xref: /freebsd/contrib/libpcap/gencode.c (revision 6472ac3d8a86336899b6cfb789a4cd9897e3fab5)
1 /*#define CHASE_CHAIN*/
2 /*
3  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4  *	The Regents of the University of California.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that: (1) source code distributions
8  * retain the above copyright notice and this paragraph in its entirety, (2)
9  * distributions including binary code include the above copyright notice and
10  * this paragraph in its entirety in the documentation or other materials
11  * provided with the distribution, and (3) all advertising materials mentioning
12  * features or use of this software display the following acknowledgement:
13  * ``This product includes software developed by the University of California,
14  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15  * the University nor the names of its contributors may be used to endorse
16  * or promote products derived from this software without specific prior
17  * written permission.
18  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21  *
22  * $FreeBSD$
23  */
24 #ifndef lint
25 static const char rcsid[] _U_ =
26     "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
27 #endif
28 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32 
33 #ifdef WIN32
34 #include <pcap-stdinc.h>
35 #else /* WIN32 */
36 #if HAVE_INTTYPES_H
37 #include <inttypes.h>
38 #elif HAVE_STDINT_H
39 #include <stdint.h>
40 #endif
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
43 #endif
44 #include <sys/types.h>
45 #include <sys/socket.h>
46 #endif /* WIN32 */
47 
48 /*
49  * XXX - why was this included even on UNIX?
50  */
51 #ifdef __MINGW32__
52 #include "IP6_misc.h"
53 #endif
54 
55 #ifndef WIN32
56 
57 #ifdef __NetBSD__
58 #include <sys/param.h>
59 #endif
60 
61 #include <netinet/in.h>
62 #include <arpa/inet.h>
63 
64 #endif /* WIN32 */
65 
66 #include <stdlib.h>
67 #include <string.h>
68 #include <memory.h>
69 #include <setjmp.h>
70 #include <stdarg.h>
71 
72 #ifdef MSDOS
73 #include "pcap-dos.h"
74 #endif
75 
76 #include "pcap-int.h"
77 
78 #include "ethertype.h"
79 #include "nlpid.h"
80 #include "llc.h"
81 #include "gencode.h"
82 #include "ieee80211.h"
83 #include "atmuni31.h"
84 #include "sunatmpos.h"
85 #include "ppp.h"
86 #include "pcap/sll.h"
87 #include "pcap/ipnet.h"
88 #include "arcnet.h"
89 #ifdef HAVE_NET_PFVAR_H
90 #include <sys/socket.h>
91 #include <net/if.h>
92 #include <net/pfvar.h>
93 #include <net/if_pflog.h>
94 #endif
95 #ifndef offsetof
96 #define offsetof(s, e) ((size_t)&((s *)0)->e)
97 #endif
98 #ifdef INET6
99 #ifndef WIN32
100 #include <netdb.h>	/* for "struct addrinfo" */
101 #endif /* WIN32 */
102 #endif /*INET6*/
103 #include <pcap/namedb.h>
104 
105 #define ETHERMTU	1500
106 
107 #ifndef IPPROTO_SCTP
108 #define IPPROTO_SCTP 132
109 #endif
110 
111 #ifdef HAVE_OS_PROTO_H
112 #include "os-proto.h"
113 #endif
114 
115 #define JMP(c) ((c)|BPF_JMP|BPF_K)
116 
117 /* Locals */
118 static jmp_buf top_ctx;
119 static pcap_t *bpf_pcap;
120 
121 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
122 #ifdef WIN32
123 static u_int	orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
124 #else
125 static u_int	orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
126 #endif
127 
128 /* XXX */
129 #ifdef PCAP_FDDIPAD
130 static int	pcap_fddipad;
131 #endif
132 
133 /* VARARGS */
134 void
135 bpf_error(const char *fmt, ...)
136 {
137 	va_list ap;
138 
139 	va_start(ap, fmt);
140 	if (bpf_pcap != NULL)
141 		(void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
142 		    fmt, ap);
143 	va_end(ap);
144 	longjmp(top_ctx, 1);
145 	/* NOTREACHED */
146 }
147 
148 static void init_linktype(pcap_t *);
149 
150 static void init_regs(void);
151 static int alloc_reg(void);
152 static void free_reg(int);
153 
154 static struct block *root;
155 
156 /*
157  * Value passed to gen_load_a() to indicate what the offset argument
158  * is relative to.
159  */
160 enum e_offrel {
161 	OR_PACKET,	/* relative to the beginning of the packet */
162 	OR_LINK,	/* relative to the beginning of the link-layer header */
163 	OR_MACPL,	/* relative to the end of the MAC-layer header */
164 	OR_NET,		/* relative to the network-layer header */
165 	OR_NET_NOSNAP,	/* relative to the network-layer header, with no SNAP header at the link layer */
166 	OR_TRAN_IPV4,	/* relative to the transport-layer header, with IPv4 network layer */
167 	OR_TRAN_IPV6	/* relative to the transport-layer header, with IPv6 network layer */
168 };
169 
170 #ifdef INET6
171 /*
172  * As errors are handled by a longjmp, anything allocated must be freed
173  * in the longjmp handler, so it must be reachable from that handler.
174  * One thing that's allocated is the result of pcap_nametoaddrinfo();
175  * it must be freed with freeaddrinfo().  This variable points to any
176  * addrinfo structure that would need to be freed.
177  */
178 static struct addrinfo *ai;
179 #endif
180 
181 /*
182  * We divy out chunks of memory rather than call malloc each time so
183  * we don't have to worry about leaking memory.  It's probably
184  * not a big deal if all this memory was wasted but if this ever
185  * goes into a library that would probably not be a good idea.
186  *
187  * XXX - this *is* in a library....
188  */
189 #define NCHUNKS 16
190 #define CHUNK0SIZE 1024
191 struct chunk {
192 	u_int n_left;
193 	void *m;
194 };
195 
196 static struct chunk chunks[NCHUNKS];
197 static int cur_chunk;
198 
199 static void *newchunk(u_int);
200 static void freechunks(void);
201 static inline struct block *new_block(int);
202 static inline struct slist *new_stmt(int);
203 static struct block *gen_retblk(int);
204 static inline void syntax(void);
205 
206 static void backpatch(struct block *, struct block *);
207 static void merge(struct block *, struct block *);
208 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
209 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
210 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
211 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
212 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
213 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
214     bpf_u_int32);
215 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
216 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
217     bpf_u_int32, bpf_u_int32, int, bpf_int32);
218 static struct slist *gen_load_llrel(u_int, u_int);
219 static struct slist *gen_load_macplrel(u_int, u_int);
220 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
221 static struct slist *gen_loadx_iphdrlen(void);
222 static struct block *gen_uncond(int);
223 static inline struct block *gen_true(void);
224 static inline struct block *gen_false(void);
225 static struct block *gen_ether_linktype(int);
226 static struct block *gen_ipnet_linktype(int);
227 static struct block *gen_linux_sll_linktype(int);
228 static struct slist *gen_load_prism_llprefixlen(void);
229 static struct slist *gen_load_avs_llprefixlen(void);
230 static struct slist *gen_load_radiotap_llprefixlen(void);
231 static struct slist *gen_load_ppi_llprefixlen(void);
232 static void insert_compute_vloffsets(struct block *);
233 static struct slist *gen_llprefixlen(void);
234 static struct slist *gen_off_macpl(void);
235 static int ethertype_to_ppptype(int);
236 static struct block *gen_linktype(int);
237 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
238 static struct block *gen_llc_linktype(int);
239 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
240 #ifdef INET6
241 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
242 #endif
243 static struct block *gen_ahostop(const u_char *, int);
244 static struct block *gen_ehostop(const u_char *, int);
245 static struct block *gen_fhostop(const u_char *, int);
246 static struct block *gen_thostop(const u_char *, int);
247 static struct block *gen_wlanhostop(const u_char *, int);
248 static struct block *gen_ipfchostop(const u_char *, int);
249 static struct block *gen_dnhostop(bpf_u_int32, int);
250 static struct block *gen_mpls_linktype(int);
251 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
252 #ifdef INET6
253 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
254 #endif
255 #ifndef INET6
256 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
257 #endif
258 static struct block *gen_ipfrag(void);
259 static struct block *gen_portatom(int, bpf_int32);
260 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
261 #ifdef INET6
262 static struct block *gen_portatom6(int, bpf_int32);
263 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
264 #endif
265 struct block *gen_portop(int, int, int);
266 static struct block *gen_port(int, int, int);
267 struct block *gen_portrangeop(int, int, int, int);
268 static struct block *gen_portrange(int, int, int, int);
269 #ifdef INET6
270 struct block *gen_portop6(int, int, int);
271 static struct block *gen_port6(int, int, int);
272 struct block *gen_portrangeop6(int, int, int, int);
273 static struct block *gen_portrange6(int, int, int, int);
274 #endif
275 static int lookup_proto(const char *, int);
276 static struct block *gen_protochain(int, int, int);
277 static struct block *gen_proto(int, int, int);
278 static struct slist *xfer_to_x(struct arth *);
279 static struct slist *xfer_to_a(struct arth *);
280 static struct block *gen_mac_multicast(int);
281 static struct block *gen_len(int, int);
282 static struct block *gen_check_802_11_data_frame(void);
283 
284 static struct block *gen_ppi_dlt_check(void);
285 static struct block *gen_msg_abbrev(int type);
286 
287 static void *
288 newchunk(n)
289 	u_int n;
290 {
291 	struct chunk *cp;
292 	int k;
293 	size_t size;
294 
295 #ifndef __NetBSD__
296 	/* XXX Round up to nearest long. */
297 	n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
298 #else
299 	/* XXX Round up to structure boundary. */
300 	n = ALIGN(n);
301 #endif
302 
303 	cp = &chunks[cur_chunk];
304 	if (n > cp->n_left) {
305 		++cp, k = ++cur_chunk;
306 		if (k >= NCHUNKS)
307 			bpf_error("out of memory");
308 		size = CHUNK0SIZE << k;
309 		cp->m = (void *)malloc(size);
310 		if (cp->m == NULL)
311 			bpf_error("out of memory");
312 		memset((char *)cp->m, 0, size);
313 		cp->n_left = size;
314 		if (n > size)
315 			bpf_error("out of memory");
316 	}
317 	cp->n_left -= n;
318 	return (void *)((char *)cp->m + cp->n_left);
319 }
320 
321 static void
322 freechunks()
323 {
324 	int i;
325 
326 	cur_chunk = 0;
327 	for (i = 0; i < NCHUNKS; ++i)
328 		if (chunks[i].m != NULL) {
329 			free(chunks[i].m);
330 			chunks[i].m = NULL;
331 		}
332 }
333 
334 /*
335  * A strdup whose allocations are freed after code generation is over.
