xref: /freebsd/contrib/libpcap/gencode.c (revision 282a3889ebf826db9839be296ff1dd903f6d6d6e)
1 /*#define CHASE_CHAIN*/
2 /*
3  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4  *	The Regents of the University of California.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that: (1) source code distributions
8  * retain the above copyright notice and this paragraph in its entirety, (2)
9  * distributions including binary code include the above copyright notice and
10  * this paragraph in its entirety in the documentation or other materials
11  * provided with the distribution, and (3) all advertising materials mentioning
12  * features or use of this software display the following acknowledgement:
13  * ``This product includes software developed by the University of California,
14  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15  * the University nor the names of its contributors may be used to endorse
16  * or promote products derived from this software without specific prior
17  * written permission.
18  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21  *
22  * $FreeBSD$
23  */
24 #ifndef lint
25 static const char rcsid[] _U_ =
26     "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.34 2005/09/05 09:08:04 guy Exp $ (LBL)";
27 #endif
28 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32 
33 #ifdef WIN32
34 #include <pcap-stdinc.h>
35 #else /* WIN32 */
36 #include <sys/types.h>
37 #include <sys/socket.h>
38 #endif /* WIN32 */
39 
40 /*
41  * XXX - why was this included even on UNIX?
42  */
43 #ifdef __MINGW32__
44 #include "IP6_misc.h"
45 #endif
46 
47 #ifndef WIN32
48 
49 #ifdef __NetBSD__
50 #include <sys/param.h>
51 #endif
52 
53 #include <netinet/in.h>
54 
55 #endif /* WIN32 */
56 
57 #include <stdlib.h>
58 #include <string.h>
59 #include <memory.h>
60 #include <setjmp.h>
61 #include <stdarg.h>
62 
63 #ifdef MSDOS
64 #include "pcap-dos.h"
65 #endif
66 
67 #include "pcap-int.h"
68 
69 #include "ethertype.h"
70 #include "nlpid.h"
71 #include "llc.h"
72 #include "gencode.h"
73 #include "atmuni31.h"
74 #include "sunatmpos.h"
75 #include "ppp.h"
76 #include "sll.h"
77 #include "arcnet.h"
78 #include "pf.h"
79 #ifndef offsetof
80 #define offsetof(s, e) ((size_t)&((s *)0)->e)
81 #endif
82 #ifdef INET6
83 #ifndef WIN32
84 #include <netdb.h>	/* for "struct addrinfo" */
85 #endif /* WIN32 */
86 #endif /*INET6*/
87 #include <pcap-namedb.h>
88 
89 #define ETHERMTU	1500
90 
91 #ifndef IPPROTO_SCTP
92 #define IPPROTO_SCTP 132
93 #endif
94 
95 #ifdef HAVE_OS_PROTO_H
96 #include "os-proto.h"
97 #endif
98 
99 #define JMP(c) ((c)|BPF_JMP|BPF_K)
100 
101 /* Locals */
102 static jmp_buf top_ctx;
103 static pcap_t *bpf_pcap;
104 
105 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
106 static u_int	orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
107 
108 /* XXX */
109 #ifdef PCAP_FDDIPAD
110 static int	pcap_fddipad;
111 #endif
112 
113 /* VARARGS */
114 void
115 bpf_error(const char *fmt, ...)
116 {
117 	va_list ap;
118 
119 	va_start(ap, fmt);
120 	if (bpf_pcap != NULL)
121 		(void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
122 		    fmt, ap);
123 	va_end(ap);
124 	longjmp(top_ctx, 1);
125 	/* NOTREACHED */
126 }
127 
128 static void init_linktype(pcap_t *);
129 
130 static int alloc_reg(void);
131 static void free_reg(int);
132 
133 static struct block *root;
134 
135 /*
136  * Value passed to gen_load_a() to indicate what the offset argument
137  * is relative to.
138  */
139 enum e_offrel {
140 	OR_PACKET,	/* relative to the beginning of the packet */
141 	OR_LINK,	/* relative to the link-layer header */
142 	OR_NET,		/* relative to the network-layer header */
143 	OR_NET_NOSNAP,	/* relative to the network-layer header, with no SNAP header at the link layer */
144 	OR_TRAN_IPV4,	/* relative to the transport-layer header, with IPv4 network layer */
145 	OR_TRAN_IPV6	/* relative to the transport-layer header, with IPv6 network layer */
146 };
147 
148 /*
149  * We divy out chunks of memory rather than call malloc each time so
150  * we don't have to worry about leaking memory.  It's probably
151  * not a big deal if all this memory was wasted but if this ever
152  * goes into a library that would probably not be a good idea.
153  *
154  * XXX - this *is* in a library....
155  */
156 #define NCHUNKS 16
157 #define CHUNK0SIZE 1024
158 struct chunk {
159 	u_int n_left;
160 	void *m;
161 };
162 
163 static struct chunk chunks[NCHUNKS];
164 static int cur_chunk;
165 
166 static void *newchunk(u_int);
167 static void freechunks(void);
168 static inline struct block *new_block(int);
169 static inline struct slist *new_stmt(int);
170 static struct block *gen_retblk(int);
171 static inline void syntax(void);
172 
173 static void backpatch(struct block *, struct block *);
174 static void merge(struct block *, struct block *);
175 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
176 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
177 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
178 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
179 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
180 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
181     bpf_u_int32);
182 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
183 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
184     bpf_u_int32, bpf_u_int32, int, bpf_int32);
185 static struct slist *gen_load_llrel(u_int, u_int);
186 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
187 static struct slist *gen_loadx_iphdrlen(void);
188 static struct block *gen_uncond(int);
189 static inline struct block *gen_true(void);
190 static inline struct block *gen_false(void);
191 static struct block *gen_ether_linktype(int);
192 static struct block *gen_linux_sll_linktype(int);
193 static void insert_radiotap_load_llprefixlen(struct block *);
194 static void insert_load_llprefixlen(struct block *);
195 static struct slist *gen_llprefixlen(void);
196 static struct block *gen_linktype(int);
197 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
198 static struct block *gen_llc_linktype(int);
199 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
200 #ifdef INET6
201 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
202 #endif
203 static struct block *gen_ahostop(const u_char *, int);
204 static struct block *gen_ehostop(const u_char *, int);
205 static struct block *gen_fhostop(const u_char *, int);
206 static struct block *gen_thostop(const u_char *, int);
207 static struct block *gen_wlanhostop(const u_char *, int);
208 static struct block *gen_ipfchostop(const u_char *, int);
209 static struct block *gen_dnhostop(bpf_u_int32, int);
210 static struct block *gen_mpls_linktype(int);
211 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
212 #ifdef INET6
213 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
214 #endif
215 #ifndef INET6
216 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
217 #endif
218 static struct block *gen_ipfrag(void);
219 static struct block *gen_portatom(int, bpf_int32);
220 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
221 #ifdef INET6
222 static struct block *gen_portatom6(int, bpf_int32);
223 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
224 #endif
225 struct block *gen_portop(int, int, int);
226 static struct block *gen_port(int, int, int);
227 struct block *gen_portrangeop(int, int, int, int);
228 static struct block *gen_portrange(int, int, int, int);
229 #ifdef INET6
230 struct block *gen_portop6(int, int, int);
231 static struct block *gen_port6(int, int, int);
232 struct block *gen_portrangeop6(int, int, int, int);
233 static struct block *gen_portrange6(int, int, int, int);
234 #endif
235 static int lookup_proto(const char *, int);
236 static struct block *gen_protochain(int, int, int);
237 static struct block *gen_proto(int, int, int);
238 static struct slist *xfer_to_x(struct arth *);
239 static struct slist *xfer_to_a(struct arth *);
240 static struct block *gen_mac_multicast(int);
241 static struct block *gen_len(int, int);
242 
243 static struct block *gen_msg_abbrev(int type);
244 
245 static void *
246 newchunk(n)
247 	u_int n;
248 {
249 	struct chunk *cp;
250 	int k;
251 	size_t size;
252 
253 #ifndef __NetBSD__
254 	/* XXX Round up to nearest long. */
255 	n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
256 #else
257 	/* XXX Round up to structure boundary. */
258 	n = ALIGN(n);
259 #endif
260 
261 	cp = &chunks[cur_chunk];
262 	if (n > cp->n_left) {
263 		++cp, k = ++cur_chunk;
264 		if (k >= NCHUNKS)
265 			bpf_error("out of memory");
266 		size = CHUNK0SIZE << k;
267 		cp->m = (void *)malloc(size);
268 		if (cp->m == NULL)
269 			bpf_error("out of memory");
270 		memset((char *)cp->m, 0, size);
271 		cp->n_left = size;
272 		if (n > size)
273 			bpf_error("out of memory");
274 	}
275 	cp->n_left -= n;
276 	return (void *)((char *)cp->m + cp->n_left);
277 }
278 
279 static void
280 freechunks()
281 {
282 	int i;
283 
284 	cur_chunk = 0;
285 	for (i = 0; i < NCHUNKS; ++i)
286 		if (chunks[i].m != NULL) {
287 			free(chunks[i].m);
288 			chunks[i].m = NULL;
289 		}
290 }
291 
292 /*
293  * A strdup whose allocations are freed after code generation is over.
294  */
295 char *
296 sdup(s)
297 	register const char *s;
298 {
299 	int n = strlen(s) + 1;
300 	char *cp = newchunk(n);
301 
302 	strlcpy(cp, s, n);
303 	return (cp);
304 }
305 
306 static inline struct block *
307 new_block(code)
308 	int code;
309 {
310 	struct block *p;
311 
312 	p = (struct block *)newchunk(sizeof(*p));
313 	p->s.code = code;
314 	p->head = p;
315 
316 	return p;
317 }
318 
319 static inline struct slist *
320 new_stmt(code)
321 	int code;
322 {
323 	struct slist *p;
324 
325 	p = (struct slist *)newchunk(sizeof(*p));
326 	p->s.code = code;
327 
328 	return p;
329 }
330 
331 static struct block *
332 gen_retblk(v)
333 	int v;
334 {
335 	struct block *b = new_block(BPF_RET|BPF_K);
336 
337 	b->s.k = v;
338 	return b;
339 }
340 
341 static inline void
342 syntax()
343 {
344 	bpf_error("syntax error in filter expression");
345 }
346 
347 static bpf_u_int32 netmask;
348 static int snaplen;
349 int no_optimize;
350 
351 int
352 pcap_compile(pcap_t *p, struct bpf_program *program,
353 	     char *buf, int optimize, bpf_u_int32 mask)
354 {
355 	extern int n_errors;
356 	int len;
357 
358 	no_optimize = 0;
359 	n_errors = 0;
360 	root = NULL;
361 	bpf_pcap = p;
362 	if (setjmp(top_ctx)) {
363 		lex_cleanup();
364 		freechunks();
365 		return (-1);
366 	}
367 
368 	netmask = mask;
369 
370 	snaplen = pcap_snapshot(p);
371 	if (snaplen == 0) {
372 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
373 			 "snaplen of 0 rejects all packets");
374 		return -1;
375 	}
376 
377 	lex_init(buf ? buf : "");
378 	init_linktype(p);
379 	(void)pcap_parse();
380 
381 	if (n_errors)
382 		syntax();
383 
384 	if (root == NULL)
385 		root = gen_retblk(snaplen);
386 
387 	if (optimize && !no_optimize) {
388 		bpf_optimize(&root);
389 		if (root == NULL ||
390 		    (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
391 			bpf_error("expression rejects all packets");
392 	}
393 	program->bf_insns = icode_to_fcode(root, &len);
394 	program->bf_len = len;
395 
396 	lex_cleanup();
397 	freechunks();
398 	return (0);
399 }
400 
401 /*
402  * entry point for using the compiler with no pcap open
403  * pass in all the stuff that is needed explicitly instead.
404  */
405 int
406 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
407 		    struct bpf_program *program,
408 	     char *buf, int optimize, bpf_u_int32 mask)
409 {
410 	pcap_t *p;
411 	int ret;
412 
413 	p = pcap_open_dead(linktype_arg, snaplen_arg);
414 	if (p == NULL)
415 		return (-1);
416 	ret = pcap_compile(p, program, buf, optimize, mask);
417 	pcap_close(p);
418 	return (ret);
419 }
420 
421 /*
422  * Clean up a "struct bpf_program" by freeing all the memory allocated
423  * in it.
424  */
425 void
426 pcap_freecode(struct bpf_program *program)
427 {
428 	program->bf_len = 0;
429 	if (program->bf_insns != NULL) {
430 		free((char *)program->bf_insns);
431 		program->bf_insns = NULL;
432 	}
433 }
434 
435 /*
436  * Backpatch the blocks in 'list' to 'target'.  The 'sense' field indicates
437  * which of the jt and jf fields has been resolved and which is a pointer
438  * back to another unresolved block (or nil).  At least one of the fields
439  * in each block is already resolved.
440  */
441 static void
442 backpatch(list, target)
443 	struct block *list, *target;
444 {
445 	struct block *next;
446 
447 	while (list) {
448 		if (!list->sense) {
449 			next = JT(list);
450 			JT(list) = target;
451 		} else {
452 			next = JF(list);
453 			JF(list) = target;
454 		}
455 		list = next;
456 	}
457 }
458 
459 /*
460  * Merge the lists in b0 and b1, using the 'sense' field to indicate
461  * which of jt and jf is the link.
462  */
463 static void
464 merge(b0, b1)
465 	struct block *b0, *b1;
466 {
467 	register struct block **p = &b0;
468 
469 	/* Find end of list. */
470 	while (*p)
471 		p = !((*p)->sense) ? &JT(*p) : &JF(*p);
472 
473 	/* Concatenate the lists. */
474 	*p = b1;
475 }
476 
477 void
478 finish_parse(p)
479 	struct block *p;
480 {
481 	backpatch(p, gen_retblk(snaplen));
482 	p->sense = !p->sense;
483 	backpatch(p, gen_retblk(0));
484 	root = p->head;
485 
486 	/*
487 	 * Insert before the statements of the first (root) block any
488 	 * statements needed to load the lengths of any variable-length
489 	 * headers into registers.
490 	 *
491 	 * XXX - a fancier strategy would be to insert those before the
492 	 * statements of all blocks that use those lengths and that
493 	 * have no predecessors that use them, so that we only compute
494 	 * the lengths if we need them.  There might be even better
495 	 * approaches than that.  However, as we're currently only
496 	 * handling variable-length radiotap headers, and as all
497 	 * filtering expressions other than raw link[M:N] tests
498 	 * require the length of that header, doing more for that
499 	 * header length isn't really worth the effort.
500 	 */
501 	insert_load_llprefixlen(root);
502 }
503 
504 void
505 gen_and(b0, b1)
506 	struct block *b0, *b1;
507 {
508 	backpatch(b0, b1->head);
509 	b0->sense = !b0->sense;
510 	b1->sense = !b1->sense;
511 	merge(b1, b0);
512 	b1->sense = !b1->sense;
513 	b1->head = b0->head;
514 }
515 
516 void
517 gen_or(b0, b1)
518 	struct block *b0, *b1;
519 {
520 	b0->sense = !b0->sense;
521 	backpatch(b0, b1->head);
522 	b0->sense = !b0->sense;
523 	merge(b1, b0);
524 	b1->head = b0->head;
525 }
526 
527 void
528 gen_not(b)
529 	struct block *b;
530 {
531 	b->sense = !b->sense;
532 }
533 
534 static struct block *
535 gen_cmp(offrel, offset, size, v)
536 	enum e_offrel offrel;
537 	u_int offset, size;
538 	bpf_int32 v;
539 {
540 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
541 }
542 
543 static struct block *
544 gen_cmp_gt(offrel, offset, size, v)
545 	enum e_offrel offrel;
546 	u_int offset, size;
547 	bpf_int32 v;
548 {
549 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
550 }
551 
552 static struct block *
553 gen_cmp_ge(offrel, offset, size, v)
554 	enum e_offrel offrel;
555 	u_int offset, size;
556 	bpf_int32 v;
557 {
558 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
559 }
560 
561 static struct block *
562 gen_cmp_lt(offrel, offset, size, v)
563 	enum e_offrel offrel;
564 	u_int offset, size;
565 	bpf_int32 v;
566 {
567 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
568 }
569 
570 static struct block *
571 gen_cmp_le(offrel, offset, size, v)
572 	enum e_offrel offrel;
573 	u_int offset, size;
574 	bpf_int32 v;
575 {
576 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
577 }
578 
579 static struct block *
580 gen_mcmp(offrel, offset, size, v, mask)
581 	enum e_offrel offrel;
582 	u_int offset, size;
583 	bpf_int32 v;
584 	bpf_u_int32 mask;
585 {
586 	return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
587 }
588 
589 static struct block *
590 gen_bcmp(offrel, offset, size, v)
591 	enum e_offrel offrel;
592 	register u_int offset, size;
593 	register const u_char *v;
594 {
595 	register struct block *b, *tmp;
596 
597 	b = NULL;
598 	while (size >= 4) {
599 		register const u_char *p = &v[size - 4];
600 		bpf_int32 w = ((bpf_int32)p[0] << 24) |
601 		    ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
602 
603 		tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
604 		if (b != NULL)
605 			gen_and(b, tmp);
606 		b = tmp;
607 		size -= 4;
608 	}
609 	while (size >= 2) {
610 		register const u_char *p = &v[size - 2];
611 		bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
612 
613 		tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
614 		if (b != NULL)
615 			gen_and(b, tmp);
616 		b = tmp;
617 		size -= 2;
618 	}
619 	if (size > 0) {
620 		tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
621 		if (b != NULL)
622 			gen_and(b, tmp);
623 		b = tmp;
624 	}
625 	return b;
626 }
627 
628 /*
629  * AND the field of size "size" at offset "offset" relative to the header
630  * specified by "offrel" with "mask", and compare it with the value "v"
631  * with the test specified by "jtype"; if "reverse" is true, the test
632  * should test the opposite of "jtype".
633  */
634 static struct block *
635 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
636 	enum e_offrel offrel;
637 	bpf_int32 v;
638 	bpf_u_int32 offset, size, mask, jtype;
639 	int reverse;
640 {
641 	struct slist *s, *s2;
642 	struct block *b;
643 
644 	s = gen_load_a(offrel, offset, size);
645 
646 	if (mask != 0xffffffff) {
647 		s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
648 		s2->s.k = mask;
649 		sappend(s, s2);
650 	}
651 
652 	b = new_block(JMP(jtype));
653 	b->stmts = s;
654 	b->s.k = v;
655 	if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
656 		gen_not(b);
657 	return b;
658 }
659 
660 /*
661  * Various code constructs need to know the layout of the data link
662  * layer.  These variables give the necessary offsets from the beginning
663  * of the packet data.
664  *
665  * If the link layer has variable_length headers, the offsets are offsets
666  * from the end of the link-link-layer header, and "reg_ll_size" is
667  * the register number for a register containing the length of the
668  * link-layer header.  Otherwise, "reg_ll_size" is -1.
669  */
670 static int reg_ll_size;
671 
672 /*
673  * This is the offset of the beginning of the link-layer header.
674  * It's usually 0, except for 802.11 with a fixed-length radio header.
675  */
676 static u_int off_ll;
677 
678 /*
679  * This is the offset of the beginning of the MAC-layer header.
680  * It's usually 0, except for ATM LANE.
681  */
682 static u_int off_mac;
683 
684 /*
685  * "off_linktype" is the offset to information in the link-layer header
686  * giving the packet type.
687  *
688  * For Ethernet, it's the offset of the Ethernet type field.
689  *
690  * For link-layer types that always use 802.2 headers, it's the
691  * offset of the LLC header.
692  *
693  * For PPP, it's the offset of the PPP type field.
694  *
695  * For Cisco HDLC, it's the offset of the CHDLC type field.
696  *
697  * For BSD loopback, it's the offset of the AF_ value.
698  *
699  * For Linux cooked sockets, it's the offset of the type field.
700  *
701  * It's set to -1 for no encapsulation, in which case, IP is assumed.
702  */
703 static u_int off_linktype;
704 
705 /*
706  * TRUE if the link layer includes an ATM pseudo-header.
707  */
708 static int is_atm = 0;
709 
710 /*
711  * TRUE if "lane" appeared in the filter; it causes us to generate
712  * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
713  */
714 static int is_lane = 0;
715 
716 /*
717  * These are offsets for the ATM pseudo-header.
718  */
719 static u_int off_vpi;
720 static u_int off_vci;
721 static u_int off_proto;
722 
723 /*
724  * These are offsets for the MTP3 fields.
725  */
726 static u_int off_sio;
727 static u_int off_opc;
728 static u_int off_dpc;
729 static u_int off_sls;
730 
731 /*
732  * This is the offset of the first byte after the ATM pseudo_header,
733  * or -1 if there is no ATM pseudo-header.
734  */
735 static u_int off_payload;
736 
737 /*
738  * These are offsets to the beginning of the network-layer header.
739  *
740  * If the link layer never uses 802.2 LLC:
741  *
742  *	"off_nl" and "off_nl_nosnap" are the same.
743  *
744  * If the link layer always uses 802.2 LLC:
745  *
746  *	"off_nl" is the offset if there's a SNAP header following
747  *	the 802.2 header;
748  *
749  *	"off_nl_nosnap" is the offset if there's no SNAP header.
750  *
751  * If the link layer is Ethernet:
752  *
753  *	"off_nl" is the offset if the packet is an Ethernet II packet
754  *	(we assume no 802.3+802.2+SNAP);
755  *
756  *	"off_nl_nosnap" is the offset if the packet is an 802.3 packet
757  *	with an 802.2 header following it.
758  */
759 static u_int off_nl;
760 static u_int off_nl_nosnap;
761 
762 static int linktype;
763 
764 static void
765 init_linktype(p)
766 	pcap_t *p;
767 {
768 	linktype = pcap_datalink(p);
769 #ifdef PCAP_FDDIPAD
770 	pcap_fddipad = p->fddipad;
771 #endif
772 
773 	/*
774 	 * Assume it's not raw ATM with a pseudo-header, for now.
775 	 */
776 	off_mac = 0;
777 	is_atm = 0;
778 	is_lane = 0;
779 	off_vpi = -1;
780 	off_vci = -1;
781 	off_proto = -1;
782 	off_payload = -1;
783 
784 	/*
785 	 * And assume we're not doing SS7.
786 	 */
787 	off_sio = -1;
788 	off_opc = -1;
789 	off_dpc = -1;
790 	off_sls = -1;
791 
792 	/*
793 	 * Also assume it's not 802.11 with a fixed-length radio header.
794 	 */
795 	off_ll = 0;
796 
797 	orig_linktype = -1;
798 	orig_nl = -1;
799         label_stack_depth = 0;
800 
801 	reg_ll_size = -1;
802 
803 	switch (linktype) {
804 
805 	case DLT_ARCNET:
806 		off_linktype = 2;
807 		off_nl = 6;		/* XXX in reality, variable! */
808 		off_nl_nosnap = 6;	/* no 802.2 LLC */
809 		return;
810 
811 	case DLT_ARCNET_LINUX:
812 		off_linktype = 4;
813 		off_nl = 8;		/* XXX in reality, variable! */
814 		off_nl_nosnap = 8;	/* no 802.2 LLC */
815 		return;
816 
817 	case DLT_EN10MB:
818 		off_linktype = 12;
819 		off_nl = 14;		/* Ethernet II */
820 		off_nl_nosnap = 17;	/* 802.3+802.2 */
821 		return;
822 
823 	case DLT_SLIP:
824 		/*
825 		 * SLIP doesn't have a link level type.  The 16 byte
826 		 * header is hacked into our SLIP driver.
827 		 */
828 		off_linktype = -1;
829 		off_nl = 16;
830 		off_nl_nosnap = 16;	/* no 802.2 LLC */
831 		return;
832 
833 	case DLT_SLIP_BSDOS:
834 		/* XXX this may be the same as the DLT_PPP_BSDOS case */
835 		off_linktype = -1;
836 		/* XXX end */
837 		off_nl = 24;
838 		off_nl_nosnap = 24;	/* no 802.2 LLC */
839 		return;
840 
841 	case DLT_NULL:
842 	case DLT_LOOP:
843 		off_linktype = 0;
844 		off_nl = 4;
845 		off_nl_nosnap = 4;	/* no 802.2 LLC */
846 		return;
847 
848 	case DLT_ENC:
849 		off_linktype = 0;
850 		off_nl = 12;
851 		off_nl_nosnap = 12;	/* no 802.2 LLC */
852 		return;
853 
854 	case DLT_PPP:
855 	case DLT_PPP_PPPD:
856 	case DLT_C_HDLC:		/* BSD/OS Cisco HDLC */
857 	case DLT_PPP_SERIAL:		/* NetBSD sync/async serial PPP */
858 		off_linktype = 2;
859 		off_nl = 4;
860 		off_nl_nosnap = 4;	/* no 802.2 LLC */
861 		return;
862 
863 	case DLT_PPP_ETHER:
864 		/*
865 		 * This does no include the Ethernet header, and
866 		 * only covers session state.
867 		 */
868 		off_linktype = 6;
869 		off_nl = 8;
870 		off_nl_nosnap = 8;	/* no 802.2 LLC */
871 		return;
872 
873 	case DLT_PPP_BSDOS:
874 		off_linktype = 5;
875 		off_nl = 24;
876 		off_nl_nosnap = 24;	/* no 802.2 LLC */
877 		return;
878 
879 	case DLT_FDDI:
880 		/*
881 		 * FDDI doesn't really have a link-level type field.
882 		 * We set "off_linktype" to the offset of the LLC header.
883 		 *
884 		 * To check for Ethernet types, we assume that SSAP = SNAP
885 		 * is being used and pick out the encapsulated Ethernet type.
886 		 * XXX - should we generate code to check for SNAP?
887 		 */
888 		off_linktype = 13;
889 #ifdef PCAP_FDDIPAD
890 		off_linktype += pcap_fddipad;
891 #endif
892 		off_nl = 21;		/* FDDI+802.2+SNAP */
893 		off_nl_nosnap = 16;	/* FDDI+802.2 */
894 #ifdef PCAP_FDDIPAD
895 		off_nl += pcap_fddipad;
896 		off_nl_nosnap += pcap_fddipad;
897 #endif
898 		return;
899 
900 	case DLT_IEEE802:
901 		/*
902 		 * Token Ring doesn't really have a link-level type field.
903 		 * We set "off_linktype" to the offset of the LLC header.
904 		 *
905 		 * To check for Ethernet types, we assume that SSAP = SNAP
906 		 * is being used and pick out the encapsulated Ethernet type.
907 		 * XXX - should we generate code to check for SNAP?
908 		 *
909 		 * XXX - the header is actually variable-length.
910 		 * Some various Linux patched versions gave 38
911 		 * as "off_linktype" and 40 as "off_nl"; however,
912 		 * if a token ring packet has *no* routing
913 		 * information, i.e. is not source-routed, the correct
914 		 * values are 20 and 22, as they are in the vanilla code.
915 		 *
916 		 * A packet is source-routed iff the uppermost bit
917 		 * of the first byte of the source address, at an
918 		 * offset of 8, has the uppermost bit set.  If the
919 		 * packet is source-routed, the total number of bytes
920 		 * of routing information is 2 plus bits 0x1F00 of
921 		 * the 16-bit value at an offset of 14 (shifted right
922 		 * 8 - figure out which byte that is).
923 		 */
924 		off_linktype = 14;
925 		off_nl = 22;		/* Token Ring+802.2+SNAP */
926 		off_nl_nosnap = 17;	/* Token Ring+802.2 */
927 		return;
928 
929 	case DLT_IEEE802_11:
930 		/*
931 		 * 802.11 doesn't really have a link-level type field.
