto;
4344 	int dir;
4345 {
4346 	struct block *b0, *b1, *tmp;
4347 
4348 	/* link proto ip6 */
4349 	b0 =  gen_linktype(ETHERTYPE_IPV6);
4350 
4351 	switch (ip_proto) {
4352 	case IPPROTO_UDP:
4353 	case IPPROTO_TCP:
4354 	case IPPROTO_SCTP:
4355 		b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
4356 		break;
4357 
4358 	case PROTO_UNDEF:
4359 		tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
4360 		b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
4361 		gen_or(tmp, b1);
4362 		tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
4363 		gen_or(tmp, b1);
4364 		break;
4365 
4366 	default:
4367 		abort();
4368 	}
4369 	gen_and(b0, b1);
4370 	return b1;
4371 }
4372 #endif /* INET6 */
4373 
4374 static int
4375 lookup_proto(name, proto)
4376 	register const char *name;
4377 	register int proto;
4378 {
4379 	register int v;
4380 
4381 	switch (proto) {
4382 
4383 	case Q_DEFAULT:
4384 	case Q_IP:
4385 	case Q_IPV6:
4386 		v = pcap_nametoproto(name);
4387 		if (v == PROTO_UNDEF)
4388 			bpf_error("unknown ip proto '%s'", name);
4389 		break;
4390 
4391 	case Q_LINK:
4392 		/* XXX should look up h/w protocol type based on linktype */
4393 		v = pcap_nametoeproto(name);
4394 		if (v == PROTO_UNDEF) {
4395 			v = pcap_nametollc(name);
4396 			if (v == PROTO_UNDEF)
4397 				bpf_error("unknown ether proto '%s'", name);
4398 		}
4399 		break;
4400 
4401 	case Q_ISO:
4402 		if (strcmp(name, "esis") == 0)
4403 			v = ISO9542_ESIS;
4404 		else if (strcmp(name, "isis") == 0)
4405 			v = ISO10589_ISIS;
4406 		else if (strcmp(name, "clnp") == 0)
4407 			v = ISO8473_CLNP;
4408 		else
4409 			bpf_error("unknown osi proto '%s'", name);
4410 		break;
4411 
4412 	default:
4413 		v = PROTO_UNDEF;
4414 		break;
4415 	}
4416 	return v;
4417 }
4418 
4419 #if 0
4420 struct stmt *
4421 gen_joinsp(s, n)
4422 	struct stmt **s;
4423 	int n;
4424 {
4425 	return NULL;
4426 }
4427 #endif
4428 
4429 static struct block *
4430 gen_protochain(v, proto, dir)
4431 	int v;
4432 	int proto;
4433 	int dir;
4434 {
4435 #ifdef NO_PROTOCHAIN
4436 	return gen_proto(v, proto, dir);
4437 #else
4438 	struct block *b0, *b;
4439 	struct slist *s[100];
4440 	int fix2, fix3, fix4, fix5;
4441 	int ahcheck, again, end;
4442 	int i, max;
4443 	int reg2 = alloc_reg();
4444 
4445 	memset(s, 0, sizeof(s));
4446 	fix2 = fix3 = fix4 = fix5 = 0;
4447 
4448 	switch (proto) {
4449 	case Q_IP:
4450 	case Q_IPV6:
4451 		break;
4452 	case Q_DEFAULT:
4453 		b0 = gen_protochain(v, Q_IP, dir);
4454 		b = gen_protochain(v, Q_IPV6, dir);
4455 		gen_or(b0, b);
4456 		return b;
4457 	default:
4458 		bpf_error("bad protocol applied for 'protochain'");
4459 		/*NOTREACHED*/
4460 	}
4461 
4462 	/*
4463 	 * We don't handle variable-length radiotap here headers yet.
4464 	 * We might want to add BPF instructions to do the protochain
4465 	 * work, to simplify that and, on platforms that have a BPF
4466 	 * interpreter with the new instructions, let the filtering
4467 	 * be done in the kernel.  (We already require a modified BPF
4468 	 * engine to do the protochain stuff, to support backward
4469 	 * branches, and backward branch support is unlikely to appear
4470 	 * in kernel BPF engines.)
4471 	 */
4472 	if (linktype == DLT_IEEE802_11_RADIO)
4473 		bpf_error("'protochain' not supported with radiotap headers");
4474 
4475 	if (linktype == DLT_PPI)
4476 		bpf_error("'protochain' not supported with PPI headers");
4477 
4478 	no_optimize = 1; /*this code is not compatible with optimzer yet */
4479 
4480 	/*
4481 	 * s[0] is a dummy entry to protect other BPF insn from damage
4482 	 * by s[fix] = foo with uninitialized variable "fix".  It is somewhat
4483 	 * hard to find interdependency made by jump table fixup.
4484 	 */
4485 	i = 0;
4486 	s[i] = new_stmt(0);	/*dummy*/
4487 	i++;
4488 
4489 	switch (proto) {
4490 	case Q_IP:
4491 		b0 = gen_linktype(ETHERTYPE_IP);
4492 
4493 		/* A = ip->ip_p */
4494 		s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4495 		s[i]->s.k = off_ll + off_nl + 9;
4496 		i++;
4497 		/* X = ip->ip_hl << 2 */
4498 		s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4499 		s[i]->s.k = off_ll + off_nl;
4500 		i++;
4501 		break;
4502 #ifdef INET6
4503 	case Q_IPV6:
4504 		b0 = gen_linktype(ETHERTYPE_IPV6);
4505 
4506 		/* A = ip6->ip_nxt */
4507 		s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4508 		s[i]->s.k = off_ll + off_nl + 6;
4509 		i++;
4510 		/* X = sizeof(struct ip6_hdr) */
4511 		s[i] = new_stmt(BPF_LDX|BPF_IMM);
4512 		s[i]->s.k = 40;
4513 		i++;
4514 		break;
4515 #endif
4516 	default:
4517 		bpf_error("unsupported proto to gen_protochain");
4518 		/*NOTREACHED*/
4519 	}
4520 
4521 	/* again: if (A == v) goto end; else fall through; */
4522 	again = i;
4523 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4524 	s[i]->s.k = v;
4525 	s[i]->s.jt = NULL;		/*later*/
4526 	s[i]->s.jf = NULL;		/*update in next stmt*/
4527 	fix5 = i;
4528 	i++;
4529 
4530 #ifndef IPPROTO_NONE
4531 #define IPPROTO_NONE	59
4532 #endif
4533 	/* if (A == IPPROTO_NONE) goto end */
4534 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4535 	s[i]->s.jt = NULL;	/*later*/
4536 	s[i]->s.jf = NULL;	/*update in next stmt*/
4537 	s[i]->s.k = IPPROTO_NONE;
4538 	s[fix5]->s.jf = s[i];
4539 	fix2 = i;
4540 	i++;
4541 
4542 #ifdef INET6
4543 	if (proto == Q_IPV6) {
4544 		int v6start, v6end, v6advance, j;
4545 
4546 		v6start = i;
4547 		/* if (A == IPPROTO_HOPOPTS) goto v6advance */
4548 		s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4549 		s[i]->s.jt = NULL;	/*later*/
4550 		s[i]->s.jf = NULL;	/*update in next stmt*/
4551 		s[i]->s.k = IPPROTO_HOPOPTS;
4552 		s[fix2]->s.jf = s[i];
4553 		i++;
4554 		/* if (A == IPPROTO_DSTOPTS) goto v6advance */
4555 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4556 		s[i]->s.jt = NULL;	/*later*/
4557 		s[i]->s.jf = NULL;	/*update in next stmt*/
4558 		s[i]->s.k = IPPROTO_DSTOPTS;
4559 		i++;
4560 		/* if (A == IPPROTO_ROUTING) goto v6advance */
4561 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4562 		s[i]->s.jt = NULL;	/*later*/
4563 		s[i]->s.jf = NULL;	/*update in next stmt*/
4564 		s[i]->s.k = IPPROTO_ROUTING;
4565 		i++;
4566 		/* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
4567 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4568 		s[i]->s.jt = NULL;	/*later*/
4569 		s[i]->s.jf = NULL;	/*later*/
4570 		s[i]->s.k = IPPROTO_FRAGMENT;
4571 		fix3 = i;
4572 		v6end = i;
4573 		i++;
4574 
4575 		/* v6advance: */
4576 		v6advance = i;
4577 
4578 		/*
4579 		 * in short,
4580 		 * A = P[X];
4581 		 * X = X + (P[X + 1] + 1) * 8;
4582 		 */
4583 		/* A = X */
4584 		s[i] = new_stmt(BPF_MISC|BPF_TXA);
4585 		i++;
4586 		/* A = P[X + packet head] */
4587 		s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4588 		s[i]->s.k = off_ll + off_nl;
4589 		i++;
4590 		/* MEM[reg2] = A */
4591 		s[i] = new_stmt(BPF_ST);
4592 		s[i]->s.k = reg2;
4593 		i++;
4594 		/* A = X */
4595 		s[i] = new_stmt(BPF_MISC|BPF_TXA);
4596 		i++;
4597 		/* A += 1 */
4598 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4599 		s[i]->s.k = 1;
4600 		i++;
4601 		/* X = A */
4602 		s[i] = new_stmt(BPF_MISC|BPF_TAX);
4603 		i++;
4604 		/* A = P[X + packet head]; */
4605 		s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4606 		s[i]->s.k = off_ll + off_nl;
4607 		i++;
4608 		/* A += 1 */
4609 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4610 		s[i]->s.k = 1;
4611 		i++;
4612 		/* A *= 8 */
4613 		s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4614 		s[i]->s.k = 8;
4615 		i++;
4616 		/* X = A; */
4617 		s[i] = new_stmt(BPF_MISC|BPF_TAX);
4618 		i++;
4619 		/* A = MEM[reg2] */
4620 		s[i] = new_stmt(BPF_LD|BPF_MEM);
4621 		s[i]->s.k = reg2;
4622 		i++;
4623 
4624 		/* goto again; (must use BPF_JA for backward jump) */
4625 		s[i] = new_stmt(BPF_JMP|BPF_JA);
4626 		s[i]->s.k = again - i - 1;
4627 		s[i - 1]->s.jf = s[i];
4628 		i++;
4629 
4630 		/* fixup */
4631 		for (j = v6start; j <= v6end; j++)
4632 			s[j]->s.jt = s[v6advance];
4633 	} else
4634 #endif
4635 	{
4636 		/* nop */
4637 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4638 		s[i]->s.k = 0;
4639 		s[fix2]->s.jf = s[i];
4640 		i++;
4641 	}
4642 
4643 	/* ahcheck: */
4644 	ahcheck = i;
4645 	/* if (A == IPPROTO_AH) then fall through; else goto end; */
4646 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4647 	s[i]->s.jt = NULL;	/*later*/
4648 	s[i]->s.jf = NULL;	/*later*/
4649 	s[i]->s.k = IPPROTO_AH;
4650 	if (fix3)
4651 		s[fix3]->s.jf = s[ahcheck];
4652 	fix4 = i;
4653 	i++;
4654 
4655 	/*
4656 	 * in short,
4657 	 * A = P[X];
4658 	 * X = X + (P[X + 1] + 2) * 4;
4659 	 */
4660 	/* A = X */
4661 	s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4662 	i++;
4663 	/* A = P[X + packet head]; */
4664 	s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4665 	s[i]->s.k = off_ll + off_nl;
4666 	i++;
4667 	/* MEM[reg2] = A */
4668 	s[i] = new_stmt(BPF_ST);
4669 	s[i]->s.k = reg2;
4670 	i++;
4671 	/* A = X */
4672 	s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4673 	i++;
4674 	/* A += 1 */
4675 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4676 	s[i]->s.k = 1;
4677 	i++;
4678 	/* X = A */
4679 	s[i] = new_stmt(BPF_MISC|BPF_TAX);
4680 	i++;
4681 	/* A = P[X + packet head] */
4682 	s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4683 	s[i]->s.k = off_ll + off_nl;
4684 	i++;
4685 	/* A += 2 */
4686 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4687 	s[i]->s.k = 2;
4688 	i++;
4689 	/* A *= 4 */
4690 	s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4691 	s[i]->s.k = 4;
4692 	i++;
4693 	/* X = A; */
4694 	s[i] = new_stmt(BPF_MISC|BPF_TAX);
4695 	i++;
4696 	/* A = MEM[reg2] */
4697 	s[i] = new_stmt(BPF_LD|BPF_MEM);
4698 	s[i]->s.k = reg2;
4699 	i++;
4700 
4701 	/* goto again; (must use BPF_JA for backward jump) */
4702 	s[i] = new_stmt(BPF_JMP|BPF_JA);
4703 	s[i]->s.k = again - i - 1;
4704 	i++;
4705 
4706 	/* end: nop */
4707 	end = i;
4708 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4709 	s[i]->s.k = 0;
4710 	s[fix2]->s.jt = s[end];
4711 	s[fix4]->s.jf = s[end];
4712 	s[fix5]->s.jt = s[end];
4713 	i++;
4714 
4715 	/*
4716 	 * make slist chain
4717 	 */
4718 	max = i;
4719 	for (i = 0; i < max - 1; i++)
4720 		s[i]->next = s[i + 1];
4721 	s[max - 1]->next = NULL;
4722 
4723 	/*
4724 	 * emit final check
4725 	 */
4726 	b = new_block(JMP(BPF_JEQ));
4727 	b->stmts = s[1];	/*remember, s[0] is dummy*/
4728 	b->s.k = v;
4729 
4730 	free_reg(reg2);
4731 
4732 	gen_and(b0, b);
4733 	return b;
4734 #endif
4735 }
4736 
4737 
4738 /*
4739  * Generate code that checks whether the packet is a packet for protocol
4740  * <proto> and whether the type field in that protocol's header has
4741  * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
4742  * IP packet and checks the protocol number in the IP header against <v>.