336  */
337 char *
338 sdup(s)
339 	register const char *s;
340 {
341 	int n = strlen(s) + 1;
342 	char *cp = newchunk(n);
343 
344 	strlcpy(cp, s, n);
345 	return (cp);
346 }
347 
348 static inline struct block *
349 new_block(code)
350 	int code;
351 {
352 	struct block *p;
353 
354 	p = (struct block *)newchunk(sizeof(*p));
355 	p->s.code = code;
356 	p->head = p;
357 
358 	return p;
359 }
360 
361 static inline struct slist *
362 new_stmt(code)
363 	int code;
364 {
365 	struct slist *p;
366 
367 	p = (struct slist *)newchunk(sizeof(*p));
368 	p->s.code = code;
369 
370 	return p;
371 }
372 
373 static struct block *
374 gen_retblk(v)
375 	int v;
376 {
377 	struct block *b = new_block(BPF_RET|BPF_K);
378 
379 	b->s.k = v;
380 	return b;
381 }
382 
383 static inline void
384 syntax()
385 {
386 	bpf_error("syntax error in filter expression");
387 }
388 
389 static bpf_u_int32 netmask;
390 static int snaplen;
391 int no_optimize;
392 #ifdef WIN32
393 static int
394 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
395 	     const char *buf, int optimize, bpf_u_int32 mask);
396 
397 int
398 pcap_compile(pcap_t *p, struct bpf_program *program,
399 	     const char *buf, int optimize, bpf_u_int32 mask)
400 {
401 	int result;
402 
403 	EnterCriticalSection(&g_PcapCompileCriticalSection);
404 
405 	result = pcap_compile_unsafe(p, program, buf, optimize, mask);
406 
407 	LeaveCriticalSection(&g_PcapCompileCriticalSection);
408 
409 	return result;
410 }
411 
412 static int
413 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
414 	     const char *buf, int optimize, bpf_u_int32 mask)
415 #else /* WIN32 */
416 int
417 pcap_compile(pcap_t *p, struct bpf_program *program,
418 	     const char *buf, int optimize, bpf_u_int32 mask)
419 #endif /* WIN32 */
420 {
421 	extern int n_errors;
422 	const char * volatile xbuf = buf;
423 	int len;
424 
425 	no_optimize = 0;
426 	n_errors = 0;
427 	root = NULL;
428 	bpf_pcap = p;
429 	init_regs();
430 	if (setjmp(top_ctx)) {
431 #ifdef INET6
432 		if (ai != NULL) {
433 			freeaddrinfo(ai);
434 			ai = NULL;
435 		}
436 #endif
437 		lex_cleanup();
438 		freechunks();
439 		return (-1);
440 	}
441 
442 	netmask = mask;
443 
444 	snaplen = pcap_snapshot(p);
445 	if (snaplen == 0) {
446 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
447 			 "snaplen of 0 rejects all packets");
448 		return -1;
449 	}
450 
451 	lex_init(xbuf ? xbuf : "");
452 	init_linktype(p);
453 	(void)pcap_parse();
454 
455 	if (n_errors)
456 		syntax();
457 
458 	if (root == NULL)
459 		root = gen_retblk(snaplen);
460 
461 	if (optimize && !no_optimize) {
462 		bpf_optimize(&root);
463 		if (root == NULL ||
464 		    (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
465 			bpf_error("expression rejects all packets");
466 	}
467 	program->bf_insns = icode_to_fcode(root, &len);
468 	program->bf_len = len;
469 
470 	lex_cleanup();
471 	freechunks();
472 	return (0);
473 }
474 
475 /*
476  * entry point for using the compiler with no pcap open
477  * pass in all the stuff that is needed explicitly instead.
478  */
479 int
480 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
481 		    struct bpf_program *program,
482 	     const char *buf, int optimize, bpf_u_int32 mask)
483 {
484 	pcap_t *p;
485 	int ret;
486 
487 	p = pcap_open_dead(linktype_arg, snaplen_arg);
488 	if (p == NULL)
489 		return (-1);
490 	ret = pcap_compile(p, program, buf, optimize, mask);
491 	pcap_close(p);
492 	return (ret);
493 }
494 
495 /*
496  * Clean up a "struct bpf_program" by freeing all the memory allocated
497  * in it.
498  */
499 void
500 pcap_freecode(struct bpf_program *program)
501 {
502 	program->bf_len = 0;
503 	if (program->bf_insns != NULL) {
504 		free((char *)program->bf_insns);
505 		program->bf_insns = NULL;
506 	}
507 }
508 
509 /*
510  * Backpatch the blocks in 'list' to 'target'.  The 'sense' field indicates
511  * which of the jt and jf fields has been resolved and which is a pointer
512  * back to another unresolved block (or nil).  At least one of the fields
513  * in each block is already resolved.
514  */
515 static void
516 backpatch(list, target)
517 	struct block *list, *target;
518 {
519 	struct block *next;
520 
521 	while (list) {
522 		if (!list->sense) {
523 			next = JT(list);
524 			JT(list) = target;
525 		} else {
526 			next = JF(list);
527 			JF(list) = target;
528 		}
529 		list = next;
530 	}
531 }
532 
533 /*
534  * Merge the lists in b0 and b1, using the 'sense' field to indicate
535  * which of jt and jf is the link.
536  */
537 static void
538 merge(b0, b1)
539 	struct block *b0, *b1;
540 {
541 	register struct block **p = &b0;
542 
543 	/* Find end of list. */
544 	while (*p)
545 		p = !((*p)->sense) ? &JT(*p) : &JF(*p);
546 
547 	/* Concatenate the lists. */
548 	*p = b1;
549 }
550 
551 void
552 finish_parse(p)
553 	struct block *p;
554 {
555 	struct block *ppi_dlt_check;
556 
557 	/*
558 	 * Insert before the statements of the first (root) block any
559 	 * statements needed to load the lengths of any variable-length
560 	 * headers into registers.
561 	 *
562 	 * XXX - a fancier strategy would be to insert those before the
563 	 * statements of all blocks that use those lengths and that
564 	 * have no predecessors that use them, so that we only compute
565 	 * the lengths if we need them.  There might be even better
566 	 * approaches than that.
567 	 *
568 	 * However, those strategies would be more complicated, and
569 	 * as we don't generate code to compute a length if the
570 	 * program has no tests that use the length, and as most
571 	 * tests will probably use those lengths, we would just
572 	 * postpone computing the lengths so that it's not done
573 	 * for tests that fail early, and it's not clear that's
574 	 * worth the effort.
575 	 */
576 	insert_compute_vloffsets(p->head);
577 
578 	/*
579 	 * For DLT_PPI captures, generate a check of the per-packet
580 	 * DLT value to make sure it's DLT_IEEE802_11.
581 	 */
582 	ppi_dlt_check = gen_ppi_dlt_check();
583 	if (ppi_dlt_check != NULL)
584 		gen_and(ppi_dlt_check, p);
585 
586 	backpatch(p, gen_retblk(snaplen));
587 	p->sense = !p->sense;
588 	backpatch(p, gen_retblk(0));
589 	root = p->head;
590 }
591 
592 void
593 gen_and(b0, b1)
594 	struct block *b0, *b1;
595 {
596 	backpatch(b0, b1->head);
597 	b0->sense = !b0->sense;
598 	b1->sense = !b1->sense;
599 	merge(b1, b0);
600 	b1->sense = !b1->sense;
601 	b1->head = b0->head;
602 }
603 
604 void
605 gen_or(b0, b1)
606 	struct block *b0, *b1;
607 {
608 	b0->sense = !b0->sense;
609 	backpatch(b0, b1->head);
610 	b0->sense = !b0->sense;
611 	merge(b1, b0);
612 	b1->head = b0->head;
613 }
614 
615 void
616 gen_not(b)
617 	struct block *b;
618 {
619 	b->sense = !b->sense;
620 }
621 
622 static struct block *
623 gen_cmp(offrel, offset, size, v)
624 	enum e_offrel offrel;
625 	u_int offset, size;
626 	bpf_int32 v;
627 {
628 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
629 }
630 
631 static struct block *
632 gen_cmp_gt(offrel, offset, size, v)
633 	enum e_offrel offrel;
634 	u_int offset, size;
635 	bpf_int32 v;
636 {
637 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
638 }
639 
640 static struct block *
641 gen_cmp_ge(offrel, offset, size, v)
642 	enum e_offrel offrel;
643 	u_int offset, size;
644 	bpf_int32 v;
645 {
646 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
647 }
648 
649 static struct block *
650 gen_cmp_lt(offrel, offset, size, v)
651 	enum e_offrel offrel;
652 	u_int offset, size;
653 	bpf_int32 v;
654 {
655 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
656 }
657 
658 static struct block *
659 gen_cmp_le(offrel, offset, size, v)
660 	enum e_offrel offrel;
661 	u_int offset, size;
662 	bpf_int32 v;
663 {
664 	return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
665 }
666 
667 static struct block *
668 gen_mcmp(offrel, offset, size, v, mask)
669 	enum e_offrel offrel;
670 	u_int offset, size;
671 	bpf_int32 v;
672 	bpf_u_int32 mask;
673 {
674 	return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
675 }
676 
677 static struct block *
678 gen_bcmp(offrel, offset, size, v)
679 	enum e_offrel offrel;
680 	register u_int offset, size;
681 	register const u_char *v;
682 {
683 	register struct block *b, *tmp;
684 
685 	b = NULL;
686 	while (size >= 4) {
687 		register const u_char *p = &v[size - 4];
688 		bpf_int32 w = ((bpf_int32)p[0] << 24) |
689 		    ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
690 
691 		tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
692 		if (b != NULL)
693 			gen_and(b, tmp);
694 		b = tmp;
695 		size -= 4;
696 	}
697 	while (size >= 2) {
698 		register const u_char *p = &v[size - 2];
699 		bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
700 
701 		tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
702 		if (b != NULL)
703 			gen_and(b, tmp);
704 		b = tmp;
705 		size -= 2;
706 	}
707 	if (size > 0) {
708 		tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
709 		if (b != NULL)
710 			gen_and(b, tmp);
711 		b = tmp;
712 	}
713 	return b;
714 }
715 
716 /*
717  * AND the field of size "size" at offset "offset" relative to the header
718  * specified by "offrel" with "mask", and compare it with the value "v"
719  * with the test specified by "jtype"; if "reverse" is true, the test
720  * should test the opposite of "jtype".
721  */
722 static struct block *
723 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
724 	enum e_offrel offrel;
725 	bpf_int32 v;
726 	bpf_u_int32 offset, size, mask, jtype;
727 	int reverse;
728 {
729 	struct slist *s, *s2;
730 	struct block *b;
731 
732 	s = gen_load_a(offrel, offset, size);
733 
734 	if (mask != 0xffffffff) {
735 		s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
736 		s2->s.k = mask;
737 		sappend(s, s2);
738 	}
739 
740 	b = new_block(JMP(jtype));
741 	b->stmts = s;
742 	b->s.k = v;
743 	if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
744 		gen_not(b);
745 	return b;
746 }
747 
748 /*
749  * Various code constructs need to know the layout of the data link
750  * layer.  These variables give the necessary offsets from the beginning
751  * of the packet data.
752  */
753 
754 /*
755  * This is the offset of the beginning of the link-layer header from
756  * the beginning of the raw packet data.
757  *
758  * It's usually 0, except for 802.11 with a fixed-length radio header.
759  * (For 802.11 with a variable-length radio header, we have to generate
760  * code to compute that offset; off_ll is 0 in that case.)
761  */
762 static u_int off_ll;
763 
764 /*
765  * If there's a variable-length header preceding the link-layer header,
766  * "reg_off_ll" is the register number for a register containing the
767  * length of that header, and therefore the offset of the link-layer
768  * header from the beginning of the raw packet data.  Otherwise,
769  * "reg_off_ll" is -1.
770  */
771 static int reg_off_ll;
772 
773 /*
774  * This is the offset of the beginning of the MAC-layer header from
775  * the beginning of the link-layer header.
776  * It's usually 0, except for ATM LANE, where it's the offset, relative
777  * to the beginning of the raw packet data, of the Ethernet header.
778  */
779 static u_int off_mac;
780 
781 /*
782  * This is the offset of the beginning of the MAC-layer payload,
783  * from the beginning of the raw packet data.
784  *
785  * I.e., it's the sum of the length of the link-layer header (without,
786  * for example, any 802.2 LLC header, so it's the MAC-layer
787  * portion of that header), plus any prefix preceding the
788  * link-layer header.
789  */
790 static u_int off_macpl;
791 
792 /*
793  * This is 1 if the offset of the beginning of the MAC-layer payload
794  * from the beginning of the link-layer header is variable-length.
795  */
796 static int off_macpl_is_variable;
797 
798 /*
799  * If the link layer has variable_length headers, "reg_off_macpl"
800  * is the register number for a register containing the length of the
801  * link-layer header plus the length of any variable-length header
802  * preceding the link-layer header.  Otherwise, "reg_off_macpl"
803  * is -1.
804  */
805 static int reg_off_macpl;
806 
807 /*
808  * "off_linktype" is the offset to information in the link-layer header
809  * giving the packet type.  This offset is relative to the beginning
810  * of the link-layer header (i.e., it doesn't include off_ll).
811  *
812  * For Ethernet, it's the offset of the Ethernet type field.
813  *
814  * For link-layer types that always use 802.2 headers, it's the
815  * offset of the LLC header.
816  *
817  * For PPP, it's the offset of the PPP type field.
818  *
819  * For Cisco HDLC, it's the offset of the CHDLC type field.