932 		 * We set "off_linktype" to the offset of the LLC header.
933 		 *
934 		 * To check for Ethernet types, we assume that SSAP = SNAP
935 		 * is being used and pick out the encapsulated Ethernet type.
936 		 * XXX - should we generate code to check for SNAP?
937 		 *
938 		 * XXX - the header is actually variable-length.  We
939 		 * assume a 24-byte link-layer header, as appears in
940 		 * data frames in networks with no bridges.  If the
941 		 * fromds and tods 802.11 header bits are both set,
942 		 * it's actually supposed to be 30 bytes.
943 		 */
944 		off_linktype = 24;
945 		off_nl = 32;		/* 802.11+802.2+SNAP */
946 		off_nl_nosnap = 27;	/* 802.11+802.2 */
947 		return;
948 
949 	case DLT_PRISM_HEADER:
950 		/*
951 		 * Same as 802.11, but with an additional header before
952 		 * the 802.11 header, containing a bunch of additional
953 		 * information including radio-level information.
954 		 *
955 		 * The header is 144 bytes long.
956 		 *
957 		 * XXX - same variable-length header problem; at least
958 		 * the Prism header is fixed-length.
959 		 */
960 		off_ll = 144;
961 		off_linktype = 144+24;
962 		off_nl = 144+32;	/* Prism+802.11+802.2+SNAP */
963 		off_nl_nosnap = 144+27;	/* Prism+802.11+802.2 */
964 		return;
965 
966 	case DLT_IEEE802_11_RADIO_AVS:
967 		/*
968 		 * Same as 802.11, but with an additional header before
969 		 * the 802.11 header, containing a bunch of additional
970 		 * information including radio-level information.
971 		 *
972 		 * The header is 64 bytes long, at least in its
973 		 * current incarnation.
974 		 *
975 		 * XXX - same variable-length header problem, only
976 		 * more so; this header is also variable-length,
977 		 * with the length being the 32-bit big-endian
978 		 * number at an offset of 4 from the beginning
979 		 * of the radio header.
980 		 */
981 		off_ll = 64;
982 		off_linktype = 64+24;
983 		off_nl = 64+32;		/* Radio+802.11+802.2+SNAP */
984 		off_nl_nosnap = 64+27;	/* Radio+802.11+802.2 */
985 		return;
986 
987 	case DLT_IEEE802_11_RADIO:
988 		/*
989 		 * Same as 802.11, but with an additional header before
990 		 * the 802.11 header, containing a bunch of additional
991 		 * information including radio-level information.
992 		 *
993 		 * The radiotap header is variable length, and we
994 		 * generate code to compute its length and store it
995 		 * in a register.  These offsets are relative to the
996 		 * beginning of the 802.11 header.
997 		 */
998 		off_linktype = 24;
999 		off_nl = 32;		/* 802.11+802.2+SNAP */
1000 		off_nl_nosnap = 27;	/* 802.11+802.2 */
1001 		return;
1002 
1003 	case DLT_ATM_RFC1483:
1004 	case DLT_ATM_CLIP:	/* Linux ATM defines this */
1005 		/*
1006 		 * assume routed, non-ISO PDUs
1007 		 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1008 		 *
1009 		 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1010 		 * or PPP with the PPP NLPID (e.g., PPPoA)?  The
1011 		 * latter would presumably be treated the way PPPoE
1012 		 * should be, so you can do "pppoe and udp port 2049"
1013 		 * or "pppoa and tcp port 80" and have it check for
1014 		 * PPPo{A,E} and a PPP protocol of IP and....
1015 		 */
1016 		off_linktype = 0;
1017 		off_nl = 8;		/* 802.2+SNAP */
1018 		off_nl_nosnap = 3;	/* 802.2 */
1019 		return;
1020 
1021 	case DLT_SUNATM:
1022 		/*
1023 		 * Full Frontal ATM; you get AALn PDUs with an ATM
1024 		 * pseudo-header.
1025 		 */
1026 		is_atm = 1;
1027 		off_vpi = SUNATM_VPI_POS;
1028 		off_vci = SUNATM_VCI_POS;
1029 		off_proto = PROTO_POS;
1030 		off_mac = -1;	/* LLC-encapsulated, so no MAC-layer header */
1031 		off_payload = SUNATM_PKT_BEGIN_POS;
1032 		off_linktype = off_payload;
1033 		off_nl = off_payload+8;		/* 802.2+SNAP */
1034 		off_nl_nosnap = off_payload+3;	/* 802.2 */
1035 		return;
1036 
1037 	case DLT_RAW:
1038 		off_linktype = -1;
1039 		off_nl = 0;
1040 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1041 		return;
1042 
1043 	case DLT_LINUX_SLL:	/* fake header for Linux cooked socket */
1044 		off_linktype = 14;
1045 		off_nl = 16;
1046 		off_nl_nosnap = 16;	/* no 802.2 LLC */
1047 		return;
1048 
1049 	case DLT_LTALK:
1050 		/*
1051 		 * LocalTalk does have a 1-byte type field in the LLAP header,
1052 		 * but really it just indicates whether there is a "short" or
1053 		 * "long" DDP packet following.
1054 		 */
1055 		off_linktype = -1;
1056 		off_nl = 0;
1057 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1058 		return;
1059 
1060 	case DLT_IP_OVER_FC:
1061 		/*
1062 		 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1063 		 * link-level type field.  We set "off_linktype" to the
1064 		 * offset of the LLC header.
1065 		 *
1066 		 * To check for Ethernet types, we assume that SSAP = SNAP
1067 		 * is being used and pick out the encapsulated Ethernet type.
1068 		 * XXX - should we generate code to check for SNAP? RFC
1069 		 * 2625 says SNAP should be used.
1070 		 */
1071 		off_linktype = 16;
1072 		off_nl = 24;		/* IPFC+802.2+SNAP */
1073 		off_nl_nosnap = 19;	/* IPFC+802.2 */
1074 		return;
1075 
1076 	case DLT_FRELAY:
1077 		/*
1078 		 * XXX - we should set this to handle SNAP-encapsulated
1079 		 * frames (NLPID of 0x80).
1080 		 */
1081 		off_linktype = -1;
1082 		off_nl = 0;
1083 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1084 		return;
1085 
1086 	case DLT_APPLE_IP_OVER_IEEE1394:
1087 		off_linktype = 16;
1088 		off_nl = 18;
1089 		off_nl_nosnap = 18;	/* no 802.2 LLC */
1090 		return;
1091 
1092 	case DLT_LINUX_IRDA:
1093 		/*
1094 		 * Currently, only raw "link[N:M]" filtering is supported.
1095 		 */
1096 		off_linktype = -1;
1097 		off_nl = -1;
1098 		off_nl_nosnap = -1;
1099 		return;
1100 
1101 	case DLT_DOCSIS:
1102 		/*
1103 		 * Currently, only raw "link[N:M]" filtering is supported.
1104 		 */
1105 		off_linktype = -1;
1106 		off_nl = -1;
1107 		off_nl_nosnap = -1;
1108 		return;
1109 
1110 	case DLT_SYMANTEC_FIREWALL:
1111 		off_linktype = 6;
1112 		off_nl = 44;		/* Ethernet II */
1113 		off_nl_nosnap = 44;	/* XXX - what does it do with 802.3 packets? */
1114 		return;
1115 
1116 	case DLT_PFLOG:
1117 		off_linktype = 0;
1118 		/* XXX read this from pf.h? */
1119 		off_nl = PFLOG_HDRLEN;
1120 		off_nl_nosnap = PFLOG_HDRLEN;	/* no 802.2 LLC */
1121 		return;
1122 
1123         case DLT_JUNIPER_MFR:
1124         case DLT_JUNIPER_MLFR:
1125         case DLT_JUNIPER_MLPPP:
1126         case DLT_JUNIPER_PPP:
1127         case DLT_JUNIPER_CHDLC:
1128         case DLT_JUNIPER_FRELAY:
1129                 off_linktype = 4;
1130 		off_nl = 4;
1131 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1132                 return;
1133 
1134 	case DLT_JUNIPER_ATM1:
1135 		off_linktype = 4; /* in reality variable between 4-8 */
1136 		off_nl = 4;
1137 		off_nl_nosnap = 14;
1138 		return;
1139 
1140 	case DLT_JUNIPER_ATM2:
1141 		off_linktype = 8; /* in reality variable between 8-12 */
1142 		off_nl = 8;
1143 		off_nl_nosnap = 18;
1144 		return;
1145 
1146 		/* frames captured on a Juniper PPPoE service PIC
1147 		 * contain raw ethernet frames */
1148 	case DLT_JUNIPER_PPPOE:
1149         case DLT_JUNIPER_ETHER:
1150 		off_linktype = 16;
1151 		off_nl = 18;		/* Ethernet II */
1152 		off_nl_nosnap = 21;	/* 802.3+802.2 */
1153 		return;
1154 
1155 	case DLT_JUNIPER_PPPOE_ATM:
1156 		off_linktype = 4;
1157 		off_nl = 6;
1158 		off_nl_nosnap = -1;	 /* no 802.2 LLC */
1159 		return;
1160 
1161 	case DLT_JUNIPER_GGSN:
1162 		off_linktype = 6;
1163 		off_nl = 12;
1164 		off_nl_nosnap = -1;	 /* no 802.2 LLC */
1165 		return;
1166 
1167 	case DLT_JUNIPER_ES:
1168 		off_linktype = 6;
1169 		off_nl = -1;		/* not really a network layer but raw IP adresses */
1170 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1171 		return;
1172 
1173 	case DLT_JUNIPER_MONITOR:
1174 		off_linktype = 12;
1175 		off_nl = 12;		/* raw IP/IP6 header */
1176 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1177 		return;
1178 
1179 	case DLT_JUNIPER_SERVICES:
1180 		off_linktype = 12;
1181 		off_nl = -1;		/* L3 proto location dep. on cookie type */
1182 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1183 		return;
1184 
1185 	case DLT_MTP2:
1186 		off_sio = 3;
1187 		off_opc = 4;
1188 		off_dpc = 4;
1189 		off_sls = 7;
1190 		off_linktype = -1;
1191 		off_nl = -1;
1192 		off_nl_nosnap = -1;
1193 		return;
1194 
1195 #ifdef DLT_PFSYNC
1196 	case DLT_PFSYNC:
1197 		off_linktype = -1;
1198 		off_nl = 4;
1199 		off_nl_nosnap = 4;
1200 		return;
1201 #endif
1202 
1203 	case DLT_LINUX_LAPD:
1204 		/*
1205 		 * Currently, only raw "link[N:M]" filtering is supported.
1206 		 */
1207 		off_linktype = -1;
1208 		off_nl = -1;
1209 		off_nl_nosnap = -1;
1210 		return;
1211 	}
1212 	bpf_error("unknown data link type %d", linktype);
1213 	/* NOTREACHED */
1214 }
1215 
1216 /*
1217  * Load a value relative to the beginning of the link-layer header.
1218  * The link-layer header doesn't necessarily begin at the beginning
1219  * of the packet data; there might be a variable-length prefix containing
1220  * radio information.
1221  */
1222 static struct slist *
1223 gen_load_llrel(offset, size)
1224 	u_int offset, size;
1225 {
1226 	struct slist *s, *s2;
1227 
1228 	s = gen_llprefixlen();
1229 
1230 	/*
1231 	 * If "s" is non-null, it has code to arrange that the X register
1232 	 * contains the length of the prefix preceding the link-layer
1233 	 * header.
1234 	 */
1235 	if (s != NULL) {
1236 		s2 = new_stmt(BPF_LD|BPF_IND|size);
1237 		s2->s.k = offset;
1238 		sappend(s, s2);
1239 	} else {
1240 		s = new_stmt(BPF_LD|BPF_ABS|size);
1241 		s->s.k = offset;
1242 	}
1243 	return s;
1244 }
1245 
1246 /*
1247  * Load a value relative to the beginning of the specified header.
1248  */
1249 static struct slist *
1250 gen_load_a(offrel, offset, size)
1251 	enum e_offrel offrel;
1252 	u_int offset, size;
1253 {
1254 	struct slist *s, *s2;
1255 
1256 	switch (offrel) {
1257 
1258 	case OR_PACKET:
1259 		s = gen_load_llrel(offset, size);
1260 		break;
1261 
1262 	case OR_LINK:
1263 		s = gen_load_llrel(off_ll + offset, size);
1264 		break;
1265 
1266 	case OR_NET:
1267 		s = gen_load_llrel(off_nl + offset, size);
1268 		break;
1269 
1270 	case OR_NET_NOSNAP:
1271 		s = gen_load_llrel(off_nl_nosnap + offset, size);
1272 		break;
1273 
1274 	case OR_TRAN_IPV4:
1275 		/*
1276 		 * Load the X register with the length of the IPv4 header,
1277 		 * in bytes.
1278 		 */
1279 		s = gen_loadx_iphdrlen();
1280 
1281 		/*
1282 		 * Load the item at {length of the link-layer header} +
1283 		 * {length of the IPv4 header} + {specified offset}.
1284 		 */
1285 		s2 = new_stmt(BPF_LD|BPF_IND|size);
1286 		s2->s.k = off_nl + offset;
1287 		sappend(s, s2);
1288 		break;
1289 
1290 	case OR_TRAN_IPV6:
1291 		s = gen_load_llrel(off_nl + 40 + offset, size);
1292 		break;
1293 
1294 	default:
1295 		abort();
1296 		return NULL;
1297 	}
1298 	return s;
1299 }
1300 
1301 /*
1302  * Generate code to load into the X register the sum of the length of
1303  * the IPv4 header and any variable-length header preceding the link-layer
1304  * header.
1305  */
1306 static struct slist *
1307 gen_loadx_iphdrlen()
1308 {
1309 	struct slist *s, *s2;
1310 
1311 	s = gen_llprefixlen();
1312 	if (s != NULL) {
1313 		/*
1314 		 * There's a variable-length prefix preceding the
1315 		 * link-layer header.  "s" points to a list of statements
1316 		 * that put the length of that prefix into the X register.
1317 		 * The 4*([k]&0xf) addressing mode can't be used, as we
1318 		 * don't have a constant offset, so we have to load the
1319 		 * value in question into the A register and add to it
1320 		 * the value from the X register.
1321 		 */
1322 		s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1323 		s2->s.k = off_nl;
1324 		sappend(s, s2);
1325 		s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1326 		s2->s.k = 0xf;
1327 		sappend(s, s2);
1328 		s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1329 		s2->s.k = 2;
1330 		sappend(s, s2);
1331 
1332 		/*
1333 		 * The A register now contains the length of the
1334 		 * IP header.  We need to add to it the length
1335 		 * of the prefix preceding the link-layer
1336 		 * header, which is still in the X register, and
1337 		 * move the result into the X register.
1338 		 */
1339 		sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1340 		sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1341 	} else {
1342 		/*
1343 		 * There is no variable-length header preceding the
1344 		 * link-layer header; if there's a fixed-length
1345 		 * header preceding it, its length is included in
1346 		 * the off_ variables, so it doesn't need to be added.
1347 		 */
1348 		s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1349 		s->s.k = off_nl;
1350 	}
1351 	return s;
1352 }
1353 
1354 static struct block *
1355 gen_uncond(rsense)
1356 	int rsense;
1357 {
1358 	struct block *b;
1359 	struct slist *s;
1360 
1361 	s = new_stmt(BPF_LD|BPF_IMM);
1362 	s->s.k = !rsense;
1363 	b = new_block(JMP(BPF_JEQ));
1364 	b->stmts = s;
1365 
1366 	return b;
1367 }
1368 
1369 static inline struct block *
1370 gen_true()
1371 {
1372 	return gen_uncond(1);
1373 }
1374 
1375 static inline struct block *
1376 gen_false()
1377 {
1378 	return gen_uncond(0);
1379 }
1380 
1381 /*
1382  * Byte-swap a 32-bit number.
1383  * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1384  * big-endian platforms.)
1385  */
1386 #define	SWAPLONG(y) \
1387 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1388 
1389 /*
1390  * Generate code to match a particular packet type.
1391  *
1392  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1393  * value, if <= ETHERMTU.  We use that to determine whether to
1394  * match the type/length field or to check the type/length field for
1395  * a value <= ETHERMTU to see whether it's a type field and then do
1396  * the appropriate test.
1397  */
1398 static struct block *
1399 gen_ether_linktype(proto)
1400 	register int proto;
1401 {
1402 	struct block *b0, *b1;
1403 
1404 	switch (proto) {
1405 
1406 	case LLCSAP_ISONS:
1407 	case LLCSAP_IP:
1408 	case LLCSAP_NETBEUI:
1409 		/*
1410 		 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1411 		 * so we check the DSAP and SSAP.
1412 		 *
1413 		 * LLCSAP_IP checks for IP-over-802.2, rather
1414 		 * than IP-over-Ethernet or IP-over-SNAP.
1415 		 *
1416 		 * XXX - should we check both the DSAP and the
1417 		 * SSAP, like this, or should we check just the
1418 		 * DSAP, as we do for other types <= ETHERMTU
1419 		 * (i.e., other SAP values)?
1420 		 */
1421 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1422 		gen_not(b0);
1423 		b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1424 			     ((proto << 8) | proto));
1425 		gen_and(b0, b1);
1426 		return b1;
1427 
1428 	case LLCSAP_IPX:
1429 		/*
1430 		 * Check for;
1431 		 *
1432 		 *	Ethernet_II frames, which are Ethernet
1433 		 *	frames with a frame type of ETHERTYPE_IPX;
1434 		 *
1435 		 *	Ethernet_802.3 frames, which are 802.3
1436 		 *	frames (i.e., the type/length field is
1437 		 *	a length field, <= ETHERMTU, rather than
1438 		 *	a type field) with the first two bytes
1439 		 *	after the Ethernet/802.3 header being
1440 		 *	0xFFFF;
1441 		 *
1442 		 *	Ethernet_802.2 frames, which are 802.3
1443 		 *	frames with an 802.2 LLC header and
1444 		 *	with the IPX LSAP as the DSAP in the LLC
1445 		 *	header;
1446 		 *
1447 		 *	Ethernet_SNAP frames, which are 802.3
1448 		 *	frames with an LLC header and a SNAP
1449 		 *	header and with an OUI of 0x000000
1450 		 *	(encapsulated Ethernet) and a protocol
1451 		 *	ID of ETHERTYPE_IPX in the SNAP header.
1452 		 *
1453 		 * XXX - should we generate the same code both
1454 		 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1455 		 */
1456 
1457 		/*
1458 		 * This generates code to check both for the
1459 		 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1460 		 */
1461 		b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1462 		    (bpf_int32)LLCSAP_IPX);
1463 		b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H,
1464 		    (bpf_int32)0xFFFF);
1465 		gen_or(b0, b1);
1466 
1467 		/*
1468 		 * Now we add code to check for SNAP frames with
1469 		 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1470 		 */
1471 		b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1472 		gen_or(b0, b1);
1473 
1474 		/*
1475 		 * Now we generate code to check for 802.3
1476 		 * frames in general.
1477 		 */
1478 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1479 		gen_not(b0);
1480 
1481 		/*
1482 		 * Now add the check for 802.3 frames before the
1483 		 * check for Ethernet_802.2 and Ethernet_802.3,
1484 		 * as those checks should only be done on 802.3
1485 		 * frames, not on Ethernet frames.
1486 		 */
1487 		gen_and(b0, b1);
1488 
1489 		/*
1490 		 * Now add the check for Ethernet_II frames, and
1491 		 * do that before checking for the other frame
1492 		 * types.
1493 		 */
1494 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1495 		    (bpf_int32)ETHERTYPE_IPX);
1496 		gen_or(b0, b1);
1497 		return b1;
1498 
1499 	case ETHERTYPE_ATALK:
1500 	case ETHERTYPE_AARP:
1501 		/*
1502 		 * EtherTalk (AppleTalk protocols on Ethernet link
1503 		 * layer) may use 802.2 encapsulation.
1504 		 */
1505 
1506 		/*
1507 		 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1508 		 * we check for an Ethernet type field less than
1509 		 * 1500, which means it's an 802.3 length field.
1510 		 */
1511 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1512 		gen_not(b0);
1513 
1514 		/*
1515 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1516 		 * SNAP packets with an organization code of
1517 		 * 0x080007 (Apple, for Appletalk) and a protocol
1518 		 * type of ETHERTYPE_ATALK (Appletalk).
1519 		 *
1520 		 * 802.2-encapsulated ETHERTYPE_AARP packets are
1521 		 * SNAP packets with an organization code of
1522 		 * 0x000000 (encapsulated Ethernet) and a protocol
1523 		 * type of ETHERTYPE_AARP (Appletalk ARP).
1524 		 */
1525 		if (proto == ETHERTYPE_ATALK)
1526 			b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1527 		else	/* proto == ETHERTYPE_AARP */
1528 			b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1529 		gen_and(b0, b1);
1530 
1531 		/*
1532 		 * Check for Ethernet encapsulation (Ethertalk
1533 		 * phase 1?); we just check for the Ethernet
1534 		 * protocol type.
1535 		 */
1536 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1537 
1538 		gen_or(b0, b1);
1539 		return b1;
1540 
1541 	default:
1542 		if (proto <= ETHERMTU) {
1543 			/*
1544 			 * This is an LLC SAP value, so the frames
1545 			 * that match would be 802.2 frames.
1546 			 * Check that the frame is an 802.2 frame
1547 			 * (i.e., that the length/type field is
1548 			 * a length field, <= ETHERMTU) and
1549 			 * then check the DSAP.
1550 			 */
1551 			b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1552 			gen_not(b0);
1553 			b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1554 			    (bpf_int32)proto);
1555 			gen_and(b0, b1);
1556 			return b1;
1557 		} else {
1558 			/*
1559 			 * This is an Ethernet type, so compare
1560 			 * the length/type field with it (if
1561 			 * the frame is an 802.2 frame, the length
1562 			 * field will be <= ETHERMTU, and, as
1563 			 * "proto" is > ETHERMTU, this test
1564 			 * will fail and the frame won't match,
1565 			 * which is what we want).
1566 			 */
1567 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
1568 			    (bpf_int32)proto);
1569 		}
1570 	}
1571 }
1572 
1573 /*
1574  * Generate code to match a particular packet type.
1575  *
1576  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1577  * value, if <= ETHERMTU.  We use that to determine whether to
1578  * match the type field or to check the type field for the special
1579  * LINUX_SLL_P_802_2 value and then do the appropriate test.
1580  */
1581 static struct block *
1582 gen_linux_sll_linktype(proto)
1583 	register int proto;
1584 {
1585 	struct block *b0, *b1;
1586 
1587 	switch (proto) {
1588 
1589 	case LLCSAP_ISONS:
1590 	case LLCSAP_IP:
1591 	case LLCSAP_NETBEUI:
1592 		/*
1593 		 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1594 		 * so we check the DSAP and SSAP.
1595 		 *
1596 		 * LLCSAP_IP checks for IP-over-802.2, rather
1597 		 * than IP-over-Ethernet or IP-over-SNAP.
1598 		 *
1599 		 * XXX - should we check both the DSAP and the
1600 		 * SSAP, like this, or should we check just the
1601 		 * DSAP, as we do for other types <= ETHERMTU
1602 		 * (i.e., other SAP values)?
1603 		 */
1604 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1605 		b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1606 			     ((proto << 8) | proto));
1607 		gen_and(b0, b1);
1608 		return b1;
1609 
1610 	case LLCSAP_IPX:
1611 		/*
1612 		 *	Ethernet_II frames, which are Ethernet
1613 		 *	frames with a frame type of ETHERTYPE_IPX;
1614 		 *
1615 		 *	Ethernet_802.3 frames, which have a frame
1616 		 *	type of LINUX_SLL_P_802_3;
1617 		 *
1618 		 *	Ethernet_802.2 frames, which are 802.3
1619 		 *	frames with an 802.2 LLC header (i.e, have
1620 		 *	a frame type of LINUX_SLL_P_802_2) and
1621 		 *	with the IPX LSAP as the DSAP in the LLC
1622 		 *	header;
1623 		 *
1624 		 *	Ethernet_SNAP frames, which are 802.3
1625 		 *	frames with an LLC header and a SNAP
1626 		 *	header and with an OUI of 0x000000
1627 		 *	(encapsulated Ethernet) and a protocol
1628 		 *	ID of ETHERTYPE_IPX in the SNAP header.
1629 		 *
1630 		 * First, do the checks on LINUX_SLL_P_802_2
1631 		 * frames; generate the check for either
1632 		 * Ethernet_802.2 or Ethernet_SNAP frames, and
1633 		 * then put a check for LINUX_SLL_P_802_2 frames
1634 		 * before it.
1635 		 */
1636 		b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1637 		    (bpf_int32)LLCSAP_IPX);
1638 		b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1639 		    off_linktype + 2);
1640 		gen_or(b0, b1);
1641 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1642 		gen_and(b0, b1);
1643 
1644 		/*
1645 		 * Now check for 802.3 frames and OR that with
1646 		 * the previous test.
1647 		 */
1648 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1649 		gen_or(b0, b1);
1650 
1651 		/*
1652 		 * Now add the check for Ethernet_II frames, and
1653 		 * do that before checking for the other frame
1654 		 * types.
1655 		 */
1656 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1657 		    (bpf_int32)ETHERTYPE_IPX);
1658 		gen_or(b0, b1);
1659 		return b1;
1660 
1661 	case ETHERTYPE_ATALK:
1662 	case ETHERTYPE_AARP:
1663 		/*
1664 		 * EtherTalk (AppleTalk protocols on Ethernet link
1665 		 * layer) may use 802.2 encapsulation.
1666 		 */
1667 
1668 		/*
1669 		 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1670 		 * we check for the 802.2 protocol type in the
1671 		 * "Ethernet type" field.
1672 		 */
1673 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1674 
1675 		/*
1676 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1677 		 * SNAP packets with an organization code of
1678 		 * 0x080007 (Apple, for Appletalk) and a protocol
1679 		 * type of ETHERTYPE_ATALK (Appletalk).
1680 		 *
1681 		 * 802.2-encapsulated ETHERTYPE_AARP packets are
1682 		 * SNAP packets with an organization code of
1683 		 * 0x000000 (encapsulated Ethernet) and a protocol
1684 		 * type of ETHERTYPE_AARP (Appletalk ARP).
1685 		 */
1686 		if (proto == ETHERTYPE_ATALK)
1687 			b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1688 			    off_linktype + 2);
1689 		else	/* proto == ETHERTYPE_AARP */
1690 			b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1691 			    off_linktype + 2);
1692 		gen_and(b0, b1);
1693 
1694 		/*
1695 		 * Check for Ethernet encapsulation (Ethertalk
1696 		 * phase 1?); we just check for the Ethernet
1697 		 * protocol type.
1698 		 */
1699 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1700 
1701 		gen_or(b0, b1);
1702 		return b1;
1703 
1704 	default:
1705 		if (proto <= ETHERMTU) {
1706 			/*
1707 			 * This is an LLC SAP value, so the frames
1708 			 * that match would be 802.2 frames.
1709 			 * Check for the 802.2 protocol type
1710 			 * in the "Ethernet type" field, and
1711 			 * then check the DSAP.