4743  *
4744  * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
4745  * against Q_IP and Q_IPV6.
4746  */
4747 static struct block *
4748 gen_proto(v, proto, dir)
4749 	int v;
4750 	int proto;
4751 	int dir;
4752 {
4753 	struct block *b0, *b1;
4754 
4755 	if (dir != Q_DEFAULT)
4756 		bpf_error("direction applied to 'proto'");
4757 
4758 	switch (proto) {
4759 	case Q_DEFAULT:
4760 #ifdef INET6
4761 		b0 = gen_proto(v, Q_IP, dir);
4762 		b1 = gen_proto(v, Q_IPV6, dir);
4763 		gen_or(b0, b1);
4764 		return b1;
4765 #else
4766 		/*FALLTHROUGH*/
4767 #endif
4768 	case Q_IP:
4769 		/*
4770 		 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4771 		 * not LLC encapsulation with LLCSAP_IP.
4772 		 *
4773 		 * For IEEE 802 networks - which includes 802.5 token ring
4774 		 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4775 		 * says that SNAP encapsulation is used, not LLC encapsulation
4776 		 * with LLCSAP_IP.
4777 		 *
4778 		 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4779 		 * RFC 2225 say that SNAP encapsulation is used, not LLC
4780 		 * encapsulation with LLCSAP_IP.
4781 		 *
4782 		 * So we always check for ETHERTYPE_IP.
4783 		 */
4784 		b0 = gen_linktype(ETHERTYPE_IP);
4785 #ifndef CHASE_CHAIN
4786 		b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
4787 #else
4788 		b1 = gen_protochain(v, Q_IP);
4789 #endif
4790 		gen_and(b0, b1);
4791 		return b1;
4792 
4793 	case Q_ISO:
4794 		switch (linktype) {
4795 
4796 		case DLT_FRELAY:
4797 			/*
4798 			 * Frame Relay packets typically have an OSI
4799 			 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
4800 			 * generates code to check for all the OSI
4801 			 * NLPIDs, so calling it and then adding a check
4802 			 * for the particular NLPID for which we're
4803 			 * looking is bogus, as we can just check for
4804 			 * the NLPID.
4805 			 *
4806 			 * What we check for is the NLPID and a frame
4807 			 * control field value of UI, i.e. 0x03 followed
4808 			 * by the NLPID.
4809 			 *
4810 			 * XXX - assumes a 2-byte Frame Relay header with
4811 			 * DLCI and flags.  What if the address is longer?
4812 			 *
4813 			 * XXX - what about SNAP-encapsulated frames?
4814 			 */
4815 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
4816 			/*NOTREACHED*/
4817 			break;
4818 
4819 		case DLT_C_HDLC:
4820 			/*
4821 			 * Cisco uses an Ethertype lookalike - for OSI,
4822 			 * it's 0xfefe.
4823 			 */
4824 			b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
4825 			/* OSI in C-HDLC is stuffed with a fudge byte */
4826 			b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
4827 			gen_and(b0, b1);
4828 			return b1;
4829 
4830 		default:
4831 			b0 = gen_linktype(LLCSAP_ISONS);
4832 			b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
4833 			gen_and(b0, b1);
4834 			return b1;
4835 		}
4836 
4837 	case Q_ISIS:
4838 		b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4839 		/*
4840 		 * 4 is the offset of the PDU type relative to the IS-IS
4841 		 * header.
4842 		 */
4843 		b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
4844 		gen_and(b0, b1);
4845 		return b1;
4846 
4847 	case Q_ARP:
4848 		bpf_error("arp does not encapsulate another protocol");
4849 		/* NOTREACHED */
4850 
4851 	case Q_RARP:
4852 		bpf_error("rarp does not encapsulate another protocol");
4853 		/* NOTREACHED */
4854 
4855 	case Q_ATALK:
4856 		bpf_error("atalk encapsulation is not specifiable");
4857 		/* NOTREACHED */
4858 
4859 	case Q_DECNET:
4860 		bpf_error("decnet encapsulation is not specifiable");
4861 		/* NOTREACHED */
4862 
4863 	case Q_SCA:
4864 		bpf_error("sca does not encapsulate another protocol");
4865 		/* NOTREACHED */
4866 
4867 	case Q_LAT:
4868 		bpf_error("lat does not encapsulate another protocol");
4869 		/* NOTREACHED */
4870 
4871 	case Q_MOPRC:
4872 		bpf_error("moprc does not encapsulate another protocol");
4873 		/* NOTREACHED */
4874 
4875 	case Q_MOPDL:
4876 		bpf_error("mopdl does not encapsulate another protocol");
4877 		/* NOTREACHED */
4878 
4879 	case Q_LINK:
4880 		return gen_linktype(v);
4881 
4882 	case Q_UDP:
4883 		bpf_error("'udp proto' is bogus");
4884 		/* NOTREACHED */
4885 
4886 	case Q_TCP:
4887 		bpf_error("'tcp proto' is bogus");
4888 		/* NOTREACHED */
4889 
4890 	case Q_SCTP:
4891 		bpf_error("'sctp proto' is bogus");
4892 		/* NOTREACHED */
4893 
4894 	case Q_ICMP:
4895 		bpf_error("'icmp proto' is bogus");
4896 		/* NOTREACHED */
4897 
4898 	case Q_IGMP:
4899 		bpf_error("'igmp proto' is bogus");
4900 		/* NOTREACHED */
4901 
4902 	case Q_IGRP:
4903 		bpf_error("'igrp proto' is bogus");
4904 		/* NOTREACHED */
4905 
4906 	case Q_PIM:
4907 		bpf_error("'pim proto' is bogus");
4908 		/* NOTREACHED */
4909 
4910 	case Q_VRRP:
4911 		bpf_error("'vrrp proto' is bogus");
4912 		/* NOTREACHED */
4913 
4914 #ifdef INET6
4915 	case Q_IPV6:
4916 		b0 = gen_linktype(ETHERTYPE_IPV6);
4917 #ifndef CHASE_CHAIN
4918 		b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
4919 #else
4920 		b1 = gen_protochain(v, Q_IPV6);
4921 #endif
4922 		gen_and(b0, b1);
4923 		return b1;
4924 
4925 	case Q_ICMPV6:
4926 		bpf_error("'icmp6 proto' is bogus");
4927 #endif /* INET6 */
4928 
4929 	case Q_AH:
4930 		bpf_error("'ah proto' is bogus");
4931 
4932 	case Q_ESP:
4933 		bpf_error("'ah proto' is bogus");
4934 
4935 	case Q_STP:
4936 		bpf_error("'stp proto' is bogus");
4937 
4938 	case Q_IPX:
4939 		bpf_error("'ipx proto' is bogus");
4940 
4941 	case Q_NETBEUI:
4942 		bpf_error("'netbeui proto' is bogus");
4943 
4944 	case Q_RADIO:
4945 		bpf_error("'radio proto' is bogus");
4946 
4947 	default:
4948 		abort();
4949 		/* NOTREACHED */
4950 	}
4951 	/* NOTREACHED */
4952 }
4953 
4954 struct block *
4955 gen_scode(name, q)
4956 	register const char *name;
4957 	struct qual q;
4958 {
4959 	int proto = q.proto;
4960 	int dir = q.dir;
4961 	int tproto;
4962 	u_char *eaddr;
4963 	bpf_u_int32 mask, addr;
4964 #ifndef INET6
4965 	bpf_u_int32 **alist;
4966 #else
4967 	int tproto6;
4968 	struct sockaddr_in *sin4;
4969 	struct sockaddr_in6 *sin6;
4970 	struct addrinfo *res, *res0;
4971 	struct in6_addr mask128;
4972 #endif /*INET6*/
4973 	struct block *b, *tmp;
4974 	int port, real_proto;
4975 	int port1, port2;
4976 
4977 	switch (q.addr) {
4978 
4979 	case Q_NET:
4980 		addr = pcap_nametonetaddr(name);
4981 		if (addr == 0)
4982 			bpf_error("unknown network '%s'", name);
4983 		/* Left justify network addr and calculate its network mask */
4984 		mask = 0xffffffff;
4985 		while (addr && (addr & 0xff000000) == 0) {
4986 			addr <<= 8;
4987 			mask <<= 8;
4988 		}
4989 		return gen_host(addr, mask, proto, dir, q.addr);
4990 
4991 	case Q_DEFAULT:
4992 	case Q_HOST:
4993 		if (proto == Q_LINK) {
4994 			switch (linktype) {
4995 
4996 			case DLT_EN10MB:
4997 				eaddr = pcap_ether_hostton(name);
4998 				if (eaddr == NULL)
4999 					bpf_error(
5000 					    "unknown ether host '%s'", name);
5001 				b = gen_ehostop(eaddr, dir);
5002 				free(eaddr);
5003 				return b;
5004 
5005 			case DLT_FDDI:
5006 				eaddr = pcap_ether_hostton(name);
5007 				if (eaddr == NULL)
5008 					bpf_error(
5009 					    "unknown FDDI host '%s'", name);
5010 				b = gen_fhostop(eaddr, dir);
5011 				free(eaddr);
5012 				return b;
5013 
5014 			case DLT_IEEE802:
5015 				eaddr = pcap_ether_hostton(name);
5016 				if (eaddr == NULL)
5017 					bpf_error(
5018 					    "unknown token ring host '%s'", name);
5019 				b = gen_thostop(eaddr, dir);
5020 				free(eaddr);
5021 				return b;
5022 
5023 			case DLT_IEEE802_11:
5024 			case DLT_IEEE802_11_RADIO_AVS:
5025 			case DLT_IEEE802_11_RADIO:
5026 			case DLT_PRISM_HEADER:
5027 			case DLT_PPI:
5028 				eaddr = pcap_ether_hostton(name);
5029 				if (eaddr == NULL)
5030 					bpf_error(
5031 					    "unknown 802.11 host '%s'", name);
5032 				b = gen_wlanhostop(eaddr, dir);
5033 				free(eaddr);
5034 				return b;
5035 
5036 			case DLT_IP_OVER_FC:
5037 				eaddr = pcap_ether_hostton(name);
5038 				if (eaddr == NULL)
5039 					bpf_error(
5040 					    "unknown Fibre Channel host '%s'", name);
5041 				b = gen_ipfchostop(eaddr, dir);
5042 				free(eaddr);
5043 				return b;
5044 
5045 			case DLT_SUNATM:
5046 				if (!is_lane)
5047 					break;
5048 
5049 				/*
5050 				 * Check that the packet doesn't begin
5051 				 * with an LE Control marker.  (We've
5052 				 * already generated a test for LANE.)