820  *
821  * For BSD loopback, it's the offset of the AF_ value.
822  *
823  * For Linux cooked sockets, it's the offset of the type field.
824  *
825  * It's set to -1 for no encapsulation, in which case, IP is assumed.
826  */
827 static u_int off_linktype;
828 
829 /*
830  * TRUE if "pppoes" appeared in the filter; it causes link-layer type
831  * checks to check the PPP header, assumed to follow a LAN-style link-
832  * layer header and a PPPoE session header.
833  */
834 static int is_pppoes = 0;
835 
836 /*
837  * TRUE if the link layer includes an ATM pseudo-header.
838  */
839 static int is_atm = 0;
840 
841 /*
842  * TRUE if "lane" appeared in the filter; it causes us to generate
843  * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
844  */
845 static int is_lane = 0;
846 
847 /*
848  * These are offsets for the ATM pseudo-header.
849  */
850 static u_int off_vpi;
851 static u_int off_vci;
852 static u_int off_proto;
853 
854 /*
855  * These are offsets for the MTP2 fields.
856  */
857 static u_int off_li;
858 
859 /*
860  * These are offsets for the MTP3 fields.
861  */
862 static u_int off_sio;
863 static u_int off_opc;
864 static u_int off_dpc;
865 static u_int off_sls;
866 
867 /*
868  * This is the offset of the first byte after the ATM pseudo_header,
869  * or -1 if there is no ATM pseudo-header.
870  */
871 static u_int off_payload;
872 
873 /*
874  * These are offsets to the beginning of the network-layer header.
875  * They are relative to the beginning of the MAC-layer payload (i.e.,
876  * they don't include off_ll or off_macpl).
877  *
878  * If the link layer never uses 802.2 LLC:
879  *
880  *	"off_nl" and "off_nl_nosnap" are the same.
881  *
882  * If the link layer always uses 802.2 LLC:
883  *
884  *	"off_nl" is the offset if there's a SNAP header following
885  *	the 802.2 header;
886  *
887  *	"off_nl_nosnap" is the offset if there's no SNAP header.
888  *
889  * If the link layer is Ethernet:
890  *
891  *	"off_nl" is the offset if the packet is an Ethernet II packet
892  *	(we assume no 802.3+802.2+SNAP);
893  *
894  *	"off_nl_nosnap" is the offset if the packet is an 802.3 packet
895  *	with an 802.2 header following it.
896  */
897 static u_int off_nl;
898 static u_int off_nl_nosnap;
899 
900 static int linktype;
901 
902 static void
903 init_linktype(p)
904 	pcap_t *p;
905 {
906 	linktype = pcap_datalink(p);
907 #ifdef PCAP_FDDIPAD
908 	pcap_fddipad = p->fddipad;
909 #endif
910 
911 	/*
912 	 * Assume it's not raw ATM with a pseudo-header, for now.
913 	 */
914 	off_mac = 0;
915 	is_atm = 0;
916 	is_lane = 0;
917 	off_vpi = -1;
918 	off_vci = -1;
919 	off_proto = -1;
920 	off_payload = -1;
921 
922 	/*
923 	 * And that we're not doing PPPoE.
924 	 */
925 	is_pppoes = 0;
926 
927 	/*
928 	 * And assume we're not doing SS7.
929 	 */
930 	off_li = -1;
931 	off_sio = -1;
932 	off_opc = -1;
933 	off_dpc = -1;
934 	off_sls = -1;
935 
936 	/*
937 	 * Also assume it's not 802.11.
938 	 */
939 	off_ll = 0;
940 	off_macpl = 0;
941 	off_macpl_is_variable = 0;
942 
943 	orig_linktype = -1;
944 	orig_nl = -1;
945         label_stack_depth = 0;
946 
947 	reg_off_ll = -1;
948 	reg_off_macpl = -1;
949 
950 	switch (linktype) {
951 
952 	case DLT_ARCNET:
953 		off_linktype = 2;
954 		off_macpl = 6;
955 		off_nl = 0;		/* XXX in reality, variable! */
956 		off_nl_nosnap = 0;	/* no 802.2 LLC */
957 		return;
958 
959 	case DLT_ARCNET_LINUX:
960 		off_linktype = 4;
961 		off_macpl = 8;
962 		off_nl = 0;		/* XXX in reality, variable! */
963 		off_nl_nosnap = 0;	/* no 802.2 LLC */
964 		return;
965 
966 	case DLT_EN10MB:
967 		off_linktype = 12;
968 		off_macpl = 14;		/* Ethernet header length */
969 		off_nl = 0;		/* Ethernet II */
970 		off_nl_nosnap = 3;	/* 802.3+802.2 */
971 		return;
972 
973 	case DLT_SLIP:
974 		/*
975 		 * SLIP doesn't have a link level type.  The 16 byte
976 		 * header is hacked into our SLIP driver.
977 		 */
978 		off_linktype = -1;
979 		off_macpl = 16;
980 		off_nl = 0;
981 		off_nl_nosnap = 0;	/* no 802.2 LLC */
982 		return;
983 
984 	case DLT_SLIP_BSDOS:
985 		/* XXX this may be the same as the DLT_PPP_BSDOS case */
986 		off_linktype = -1;
987 		/* XXX end */
988 		off_macpl = 24;
989 		off_nl = 0;
990 		off_nl_nosnap = 0;	/* no 802.2 LLC */
991 		return;
992 
993 	case DLT_NULL:
994 	case DLT_LOOP:
995 		off_linktype = 0;
996 		off_macpl = 4;
997 		off_nl = 0;
998 		off_nl_nosnap = 0;	/* no 802.2 LLC */
999 		return;
1000 
1001 	case DLT_ENC:
1002 		off_linktype = 0;
1003 		off_macpl = 12;
1004 		off_nl = 0;
1005 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1006 		return;
1007 
1008 	case DLT_PPP:
1009 	case DLT_PPP_PPPD:
1010 	case DLT_C_HDLC:		/* BSD/OS Cisco HDLC */
1011 	case DLT_PPP_SERIAL:		/* NetBSD sync/async serial PPP */
1012 		off_linktype = 2;
1013 		off_macpl = 4;
1014 		off_nl = 0;
1015 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1016 		return;
1017 
1018 	case DLT_PPP_ETHER:
1019 		/*
1020 		 * This does no include the Ethernet header, and
1021 		 * only covers session state.
1022 		 */
1023 		off_linktype = 6;
1024 		off_macpl = 8;
1025 		off_nl = 0;
1026 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1027 		return;
1028 
1029 	case DLT_PPP_BSDOS:
1030 		off_linktype = 5;
1031 		off_macpl = 24;
1032 		off_nl = 0;
1033 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1034 		return;
1035 
1036 	case DLT_FDDI:
1037 		/*
1038 		 * FDDI doesn't really have a link-level type field.
1039 		 * We set "off_linktype" to the offset of the LLC header.
1040 		 *
1041 		 * To check for Ethernet types, we assume that SSAP = SNAP
1042 		 * is being used and pick out the encapsulated Ethernet type.
1043 		 * XXX - should we generate code to check for SNAP?
1044 		 */
1045 		off_linktype = 13;
1046 #ifdef PCAP_FDDIPAD
1047 		off_linktype += pcap_fddipad;
1048 #endif
1049 		off_macpl = 13;		/* FDDI MAC header length */
1050 #ifdef PCAP_FDDIPAD
1051 		off_macpl += pcap_fddipad;
1052 #endif
1053 		off_nl = 8;		/* 802.2+SNAP */
1054 		off_nl_nosnap = 3;	/* 802.2 */
1055 		return;
1056 
1057 	case DLT_IEEE802:
1058 		/*
1059 		 * Token Ring doesn't really have a link-level type field.
1060 		 * We set "off_linktype" to the offset of the LLC header.
1061 		 *
1062 		 * To check for Ethernet types, we assume that SSAP = SNAP
1063 		 * is being used and pick out the encapsulated Ethernet type.
1064 		 * XXX - should we generate code to check for SNAP?
1065 		 *
1066 		 * XXX - the header is actually variable-length.
1067 		 * Some various Linux patched versions gave 38
1068 		 * as "off_linktype" and 40 as "off_nl"; however,
1069 		 * if a token ring packet has *no* routing
1070 		 * information, i.e. is not source-routed, the correct
1071 		 * values are 20 and 22, as they are in the vanilla code.
1072 		 *
1073 		 * A packet is source-routed iff the uppermost bit
1074 		 * of the first byte of the source address, at an
1075 		 * offset of 8, has the uppermost bit set.  If the
1076 		 * packet is source-routed, the total number of bytes
1077 		 * of routing information is 2 plus bits 0x1F00 of
1078 		 * the 16-bit value at an offset of 14 (shifted right
1079 		 * 8 - figure out which byte that is).
1080 		 */
1081 		off_linktype = 14;
1082 		off_macpl = 14;		/* Token Ring MAC header length */
1083 		off_nl = 8;		/* 802.2+SNAP */
1084 		off_nl_nosnap = 3;	/* 802.2 */
1085 		return;
1086 
1087 	case DLT_IEEE802_11:
1088 	case DLT_PRISM_HEADER:
1089 	case DLT_IEEE802_11_RADIO_AVS:
1090 	case DLT_IEEE802_11_RADIO:
1091 		/*
1092 		 * 802.11 doesn't really have a link-level type field.
1093 		 * We set "off_linktype" to the offset of the LLC header.
1094 		 *
1095 		 * To check for Ethernet types, we assume that SSAP = SNAP
1096 		 * is being used and pick out the encapsulated Ethernet type.
1097 		 * XXX - should we generate code to check for SNAP?
1098 		 *
1099 		 * We also handle variable-length radio headers here.
1100 		 * The Prism header is in theory variable-length, but in
1101 		 * practice it's always 144 bytes long.  However, some
1102 		 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1103 		 * sometimes or always supply an AVS header, so we
1104 		 * have to check whether the radio header is a Prism
1105 		 * header or an AVS header, so, in practice, it's
1106 		 * variable-length.
1107 		 */
1108 		off_linktype = 24;
1109 		off_macpl = 0;		/* link-layer header is variable-length */
1110 		off_macpl_is_variable = 1;
1111 		off_nl = 8;		/* 802.2+SNAP */
1112 		off_nl_nosnap = 3;	/* 802.2 */
1113 		return;
1114 
1115 	case DLT_PPI:
1116 		/*
1117 		 * At the moment we treat PPI the same way that we treat
1118 		 * normal Radiotap encoded packets. The difference is in
1119 		 * the function that generates the code at the beginning
1120 		 * to compute the header length.  Since this code generator
1121 		 * of PPI supports bare 802.11 encapsulation only (i.e.
1122 		 * the encapsulated DLT should be DLT_IEEE802_11) we
1123 		 * generate code to check for this too.
1124 		 */
1125 		off_linktype = 24;
1126 		off_macpl = 0;		/* link-layer header is variable-length */
1127 		off_macpl_is_variable = 1;
1128 		off_nl = 8;		/* 802.2+SNAP */
1129 		off_nl_nosnap = 3;	/* 802.2 */
1130 		return;
1131 
1132 	case DLT_ATM_RFC1483:
1133 	case DLT_ATM_CLIP:	/* Linux ATM defines this */
1134 		/*
1135 		 * assume routed, non-ISO PDUs
1136 		 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1137 		 *
1138 		 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1139 		 * or PPP with the PPP NLPID (e.g., PPPoA)?  The
1140 		 * latter would presumably be treated the way PPPoE
1141 		 * should be, so you can do "pppoe and udp port 2049"
1142 		 * or "pppoa and tcp port 80" and have it check for
1143 		 * PPPo{A,E} and a PPP protocol of IP and....
1144 		 */
1145 		off_linktype = 0;
1146 		off_macpl = 0;		/* packet begins with LLC header */
1147 		off_nl = 8;		/* 802.2+SNAP */
1148 		off_nl_nosnap = 3;	/* 802.2 */
1149 		return;
1150 
1151 	case DLT_SUNATM:
1152 		/*
1153 		 * Full Frontal ATM; you get AALn PDUs with an ATM
1154 		 * pseudo-header.