1712 			 */
1713 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1714 			    LINUX_SLL_P_802_2);
1715 			b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1716 			     (bpf_int32)proto);
1717 			gen_and(b0, b1);
1718 			return b1;
1719 		} else {
1720 			/*
1721 			 * This is an Ethernet type, so compare
1722 			 * the length/type field with it (if
1723 			 * the frame is an 802.2 frame, the length
1724 			 * field will be <= ETHERMTU, and, as
1725 			 * "proto" is > ETHERMTU, this test
1726 			 * will fail and the frame won't match,
1727 			 * which is what we want).
1728 			 */
1729 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
1730 			    (bpf_int32)proto);
1731 		}
1732 	}
1733 }
1734 
1735 static void
1736 insert_radiotap_load_llprefixlen(b)
1737 	struct block *b;
1738 {
1739 	struct slist *s1, *s2;
1740 
1741 	/*
1742 	 * Prepend to the statements in this block code to load the
1743 	 * length of the radiotap header into the register assigned
1744 	 * to hold that length, if one has been assigned.
1745 	 */
1746 	if (reg_ll_size != -1) {
1747 		/*
1748 		 * The 2 bytes at offsets of 2 and 3 from the beginning
1749 		 * of the radiotap header are the length of the radiotap
1750 		 * header; unfortunately, it's little-endian, so we have
1751 		 * to load it a byte at a time and construct the value.
1752 		 */
1753 
1754 		/*
1755 		 * Load the high-order byte, at an offset of 3, shift it
1756 		 * left a byte, and put the result in the X register.
1757 		 */
1758 		s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1759 		s1->s.k = 3;
1760 		s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1761 		sappend(s1, s2);
1762 		s2->s.k = 8;
1763 		s2 = new_stmt(BPF_MISC|BPF_TAX);
1764 		sappend(s1, s2);
1765 
1766 		/*
1767 		 * Load the next byte, at an offset of 2, and OR the
1768 		 * value from the X register into it.
1769 		 */
1770 		s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1771 		sappend(s1, s2);
1772 		s2->s.k = 2;
1773 		s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1774 		sappend(s1, s2);
1775 
1776 		/*
1777 		 * Now allocate a register to hold that value and store
1778 		 * it.
1779 		 */
1780 		s2 = new_stmt(BPF_ST);
1781 		s2->s.k = reg_ll_size;
1782 		sappend(s1, s2);
1783 
1784 		/*
1785 		 * Now move it into the X register.
1786 		 */
1787 		s2 = new_stmt(BPF_MISC|BPF_TAX);
1788 		sappend(s1, s2);
1789 
1790 		/*
1791 		 * Now append all the existing statements in this
1792 		 * block to these statements.
1793 		 */
1794 		sappend(s1, b->stmts);
1795 		b->stmts = s1;
1796 	}
1797 }
1798 
1799 
1800 static void
1801 insert_load_llprefixlen(b)
1802 	struct block *b;
1803 {
1804 	switch (linktype) {
1805 
1806 	case DLT_IEEE802_11_RADIO:
1807 		insert_radiotap_load_llprefixlen(b);
1808 	}
1809 }
1810 
1811 
1812 static struct slist *
1813 gen_radiotap_llprefixlen(void)
1814 {
1815 	struct slist *s;
1816 
1817 	if (reg_ll_size == -1) {
1818 		/*
1819 		 * We haven't yet assigned a register for the length
1820 		 * of the radiotap header; allocate one.
1821 		 */
1822 		reg_ll_size = alloc_reg();
1823 	}
1824 
1825 	/*
1826 	 * Load the register containing the radiotap length
1827 	 * into the X register.
1828 	 */
1829 	s = new_stmt(BPF_LDX|BPF_MEM);
1830 	s->s.k = reg_ll_size;
1831 	return s;
1832 }
1833 
1834 /*
1835  * Generate code to compute the link-layer header length, if necessary,
1836  * putting it into the X register, and to return either a pointer to a
1837  * "struct slist" for the list of statements in that code, or NULL if
1838  * no code is necessary.
1839  */
1840 static struct slist *
1841 gen_llprefixlen(void)
1842 {
1843 	switch (linktype) {
1844 
1845 	case DLT_IEEE802_11_RADIO:
1846 		return gen_radiotap_llprefixlen();
1847 
1848 	default:
1849 		return NULL;
1850 	}
1851 }
1852 
1853 /*
1854  * Generate code to match a particular packet type by matching the
1855  * link-layer type field or fields in the 802.2 LLC header.
1856  *
1857  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1858  * value, if <= ETHERMTU.
1859  */
1860 static struct block *
1861 gen_linktype(proto)
1862 	register int proto;
1863 {
1864 	struct block *b0, *b1, *b2;
1865 
1866 	/* are we checking MPLS-encapsulated packets? */
1867 	if (label_stack_depth > 0) {
1868 		switch (proto) {
1869 		case ETHERTYPE_IP:
1870 		case PPP_IP:
1871 		/* FIXME add other L3 proto IDs */
1872 			return gen_mpls_linktype(Q_IP);
1873 
1874 		case ETHERTYPE_IPV6:
1875 		case PPP_IPV6:
1876 		/* FIXME add other L3 proto IDs */
1877 			return gen_mpls_linktype(Q_IPV6);
1878 
1879 		default:
1880 			bpf_error("unsupported protocol over mpls");
1881 			/* NOTREACHED */
1882 		}
1883 	}
1884 
1885 	switch (linktype) {
1886 
1887 	case DLT_EN10MB:
1888 		return gen_ether_linktype(proto);
1889 		/*NOTREACHED*/
1890 		break;
1891 
1892 	case DLT_C_HDLC:
1893 		switch (proto) {
1894 
1895 		case LLCSAP_ISONS:
1896 			proto = (proto << 8 | LLCSAP_ISONS);
1897 			/* fall through */
1898 
1899 		default:
1900 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
1901 			    (bpf_int32)proto);
1902 			/*NOTREACHED*/
1903 			break;
1904 		}
1905 		break;
1906 
1907 	case DLT_FDDI:
1908 	case DLT_IEEE802:
1909 	case DLT_IEEE802_11:
1910 	case DLT_IEEE802_11_RADIO_AVS:
1911 	case DLT_IEEE802_11_RADIO:
1912 	case DLT_PRISM_HEADER:
1913 	case DLT_ATM_RFC1483:
1914 	case DLT_ATM_CLIP:
1915 	case DLT_IP_OVER_FC:
1916 		return gen_llc_linktype(proto);
1917 		/*NOTREACHED*/
1918 		break;
1919 
1920 	case DLT_SUNATM:
1921 		/*
1922 		 * If "is_lane" is set, check for a LANE-encapsulated
1923 		 * version of this protocol, otherwise check for an
1924 		 * LLC-encapsulated version of this protocol.
1925 		 *
1926 		 * We assume LANE means Ethernet, not Token Ring.
1927 		 */
1928 		if (is_lane) {
1929 			/*
1930 			 * Check that the packet doesn't begin with an
1931 			 * LE Control marker.  (We've already generated
1932 			 * a test for LANE.)
1933 			 */
1934 			b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
1935 			    0xFF00);
1936 			gen_not(b0);
1937 
1938 			/*
1939 			 * Now generate an Ethernet test.
1940 			 */
1941 			b1 = gen_ether_linktype(proto);
1942 			gen_and(b0, b1);
1943 			return b1;
1944 		} else {
1945 			/*
1946 			 * Check for LLC encapsulation and then check the
1947 			 * protocol.
1948 			 */
1949 			b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1950 			b1 = gen_llc_linktype(proto);
1951 			gen_and(b0, b1);
1952 			return b1;
1953 		}
1954 		/*NOTREACHED*/
1955 		break;
1956 
1957 	case DLT_LINUX_SLL:
1958 		return gen_linux_sll_linktype(proto);
1959 		/*NOTREACHED*/
1960 		break;
1961 
1962 	case DLT_SLIP:
1963 	case DLT_SLIP_BSDOS:
1964 	case DLT_RAW:
1965 		/*
1966 		 * These types don't provide any type field; packets
1967 		 * are always IP.
1968 		 *
1969 		 * XXX - for IPv4, check for a version number of 4, and,
1970 		 * for IPv6, check for a version number of 6?
1971 		 */
1972 		switch (proto) {
1973 
1974 		case ETHERTYPE_IP:
1975 #ifdef INET6
1976 		case ETHERTYPE_IPV6:
1977 #endif
1978 			return gen_true();		/* always true */
1979 
1980 		default:
1981 			return gen_false();		/* always false */
1982 		}
1983 		/*NOTREACHED*/
1984 		break;
1985 
1986 	case DLT_PPP:
1987 	case DLT_PPP_PPPD:
1988 	case DLT_PPP_SERIAL:
1989 	case DLT_PPP_ETHER:
1990 		/*
1991 		 * We use Ethernet protocol types inside libpcap;
1992 		 * map them to the corresponding PPP protocol types.
1993 		 */
1994 		switch (proto) {
1995 
1996 		case ETHERTYPE_IP:
1997 			proto = PPP_IP;
1998 			break;
1999 
2000 #ifdef INET6
2001 		case ETHERTYPE_IPV6:
2002 			proto = PPP_IPV6;
2003 			break;
2004 #endif
2005 
2006 		case ETHERTYPE_DN:
2007 			proto = PPP_DECNET;
2008 			break;
2009 
2010 		case ETHERTYPE_ATALK:
2011 			proto = PPP_APPLE;
2012 			break;
2013 
2014 		case ETHERTYPE_NS:
2015 			proto = PPP_NS;
2016 			break;
2017 
2018 		case LLCSAP_ISONS:
2019 			proto = PPP_OSI;
2020 			break;
2021 
2022 		case LLCSAP_8021D:
2023 			/*
2024 			 * I'm assuming the "Bridging PDU"s that go
2025 			 * over PPP are Spanning Tree Protocol
2026 			 * Bridging PDUs.
2027 			 */
2028 			proto = PPP_BRPDU;
2029 			break;
2030 
2031 		case LLCSAP_IPX:
2032 			proto = PPP_IPX;
2033 			break;
2034 		}
2035 		break;
2036 
2037 	case DLT_PPP_BSDOS:
2038 		/*
2039 		 * We use Ethernet protocol types inside libpcap;
2040 		 * map them to the corresponding PPP protocol types.
2041 		 */
2042 		switch (proto) {
2043 
2044 		case ETHERTYPE_IP:
2045 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
2046 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
2047 			gen_or(b0, b1);
2048 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
2049 			gen_or(b1, b0);
2050 			return b0;
2051 
2052 #ifdef INET6
2053 		case ETHERTYPE_IPV6:
2054 			proto = PPP_IPV6;
2055 			/* more to go? */
2056 			break;
2057 #endif
2058 
2059 		case ETHERTYPE_DN:
2060 			proto = PPP_DECNET;
2061 			break;
2062 
2063 		case ETHERTYPE_ATALK:
2064 			proto = PPP_APPLE;
2065 			break;
2066 
2067 		case ETHERTYPE_NS:
2068 			proto = PPP_NS;
2069 			break;
2070 
2071 		case LLCSAP_ISONS:
2072 			proto = PPP_OSI;
2073 			break;
2074 
2075 		case LLCSAP_8021D:
2076 			/*
2077 			 * I'm assuming the "Bridging PDU"s that go
2078 			 * over PPP are Spanning Tree Protocol
2079 			 * Bridging PDUs.
2080 			 */
2081 			proto = PPP_BRPDU;
2082 			break;
2083 
2084 		case LLCSAP_IPX:
2085 			proto = PPP_IPX;
2086 			break;
2087 		}
2088 		break;
2089 
2090 	case DLT_NULL:
2091 	case DLT_LOOP:
2092 	case DLT_ENC:
2093 		/*
2094 		 * For DLT_NULL, the link-layer header is a 32-bit
2095 		 * word containing an AF_ value in *host* byte order,
2096 		 * and for DLT_ENC, the link-layer header begins
2097 		 * with a 32-bit work containing an AF_ value in
2098 		 * host byte order.
2099 		 *
2100 		 * In addition, if we're reading a saved capture file,
2101 		 * the host byte order in the capture may not be the
2102 		 * same as the host byte order on this machine.
2103 		 *
2104 		 * For DLT_LOOP, the link-layer header is a 32-bit
2105 		 * word containing an AF_ value in *network* byte order.
2106 		 *
2107 		 * XXX - AF_ values may, unfortunately, be platform-
2108 		 * dependent; for example, FreeBSD's AF_INET6 is 24
2109 		 * whilst NetBSD's and OpenBSD's is 26.
2110 		 *
2111 		 * This means that, when reading a capture file, just
2112 		 * checking for our AF_INET6 value won't work if the
2113 		 * capture file came from another OS.
2114 		 */
2115 		switch (proto) {
2116 
2117 		case ETHERTYPE_IP:
2118 			proto = AF_INET;
2119 			break;
2120 
2121 #ifdef INET6
2122 		case ETHERTYPE_IPV6:
2123 			proto = AF_INET6;
2124 			break;
2125 #endif
2126 
2127 		default:
2128 			/*
2129 			 * Not a type on which we support filtering.
2130 			 * XXX - support those that have AF_ values
2131 			 * #defined on this platform, at least?
2132 			 */
2133 			return gen_false();
2134 		}
2135 
2136 		if (linktype == DLT_NULL || linktype == DLT_ENC) {
2137 			/*
2138 			 * The AF_ value is in host byte order, but
2139 			 * the BPF interpreter will convert it to
2140 			 * network byte order.
2141 			 *
2142 			 * If this is a save file, and it's from a
2143 			 * machine with the opposite byte order to
2144 			 * ours, we byte-swap the AF_ value.
2145 			 *
2146 			 * Then we run it through "htonl()", and
2147 			 * generate code to compare against the result.
2148 			 */
2149 			if (bpf_pcap->sf.rfile != NULL &&
2150 			    bpf_pcap->sf.swapped)
2151 				proto = SWAPLONG(proto);
2152 			proto = htonl(proto);
2153 		}
2154 		return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
2155 
2156 	case DLT_PFLOG:
2157 		/*
2158 		 * af field is host byte order in contrast to the rest of
2159 		 * the packet.
2160 		 */
2161 		if (proto == ETHERTYPE_IP)
2162 			return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2163 			    BPF_B, (bpf_int32)AF_INET));
2164 #ifdef INET6
2165 		else if (proto == ETHERTYPE_IPV6)
2166 			return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2167 			    BPF_B, (bpf_int32)AF_INET6));
2168 #endif /* INET6 */
2169 		else
2170 			return gen_false();
2171 		/*NOTREACHED*/
2172 		break;
2173 
2174 	case DLT_ARCNET:
2175 	case DLT_ARCNET_LINUX:
2176 		/*
2177 		 * XXX should we check for first fragment if the protocol
2178 		 * uses PHDS?
2179 		 */
2180 		switch (proto) {
2181 
2182 		default:
2183 			return gen_false();
2184 
2185 #ifdef INET6
2186 		case ETHERTYPE_IPV6:
2187 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2188 				(bpf_int32)ARCTYPE_INET6));
2189 #endif /* INET6 */
2190 
2191 		case ETHERTYPE_IP:
2192 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2193 				     (bpf_int32)ARCTYPE_IP);
2194 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2195 				     (bpf_int32)ARCTYPE_IP_OLD);
2196 			gen_or(b0, b1);
2197 			return (b1);
2198 
2199 		case ETHERTYPE_ARP:
2200 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2201 				     (bpf_int32)ARCTYPE_ARP);
2202 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2203 				     (bpf_int32)ARCTYPE_ARP_OLD);
2204 			gen_or(b0, b1);
2205 			return (b1);
2206 
2207 		case ETHERTYPE_REVARP:
2208 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2209 					(bpf_int32)ARCTYPE_REVARP));
2210 
2211 		case ETHERTYPE_ATALK:
2212 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2213 					(bpf_int32)ARCTYPE_ATALK));
2214 		}
2215 		/*NOTREACHED*/
2216 		break;
2217 
2218 	case DLT_LTALK:
2219 		switch (proto) {
2220 		case ETHERTYPE_ATALK:
2221 			return gen_true();
2222 		default:
2223 			return gen_false();
2224 		}
2225 		/*NOTREACHED*/
2226 		break;
2227 
2228 	case DLT_FRELAY:
2229 		/*
2230 		 * XXX - assumes a 2-byte Frame Relay header with
2231 		 * DLCI and flags.  What if the address is longer?
2232 		 */
2233 		switch (proto) {
2234 
2235 		case ETHERTYPE_IP:
2236 			/*
2237 			 * Check for the special NLPID for IP.
2238 			 */
2239 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
2240 
2241 #ifdef INET6
2242 		case ETHERTYPE_IPV6:
2243 			/*
2244 			 * Check for the special NLPID for IPv6.
2245 			 */
2246 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
2247 #endif
2248 
2249 		case LLCSAP_ISONS:
2250 			/*
2251 			 * Check for several OSI protocols.
2252 			 *
2253 			 * Frame Relay packets typically have an OSI
2254 			 * NLPID at the beginning; we check for each
2255 			 * of them.
2256 			 *
2257 			 * What we check for is the NLPID and a frame
2258 			 * control field of UI, i.e. 0x03 followed
2259 			 * by the NLPID.
2260 			 */
2261 			b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
2262 			b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
2263 			b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
2264 			gen_or(b1, b2);
2265 			gen_or(b0, b2);
2266 			return b2;
2267 
2268 		default:
2269 			return gen_false();
2270 		}
2271 		/*NOTREACHED*/
2272 		break;
2273 
2274         case DLT_JUNIPER_MFR:
2275         case DLT_JUNIPER_MLFR:
2276         case DLT_JUNIPER_MLPPP:
2277 	case DLT_JUNIPER_ATM1:
2278 	case DLT_JUNIPER_ATM2:
2279 	case DLT_JUNIPER_PPPOE:
2280 	case DLT_JUNIPER_PPPOE_ATM:
2281         case DLT_JUNIPER_GGSN:
2282         case DLT_JUNIPER_ES:
2283         case DLT_JUNIPER_MONITOR:
2284         case DLT_JUNIPER_SERVICES:
2285         case DLT_JUNIPER_ETHER:
2286         case DLT_JUNIPER_PPP:
2287         case DLT_JUNIPER_FRELAY:
2288         case DLT_JUNIPER_CHDLC:
2289 		/* just lets verify the magic number for now -
2290 		 * on ATM we may have up to 6 different encapsulations on the wire
2291 		 * and need a lot of heuristics to figure out that the payload
2292 		 * might be;
2293 		 *
2294 		 * FIXME encapsulation specific BPF_ filters
2295 		 */
2296 		return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
2297 
2298 	case DLT_LINUX_IRDA:
2299 		bpf_error("IrDA link-layer type filtering not implemented");
2300 
2301 	case DLT_DOCSIS:
2302 		bpf_error("DOCSIS link-layer type filtering not implemented");
2303 
2304 	case DLT_LINUX_LAPD:
2305 		bpf_error("LAPD link-layer type filtering not implemented");
2306 	}
2307 
2308 	/*
2309 	 * All the types that have no encapsulation should either be
2310 	 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
2311 	 * all packets are IP packets, or should be handled in some
2312 	 * special case, if none of them are (if some are and some
2313 	 * aren't, the lack of encapsulation is a problem, as we'd
2314 	 * have to find some other way of determining the packet type).
2315 	 *
2316 	 * Therefore, if "off_linktype" is -1, there's an error.
2317 	 */
2318 	if (off_linktype == (u_int)-1)
2319 		abort();
2320 
2321 	/*
2322 	 * Any type not handled above should always have an Ethernet
2323 	 * type at an offset of "off_linktype".  (PPP is partially
2324 	 * handled above - the protocol type is mapped from the
2325 	 * Ethernet and LLC types we use internally to the corresponding
2326 	 * PPP type - but the PPP type is always specified by a value
2327 	 * at "off_linktype", so we don't have to do the code generation
2328 	 * above.)
2329 	 */
2330 	return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2331 }
2332 
2333 /*
2334  * Check for an LLC SNAP packet with a given organization code and
2335  * protocol type; we check the entire contents of the 802.2 LLC and
2336  * snap headers, checking for DSAP and SSAP of SNAP and a control
2337  * field of 0x03 in the LLC header, and for the specified organization
2338  * code and protocol type in the SNAP header.
2339  */
2340 static struct block *
2341 gen_snap(orgcode, ptype, offset)
2342 	bpf_u_int32 orgcode;
2343 	bpf_u_int32 ptype;
2344 	u_int offset;
2345 {
2346 	u_char snapblock[8];
2347 
2348 	snapblock[0] = LLCSAP_SNAP;	/* DSAP = SNAP */
2349 	snapblock[1] = LLCSAP_SNAP;	/* SSAP = SNAP */
2350 	snapblock[2] = 0x03;		/* control = UI */
2351 	snapblock[3] = (orgcode >> 16);	/* upper 8 bits of organization code */
2352 	snapblock[4] = (orgcode >> 8);	/* middle 8 bits of organization code */
2353 	snapblock[5] = (orgcode >> 0);	/* lower 8 bits of organization code */
2354 	snapblock[6] = (ptype >> 8);	/* upper 8 bits of protocol type */
2355 	snapblock[7] = (ptype >> 0);	/* lower 8 bits of protocol type */
2356 	return gen_bcmp(OR_LINK, offset, 8, snapblock);
2357 }
2358 
2359 /*
2360  * Generate code to match a particular packet type, for link-layer types
2361  * using 802.2 LLC headers.
2362  *
2363  * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
2364  * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
2365  *
2366  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2367  * value, if <= ETHERMTU.  We use that to determine whether to
2368  * match the DSAP or both DSAP and LSAP or to check the OUI and
2369  * protocol ID in a SNAP header.
2370  */
2371 static struct block *
2372 gen_llc_linktype(proto)
2373 	int proto;
2374 {
2375 	/*
2376 	 * XXX - handle token-ring variable-length header.
2377 	 */
2378 	switch (proto) {
2379 
2380 	case LLCSAP_IP:
2381 	case LLCSAP_ISONS:
2382 	case LLCSAP_NETBEUI:
2383 		/*
2384 		 * XXX - should we check both the DSAP and the
2385 		 * SSAP, like this, or should we check just the
2386 		 * DSAP, as we do for other types <= ETHERMTU
2387 		 * (i.e., other SAP values)?
2388 		 */
2389 		return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32)
2390 			     ((proto << 8) | proto));
2391 
2392 	case LLCSAP_IPX:
2393 		/*
2394 		 * XXX - are there ever SNAP frames for IPX on
2395 		 * non-Ethernet 802.x networks?
2396 		 */
2397 		return gen_cmp(OR_LINK, off_linktype, BPF_B,
2398 		    (bpf_int32)LLCSAP_IPX);
2399 
2400 	case ETHERTYPE_ATALK:
2401 		/*
2402 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2403 		 * SNAP packets with an organization code of
2404 		 * 0x080007 (Apple, for Appletalk) and a protocol
2405 		 * type of ETHERTYPE_ATALK (Appletalk).
2406 		 *
2407 		 * XXX - check for an organization code of
2408 		 * encapsulated Ethernet as well?
2409 		 */
2410 		return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
2411 
2412 	default:
2413 		/*
2414 		 * XXX - we don't have to check for IPX 802.3
2415 		 * here, but should we check for the IPX Ethertype?
2416 		 */
2417 		if (proto <= ETHERMTU) {
2418 			/*
2419 			 * This is an LLC SAP value, so check
2420 			 * the DSAP.
2421 			 */
2422 			return gen_cmp(OR_LINK, off_linktype, BPF_B,
2423 			    (bpf_int32)proto);
2424 		} else {
2425 			/*
2426 			 * This is an Ethernet type; we assume that it's
2427 			 * unlikely that it'll appear in the right place
2428 			 * at random, and therefore check only the
2429 			 * location that would hold the Ethernet type
2430 			 * in a SNAP frame with an organization code of
2431 			 * 0x000000 (encapsulated Ethernet).
2432 			 *
2433 			 * XXX - if we were to check for the SNAP DSAP and
2434 			 * LSAP, as per XXX, and were also to check for an
2435 			 * organization code of 0x000000 (encapsulated
2436 			 * Ethernet), we'd do
2437 			 *
2438 			 *	return gen_snap(0x000000, proto,
2439 			 *	    off_linktype);
2440 			 *
2441 			 * here; for now, we don't, as per the above.
2442 			 * I don't know whether it's worth the extra CPU
2443 			 * time to do the right check or not.
2444 			 */
2445 			return gen_cmp(OR_LINK, off_linktype+6, BPF_H,
2446 			    (bpf_int32)proto);
2447 		}
2448 	}
2449 }
2450 
2451 static struct block *
2452 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2453 	bpf_u_int32 addr;
2454 	bpf_u_int32 mask;
2455 	int dir, proto;
2456 	u_int src_off, dst_off;
2457 {
2458 	struct block *b0, *b1;
2459 	u_int offset;
2460 
2461 	switch (dir) {
2462 
2463 	case Q_SRC:
2464 		offset = src_off;
2465 		break;
2466 
2467 	case Q_DST:
2468 		offset = dst_off;
2469 		break;
2470 
2471 	case Q_AND:
2472 		b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2473 		b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2474 		gen_and(b0, b1);
2475 		return b1;
2476 
2477 	case Q_OR:
2478 	case Q_DEFAULT:
2479 		b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2480 		b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2481 		gen_or(b0, b1);
2482 		return b1;
2483 
2484 	default:
2485 		abort();
2486 	}
2487 	b0 = gen_linktype(proto);
2488 	b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
2489 	gen_and(b0, b1);
2490 	return b1;
2491 }
2492 
2493 #ifdef INET6
2494 static struct block *
2495 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2496 	struct in6_addr *addr;
2497 	struct in6_addr *mask;
2498 	int dir, proto;
2499 	u_int src_off, dst_off;
2500 {
2501 	struct block *b0, *b1;
2502 	u_int offset;
2503 	u_int32_t *a, *m;
2504 
2505 	switch (dir) {
2506 
2507 	case Q_SRC:
2508 		offset = src_off;
2509 		break;
2510 
2511 	case Q_DST:
2512 		offset = dst_off;
2513 		break;
2514 
2515 	case Q_AND:
2516 		b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2517 		b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2518 		gen_and(b0, b1);
2519 		return b1;
2520 
2521 	case Q_OR:
2522 	case Q_DEFAULT:
2523 		b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2524 		b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2525 		gen_or(b0, b1);
2526 		return b1;
2527 
2528 	default:
2529 		abort();
2530 	}
2531 	/* this order is important */
2532 	a = (u_int32_t *)addr;
2533 	m = (u_int32_t *)mask;
2534 	b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2535 	b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2536 	gen_and(b0, b1);
2537 	b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2538 	gen_and(b0, b1);
2539 	b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2540 	gen_and(b0, b1);
2541 	b0 = gen_linktype(proto);
2542 	gen_and(b0, b1);
2543 	return b1;
2544 }
2545 #endif /*INET6*/
2546 
2547 static struct block *
2548 gen_ehostop(eaddr, dir)
2549 	register const u_char *eaddr;
2550 	register int dir;
2551 {
2552 	register struct block *b0, *b1;
2553 
2554 	switch (dir) {
2555 	case Q_SRC:
2556 		return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
2557 
2558 	case Q_DST:
2559 		return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
2560 
2561 	case Q_AND:
2562 		b0 = gen_ehostop(eaddr, Q_SRC);
2563 		b1 = gen_ehostop(eaddr, Q_DST);
2564 		gen_and(b0, b1);
2565 		return b1;
2566 
2567 	case Q_DEFAULT:
2568 	case Q_OR:
2569 		b0 = gen_ehostop(eaddr, Q_SRC);
2570 		b1 = gen_ehostop(eaddr, Q_DST);
2571 		gen_or(b0, b1);
2572 		return b1;
2573 	}
2574 	abort();
2575 	/* NOTREACHED */
2576 }
2577 
2578 /*
2579  * Like gen_ehostop, but for DLT_FDDI
2580  */
2581 static struct block *
2582 gen_fhostop(eaddr, dir)
2583 	register const u_char *eaddr;
2584 	register int dir;
2585 {
2586 	struct block *b0, *b1;
2587 
2588 	switch (dir) {
2589 	case Q_SRC:
2590 #ifdef PCAP_FDDIPAD
2591 		return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
2592 #else
2593 		return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
2594 #endif
2595 
2596 	case Q_DST:
2597 #ifdef PCAP_FDDIPAD
2598 		return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
2599 #else
2600 		return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
2601 #endif
2602 
2603 	case Q_AND:
2604 		b0 = gen_fhostop(eaddr, Q_SRC);
2605 		b1 = gen_fhostop(eaddr, Q_DST);
2606 		gen_and(b0, b1);
2607 		return b1;
2608 
2609 	case Q_DEFAULT:
2610 	case Q_OR:
2611 		b0 = gen_fhostop(eaddr, Q_SRC);
2612 		b1 = gen_fhostop(eaddr, Q_DST);
2613 		gen_or(b0, b1);
2614 		return b1;
2615 	}
2616 	abort();
2617 	/* NOTREACHED */
2618 }
2619 
2620 /*
2621  * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2622  */
2623 static struct block *
2624 gen_thostop(eaddr, dir)
2625 	register const u_char *eaddr;
2626 	register int dir;
2627 {
2628 	register struct block *b0, *b1;
2629 
2630 	switch (dir) {
2631 	case Q_SRC:
2632 		return gen_bcmp(OR_LINK, 8, 6, eaddr);
2633 
2634 	case Q_DST:
2635 		return gen_bcmp(OR_LINK, 2, 6, eaddr);
2636 
2637 	case Q_AND:
2638 		b0 = gen_thostop(eaddr, Q_SRC);
2639 		b1 = gen_thostop(eaddr, Q_DST);
2640 		gen_and(b0, b1);
2641 		return b1;
2642 
2643 	case Q_DEFAULT:
2644 	case Q_OR:
2645 		b0 = gen_thostop(eaddr, Q_SRC);
2646 		b1 = gen_thostop(eaddr, Q_DST);
2647 		gen_or(b0, b1);
2648 		return b1;
2649 	}
2650 	abort();
2651 	/* NOTREACHED */
2652 }
2653 
2654 /*
2655  * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2656  */
2657 static struct block *
2658 gen_wlanhostop(eaddr, dir)
2659 	register const u_char *eaddr;
2660 	register int dir;
2661 {
2662 	register struct block *b0, *b1, *b2;
2663 	register struct slist *s;
2664 
2665 	switch (dir) {
2666 	case Q_SRC:
2667 		/*
2668 		 * Oh, yuk.