5053 				 */
5054 				tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
5055 				    BPF_H, 0xFF00);
5056 				gen_not(tmp);
5057 
5058 				eaddr = pcap_ether_hostton(name);
5059 				if (eaddr == NULL)
5060 					bpf_error(
5061 					    "unknown ether host '%s'", name);
5062 				b = gen_ehostop(eaddr, dir);
5063 				gen_and(tmp, b);
5064 				free(eaddr);
5065 				return b;
5066 			}
5067 
5068 			bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
5069 		} else if (proto == Q_DECNET) {
5070 			unsigned short dn_addr = __pcap_nametodnaddr(name);
5071 			/*
5072 			 * I don't think DECNET hosts can be multihomed, so
5073 			 * there is no need to build up a list of addresses
5074 			 */
5075 			return (gen_host(dn_addr, 0, proto, dir, q.addr));
5076 		} else {
5077 #ifndef INET6
5078 			alist = pcap_nametoaddr(name);
5079 			if (alist == NULL || *alist == NULL)
5080 				bpf_error("unknown host '%s'", name);
5081 			tproto = proto;
5082 			if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
5083 				tproto = Q_IP;
5084 			b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
5085 			while (*alist) {
5086 				tmp = gen_host(**alist++, 0xffffffff,
5087 					       tproto, dir, q.addr);
5088 				gen_or(b, tmp);
5089 				b = tmp;
5090 			}
5091 			return b;
5092 #else
5093 			memset(&mask128, 0xff, sizeof(mask128));
5094 			res0 = res = pcap_nametoaddrinfo(name);
5095 			if (res == NULL)
5096 				bpf_error("unknown host '%s'", name);
5097 			b = tmp = NULL;
5098 			tproto = tproto6 = proto;
5099 			if (off_linktype == -1 && tproto == Q_DEFAULT) {
5100 				tproto = Q_IP;
5101 				tproto6 = Q_IPV6;
5102 			}
5103 			for (res = res0; res; res = res->ai_next) {
5104 				switch (res->ai_family) {
5105 				case AF_INET:
5106 					if (tproto == Q_IPV6)
5107 						continue;
5108 
5109 					sin4 = (struct sockaddr_in *)
5110 						res->ai_addr;
5111 					tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
5112 						0xffffffff, tproto, dir, q.addr);
5113 					break;
5114 				case AF_INET6:
5115 					if (tproto6 == Q_IP)
5116 						continue;
5117 
5118 					sin6 = (struct sockaddr_in6 *)
5119 						res->ai_addr;
5120 					tmp = gen_host6(&sin6->sin6_addr,
5121 						&mask128, tproto6, dir, q.addr);
5122 					break;
5123 				default:
5124 					continue;
5125 				}
5126 				if (b)
5127 					gen_or(b, tmp);
5128 				b = tmp;
5129 			}
5130 			freeaddrinfo(res0);
5131 			if (b == NULL) {
5132 				bpf_error("unknown host '%s'%s", name,
5133 				    (proto == Q_DEFAULT)
5134 					? ""
5135 					: " for specified address family");
5136 			}
5137 			return b;
5138 #endif /*INET6*/
5139 		}
5140 
5141 	case Q_PORT:
5142 		if (proto != Q_DEFAULT &&
5143 		    proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
5144 			bpf_error("illegal qualifier of 'port'");
5145 		if (pcap_nametoport(name, &port, &real_proto) == 0)
5146 			bpf_error("unknown port '%s'", name);
5147 		if (proto == Q_UDP) {
5148 			if (real_proto == IPPROTO_TCP)
5149 				bpf_error("port '%s' is tcp", name);
5150 			else if (real_proto == IPPROTO_SCTP)
5151 				bpf_error("port '%s' is sctp", name);
5152 			else
5153 				/* override PROTO_UNDEF */
5154 				real_proto = IPPROTO_UDP;
5155 		}
5156 		if (proto == Q_TCP) {
5157 			if (real_proto == IPPROTO_UDP)
5158 				bpf_error("port '%s' is udp", name);
5159 
5160 			else if (real_proto == IPPROTO_SCTP)
5161 				bpf_error("port '%s' is sctp", name);
5162 			else
5163 				/* override PROTO_UNDEF */
5164 				real_proto = IPPROTO_TCP;
5165 		}
5166 		if (proto == Q_SCTP) {
5167 			if (real_proto == IPPROTO_UDP)
5168 				bpf_error("port '%s' is udp", name);
5169 
5170 			else if (real_proto == IPPROTO_TCP)
5171 				bpf_error("port '%s' is tcp", name);
5172 			else
5173 				/* override PROTO_UNDEF */
5174 				real_proto = IPPROTO_SCTP;
5175 		}
5176 #ifndef INET6
5177 		return gen_port(port, real_proto, dir);
5178 #else
5179 		b = gen_port(port, real_proto, dir);
5180 		gen_or(gen_port6(port, real_proto, dir), b);
5181 		return b;
5182 #endif /* INET6 */
5183 
5184 	case Q_PORTRANGE:
5185 		if (proto != Q_DEFAULT &&
5186 		    proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
5187 			bpf_error("illegal qualifier of 'portrange'");
5188 		if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
5189 			bpf_error("unknown port in range '%s'", name);
5190 		if (proto == Q_UDP) {
5191 			if (real_proto == IPPROTO_TCP)
5192 				bpf_error("port in range '%s' is tcp", name);
5193 			else if (real_proto == IPPROTO_SCTP)
5194 				bpf_error("port in range '%s' is sctp", name);
5195 			else
5196 				/* override PROTO_UNDEF */
5197 				real_proto = IPPROTO_UDP;
5198 		}
5199 		if (proto == Q_TCP) {
5200 			if (real_proto == IPPROTO_UDP)
5201 				bpf_error("port in range '%s' is udp", name);
5202 			else if (real_proto == IPPROTO_SCTP)
5203 				bpf_error("port in range '%s' is sctp", name);
5204 			else
5205 				/* override PROTO_UNDEF */
5206 				real_proto = IPPROTO_TCP;
5207 		}
5208 		if (proto == Q_SCTP) {
5209 			if (real_proto == IPPROTO_UDP)
5210 				bpf_error("port in range '%s' is udp", name);
5211 			else if (real_proto == IPPROTO_TCP)
5212 				bpf_error("port in range '%s' is tcp", name);
5213 			else
5214 				/* override PROTO_UNDEF */
5215 				real_proto = IPPROTO_SCTP;
5216 		}
5217 #ifndef INET6
5218 		return gen_portrange(port1, port2, real_proto, dir);
5219 #else
5220 		b = gen_portrange(port1, port2, real_proto, dir);
5221 		gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
5222 		return b;
5223 #endif /* INET6 */
5224 
5225 	case Q_GATEWAY:
5226 #ifndef INET6
5227 		eaddr = pcap_ether_hostton(name);
5228 		if (eaddr == NULL)
5229 			bpf_error("unknown ether host: %s", name);
5230 
5231 		alist = pcap_nametoaddr(name);
5232 		if (alist == NULL || *alist == NULL)
5233 			bpf_error("unknown host '%s'", name);
5234 		b = gen_gateway(eaddr, alist, proto, dir);
5235 		free(eaddr);
5236 		return b;
5237 #else
5238 		bpf_error("'gateway' not supported in this configuration");
5239 #endif /*INET6*/
5240 
5241 	case Q_PROTO:
5242 		real_proto = lookup_proto(name, proto);
5243 		if (real_proto >= 0)
5244 			return gen_proto(real_proto, proto, dir);
5245 		else
5246 			bpf_error("unknown protocol: %s", name);
5247 
5248 	case Q_PROTOCHAIN:
5249 		real_proto = lookup_proto(name, proto);
5250 		if (real_proto >= 0)
5251 			return gen_protochain(real_proto, proto, dir);
5252 		else
5253 			bpf_error("unknown protocol: %s", name);
5254 
5255 
5256 	case Q_UNDEF:
5257 		syntax();
5258 		/* NOTREACHED */
5259 	}
5260 	abort();
5261 	/* NOTREACHED */
5262 }
5263 
5264 struct block *
5265 gen_mcode(s1, s2, masklen, q)
5266 	register const char *s1, *s2;
5267 	register int masklen;
5268 	struct qual q;
5269 {
5270 	register int nlen, mlen;
5271 	bpf_u_int32 n, m;
5272 
5273 	nlen = __pcap_atoin(s1, &n);
5274 	/* Promote short ipaddr */
5275 	n <<= 32 - nlen;
5276 
5277 	if (s2 != NULL) {
5278 		mlen = __pcap_atoin(s2, &m);
5279 		/* Promote short ipaddr */
5280 		m <<= 32 - mlen;
5281 		if ((n & ~m) != 0)
5282 			bpf_error("non-network bits set in \"%s mask %s\"",
5283 			    s1, s2);
5284 	} else {
5285 		/* Convert mask len to mask */
5286 		if (masklen > 32)
5287 			bpf_error("mask length must be <= 32");
5288 		if (masklen == 0) {
5289 			/*
5290 			 * X << 32 is not guaranteed by C to be 0; it's
5291 			 * undefined.