1155 		 */
1156 		is_atm = 1;
1157 		off_vpi = SUNATM_VPI_POS;
1158 		off_vci = SUNATM_VCI_POS;
1159 		off_proto = PROTO_POS;
1160 		off_mac = -1;	/* assume LLC-encapsulated, so no MAC-layer header */
1161 		off_payload = SUNATM_PKT_BEGIN_POS;
1162 		off_linktype = off_payload;
1163 		off_macpl = off_payload;	/* if LLC-encapsulated */
1164 		off_nl = 8;		/* 802.2+SNAP */
1165 		off_nl_nosnap = 3;	/* 802.2 */
1166 		return;
1167 
1168 	case DLT_RAW:
1169 	case DLT_IPV4:
1170 	case DLT_IPV6:
1171 		off_linktype = -1;
1172 		off_macpl = 0;
1173 		off_nl = 0;
1174 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1175 		return;
1176 
1177 	case DLT_LINUX_SLL:	/* fake header for Linux cooked socket */
1178 		off_linktype = 14;
1179 		off_macpl = 16;
1180 		off_nl = 0;
1181 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1182 		return;
1183 
1184 	case DLT_LTALK:
1185 		/*
1186 		 * LocalTalk does have a 1-byte type field in the LLAP header,
1187 		 * but really it just indicates whether there is a "short" or
1188 		 * "long" DDP packet following.
1189 		 */
1190 		off_linktype = -1;
1191 		off_macpl = 0;
1192 		off_nl = 0;
1193 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1194 		return;
1195 
1196 	case DLT_IP_OVER_FC:
1197 		/*
1198 		 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1199 		 * link-level type field.  We set "off_linktype" to the
1200 		 * offset of the LLC header.
1201 		 *
1202 		 * To check for Ethernet types, we assume that SSAP = SNAP
1203 		 * is being used and pick out the encapsulated Ethernet type.
1204 		 * XXX - should we generate code to check for SNAP? RFC
1205 		 * 2625 says SNAP should be used.
1206 		 */
1207 		off_linktype = 16;
1208 		off_macpl = 16;
1209 		off_nl = 8;		/* 802.2+SNAP */
1210 		off_nl_nosnap = 3;	/* 802.2 */
1211 		return;
1212 
1213 	case DLT_FRELAY:
1214 		/*
1215 		 * XXX - we should set this to handle SNAP-encapsulated
1216 		 * frames (NLPID of 0x80).
1217 		 */
1218 		off_linktype = -1;
1219 		off_macpl = 0;
1220 		off_nl = 0;
1221 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1222 		return;
1223 
1224                 /*
1225                  * the only BPF-interesting FRF.16 frames are non-control frames;
1226                  * Frame Relay has a variable length link-layer
1227                  * so lets start with offset 4 for now and increments later on (FIXME);
1228                  */
1229 	case DLT_MFR:
1230 		off_linktype = -1;
1231 		off_macpl = 0;
1232 		off_nl = 4;
1233 		off_nl_nosnap = 0;	/* XXX - for now -> no 802.2 LLC */
1234 		return;
1235 
1236 	case DLT_APPLE_IP_OVER_IEEE1394:
1237 		off_linktype = 16;
1238 		off_macpl = 18;
1239 		off_nl = 0;
1240 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1241 		return;
1242 
1243 	case DLT_LINUX_IRDA:
1244 		/*
1245 		 * Currently, only raw "link[N:M]" filtering is supported.
1246 		 */
1247 		off_linktype = -1;
1248 		off_macpl = -1;
1249 		off_nl = -1;
1250 		off_nl_nosnap = -1;
1251 		return;
1252 
1253 	case DLT_DOCSIS:
1254 		/*
1255 		 * Currently, only raw "link[N:M]" filtering is supported.
1256 		 */
1257 		off_linktype = -1;
1258 		off_macpl = -1;
1259 		off_nl = -1;
1260 		off_nl_nosnap = -1;
1261 		return;
1262 
1263 	case DLT_SYMANTEC_FIREWALL:
1264 		off_linktype = 6;
1265 		off_macpl = 44;
1266 		off_nl = 0;		/* Ethernet II */
1267 		off_nl_nosnap = 0;	/* XXX - what does it do with 802.3 packets? */
1268 		return;
1269 
1270 #ifdef HAVE_NET_PFVAR_H
1271 	case DLT_PFLOG:
1272 		off_linktype = 0;
1273 		off_macpl = PFLOG_HDRLEN;
1274 		off_nl = 0;
1275 		off_nl_nosnap = 0;	/* no 802.2 LLC */
1276 		return;
1277 #endif
1278 
1279         case DLT_JUNIPER_MFR:
1280         case DLT_JUNIPER_MLFR:
1281         case DLT_JUNIPER_MLPPP:
1282         case DLT_JUNIPER_PPP:
1283         case DLT_JUNIPER_CHDLC:
1284         case DLT_JUNIPER_FRELAY:
1285                 off_linktype = 4;
1286 		off_macpl = 4;
1287 		off_nl = 0;
1288 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1289                 return;
1290 
1291 	case DLT_JUNIPER_ATM1:
1292 		off_linktype = 4;	/* in reality variable between 4-8 */
1293 		off_macpl = 4;	/* in reality variable between 4-8 */
1294 		off_nl = 0;
1295 		off_nl_nosnap = 10;
1296 		return;
1297 
1298 	case DLT_JUNIPER_ATM2:
1299 		off_linktype = 8;	/* in reality variable between 8-12 */
1300 		off_macpl = 8;	/* in reality variable between 8-12 */
1301 		off_nl = 0;
1302 		off_nl_nosnap = 10;
1303 		return;
1304 
1305 		/* frames captured on a Juniper PPPoE service PIC
1306 		 * contain raw ethernet frames */
1307 	case DLT_JUNIPER_PPPOE:
1308         case DLT_JUNIPER_ETHER:
1309         	off_macpl = 14;
1310 		off_linktype = 16;
1311 		off_nl = 18;		/* Ethernet II */
1312 		off_nl_nosnap = 21;	/* 802.3+802.2 */
1313 		return;
1314 
1315 	case DLT_JUNIPER_PPPOE_ATM:
1316 		off_linktype = 4;
1317 		off_macpl = 6;
1318 		off_nl = 0;
1319 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1320 		return;
1321 
1322 	case DLT_JUNIPER_GGSN:
1323 		off_linktype = 6;
1324 		off_macpl = 12;
1325 		off_nl = 0;
1326 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1327 		return;
1328 
1329 	case DLT_JUNIPER_ES:
1330 		off_linktype = 6;
1331 		off_macpl = -1;		/* not really a network layer but raw IP addresses */
1332 		off_nl = -1;		/* not really a network layer but raw IP addresses */
1333 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1334 		return;
1335 
1336 	case DLT_JUNIPER_MONITOR:
1337 		off_linktype = 12;
1338 		off_macpl = 12;
1339 		off_nl = 0;		/* raw IP/IP6 header */
1340 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1341 		return;
1342 
1343 	case DLT_JUNIPER_SERVICES:
1344 		off_linktype = 12;
1345 		off_macpl = -1;		/* L3 proto location dep. on cookie type */
1346 		off_nl = -1;		/* L3 proto location dep. on cookie type */
1347 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1348 		return;
1349 
1350 	case DLT_JUNIPER_VP:
1351 		off_linktype = 18;
1352 		off_macpl = -1;
1353 		off_nl = -1;
1354 		off_nl_nosnap = -1;
1355 		return;
1356 
1357 	case DLT_JUNIPER_ST:
1358 		off_linktype = 18;
1359 		off_macpl = -1;
1360 		off_nl = -1;
1361 		off_nl_nosnap = -1;
1362 		return;
1363 
1364 	case DLT_JUNIPER_ISM:
1365 		off_linktype = 8;
1366 		off_macpl = -1;
1367 		off_nl = -1;
1368 		off_nl_nosnap = -1;
1369 		return;
1370 
1371 	case DLT_MTP2:
1372 		off_li = 2;
1373 		off_sio = 3;
1374 		off_opc = 4;
1375 		off_dpc = 4;
1376 		off_sls = 7;
1377 		off_linktype = -1;
1378 		off_macpl = -1;
1379 		off_nl = -1;
1380 		off_nl_nosnap = -1;
1381 		return;
1382 
1383 	case DLT_MTP2_WITH_PHDR:
1384 		off_li = 6;
1385 		off_sio = 7;
1386 		off_opc = 8;
1387 		off_dpc = 8;
1388 		off_sls = 11;
1389 		off_linktype = -1;
1390 		off_macpl = -1;
1391 		off_nl = -1;
1392 		off_nl_nosnap = -1;
1393 		return;
1394 
1395 	case DLT_ERF:
1396 		off_li = 22;
1397 		off_sio = 23;
1398 		off_opc = 24;
1399 		off_dpc = 24;
1400 		off_sls = 27;
1401 		off_linktype = -1;
1402 		off_macpl = -1;
1403 		off_nl = -1;
1404 		off_nl_nosnap = -1;
1405 		return;
1406 
1407 #ifdef DLT_PFSYNC
1408 	case DLT_PFSYNC:
1409 		off_linktype = -1;
1410 		off_macpl = 4;
1411 		off_nl = 0;
1412 		off_nl_nosnap = 0;
1413 		return;
1414 #endif
1415 
1416 	case DLT_LINUX_LAPD:
1417 		/*
1418 		 * Currently, only raw "link[N:M]" filtering is supported.
1419 		 */
1420 		off_linktype = -1;
1421 		off_macpl = -1;
1422 		off_nl = -1;
1423 		off_nl_nosnap = -1;
1424 		return;
1425 
1426 	case DLT_USB:
1427 		/*
1428 		 * Currently, only raw "link[N:M]" filtering is supported.
1429 		 */
1430 		off_linktype = -1;
1431 		off_macpl = -1;
1432 		off_nl = -1;
1433 		off_nl_nosnap = -1;
1434 		return;
1435 
1436 	case DLT_BLUETOOTH_HCI_H4:
1437 		/*
1438 		 * Currently, only raw "link[N:M]" filtering is supported.
1439 		 */
1440 		off_linktype = -1;
1441 		off_macpl = -1;
1442 		off_nl = -1;
1443 		off_nl_nosnap = -1;
1444 		return;
1445 
1446 	case DLT_USB_LINUX:
1447 		/*
1448 		 * Currently, only raw "link[N:M]" filtering is supported.
1449 		 */
1450 		off_linktype = -1;
1451 		off_macpl = -1;
1452 		off_nl = -1;
1453 		off_nl_nosnap = -1;
1454 		return;
1455 
1456 	case DLT_CAN20B:
1457 		/*
1458 		 * Currently, only raw "link[N:M]" filtering is supported.
1459 		 */
1460 		off_linktype = -1;
1461 		off_macpl = -1;
1462 		off_nl = -1;
1463 		off_nl_nosnap = -1;
1464 		return;
1465 
1466 	case DLT_IEEE802_15_4_LINUX:
1467 		/*
1468 		 * Currently, only raw "link[N:M]" filtering is supported.
1469 		 */
1470 		off_linktype = -1;
1471 		off_macpl = -1;
1472 		off_nl = -1;
1473 		off_nl_nosnap = -1;
1474 		return;
1475 
1476 	case DLT_IEEE802_16_MAC_CPS_RADIO:
1477 		/*
1478 		 * Currently, only raw "link[N:M]" filtering is supported.
1479 		 */
1480 		off_linktype = -1;
1481 		off_macpl = -1;
1482 		off_nl = -1;
1483 		off_nl_nosnap = -1;
1484 		return;
1485 
1486 	case DLT_IEEE802_15_4:
1487 		/*
1488 		 * Currently, only raw "link[N:M]" filtering is supported.
1489 		 */
1490 		off_linktype = -1;
1491 		off_macpl = -1;
1492 		off_nl = -1;
1493 		off_nl_nosnap = -1;
1494 		return;
1495 
1496 	case DLT_SITA:
1497 		/*
1498 		 * Currently, only raw "link[N:M]" filtering is supported.
1499 		 */
1500 		off_linktype = -1;
1501 		off_macpl = -1;
1502 		off_nl = -1;
1503 		off_nl_nosnap = -1;
1504 		return;
1505 
1506 	case DLT_RAIF1:
1507 		/*
1508 		 * Currently, only raw "link[N:M]" filtering is supported.