2669 		 *
2670 		 *	For control frames, there is no SA.
2671 		 *
2672 		 *	For management frames, SA is at an
2673 		 *	offset of 10 from the beginning of
2674 		 *	the packet.
2675 		 *
2676 		 *	For data frames, SA is at an offset
2677 		 *	of 10 from the beginning of the packet
2678 		 *	if From DS is clear, at an offset of
2679 		 *	16 from the beginning of the packet
2680 		 *	if From DS is set and To DS is clear,
2681 		 *	and an offset of 24 from the beginning
2682 		 *	of the packet if From DS is set and To DS
2683 		 *	is set.
2684 		 */
2685 
2686 		/*
2687 		 * Generate the tests to be done for data frames
2688 		 * with From DS set.
2689 		 *
2690 		 * First, check for To DS set, i.e. check "link[1] & 0x01".
2691 		 */
2692 		s = gen_load_a(OR_LINK, 1, BPF_B);
2693 		b1 = new_block(JMP(BPF_JSET));
2694 		b1->s.k = 0x01;	/* To DS */
2695 		b1->stmts = s;
2696 
2697 		/*
2698 		 * If To DS is set, the SA is at 24.
2699 		 */
2700 		b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
2701 		gen_and(b1, b0);
2702 
2703 		/*
2704 		 * Now, check for To DS not set, i.e. check
2705 		 * "!(link[1] & 0x01)".
2706 		 */
2707 		s = gen_load_a(OR_LINK, 1, BPF_B);
2708 		b2 = new_block(JMP(BPF_JSET));
2709 		b2->s.k = 0x01;	/* To DS */
2710 		b2->stmts = s;
2711 		gen_not(b2);
2712 
2713 		/*
2714 		 * If To DS is not set, the SA is at 16.
2715 		 */
2716 		b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2717 		gen_and(b2, b1);
2718 
2719 		/*
2720 		 * Now OR together the last two checks.  That gives
2721 		 * the complete set of checks for data frames with
2722 		 * From DS set.
2723 		 */
2724 		gen_or(b1, b0);
2725 
2726 		/*
2727 		 * Now check for From DS being set, and AND that with
2728 		 * the ORed-together checks.
2729 		 */
2730 		s = gen_load_a(OR_LINK, 1, BPF_B);
2731 		b1 = new_block(JMP(BPF_JSET));
2732 		b1->s.k = 0x02;	/* From DS */
2733 		b1->stmts = s;
2734 		gen_and(b1, b0);
2735 
2736 		/*
2737 		 * Now check for data frames with From DS not set.
2738 		 */
2739 		s = gen_load_a(OR_LINK, 1, BPF_B);
2740 		b2 = new_block(JMP(BPF_JSET));
2741 		b2->s.k = 0x02;	/* From DS */
2742 		b2->stmts = s;
2743 		gen_not(b2);
2744 
2745 		/*
2746 		 * If From DS isn't set, the SA is at 10.
2747 		 */
2748 		b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
2749 		gen_and(b2, b1);
2750 
2751 		/*
2752 		 * Now OR together the checks for data frames with
2753 		 * From DS not set and for data frames with From DS
2754 		 * set; that gives the checks done for data frames.
2755 		 */
2756 		gen_or(b1, b0);
2757 
2758 		/*
2759 		 * Now check for a data frame.
2760 		 * I.e, check "link[0] & 0x08".
2761 		 */
2762 		gen_load_a(OR_LINK, 0, BPF_B);
2763 		b1 = new_block(JMP(BPF_JSET));
2764 		b1->s.k = 0x08;
2765 		b1->stmts = s;
2766 
2767 		/*
2768 		 * AND that with the checks done for data frames.
2769 		 */
2770 		gen_and(b1, b0);
2771 
2772 		/*
2773 		 * If the high-order bit of the type value is 0, this
2774 		 * is a management frame.
2775 		 * I.e, check "!(link[0] & 0x08)".
2776 		 */
2777 		s = gen_load_a(OR_LINK, 0, BPF_B);
2778 		b2 = new_block(JMP(BPF_JSET));
2779 		b2->s.k = 0x08;
2780 		b2->stmts = s;
2781 		gen_not(b2);
2782 
2783 		/*
2784 		 * For management frames, the SA is at 10.
2785 		 */
2786 		b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
2787 		gen_and(b2, b1);
2788 
2789 		/*
2790 		 * OR that with the checks done for data frames.
2791 		 * That gives the checks done for management and
2792 		 * data frames.
2793 		 */
2794 		gen_or(b1, b0);
2795 
2796 		/*
2797 		 * If the low-order bit of the type value is 1,
2798 		 * this is either a control frame or a frame
2799 		 * with a reserved type, and thus not a
2800 		 * frame with an SA.
2801 		 *
2802 		 * I.e., check "!(link[0] & 0x04)".
2803 		 */
2804 		s = gen_load_a(OR_LINK, 0, BPF_B);
2805 		b1 = new_block(JMP(BPF_JSET));
2806 		b1->s.k = 0x04;
2807 		b1->stmts = s;
2808 		gen_not(b1);
2809 
2810 		/*
2811 		 * AND that with the checks for data and management
2812 		 * frames.
2813 		 */
2814 		gen_and(b1, b0);
2815 		return b0;
2816 
2817 	case Q_DST:
2818 		/*
2819 		 * Oh, yuk.
2820 		 *
2821 		 *	For control frames, there is no DA.
2822 		 *
2823 		 *	For management frames, DA is at an
2824 		 *	offset of 4 from the beginning of
2825 		 *	the packet.
2826 		 *
2827 		 *	For data frames, DA is at an offset
2828 		 *	of 4 from the beginning of the packet
2829 		 *	if To DS is clear and at an offset of
2830 		 *	16 from the beginning of the packet
2831 		 *	if To DS is set.
2832 		 */
2833 
2834 		/*
2835 		 * Generate the tests to be done for data frames.
2836 		 *
2837 		 * First, check for To DS set, i.e. "link[1] & 0x01".
2838 		 */
2839 		s = gen_load_a(OR_LINK, 1, BPF_B);
2840 		b1 = new_block(JMP(BPF_JSET));
2841 		b1->s.k = 0x01;	/* To DS */
2842 		b1->stmts = s;
2843 
2844 		/*
2845 		 * If To DS is set, the DA is at 16.
2846 		 */
2847 		b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2848 		gen_and(b1, b0);
2849 
2850 		/*
2851 		 * Now, check for To DS not set, i.e. check
2852 		 * "!(link[1] & 0x01)".
2853 		 */
2854 		s = gen_load_a(OR_LINK, 1, BPF_B);
2855 		b2 = new_block(JMP(BPF_JSET));
2856 		b2->s.k = 0x01;	/* To DS */
2857 		b2->stmts = s;
2858 		gen_not(b2);
2859 
2860 		/*
2861 		 * If To DS is not set, the DA is at 4.
2862 		 */
2863 		b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
2864 		gen_and(b2, b1);
2865 
2866 		/*
2867 		 * Now OR together the last two checks.  That gives
2868 		 * the complete set of checks for data frames.
2869 		 */
2870 		gen_or(b1, b0);
2871 
2872 		/*
2873 		 * Now check for a data frame.
2874 		 * I.e, check "link[0] & 0x08".
2875 		 */
2876 		s = gen_load_a(OR_LINK, 0, BPF_B);
2877 		b1 = new_block(JMP(BPF_JSET));
2878 		b1->s.k = 0x08;
2879 		b1->stmts = s;
2880 
2881 		/*
2882 		 * AND that with the checks done for data frames.
2883 		 */
2884 		gen_and(b1, b0);
2885 
2886 		/*
2887 		 * If the high-order bit of the type value is 0, this
2888 		 * is a management frame.
2889 		 * I.e, check "!(link[0] & 0x08)".
2890 		 */
2891 		s = gen_load_a(OR_LINK, 0, BPF_B);
2892 		b2 = new_block(JMP(BPF_JSET));
2893 		b2->s.k = 0x08;
2894 		b2->stmts = s;
2895 		gen_not(b2);
2896 
2897 		/*
2898 		 * For management frames, the DA is at 4.
2899 		 */
2900 		b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
2901 		gen_and(b2, b1);
2902 
2903 		/*
2904 		 * OR that with the checks done for data frames.
2905 		 * That gives the checks done for management and
2906 		 * data frames.
2907 		 */
2908 		gen_or(b1, b0);
2909 
2910 		/*
2911 		 * If the low-order bit of the type value is 1,
2912 		 * this is either a control frame or a frame
2913 		 * with a reserved type, and thus not a
2914 		 * frame with an SA.
2915 		 *
2916 		 * I.e., check "!(link[0] & 0x04)".
2917 		 */
2918 		s = gen_load_a(OR_LINK, 0, BPF_B);
2919 		b1 = new_block(JMP(BPF_JSET));
2920 		b1->s.k = 0x04;
2921 		b1->stmts = s;
2922 		gen_not(b1);
2923 
2924 		/*
2925 		 * AND that with the checks for data and management
2926 		 * frames.
2927 		 */
2928 		gen_and(b1, b0);
2929 		return b0;
2930 
2931 	case Q_AND:
2932 		b0 = gen_wlanhostop(eaddr, Q_SRC);
2933 		b1 = gen_wlanhostop(eaddr, Q_DST);
2934 		gen_and(b0, b1);
2935 		return b1;
2936 
2937 	case Q_DEFAULT:
2938 	case Q_OR:
2939 		b0 = gen_wlanhostop(eaddr, Q_SRC);
2940 		b1 = gen_wlanhostop(eaddr, Q_DST);
2941 		gen_or(b0, b1);
2942 		return b1;
2943 	}
2944 	abort();
2945 	/* NOTREACHED */
2946 }
2947 
2948 /*
2949  * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2950  * (We assume that the addresses are IEEE 48-bit MAC addresses,
2951  * as the RFC states.)
2952  */
2953 static struct block *
2954 gen_ipfchostop(eaddr, dir)
2955 	register const u_char *eaddr;
2956 	register int dir;
2957 {
2958 	register struct block *b0, *b1;
2959 
2960 	switch (dir) {
2961 	case Q_SRC:
2962 		return gen_bcmp(OR_LINK, 10, 6, eaddr);
2963 
2964 	case Q_DST:
2965 		return gen_bcmp(OR_LINK, 2, 6, eaddr);
2966 
2967 	case Q_AND:
2968 		b0 = gen_ipfchostop(eaddr, Q_SRC);
2969 		b1 = gen_ipfchostop(eaddr, Q_DST);
2970 		gen_and(b0, b1);
2971 		return b1;
2972 
2973 	case Q_DEFAULT:
2974 	case Q_OR:
2975 		b0 = gen_ipfchostop(eaddr, Q_SRC);
2976 		b1 = gen_ipfchostop(eaddr, Q_DST);
2977 		gen_or(b0, b1);
2978 		return b1;
2979 	}
2980 	abort();
2981 	/* NOTREACHED */
2982 }
2983 
2984 /*
2985  * This is quite tricky because there may be pad bytes in front of the
2986  * DECNET header, and then there are two possible data packet formats that
2987  * carry both src and dst addresses, plus 5 packet types in a format that
2988  * carries only the src node, plus 2 types that use a different format and
2989  * also carry just the src node.
2990  *
2991  * Yuck.
2992  *
2993  * Instead of doing those all right, we just look for data packets with
2994  * 0 or 1 bytes of padding.  If you want to look at other packets, that
2995  * will require a lot more hacking.
2996  *
2997  * To add support for filtering on DECNET "areas" (network numbers)
2998  * one would want to add a "mask" argument to this routine.  That would
2999  * make the filter even more inefficient, although one could be clever
3000  * and not generate masking instructions if the mask is 0xFFFF.
3001  */
3002 static struct block *
3003 gen_dnhostop(addr, dir)
3004 	bpf_u_int32 addr;
3005 	int dir;
3006 {
3007 	struct block *b0, *b1, *b2, *tmp;
3008 	u_int offset_lh;	/* offset if long header is received */
3009 	u_int offset_sh;	/* offset if short header is received */
3010 
3011 	switch (dir) {
3012 
3013 	case Q_DST:
3014 		offset_sh = 1;	/* follows flags */
3015 		offset_lh = 7;	/* flgs,darea,dsubarea,HIORD */
3016 		break;
3017 
3018 	case Q_SRC:
3019 		offset_sh = 3;	/* follows flags, dstnode */
3020 		offset_lh = 15;	/* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
3021 		break;
3022 
3023 	case Q_AND:
3024 		/* Inefficient because we do our Calvinball dance twice */
3025 		b0 = gen_dnhostop(addr, Q_SRC);
3026 		b1 = gen_dnhostop(addr, Q_DST);
3027 		gen_and(b0, b1);
3028 		return b1;
3029 
3030 	case Q_OR:
3031 	case Q_DEFAULT:
3032 		/* Inefficient because we do our Calvinball dance twice */
3033 		b0 = gen_dnhostop(addr, Q_SRC);
3034 		b1 = gen_dnhostop(addr, Q_DST);
3035 		gen_or(b0, b1);
3036 		return b1;
3037 
3038 	case Q_ISO:
3039 		bpf_error("ISO host filtering not implemented");
3040 
3041 	default:
3042 		abort();
3043 	}
3044 	b0 = gen_linktype(ETHERTYPE_DN);
3045 	/* Check for pad = 1, long header case */
3046 	tmp = gen_mcmp(OR_NET, 2, BPF_H,
3047 	    (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
3048 	b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
3049 	    BPF_H, (bpf_int32)ntohs(addr));
3050 	gen_and(tmp, b1);
3051 	/* Check for pad = 0, long header case */
3052 	tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
3053 	b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
3054 	gen_and(tmp, b2);
3055 	gen_or(b2, b1);
3056 	/* Check for pad = 1, short header case */
3057 	tmp = gen_mcmp(OR_NET, 2, BPF_H,
3058 	    (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
3059 	b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
3060 	gen_and(tmp, b2);
3061 	gen_or(b2, b1);
3062 	/* Check for pad = 0, short header case */
3063 	tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
3064 	b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
3065 	gen_and(tmp, b2);
3066 	gen_or(b2, b1);
3067 
3068 	/* Combine with test for linktype */
3069 	gen_and(b0, b1);
3070 	return b1;
3071 }
3072 
3073 /*
3074  * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
3075  * test the bottom-of-stack bit, and then check the version number
3076  * field in the IP header.
3077  */
3078 static struct block *
3079 gen_mpls_linktype(proto)
3080 	int proto;
3081 {
3082 	struct block *b0, *b1;
3083 
3084         switch (proto) {
3085 
3086         case Q_IP:
3087                 /* match the bottom-of-stack bit */
3088                 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3089                 /* match the IPv4 version number */
3090                 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
3091                 gen_and(b0, b1);
3092                 return b1;
3093 
3094        case Q_IPV6:
3095                 /* match the bottom-of-stack bit */
3096                 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3097                 /* match the IPv4 version number */
3098                 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
3099                 gen_and(b0, b1);
3100                 return b1;
3101 
3102        default:
3103                 abort();
3104         }
3105 }
3106 
3107 static struct block *
3108 gen_host(addr, mask, proto, dir)
3109 	bpf_u_int32 addr;
3110 	bpf_u_int32 mask;
3111 	int proto;
3112 	int dir;
3113 {
3114 	struct block *b0, *b1;
3115 
3116 	switch (proto) {
3117 
3118 	case Q_DEFAULT:
3119 		b0 = gen_host(addr, mask, Q_IP, dir);
3120 		/*
3121 		 * Only check for non-IPv4 addresses if we're not
3122 		 * checking MPLS-encapsulated packets.
3123 		 */
3124 		if (label_stack_depth == 0) {
3125 			b1 = gen_host(addr, mask, Q_ARP, dir);
3126 			gen_or(b0, b1);
3127 			b0 = gen_host(addr, mask, Q_RARP, dir);
3128 			gen_or(b1, b0);
3129 		}
3130 		return b0;
3131 
3132 	case Q_IP:
3133 		return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
3134 
3135 	case Q_RARP:
3136 		return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
3137 
3138 	case Q_ARP:
3139 		return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
3140 
3141 	case Q_TCP:
3142 		bpf_error("'tcp' modifier applied to host");
3143 
3144 	case Q_SCTP:
3145 		bpf_error("'sctp' modifier applied to host");
3146 
3147 	case Q_UDP:
3148 		bpf_error("'udp' modifier applied to host");
3149 
3150 	case Q_ICMP:
3151 		bpf_error("'icmp' modifier applied to host");
3152 
3153 	case Q_IGMP:
3154 		bpf_error("'igmp' modifier applied to host");
3155 
3156 	case Q_IGRP:
3157 		bpf_error("'igrp' modifier applied to host");
3158 
3159 	case Q_PIM:
3160 		bpf_error("'pim' modifier applied to host");
3161 
3162 	case Q_VRRP:
3163 		bpf_error("'vrrp' modifier applied to host");
3164 
3165 	case Q_ATALK:
3166 		bpf_error("ATALK host filtering not implemented");
3167 
3168 	case Q_AARP:
3169 		bpf_error("AARP host filtering not implemented");
3170 
3171 	case Q_DECNET:
3172 		return gen_dnhostop(addr, dir);
3173 
3174 	case Q_SCA:
3175 		bpf_error("SCA host filtering not implemented");
3176 
3177 	case Q_LAT:
3178 		bpf_error("LAT host filtering not implemented");
3179 
3180 	case Q_MOPDL:
3181 		bpf_error("MOPDL host filtering not implemented");
3182 
3183 	case Q_MOPRC:
3184 		bpf_error("MOPRC host filtering not implemented");
3185 
3186 #ifdef INET6
3187 	case Q_IPV6:
3188 		bpf_error("'ip6' modifier applied to ip host");
3189 
3190 	case Q_ICMPV6:
3191 		bpf_error("'icmp6' modifier applied to host");
3192 #endif /* INET6 */
3193 
3194 	case Q_AH:
3195 		bpf_error("'ah' modifier applied to host");
3196 
3197 	case Q_ESP:
3198 		bpf_error("'esp' modifier applied to host");
3199 
3200 	case Q_ISO:
3201 		bpf_error("ISO host filtering not implemented");
3202 
3203 	case Q_ESIS:
3204 		bpf_error("'esis' modifier applied to host");
3205 
3206 	case Q_ISIS:
3207 		bpf_error("'isis' modifier applied to host");
3208 
3209 	case Q_CLNP:
3210 		bpf_error("'clnp' modifier applied to host");
3211 
3212 	case Q_STP:
3213 		bpf_error("'stp' modifier applied to host");
3214 
3215 	case Q_IPX:
3216 		bpf_error("IPX host filtering not implemented");
3217 
3218 	case Q_NETBEUI:
3219 		bpf_error("'netbeui' modifier applied to host");
3220 
3221 	case Q_RADIO:
3222 		bpf_error("'radio' modifier applied to host");
3223 
3224 	default:
3225 		abort();
3226 	}
3227 	/* NOTREACHED */
3228 }
3229 
3230 #ifdef INET6
3231 static struct block *
3232 gen_host6(addr, mask, proto, dir)
3233 	struct in6_addr *addr;
3234 	struct in6_addr *mask;
3235 	int proto;
3236 	int dir;
3237 {
3238 	switch (proto) {
3239 
3240 	case Q_DEFAULT:
3241 		return gen_host6(addr, mask, Q_IPV6, dir);
3242 
3243 	case Q_IP:
3244 		bpf_error("'ip' modifier applied to ip6 host");
3245 
3246 	case Q_RARP:
3247 		bpf_error("'rarp' modifier applied to ip6 host");
3248 
3249 	case Q_ARP:
3250 		bpf_error("'arp' modifier applied to ip6 host");
3251 
3252 	case Q_SCTP:
3253 		bpf_error("'sctp' modifier applied to host");
3254 
3255 	case Q_TCP:
3256 		bpf_error("'tcp' modifier applied to host");
3257 
3258 	case Q_UDP:
3259 		bpf_error("'udp' modifier applied to host");
3260 
3261 	case Q_ICMP:
3262 		bpf_error("'icmp' modifier applied to host");
3263 
3264 	case Q_IGMP:
3265 		bpf_error("'igmp' modifier applied to host");
3266 
3267 	case Q_IGRP:
3268 		bpf_error("'igrp' modifier applied to host");
3269 
3270 	case Q_PIM:
3271 		bpf_error("'pim' modifier applied to host");
3272 
3273 	case Q_VRRP:
3274 		bpf_error("'vrrp' modifier applied to host");
3275 
3276 	case Q_ATALK:
3277 		bpf_error("ATALK host filtering not implemented");
3278 
3279 	case Q_AARP:
3280 		bpf_error("AARP host filtering not implemented");
3281 
3282 	case Q_DECNET:
3283 		bpf_error("'decnet' modifier applied to ip6 host");
3284 
3285 	case Q_SCA:
3286 		bpf_error("SCA host filtering not implemented");
3287 
3288 	case Q_LAT:
3289 		bpf_error("LAT host filtering not implemented");
3290 
3291 	case Q_MOPDL:
3292 		bpf_error("MOPDL host filtering not implemented");
3293 
3294 	case Q_MOPRC:
3295 		bpf_error("MOPRC host filtering not implemented");
3296 
3297 	case Q_IPV6:
3298 		return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
3299 
3300 	case Q_ICMPV6:
3301 		bpf_error("'icmp6' modifier applied to host");
3302 
3303 	case Q_AH:
3304 		bpf_error("'ah' modifier applied to host");
3305 
3306 	case Q_ESP:
3307 		bpf_error("'esp' modifier applied to host");
3308 
3309 	case Q_ISO:
3310 		bpf_error("ISO host filtering not implemented");
3311 
3312 	case Q_ESIS:
3313 		bpf_error("'esis' modifier applied to host");
3314 
3315 	case Q_ISIS:
3316 		bpf_error("'isis' modifier applied to host");
3317 
3318 	case Q_CLNP:
3319 		bpf_error("'clnp' modifier applied to host");
3320 
3321 	case Q_STP:
3322 		bpf_error("'stp' modifier applied to host");
3323 
3324 	case Q_IPX:
3325 		bpf_error("IPX host filtering not implemented");
3326 
3327 	case Q_NETBEUI:
3328 		bpf_error("'netbeui' modifier applied to host");
3329 
3330 	case Q_RADIO:
3331 		bpf_error("'radio' modifier applied to host");
3332 
3333 	default:
3334 		abort();
3335 	}
3336 	/* NOTREACHED */
3337 }
3338 #endif /*INET6*/
3339 
3340 #ifndef INET6
3341 static struct block *
3342 gen_gateway(eaddr, alist, proto, dir)
3343 	const u_char *eaddr;
3344 	bpf_u_int32 **alist;
3345 	int proto;
3346 	int dir;
3347 {
3348 	struct block *b0, *b1, *tmp;
3349 
3350 	if (dir != 0)
3351 		bpf_error("direction applied to 'gateway'");
3352 
3353 	switch (proto) {
3354 	case Q_DEFAULT:
3355 	case Q_IP:
3356 	case Q_ARP:
3357 	case Q_RARP:
3358 		if (linktype == DLT_EN10MB)
3359 			b0 = gen_ehostop(eaddr, Q_OR);
3360 		else if (linktype == DLT_FDDI)
3361 			b0 = gen_fhostop(eaddr, Q_OR);
3362 		else if (linktype == DLT_IEEE802)
3363 			b0 = gen_thostop(eaddr, Q_OR);
3364 		else if (linktype == DLT_IEEE802_11 ||
3365 		    linktype == DLT_IEEE802_11_RADIO_AVS ||
3366 		    linktype == DLT_IEEE802_11_RADIO ||
3367 		    linktype == DLT_PRISM_HEADER)
3368 			b0 = gen_wlanhostop(eaddr, Q_OR);
3369 		else if (linktype == DLT_SUNATM && is_lane) {
3370 			/*
3371 			 * Check that the packet doesn't begin with an
3372 			 * LE Control marker.  (We've already generated
3373 			 * a test for LANE.)
3374 			 */
3375 			b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3376 			    0xFF00);
3377 			gen_not(b1);
3378 
3379 			/*
3380 			 * Now check the MAC address.