5292 			 */
5293 			m = 0;
5294 		} else
5295 			m = 0xffffffff << (32 - masklen);
5296 		if ((n & ~m) != 0)
5297 			bpf_error("non-network bits set in \"%s/%d\"",
5298 			    s1, masklen);
5299 	}
5300 
5301 	switch (q.addr) {
5302 
5303 	case Q_NET:
5304 		return gen_host(n, m, q.proto, q.dir, q.addr);
5305 
5306 	default:
5307 		bpf_error("Mask syntax for networks only");
5308 		/* NOTREACHED */
5309 	}
5310 	/* NOTREACHED */
5311 	return NULL;
5312 }
5313 
5314 struct block *
5315 gen_ncode(s, v, q)
5316 	register const char *s;
5317 	bpf_u_int32 v;
5318 	struct qual q;
5319 {
5320 	bpf_u_int32 mask;
5321 	int proto = q.proto;
5322 	int dir = q.dir;
5323 	register int vlen;
5324 
5325 	if (s == NULL)
5326 		vlen = 32;
5327 	else if (q.proto == Q_DECNET)
5328 		vlen = __pcap_atodn(s, &v);
5329 	else
5330 		vlen = __pcap_atoin(s, &v);
5331 
5332 	switch (q.addr) {
5333 
5334 	case Q_DEFAULT:
5335 	case Q_HOST:
5336 	case Q_NET:
5337 		if (proto == Q_DECNET)
5338 			return gen_host(v, 0, proto, dir, q.addr);
5339 		else if (proto == Q_LINK) {
5340 			bpf_error("illegal link layer address");
5341 		} else {
5342 			mask = 0xffffffff;
5343 			if (s == NULL && q.addr == Q_NET) {
5344 				/* Promote short net number */
5345 				while (v && (v & 0xff000000) == 0) {
5346 					v <<= 8;
5347 					mask <<= 8;
5348 				}
5349 			} else {
5350 				/* Promote short ipaddr */
5351 				v <<= 32 - vlen;
5352 				mask <<= 32 - vlen;
5353 			}
5354 			return gen_host(v, mask, proto, dir, q.addr);
5355 		}
5356 
5357 	case Q_PORT:
5358 		if (proto == Q_UDP)
5359 			proto = IPPROTO_UDP;
5360 		else if (proto == Q_TCP)
5361 			proto = IPPROTO_TCP;
5362 		else if (proto == Q_SCTP)
5363 			proto = IPPROTO_SCTP;
5364 		else if (proto == Q_DEFAULT)
5365 			proto = PROTO_UNDEF;
5366 		else
5367 			bpf_error("illegal qualifier of 'port'");
5368 
5369 #ifndef INET6
5370 		return gen_port((int)v, proto, dir);
5371 #else
5372 	    {
5373 		struct block *b;
5374 		b = gen_port((int)v, proto, dir);
5375 		gen_or(gen_port6((int)v, proto, dir), b);
5376 		return b;
5377 	    }
5378 #endif /* INET6 */
5379 
5380 	case Q_PORTRANGE:
5381 		if (proto == Q_UDP)
5382 			proto = IPPROTO_UDP;
5383 		else if (proto == Q_TCP)
5384 			proto = IPPROTO_TCP;
5385 		else if (proto == Q_SCTP)
5386 			proto = IPPROTO_SCTP;
5387 		else if (proto == Q_DEFAULT)
5388 			proto = PROTO_UNDEF;
5389 		else
5390 			bpf_error("illegal qualifier of 'portrange'");
5391 
5392 #ifndef INET6
5393 		return gen_portrange((int)v, (int)v, proto, dir);
5394 #else
5395 	    {
5396 		struct block *b;
5397 		b = gen_portrange((int)v, (int)v, proto, dir);
5398 		gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
5399 		return b;
5400 	    }
5401 #endif /* INET6 */
5402 
5403 	case Q_GATEWAY:
5404 		bpf_error("'gateway' requires a name");
5405 		/* NOTREACHED */
5406 
5407 	case Q_PROTO:
5408 		return gen_proto((int)v, proto, dir);
5409 
5410 	case Q_PROTOCHAIN:
5411 		return gen_protochain((int)v, proto, dir);
5412 
5413 	case Q_UNDEF:
5414 		syntax();
5415 		/* NOTREACHED */
5416 
5417 	default:
5418 		abort();
5419 		/* NOTREACHED */
5420 	}
5421 	/* NOTREACHED */
5422 }
5423 
5424 #ifdef INET6
5425 struct block *
5426 gen_mcode6(s1, s2, masklen, q)
5427 	register const char *s1, *s2;
5428 	register int masklen;
5429 	struct qual q;
5430 {
5431 	struct addrinfo *res;
5432 	struct in6_addr *addr;
5433 	struct in6_addr mask;
5434 	struct block *b;
5435 	u_int32_t *a, *m;
5436 
5437 	if (s2)
5438 		bpf_error("no mask %s supported", s2);
5439 
5440 	res = pcap_nametoaddrinfo(s1);
5441 	if (!res)
5442 		bpf_error("invalid ip6 address %s", s1);
5443 	if (res->ai_next)
5444 		bpf_error("%s resolved to multiple address", s1);
5445 	addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
5446 
5447 	if (sizeof(mask) * 8 < masklen)
5448 		bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
5449 	memset(&mask, 0, sizeof(mask));
5450 	memset(&mask, 0xff, masklen / 8);
5451 	if (masklen % 8) {
5452 		mask.s6_addr[masklen / 8] =
5453 			(0xff << (8 - masklen % 8)) & 0xff;
5454 	}
5455 
5456 	a = (u_int32_t *)addr;
5457 	m = (u_int32_t *)&mask;
5458 	if ((a[0] & ~m[0]) || (a[1] & ~m[1])
5459 	 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
5460 		bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
5461 	}
5462 
5463 	switch (q.addr) {
5464 
5465 	case Q_DEFAULT:
5466 	case Q_HOST:
5467 		if (masklen != 128)
5468 			bpf_error("Mask syntax for networks only");
5469 		/* FALLTHROUGH */
5470 
5471 	case Q_NET:
5472 		b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
5473 		freeaddrinfo(res);
5474 		return b;
5475 
5476 	default:
5477 		bpf_error("invalid qualifier against IPv6 address");
5478 		/* NOTREACHED */
5479 	}
5480 	return NULL;
5481 }
5482 #endif /*INET6*/
5483 
5484 struct block *
5485 gen_ecode(eaddr, q)
5486 	register const u_char *eaddr;
5487 	struct qual q;
5488 {
5489 	struct block *b, *tmp;
5490 
5491 	if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5492             switch (linktype) {
5493             case DLT_EN10MB:
5494                 return gen_ehostop(eaddr, (int)q.dir);
5495             case DLT_FDDI:
5496                 return gen_fhostop(eaddr, (int)q.dir);
5497             case DLT_IEEE802:
5498                 return gen_thostop(eaddr, (int)q.dir);
5499 			case DLT_IEEE802_11:
5500 			case DLT_IEEE802_11_RADIO_AVS:
5501 			case DLT_IEEE802_11_RADIO:
5502 			case DLT_PRISM_HEADER:
5503 			case DLT_PPI:
5504 				return gen_wlanhostop(eaddr, (int)q.dir);
5505 			case DLT_SUNATM:
5506 				if (is_lane) {
5507 					/*
5508 					 * Check that the packet doesn't begin with an
5509 					 * LE Control marker.  (We've already generated
5510 					 * a test for LANE.)
5511 					 */
5512 					tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5513 						0xFF00);
5514 					gen_not(tmp);
5515 
5516 					/*
5517 					 * Now check the MAC address.
5518 					 */
5519 					b = gen_ehostop(eaddr, (int)q.dir);
5520 					gen_and(tmp, b);
5521 					return b;
5522 				}
5523 				break;
5524 			case DLT_IP_OVER_FC:
5525                 return gen_ipfchostop(eaddr, (int)q.dir);
5526             default:
5527 				bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5528                 break;
5529             }
5530 	}
5531 	bpf_error("ethernet address used in non-ether expression");
5532 	/* NOTREACHED */
5533 	return NULL;
5534 }
5535 
5536 void
5537 sappend(s0, s1)
5538 	struct slist *s0, *s1;
5539 {
5540 	/*
5541 	 * This is definitely not the best way to do this, but the
5542 	 * lists will rarely get long.
5543 	 */
5544 	while (s0->next)
5545 		s0 = s0->next;
5546 	s0->next = s1;
5547 }
5548 
5549 static struct slist *
5550 xfer_to_x(a)
5551 	struct arth *a;
5552 {
5553 	struct slist *s;
5554 
5555 	s = new_stmt(BPF_LDX|BPF_MEM);
5556 	s->s.k = a->regno;
5557 	return s;
5558 }
5559 
5560 static struct slist *
5561 xfer_to_a(a)
5562 	struct arth *a;
5563 {
5564 	struct slist *s;
5565 
5566 	s = new_stmt(BPF_LD|BPF_MEM);
5567 	s->s.k = a->regno;
5568 	return s;
5569 }
5570 
5571 /*
5572  * Modify "index" to use the value stored into its register as an
5573  * offset relative to the beginning of the header for the protocol
5574  * "proto", and allocate a register and put an item "size" bytes long
5575  * (1, 2, or 4) at that offset into that register, making it the register
5576  * for "index".
5577  */
5578 struct arth *
5579 gen_load(proto, inst, size)
5580 	int proto;
5581 	struct arth *inst;
5582 	int size;
5583 {
5584 	struct slist *s, *tmp;
5585 	struct block *b;
5586 	int regno = alloc_reg();
5587 
5588 	free_reg(inst->regno);
5589 	switch (size) {
5590 
5591 	default:
5592 		bpf_error("data size must be 1, 2, or 4");
5593 
5594 	case 1:
5595 		size = BPF_B;
5596 		break;
5597 
5598 	case 2:
5599 		size = BPF_H;
5600 		break;
5601 
5602 	case 4:
5603 		size = BPF_W;
5604 		break;
5605 	}
5606 	switch (proto) {
5607 	default:
5608 		bpf_error("unsupported index operation");
5609 
5610 	case Q_RADIO:
5611 		/*
5612 		 * The offset is relative to the beginning of the packet
5613 		 * data, if we have a radio header.  (If we don't, this
5614 		 * is an error.)
5615 		 */
5616 		if (linktype != DLT_IEEE802_11_RADIO_AVS &&
5617 		    linktype != DLT_IEEE802_11_RADIO &&
5618 		    linktype != DLT_PRISM_HEADER)
5619 			bpf_error("radio information not present in capture");
5620 
5621 		/*
5622 		 * Load into the X register the offset computed into the
5623 		 * register specifed by "index".
5624 		 */
5625 		s = xfer_to_x(inst);
5626 
5627 		/*
5628 		 * Load the item at that offset.
5629 		 */
5630 		tmp = new_stmt(BPF_LD|BPF_IND|size);
5631 		sappend(s, tmp);
5632 		sappend(inst->s, s);
5633 		break;
5634 
5635 	case Q_LINK:
5636 		/*
5637 		 * The offset is relative to the beginning of
5638 		 * the link-layer header.
5639 		 *
5640 		 * XXX - what about ATM LANE?  Should the index be
5641 		 * relative to the beginning of the AAL5 frame, so
5642 		 * that 0 refers to the beginning of the LE Control
5643 		 * field, or relative to the beginning of the LAN
5644 		 * frame, so that 0 refers, for Ethernet LANE, to
5645 		 * the beginning of the destination address?
5646 		 */
5647 		s = gen_llprefixlen();
5648 
5649 		/*
5650 		 * If "s" is non-null, it has code to arrange that the
5651 		 * X register contains the length of the prefix preceding
5652 		 * the link-layer header.  Add to it the offset computed
5653 		 * into the register specified by "index", and move that
5654 		 * into the X register.  Otherwise, just load into the X
5655 		 * register the offset computed into the register specifed
5656 		 * by "index".
5657 		 */
5658 		if (s != NULL) {
5659 			sappend(s, xfer_to_a(inst));
5660 			sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5661 			sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5662 		} else
5663 			s = xfer_to_x(inst);
5664 
5665 		/*
5666 		 * Load the item at the sum of the offset we've put in the
5667 		 * X register and the offset of the start of the link
5668 		 * layer header (which is 0 if the radio header is
5669 		 * variable-length; that header length is what we put
5670 		 * into the X register and then added to the index).
5671 		 */
5672 		tmp = new_stmt(BPF_LD|BPF_IND|size);
5673 		tmp->s.k = off_ll;
5674 		sappend(s, tmp);
5675 		sappend(inst->s, s);
5676 		break;
5677 
5678 	case Q_IP:
5679 	case Q_ARP:
5680 	case Q_RARP:
5681 	case Q_ATALK:
5682 	case Q_DECNET:
5683 	case Q_SCA:
5684 	case Q_LAT:
5685 	case Q_MOPRC:
5686 	case Q_MOPDL:
5687 #ifdef INET6
5688 	case Q_IPV6:
5689 #endif
5690 		/*
5691 		 * The offset is relative to the beginning of
5692 		 * the network-layer header.
5693 		 * XXX - are there any cases where we want
5694 		 * off_nl_nosnap?
5695 		 */
5696 		s = gen_llprefixlen();
5697 
5698 		/*
5699 		 * If "s" is non-null, it has code to arrange that the
5700 		 * X register contains the length of the prefix preceding
5701 		 * the link-layer header.  Add to it the offset computed
5702 		 * into the register specified by "index", and move that
5703 		 * into the X register.  Otherwise, just load into the X
5704 		 * register the offset computed into the register specifed
5705 		 * by "index".
5706 		 */
5707 		if (s != NULL) {
5708 			sappend(s, xfer_to_a(inst));
5709 			sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5710 			sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5711 		} else
5712 			s = xfer_to_x(inst);
5713 
5714 		/*
5715 		 * Load the item at the sum of the offset we've put in the
5716 		 * X register, the offset of the start of the network
5717 		 * layer header, and the offset of the start of the link
5718 		 * layer header (which is 0 if the radio header is
5719 		 * variable-length; that header length is what we put
5720 		 * into the X register and then added to the index).
5721 		 */
5722 		tmp = new_stmt(BPF_LD|BPF_IND|size);
5723 		tmp->s.k = off_ll + off_nl;
5724 		sappend(s, tmp);
5725 		sappend(inst->s, s);
5726 
5727 		/*
5728 		 * Do the computation only if the packet contains
5729 		 * the protocol in question.
5730 		 */
5731 		b = gen_proto_abbrev(proto);
5732 		if (inst->b)
5733 			gen_and(inst->b, b);
5734 		inst->b = b;
5735 		break;
5736 
5737 	case Q_SCTP:
5738 	case Q_TCP:
5739 	case Q_UDP:
5740 	case Q_ICMP:
5741 	case Q_IGMP:
5742 	case Q_IGRP:
5743 	case Q_PIM:
5744 	case Q_VRRP:
5745 		/*
5746 		 * The offset is relative to the beginning of
5747 		 * the transport-layer header.
5748 		 *
5749 		 * Load the X register with the length of the IPv4 header
5750 		 * (plus the offset of the link-layer header, if it's
5751 		 * a variable-length header), in bytes.
5752 		 *
5753 		 * XXX - are there any cases where we want
5754 		 * off_nl_nosnap?