1509 		 */
1510 		off_linktype = -1;
1511 		off_macpl = -1;
1512 		off_nl = -1;
1513 		off_nl_nosnap = -1;
1514 		return;
1515 
1516 	case DLT_IPMB:
1517 		/*
1518 		 * Currently, only raw "link[N:M]" filtering is supported.
1519 		 */
1520 		off_linktype = -1;
1521 		off_macpl = -1;
1522 		off_nl = -1;
1523 		off_nl_nosnap = -1;
1524 		return;
1525 
1526 	case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1527 		/*
1528 		 * Currently, only raw "link[N:M]" filtering is supported.
1529 		 */
1530 		off_linktype = -1;
1531 		off_macpl = -1;
1532 		off_nl = -1;
1533 		off_nl_nosnap = -1;
1534 		return;
1535 
1536 	case DLT_AX25_KISS:
1537 		/*
1538 		 * Currently, only raw "link[N:M]" filtering is supported.
1539 		 */
1540 		off_linktype = -1;	/* variable, min 15, max 71 steps of 7 */
1541 		off_macpl = -1;
1542 		off_nl = -1;		/* variable, min 16, max 71 steps of 7 */
1543 		off_nl_nosnap = -1;	/* no 802.2 LLC */
1544 		off_mac = 1;		/* step over the kiss length byte */
1545 		return;
1546 
1547 	case DLT_IEEE802_15_4_NONASK_PHY:
1548 		/*
1549 		 * Currently, only raw "link[N:M]" filtering is supported.
1550 		 */
1551 		off_linktype = -1;
1552 		off_macpl = -1;
1553 		off_nl = -1;
1554 		off_nl_nosnap = -1;
1555 		return;
1556 
1557 	case DLT_MPLS:
1558 		/*
1559 		 * Currently, only raw "link[N:M]" filtering is supported.
1560 		 */
1561 		off_linktype = -1;
1562 		off_macpl = -1;
1563 		off_nl = -1;
1564 		off_nl_nosnap = -1;
1565 		return;
1566 
1567 	case DLT_USB_LINUX_MMAPPED:
1568 		/*
1569 		 * Currently, only raw "link[N:M]" filtering is supported.
1570 		 */
1571 		off_linktype = -1;
1572 		off_macpl = -1;
1573 		off_nl = -1;
1574 		off_nl_nosnap = -1;
1575 		return;
1576 
1577 	case DLT_CAN_SOCKETCAN:
1578 		/*
1579 		 * Currently, only raw "link[N:M]" filtering is supported.
1580 		 */
1581 		off_linktype = -1;
1582 		off_macpl = -1;
1583 		off_nl = -1;
1584 		off_nl_nosnap = -1;
1585 		return;
1586 
1587 	case DLT_IPNET:
1588 		off_linktype = 1;
1589 		off_macpl = 24;		/* ipnet header length */
1590 		off_nl = 0;
1591 		off_nl_nosnap = -1;
1592 		return;
1593 	}
1594 	bpf_error("unknown data link type %d", linktype);
1595 	/* NOTREACHED */
1596 }
1597 
1598 /*
1599  * Load a value relative to the beginning of the link-layer header.
1600  * The link-layer header doesn't necessarily begin at the beginning
1601  * of the packet data; there might be a variable-length prefix containing
1602  * radio information.
1603  */
1604 static struct slist *
1605 gen_load_llrel(offset, size)
1606 	u_int offset, size;
1607 {
1608 	struct slist *s, *s2;
1609 
1610 	s = gen_llprefixlen();
1611 
1612 	/*
1613 	 * If "s" is non-null, it has code to arrange that the X register
1614 	 * contains the length of the prefix preceding the link-layer
1615 	 * header.
1616 	 *
1617 	 * Otherwise, the length of the prefix preceding the link-layer
1618 	 * header is "off_ll".
1619 	 */
1620 	if (s != NULL) {
1621 		/*
1622 		 * There's a variable-length prefix preceding the
1623 		 * link-layer header.  "s" points to a list of statements
1624 		 * that put the length of that prefix into the X register.
1625 		 * do an indirect load, to use the X register as an offset.
1626 		 */
1627 		s2 = new_stmt(BPF_LD|BPF_IND|size);
1628 		s2->s.k = offset;
1629 		sappend(s, s2);
1630 	} else {
1631 		/*
1632 		 * There is no variable-length header preceding the
1633 		 * link-layer header; add in off_ll, which, if there's
1634 		 * a fixed-length header preceding the link-layer header,
1635 		 * is the length of that header.
1636 		 */
1637 		s = new_stmt(BPF_LD|BPF_ABS|size);
1638 		s->s.k = offset + off_ll;
1639 	}
1640 	return s;
1641 }
1642 
1643 /*
1644  * Load a value relative to the beginning of the MAC-layer payload.
1645  */
1646 static struct slist *
1647 gen_load_macplrel(offset, size)
1648 	u_int offset, size;
1649 {
1650 	struct slist *s, *s2;
1651 
1652 	s = gen_off_macpl();
1653 
1654 	/*
1655 	 * If s is non-null, the offset of the MAC-layer payload is
1656 	 * variable, and s points to a list of instructions that
1657 	 * arrange that the X register contains that offset.
1658 	 *
1659 	 * Otherwise, the offset of the MAC-layer payload is constant,
1660 	 * and is in off_macpl.
1661 	 */
1662 	if (s != NULL) {
1663 		/*
1664 		 * The offset of the MAC-layer payload is in the X
1665 		 * register.  Do an indirect load, to use the X register
1666 		 * as an offset.
1667 		 */
1668 		s2 = new_stmt(BPF_LD|BPF_IND|size);
1669 		s2->s.k = offset;
1670 		sappend(s, s2);
1671 	} else {
1672 		/*
1673 		 * The offset of the MAC-layer payload is constant,
1674 		 * and is in off_macpl; load the value at that offset
1675 		 * plus the specified offset.
1676 		 */
1677 		s = new_stmt(BPF_LD|BPF_ABS|size);
1678 		s->s.k = off_macpl + offset;
1679 	}
1680 	return s;
1681 }
1682 
1683 /*
1684  * Load a value relative to the beginning of the specified header.
1685  */
1686 static struct slist *
1687 gen_load_a(offrel, offset, size)
1688 	enum e_offrel offrel;
1689 	u_int offset, size;
1690 {
1691 	struct slist *s, *s2;
1692 
1693 	switch (offrel) {
1694 
1695 	case OR_PACKET:
1696                 s = new_stmt(BPF_LD|BPF_ABS|size);
1697                 s->s.k = offset;
1698 		break;
1699 
1700 	case OR_LINK:
1701 		s = gen_load_llrel(offset, size);
1702 		break;
1703 
1704 	case OR_MACPL:
1705 		s = gen_load_macplrel(offset, size);
1706 		break;
1707 
1708 	case OR_NET:
1709 		s = gen_load_macplrel(off_nl + offset, size);
1710 		break;
1711 
1712 	case OR_NET_NOSNAP:
1713 		s = gen_load_macplrel(off_nl_nosnap + offset, size);
1714 		break;
1715 
1716 	case OR_TRAN_IPV4:
1717 		/*
1718 		 * Load the X register with the length of the IPv4 header
1719 		 * (plus the offset of the link-layer header, if it's
1720 		 * preceded by a variable-length header such as a radio
1721 		 * header), in bytes.
1722 		 */
1723 		s = gen_loadx_iphdrlen();
1724 
1725 		/*
1726 		 * Load the item at {offset of the MAC-layer payload} +
1727 		 * {offset, relative to the start of the MAC-layer
1728 		 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1729 		 * {specified offset}.
1730 		 *
1731 		 * (If the offset of the MAC-layer payload is variable,
1732 		 * it's included in the value in the X register, and
1733 		 * off_macpl is 0.)
1734 		 */
1735 		s2 = new_stmt(BPF_LD|BPF_IND|size);
1736 		s2->s.k = off_macpl + off_nl + offset;
1737 		sappend(s, s2);
1738 		break;
1739 
1740 	case OR_TRAN_IPV6:
1741 		s = gen_load_macplrel(off_nl + 40 + offset, size);
1742 		break;
1743 
1744 	default:
1745 		abort();
1746 		return NULL;
1747 	}
1748 	return s;
1749 }
1750 
1751 /*
1752  * Generate code to load into the X register the sum of the length of
1753  * the IPv4 header and any variable-length header preceding the link-layer
1754  * header.
1755  */
1756 static struct slist *
1757 gen_loadx_iphdrlen()
1758 {
1759 	struct slist *s, *s2;
1760 
1761 	s = gen_off_macpl();
1762 	if (s != NULL) {
1763 		/*
1764 		 * There's a variable-length prefix preceding the
1765 		 * link-layer header, or the link-layer header is itself
1766 		 * variable-length.  "s" points to a list of statements
1767 		 * that put the offset of the MAC-layer payload into
1768 		 * the X register.
1769 		 *
1770 		 * The 4*([k]&0xf) addressing mode can't be used, as we
1771 		 * don't have a constant offset, so we have to load the
1772 		 * value in question into the A register and add to it
1773 		 * the value from the X register.
1774 		 */
1775 		s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1776 		s2->s.k = off_nl;
1777 		sappend(s, s2);
1778 		s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1779 		s2->s.k = 0xf;
1780 		sappend(s, s2);
1781 		s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1782 		s2->s.k = 2;
1783 		sappend(s, s2);
1784 
1785 		/*
1786 		 * The A register now contains the length of the
1787 		 * IP header.  We need to add to it the offset of
1788 		 * the MAC-layer payload, which is still in the X
1789 		 * register, and move the result into the X register.
1790 		 */
1791 		sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1792 		sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1793 	} else {
1794 		/*
1795 		 * There is no variable-length header preceding the
1796 		 * link-layer header, and the link-layer header is
1797 		 * fixed-length; load the length of the IPv4 header,
1798 		 * which is at an offset of off_nl from the beginning
1799 		 * of the MAC-layer payload, and thus at an offset
1800 		 * of off_mac_pl + off_nl from the beginning of the
1801 		 * raw packet data.
1802 		 */
1803 		s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1804 		s->s.k = off_macpl + off_nl;
1805 	}
1806 	return s;
1807 }
1808 
1809 static struct block *
1810 gen_uncond(rsense)
1811 	int rsense;
1812 {
1813 	struct block *b;
1814 	struct slist *s;
1815 
1816 	s = new_stmt(BPF_LD|BPF_IMM);
1817 	s->s.k = !rsense;
1818 	b = new_block(JMP(BPF_JEQ));
1819 	b->stmts = s;
1820 
1821 	return b;
1822 }
1823 
1824 static inline struct block *
1825 gen_true()
1826 {
1827 	return gen_uncond(1);
1828 }
1829 
1830 static inline struct block *
1831 gen_false()
1832 {
1833 	return gen_uncond(0);
1834 }
1835 
1836 /*
1837  * Byte-swap a 32-bit number.
1838  * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1839  * big-endian platforms.)
1840  */
1841 #define	SWAPLONG(y) \
1842 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1843 
1844 /*
1845  * Generate code to match a particular packet type.
1846  *
1847  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1848  * value, if <= ETHERMTU.  We use that to determine whether to
1849  * match the type/length field or to check the type/length field for
1850  * a value <= ETHERMTU to see whether it's a type field and then do
1851  * the appropriate test.
1852  */
1853 static struct block *
1854 gen_ether_linktype(proto)
1855 	register int proto;
1856 {
1857 	struct block *b0, *b1;
1858 
1859 	switch (proto) {
1860 
1861 	case LLCSAP_ISONS:
1862 	case LLCSAP_IP:
1863 	case LLCSAP_NETBEUI:
1864 		/*
1865 		 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1866 		 * so we check the DSAP and SSAP.
1867 		 *
1868 		 * LLCSAP_IP checks for IP-over-802.2, rather
1869 		 * than IP-over-Ethernet or IP-over-SNAP.
1870 		 *
1871 		 * XXX - should we check both the DSAP and the
1872 		 * SSAP, like this, or should we check just the
1873 		 * DSAP, as we do for other types <= ETHERMTU
1874 		 * (i.e., other SAP values)?