3381 			 */
3382 			b0 = gen_ehostop(eaddr, Q_OR);
3383 			gen_and(b1, b0);
3384 		} else if (linktype == DLT_IP_OVER_FC)
3385 			b0 = gen_ipfchostop(eaddr, Q_OR);
3386 		else
3387 			bpf_error(
3388 			    "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
3389 
3390 		b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
3391 		while (*alist) {
3392 			tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
3393 			gen_or(b1, tmp);
3394 			b1 = tmp;
3395 		}
3396 		gen_not(b1);
3397 		gen_and(b0, b1);
3398 		return b1;
3399 	}
3400 	bpf_error("illegal modifier of 'gateway'");
3401 	/* NOTREACHED */
3402 }
3403 #endif
3404 
3405 struct block *
3406 gen_proto_abbrev(proto)
3407 	int proto;
3408 {
3409 	struct block *b0;
3410 	struct block *b1;
3411 
3412 	switch (proto) {
3413 
3414 	case Q_SCTP:
3415 		b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
3416 #ifdef INET6
3417 		b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
3418 		gen_or(b0, b1);
3419 #endif
3420 		break;
3421 
3422 	case Q_TCP:
3423 		b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
3424 #ifdef INET6
3425 		b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
3426 		gen_or(b0, b1);
3427 #endif
3428 		break;
3429 
3430 	case Q_UDP:
3431 		b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
3432 #ifdef INET6
3433 		b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
3434 		gen_or(b0, b1);
3435 #endif
3436 		break;
3437 
3438 	case Q_ICMP:
3439 		b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
3440 		break;
3441 
3442 #ifndef	IPPROTO_IGMP
3443 #define	IPPROTO_IGMP	2
3444 #endif
3445 
3446 	case Q_IGMP:
3447 		b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
3448 		break;
3449 
3450 #ifndef	IPPROTO_IGRP
3451 #define	IPPROTO_IGRP	9
3452 #endif
3453 	case Q_IGRP:
3454 		b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
3455 		break;
3456 
3457 #ifndef IPPROTO_PIM
3458 #define IPPROTO_PIM	103
3459 #endif
3460 
3461 	case Q_PIM:
3462 		b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
3463 #ifdef INET6
3464 		b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
3465 		gen_or(b0, b1);
3466 #endif
3467 		break;
3468 
3469 #ifndef IPPROTO_VRRP
3470 #define IPPROTO_VRRP	112
3471 #endif
3472 
3473 	case Q_VRRP:
3474 		b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
3475 		break;
3476 
3477 	case Q_IP:
3478 		b1 =  gen_linktype(ETHERTYPE_IP);
3479 		break;
3480 
3481 	case Q_ARP:
3482 		b1 =  gen_linktype(ETHERTYPE_ARP);
3483 		break;
3484 
3485 	case Q_RARP:
3486 		b1 =  gen_linktype(ETHERTYPE_REVARP);
3487 		break;
3488 
3489 	case Q_LINK:
3490 		bpf_error("link layer applied in wrong context");
3491 
3492 	case Q_ATALK:
3493 		b1 =  gen_linktype(ETHERTYPE_ATALK);
3494 		break;
3495 
3496 	case Q_AARP:
3497 		b1 =  gen_linktype(ETHERTYPE_AARP);
3498 		break;
3499 
3500 	case Q_DECNET:
3501 		b1 =  gen_linktype(ETHERTYPE_DN);
3502 		break;
3503 
3504 	case Q_SCA:
3505 		b1 =  gen_linktype(ETHERTYPE_SCA);
3506 		break;
3507 
3508 	case Q_LAT:
3509 		b1 =  gen_linktype(ETHERTYPE_LAT);
3510 		break;
3511 
3512 	case Q_MOPDL:
3513 		b1 =  gen_linktype(ETHERTYPE_MOPDL);
3514 		break;
3515 
3516 	case Q_MOPRC:
3517 		b1 =  gen_linktype(ETHERTYPE_MOPRC);
3518 		break;
3519 
3520 #ifdef INET6
3521 	case Q_IPV6:
3522 		b1 = gen_linktype(ETHERTYPE_IPV6);
3523 		break;
3524 
3525 #ifndef IPPROTO_ICMPV6
3526 #define IPPROTO_ICMPV6	58
3527 #endif
3528 	case Q_ICMPV6:
3529 		b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3530 		break;
3531 #endif /* INET6 */
3532 
3533 #ifndef IPPROTO_AH
3534 #define IPPROTO_AH	51
3535 #endif
3536 	case Q_AH:
3537 		b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3538 #ifdef INET6
3539 		b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3540 		gen_or(b0, b1);
3541 #endif
3542 		break;
3543 
3544 #ifndef IPPROTO_ESP
3545 #define IPPROTO_ESP	50
3546 #endif
3547 	case Q_ESP:
3548 		b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3549 #ifdef INET6
3550 		b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3551 		gen_or(b0, b1);
3552 #endif
3553 		break;
3554 
3555 	case Q_ISO:
3556 		b1 = gen_linktype(LLCSAP_ISONS);
3557 		break;
3558 
3559 	case Q_ESIS:
3560 		b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3561 		break;
3562 
3563 	case Q_ISIS:
3564 		b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3565 		break;
3566 
3567 	case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3568 		b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3569 		b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3570 		gen_or(b0, b1);
3571 		b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3572 		gen_or(b0, b1);
3573 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3574 		gen_or(b0, b1);
3575 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3576 		gen_or(b0, b1);
3577 		break;
3578 
3579 	case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3580 		b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3581 		b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3582 		gen_or(b0, b1);
3583 		b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3584 		gen_or(b0, b1);
3585 		b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3586 		gen_or(b0, b1);
3587 		b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3588 		gen_or(b0, b1);
3589 		break;
3590 
3591 	case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3592 		b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3593 		b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3594 		gen_or(b0, b1);
3595 		b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3596 		gen_or(b0, b1);
3597 		break;
3598 
3599 	case Q_ISIS_LSP:
3600 		b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3601 		b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3602 		gen_or(b0, b1);
3603 		break;
3604 
3605 	case Q_ISIS_SNP:
3606 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3607 		b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3608 		gen_or(b0, b1);
3609 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3610 		gen_or(b0, b1);
3611 		b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3612 		gen_or(b0, b1);
3613 		break;
3614 
3615 	case Q_ISIS_CSNP:
3616 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3617 		b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3618 		gen_or(b0, b1);
3619 		break;
3620 
3621 	case Q_ISIS_PSNP:
3622 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3623 		b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3624 		gen_or(b0, b1);
3625 		break;
3626 
3627 	case Q_CLNP:
3628 		b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3629 		break;
3630 
3631 	case Q_STP:
3632 		b1 = gen_linktype(LLCSAP_8021D);
3633 		break;
3634 
3635 	case Q_IPX:
3636 		b1 = gen_linktype(LLCSAP_IPX);
3637 		break;
3638 
3639 	case Q_NETBEUI:
3640 		b1 = gen_linktype(LLCSAP_NETBEUI);
3641 		break;
3642 
3643 	case Q_RADIO:
3644 		bpf_error("'radio' is not a valid protocol type");
3645 
3646 	default:
3647 		abort();
3648 	}
3649 	return b1;
3650 }
3651 
3652 static struct block *
3653 gen_ipfrag()
3654 {
3655 	struct slist *s;
3656 	struct block *b;
3657 
3658 	/* not ip frag */
3659 	s = gen_load_a(OR_NET, 6, BPF_H);
3660 	b = new_block(JMP(BPF_JSET));
3661 	b->s.k = 0x1fff;
3662 	b->stmts = s;
3663 	gen_not(b);
3664 
3665 	return b;
3666 }
3667 
3668 /*
3669  * Generate a comparison to a port value in the transport-layer header
3670  * at the specified offset from the beginning of that header.
3671  *
3672  * XXX - this handles a variable-length prefix preceding the link-layer
3673  * header, such as the radiotap or AVS radio prefix, but doesn't handle
3674  * variable-length link-layer headers (such as Token Ring or 802.11
3675  * headers).
3676  */
3677 static struct block *
3678 gen_portatom(off, v)
3679 	int off;
3680 	bpf_int32 v;
3681 {
3682 	return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
3683 }
3684 
3685 #ifdef INET6
3686 static struct block *
3687 gen_portatom6(off, v)
3688 	int off;
3689 	bpf_int32 v;
3690 {
3691 	return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
3692 }
3693 #endif/*INET6*/
3694 
3695 struct block *
3696 gen_portop(port, proto, dir)
3697 	int port, proto, dir;
3698 {
3699 	struct block *b0, *b1, *tmp;
3700 
3701 	/* ip proto 'proto' */
3702 	tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
3703 	b0 = gen_ipfrag();
3704 	gen_and(tmp, b0);
3705 
3706 	switch (dir) {
3707 	case Q_SRC:
3708 		b1 = gen_portatom(0, (bpf_int32)port);
3709 		break;
3710 
3711 	case Q_DST:
3712 		b1 = gen_portatom(2, (bpf_int32)port);
3713 		break;
3714 
3715 	case Q_OR:
3716 	case Q_DEFAULT:
3717 		tmp = gen_portatom(0, (bpf_int32)port);
3718 		b1 = gen_portatom(2, (bpf_int32)port);
3719 		gen_or(tmp, b1);
3720 		break;
3721 
3722 	case Q_AND:
3723 		tmp = gen_portatom(0, (bpf_int32)port);
3724 		b1 = gen_portatom(2, (bpf_int32)port);
3725 		gen_and(tmp, b1);
3726 		break;
3727 
3728 	default:
3729 		abort();
3730 	}
3731 	gen_and(b0, b1);
3732 
3733 	return b1;
3734 }
3735 
3736 static struct block *
3737 gen_port(port, ip_proto, dir)
3738 	int port;
3739 	int ip_proto;
3740 	int dir;
3741 {
3742 	struct block *b0, *b1, *tmp;
3743 
3744 	/*
3745 	 * ether proto ip
3746 	 *
3747 	 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3748 	 * not LLC encapsulation with LLCSAP_IP.
3749 	 *
3750 	 * For IEEE 802 networks - which includes 802.5 token ring
3751 	 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3752 	 * says that SNAP encapsulation is used, not LLC encapsulation
3753 	 * with LLCSAP_IP.
3754 	 *
3755 	 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3756 	 * RFC 2225 say that SNAP encapsulation is used, not LLC
3757 	 * encapsulation with LLCSAP_IP.
3758 	 *
3759 	 * So we always check for ETHERTYPE_IP.
3760 	 */
3761 	b0 =  gen_linktype(ETHERTYPE_IP);
3762 
3763 	switch (ip_proto) {
3764 	case IPPROTO_UDP:
3765 	case IPPROTO_TCP:
3766 	case IPPROTO_SCTP:
3767 		b1 = gen_portop(port, ip_proto, dir);
3768 		break;
3769 
3770 	case PROTO_UNDEF:
3771 		tmp = gen_portop(port, IPPROTO_TCP, dir);
3772 		b1 = gen_portop(port, IPPROTO_UDP, dir);
3773 		gen_or(tmp, b1);
3774 		tmp = gen_portop(port, IPPROTO_SCTP, dir);
3775 		gen_or(tmp, b1);
3776 		break;
3777 
3778 	default:
3779 		abort();
3780 	}
3781 	gen_and(b0, b1);
3782 	return b1;
3783 }
3784 
3785 #ifdef INET6
3786 struct block *
3787 gen_portop6(port, proto, dir)
3788 	int port, proto, dir;
3789 {
3790 	struct block *b0, *b1, *tmp;
3791 
3792 	/* ip6 proto 'proto' */
3793 	b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
3794 
3795 	switch (dir) {
3796 	case Q_SRC:
3797 		b1 = gen_portatom6(0, (bpf_int32)port);
3798 		break;
3799 
3800 	case Q_DST:
3801 		b1 = gen_portatom6(2, (bpf_int32)port);
3802 		break;
3803 
3804 	case Q_OR:
3805 	case Q_DEFAULT:
3806 		tmp = gen_portatom6(0, (bpf_int32)port);
3807 		b1 = gen_portatom6(2, (bpf_int32)port);
3808 		gen_or(tmp, b1);
3809 		break;
3810 
3811 	case Q_AND:
3812 		tmp = gen_portatom6(0, (bpf_int32)port);
3813 		b1 = gen_portatom6(2, (bpf_int32)port);
3814 		gen_and(tmp, b1);
3815 		break;
3816 
3817 	default:
3818 		abort();
3819 	}
3820 	gen_and(b0, b1);
3821 
3822 	return b1;
3823 }
3824 
3825 static struct block *
3826 gen_port6(port, ip_proto, dir)
3827 	int port;
3828 	int ip_proto;
3829 	int dir;
3830 {
3831 	struct block *b0, *b1, *tmp;
3832 
3833 	/* link proto ip6 */
3834 	b0 =  gen_linktype(ETHERTYPE_IPV6);
3835 
3836 	switch (ip_proto) {
3837 	case IPPROTO_UDP:
3838 	case IPPROTO_TCP:
3839 	case IPPROTO_SCTP:
3840 		b1 = gen_portop6(port, ip_proto, dir);
3841 		break;
3842 
3843 	case PROTO_UNDEF:
3844 		tmp = gen_portop6(port, IPPROTO_TCP, dir);
3845 		b1 = gen_portop6(port, IPPROTO_UDP, dir);
3846 		gen_or(tmp, b1);
3847 		tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3848 		gen_or(tmp, b1);
3849 		break;
3850 
3851 	default:
3852 		abort();
3853 	}
3854 	gen_and(b0, b1);
3855 	return b1;
3856 }
3857 #endif /* INET6 */
3858 
3859 /* gen_portrange code */
3860 static struct block *
3861 gen_portrangeatom(off, v1, v2)
3862 	int off;
3863 	bpf_int32 v1, v2;
3864 {
3865 	struct block *b1, *b2;
3866 
3867 	if (v1 > v2) {
3868 		/*
3869 		 * Reverse the order of the ports, so v1 is the lower one.
3870 		 */
3871 		bpf_int32 vtemp;
3872 
3873 		vtemp = v1;
3874 		v1 = v2;
3875 		v2 = vtemp;
3876 	}
3877 
3878 	b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
3879 	b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
3880 
3881 	gen_and(b1, b2);
3882 
3883 	return b2;
3884 }
3885 
3886 struct block *
3887 gen_portrangeop(port1, port2, proto, dir)
3888 	int port1, port2;
3889 	int proto;
3890 	int dir;
3891 {
3892 	struct block *b0, *b1, *tmp;
3893 
3894 	/* ip proto 'proto' */
3895 	tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
3896 	b0 = gen_ipfrag();
3897 	gen_and(tmp, b0);
3898 
3899 	switch (dir) {
3900 	case Q_SRC:
3901 		b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3902 		break;
3903 
3904 	case Q_DST:
3905 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3906 		break;
3907 
3908 	case Q_OR:
3909 	case Q_DEFAULT:
3910 		tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3911 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3912 		gen_or(tmp, b1);
3913 		break;
3914 
3915 	case Q_AND:
3916 		tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3917 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3918 		gen_and(tmp, b1);
3919 		break;
3920 
3921 	default:
3922 		abort();
3923 	}
3924 	gen_and(b0, b1);
3925 
3926 	return b1;
3927 }
3928 
3929 static struct block *
3930 gen_portrange(port1, port2, ip_proto, dir)
3931 	int port1, port2;
3932 	int ip_proto;
3933 	int dir;
3934 {
3935 	struct block *b0, *b1, *tmp;
3936 
3937 	/* link proto ip */
3938 	b0 =  gen_linktype(ETHERTYPE_IP);
3939 
3940 	switch (ip_proto) {
3941 	case IPPROTO_UDP:
3942 	case IPPROTO_TCP:
3943 	case IPPROTO_SCTP:
3944 		b1 = gen_portrangeop(port1, port2, ip_proto, dir);
3945 		break;
3946 
3947 	case PROTO_UNDEF:
3948 		tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
3949 		b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
3950 		gen_or(tmp, b1);
3951 		tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
3952 		gen_or(tmp, b1);
3953 		break;
3954 
3955 	default:
3956 		abort();
3957 	}
3958 	gen_and(b0, b1);
3959 	return b1;
3960 }
3961 
3962 #ifdef INET6
3963 static struct block *
3964 gen_portrangeatom6(off, v1, v2)
3965 	int off;
3966 	bpf_int32 v1, v2;
3967 {
3968 	struct block *b1, *b2;
3969 
3970 	if (v1 > v2) {
3971 		/*
3972 		 * Reverse the order of the ports, so v1 is the lower one.
3973 		 */
3974 		bpf_int32 vtemp;
3975 
3976 		vtemp = v1;
3977 		v1 = v2;
3978 		v2 = vtemp;
3979 	}
3980 
3981 	b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
3982 	b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
3983 
3984 	gen_and(b1, b2);
3985 
3986 	return b2;
3987 }
3988 
3989 struct block *
3990 gen_portrangeop6(port1, port2, proto, dir)
3991 	int port1, port2;
3992 	int proto;
3993 	int dir;
3994 {
3995 	struct block *b0, *b1, *tmp;
3996 
3997 	/* ip6 proto 'proto' */
3998 	b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
3999 
4000 	switch (dir) {
4001 	case Q_SRC:
4002 		b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4003 		break;
4004 
4005 	case Q_DST:
4006 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4007 		break;
4008 
4009 	case Q_OR:
4010 	case Q_DEFAULT:
4011 		tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4012 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4013 		gen_or(tmp, b1);
4014 		break;
4015 
4016 	case Q_AND:
4017 		tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4018 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4019 		gen_and(tmp, b1);
4020 		break;
4021 
4022 	default:
4023 		abort();
4024 	}
4025 	gen_and(b0, b1);
4026 
4027 	return b1;
4028 }
4029 
4030 static struct block *
4031 gen_portrange6(port1, port2, ip_proto, dir)
4032 	int port1, port2;
4033 	int ip_proto;
4034 	int dir;
4035 {
4036 	struct block *b0, *b1, *tmp;
4037 
4038 	/* link proto ip6 */
4039 	b0 =  gen_linktype(ETHERTYPE_IPV6);
4040 
4041 	switch (ip_proto) {
4042 	case IPPROTO_UDP:
4043 	case IPPROTO_TCP:
4044 	case IPPROTO_SCTP:
4045 		b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
4046 		break;
4047 
4048 	case PROTO_UNDEF:
4049 		tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
4050 		b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
4051 		gen_or(tmp, b1);
4052 		tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
4053 		gen_or(tmp, b1);
4054 		break;
4055 
4056 	default:
4057 		abort();
4058 	}
4059 	gen_and(b0, b1);
4060 	return b1;
4061 }
4062 #endif /* INET6 */
4063 
4064 static int
4065 lookup_proto(name, proto)
4066 	register const char *name;
4067 	register int proto;
4068 {
4069 	register int v;
4070 
4071 	switch (proto) {
4072 
4073 	case Q_DEFAULT:
4074 	case Q_IP:
4075 	case Q_IPV6:
4076 		v = pcap_nametoproto(name);
4077 		if (v == PROTO_UNDEF)
4078 			bpf_error("unknown ip proto '%s'", name);
4079 		break;
4080 
4081 	case Q_LINK:
4082 		/* XXX should look up h/w protocol type based on linktype */
4083 		v = pcap_nametoeproto(name);
4084 		if (v == PROTO_UNDEF) {
4085 			v = pcap_nametollc(name);
4086 			if (v == PROTO_UNDEF)
4087 				bpf_error("unknown ether proto '%s'", name);
4088 		}
4089 		break;
4090 
4091 	case Q_ISO:
4092 		if (strcmp(name, "esis") == 0)
4093 			v = ISO9542_ESIS;
4094 		else if (strcmp(name, "isis") == 0)
4095 			v = ISO10589_ISIS;
4096 		else if (strcmp(name, "clnp") == 0)
4097 			v = ISO8473_CLNP;
4098 		else
4099 			bpf_error("unknown osi proto '%s'", name);
4100 		break;
4101 
4102 	default:
4103 		v = PROTO_UNDEF;
4104 		break;
4105 	}
4106 	return v;
4107 }
4108 
4109 #if 0
4110 struct stmt *
4111 gen_joinsp(s, n)
4112 	struct stmt **s;
4113 	int n;
4114 {
4115 	return NULL;
4116 }
4117 #endif
4118 
4119 static struct block *
4120 gen_protochain(v, proto, dir)
4121 	int v;
4122 	int proto;
4123 	int dir;
4124 {
4125 #ifdef NO_PROTOCHAIN
4126 	return gen_proto(v, proto, dir);
4127 #else
4128 	struct block *b0, *b;
4129 	struct slist *s[100];
4130 	int fix2, fix3, fix4, fix5;
4131 	int ahcheck, again, end;
4132 	int i, max;
4133 	int reg2 = alloc_reg();
4134 
4135 	memset(s, 0, sizeof(s));
4136 	fix2 = fix3 = fix4 = fix5 = 0;
4137 
4138 	switch (proto) {
4139 	case Q_IP:
4140 	case Q_IPV6:
4141 		break;
4142 	case Q_DEFAULT:
4143 		b0 = gen_protochain(v, Q_IP, dir);
4144 		b = gen_protochain(v, Q_IPV6, dir);
4145 		gen_or(b0, b);
4146 		return b;
4147 	default:
4148 		bpf_error("bad protocol applied for 'protochain'");
4149 		/*NOTREACHED*/
4150 	}
4151 
4152 	/*
4153 	 * We don't handle variable-length radiotap here headers yet.
4154 	 * We might want to add BPF instructions to do the protochain
4155 	 * work, to simplify that and, on platforms that have a BPF
4156 	 * interpreter with the new instructions, let the filtering
4157 	 * be done in the kernel.  (We already require a modified BPF
4158 	 * engine to do the protochain stuff, to support backward
4159 	 * branches, and backward branch support is unlikely to appear
4160 	 * in kernel BPF engines.)
4161 	 */
4162 	if (linktype == DLT_IEEE802_11_RADIO)
4163 		bpf_error("'protochain' not supported with radiotap headers");
4164 
4165 	no_optimize = 1; /*this code is not compatible with optimzer yet */
4166 
4167 	/*
4168 	 * s[0] is a dummy entry to protect other BPF insn from damage
4169 	 * by s[fix] = foo with uninitialized variable "fix".  It is somewhat
4170 	 * hard to find interdependency made by jump table fixup.
4171 	 */
4172 	i = 0;
4173 	s[i] = new_stmt(0);	/*dummy*/
4174 	i++;
4175 
4176 	switch (proto) {
4177 	case Q_IP:
4178 		b0 = gen_linktype(ETHERTYPE_IP);
4179 
4180 		/* A = ip->ip_p */
4181 		s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4182 		s[i]->s.k = off_nl + 9;
4183 		i++;
4184 		/* X = ip->ip_hl << 2 */
4185 		s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4186 		s[i]->s.k = off_nl;
4187 		i++;
4188 		break;
4189 #ifdef INET6
4190 	case Q_IPV6:
4191 		b0 = gen_linktype(ETHERTYPE_IPV6);
4192 
4193 		/* A = ip6->ip_nxt */
4194 		s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4195 		s[i]->s.k = off_nl + 6;
4196 		i++;
4197 		/* X = sizeof(struct ip6_hdr) */
4198 		s[i] = new_stmt(BPF_LDX|BPF_IMM);
4199 		s[i]->s.k = 40;
4200 		i++;
4201 		break;
4202 #endif
4203 	default:
4204 		bpf_error("unsupported proto to gen_protochain");
4205 		/*NOTREACHED*/
4206 	}
4207 
4208 	/* again: if (A == v) goto end; else fall through; */
4209 	again = i;
4210 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4211 	s[i]->s.k = v;
4212 	s[i]->s.jt = NULL;		/*later*/
4213 	s[i]->s.jf = NULL;		/*update in next stmt*/
4214 	fix5 = i;
4215 	i++;
4216 
4217 #ifndef IPPROTO_NONE
4218 #define IPPROTO_NONE	59
4219 #endif
4220 	/* if (A == IPPROTO_NONE) goto end */
4221 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4222 	s[i]->s.jt = NULL;	/*later*/
4223 	s[i]->s.jf = NULL;	/*update in next stmt*/
4224 	s[i]->s.k = IPPROTO_NONE;
4225 	s[fix5]->s.jf = s[i];
4226 	fix2 = i;
4227 	i++;
4228 
4229 #ifdef INET6
4230 	if (proto == Q_IPV6) {
4231 		int v6start, v6end, v6advance, j;
4232 
4233 		v6start = i;
4234 		/* if (A == IPPROTO_HOPOPTS) goto v6advance */
4235 		s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4236 		s[i]->s.jt = NULL;	/*later*/
4237 		s[i]->s.jf = NULL;	/*update in next stmt*/
4238 		s[i]->s.k = IPPROTO_HOPOPTS;
4239 		s[fix2]->s.jf = s[i];
4240 		i++;
4241 		/* if (A == IPPROTO_DSTOPTS) goto v6advance */
4242 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4243 		s[i]->s.jt = NULL;	/*later*/
4244 		s[i]->s.jf = NULL;	/*update in next stmt*/
4245 		s[i]->s.k = IPPROTO_DSTOPTS;
4246 		i++;
4247 		/* if (A == IPPROTO_ROUTING) goto v6advance */
4248 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4249 		s[i]->s.jt = NULL;	/*later*/
4250 		s[i]->s.jf = NULL;	/*update in next stmt*/
4251 		s[i]->s.k = IPPROTO_ROUTING;
4252 		i++;
4253 		/* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
4254 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4255 		s[i]->s.jt = NULL;	/*later*/
4256 		s[i]->s.jf = NULL;	/*later*/
4257 		s[i]->s.k = IPPROTO_FRAGMENT;
4258 		fix3 = i;
4259 		v6end = i;
4260 		i++;
4261 
4262 		/* v6advance: */
4263 		v6advance = i;
4264 
4265 		/*
4266 		 * in short,
4267 		 * A = P[X];
4268 		 * X = X + (P[X + 1] + 1) * 8;
4269 		 */
4270 		/* A = X */
4271 		s[i] = new_stmt(BPF_MISC|BPF_TXA);
4272 		i++;
4273 		/* A = P[X + packet head] */
4274 		s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4275 		s[i]->s.k = off_nl;
4276 		i++;
4277 		/* MEM[reg2] = A */
4278 		s[i] = new_stmt(BPF_ST);
4279 		s[i]->s.k = reg2;
4280 		i++;
4281 		/* A = X */
4282 		s[i] = new_stmt(BPF_MISC|BPF_TXA);
4283 		i++;
4284 		/* A += 1 */
4285 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4286 		s[i]->s.k = 1;
4287 		i++;
4288 		/* X = A */
4289 		s[i] = new_stmt(BPF_MISC|BPF_TAX);
4290 		i++;
4291 		/* A = P[X + packet head]; */
4292 		s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4293 		s[i]->s.k = off_nl;
4294 		i++;
4295 		/* A += 1 */
4296 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4297 		s[i]->s.k = 1;
4298 		i++;
4299 		/* A *= 8 */
4300 		s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4301 		s[i]->s.k = 8;
4302 		i++;
4303 		/* X = A; */
4304 		s[i] = new_stmt(BPF_MISC|BPF_TAX);
4305 		i++;
4306 		/* A = MEM[reg2] */
4307 		s[i] = new_stmt(BPF_LD|BPF_MEM);
4308 		s[i]->s.k = reg2;
4309 		i++;
4310 
4311 		/* goto again; (must use BPF_JA for backward jump) */
4312 		s[i] = new_stmt(BPF_JMP|BPF_JA);
4313 		s[i]->s.k = again - i - 1;
4314 		s[i - 1]->s.jf = s[i];
4315 		i++;
4316 
4317 		/* fixup */
4318 		for (j = v6start; j <= v6end; j++)
4319 			s[j]->s.jt = s[v6advance];
4320 	} else
4321 #endif
4322 	{
4323 		/* nop */
4324 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4325 		s[i]->s.k = 0;
4326 		s[fix2]->s.jf = s[i];
4327 		i++;
4328 	}
4329 
4330 	/* ahcheck: */
4331 	ahcheck = i;
4332 	/* if (A == IPPROTO_AH) then fall through; else goto end; */
4333 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4334 	s[i]->s.jt = NULL;	/*later*/
4335 	s[i]->s.jf = NULL;	/*later*/
4336 	s[i]->s.k = IPPROTO_AH;
4337 	if (fix3)
4338 		s[fix3]->s.jf = s[ahcheck];
4339 	fix4 = i;
4340 	i++;
4341 
4342 	/*
4343 	 * in short,
4344 	 * A = P[X];
4345 	 * X = X + (P[X + 1] + 2) * 4;
4346 	 */
4347 	/* A = X */
4348 	s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4349 	i++;
4350 	/* A = P[X + packet head]; */
4351 	s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4352 	s[i]->s.k = off_nl;
4353 	i++;
4354 	/* MEM[reg2] = A */
4355 	s[i] = new_stmt(BPF_ST);
4356 	s[i]->s.k = reg2;
4357 	i++;
4358 	/* A = X */
4359 	s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4360 	i++;
4361 	/* A += 1 */
4362 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4363 	s[i]->s.k = 1;
4364 	i++;
4365 	/* X = A */
4366 	s[i] = new_stmt(BPF_MISC|BPF_TAX);
4367 	i++;
4368 	/* A = P[X + packet head] */
4369 	s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4370 	s[i]->s.k = off_nl;
4371 	i++;
4372 	/* A += 2 */
4373 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4374 	s[i]->s.k = 2;
4375 	i++;
4376 	/* A *= 4 */
4377 	s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4378 	s[i]->s.k = 4;
4379 	i++;
4380 	/* X = A; */
4381 	s[i] = new_stmt(BPF_MISC|BPF_TAX);
4382 	i++;
4383 	/* A = MEM[reg2] */
4384 	s[i] = new_stmt(BPF_LD|BPF_MEM);
4385 	s[i]->s.k = reg2;
4386 	i++;
4387 
4388 	/* goto again; (must use BPF_JA for backward jump) */
4389 	s[i] = new_stmt(BPF_JMP|BPF_JA);
4390 	s[i]->s.k = again - i - 1;
4391 	i++;
4392 
4393 	/* end: nop */
4394 	end = i;
4395 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4396 	s[i]->s.k = 0;
4397 	s[fix2]->s.jt = s[end];
4398 	s[fix4]->s.jf = s[end];
4399 	s[fix5]->s.jt = s[end];
4400 	i++;
4401 
4402 	/*
4403 	 * make slist chain
4404 	 */
4405 	max = i;
4406 	for (i = 0; i < max - 1; i++)
4407 		s[i]->next = s[i + 1];
4408 	s[max - 1]->next = NULL;
4409 
4410 	/*
4411 	 * emit final check
4412 	 */
4413 	b = new_block(JMP(BPF_JEQ));
4414 	b->stmts = s[1];	/*remember, s[0] is dummy*/
4415 	b->s.k = v;
4416 
4417 	free_reg(reg2);
4418 
4419 	gen_and(b0, b);
4420 	return b;
4421 #endif
4422 }
4423 
4424 /*
4425  * Generate code that checks whether the packet is a packet for protocol
4426  * <proto> and whether the type field in that protocol's header has
4427  * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
4428  * IP packet and checks the protocol number in the IP header against <v>.