5755 		 * XXX - we should, if we're built with
5756 		 * IPv6 support, generate code to load either
5757 		 * IPv4, IPv6, or both, as appropriate.
5758 		 */
5759 		s = gen_loadx_iphdrlen();
5760 
5761 		/*
5762 		 * The X register now contains the sum of the length
5763 		 * of any variable-length header preceding the link-layer
5764 		 * header and the length of the network-layer header.
5765 		 * Load into the A register the offset relative to
5766 		 * the beginning of the transport layer header,
5767 		 * add the X register to that, move that to the
5768 		 * X register, and load with an offset from the
5769 		 * X register equal to the offset of the network
5770 		 * layer header relative to the beginning of
5771 		 * the link-layer header plus the length of any
5772 		 * fixed-length header preceding the link-layer
5773 		 * header.
5774 		 */
5775 		sappend(s, xfer_to_a(inst));
5776 		sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5777 		sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5778 		sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
5779 		tmp->s.k = off_ll + off_nl;
5780 		sappend(inst->s, s);
5781 
5782 		/*
5783 		 * Do the computation only if the packet contains
5784 		 * the protocol in question - which is true only
5785 		 * if this is an IP datagram and is the first or
5786 		 * only fragment of that datagram.
5787 		 */
5788 		gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
5789 		if (inst->b)
5790 			gen_and(inst->b, b);
5791 #ifdef INET6
5792 		gen_and(gen_proto_abbrev(Q_IP), b);
5793 #endif
5794 		inst->b = b;
5795 		break;
5796 #ifdef INET6
5797 	case Q_ICMPV6:
5798 		bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
5799 		/*NOTREACHED*/
5800 #endif
5801 	}
5802 	inst->regno = regno;
5803 	s = new_stmt(BPF_ST);
5804 	s->s.k = regno;
5805 	sappend(inst->s, s);
5806 
5807 	return inst;
5808 }
5809 
5810 struct block *
5811 gen_relation(code, a0, a1, reversed)
5812 	int code;
5813 	struct arth *a0, *a1;
5814 	int reversed;
5815 {
5816 	struct slist *s0, *s1, *s2;
5817 	struct block *b, *tmp;
5818 
5819 	s0 = xfer_to_x(a1);
5820 	s1 = xfer_to_a(a0);
5821 	if (code == BPF_JEQ) {
5822 		s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
5823 		b = new_block(JMP(code));
5824 		sappend(s1, s2);
5825 	}
5826 	else
5827 		b = new_block(BPF_JMP|code|BPF_X);
5828 	if (reversed)
5829 		gen_not(b);
5830 
5831 	sappend(s0, s1);
5832 	sappend(a1->s, s0);
5833 	sappend(a0->s, a1->s);
5834 
5835 	b->stmts = a0->s;
5836 
5837 	free_reg(a0->regno);
5838 	free_reg(a1->regno);
5839 
5840 	/* 'and' together protocol checks */
5841 	if (a0->b) {
5842 		if (a1->b) {
5843 			gen_and(a0->b, tmp = a1->b);
5844 		}
5845 		else
5846 			tmp = a0->b;
5847 	} else
5848 		tmp = a1->b;
5849 
5850 	if (tmp)
5851 		gen_and(tmp, b);
5852 
5853 	return b;
5854 }
5855 
5856 struct arth *
5857 gen_loadlen()
5858 {
5859 	int regno = alloc_reg();
5860 	struct arth *a = (struct arth *)newchunk(sizeof(*a));
5861 	struct slist *s;
5862 
5863 	s = new_stmt(BPF_LD|BPF_LEN);
5864 	s->next = new_stmt(BPF_ST);
5865 	s->next->s.k = regno;
5866 	a->s = s;
5867 	a->regno = regno;
5868 
5869 	return a;
5870 }
5871 
5872 struct arth *
5873 gen_loadi(val)
5874 	int val;
5875 {
5876 	struct arth *a;
5877 	struct slist *s;
5878 	int reg;
5879 
5880 	a = (struct arth *)newchunk(sizeof(*a));
5881 
5882 	reg = alloc_reg();
5883 
5884 	s = new_stmt(BPF_LD|BPF_IMM);
5885 	s->s.k = val;
5886 	s->next = new_stmt(BPF_ST);
5887 	s->next->s.k = reg;
5888 	a->s = s;
5889 	a->regno = reg;
5890 
5891 	return a;
5892 }
5893 
5894 struct arth *
5895 gen_neg(a)
5896 	struct arth *a;
5897 {
5898 	struct slist *s;
5899 
5900 	s = xfer_to_a(a);
5901 	sappend(a->s, s);
5902 	s = new_stmt(BPF_ALU|BPF_NEG);
5903 	s->s.k = 0;
5904 	sappend(a->s, s);
5905 	s = new_stmt(BPF_ST);
5906 	s->s.k = a->regno;
5907 	sappend(a->s, s);
5908 
5909 	return a;
5910 }
5911 
5912 struct arth *
5913 gen_arth(code, a0, a1)
5914 	int code;
5915 	struct arth *a0, *a1;
5916 {
5917 	struct slist *s0, *s1, *s2;
5918 
5919 	s0 = xfer_to_x(a1);
5920 	s1 = xfer_to_a(a0);
5921 	s2 = new_stmt(BPF_ALU|BPF_X|code);
5922 
5923 	sappend(s1, s2);
5924 	sappend(s0, s1);
5925 	sappend(a1->s, s0);
5926 	sappend(a0->s, a1->s);
5927 
5928 	free_reg(a0->regno);
5929 	free_reg(a1->regno);
5930 
5931 	s0 = new_stmt(BPF_ST);
5932 	a0->regno = s0->s.k = alloc_reg();
5933 	sappend(a0->s, s0);
5934 
5935 	return a0;
5936 }
5937 
5938 /*
5939  * Here we handle simple allocation of the scratch registers.
5940  * If too many registers are alloc'd, the allocator punts.
5941  */
5942 static int regused[BPF_MEMWORDS];
5943 static int curreg;
5944 
5945 /*
5946  * Return the next free register.
5947  */
5948 static int
5949 alloc_reg()
5950 {
5951 	int n = BPF_MEMWORDS;
5952 
5953 	while (--n >= 0) {
5954 		if (regused[curreg])
5955 			curreg = (curreg + 1) % BPF_MEMWORDS;
5956 		else {
5957 			regused[curreg] = 1;
5958 			return curreg;
5959 		}
5960 	}
5961 	bpf_error("too many registers needed to evaluate expression");
5962 	/* NOTREACHED */
5963 	return 0;
5964 }
5965 
5966 /*
5967  * Return a register to the table so it can
5968  * be used later.
5969  */
5970 static void
5971 free_reg(n)
5972 	int n;
5973 {
5974 	regused[n] = 0;
5975 }
5976 
5977 static struct block *
5978 gen_len(jmp, n)
5979 	int jmp, n;
5980 {
5981 	struct slist *s;
5982 	struct block *b;
5983 
5984 	s = new_stmt(BPF_LD|BPF_LEN);
5985 	b = new_block(JMP(jmp));
5986 	b->stmts = s;
5987 	b->s.k = n;
5988 
5989 	return b;
5990 }
5991 
5992 struct block *
5993 gen_greater(n)
5994 	int n;
5995 {
5996 	return gen_len(BPF_JGE, n);
5997 }
5998 
5999 /*
6000  * Actually, this is less than or equal.
6001  */
6002 struct block *
6003 gen_less(n)
6004 	int n;
6005 {
6006 	struct block *b;
6007 
6008 	b = gen_len(BPF_JGT, n);
6009 	gen_not(b);
6010 
6011 	return b;
6012 }
6013 
6014 /*
6015  * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
6016  * the beginning of the link-layer header.
6017  * XXX - that means you can't test values in the radiotap header, but
6018  * as that header is difficult if not impossible to parse generally
6019  * without a loop, that might not be a severe problem.  A new keyword
6020  * "radio" could be added for that, although what you'd really want
6021  * would be a way of testing particular radio header values, which
6022  * would generate code appropriate to the radio header in question.
6023  */
6024 struct block *
6025 gen_byteop(op, idx, val)
6026 	int op, idx, val;
6027 {
6028 	struct block *b;
6029 	struct slist *s;
6030 
6031 	switch (op) {
6032 	default:
6033 		abort();
6034 
6035 	case '=':
6036 		return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6037 
6038 	case '<':
6039 		b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6040 		return b;
6041 
6042 	case '>':
6043 		b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6044 		return b;
6045 
6046 	case '|':
6047 		s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
6048 		break;
6049 
6050 	case '&':
6051 		s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
6052 		break;
6053 	}
6054 	s->s.k = val;
6055 	b = new_block(JMP(BPF_JEQ));
6056 	b->stmts = s;
6057 	gen_not(b);
6058 
6059 	return b;
6060 }
6061 
6062 static u_char abroadcast[] = { 0x0 };
6063 
6064 struct block *
6065 gen_broadcast(proto)
6066 	int proto;
6067 {
6068 	bpf_u_int32 hostmask;
6069 	struct block *b0, *b1, *b2;
6070 	static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
6071 
6072 	switch (proto) {
6073 
6074 	case Q_DEFAULT:
6075 	case Q_LINK:
6076                 switch (linktype) {
6077                 case DLT_ARCNET:
6078                 case DLT_ARCNET_LINUX:
6079                     return gen_ahostop(abroadcast, Q_DST);
6080                 case DLT_EN10MB:
6081                     return gen_ehostop(ebroadcast, Q_DST);
6082                 case DLT_FDDI:
6083                     return gen_fhostop(ebroadcast, Q_DST);
6084                 case DLT_IEEE802:
6085                     return gen_thostop(ebroadcast, Q_DST);
6086                 case DLT_IEEE802_11:
6087                 case DLT_IEEE802_11_RADIO_AVS:
6088                 case DLT_IEEE802_11_RADIO:
6089 				case DLT_PPI:
6090                 case DLT_PRISM_HEADER:
6091                     return gen_wlanhostop(ebroadcast, Q_DST);
6092                 case DLT_IP_OVER_FC:
6093                     return gen_ipfchostop(ebroadcast, Q_DST);
6094                 case DLT_SUNATM:
6095                     if (is_lane) {
6096 			/*
6097 			 * Check that the packet doesn't begin with an
6098 			 * LE Control marker.  (We've already generated
6099 			 * a test for LANE.)
6100 			 */
6101 			b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6102 			    0xFF00);
6103 			gen_not(b1);
6104 
6105 			/*
6106 			 * Now check the MAC address.
6107 			 */
6108 			b0 = gen_ehostop(ebroadcast, Q_DST);
6109 			gen_and(b1, b0);
6110 			return b0;
6111                     }
6112                     break;
6113                 default:
6114                     bpf_error("not a broadcast link");
6115                 }
6116 		break;
6117 
6118 	case Q_IP:
6119 		b0 = gen_linktype(ETHERTYPE_IP);
6120 		hostmask = ~netmask;
6121 		b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
6122 		b2 = gen_mcmp(OR_NET, 16, BPF_W,
6123 			      (bpf_int32)(~0 & hostmask), hostmask);
6124 		gen_or(b1, b2);
6125 		gen_and(b0, b2);
6126 		return b2;
6127 	}
6128 	bpf_error("only link-layer/IP broadcast filters supported");
6129 	/* NOTREACHED */
6130 	return NULL;
6131 }
6132 
6133 /*
6134  * Generate code to test the low-order bit of a MAC address (that's
6135  * the bottom bit of the *first* byte).
6136  */
6137 static struct block *
6138 gen_mac_multicast(offset)
6139 	int offset;
6140 {
6141 	register struct block *b0;
6142 	register struct slist *s;
6143 
6144 	/* link[offset] & 1 != 0 */
6145 	s = gen_load_a(OR_LINK, offset, BPF_B);
6146 	b0 = new_block(JMP(BPF_JSET));
6147 	b0->s.k = 1;
6148 	b0->stmts = s;
6149 	return b0;
6150 }
6151 
6152 struct block *
6153 gen_multicast(proto)
6154 	int proto;
6155 {
6156 	register struct block *b0, *b1, *b2;
6157 	register struct slist *s;
6158 
6159 	switch (proto) {
6160 
6161 	case Q_DEFAULT:
6162 	case Q_LINK:
6163                 switch (linktype) {
6164                 case DLT_ARCNET:
6165                 case DLT_ARCNET_LINUX:
6166                     /* all ARCnet multicasts use the same address */
6167                     return gen_ahostop(abroadcast, Q_DST);
6168                 case  DLT_EN10MB:
6169                     /* ether[0] & 1 != 0 */
6170                     return gen_mac_multicast(0);
6171                 case DLT_FDDI:
6172                     /*
6173                      * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
6174                      *
6175                      * XXX - was that referring to bit-order issues?