1875 		 */
1876 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1877 		gen_not(b0);
1878 		b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1879 			     ((proto << 8) | proto));
1880 		gen_and(b0, b1);
1881 		return b1;
1882 
1883 	case LLCSAP_IPX:
1884 		/*
1885 		 * Check for;
1886 		 *
1887 		 *	Ethernet_II frames, which are Ethernet
1888 		 *	frames with a frame type of ETHERTYPE_IPX;
1889 		 *
1890 		 *	Ethernet_802.3 frames, which are 802.3
1891 		 *	frames (i.e., the type/length field is
1892 		 *	a length field, <= ETHERMTU, rather than
1893 		 *	a type field) with the first two bytes
1894 		 *	after the Ethernet/802.3 header being
1895 		 *	0xFFFF;
1896 		 *
1897 		 *	Ethernet_802.2 frames, which are 802.3
1898 		 *	frames with an 802.2 LLC header and
1899 		 *	with the IPX LSAP as the DSAP in the LLC
1900 		 *	header;
1901 		 *
1902 		 *	Ethernet_SNAP frames, which are 802.3
1903 		 *	frames with an LLC header and a SNAP
1904 		 *	header and with an OUI of 0x000000
1905 		 *	(encapsulated Ethernet) and a protocol
1906 		 *	ID of ETHERTYPE_IPX in the SNAP header.
1907 		 *
1908 		 * XXX - should we generate the same code both
1909 		 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1910 		 */
1911 
1912 		/*
1913 		 * This generates code to check both for the
1914 		 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1915 		 */
1916 		b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1917 		b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1918 		gen_or(b0, b1);
1919 
1920 		/*
1921 		 * Now we add code to check for SNAP frames with
1922 		 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1923 		 */
1924 		b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1925 		gen_or(b0, b1);
1926 
1927 		/*
1928 		 * Now we generate code to check for 802.3
1929 		 * frames in general.
1930 		 */
1931 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1932 		gen_not(b0);
1933 
1934 		/*
1935 		 * Now add the check for 802.3 frames before the
1936 		 * check for Ethernet_802.2 and Ethernet_802.3,
1937 		 * as those checks should only be done on 802.3
1938 		 * frames, not on Ethernet frames.
1939 		 */
1940 		gen_and(b0, b1);
1941 
1942 		/*
1943 		 * Now add the check for Ethernet_II frames, and
1944 		 * do that before checking for the other frame
1945 		 * types.
1946 		 */
1947 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1948 		    (bpf_int32)ETHERTYPE_IPX);
1949 		gen_or(b0, b1);
1950 		return b1;
1951 
1952 	case ETHERTYPE_ATALK:
1953 	case ETHERTYPE_AARP:
1954 		/*
1955 		 * EtherTalk (AppleTalk protocols on Ethernet link
1956 		 * layer) may use 802.2 encapsulation.
1957 		 */
1958 
1959 		/*
1960 		 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1961 		 * we check for an Ethernet type field less than
1962 		 * 1500, which means it's an 802.3 length field.
1963 		 */
1964 		b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1965 		gen_not(b0);
1966 
1967 		/*
1968 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1969 		 * SNAP packets with an organization code of
1970 		 * 0x080007 (Apple, for Appletalk) and a protocol
1971 		 * type of ETHERTYPE_ATALK (Appletalk).
1972 		 *
1973 		 * 802.2-encapsulated ETHERTYPE_AARP packets are
1974 		 * SNAP packets with an organization code of
1975 		 * 0x000000 (encapsulated Ethernet) and a protocol
1976 		 * type of ETHERTYPE_AARP (Appletalk ARP).
1977 		 */
1978 		if (proto == ETHERTYPE_ATALK)
1979 			b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1980 		else	/* proto == ETHERTYPE_AARP */
1981 			b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1982 		gen_and(b0, b1);
1983 
1984 		/*
1985 		 * Check for Ethernet encapsulation (Ethertalk
1986 		 * phase 1?); we just check for the Ethernet
1987 		 * protocol type.
1988 		 */
1989 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1990 
1991 		gen_or(b0, b1);
1992 		return b1;
1993 
1994 	default:
1995 		if (proto <= ETHERMTU) {
1996 			/*
1997 			 * This is an LLC SAP value, so the frames
1998 			 * that match would be 802.2 frames.
1999 			 * Check that the frame is an 802.2 frame
2000 			 * (i.e., that the length/type field is
2001 			 * a length field, <= ETHERMTU) and
2002 			 * then check the DSAP.
2003 			 */
2004 			b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
2005 			gen_not(b0);
2006 			b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
2007 			    (bpf_int32)proto);
2008 			gen_and(b0, b1);
2009 			return b1;
2010 		} else {
2011 			/*
2012 			 * This is an Ethernet type, so compare
2013 			 * the length/type field with it (if
2014 			 * the frame is an 802.2 frame, the length
2015 			 * field will be <= ETHERMTU, and, as
2016 			 * "proto" is > ETHERMTU, this test
2017 			 * will fail and the frame won't match,
2018 			 * which is what we want).
2019 			 */
2020 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
2021 			    (bpf_int32)proto);
2022 		}
2023 	}
2024 }
2025 
2026 /*
2027  * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2028  * or IPv6 then we have an error.
2029  */
2030 static struct block *
2031 gen_ipnet_linktype(proto)
2032 	register int proto;
2033 {
2034 	switch (proto) {
2035 
2036 	case ETHERTYPE_IP:
2037 		return gen_cmp(OR_LINK, off_linktype, BPF_B,
2038 		    (bpf_int32)IPH_AF_INET);
2039 		/* NOTREACHED */
2040 
2041 	case ETHERTYPE_IPV6:
2042 		return gen_cmp(OR_LINK, off_linktype, BPF_B,
2043 		    (bpf_int32)IPH_AF_INET6);
2044 		/* NOTREACHED */
2045 
2046 	default:
2047 		break;
2048 	}
2049 
2050 	return gen_false();
2051 }
2052 
2053 /*
2054  * Generate code to match a particular packet type.
2055  *
2056  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2057  * value, if <= ETHERMTU.  We use that to determine whether to
2058  * match the type field or to check the type field for the special
2059  * LINUX_SLL_P_802_2 value and then do the appropriate test.
2060  */
2061 static struct block *
2062 gen_linux_sll_linktype(proto)
2063 	register int proto;
2064 {
2065 	struct block *b0, *b1;
2066 
2067 	switch (proto) {
2068 
2069 	case LLCSAP_ISONS:
2070 	case LLCSAP_IP:
2071 	case LLCSAP_NETBEUI:
2072 		/*
2073 		 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2074 		 * so we check the DSAP and SSAP.
2075 		 *
2076 		 * LLCSAP_IP checks for IP-over-802.2, rather
2077 		 * than IP-over-Ethernet or IP-over-SNAP.
2078 		 *
2079 		 * XXX - should we check both the DSAP and the
2080 		 * SSAP, like this, or should we check just the
2081 		 * DSAP, as we do for other types <= ETHERMTU
2082 		 * (i.e., other SAP values)?
2083 		 */
2084 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2085 		b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
2086 			     ((proto << 8) | proto));
2087 		gen_and(b0, b1);
2088 		return b1;
2089 
2090 	case LLCSAP_IPX:
2091 		/*
2092 		 *	Ethernet_II frames, which are Ethernet
2093 		 *	frames with a frame type of ETHERTYPE_IPX;
2094 		 *
2095 		 *	Ethernet_802.3 frames, which have a frame
2096 		 *	type of LINUX_SLL_P_802_3;
2097 		 *
2098 		 *	Ethernet_802.2 frames, which are 802.3
2099 		 *	frames with an 802.2 LLC header (i.e, have
2100 		 *	a frame type of LINUX_SLL_P_802_2) and
2101 		 *	with the IPX LSAP as the DSAP in the LLC
2102 		 *	header;
2103 		 *
2104 		 *	Ethernet_SNAP frames, which are 802.3
2105 		 *	frames with an LLC header and a SNAP
2106 		 *	header and with an OUI of 0x000000
2107 		 *	(encapsulated Ethernet) and a protocol
2108 		 *	ID of ETHERTYPE_IPX in the SNAP header.
2109 		 *
2110 		 * First, do the checks on LINUX_SLL_P_802_2
2111 		 * frames; generate the check for either
2112 		 * Ethernet_802.2 or Ethernet_SNAP frames, and
2113 		 * then put a check for LINUX_SLL_P_802_2 frames
2114 		 * before it.
2115 		 */
2116 		b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2117 		b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2118 		gen_or(b0, b1);
2119 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2120 		gen_and(b0, b1);
2121 
2122 		/*
2123 		 * Now check for 802.3 frames and OR that with
2124 		 * the previous test.
2125 		 */
2126 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2127 		gen_or(b0, b1);
2128 
2129 		/*
2130 		 * Now add the check for Ethernet_II frames, and
2131 		 * do that before checking for the other frame
2132 		 * types.
2133 		 */
2134 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2135 		    (bpf_int32)ETHERTYPE_IPX);
2136 		gen_or(b0, b1);
2137 		return b1;
2138 
2139 	case ETHERTYPE_ATALK:
2140 	case ETHERTYPE_AARP:
2141 		/*
2142 		 * EtherTalk (AppleTalk protocols on Ethernet link
2143 		 * layer) may use 802.2 encapsulation.
2144 		 */
2145 
2146 		/*
2147 		 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2148 		 * we check for the 802.2 protocol type in the
2149 		 * "Ethernet type" field.
2150 		 */
2151 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2152 
2153 		/*
2154 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2155 		 * SNAP packets with an organization code of
2156 		 * 0x080007 (Apple, for Appletalk) and a protocol
2157 		 * type of ETHERTYPE_ATALK (Appletalk).
2158 		 *
2159 		 * 802.2-encapsulated ETHERTYPE_AARP packets are
2160 		 * SNAP packets with an organization code of
2161 		 * 0x000000 (encapsulated Ethernet) and a protocol
2162 		 * type of ETHERTYPE_AARP (Appletalk ARP).
2163 		 */
2164 		if (proto == ETHERTYPE_ATALK)
2165 			b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2166 		else	/* proto == ETHERTYPE_AARP */
2167 			b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2168 		gen_and(b0, b1);
2169 
2170 		/*
2171 		 * Check for Ethernet encapsulation (Ethertalk
2172 		 * phase 1?); we just check for the Ethernet
2173 		 * protocol type.
2174 		 */
2175 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2176 
2177 		gen_or(b0, b1);
2178 		return b1;
2179 
2180 	default:
2181 		if (proto <= ETHERMTU) {
2182 			/*
2183 			 * This is an LLC SAP value, so the frames
2184 			 * that match would be 802.2 frames.
2185 			 * Check for the 802.2 protocol type
2186 			 * in the "Ethernet type" field, and
2187 			 * then check the DSAP.
2188 			 */
2189 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2190 			    LINUX_SLL_P_802_2);
2191 			b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2192 			     (bpf_int32)proto);
2193 			gen_and(b0, b1);
2194 			return b1;
2195 		} else {
2196 			/*
2197 			 * This is an Ethernet type, so compare
2198 			 * the length/type field with it (if
2199 			 * the frame is an 802.2 frame, the length
2200 			 * field will be <= ETHERMTU, and, as
2201 			 * "proto" is > ETHERMTU, this test
2202 			 * will fail and the frame won't match,
2203 			 * which is what we want).
2204 			 */
2205 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
2206 			    (bpf_int32)proto);
2207 		}
2208 	}
2209 }
2210 
2211 static struct slist *
2212 gen_load_prism_llprefixlen()
2213 {
2214 	struct slist *s1, *s2;
2215 	struct slist *sjeq_avs_cookie;
2216 	struct slist *sjcommon;
2217 
2218 	/*
2219 	 * This code is not compatible with the optimizer, as
2220 	 * we are generating jmp instructions within a normal
2221 	 * slist of instructions
2222 	 */
2223 	no_optimize = 1;
2224 
2225 	/*
2226 	 * Generate code to load the length of the radio header into
2227 	 * the register assigned to hold that length, if one has been
2228 	 * assigned.  (If one hasn't been assigned, no code we've
2229 	 * generated uses that prefix, so we don't need to generate any
2230 	 * code to load it.)