4429  *
4430  * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
4431  * against Q_IP and Q_IPV6.
4432  */
4433 static struct block *
4434 gen_proto(v, proto, dir)
4435 	int v;
4436 	int proto;
4437 	int dir;
4438 {
4439 	struct block *b0, *b1;
4440 
4441 	if (dir != Q_DEFAULT)
4442 		bpf_error("direction applied to 'proto'");
4443 
4444 	switch (proto) {
4445 	case Q_DEFAULT:
4446 #ifdef INET6
4447 		b0 = gen_proto(v, Q_IP, dir);
4448 		b1 = gen_proto(v, Q_IPV6, dir);
4449 		gen_or(b0, b1);
4450 		return b1;
4451 #else
4452 		/*FALLTHROUGH*/
4453 #endif
4454 	case Q_IP:
4455 		/*
4456 		 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4457 		 * not LLC encapsulation with LLCSAP_IP.
4458 		 *
4459 		 * For IEEE 802 networks - which includes 802.5 token ring
4460 		 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4461 		 * says that SNAP encapsulation is used, not LLC encapsulation
4462 		 * with LLCSAP_IP.
4463 		 *
4464 		 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4465 		 * RFC 2225 say that SNAP encapsulation is used, not LLC
4466 		 * encapsulation with LLCSAP_IP.
4467 		 *
4468 		 * So we always check for ETHERTYPE_IP.
4469 		 */
4470 
4471 		b0 = gen_linktype(ETHERTYPE_IP);
4472 #ifndef CHASE_CHAIN
4473 		b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
4474 #else
4475 		b1 = gen_protochain(v, Q_IP);
4476 #endif
4477 		gen_and(b0, b1);
4478 		return b1;
4479 
4480 	case Q_ISO:
4481 		switch (linktype) {
4482 
4483 		case DLT_FRELAY:
4484 			/*
4485 			 * Frame Relay packets typically have an OSI
4486 			 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
4487 			 * generates code to check for all the OSI
4488 			 * NLPIDs, so calling it and then adding a check
4489 			 * for the particular NLPID for which we're
4490 			 * looking is bogus, as we can just check for
4491 			 * the NLPID.
4492 			 *
4493 			 * What we check for is the NLPID and a frame
4494 			 * control field value of UI, i.e. 0x03 followed
4495 			 * by the NLPID.
4496 			 *
4497 			 * XXX - assumes a 2-byte Frame Relay header with
4498 			 * DLCI and flags.  What if the address is longer?
4499 			 *
4500 			 * XXX - what about SNAP-encapsulated frames?
4501 			 */
4502 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
4503 			/*NOTREACHED*/
4504 			break;
4505 
4506 		case DLT_C_HDLC:
4507 			/*
4508 			 * Cisco uses an Ethertype lookalike - for OSI,
4509 			 * it's 0xfefe.
4510 			 */
4511 			b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
4512 			/* OSI in C-HDLC is stuffed with a fudge byte */
4513 			b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
4514 			gen_and(b0, b1);
4515 			return b1;
4516 
4517 		default:
4518 			b0 = gen_linktype(LLCSAP_ISONS);
4519 			b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
4520 			gen_and(b0, b1);
4521 			return b1;
4522 		}
4523 
4524 	case Q_ISIS:
4525 		b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4526 		/*
4527 		 * 4 is the offset of the PDU type relative to the IS-IS
4528 		 * header.
4529 		 */
4530 		b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
4531 		gen_and(b0, b1);
4532 		return b1;
4533 
4534 	case Q_ARP:
4535 		bpf_error("arp does not encapsulate another protocol");
4536 		/* NOTREACHED */
4537 
4538 	case Q_RARP:
4539 		bpf_error("rarp does not encapsulate another protocol");
4540 		/* NOTREACHED */
4541 
4542 	case Q_ATALK:
4543 		bpf_error("atalk encapsulation is not specifiable");
4544 		/* NOTREACHED */
4545 
4546 	case Q_DECNET:
4547 		bpf_error("decnet encapsulation is not specifiable");
4548 		/* NOTREACHED */
4549 
4550 	case Q_SCA:
4551 		bpf_error("sca does not encapsulate another protocol");
4552 		/* NOTREACHED */
4553 
4554 	case Q_LAT:
4555 		bpf_error("lat does not encapsulate another protocol");
4556 		/* NOTREACHED */
4557 
4558 	case Q_MOPRC:
4559 		bpf_error("moprc does not encapsulate another protocol");
4560 		/* NOTREACHED */
4561 
4562 	case Q_MOPDL:
4563 		bpf_error("mopdl does not encapsulate another protocol");
4564 		/* NOTREACHED */
4565 
4566 	case Q_LINK:
4567 		return gen_linktype(v);
4568 
4569 	case Q_UDP:
4570 		bpf_error("'udp proto' is bogus");
4571 		/* NOTREACHED */
4572 
4573 	case Q_TCP:
4574 		bpf_error("'tcp proto' is bogus");
4575 		/* NOTREACHED */
4576 
4577 	case Q_SCTP:
4578 		bpf_error("'sctp proto' is bogus");
4579 		/* NOTREACHED */
4580 
4581 	case Q_ICMP:
4582 		bpf_error("'icmp proto' is bogus");
4583 		/* NOTREACHED */
4584 
4585 	case Q_IGMP:
4586 		bpf_error("'igmp proto' is bogus");
4587 		/* NOTREACHED */
4588 
4589 	case Q_IGRP:
4590 		bpf_error("'igrp proto' is bogus");
4591 		/* NOTREACHED */
4592 
4593 	case Q_PIM:
4594 		bpf_error("'pim proto' is bogus");
4595 		/* NOTREACHED */
4596 
4597 	case Q_VRRP:
4598 		bpf_error("'vrrp proto' is bogus");
4599 		/* NOTREACHED */
4600 
4601 #ifdef INET6
4602 	case Q_IPV6:
4603 		b0 = gen_linktype(ETHERTYPE_IPV6);
4604 #ifndef CHASE_CHAIN
4605 		b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
4606 #else
4607 		b1 = gen_protochain(v, Q_IPV6);
4608 #endif
4609 		gen_and(b0, b1);
4610 		return b1;
4611 
4612 	case Q_ICMPV6:
4613 		bpf_error("'icmp6 proto' is bogus");
4614 #endif /* INET6 */
4615 
4616 	case Q_AH:
4617 		bpf_error("'ah proto' is bogus");
4618 
4619 	case Q_ESP:
4620 		bpf_error("'ah proto' is bogus");
4621 
4622 	case Q_STP:
4623 		bpf_error("'stp proto' is bogus");
4624 
4625 	case Q_IPX:
4626 		bpf_error("'ipx proto' is bogus");
4627 
4628 	case Q_NETBEUI:
4629 		bpf_error("'netbeui proto' is bogus");
4630 
4631 	case Q_RADIO:
4632 		bpf_error("'radio proto' is bogus");
4633 
4634 	default:
4635 		abort();
4636 		/* NOTREACHED */
4637 	}
4638 	/* NOTREACHED */
4639 }
4640 
4641 struct block *
4642 gen_scode(name, q)
4643 	register const char *name;
4644 	struct qual q;
4645 {
4646 	int proto = q.proto;
4647 	int dir = q.dir;
4648 	int tproto;
4649 	u_char *eaddr;
4650 	bpf_u_int32 mask, addr;
4651 #ifndef INET6
4652 	bpf_u_int32 **alist;
4653 #else
4654 	int tproto6;
4655 	struct sockaddr_in *sin;
4656 	struct sockaddr_in6 *sin6;
4657 	struct addrinfo *res, *res0;
4658 	struct in6_addr mask128;
4659 #endif /*INET6*/
4660 	struct block *b, *tmp;
4661 	int port, real_proto;
4662 	int port1, port2;
4663 
4664 	switch (q.addr) {
4665 
4666 	case Q_NET:
4667 		addr = pcap_nametonetaddr(name);
4668 		if (addr == 0)
4669 			bpf_error("unknown network '%s'", name);
4670 		/* Left justify network addr and calculate its network mask */
4671 		mask = 0xffffffff;
4672 		while (addr && (addr & 0xff000000) == 0) {
4673 			addr <<= 8;
4674 			mask <<= 8;
4675 		}
4676 		return gen_host(addr, mask, proto, dir);
4677 
4678 	case Q_DEFAULT:
4679 	case Q_HOST:
4680 		if (proto == Q_LINK) {
4681 			switch (linktype) {
4682 
4683 			case DLT_EN10MB:
4684 				eaddr = pcap_ether_hostton(name);
4685 				if (eaddr == NULL)
4686 					bpf_error(
4687 					    "unknown ether host '%s'", name);
4688 				b = gen_ehostop(eaddr, dir);
4689 				free(eaddr);
4690 				return b;
4691 
4692 			case DLT_FDDI:
4693 				eaddr = pcap_ether_hostton(name);
4694 				if (eaddr == NULL)
4695 					bpf_error(
4696 					    "unknown FDDI host '%s'", name);
4697 				b = gen_fhostop(eaddr, dir);
4698 				free(eaddr);
4699 				return b;
4700 
4701 			case DLT_IEEE802:
4702 				eaddr = pcap_ether_hostton(name);
4703 				if (eaddr == NULL)
4704 					bpf_error(
4705 					    "unknown token ring host '%s'", name);
4706 				b = gen_thostop(eaddr, dir);
4707 				free(eaddr);
4708 				return b;
4709 
4710 			case DLT_IEEE802_11:
4711 			case DLT_IEEE802_11_RADIO_AVS:
4712 			case DLT_IEEE802_11_RADIO:
4713 			case DLT_PRISM_HEADER:
4714 				eaddr = pcap_ether_hostton(name);
4715 				if (eaddr == NULL)
4716 					bpf_error(
4717 					    "unknown 802.11 host '%s'", name);
4718 				b = gen_wlanhostop(eaddr, dir);
4719 				free(eaddr);
4720 				return b;
4721 
4722 			case DLT_IP_OVER_FC:
4723 				eaddr = pcap_ether_hostton(name);
4724 				if (eaddr == NULL)
4725 					bpf_error(
4726 					    "unknown Fibre Channel host '%s'", name);
4727 				b = gen_ipfchostop(eaddr, dir);
4728 				free(eaddr);
4729 				return b;
4730 
4731 			case DLT_SUNATM:
4732 				if (!is_lane)
4733 					break;
4734 
4735 				/*
4736 				 * Check that the packet doesn't begin
4737 				 * with an LE Control marker.  (We've
4738 				 * already generated a test for LANE.)
4739 				 */
4740 				tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4741 				    BPF_H, 0xFF00);
4742 				gen_not(tmp);
4743 
4744 				eaddr = pcap_ether_hostton(name);
4745 				if (eaddr == NULL)
4746 					bpf_error(
4747 					    "unknown ether host '%s'", name);
4748 				b = gen_ehostop(eaddr, dir);
4749 				gen_and(tmp, b);
4750 				free(eaddr);
4751 				return b;
4752 			}
4753 
4754 			bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
4755 		} else if (proto == Q_DECNET) {
4756 			unsigned short dn_addr = __pcap_nametodnaddr(name);
4757 			/*
4758 			 * I don't think DECNET hosts can be multihomed, so
4759 			 * there is no need to build up a list of addresses
4760 			 */
4761 			return (gen_host(dn_addr, 0, proto, dir));
4762 		} else {
4763 #ifndef INET6
4764 			alist = pcap_nametoaddr(name);
4765 			if (alist == NULL || *alist == NULL)
4766 				bpf_error("unknown host '%s'", name);
4767 			tproto = proto;
4768 			if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
4769 				tproto = Q_IP;
4770 			b = gen_host(**alist++, 0xffffffff, tproto, dir);
4771 			while (*alist) {
4772 				tmp = gen_host(**alist++, 0xffffffff,
4773 					       tproto, dir);
4774 				gen_or(b, tmp);
4775 				b = tmp;
4776 			}
4777 			return b;
4778 #else
4779 			memset(&mask128, 0xff, sizeof(mask128));
4780 			res0 = res = pcap_nametoaddrinfo(name);
4781 			if (res == NULL)
4782 				bpf_error("unknown host '%s'", name);
4783 			b = tmp = NULL;
4784 			tproto = tproto6 = proto;
4785 			if (off_linktype == -1 && tproto == Q_DEFAULT) {
4786 				tproto = Q_IP;
4787 				tproto6 = Q_IPV6;
4788 			}
4789 			for (res = res0; res; res = res->ai_next) {
4790 				switch (res->ai_family) {
4791 				case AF_INET:
4792 					if (tproto == Q_IPV6)
4793 						continue;
4794 
4795 					sin = (struct sockaddr_in *)
4796 						res->ai_addr;
4797 					tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4798 						0xffffffff, tproto, dir);
4799 					break;
4800 				case AF_INET6:
4801 					if (tproto6 == Q_IP)
4802 						continue;
4803 
4804 					sin6 = (struct sockaddr_in6 *)
4805 						res->ai_addr;
4806 					tmp = gen_host6(&sin6->sin6_addr,
4807 						&mask128, tproto6, dir);
4808 					break;
4809 				default:
4810 					continue;
4811 				}
4812 				if (b)
4813 					gen_or(b, tmp);
4814 				b = tmp;
4815 			}
4816 			freeaddrinfo(res0);
4817 			if (b == NULL) {
4818 				bpf_error("unknown host '%s'%s", name,
4819 				    (proto == Q_DEFAULT)
4820 					? ""
4821 					: " for specified address family");
4822 			}
4823 			return b;
4824 #endif /*INET6*/
4825 		}
4826 
4827 	case Q_PORT:
4828 		if (proto != Q_DEFAULT &&
4829 		    proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4830 			bpf_error("illegal qualifier of 'port'");
4831 		if (pcap_nametoport(name, &port, &real_proto) == 0)
4832 			bpf_error("unknown port '%s'", name);
4833 		if (proto == Q_UDP) {
4834 			if (real_proto == IPPROTO_TCP)
4835 				bpf_error("port '%s' is tcp", name);
4836 			else if (real_proto == IPPROTO_SCTP)
4837 				bpf_error("port '%s' is sctp", name);
4838 			else
4839 				/* override PROTO_UNDEF */
4840 				real_proto = IPPROTO_UDP;
4841 		}
4842 		if (proto == Q_TCP) {
4843 			if (real_proto == IPPROTO_UDP)
4844 				bpf_error("port '%s' is udp", name);
4845 
4846 			else if (real_proto == IPPROTO_SCTP)
4847 				bpf_error("port '%s' is sctp", name);
4848 			else
4849 				/* override PROTO_UNDEF */
4850 				real_proto = IPPROTO_TCP;
4851 		}
4852 		if (proto == Q_SCTP) {
4853 			if (real_proto == IPPROTO_UDP)
4854 				bpf_error("port '%s' is udp", name);
4855 
4856 			else if (real_proto == IPPROTO_TCP)
4857 				bpf_error("port '%s' is tcp", name);
4858 			else
4859 				/* override PROTO_UNDEF */
4860 				real_proto = IPPROTO_SCTP;
4861 		}
4862 #ifndef INET6
4863 		return gen_port(port, real_proto, dir);
4864 #else
4865 	    {
4866 		struct block *b;
4867 		b = gen_port(port, real_proto, dir);
4868 		gen_or(gen_port6(port, real_proto, dir), b);
4869 		return b;
4870 	    }
4871 #endif /* INET6 */
4872 
4873 	case Q_PORTRANGE:
4874 		if (proto != Q_DEFAULT &&
4875 		    proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4876 			bpf_error("illegal qualifier of 'portrange'");
4877 		if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
4878 			bpf_error("unknown port in range '%s'", name);
4879 		if (proto == Q_UDP) {
4880 			if (real_proto == IPPROTO_TCP)
4881 				bpf_error("port in range '%s' is tcp", name);
4882 			else if (real_proto == IPPROTO_SCTP)
4883 				bpf_error("port in range '%s' is sctp", name);
4884 			else
4885 				/* override PROTO_UNDEF */
4886 				real_proto = IPPROTO_UDP;
4887 		}
4888 		if (proto == Q_TCP) {
4889 			if (real_proto == IPPROTO_UDP)
4890 				bpf_error("port in range '%s' is udp", name);
4891 			else if (real_proto == IPPROTO_SCTP)
4892 				bpf_error("port in range '%s' is sctp", name);
4893 			else
4894 				/* override PROTO_UNDEF */
4895 				real_proto = IPPROTO_TCP;
4896 		}
4897 		if (proto == Q_SCTP) {
4898 			if (real_proto == IPPROTO_UDP)
4899 				bpf_error("port in range '%s' is udp", name);
4900 			else if (real_proto == IPPROTO_TCP)
4901 				bpf_error("port in range '%s' is tcp", name);
4902 			else
4903 				/* override PROTO_UNDEF */
4904 				real_proto = IPPROTO_SCTP;
4905 		}
4906 #ifndef INET6
4907 		return gen_portrange(port1, port2, real_proto, dir);
4908 #else
4909 	    {
4910 		struct block *b;
4911 		b = gen_portrange(port1, port2, real_proto, dir);
4912 		gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
4913 		return b;
4914 	    }
4915 #endif /* INET6 */
4916 
4917 	case Q_GATEWAY:
4918 #ifndef INET6
4919 		eaddr = pcap_ether_hostton(name);
4920 		if (eaddr == NULL)
4921 			bpf_error("unknown ether host: %s", name);
4922 
4923 		alist = pcap_nametoaddr(name);
4924 		if (alist == NULL || *alist == NULL)
4925 			bpf_error("unknown host '%s'", name);
4926 		b = gen_gateway(eaddr, alist, proto, dir);
4927 		free(eaddr);
4928 		return b;
4929 #else
4930 		bpf_error("'gateway' not supported in this configuration");
4931 #endif /*INET6*/
4932 
4933 	case Q_PROTO:
4934 		real_proto = lookup_proto(name, proto);
4935 		if (real_proto >= 0)
4936 			return gen_proto(real_proto, proto, dir);
4937 		else
4938 			bpf_error("unknown protocol: %s", name);
4939 
4940 	case Q_PROTOCHAIN:
4941 		real_proto = lookup_proto(name, proto);
4942 		if (real_proto >= 0)
4943 			return gen_protochain(real_proto, proto, dir);
4944 		else
4945 			bpf_error("unknown protocol: %s", name);
4946 
4947 
4948 	case Q_UNDEF:
4949 		syntax();
4950 		/* NOTREACHED */
4951 	}
4952 	abort();
4953 	/* NOTREACHED */
4954 }
4955 
4956 struct block *
4957 gen_mcode(s1, s2, masklen, q)
4958 	register const char *s1, *s2;
4959 	register int masklen;
4960 	struct qual q;
4961 {
4962 	register int nlen, mlen;
4963 	bpf_u_int32 n, m;
4964 
4965 	nlen = __pcap_atoin(s1, &n);
4966 	/* Promote short ipaddr */
4967 	n <<= 32 - nlen;
4968 
4969 	if (s2 != NULL) {
4970 		mlen = __pcap_atoin(s2, &m);
4971 		/* Promote short ipaddr */
4972 		m <<= 32 - mlen;
4973 		if ((n & ~m) != 0)
4974 			bpf_error("non-network bits set in \"%s mask %s\"",
4975 			    s1, s2);
4976 	} else {
4977 		/* Convert mask len to mask */
4978 		if (masklen > 32)
4979 			bpf_error("mask length must be <= 32");
4980 		m = 0xffffffff << (32 - masklen);
4981 		if ((n & ~m) != 0)
4982 			bpf_error("non-network bits set in \"%s/%d\"",
4983 			    s1, masklen);
4984 	}
4985 
4986 	switch (q.addr) {
4987 
4988 	case Q_NET:
4989 		return gen_host(n, m, q.proto, q.dir);
4990 
4991 	default:
4992 		bpf_error("Mask syntax for networks only");
4993 		/* NOTREACHED */
4994 	}
4995 	/* NOTREACHED */
4996 }
4997 
4998 struct block *
4999 gen_ncode(s, v, q)
5000 	register const char *s;
5001 	bpf_u_int32 v;
5002 	struct qual q;
5003 {
5004 	bpf_u_int32 mask;
5005 	int proto = q.proto;
5006 	int dir = q.dir;
5007 	register int vlen;
5008 
5009 	if (s == NULL)
5010 		vlen = 32;
5011 	else if (q.proto == Q_DECNET)
5012 		vlen = __pcap_atodn(s, &v);
5013 	else
5014 		vlen = __pcap_atoin(s, &v);
5015 
5016 	switch (q.addr) {
5017 
5018 	case Q_DEFAULT:
5019 	case Q_HOST:
5020 	case Q_NET:
5021 		if (proto == Q_DECNET)
5022 			return gen_host(v, 0, proto, dir);
5023 		else if (proto == Q_LINK) {
5024 			bpf_error("illegal link layer address");
5025 		} else {
5026 			mask = 0xffffffff;
5027 			if (s == NULL && q.addr == Q_NET) {
5028 				/* Promote short net number */
5029 				while (v && (v & 0xff000000) == 0) {
5030 					v <<= 8;
5031 					mask <<= 8;
5032 				}
5033 			} else {
5034 				/* Promote short ipaddr */
5035 				v <<= 32 - vlen;
5036 				mask <<= 32 - vlen;
5037 			}
5038 			return gen_host(v, mask, proto, dir);
5039 		}
5040 
5041 	case Q_PORT:
5042 		if (proto == Q_UDP)
5043 			proto = IPPROTO_UDP;
5044 		else if (proto == Q_TCP)
5045 			proto = IPPROTO_TCP;
5046 		else if (proto == Q_SCTP)
5047 			proto = IPPROTO_SCTP;
5048 		else if (proto == Q_DEFAULT)
5049 			proto = PROTO_UNDEF;
5050 		else
5051 			bpf_error("illegal qualifier of 'port'");
5052 
5053 #ifndef INET6
5054 		return gen_port((int)v, proto, dir);
5055 #else
5056 	    {
5057 		struct block *b;
5058 		b = gen_port((int)v, proto, dir);
5059 		gen_or(gen_port6((int)v, proto, dir), b);
5060 		return b;
5061 	    }
5062 #endif /* INET6 */
5063 
5064 	case Q_PORTRANGE:
5065 		if (proto == Q_UDP)
5066 			proto = IPPROTO_UDP;
5067 		else if (proto == Q_TCP)
5068 			proto = IPPROTO_TCP;
5069 		else if (proto == Q_SCTP)
5070 			proto = IPPROTO_SCTP;
5071 		else if (proto == Q_DEFAULT)
5072 			proto = PROTO_UNDEF;
5073 		else
5074 			bpf_error("illegal qualifier of 'portrange'");
5075 
5076 #ifndef INET6
5077 		return gen_portrange((int)v, (int)v, proto, dir);
5078 #else
5079 	    {
5080 		struct block *b;
5081 		b = gen_portrange((int)v, (int)v, proto, dir);
5082 		gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
5083 		return b;
5084 	    }
5085 #endif /* INET6 */
5086 
5087 	case Q_GATEWAY:
5088 		bpf_error("'gateway' requires a name");
5089 		/* NOTREACHED */
5090 
5091 	case Q_PROTO:
5092 		return gen_proto((int)v, proto, dir);
5093 
5094 	case Q_PROTOCHAIN:
5095 		return gen_protochain((int)v, proto, dir);
5096 
5097 	case Q_UNDEF:
5098 		syntax();
5099 		/* NOTREACHED */
5100 
5101 	default:
5102 		abort();
5103 		/* NOTREACHED */
5104 	}
5105 	/* NOTREACHED */
5106 }
5107 
5108 #ifdef INET6
5109 struct block *
5110 gen_mcode6(s1, s2, masklen, q)
5111 	register const char *s1, *s2;
5112 	register int masklen;
5113 	struct qual q;
5114 {
5115 	struct addrinfo *res;
5116 	struct in6_addr *addr;
5117 	struct in6_addr mask;
5118 	struct block *b;
5119 	u_int32_t *a, *m;
5120 
5121 	if (s2)
5122 		bpf_error("no mask %s supported", s2);
5123 
5124 	res = pcap_nametoaddrinfo(s1);
5125 	if (!res)
5126 		bpf_error("invalid ip6 address %s", s1);
5127 	if (res->ai_next)
5128 		bpf_error("%s resolved to multiple address", s1);
5129 	addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
5130 
5131 	if (sizeof(mask) * 8 < masklen)
5132 		bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
5133 	memset(&mask, 0, sizeof(mask));
5134 	memset(&mask, 0xff, masklen / 8);
5135 	if (masklen % 8) {
5136 		mask.s6_addr[masklen / 8] =
5137 			(0xff << (8 - masklen % 8)) & 0xff;
5138 	}
5139 
5140 	a = (u_int32_t *)addr;
5141 	m = (u_int32_t *)&mask;
5142 	if ((a[0] & ~m[0]) || (a[1] & ~m[1])
5143 	 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
5144 		bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
5145 	}
5146 
5147 	switch (q.addr) {
5148 
5149 	case Q_DEFAULT:
5150 	case Q_HOST:
5151 		if (masklen != 128)
5152 			bpf_error("Mask syntax for networks only");
5153 		/* FALLTHROUGH */
5154 
5155 	case Q_NET:
5156 		b = gen_host6(addr, &mask, q.proto, q.dir);
5157 		freeaddrinfo(res);
5158 		return b;
5159 
5160 	default:
5161 		bpf_error("invalid qualifier against IPv6 address");
5162 		/* NOTREACHED */
5163 	}
5164 }
5165 #endif /*INET6*/
5166 
5167 struct block *
5168 gen_ecode(eaddr, q)
5169 	register const u_char *eaddr;
5170 	struct qual q;
5171 {
5172 	struct block *b, *tmp;
5173 
5174 	if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5175 		if (linktype == DLT_EN10MB)
5176 			return gen_ehostop(eaddr, (int)q.dir);
5177 		if (linktype == DLT_FDDI)
5178 			return gen_fhostop(eaddr, (int)q.dir);
5179 		if (linktype == DLT_IEEE802)
5180 			return gen_thostop(eaddr, (int)q.dir);
5181 		if (linktype == DLT_IEEE802_11 ||
5182 		    linktype == DLT_IEEE802_11_RADIO_AVS ||
5183 		    linktype == DLT_IEEE802_11_RADIO ||
5184 		    linktype == DLT_PRISM_HEADER)
5185 			return gen_wlanhostop(eaddr, (int)q.dir);
5186 		if (linktype == DLT_SUNATM && is_lane) {
5187 			/*
5188 			 * Check that the packet doesn't begin with an
5189 			 * LE Control marker.  (We've already generated
5190 			 * a test for LANE.)