6176                      */
6177                     /* fddi[1] & 1 != 0 */
6178                     return gen_mac_multicast(1);
6179                 case DLT_IEEE802:
6180                     /* tr[2] & 1 != 0 */
6181                     return gen_mac_multicast(2);
6182                 case DLT_IEEE802_11:
6183                 case DLT_IEEE802_11_RADIO_AVS:
6184 				case DLT_PPI:
6185                 case DLT_IEEE802_11_RADIO:
6186                 case DLT_PRISM_HEADER:
6187                     /*
6188                      * Oh, yuk.
6189                      *
6190                      *	For control frames, there is no DA.
6191                      *
6192                      *	For management frames, DA is at an
6193                      *	offset of 4 from the beginning of
6194                      *	the packet.
6195                      *
6196                      *	For data frames, DA is at an offset
6197                      *	of 4 from the beginning of the packet
6198                      *	if To DS is clear and at an offset of
6199                      *	16 from the beginning of the packet
6200                      *	if To DS is set.
6201                      */
6202 
6203                     /*
6204                      * Generate the tests to be done for data frames.
6205                      *
6206                      * First, check for To DS set, i.e. "link[1] & 0x01".
6207                      */
6208                     s = gen_load_a(OR_LINK, 1, BPF_B);
6209                     b1 = new_block(JMP(BPF_JSET));
6210                     b1->s.k = 0x01;	/* To DS */
6211                     b1->stmts = s;
6212 
6213                     /*
6214                      * If To DS is set, the DA is at 16.
6215                      */
6216                     b0 = gen_mac_multicast(16);
6217                     gen_and(b1, b0);
6218 
6219                     /*
6220                      * Now, check for To DS not set, i.e. check
6221                      * "!(link[1] & 0x01)".
6222                      */
6223                     s = gen_load_a(OR_LINK, 1, BPF_B);
6224                     b2 = new_block(JMP(BPF_JSET));
6225                     b2->s.k = 0x01;	/* To DS */
6226                     b2->stmts = s;
6227                     gen_not(b2);
6228 
6229                     /*
6230                      * If To DS is not set, the DA is at 4.
6231                      */
6232                     b1 = gen_mac_multicast(4);
6233                     gen_and(b2, b1);
6234 
6235                     /*
6236                      * Now OR together the last two checks.  That gives
6237                      * the complete set of checks for data frames.
6238                      */
6239                     gen_or(b1, b0);
6240 
6241                     /*
6242                      * Now check for a data frame.
6243                      * I.e, check "link[0] & 0x08".
6244                      */
6245                     s = gen_load_a(OR_LINK, 0, BPF_B);
6246                     b1 = new_block(JMP(BPF_JSET));
6247                     b1->s.k = 0x08;
6248                     b1->stmts = s;
6249 
6250                     /*
6251                      * AND that with the checks done for data frames.
6252                      */
6253                     gen_and(b1, b0);
6254 
6255                     /*
6256                      * If the high-order bit of the type value is 0, this
6257                      * is a management frame.
6258                      * I.e, check "!(link[0] & 0x08)".
6259                      */
6260                     s = gen_load_a(OR_LINK, 0, BPF_B);
6261                     b2 = new_block(JMP(BPF_JSET));
6262                     b2->s.k = 0x08;
6263                     b2->stmts = s;
6264                     gen_not(b2);
6265 
6266                     /*
6267                      * For management frames, the DA is at 4.
6268                      */
6269                     b1 = gen_mac_multicast(4);
6270                     gen_and(b2, b1);
6271 
6272                     /*
6273                      * OR that with the checks done for data frames.
6274                      * That gives the checks done for management and
6275                      * data frames.
6276                      */
6277                     gen_or(b1, b0);
6278 
6279                     /*
6280                      * If the low-order bit of the type value is 1,
6281                      * this is either a control frame or a frame
6282                      * with a reserved type, and thus not a
6283                      * frame with an SA.
6284                      *
6285                      * I.e., check "!(link[0] & 0x04)".
6286                      */
6287                     s = gen_load_a(OR_LINK, 0, BPF_B);
6288                     b1 = new_block(JMP(BPF_JSET));
6289                     b1->s.k = 0x04;
6290                     b1->stmts = s;
6291                     gen_not(b1);
6292 
6293                     /*
6294                      * AND that with the checks for data and management
6295                      * frames.
6296                      */
6297                     gen_and(b1, b0);
6298                     return b0;
6299                 case DLT_IP_OVER_FC:
6300                     b0 = gen_mac_multicast(2);
6301                     return b0;
6302                 case DLT_SUNATM:
6303                     if (is_lane) {
6304 			/*
6305 			 * Check that the packet doesn't begin with an
6306 			 * LE Control marker.  (We've already generated
6307 			 * a test for LANE.)
6308 			 */
6309 			b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6310 			    0xFF00);
6311 			gen_not(b1);
6312 
6313 			/* ether[off_mac] & 1 != 0 */
6314 			b0 = gen_mac_multicast(off_mac);
6315 			gen_and(b1, b0);
6316 			return b0;
6317                     }
6318                     break;
6319                 default:
6320                     break;
6321                 }
6322                 /* Link not known to support multicasts */
6323                 break;
6324 
6325 	case Q_IP:
6326 		b0 = gen_linktype(ETHERTYPE_IP);
6327 		b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
6328 		gen_and(b0, b1);
6329 		return b1;
6330 
6331 #ifdef INET6
6332 	case Q_IPV6:
6333 		b0 = gen_linktype(ETHERTYPE_IPV6);
6334 		b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
6335 		gen_and(b0, b1);
6336 		return b1;
6337 #endif /* INET6 */
6338 	}
6339 	bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
6340 	/* NOTREACHED */
6341 	return NULL;
6342 }
6343 
6344 /*
6345  * generate command for inbound/outbound.  It's here so we can
6346  * make it link-type specific.  'dir' = 0 implies "inbound",
6347  * = 1 implies "outbound".
6348  */
6349 struct block *
6350 gen_inbound(dir)
6351 	int dir;
6352 {
6353 	register struct block *b0;
6354 
6355 	/*
6356 	 * Only some data link types support inbound/outbound qualifiers.
6357 	 */
6358 	switch (linktype) {
6359 	case DLT_SLIP:
6360 		b0 = gen_relation(BPF_JEQ,
6361 			  gen_load(Q_LINK, gen_loadi(0), 1),
6362 			  gen_loadi(0),
6363 			  dir);
6364 		break;
6365 
6366 	case DLT_LINUX_SLL:
6367 		if (dir) {
6368 			/*
6369 			 * Match packets sent by this machine.
6370 			 */
6371 			b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
6372 		} else {
6373 			/*
6374 			 * Match packets sent to this machine.
6375 			 * (No broadcast or multicast packets, or
6376 			 * packets sent to some other machine and
6377 			 * received promiscuously.)
6378 			 *
6379 			 * XXX - packets sent to other machines probably
6380 			 * shouldn't be matched, but what about broadcast
6381 			 * or multicast packets we received?
6382 			 */
6383 			b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
6384 		}
6385 		break;
6386 
6387 #ifdef HAVE_NET_PFVAR_H
6388 	case DLT_PFLOG:
6389 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
6390 		    (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
6391 		break;
6392 #endif
6393 
6394 	case DLT_PPP_PPPD:
6395 		if (dir) {
6396 			/* match outgoing packets */
6397 			b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
6398 		} else {
6399 			/* match incoming packets */
6400 			b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
6401 		}
6402 		break;
6403 
6404         case DLT_JUNIPER_MFR:
6405         case DLT_JUNIPER_MLFR:
6406         case DLT_JUNIPER_MLPPP:
6407 	case DLT_JUNIPER_ATM1:
6408 	case DLT_JUNIPER_ATM2:
6409 	case DLT_JUNIPER_PPPOE:
6410 	case DLT_JUNIPER_PPPOE_ATM:
6411         case DLT_JUNIPER_GGSN:
6412         case DLT_JUNIPER_ES:
6413         case DLT_JUNIPER_MONITOR:
6414         case DLT_JUNIPER_SERVICES:
6415         case DLT_JUNIPER_ETHER:
6416         case DLT_JUNIPER_PPP:
6417         case DLT_JUNIPER_FRELAY:
6418         case DLT_JUNIPER_CHDLC:
6419         case DLT_JUNIPER_VP:
6420 		/* juniper flags (including direction) are stored
6421 		 * the byte after the 3-byte magic number */
6422 		if (dir) {
6423 			/* match outgoing packets */
6424 			b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
6425 		} else {
6426 			/* match incoming packets */
6427 			b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
6428 		}
6429 	    break;
6430 
6431 	default:
6432 		bpf_error("inbound/outbound not supported on linktype %d",
6433 		    linktype);
6434 		b0 = NULL;
6435 		/* NOTREACHED */
6436 	}
6437 	return (b0);
6438 }
6439 
6440 #ifdef HAVE_NET_PFVAR_H
6441 /* PF firewall log matched interface */
6442 struct block *
6443 gen_pf_ifname(const char *ifname)
6444 {
6445 	struct block *b0;
6446 	u_int len, off;
6447 
6448 	if (linktype == DLT_PFLOG) {
6449 		len = sizeof(((struct pfloghdr *)0)->ifname);
6450 		off = offsetof(struct pfloghdr, ifname);
6451 	} else {
6452 		bpf_error("ifname not supported on linktype 0x%x", linktype);
6453 		/* NOTREACHED */
6454 	}
6455 	if (strlen(ifname) >= len) {
6456 		bpf_error("ifname interface names can only be %d characters",
6457 		    len-1);
6458 		/* NOTREACHED */
6459 	}
6460 	b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
6461 	return (b0);
6462 }
6463 
6464 /* PF firewall log ruleset name */
6465 struct block *
6466 gen_pf_ruleset(char *ruleset)
6467 {
6468 	struct block *b0;
6469 
6470 	if (linktype != DLT_PFLOG) {
6471 		bpf_error("ruleset not supported on linktype 0x%x", linktype);
6472 		/* NOTREACHED */
6473 	}
6474 	if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
6475 		bpf_error("ruleset names can only be %ld characters",
6476 		    (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
6477 		/* NOTREACHED */
6478 	}
6479 	b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
6480 	    strlen(ruleset), (const u_char *)ruleset);
6481 	return (b0);
6482 }
6483 
6484 /* PF firewall log rule number */
6485 struct block *
6486 gen_pf_rnr(int rnr)
6487 {
6488 	struct block *b0;
6489 
6490 	if (linktype == DLT_PFLOG) {
6491 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
6492 			 (bpf_int32)rnr);
6493 	} else {
6494 		bpf_error("rnr not supported on linktype 0x%x", linktype);
6495 		/* NOTREACHED */
6496 	}
6497 
6498 	return (b0);
6499 }
6500 
6501 /* PF firewall log sub-rule number */
6502 struct block *
6503 gen_pf_srnr(int srnr)
6504 {
6505 	struct block *b0;
6506 