2231 	 *
2232 	 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2233 	 * or always use the AVS header rather than the Prism header.
2234 	 * We load a 4-byte big-endian value at the beginning of the
2235 	 * raw packet data, and see whether, when masked with 0xFFFFF000,
2236 	 * it's equal to 0x80211000.  If so, that indicates that it's
2237 	 * an AVS header (the masked-out bits are the version number).
2238 	 * Otherwise, it's a Prism header.
2239 	 *
2240 	 * XXX - the Prism header is also, in theory, variable-length,
2241 	 * but no known software generates headers that aren't 144
2242 	 * bytes long.
2243 	 */
2244 	if (reg_off_ll != -1) {
2245 		/*
2246 		 * Load the cookie.
2247 		 */
2248 		s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2249 		s1->s.k = 0;
2250 
2251 		/*
2252 		 * AND it with 0xFFFFF000.
2253 		 */
2254 		s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2255 		s2->s.k = 0xFFFFF000;
2256 		sappend(s1, s2);
2257 
2258 		/*
2259 		 * Compare with 0x80211000.
2260 		 */
2261 		sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2262 		sjeq_avs_cookie->s.k = 0x80211000;
2263 		sappend(s1, sjeq_avs_cookie);
2264 
2265 		/*
2266 		 * If it's AVS:
2267 		 *
2268 		 * The 4 bytes at an offset of 4 from the beginning of
2269 		 * the AVS header are the length of the AVS header.
2270 		 * That field is big-endian.
2271 		 */
2272 		s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2273 		s2->s.k = 4;
2274 		sappend(s1, s2);
2275 		sjeq_avs_cookie->s.jt = s2;
2276 
2277 		/*
2278 		 * Now jump to the code to allocate a register
2279 		 * into which to save the header length and
2280 		 * store the length there.  (The "jump always"
2281 		 * instruction needs to have the k field set;
2282 		 * it's added to the PC, so, as we're jumping
2283 		 * over a single instruction, it should be 1.)
2284 		 */
2285 		sjcommon = new_stmt(JMP(BPF_JA));
2286 		sjcommon->s.k = 1;
2287 		sappend(s1, sjcommon);
2288 
2289 		/*
2290 		 * Now for the code that handles the Prism header.
2291 		 * Just load the length of the Prism header (144)
2292 		 * into the A register.  Have the test for an AVS
2293 		 * header branch here if we don't have an AVS header.
2294 		 */
2295 		s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2296 		s2->s.k = 144;
2297 		sappend(s1, s2);
2298 		sjeq_avs_cookie->s.jf = s2;
2299 
2300 		/*
2301 		 * Now allocate a register to hold that value and store
2302 		 * it.  The code for the AVS header will jump here after
2303 		 * loading the length of the AVS header.
2304 		 */
2305 		s2 = new_stmt(BPF_ST);
2306 		s2->s.k = reg_off_ll;
2307 		sappend(s1, s2);
2308 		sjcommon->s.jf = s2;
2309 
2310 		/*
2311 		 * Now move it into the X register.
2312 		 */
2313 		s2 = new_stmt(BPF_MISC|BPF_TAX);
2314 		sappend(s1, s2);
2315 
2316 		return (s1);
2317 	} else
2318 		return (NULL);
2319 }
2320 
2321 static struct slist *
2322 gen_load_avs_llprefixlen()
2323 {
2324 	struct slist *s1, *s2;
2325 
2326 	/*
2327 	 * Generate code to load the length of the AVS header into
2328 	 * the register assigned to hold that length, if one has been
2329 	 * assigned.  (If one hasn't been assigned, no code we've
2330 	 * generated uses that prefix, so we don't need to generate any
2331 	 * code to load it.)
2332 	 */
2333 	if (reg_off_ll != -1) {
2334 		/*
2335 		 * The 4 bytes at an offset of 4 from the beginning of
2336 		 * the AVS header are the length of the AVS header.
2337 		 * That field is big-endian.
2338 		 */
2339 		s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2340 		s1->s.k = 4;
2341 
2342 		/*
2343 		 * Now allocate a register to hold that value and store
2344 		 * it.
2345 		 */
2346 		s2 = new_stmt(BPF_ST);
2347 		s2->s.k = reg_off_ll;
2348 		sappend(s1, s2);
2349 
2350 		/*
2351 		 * Now move it into the X register.
2352 		 */
2353 		s2 = new_stmt(BPF_MISC|BPF_TAX);
2354 		sappend(s1, s2);
2355 
2356 		return (s1);
2357 	} else
2358 		return (NULL);
2359 }
2360 
2361 static struct slist *
2362 gen_load_radiotap_llprefixlen()
2363 {
2364 	struct slist *s1, *s2;
2365 
2366 	/*
2367 	 * Generate code to load the length of the radiotap header into
2368 	 * the register assigned to hold that length, if one has been
2369 	 * assigned.  (If one hasn't been assigned, no code we've
2370 	 * generated uses that prefix, so we don't need to generate any
2371 	 * code to load it.)
2372 	 */
2373 	if (reg_off_ll != -1) {
2374 		/*
2375 		 * The 2 bytes at offsets of 2 and 3 from the beginning
2376 		 * of the radiotap header are the length of the radiotap
2377 		 * header; unfortunately, it's little-endian, so we have
2378 		 * to load it a byte at a time and construct the value.
2379 		 */
2380 
2381 		/*
2382 		 * Load the high-order byte, at an offset of 3, shift it
2383 		 * left a byte, and put the result in the X register.
2384 		 */
2385 		s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2386 		s1->s.k = 3;
2387 		s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2388 		sappend(s1, s2);
2389 		s2->s.k = 8;
2390 		s2 = new_stmt(BPF_MISC|BPF_TAX);
2391 		sappend(s1, s2);
2392 
2393 		/*
2394 		 * Load the next byte, at an offset of 2, and OR the
2395 		 * value from the X register into it.
2396 		 */
2397 		s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2398 		sappend(s1, s2);
2399 		s2->s.k = 2;
2400 		s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2401 		sappend(s1, s2);
2402 
2403 		/*
2404 		 * Now allocate a register to hold that value and store
2405 		 * it.
2406 		 */
2407 		s2 = new_stmt(BPF_ST);
2408 		s2->s.k = reg_off_ll;
2409 		sappend(s1, s2);
2410 
2411 		/*
2412 		 * Now move it into the X register.
2413 		 */
2414 		s2 = new_stmt(BPF_MISC|BPF_TAX);
2415 		sappend(s1, s2);
2416 
2417 		return (s1);
2418 	} else
2419 		return (NULL);
2420 }
2421 
2422 /*
2423  * At the moment we treat PPI as normal Radiotap encoded
2424  * packets. The difference is in the function that generates
2425  * the code at the beginning to compute the header length.
2426  * Since this code generator of PPI supports bare 802.11
2427  * encapsulation only (i.e. the encapsulated DLT should be
2428  * DLT_IEEE802_11) we generate code to check for this too;
2429  * that's done in finish_parse().
2430  */
2431 static struct slist *
2432 gen_load_ppi_llprefixlen()
2433 {
2434 	struct slist *s1, *s2;
2435 
2436 	/*
2437 	 * Generate code to load the length of the radiotap header
2438 	 * into the register assigned to hold that length, if one has
2439 	 * been assigned.
2440 	 */
2441 	if (reg_off_ll != -1) {
2442 		/*
2443 		 * The 2 bytes at offsets of 2 and 3 from the beginning
2444 		 * of the radiotap header are the length of the radiotap
2445 		 * header; unfortunately, it's little-endian, so we have
2446 		 * to load it a byte at a time and construct the value.
2447 		 */
2448 
2449 		/*
2450 		 * Load the high-order byte, at an offset of 3, shift it
2451 		 * left a byte, and put the result in the X register.
2452 		 */
2453 		s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2454 		s1->s.k = 3;
2455 		s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2456 		sappend(s1, s2);
2457 		s2->s.k = 8;
2458 		s2 = new_stmt(BPF_MISC|BPF_TAX);
2459 		sappend(s1, s2);
2460 
2461 		/*
2462 		 * Load the next byte, at an offset of 2, and OR the
2463 		 * value from the X register into it.
2464 		 */
2465 		s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2466 		sappend(s1, s2);
2467 		s2->s.k = 2;
2468 		s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2469 		sappend(s1, s2);
2470 
2471 		/*
2472 		 * Now allocate a register to hold that value and store
2473 		 * it.
2474 		 */
2475 		s2 = new_stmt(BPF_ST);
2476 		s2->s.k = reg_off_ll;
2477 		sappend(s1, s2);
2478 
2479 		/*
2480 		 * Now move it into the X register.
2481 		 */
2482 		s2 = new_stmt(BPF_MISC|BPF_TAX);
2483 		sappend(s1, s2);
2484 
2485 		return (s1);
2486 	} else
2487 		return (NULL);
2488 }
2489 
2490 /*
2491  * Load a value relative to the beginning of the link-layer header after the 802.11
2492  * header, i.e. LLC_SNAP.
2493  * The link-layer header doesn't necessarily begin at the beginning
2494  * of the packet data; there might be a variable-length prefix containing
2495  * radio information.
2496  */
2497 static struct slist *
2498 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2499 {
2500 	struct slist *s2;
2501 	struct slist *sjset_data_frame_1;
2502 	struct slist *sjset_data_frame_2;
2503 	struct slist *sjset_qos;
2504 	struct slist *sjset_radiotap_flags;
2505 	struct slist *sjset_radiotap_tsft;
2506 	struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2507 	struct slist *s_roundup;
2508 
2509 	if (reg_off_macpl == -1) {
2510 		/*
2511 		 * No register has been assigned to the offset of
2512 		 * the MAC-layer payload, which means nobody needs
2513 		 * it; don't bother computing it - just return
2514 		 * what we already have.
2515 		 */
2516 		return (s);
2517 	}
2518 
2519 	/*
2520 	 * This code is not compatible with the optimizer, as
2521 	 * we are generating jmp instructions within a normal
2522 	 * slist of instructions
2523 	 */
2524 	no_optimize = 1;
2525 
2526 	/*
2527 	 * If "s" is non-null, it has code to arrange that the X register
2528 	 * contains the length of the prefix preceding the link-layer
2529 	 * header.
2530 	 *
2531 	 * Otherwise, the length of the prefix preceding the link-layer
2532 	 * header is "off_ll".
2533 	 */
2534 	if (s == NULL) {
2535 		/*
2536 		 * There is no variable-length header preceding the
2537 		 * link-layer header.
2538 		 *
2539 		 * Load the length of the fixed-length prefix preceding
2540 		 * the link-layer header (if any) into the X register,
2541 		 * and store it in the reg_off_macpl register.
2542 		 * That length is off_ll.
2543 		 */
2544 		s = new_stmt(BPF_LDX|BPF_IMM);
2545 		s->s.k = off_ll;
2546 	}
2547 
2548 	/*
2549 	 * The X register contains the offset of the beginning of the
2550 	 * link-layer header; add 24, which is the minimum length
2551 	 * of the MAC header for a data frame, to that, and store it
2552 	 * in reg_off_macpl, and then load the Frame Control field,
2553 	 * which is at the offset in the X register, with an indexed load.
2554 	 */
2555 	s2 = new_stmt(BPF_MISC|BPF_TXA);
2556 	sappend(s, s2);
2557 	s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2558 	s2->s.k = 24;
2559 	sappend(s, s2);
2560 	s2 = new_stmt(BPF_ST);
2561 	s2->s.k = reg_off_macpl;
2562 	sappend(s, s2);
2563 
2564 	s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2565 	s2->s.k = 0;
2566 	sappend(s, s2);
2567 
2568 	/*
2569 	 * Check the Frame Control field to see if this is a data frame;
2570 	 * a data frame has the 0x08 bit (b3) in that field set and the
2571 	 * 0x04 bit (b2) clear.
2572 	 */
2573 	sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2574 	sjset_data_frame_1->s.k = 0x08;
2575 	sappend(s, sjset_data_frame_1);
2576 
2577 	/*
2578 	 * If b3 is set, test b2, otherwise go to the first statement of
2579 	 * the rest of the program.