5191 			 */
5192 			tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5193 			    0xFF00);
5194 			gen_not(tmp);
5195 
5196 			/*
5197 			 * Now check the MAC address.
5198 			 */
5199 			b = gen_ehostop(eaddr, (int)q.dir);
5200 			gen_and(tmp, b);
5201 			return b;
5202 		}
5203 		if (linktype == DLT_IP_OVER_FC)
5204 			return gen_ipfchostop(eaddr, (int)q.dir);
5205 		bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5206 	}
5207 	bpf_error("ethernet address used in non-ether expression");
5208 	/* NOTREACHED */
5209 }
5210 
5211 void
5212 sappend(s0, s1)
5213 	struct slist *s0, *s1;
5214 {
5215 	/*
5216 	 * This is definitely not the best way to do this, but the
5217 	 * lists will rarely get long.
5218 	 */
5219 	while (s0->next)
5220 		s0 = s0->next;
5221 	s0->next = s1;
5222 }
5223 
5224 static struct slist *
5225 xfer_to_x(a)
5226 	struct arth *a;
5227 {
5228 	struct slist *s;
5229 
5230 	s = new_stmt(BPF_LDX|BPF_MEM);
5231 	s->s.k = a->regno;
5232 	return s;
5233 }
5234 
5235 static struct slist *
5236 xfer_to_a(a)
5237 	struct arth *a;
5238 {
5239 	struct slist *s;
5240 
5241 	s = new_stmt(BPF_LD|BPF_MEM);
5242 	s->s.k = a->regno;
5243 	return s;
5244 }
5245 
5246 /*
5247  * Modify "index" to use the value stored into its register as an
5248  * offset relative to the beginning of the header for the protocol
5249  * "proto", and allocate a register and put an item "size" bytes long
5250  * (1, 2, or 4) at that offset into that register, making it the register
5251  * for "index".
5252  */
5253 struct arth *
5254 gen_load(proto, index, size)
5255 	int proto;
5256 	struct arth *index;
5257 	int size;
5258 {
5259 	struct slist *s, *tmp;
5260 	struct block *b;
5261 	int regno = alloc_reg();
5262 
5263 	free_reg(index->regno);
5264 	switch (size) {
5265 
5266 	default:
5267 		bpf_error("data size must be 1, 2, or 4");
5268 
5269 	case 1:
5270 		size = BPF_B;
5271 		break;
5272 
5273 	case 2:
5274 		size = BPF_H;
5275 		break;
5276 
5277 	case 4:
5278 		size = BPF_W;
5279 		break;
5280 	}
5281 	switch (proto) {
5282 	default:
5283 		bpf_error("unsupported index operation");
5284 
5285 	case Q_RADIO:
5286 		/*
5287 		 * The offset is relative to the beginning of the packet
5288 		 * data, if we have a radio header.  (If we don't, this
5289 		 * is an error.)
5290 		 */
5291 		if (linktype != DLT_IEEE802_11_RADIO_AVS &&
5292 		    linktype != DLT_IEEE802_11_RADIO &&
5293 		    linktype != DLT_PRISM_HEADER)
5294 			bpf_error("radio information not present in capture");
5295 
5296 		/*
5297 		 * Load into the X register the offset computed into the
5298 		 * register specifed by "index".
5299 		 */
5300 		s = xfer_to_x(index);
5301 
5302 		/*
5303 		 * Load the item at that offset.
5304 		 */
5305 		tmp = new_stmt(BPF_LD|BPF_IND|size);
5306 		sappend(s, tmp);
5307 		sappend(index->s, s);
5308 		break;
5309 
5310 	case Q_LINK:
5311 		/*
5312 		 * The offset is relative to the beginning of
5313 		 * the link-layer header.
5314 		 *
5315 		 * XXX - what about ATM LANE?  Should the index be
5316 		 * relative to the beginning of the AAL5 frame, so
5317 		 * that 0 refers to the beginning of the LE Control
5318 		 * field, or relative to the beginning of the LAN
5319 		 * frame, so that 0 refers, for Ethernet LANE, to
5320 		 * the beginning of the destination address?
5321 		 */
5322 		s = gen_llprefixlen();
5323 
5324 		/*
5325 		 * If "s" is non-null, it has code to arrange that the
5326 		 * X register contains the length of the prefix preceding
5327 		 * the link-layer header.  Add to it the offset computed
5328 		 * into the register specified by "index", and move that
5329 		 * into the X register.  Otherwise, just load into the X
5330 		 * register the offset computed into the register specifed
5331 		 * by "index".
5332 		 */
5333 		if (s != NULL) {
5334 			sappend(s, xfer_to_a(index));
5335 			sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5336 			sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5337 		} else
5338 			s = xfer_to_x(index);
5339 
5340 		/*
5341 		 * Load the item at the sum of the offset we've put in the
5342 		 * X register and the offset of the start of the link
5343 		 * layer header (which is 0 if the radio header is
5344 		 * variable-length; that header length is what we put
5345 		 * into the X register and then added to the index).
5346 		 */
5347 		tmp = new_stmt(BPF_LD|BPF_IND|size);
5348 		tmp->s.k = off_ll;
5349 		sappend(s, tmp);
5350 		sappend(index->s, s);
5351 		break;
5352 
5353 	case Q_IP:
5354 	case Q_ARP:
5355 	case Q_RARP:
5356 	case Q_ATALK:
5357 	case Q_DECNET:
5358 	case Q_SCA:
5359 	case Q_LAT:
5360 	case Q_MOPRC:
5361 	case Q_MOPDL:
5362 #ifdef INET6
5363 	case Q_IPV6:
5364 #endif
5365 		/*
5366 		 * The offset is relative to the beginning of
5367 		 * the network-layer header.
5368 		 * XXX - are there any cases where we want
5369 		 * off_nl_nosnap?
5370 		 */
5371 		s = gen_llprefixlen();
5372 
5373 		/*
5374 		 * If "s" is non-null, it has code to arrange that the
5375 		 * X register contains the length of the prefix preceding
5376 		 * the link-layer header.  Add to it the offset computed
5377 		 * into the register specified by "index", and move that
5378 		 * into the X register.  Otherwise, just load into the X
5379 		 * register the offset computed into the register specifed
5380 		 * by "index".
5381 		 */
5382 		if (s != NULL) {
5383 			sappend(s, xfer_to_a(index));
5384 			sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5385 			sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5386 		} else
5387 			s = xfer_to_x(index);
5388 
5389 		/*
5390 		 * Load the item at the sum of the offset we've put in the
5391 		 * X register and the offset of the start of the network
5392 		 * layer header.
5393 		 */
5394 		tmp = new_stmt(BPF_LD|BPF_IND|size);
5395 		tmp->s.k = off_nl;
5396 		sappend(s, tmp);
5397 		sappend(index->s, s);
5398 
5399 		/*
5400 		 * Do the computation only if the packet contains
5401 		 * the protocol in question.
5402 		 */
5403 		b = gen_proto_abbrev(proto);
5404 		if (index->b)
5405 			gen_and(index->b, b);
5406 		index->b = b;
5407 		break;
5408 
5409 	case Q_SCTP:
5410 	case Q_TCP:
5411 	case Q_UDP:
5412 	case Q_ICMP:
5413 	case Q_IGMP:
5414 	case Q_IGRP:
5415 	case Q_PIM:
5416 	case Q_VRRP:
5417 		/*
5418 		 * The offset is relative to the beginning of
5419 		 * the transport-layer header.
5420 		 * XXX - are there any cases where we want
5421 		 * off_nl_nosnap?
5422 		 * XXX - we should, if we're built with
5423 		 * IPv6 support, generate code to load either
5424 		 * IPv4, IPv6, or both, as appropriate.
5425 		 */
5426 		s = gen_loadx_iphdrlen();
5427 
5428 		/*
5429 		 * The X register now contains the sum of the offset
5430 		 * of the beginning of the link-layer header and
5431 		 * the length of the network-layer header.  Load
5432 		 * into the A register the offset relative to
5433 		 * the beginning of the transport layer header,
5434 		 * add the X register to that, move that to the
5435 		 * X register, and load with an offset from the
5436 		 * X register equal to the offset of the network
5437 		 * layer header relative to the beginning of
5438 		 * the link-layer header.
5439 		 */
5440 		sappend(s, xfer_to_a(index));
5441 		sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5442 		sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5443 		sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
5444 		tmp->s.k = off_nl;
5445 		sappend(index->s, s);
5446 
5447 		/*
5448 		 * Do the computation only if the packet contains
5449 		 * the protocol in question - which is true only
5450 		 * if this is an IP datagram and is the first or
5451 		 * only fragment of that datagram.
5452 		 */
5453 		gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
5454 		if (index->b)
5455 			gen_and(index->b, b);
5456 #ifdef INET6
5457 		gen_and(gen_proto_abbrev(Q_IP), b);
5458 #endif
5459 		index->b = b;
5460 		break;
5461 #ifdef INET6
5462 	case Q_ICMPV6:
5463 		bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
5464 		/*NOTREACHED*/
5465 #endif
5466 	}
5467 	index->regno = regno;
5468 	s = new_stmt(BPF_ST);
5469 	s->s.k = regno;
5470 	sappend(index->s, s);
5471 
5472 	return index;
5473 }
5474 
5475 struct block *
5476 gen_relation(code, a0, a1, reversed)
5477 	int code;
5478 	struct arth *a0, *a1;
5479 	int reversed;
5480 {
5481 	struct slist *s0, *s1, *s2;
5482 	struct block *b, *tmp;
5483 
5484 	s0 = xfer_to_x(a1);
5485 	s1 = xfer_to_a(a0);
5486 	if (code == BPF_JEQ) {
5487 		s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
5488 		b = new_block(JMP(code));
5489 		sappend(s1, s2);
5490 	}
5491 	else
5492 		b = new_block(BPF_JMP|code|BPF_X);
5493 	if (reversed)
5494 		gen_not(b);
5495 
5496 	sappend(s0, s1);
5497 	sappend(a1->s, s0);
5498 	sappend(a0->s, a1->s);
5499 
5500 	b->stmts = a0->s;
5501 
5502 	free_reg(a0->regno);
5503 	free_reg(a1->regno);
5504 
5505 	/* 'and' together protocol checks */
5506 	if (a0->b) {
5507 		if (a1->b) {
5508 			gen_and(a0->b, tmp = a1->b);
5509 		}
5510 		else
5511 			tmp = a0->b;
5512 	} else
5513 		tmp = a1->b;
5514 
5515 	if (tmp)
5516 		gen_and(tmp, b);
5517 
5518 	return b;
5519 }
5520 
5521 struct arth *
5522 gen_loadlen()
5523 {
5524 	int regno = alloc_reg();
5525 	struct arth *a = (struct arth *)newchunk(sizeof(*a));
5526 	struct slist *s;
5527 
5528 	s = new_stmt(BPF_LD|BPF_LEN);
5529 	s->next = new_stmt(BPF_ST);
5530 	s->next->s.k = regno;
5531 	a->s = s;
5532 	a->regno = regno;
5533 
5534 	return a;
5535 }
5536 
5537 struct arth *
5538 gen_loadi(val)
5539 	int val;
5540 {
5541 	struct arth *a;
5542 	struct slist *s;
5543 	int reg;
5544 
5545 	a = (struct arth *)newchunk(sizeof(*a));
5546 
5547 	reg = alloc_reg();
5548 
5549 	s = new_stmt(BPF_LD|BPF_IMM);
5550 	s->s.k = val;
5551 	s->next = new_stmt(BPF_ST);
5552 	s->next->s.k = reg;
5553 	a->s = s;
5554 	a->regno = reg;
5555 
5556 	return a;
5557 }
5558 
5559 struct arth *
5560 gen_neg(a)
5561 	struct arth *a;
5562 {
5563 	struct slist *s;
5564 
5565 	s = xfer_to_a(a);
5566 	sappend(a->s, s);
5567 	s = new_stmt(BPF_ALU|BPF_NEG);
5568 	s->s.k = 0;
5569 	sappend(a->s, s);
5570 	s = new_stmt(BPF_ST);
5571 	s->s.k = a->regno;
5572 	sappend(a->s, s);
5573 
5574 	return a;
5575 }
5576 
5577 struct arth *
5578 gen_arth(code, a0, a1)
5579 	int code;
5580 	struct arth *a0, *a1;
5581 {
5582 	struct slist *s0, *s1, *s2;
5583 
5584 	s0 = xfer_to_x(a1);
5585 	s1 = xfer_to_a(a0);
5586 	s2 = new_stmt(BPF_ALU|BPF_X|code);
5587 
5588 	sappend(s1, s2);
5589 	sappend(s0, s1);
5590 	sappend(a1->s, s0);
5591 	sappend(a0->s, a1->s);
5592 
5593 	free_reg(a0->regno);
5594 	free_reg(a1->regno);
5595 
5596 	s0 = new_stmt(BPF_ST);
5597 	a0->regno = s0->s.k = alloc_reg();
5598 	sappend(a0->s, s0);
5599 
5600 	return a0;
5601 }
5602 
5603 /*
5604  * Here we handle simple allocation of the scratch registers.
5605  * If too many registers are alloc'd, the allocator punts.
5606  */
5607 static int regused[BPF_MEMWORDS];
5608 static int curreg;
5609 
5610 /*
5611  * Return the next free register.
5612  */
5613 static int
5614 alloc_reg()
5615 {
5616 	int n = BPF_MEMWORDS;
5617 
5618 	while (--n >= 0) {
5619 		if (regused[curreg])
5620 			curreg = (curreg + 1) % BPF_MEMWORDS;
5621 		else {
5622 			regused[curreg] = 1;
5623 			return curreg;
5624 		}
5625 	}
5626 	bpf_error("too many registers needed to evaluate expression");
5627 	/* NOTREACHED */
5628 }
5629 
5630 /*
5631  * Return a register to the table so it can
5632  * be used later.
5633  */
5634 static void
5635 free_reg(n)
5636 	int n;
5637 {
5638 	regused[n] = 0;
5639 }
5640 
5641 static struct block *
5642 gen_len(jmp, n)
5643 	int jmp, n;
5644 {
5645 	struct slist *s;
5646 	struct block *b;
5647 
5648 	s = new_stmt(BPF_LD|BPF_LEN);
5649 	b = new_block(JMP(jmp));
5650 	b->stmts = s;
5651 	b->s.k = n;
5652 
5653 	return b;
5654 }
5655 
5656 struct block *
5657 gen_greater(n)
5658 	int n;
5659 {
5660 	return gen_len(BPF_JGE, n);
5661 }
5662 
5663 /*
5664  * Actually, this is less than or equal.
5665  */
5666 struct block *
5667 gen_less(n)
5668 	int n;
5669 {
5670 	struct block *b;
5671 
5672 	b = gen_len(BPF_JGT, n);
5673 	gen_not(b);
5674 
5675 	return b;
5676 }
5677 
5678 /*
5679  * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
5680  * the beginning of the link-layer header.
5681  * XXX - that means you can't test values in the radiotap header, but
5682  * as that header is difficult if not impossible to parse generally
5683  * without a loop, that might not be a severe problem.  A new keyword
5684  * "radio" could be added for that, although what you'd really want
5685  * would be a way of testing particular radio header values, which
5686  * would generate code appropriate to the radio header in question.
5687  */
5688 struct block *
5689 gen_byteop(op, idx, val)
5690 	int op, idx, val;
5691 {
5692 	struct block *b;
5693 	struct slist *s;
5694 
5695 	switch (op) {
5696 	default:
5697 		abort();
5698 
5699 	case '=':
5700 		return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5701 
5702 	case '<':
5703 		b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5704 		return b;
5705 
5706 	case '>':
5707 		b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5708 		return b;
5709 
5710 	case '|':
5711 		s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
5712 		break;
5713 
5714 	case '&':
5715 		s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
5716 		break;
5717 	}
5718 	s->s.k = val;
5719 	b = new_block(JMP(BPF_JEQ));
5720 	b->stmts = s;
5721 	gen_not(b);
5722 
5723 	return b;
5724 }
5725 
5726 static u_char abroadcast[] = { 0x0 };
5727 
5728 struct block *
5729 gen_broadcast(proto)
5730 	int proto;
5731 {
5732 	bpf_u_int32 hostmask;
5733 	struct block *b0, *b1, *b2;
5734 	static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
5735 
5736 	switch (proto) {
5737 
5738 	case Q_DEFAULT:
5739 	case Q_LINK:
5740 		if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5741 			return gen_ahostop(abroadcast, Q_DST);
5742 		if (linktype == DLT_EN10MB)
5743 			return gen_ehostop(ebroadcast, Q_DST);
5744 		if (linktype == DLT_FDDI)
5745 			return gen_fhostop(ebroadcast, Q_DST);
5746 		if (linktype == DLT_IEEE802)
5747 			return gen_thostop(ebroadcast, Q_DST);
5748 		if (linktype == DLT_IEEE802_11 ||
5749 		    linktype == DLT_IEEE802_11_RADIO_AVS ||
5750 		    linktype == DLT_IEEE802_11_RADIO ||
5751 		    linktype == DLT_PRISM_HEADER)
5752 			return gen_wlanhostop(ebroadcast, Q_DST);
5753 		if (linktype == DLT_IP_OVER_FC)
5754 			return gen_ipfchostop(ebroadcast, Q_DST);
5755 		if (linktype == DLT_SUNATM && is_lane) {
5756 			/*
5757 			 * Check that the packet doesn't begin with an
5758 			 * LE Control marker.  (We've already generated
5759 			 * a test for LANE.)
5760 			 */
5761 			b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5762 			    0xFF00);
5763 			gen_not(b1);
5764 
5765 			/*
5766 			 * Now check the MAC address.
5767 			 */
5768 			b0 = gen_ehostop(ebroadcast, Q_DST);
5769 			gen_and(b1, b0);
5770 			return b0;
5771 		}
5772 		bpf_error("not a broadcast link");
5773 		break;
5774 
5775 	case Q_IP:
5776 		b0 = gen_linktype(ETHERTYPE_IP);
5777 		hostmask = ~netmask;
5778 		b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
5779 		b2 = gen_mcmp(OR_NET, 16, BPF_W,
5780 			      (bpf_int32)(~0 & hostmask), hostmask);
5781 		gen_or(b1, b2);
5782 		gen_and(b0, b2);
5783 		return b2;
5784 	}
5785 	bpf_error("only link-layer/IP broadcast filters supported");
5786 	/* NOTREACHED */
5787 }
5788 
5789 /*
5790  * Generate code to test the low-order bit of a MAC address (that's
5791  * the bottom bit of the *first* byte).
5792  */
5793 static struct block *
5794 gen_mac_multicast(offset)
5795 	int offset;
5796 {
5797 	register struct block *b0;
5798 	register struct slist *s;
5799 
5800 	/* link[offset] & 1 != 0 */
5801 	s = gen_load_a(OR_LINK, offset, BPF_B);
5802 	b0 = new_block(JMP(BPF_JSET));
5803 	b0->s.k = 1;
5804 	b0->stmts = s;
5805 	return b0;
5806 }
5807 
5808 struct block *
5809 gen_multicast(proto)
5810 	int proto;
5811 {
5812 	register struct block *b0, *b1, *b2;
5813 	register struct slist *s;
5814 
5815 	switch (proto) {
5816 
5817 	case Q_DEFAULT:
5818 	case Q_LINK:
5819 		if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5820 			/* all ARCnet multicasts use the same address */
5821 			return gen_ahostop(abroadcast, Q_DST);
5822 
5823 		if (linktype == DLT_EN10MB) {
5824 			/* ether[0] & 1 != 0 */
5825 			return gen_mac_multicast(0);
5826 		}
5827 
5828 		if (linktype == DLT_FDDI) {
5829 			/*
5830 			 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
5831 			 *
5832 			 * XXX - was that referring to bit-order issues?
5833 			 */
5834 			/* fddi[1] & 1 != 0 */
5835 			return gen_mac_multicast(1);
5836 		}
5837 
5838 		if (linktype == DLT_IEEE802) {
5839 			/* tr[2] & 1 != 0 */
5840 			return gen_mac_multicast(2);
5841 		}
5842 
5843 		if (linktype == DLT_IEEE802_11 ||
5844 		    linktype == DLT_IEEE802_11_RADIO_AVS ||
5845 		    linktype == DLT_IEEE802_11_RADIO ||
5846 		    linktype == DLT_PRISM_HEADER) {
5847 			/*
5848 			 * Oh, yuk.
5849 			 *
5850 			 *	For control frames, there is no DA.
5851 			 *
5852 			 *	For management frames, DA is at an
5853 			 *	offset of 4 from the beginning of
5854 			 *	the packet.
5855 			 *
5856 			 *	For data frames, DA is at an offset
5857 			 *	of 4 from the beginning of the packet
5858 			 *	if To DS is clear and at an offset of
5859 			 *	16 from the beginning of the packet
5860 			 *	if To DS is set.
5861 			 */
5862 
5863 			/*
5864 			 * Generate the tests to be done for data frames.
5865 			 *
5866 			 * First, check for To DS set, i.e. "link[1] & 0x01".
5867 			 */
5868 			s = gen_load_a(OR_LINK, 1, BPF_B);
5869 			b1 = new_block(JMP(BPF_JSET));
5870 			b1->s.k = 0x01;	/* To DS */
5871 			b1->stmts = s;
5872 
5873 			/*
5874 			 * If To DS is set, the DA is at 16.
5875 			 */
5876 			b0 = gen_mac_multicast(16);
5877 			gen_and(b1, b0);
5878 
5879 			/*
5880 			 * Now, check for To DS not set, i.e. check
5881 			 * "!(link[1] & 0x01)".
5882 			 */
5883 			s = gen_load_a(OR_LINK, 1, BPF_B);
5884 			b2 = new_block(JMP(BPF_JSET));
5885 			b2->s.k = 0x01;	/* To DS */
5886 			b2->stmts = s;
5887 			gen_not(b2);
5888 
5889 			/*
5890 			 * If To DS is not set, the DA is at 4.
5891 			 */
5892 			b1 = gen_mac_multicast(4);
5893 			gen_and(b2, b1);
5894 
5895 			/*
5896 			 * Now OR together the last two checks.  That gives
5897 			 * the complete set of checks for data frames.
5898 			 */
5899 			gen_or(b1, b0);
5900 
5901 			/*
5902 			 * Now check for a data frame.
5903 			 * I.e, check "link[0] & 0x08".
5904 			 */
5905 			s = gen_load_a(OR_LINK, 0, BPF_B);
5906 			b1 = new_block(JMP(BPF_JSET));
5907 			b1->s.k = 0x08;
5908 			b1->stmts = s;
5909 
5910 			/*
5911 			 * AND that with the checks done for data frames.
5912 			 */
5913 			gen_and(b1, b0);
5914 
5915 			/*
5916 			 * If the high-order bit of the type value is 0, this
5917 			 * is a management frame.
5918 			 * I.e, check "!(link[0] & 0x08)".
5919 			 */
5920 			s = gen_load_a(OR_LINK, 0, BPF_B);
5921 			b2 = new_block(JMP(BPF_JSET));
5922 			b2->s.k = 0x08;
5923 			b2->stmts = s;
5924 			gen_not(b2);
5925 
5926 			/*
5927 			 * For management frames, the DA is at 4.
5928 			 */
5929 			b1 = gen_mac_multicast(4);
5930 			gen_and(b2, b1);
5931 
5932 			/*
5933 			 * OR that with the checks done for data frames.
5934 			 * That gives the checks done for management and
5935 			 * data frames.
5936 			 */
5937 			gen_or(b1, b0);
5938 
5939 			/*
5940 			 * If the low-order bit of the type value is 1,
5941 			 * this is either a control frame or a frame
5942 			 * with a reserved type, and thus not a
5943 			 * frame with an SA.
5944 			 *
5945 			 * I.e., check "!(link[0] & 0x04)".
5946 			 */
5947 			s = gen_load_a(OR_LINK, 0, BPF_B);
5948 			b1 = new_block(JMP(BPF_JSET));
5949 			b1->s.k = 0x04;
5950 			b1->stmts = s;
5951 			gen_not(b1);
5952 
5953 			/*
5954 			 * AND that with the checks for data and management
5955 			 * frames.
5956 			 */
5957 			gen_and(b1, b0);
5958 			return b0;
5959 		}
5960 
5961 		if (linktype == DLT_IP_OVER_FC) {
5962 			b0 = gen_mac_multicast(2);
5963 			return b0;
5964 		}
5965 
5966 		if (linktype == DLT_SUNATM && is_lane) {
5967 			/*
5968 			 * Check that the packet doesn't begin with an
5969 			 * LE Control marker.  (We've already generated
5970 			 * a test for LANE.)
5971 			 */
5972 			b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5973 			    0xFF00);
5974 			gen_not(b1);
5975 
5976 			/* ether[off_mac] & 1 != 0 */
5977 			b0 = gen_mac_multicast(off_mac);
5978 			gen_and(b1, b0);
5979 			return b0;
5980 		}
5981 
5982 		/* Link not known to support multicasts */
5983 		break;
5984 
5985 	case Q_IP:
5986 		b0 = gen_linktype(ETHERTYPE_IP);
5987 		b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
5988 		gen_and(b0, b1);
5989 		return b1;
5990 
5991 #ifdef INET6
5992 	case Q_IPV6:
5993 		b0 = gen_linktype(ETHERTYPE_IPV6);
5994 		b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
5995 		gen_and(b0, b1);
5996 		return b1;
5997 #endif /* INET6 */
5998 	}
5999 	bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
6000 	/* NOTREACHED */
6001 }
6002 
6003 /*
6004  * generate command for inbound/outbound.  It's here so we can
6005  * make it link-type specific.  'dir' = 0 implies "inbound",
6006  * = 1 implies "outbound".