6507 	if (linktype != DLT_PFLOG) {
6508 		bpf_error("srnr not supported on linktype 0x%x", linktype);
6509 		/* NOTREACHED */
6510 	}
6511 
6512 	b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
6513 	    (bpf_int32)srnr);
6514 	return (b0);
6515 }
6516 
6517 /* PF firewall log reason code */
6518 struct block *
6519 gen_pf_reason(int reason)
6520 {
6521 	struct block *b0;
6522 
6523 	if (linktype == DLT_PFLOG) {
6524 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
6525 		    (bpf_int32)reason);
6526 	} else {
6527 		bpf_error("reason not supported on linktype 0x%x", linktype);
6528 		/* NOTREACHED */
6529 	}
6530 
6531 	return (b0);
6532 }
6533 
6534 /* PF firewall log action */
6535 struct block *
6536 gen_pf_action(int action)
6537 {
6538 	struct block *b0;
6539 
6540 	if (linktype == DLT_PFLOG) {
6541 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
6542 		    (bpf_int32)action);
6543 	} else {
6544 		bpf_error("action not supported on linktype 0x%x", linktype);
6545 		/* NOTREACHED */
6546 	}
6547 
6548 	return (b0);
6549 }
6550 #else /* !HAVE_NET_PFVAR_H */
6551 struct block *
6552 gen_pf_ifname(const char *ifname)
6553 {
6554 	bpf_error("libpcap was compiled without pf support");
6555 	/* NOTREACHED */
6556 	return (NULL);
6557 }
6558 
6559 struct block *
6560 gen_pf_ruleset(char *ruleset)
6561 {
6562 	bpf_error("libpcap was compiled on a machine without pf support");
6563 	/* NOTREACHED */
6564 	return (NULL);
6565 }
6566 
6567 struct block *
6568 gen_pf_rnr(int rnr)
6569 {
6570 	bpf_error("libpcap was compiled on a machine without pf support");
6571 	/* NOTREACHED */
6572 	return (NULL);
6573 }
6574 
6575 struct block *
6576 gen_pf_srnr(int srnr)
6577 {
6578 	bpf_error("libpcap was compiled on a machine without pf support");
6579 	/* NOTREACHED */
6580 	return (NULL);
6581 }
6582 
6583 struct block *
6584 gen_pf_reason(int reason)
6585 {
6586 	bpf_error("libpcap was compiled on a machine without pf support");
6587 	/* NOTREACHED */
6588 	return (NULL);
6589 }
6590 
6591 struct block *
6592 gen_pf_action(int action)
6593 {
6594 	bpf_error("libpcap was compiled on a machine without pf support");
6595 	/* NOTREACHED */
6596 	return (NULL);
6597 }
6598 #endif /* HAVE_NET_PFVAR_H */
6599 
6600 struct block *
6601 gen_acode(eaddr, q)
6602 	register const u_char *eaddr;
6603 	struct qual q;
6604 {
6605 	if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6606 		if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
6607 			return gen_ahostop(eaddr, (int)q.dir);
6608 	}
6609 	bpf_error("ARCnet address used in non-arc expression");
6610 	/* NOTREACHED */
6611 	return NULL;
6612 }
6613 
6614 static struct block *
6615 gen_ahostop(eaddr, dir)
6616 	register const u_char *eaddr;
6617 	register int dir;
6618 {
6619 	register struct block *b0, *b1;
6620 
6621 	switch (dir) {
6622 	/* src comes first, different from Ethernet */
6623 	case Q_SRC:
6624 		return gen_bcmp(OR_LINK, 0, 1, eaddr);
6625 
6626 	case Q_DST:
6627 		return gen_bcmp(OR_LINK, 1, 1, eaddr);
6628 
6629 	case Q_AND:
6630 		b0 = gen_ahostop(eaddr, Q_SRC);
6631 		b1 = gen_ahostop(eaddr, Q_DST);
6632 		gen_and(b0, b1);
6633 		return b1;
6634 
6635 	case Q_DEFAULT:
6636 	case Q_OR:
6637 		b0 = gen_ahostop(eaddr, Q_SRC);
6638 		b1 = gen_ahostop(eaddr, Q_DST);
6639 		gen_or(b0, b1);
6640 		return b1;
6641 	}
6642 	abort();
6643 	/* NOTREACHED */
6644 }
6645 
6646 /*
6647  * support IEEE 802.1Q VLAN trunk over ethernet
6648  */
6649 struct block *
6650 gen_vlan(vlan_num)
6651 	int vlan_num;
6652 {
6653 	struct	block	*b0, *b1;
6654 
6655 	/* can't check for VLAN-encapsulated packets inside MPLS */
6656 	if (label_stack_depth > 0)
6657 		bpf_error("no VLAN match after MPLS");
6658 
6659 	/*
6660 	 * Change the offsets to point to the type and data fields within
6661 	 * the VLAN packet.  Just increment the offsets, so that we
6662 	 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
6663 	 * capture VLAN 200 encapsulated within VLAN 100.
6664 	 *
6665 	 * XXX - this is a bit of a kludge.  If we were to split the
6666 	 * compiler into a parser that parses an expression and
6667 	 * generates an expression tree, and a code generator that
6668 	 * takes an expression tree (which could come from our
6669 	 * parser or from some other parser) and generates BPF code,
6670 	 * we could perhaps make the offsets parameters of routines
6671 	 * and, in the handler for an "AND" node, pass to subnodes
6672 	 * other than the VLAN node the adjusted offsets.
6673 	 *
6674 	 * This would mean that "vlan" would, instead of changing the
6675 	 * behavior of *all* tests after it, change only the behavior
6676 	 * of tests ANDed with it.  That would change the documented
6677 	 * semantics of "vlan", which might break some expressions.
6678 	 * However, it would mean that "(vlan and ip) or ip" would check
6679 	 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6680 	 * checking only for VLAN-encapsulated IP, so that could still
6681 	 * be considered worth doing; it wouldn't break expressions
6682 	 * that are of the form "vlan and ..." or "vlan N and ...",
6683 	 * which I suspect are the most common expressions involving
6684 	 * "vlan".  "vlan or ..." doesn't necessarily do what the user
6685 	 * would really want, now, as all the "or ..." tests would
6686 	 * be done assuming a VLAN, even though the "or" could be viewed
6687 	 * as meaning "or, if this isn't a VLAN packet...".
6688 	 */
6689 	orig_linktype = off_linktype;	/* save original values */
6690 	orig_nl = off_nl;
6691 
6692 	switch (linktype) {
6693 
6694 	case DLT_EN10MB:
6695 		off_linktype += 4;
6696 		off_nl_nosnap += 4;
6697 		off_nl += 4;
6698 		break;
6699 
6700 	default:
6701 		bpf_error("no VLAN support for data link type %d",
6702 		      linktype);
6703 		/*NOTREACHED*/
6704 	}
6705 
6706 	/* check for VLAN */
6707 	b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
6708 
6709 	/* If a specific VLAN is requested, check VLAN id */
6710 	if (vlan_num >= 0) {
6711 		b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num,
6712 		    0x0fff);
6713 		gen_and(b0, b1);
6714 		b0 = b1;
6715 	}
6716 
6717 	return (b0);
6718 }
6719 
6720 /*
6721  * support for MPLS
6722  */
6723 struct block *
6724 gen_mpls(label_num)
6725 	int label_num;
6726 {
6727 	struct	block	*b0,*b1;
6728 
6729 	/*
6730 	 * Change the offsets to point to the type and data fields within
6731 	 * the MPLS packet.  Just increment the offsets, so that we
6732 	 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
6733 	 * capture packets with an outer label of 100000 and an inner
6734 	 * label of 1024.
6735 	 *
6736 	 * XXX - this is a bit of a kludge.  See comments in gen_vlan().
6737 	 */
6738         orig_nl = off_nl;
6739 
6740         if (label_stack_depth > 0) {
6741             /* just match the bottom-of-stack bit clear */
6742             b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01);
6743         } else {
6744             /*
6745              * Indicate that we're checking MPLS-encapsulated headers,
6746              * to make sure higher level code generators don't try to
6747              * match against IP-related protocols such as Q_ARP, Q_RARP
6748              * etc.
6749              */
6750             switch (linktype) {
6751 
6752             case DLT_C_HDLC: /* fall through */
6753             case DLT_EN10MB:
6754                     b0 = gen_linktype(ETHERTYPE_MPLS);
6755                     break;
6756 
6757             case DLT_PPP:
6758                     b0 = gen_linktype(PPP_MPLS_UCAST);
6759                     break;
6760 
6761                     /* FIXME add other DLT_s ...
6762                      * for Frame-Relay/and ATM this may get messy due to SNAP headers
6763                      * leave it for now */
6764 
6765             default:
6766                     bpf_error("no MPLS support for data link type %d",
6767                           linktype);
6768                     b0 = NULL;
6769                     /*NOTREACHED*/
6770                     break;
6771             }
6772         }
6773 
6774 	/* If a specific MPLS label is requested, check it */
6775 	if (label_num >= 0) {
6776 		label_num = label_num << 12; /* label is shifted 12 bits on the wire */
6777 		b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num,
6778 		    0xfffff000); /* only compare the first 20 bits */
6779 		gen_and(b0, b1);
6780 		b0 = b1;
6781 	}
6782 
6783         off_nl_nosnap += 4;
6784         off_nl += 4;
6785         label_stack_depth++;
6786 	return (b0);
6787 }
6788 
6789 /*
6790  * Support PPPOE discovery and session.
6791  */
6792 struct block *
6793 gen_pppoed()
6794 {
6795 	/* check for PPPoE discovery */
6796 	return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
6797 }
6798 
6799 struct block *
6800 gen_pppoes()
6801 {
6802 	struct block *b0;
6803 
6804 	/*
6805 	 * Test against the PPPoE session link-layer type.
6806 	 */
6807 	b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
6808 
6809 	/*
6810 	 * Change the offsets to point to the type and data fields within
6811 	 * the PPP packet.
6812 	 *
6813 	 * XXX - this is a bit of a kludge.  If we were to split the
6814 	 * compiler into a parser that parses an expression and
6815 	 * generates an expression tree, and a code generator that
6816 	 * takes an expression tree (which could come from our
6817 	 * parser or from some other parser) and generates BPF code,
6818 	 * we could perhaps make the offsets parameters of routines
6819 	 * and, in the handler for an "AND" node, pass to subnodes
6820 	 * other than the PPPoE node the adjusted offsets.
6821 	 *
6822 	 * This would mean that "pppoes" would, instead of changing the
6823 	 * behavior of *all* tests after it, change only the behavior
6824 	 * of tests ANDed with it.  That would change the documented
6825 	 * semantics of "pppoes", which might break some expressions.
6826 	 * However, it would mean that "(pppoes and ip) or ip" would check
6827 	 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6828 	 * checking only for VLAN-encapsulated IP, so that could still
6829 	 * be considered worth doing; it wouldn't break expressions
6830 	 * that are of the form "pppoes and ..." which I suspect are the
6831 	 * most common expressions involving "pppoes".  "pppoes or ..."
6832 	 * doesn't necessarily do what the user would really want, now,
6833 	 * as all the "or ..." tests would be done assuming PPPoE, even
6834 	 * though the "or" could be viewed as meaning "or, if this isn't
6835 	 * a PPPoE packet...".
6836 	 */
6837 	orig_linktype = off_linktype;	/* save original values */
6838 	orig_nl = off_nl;
6839 
6840 	/*
6841 	 * The "network-layer" protocol is PPPoE, which has a 6-byte
6842 	 * PPPoE header, followed by PPP payload, so we set the
6843 	 * offsets to the network layer offset plus 6 bytes for
6844 	 * the PPPoE header plus the values appropriate for PPP when
6845 	 * encapsulated in Ethernet (which means there's no HDLC
6846 	 * encapsulation).
6847 	 */
6848 	off_linktype = orig_nl + 6;
6849 	off_nl = orig_nl + 6 + 2;
6850 	off_nl_nosnap = orig_nl + 6 + 2;
6851 
6852 	/*
6853 	 * Set the link-layer type to PPP, as all subsequent tests will
6854 	 * be on the encapsulated PPP header.