6007  */
6008 struct block *
6009 gen_inbound(dir)
6010 	int dir;
6011 {
6012 	register struct block *b0;
6013 
6014 	/*
6015 	 * Only some data link types support inbound/outbound qualifiers.
6016 	 */
6017 	switch (linktype) {
6018 	case DLT_SLIP:
6019 		b0 = gen_relation(BPF_JEQ,
6020 			  gen_load(Q_LINK, gen_loadi(0), 1),
6021 			  gen_loadi(0),
6022 			  dir);
6023 		break;
6024 
6025 	case DLT_LINUX_SLL:
6026 		if (dir) {
6027 			/*
6028 			 * Match packets sent by this machine.
6029 			 */
6030 			b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
6031 		} else {
6032 			/*
6033 			 * Match packets sent to this machine.
6034 			 * (No broadcast or multicast packets, or
6035 			 * packets sent to some other machine and
6036 			 * received promiscuously.)
6037 			 *
6038 			 * XXX - packets sent to other machines probably
6039 			 * shouldn't be matched, but what about broadcast
6040 			 * or multicast packets we received?
6041 			 */
6042 			b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
6043 		}
6044 		break;
6045 
6046 	case DLT_PFLOG:
6047 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
6048 		    (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
6049 		break;
6050 
6051 	case DLT_PPP_PPPD:
6052 		if (dir) {
6053 			/* match outgoing packets */
6054 			b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
6055 		} else {
6056 			/* match incoming packets */
6057 			b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
6058 		}
6059 		break;
6060 
6061         case DLT_JUNIPER_MFR:
6062         case DLT_JUNIPER_MLFR:
6063         case DLT_JUNIPER_MLPPP:
6064 	case DLT_JUNIPER_ATM1:
6065 	case DLT_JUNIPER_ATM2:
6066 	case DLT_JUNIPER_PPPOE:
6067 	case DLT_JUNIPER_PPPOE_ATM:
6068         case DLT_JUNIPER_GGSN:
6069         case DLT_JUNIPER_ES:
6070         case DLT_JUNIPER_MONITOR:
6071         case DLT_JUNIPER_SERVICES:
6072         case DLT_JUNIPER_ETHER:
6073         case DLT_JUNIPER_PPP:
6074         case DLT_JUNIPER_FRELAY:
6075         case DLT_JUNIPER_CHDLC:
6076 		/* juniper flags (including direction) are stored
6077 		 * the byte after the 3-byte magic number */
6078 		if (dir) {
6079 			/* match outgoing packets */
6080 			b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
6081 		} else {
6082 			/* match incoming packets */
6083 			b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
6084 		}
6085 	    break;
6086 
6087 	default:
6088 		bpf_error("inbound/outbound not supported on linktype %d",
6089 		    linktype);
6090 		b0 = NULL;
6091 		/* NOTREACHED */
6092 	}
6093 	return (b0);
6094 }
6095 
6096 /* PF firewall log matched interface */
6097 struct block *
6098 gen_pf_ifname(const char *ifname)
6099 {
6100 	struct block *b0;
6101 	u_int len, off;
6102 
6103 	if (linktype == DLT_PFLOG) {
6104 		len = sizeof(((struct pfloghdr *)0)->ifname);
6105 		off = offsetof(struct pfloghdr, ifname);
6106 	} else {
6107 		bpf_error("ifname not supported on linktype 0x%x", linktype);
6108 		/* NOTREACHED */
6109 	}
6110 	if (strlen(ifname) >= len) {
6111 		bpf_error("ifname interface names can only be %d characters",
6112 		    len-1);
6113 		/* NOTREACHED */
6114 	}
6115 	b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
6116 	return (b0);
6117 }
6118 
6119 /* PF firewall log ruleset name */
6120 struct block *
6121 gen_pf_ruleset(char *ruleset)
6122 {
6123 	struct block *b0;
6124 
6125 	if (linktype != DLT_PFLOG) {
6126 		bpf_error("ruleset not supported on linktype 0x%x", linktype);
6127 		/* NOTREACHED */
6128 	}
6129 	if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
6130 		bpf_error("ruleset names can only be %ld characters",
6131 		    (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
6132 		/* NOTREACHED */
6133 	}
6134 	b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
6135 	    strlen(ruleset), (const u_char *)ruleset);
6136 	return (b0);
6137 }
6138 
6139 /* PF firewall log rule number */
6140 struct block *
6141 gen_pf_rnr(int rnr)
6142 {
6143 	struct block *b0;
6144 
6145 	if (linktype == DLT_PFLOG) {
6146 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
6147 			 (bpf_int32)rnr);
6148 	} else {
6149 		bpf_error("rnr not supported on linktype 0x%x", linktype);
6150 		/* NOTREACHED */
6151 	}
6152 
6153 	return (b0);
6154 }
6155 
6156 /* PF firewall log sub-rule number */
6157 struct block *
6158 gen_pf_srnr(int srnr)
6159 {
6160 	struct block *b0;
6161 
6162 	if (linktype != DLT_PFLOG) {
6163 		bpf_error("srnr not supported on linktype 0x%x", linktype);
6164 		/* NOTREACHED */
6165 	}
6166 
6167 	b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
6168 	    (bpf_int32)srnr);
6169 	return (b0);
6170 }
6171 
6172 /* PF firewall log reason code */
6173 struct block *
6174 gen_pf_reason(int reason)
6175 {
6176 	struct block *b0;
6177 
6178 	if (linktype == DLT_PFLOG) {
6179 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
6180 		    (bpf_int32)reason);
6181 	} else {
6182 		bpf_error("reason not supported on linktype 0x%x", linktype);
6183 		/* NOTREACHED */
6184 	}
6185 
6186 	return (b0);
6187 }
6188 
6189 /* PF firewall log action */
6190 struct block *
6191 gen_pf_action(int action)
6192 {
6193 	struct block *b0;
6194 
6195 	if (linktype == DLT_PFLOG) {
6196 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
6197 		    (bpf_int32)action);
6198 	} else {
6199 		bpf_error("action not supported on linktype 0x%x", linktype);
6200 		/* NOTREACHED */
6201 	}
6202 
6203 	return (b0);
6204 }
6205 
6206 struct block *
6207 gen_acode(eaddr, q)
6208 	register const u_char *eaddr;
6209 	struct qual q;
6210 {
6211 	if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6212 		if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
6213 			return gen_ahostop(eaddr, (int)q.dir);
6214 	}
6215 	bpf_error("ARCnet address used in non-arc expression");
6216 	/* NOTREACHED */
6217 }
6218 
6219 static struct block *
6220 gen_ahostop(eaddr, dir)
6221 	register const u_char *eaddr;
6222 	register int dir;
6223 {
6224 	register struct block *b0, *b1;
6225 
6226 	switch (dir) {
6227 	/* src comes first, different from Ethernet */
6228 	case Q_SRC:
6229 		return gen_bcmp(OR_LINK, 0, 1, eaddr);
6230 
6231 	case Q_DST:
6232 		return gen_bcmp(OR_LINK, 1, 1, eaddr);
6233 
6234 	case Q_AND:
6235 		b0 = gen_ahostop(eaddr, Q_SRC);
6236 		b1 = gen_ahostop(eaddr, Q_DST);
6237 		gen_and(b0, b1);
6238 		return b1;
6239 
6240 	case Q_DEFAULT:
6241 	case Q_OR:
6242 		b0 = gen_ahostop(eaddr, Q_SRC);
6243 		b1 = gen_ahostop(eaddr, Q_DST);
6244 		gen_or(b0, b1);
6245 		return b1;
6246 	}
6247 	abort();
6248 	/* NOTREACHED */
6249 }
6250 
6251 /*
6252  * support IEEE 802.1Q VLAN trunk over ethernet
6253  */
6254 struct block *
6255 gen_vlan(vlan_num)
6256 	int vlan_num;
6257 {
6258 	struct	block	*b0, *b1;
6259 
6260 	/* can't check for VLAN-encapsulated packets inside MPLS */
6261 	if (label_stack_depth > 0)
6262 		bpf_error("no VLAN match after MPLS");
6263 
6264 	/*
6265 	 * Change the offsets to point to the type and data fields within
6266 	 * the VLAN packet.  Just increment the offsets, so that we
6267 	 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
6268 	 * capture VLAN 200 encapsulated within VLAN 100.
6269 	 *
6270 	 * XXX - this is a bit of a kludge.  If we were to split the
6271 	 * compiler into a parser that parses an expression and
6272 	 * generates an expression tree, and a code generator that
6273 	 * takes an expression tree (which could come from our
6274 	 * parser or from some other parser) and generates BPF code,
6275 	 * we could perhaps make the offsets parameters of routines
6276 	 * and, in the handler for an "AND" node, pass to subnodes
6277 	 * other than the VLAN node the adjusted offsets.
6278 	 *
6279 	 * This would mean that "vlan" would, instead of changing the
6280 	 * behavior of *all* tests after it, change only the behavior
6281 	 * of tests ANDed with it.  That would change the documented
6282 	 * semantics of "vlan", which might break some expressions.
6283 	 * However, it would mean that "(vlan and ip) or ip" would check
6284 	 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6285 	 * checking only for VLAN-encapsulated IP, so that could still
6286 	 * be considered worth doing; it wouldn't break expressions
6287 	 * that are of the form "vlan and ..." or "vlan N and ...",
6288 	 * which I suspect are the most common expressions involving
6289 	 * "vlan".  "vlan or ..." doesn't necessarily do what the user
6290 	 * would really want, now, as all the "or ..." tests would
6291 	 * be done assuming a VLAN, even though the "or" could be viewed
6292 	 * as meaning "or, if this isn't a VLAN packet...".
6293 	 */
6294 	orig_linktype = off_linktype;	/* save original values */
6295 	orig_nl = off_nl;
6296 
6297 	switch (linktype) {
6298 
6299 	case DLT_EN10MB:
6300 		off_linktype += 4;
6301 		off_nl_nosnap += 4;
6302 		off_nl += 4;
6303 		break;
6304 
6305 	default:
6306 		bpf_error("no VLAN support for data link type %d",
6307 		      linktype);
6308 		/*NOTREACHED*/
6309 	}
6310 
6311 	/* check for VLAN */
6312 	b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
6313 
6314 	/* If a specific VLAN is requested, check VLAN id */
6315 	if (vlan_num >= 0) {
6316 		b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num,
6317 		    0x0fff);
6318 		gen_and(b0, b1);
6319 		b0 = b1;
6320 	}
6321 
6322 	return (b0);
6323 }
6324 
6325 /*
6326  * support for MPLS
6327  */
6328 struct block *
6329 gen_mpls(label_num)
6330 	int label_num;
6331 {
6332 	struct	block	*b0,*b1;
6333 
6334 	/*
6335 	 * Change the offsets to point to the type and data fields within
6336 	 * the MPLS packet.  Just increment the offsets, so that we
6337 	 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
6338 	 * capture packets with an outer label of 100000 and an inner
6339 	 * label of 1024.
6340 	 *
6341 	 * XXX - this is a bit of a kludge.  See comments in gen_vlan().
6342 	 */
6343         orig_nl = off_nl;
6344 
6345         if (label_stack_depth > 0) {
6346             /* just match the bottom-of-stack bit clear */
6347             b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01);
6348         } else {
6349             /*
6350              * Indicate that we're checking MPLS-encapsulated headers,
6351              * to make sure higher level code generators don't try to
6352              * match against IP-related protocols such as Q_ARP, Q_RARP
6353              * etc.
6354              */
6355             switch (linktype) {
6356 
6357             case DLT_C_HDLC: /* fall through */
6358             case DLT_EN10MB:
6359                     b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
6360                                  (bpf_int32)ETHERTYPE_MPLS);
6361                     break;
6362 
6363             case DLT_PPP:
6364                     b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
6365                                  (bpf_int32)PPP_MPLS_UCAST);
6366                     break;
6367 
6368                     /* FIXME add other DLT_s ...
6369                      * for Frame-Relay/and ATM this may get messy due to SNAP headers
6370                      * leave it for now */
6371 
6372             default:
6373                     bpf_error("no MPLS support for data link type %d",
6374                           linktype);
6375                     b0 = NULL;
6376                     /*NOTREACHED*/
6377                     break;
6378             }
6379         }
6380 
6381 	/* If a specific MPLS label is requested, check it */
6382 	if (label_num >= 0) {
6383 		label_num = label_num << 12; /* label is shifted 12 bits on the wire */
6384 		b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num,
6385 		    0xfffff000); /* only compare the first 20 bits */
6386 		gen_and(b0, b1);
6387 		b0 = b1;
6388 	}
6389 
6390         off_nl_nosnap += 4;
6391         off_nl += 4;
6392         label_stack_depth++;
6393 	return (b0);
6394 }
6395 
6396 /*
6397  * Support PPPOE discovery and session.
6398  */
6399 struct block *
6400 gen_pppoed()
6401 {
6402 	/* check for PPPoE discovery */
6403 	return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
6404 }
6405 
6406 struct block *
6407 gen_pppoes()
6408 {
6409 	struct block *b0;
6410 
6411 	/*
6412 	 * Test against the PPPoE session link-layer type.
6413 	 */
6414 	b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
6415 
6416 	/*
6417 	 * Change the offsets to point to the type and data fields within
6418 	 * the PPP packet.
6419 	 *
6420 	 * XXX - this is a bit of a kludge.  If we were to split the
6421 	 * compiler into a parser that parses an expression and
6422 	 * generates an expression tree, and a code generator that
6423 	 * takes an expression tree (which could come from our
6424 	 * parser or from some other parser) and generates BPF code,
6425 	 * we could perhaps make the offsets parameters of routines
6426 	 * and, in the handler for an "AND" node, pass to subnodes
6427 	 * other than the PPPoE node the adjusted offsets.
6428 	 *
6429 	 * This would mean that "pppoes" would, instead of changing the
6430 	 * behavior of *all* tests after it, change only the behavior
6431 	 * of tests ANDed with it.  That would change the documented
6432 	 * semantics of "pppoes", which might break some expressions.
6433 	 * However, it would mean that "(pppoes and ip) or ip" would check
6434 	 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6435 	 * checking only for VLAN-encapsulated IP, so that could still
6436 	 * be considered worth doing; it wouldn't break expressions
6437 	 * that are of the form "pppoes and ..." which I suspect are the
6438 	 * most common expressions involving "pppoes".  "pppoes or ..."
6439 	 * doesn't necessarily do what the user would really want, now,
6440 	 * as all the "or ..." tests would be done assuming PPPoE, even
6441 	 * though the "or" could be viewed as meaning "or, if this isn't
6442 	 * a PPPoE packet...".
6443 	 */
6444 	orig_linktype = off_linktype;	/* save original values */
6445 	orig_nl = off_nl;
6446 
6447 	/*
6448 	 * The "network-layer" protocol is PPPoE, which has a 6-byte
6449 	 * PPPoE header, followed by PPP payload, so we set the
6450 	 * offsets to the network layer offset plus 6 bytes for
6451 	 * the PPPoE header plus the values appropriate for PPP when
6452 	 * encapsulated in Ethernet (which means there's no HDLC
6453 	 * encapsulation).
6454 	 */
6455 	off_linktype = orig_nl + 6;
6456 	off_nl = orig_nl + 6 + 2;
6457 	off_nl_nosnap = orig_nl + 6 + 2;
6458 
6459 	/*
6460 	 * Set the link-layer type to PPP, as all subsequent tests will
6461 	 * be on the encapsulated PPP header.
6462 	 */
6463 	linktype = DLT_PPP;
6464 
6465 	return b0;
6466 }
6467 
6468 struct block *
6469 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
6470 	int atmfield;
6471 	bpf_int32 jvalue;
6472 	bpf_u_int32 jtype;
6473 	int reverse;
6474 {
6475 	struct block *b0;
6476 
6477 	switch (atmfield) {
6478 
6479 	case A_VPI:
6480 		if (!is_atm)
6481 			bpf_error("'vpi' supported only on raw ATM");
6482 		if (off_vpi == (u_int)-1)
6483 			abort();
6484 		b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
6485 		    reverse, jvalue);
6486 		break;
6487 
6488 	case A_VCI:
6489 		if (!is_atm)
6490 			bpf_error("'vci' supported only on raw ATM");
6491 		if (off_vci == (u_int)-1)
6492 			abort();
6493 		b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
6494 		    reverse, jvalue);
6495 		break;
6496 
6497 	case A_PROTOTYPE:
6498 		if (off_proto == (u_int)-1)
6499 			abort();	/* XXX - this isn't on FreeBSD */
6500 		b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
6501 		    reverse, jvalue);
6502 		break;
6503 
6504 	case A_MSGTYPE:
6505 		if (off_payload == (u_int)-1)
6506 			abort();
6507 		b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
6508 		    0xffffffff, jtype, reverse, jvalue);
6509 		break;
6510 
6511 	case A_CALLREFTYPE:
6512 		if (!is_atm)
6513 			bpf_error("'callref' supported only on raw ATM");
6514 		if (off_proto == (u_int)-1)
6515 			abort();
6516 		b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
6517 		    jtype, reverse, jvalue);
6518 		break;
6519 
6520 	default:
6521 		abort();
6522 	}
6523 	return b0;
6524 }
6525 
6526 struct block *
6527 gen_atmtype_abbrev(type)
6528 	int type;
6529 {
6530 	struct block *b0, *b1;
6531 
6532 	switch (type) {
6533 
6534 	case A_METAC:
6535 		/* Get all packets in Meta signalling Circuit */
6536 		if (!is_atm)
6537 			bpf_error("'metac' supported only on raw ATM");
6538 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6539 		b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
6540 		gen_and(b0, b1);
6541 		break;
6542 
6543 	case A_BCC:
6544 		/* Get all packets in Broadcast Circuit*/
6545 		if (!is_atm)
6546 			bpf_error("'bcc' supported only on raw ATM");
6547 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6548 		b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
6549 		gen_and(b0, b1);
6550 		break;
6551 
6552 	case A_OAMF4SC:
6553 		/* Get all cells in Segment OAM F4 circuit*/
6554 		if (!is_atm)
6555 			bpf_error("'oam4sc' supported only on raw ATM");
6556 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6557 		b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6558 		gen_and(b0, b1);
6559 		break;
6560 
6561 	case A_OAMF4EC:
6562 		/* Get all cells in End-to-End OAM F4 Circuit*/
6563 		if (!is_atm)
6564 			bpf_error("'oam4ec' supported only on raw ATM");
6565 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6566 		b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6567 		gen_and(b0, b1);
6568 		break;
6569 
6570 	case A_SC:
6571 		/*  Get all packets in connection Signalling Circuit */
6572 		if (!is_atm)
6573 			bpf_error("'sc' supported only on raw ATM");
6574 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6575 		b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
6576 		gen_and(b0, b1);
6577 		break;
6578 
6579 	case A_ILMIC:
6580 		/* Get all packets in ILMI Circuit */
6581 		if (!is_atm)
6582 			bpf_error("'ilmic' supported only on raw ATM");
6583 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6584 		b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
6585 		gen_and(b0, b1);
6586 		break;
6587 
6588 	case A_LANE:
6589 		/* Get all LANE packets */
6590 		if (!is_atm)
6591 			bpf_error("'lane' supported only on raw ATM");
6592 		b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
6593 
6594 		/*
6595 		 * Arrange that all subsequent tests assume LANE
6596 		 * rather than LLC-encapsulated packets, and set
6597 		 * the offsets appropriately for LANE-encapsulated
6598 		 * Ethernet.
6599 		 *
6600 		 * "off_mac" is the offset of the Ethernet header,
6601 		 * which is 2 bytes past the ATM pseudo-header
6602 		 * (skipping the pseudo-header and 2-byte LE Client
6603 		 * field).  The other offsets are Ethernet offsets
6604 		 * relative to "off_mac".
6605 		 */
6606 		is_lane = 1;
6607 		off_mac = off_payload + 2;	/* MAC header */
6608 		off_linktype = off_mac + 12;
6609 		off_nl = off_mac + 14;		/* Ethernet II */
6610 		off_nl_nosnap = off_mac + 17;	/* 802.3+802.2 */
6611 		break;
6612 
6613 	case A_LLC:
6614 		/* Get all LLC-encapsulated packets */
6615 		if (!is_atm)
6616 			bpf_error("'llc' supported only on raw ATM");
6617 		b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
6618 		is_lane = 0;
6619 		break;
6620 
6621 	default:
6622 		abort();
6623 	}
6624 	return b1;
6625 }
6626 
6627 struct block *
6628 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
6629 	int mtp3field;
6630 	bpf_u_int32 jvalue;
6631 	bpf_u_int32 jtype;
6632 	int reverse;
6633 {
6634 	struct block *b0;
6635 	bpf_u_int32 val1 , val2 , val3;
6636 
6637 	switch (mtp3field) {
6638 
6639 	case M_SIO:
6640 		if (off_sio == (u_int)-1)
6641 			bpf_error("'sio' supported only on SS7");
6642 		/* sio coded on 1 byte so max value 255 */
6643 		if(jvalue > 255)
6644 		        bpf_error("sio value %u too big; max value = 255",
6645 		            jvalue);
6646 		b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
6647 		    (u_int)jtype, reverse, (u_int)jvalue);
6648 		break;
6649 
6650         case M_OPC:
6651 	        if (off_opc == (u_int)-1)
6652 			bpf_error("'opc' supported only on SS7");
6653 		/* opc coded on 14 bits so max value 16383 */
6654 		if (jvalue > 16383)
6655 		        bpf_error("opc value %u too big; max value = 16383",
6656 		            jvalue);
6657 		/* the following instructions are made to convert jvalue
6658 		 * to the form used to write opc in an ss7 message*/
6659 		val1 = jvalue & 0x00003c00;
6660 		val1 = val1 >>10;
6661 		val2 = jvalue & 0x000003fc;
6662 		val2 = val2 <<6;
6663 		val3 = jvalue & 0x00000003;
6664 		val3 = val3 <<22;
6665 		jvalue = val1 + val2 + val3;
6666 		b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
6667 		    (u_int)jtype, reverse, (u_int)jvalue);
6668 		break;
6669 
6670 	case M_DPC:
6671 	        if (off_dpc == (u_int)-1)
6672 			bpf_error("'dpc' supported only on SS7");
6673 		/* dpc coded on 14 bits so max value 16383 */
6674 		if (jvalue > 16383)
6675 		        bpf_error("dpc value %u too big; max value = 16383",
6676 		            jvalue);
6677 		/* the following instructions are made to convert jvalue
6678 		 * to the forme used to write dpc in an ss7 message*/
6679 		val1 = jvalue & 0x000000ff;
6680 		val1 = val1 << 24;
6681 		val2 = jvalue & 0x00003f00;
6682 		val2 = val2 << 8;
6683 		jvalue = val1 + val2;
6684 		b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
6685 		    (u_int)jtype, reverse, (u_int)jvalue);
6686 		break;
6687 
6688 	case M_SLS:
6689 	        if (off_sls == (u_int)-1)
6690 			bpf_error("'sls' supported only on SS7");
6691 		/* sls coded on 4 bits so max value 15 */
6692 		if (jvalue > 15)
6693 		         bpf_error("sls value %u too big; max value = 15",
6694 		             jvalue);
6695 		/* the following instruction is made to convert jvalue
6696 		 * to the forme used to write sls in an ss7 message*/
6697 		jvalue = jvalue << 4;
6698 		b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
6699 		    (u_int)jtype,reverse, (u_int)jvalue);
6700 		break;
6701 
6702 	default:
6703 		abort();
6704 	}
6705 	return b0;
6706 }
6707 
6708 static struct block *
6709 gen_msg_abbrev(type)
6710 	int type;
6711 {
6712 	struct block *b1;
6713 
6714 	/*
6715 	 * Q.2931 signalling protocol messages for handling virtual circuits
6716 	 * establishment and teardown
6717 	 */
6718 	switch (type) {
6719 
6720 	case A_SETUP:
6721 		b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
6722 		break;
6723 
6724 	case A_CALLPROCEED:
6725 		b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
6726 		break;
6727 
6728 	case A_CONNECT:
6729 		b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
6730 		break;
6731 
6732 	case A_CONNECTACK:
6733 		b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
6734 		break;
6735 
6736 	case A_RELEASE:
6737 		b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
6738 		break;
6739 
6740 	case A_RELEASE_DONE:
6741 		b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
6742 		break;
6743 
6744 	default:
6745 		abort();
6746 	}
6747 	return b1;
6748 }
6749 
6750 struct block *
6751 gen_atmmulti_abbrev(type)
6752 	int type;
6753 {
6754 	struct block *b0, *b1;
6755 
6756 	switch (type) {
6757 
6758 	case A_OAM:
6759 		if (!is_atm)
6760 			bpf_error("'oam' supported only on raw ATM");
6761 		b1 = gen_atmmulti_abbrev(A_OAMF4);
6762 		break;
6763 
6764 	case A_OAMF4:
6765 		if (!is_atm)
6766 			bpf_error("'oamf4' supported only on raw ATM");
6767 		/* OAM F4 type */
6768 		b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6769 		b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6770 		gen_or(b0, b1);
6771 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6772 		gen_and(b0, b1);
6773 		break;
6774 
6775 	case A_CONNECTMSG:
6776 		/*
6777 		 * Get Q.2931 signalling messages for switched
6778 		 * virtual connection
6779 		 */
6780 		if (!is_atm)
6781 			bpf_error("'connectmsg' supported only on raw ATM");
6782 		b0 = gen_msg_abbrev(A_SETUP);
6783 		b1 = gen_msg_abbrev(A_CALLPROCEED);
6784 		gen_or(b0, b1);
6785 		b0 = gen_msg_abbrev(A_CONNECT);
6786 		gen_or(b0, b1);
6787 		b0 = gen_msg_abbrev(A_CONNECTACK);
6788 		gen_or(b0, b1);
6789 		b0 = gen_msg_abbrev(A_RELEASE);
6790 		gen_or(b0, b1);
6791 		b0 = gen_msg_abbrev(A_RELEASE_DONE);
6792 		gen_or(b0, b1);
6793 		b0 = gen_atmtype_abbrev(A_SC);
6794 		gen_and(b0, b1);
6795 		break;
6796 
6797 	case A_METACONNECT:
6798 		if (!is_atm)
6799 			bpf_error("'metaconnect' supported only on raw ATM");
6800 		b0 = gen_msg_abbrev(A_SETUP);
6801 		b1 = gen_msg_abbrev(A_CALLPROCEED);
6802 		gen_or(b0, b1);
6803 		b0 = gen_msg_abbrev(A_CONNECT);
6804 		gen_or(b0, b1);
6805 		b0 = gen_msg_abbrev(A_RELEASE);
6806 		gen_or(b0, b1);
6807 		b0 = gen_msg_abbrev(A_RELEASE_DONE);
6808 		gen_or(b0, b1);
6809 		b0 = gen_atmtype_abbrev(A_METAC);
6810 		gen_and(b0, b1);
6811 		break;
6812 
6813 	default:
6814 		abort();
6815 	}
6816 	return b1;
6817 }
6818