6855 	 */
6856 	linktype = DLT_PPP;
6857 
6858 	return b0;
6859 }
6860 
6861 struct block *
6862 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
6863 	int atmfield;
6864 	bpf_int32 jvalue;
6865 	bpf_u_int32 jtype;
6866 	int reverse;
6867 {
6868 	struct block *b0;
6869 
6870 	switch (atmfield) {
6871 
6872 	case A_VPI:
6873 		if (!is_atm)
6874 			bpf_error("'vpi' supported only on raw ATM");
6875 		if (off_vpi == (u_int)-1)
6876 			abort();
6877 		b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
6878 		    reverse, jvalue);
6879 		break;
6880 
6881 	case A_VCI:
6882 		if (!is_atm)
6883 			bpf_error("'vci' supported only on raw ATM");
6884 		if (off_vci == (u_int)-1)
6885 			abort();
6886 		b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
6887 		    reverse, jvalue);
6888 		break;
6889 
6890 	case A_PROTOTYPE:
6891 		if (off_proto == (u_int)-1)
6892 			abort();	/* XXX - this isn't on FreeBSD */
6893 		b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
6894 		    reverse, jvalue);
6895 		break;
6896 
6897 	case A_MSGTYPE:
6898 		if (off_payload == (u_int)-1)
6899 			abort();
6900 		b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
6901 		    0xffffffff, jtype, reverse, jvalue);
6902 		break;
6903 
6904 	case A_CALLREFTYPE:
6905 		if (!is_atm)
6906 			bpf_error("'callref' supported only on raw ATM");
6907 		if (off_proto == (u_int)-1)
6908 			abort();
6909 		b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
6910 		    jtype, reverse, jvalue);
6911 		break;
6912 
6913 	default:
6914 		abort();
6915 	}
6916 	return b0;
6917 }
6918 
6919 struct block *
6920 gen_atmtype_abbrev(type)
6921 	int type;
6922 {
6923 	struct block *b0, *b1;
6924 
6925 	switch (type) {
6926 
6927 	case A_METAC:
6928 		/* Get all packets in Meta signalling Circuit */
6929 		if (!is_atm)
6930 			bpf_error("'metac' supported only on raw ATM");
6931 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6932 		b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
6933 		gen_and(b0, b1);
6934 		break;
6935 
6936 	case A_BCC:
6937 		/* Get all packets in Broadcast Circuit*/
6938 		if (!is_atm)
6939 			bpf_error("'bcc' supported only on raw ATM");
6940 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6941 		b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
6942 		gen_and(b0, b1);
6943 		break;
6944 
6945 	case A_OAMF4SC:
6946 		/* Get all cells in Segment OAM F4 circuit*/
6947 		if (!is_atm)
6948 			bpf_error("'oam4sc' supported only on raw ATM");
6949 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6950 		b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6951 		gen_and(b0, b1);
6952 		break;
6953 
6954 	case A_OAMF4EC:
6955 		/* Get all cells in End-to-End OAM F4 Circuit*/
6956 		if (!is_atm)
6957 			bpf_error("'oam4ec' supported only on raw ATM");
6958 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6959 		b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6960 		gen_and(b0, b1);
6961 		break;
6962 
6963 	case A_SC:
6964 		/*  Get all packets in connection Signalling Circuit */
6965 		if (!is_atm)
6966 			bpf_error("'sc' supported only on raw ATM");
6967 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6968 		b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
6969 		gen_and(b0, b1);
6970 		break;
6971 
6972 	case A_ILMIC:
6973 		/* Get all packets in ILMI Circuit */
6974 		if (!is_atm)
6975 			bpf_error("'ilmic' supported only on raw ATM");
6976 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6977 		b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
6978 		gen_and(b0, b1);
6979 		break;
6980 
6981 	case A_LANE:
6982 		/* Get all LANE packets */
6983 		if (!is_atm)
6984 			bpf_error("'lane' supported only on raw ATM");
6985 		b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
6986 
6987 		/*
6988 		 * Arrange that all subsequent tests assume LANE
6989 		 * rather than LLC-encapsulated packets, and set
6990 		 * the offsets appropriately for LANE-encapsulated
6991 		 * Ethernet.
6992 		 *
6993 		 * "off_mac" is the offset of the Ethernet header,
6994 		 * which is 2 bytes past the ATM pseudo-header
6995 		 * (skipping the pseudo-header and 2-byte LE Client
6996 		 * field).  The other offsets are Ethernet offsets
6997 		 * relative to "off_mac".
6998 		 */
6999 		is_lane = 1;
7000 		off_mac = off_payload + 2;	/* MAC header */
7001 		off_linktype = off_mac + 12;
7002 		off_nl = off_mac + 14;		/* Ethernet II */
7003 		off_nl_nosnap = off_mac + 17;	/* 802.3+802.2 */
7004 		break;
7005 
7006 	case A_LLC:
7007 		/* Get all LLC-encapsulated packets */
7008 		if (!is_atm)
7009 			bpf_error("'llc' supported only on raw ATM");
7010 		b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
7011 		is_lane = 0;
7012 		break;
7013 
7014 	default:
7015 		abort();
7016 	}
7017 	return b1;
7018 }
7019 
7020 /*
7021  * Filtering for MTP2 messages based on li value
7022  * FISU, length is null
7023  * LSSU, length is 1 or 2
7024  * MSU, length is 3 or more
7025  */
7026 struct block *
7027 gen_mtp2type_abbrev(type)
7028 	int type;
7029 {
7030 	struct block *b0, *b1;
7031 
7032 	switch (type) {
7033 
7034 	case M_FISU:
7035 		if ( (linktype != DLT_MTP2) &&
7036 		     (linktype != DLT_MTP2_WITH_PHDR) )
7037 			bpf_error("'fisu' supported only on MTP2");
7038 		/* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
7039 		b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
7040 		break;
7041 
7042 	case M_LSSU:
7043 		if ( (linktype != DLT_MTP2) &&
7044 		     (linktype != DLT_MTP2_WITH_PHDR) )
7045 			bpf_error("'lssu' supported only on MTP2");
7046 		b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
7047 		b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
7048 		gen_and(b1, b0);
7049 		break;
7050 
7051 	case M_MSU:
7052 		if ( (linktype != DLT_MTP2) &&
7053 		     (linktype != DLT_MTP2_WITH_PHDR) )
7054 			bpf_error("'msu' supported only on MTP2");
7055 		b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
7056 		break;
7057 
7058 	default:
7059 		abort();
7060 	}
7061 	return b0;
7062 }
7063 
7064 struct block *
7065 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
7066 	int mtp3field;
7067 	bpf_u_int32 jvalue;
7068 	bpf_u_int32 jtype;
7069 	int reverse;
7070 {
7071 	struct block *b0;
7072 	bpf_u_int32 val1 , val2 , val3;
7073 
7074 	switch (mtp3field) {
7075 
7076 	case M_SIO:
7077 		if (off_sio == (u_int)-1)
7078 			bpf_error("'sio' supported only on SS7");
7079 		/* sio coded on 1 byte so max value 255 */
7080 		if(jvalue > 255)
7081 		        bpf_error("sio value %u too big; max value = 255",
7082 		            jvalue);
7083 		b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
7084 		    (u_int)jtype, reverse, (u_int)jvalue);
7085 		break;
7086 
7087         case M_OPC:
7088 	        if (off_opc == (u_int)-1)
7089 			bpf_error("'opc' supported only on SS7");
7090 		/* opc coded on 14 bits so max value 16383 */
7091 		if (jvalue > 16383)
7092 		        bpf_error("opc value %u too big; max value = 16383",
7093 		            jvalue);
7094 		/* the following instructions are made to convert jvalue
7095 		 * to the form used to write opc in an ss7 message*/
7096 		val1 = jvalue & 0x00003c00;
7097 		val1 = val1 >>10;
7098 		val2 = jvalue & 0x000003fc;
7099 		val2 = val2 <<6;
7100 		val3 = jvalue & 0x00000003;
7101 		val3 = val3 <<22;
7102 		jvalue = val1 + val2 + val3;
7103 		b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
7104 		    (u_int)jtype, reverse, (u_int)jvalue);
7105 		break;
7106 
7107 	case M_DPC:
7108 	        if (off_dpc == (u_int)-1)
7109 			bpf_error("'dpc' supported only on SS7");
7110 		/* dpc coded on 14 bits so max value 16383 */
7111 		if (jvalue > 16383)
7112 		        bpf_error("dpc value %u too big; max value = 16383",
7113 		            jvalue);
7114 		/* the following instructions are made to convert jvalue
7115 		 * to the forme used to write dpc in an ss7 message*/
7116 		val1 = jvalue & 0x000000ff;
7117 		val1 = val1 << 24;
7118 		val2 = jvalue & 0x00003f00;
7119 		val2 = val2 << 8;
7120 		jvalue = val1 + val2;
7121 		b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
7122 		    (u_int)jtype, reverse, (u_int)jvalue);
7123 		break;
7124 
7125 	case M_SLS:
7126 	        if (off_sls == (u_int)-1)
7127 			bpf_error("'sls' supported only on SS7");
7128 		/* sls coded on 4 bits so max value 15 */
7129 		if (jvalue > 15)
7130 		         bpf_error("sls value %u too big; max value = 15",
7131 		             jvalue);
7132 		/* the following instruction is made to convert jvalue
7133 		 * to the forme used to write sls in an ss7 message*/
7134 		jvalue = jvalue << 4;
7135 		b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
7136 		    (u_int)jtype,reverse, (u_int)jvalue);
7137 		break;
7138 
7139 	default:
7140 		abort();
7141 	}
7142 	return b0;
7143 }
7144 
7145 static struct block *
7146 gen_msg_abbrev(type)
7147 	int type;
7148 {
7149 	struct block *b1;
7150 
7151 	/*
7152 	 * Q.2931 signalling protocol messages for handling virtual circuits
7153 	 * establishment and teardown
7154 	 */
7155 	switch (type) {
7156 
7157 	case A_SETUP:
7158 		b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
7159 		break;
7160 
7161 	case A_CALLPROCEED:
7162 		b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
7163 		break;
7164 
7165 	case A_CONNECT:
7166 		b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
7167 		break;
7168 
7169 	case A_CONNECTACK:
7170 		b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
7171 		break;
7172 
7173 	case A_RELEASE:
7174 		b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
7175 		break;
7176 
7177 	case A_RELEASE_DONE:
7178 		b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
7179 		break;
7180 
7181 	default:
7182 		abort();
7183 	}
7184 	return b1;
7185 }
7186 
7187 struct block *
7188 gen_atmmulti_abbrev(type)
7189 	int type;
7190 {
7191 	struct block *b0, *b1;
7192 
7193 	switch (type) {
7194 
7195 	case A_OAM:
7196 		if (!is_atm)
7197 			bpf_error("'oam' supported only on raw ATM");
7198 		b1 = gen_atmmulti_abbrev(A_OAMF4);
7199 		break;
7200 
7201 	case A_OAMF4:
7202 		if (!is_atm)
7203 			bpf_error("'oamf4' supported only on raw ATM");
7204 		/* OAM F4 type */
7205 		b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7206 		b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7207 		gen_or(b0, b1);
7208 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7209 		gen_and(b0, b1);
7210 		break;
7211 
7212 	case A_CONNECTMSG:
7213 		/*
7214 		 * Get Q.2931 signalling messages for switched
7215 		 * virtual connection
7216 		 */
7217 		if (!is_atm)
7218 			bpf_error("'connectmsg' supported only on raw ATM");
7219 		b0 = gen_msg_abbrev(A_SETUP);
7220 		b1 = gen_msg_abbrev(A_CALLPROCEED);
7221 		gen_or(b0, b1);
7222 		b0 = gen_msg_abbrev(A_CONNECT);
7223 		gen_or(b0, b1);
7224 		b0 = gen_msg_abbrev(A_CONNECTACK);
7225 		gen_or(b0, b1);
7226 		b0 = gen_msg_abbrev(A_RELEASE);
7227 		gen_or(b0, b1);
7228 		b0 = gen_msg_abbrev(A_RELEASE_DONE);
7229 		gen_or(b0, b1);
7230 		b0 = gen_atmtype_abbrev(A_SC);
7231 		gen_and(b0, b1);
7232 		break;
7233 
7234 	case A_METACONNECT:
7235 		if (!is_atm)
7236 			bpf_error("'metaconnect' supported only on raw ATM");
7237 		b0 = gen_msg_abbrev(A_SETUP);
7238 		b1 = gen_msg_abbrev(A_CALLPROCEED);
7239 		gen_or(b0, b1);
7240 		b0 = gen_msg_abbrev(A_CONNECT);
7241 		gen_or(b0, b1);
7242 		b0 = gen_msg_abbrev(A_RELEASE);
7243 		gen_or(b0, b1);
7244 		b0 = gen_msg_abbrev(A_RELEASE_DONE);
7245 		gen_or(b0, b1);
7246 		b0 = gen_atmtype_abbrev(A_METAC);
7247 		gen_and(b0, b1);
7248 		break;
7249 
7250 	default:
7251 		abort();
7252 	}
7253 	return b1;
7254 }
7255