2580 	 */
2581 	sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2582 	sjset_data_frame_2->s.k = 0x04;
2583 	sappend(s, sjset_data_frame_2);
2584 	sjset_data_frame_1->s.jf = snext;
2585 
2586 	/*
2587 	 * If b2 is not set, this is a data frame; test the QoS bit.
2588 	 * Otherwise, go to the first statement of the rest of the
2589 	 * program.
2590 	 */
2591 	sjset_data_frame_2->s.jt = snext;
2592 	sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2593 	sjset_qos->s.k = 0x80;	/* QoS bit */
2594 	sappend(s, sjset_qos);
2595 
2596 	/*
2597 	 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2598 	 * field.
2599 	 * Otherwise, go to the first statement of the rest of the
2600 	 * program.
2601 	 */
2602 	sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2603 	s2->s.k = reg_off_macpl;
2604 	sappend(s, s2);
2605 	s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2606 	s2->s.k = 2;
2607 	sappend(s, s2);
2608 	s2 = new_stmt(BPF_ST);
2609 	s2->s.k = reg_off_macpl;
2610 	sappend(s, s2);
2611 
2612 	/*
2613 	 * If we have a radiotap header, look at it to see whether
2614 	 * there's Atheros padding between the MAC-layer header
2615 	 * and the payload.
2616 	 *
2617 	 * Note: all of the fields in the radiotap header are
2618 	 * little-endian, so we byte-swap all of the values
2619 	 * we test against, as they will be loaded as big-endian
2620 	 * values.
2621 	 */
2622 	if (linktype == DLT_IEEE802_11_RADIO) {
2623 		/*
2624 		 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2625 		 * in the presence flag?
2626 		 */
2627 		sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2628 		s2->s.k = 4;
2629 		sappend(s, s2);
2630 
2631 		sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2632 		sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2633 		sappend(s, sjset_radiotap_flags);
2634 
2635 		/*
2636 		 * If not, skip all of this.
2637 		 */
2638 		sjset_radiotap_flags->s.jf = snext;
2639 
2640 		/*
2641 		 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2642 		 */
2643 		sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2644 		    new_stmt(JMP(BPF_JSET));
2645 		sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2646 		sappend(s, sjset_radiotap_tsft);
2647 
2648 		/*
2649 		 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2650 		 * at an offset of 16 from the beginning of the raw packet
2651 		 * data (8 bytes for the radiotap header and 8 bytes for
2652 		 * the TSFT field).
2653 		 *
2654 		 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2655 		 * is set.
2656 		 */
2657 		sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2658 		s2->s.k = 16;
2659 		sappend(s, s2);
2660 
2661 		sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2662 		sjset_tsft_datapad->s.k = 0x20;
2663 		sappend(s, sjset_tsft_datapad);
2664 
2665 		/*
2666 		 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2667 		 * at an offset of 8 from the beginning of the raw packet
2668 		 * data (8 bytes for the radiotap header).
2669 		 *
2670 		 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2671 		 * is set.
2672 		 */
2673 		sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2674 		s2->s.k = 8;
2675 		sappend(s, s2);
2676 
2677 		sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2678 		sjset_notsft_datapad->s.k = 0x20;
2679 		sappend(s, sjset_notsft_datapad);
2680 
2681 		/*
2682 		 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2683 		 * set, round the length of the 802.11 header to
2684 		 * a multiple of 4.  Do that by adding 3 and then
2685 		 * dividing by and multiplying by 4, which we do by
2686 		 * ANDing with ~3.
2687 		 */
2688 		s_roundup = new_stmt(BPF_LD|BPF_MEM);
2689 		s_roundup->s.k = reg_off_macpl;
2690 		sappend(s, s_roundup);
2691 		s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2692 		s2->s.k = 3;
2693 		sappend(s, s2);
2694 		s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2695 		s2->s.k = ~3;
2696 		sappend(s, s2);
2697 		s2 = new_stmt(BPF_ST);
2698 		s2->s.k = reg_off_macpl;
2699 		sappend(s, s2);
2700 
2701 		sjset_tsft_datapad->s.jt = s_roundup;
2702 		sjset_tsft_datapad->s.jf = snext;
2703 		sjset_notsft_datapad->s.jt = s_roundup;
2704 		sjset_notsft_datapad->s.jf = snext;
2705 	} else
2706 		sjset_qos->s.jf = snext;
2707 
2708 	return s;
2709 }
2710 
2711 static void
2712 insert_compute_vloffsets(b)
2713 	struct block *b;
2714 {
2715 	struct slist *s;
2716 
2717 	/*
2718 	 * For link-layer types that have a variable-length header
2719 	 * preceding the link-layer header, generate code to load
2720 	 * the offset of the link-layer header into the register
2721 	 * assigned to that offset, if any.
2722 	 */
2723 	switch (linktype) {
2724 
2725 	case DLT_PRISM_HEADER:
2726 		s = gen_load_prism_llprefixlen();
2727 		break;
2728 
2729 	case DLT_IEEE802_11_RADIO_AVS:
2730 		s = gen_load_avs_llprefixlen();
2731 		break;
2732 
2733 	case DLT_IEEE802_11_RADIO:
2734 		s = gen_load_radiotap_llprefixlen();
2735 		break;
2736 
2737 	case DLT_PPI:
2738 		s = gen_load_ppi_llprefixlen();
2739 		break;
2740 
2741 	default:
2742 		s = NULL;
2743 		break;
2744 	}
2745 
2746 	/*
2747 	 * For link-layer types that have a variable-length link-layer
2748 	 * header, generate code to load the offset of the MAC-layer
2749 	 * payload into the register assigned to that offset, if any.
2750 	 */
2751 	switch (linktype) {
2752 
2753 	case DLT_IEEE802_11:
2754 	case DLT_PRISM_HEADER:
2755 	case DLT_IEEE802_11_RADIO_AVS:
2756 	case DLT_IEEE802_11_RADIO:
2757 	case DLT_PPI:
2758 		s = gen_load_802_11_header_len(s, b->stmts);
2759 		break;
2760 	}
2761 
2762 	/*
2763 	 * If we have any offset-loading code, append all the
2764 	 * existing statements in the block to those statements,
2765 	 * and make the resulting list the list of statements
2766 	 * for the block.
2767 	 */
2768 	if (s != NULL) {
2769 		sappend(s, b->stmts);
2770 		b->stmts = s;
2771 	}
2772 }
2773 
2774 static struct block *
2775 gen_ppi_dlt_check(void)
2776 {
2777 	struct slist *s_load_dlt;
2778 	struct block *b;
2779 
2780 	if (linktype == DLT_PPI)
2781 	{
2782 		/* Create the statements that check for the DLT
2783 		 */
2784 		s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2785 		s_load_dlt->s.k = 4;
2786 
2787 		b = new_block(JMP(BPF_JEQ));
2788 
2789 		b->stmts = s_load_dlt;
2790 		b->s.k = SWAPLONG(DLT_IEEE802_11);
2791 	}
2792 	else
2793 	{
2794 		b = NULL;
2795 	}
2796 
2797 	return b;
2798 }
2799 
2800 static struct slist *
2801 gen_prism_llprefixlen(void)
2802 {
2803 	struct slist *s;
2804 
2805 	if (reg_off_ll == -1) {
2806 		/*
2807 		 * We haven't yet assigned a register for the length
2808 		 * of the radio header; allocate one.
2809 		 */
2810 		reg_off_ll = alloc_reg();
2811 	}
2812 
2813 	/*
2814 	 * Load the register containing the radio length
2815 	 * into the X register.
2816 	 */
2817 	s = new_stmt(BPF_LDX|BPF_MEM);
2818 	s->s.k = reg_off_ll;
2819 	return s;
2820 }
2821 
2822 static struct slist *
2823 gen_avs_llprefixlen(void)
2824 {
2825 	struct slist *s;
2826 
2827 	if (reg_off_ll == -1) {
2828 		/*
2829 		 * We haven't yet assigned a register for the length
2830 		 * of the AVS header; allocate one.
2831 		 */
2832 		reg_off_ll = alloc_reg();
2833 	}
2834 
2835 	/*
2836 	 * Load the register containing the AVS length
2837 	 * into the X register.
2838 	 */
2839 	s = new_stmt(BPF_LDX|BPF_MEM);
2840 	s->s.k = reg_off_ll;
2841 	return s;
2842 }
2843 
2844 static struct slist *
2845 gen_radiotap_llprefixlen(void)
2846 {
2847 	struct slist *s;
2848 
2849 	if (reg_off_ll == -1) {
2850 		/*
2851 		 * We haven't yet assigned a register for the length
2852 		 * of the radiotap header; allocate one.
2853 		 */
2854 		reg_off_ll = alloc_reg();
2855 	}
2856 
2857 	/*
2858 	 * Load the register containing the radiotap length
2859 	 * into the X register.
2860 	 */
2861 	s = new_stmt(BPF_LDX|BPF_MEM);
2862 	s->s.k = reg_off_ll;
2863 	return s;
2864 }
2865 
2866 /*
2867  * At the moment we treat PPI as normal Radiotap encoded
2868  * packets. The difference is in the function that generates
2869  * the code at the beginning to compute the header length.
2870  * Since this code generator of PPI supports bare 802.11
2871  * encapsulation only (i.e. the encapsulated DLT should be
2872  * DLT_IEEE802_11) we generate code to check for this too.
2873  */
2874 static struct slist *
2875 gen_ppi_llprefixlen(void)
2876 {
2877 	struct slist *s;
2878 
2879 	if (reg_off_ll == -1) {
2880 		/*
2881 		 * We haven't yet assigned a register for the length
2882 		 * of the radiotap header; allocate one.
2883 		 */
2884 		reg_off_ll = alloc_reg();
2885 	}
2886 
2887 	/*
2888 	 * Load the register containing the PPI length
2889 	 * into the X register.
2890 	 */
2891 	s = new_stmt(BPF_LDX|BPF_MEM);
2892 	s->s.k = reg_off_ll;
2893 	return s;
2894 }
2895 
2896 /*
2897  * Generate code to compute the link-layer header length, if necessary,
2898  * putting it into the X register, and to return either a pointer to a
2899  * "struct slist" for the list of statements in that code, or NULL if
2900  * no code is necessary.
2901  */
2902 static struct slist *
2903 gen_llprefixlen(void)
2904 {
2905 	switch (linktype) {
2906 
2907 	case DLT_PRISM_HEADER:
2908 		return gen_prism_llprefixlen();
2909 
2910 	case DLT_IEEE802_11_RADIO_AVS:
2911 		return gen_avs_llprefixlen();
2912 
2913 	case DLT_IEEE802_11_RADIO:
2914 		return gen_radiotap_llprefixlen();
2915 
2916 	case DLT_PPI:
2917 		return gen_ppi_llprefixlen();
2918 
2919 	default:
2920 		return NULL;
2921 	}
2922 }
2923 
2924 /*
2925  * Generate code to load the register containing the offset of the
2926  * MAC-layer payload into the X register; if no register for that offset
2927  * has been allocated, allocate it first.
2928  */
2929 static struct slist *
2930 gen_off_macpl(void)
2931 {
2932 	struct slist *s;
2933 
2934 	if (off_macpl_is_variable) {
2935 		if (reg_off_macpl == -1) {
2936 			/*
2937 			 * We haven't yet assigned a register for the offset
2938 			 * of the MAC-layer payload; allocate one.
2939 			 */
2940 			reg_off_macpl = alloc_reg();
2941 		}
2942 
2943 		/*
2944 		 * Load the register containing the offset of the MAC-layer
2945 		 * payload into the X register.
2946 		 */
2947 		s = new_stmt(BPF_LDX|BPF_MEM);
2948 		s->s.k = reg_off_macpl;
2949 		return s;
2950 	} else {
2951 		/*
2952 		 * That offset isn't variable, so we don't need to
2953 		 * generate any code.
2954 		 */
2955 		return NULL;
2956 	}
2957 }
2958 
2959 /*
2960  * Map an Ethernet type to the equivalent PPP type.
2961  */
2962 static int
2963 ethertype_to_ppptype(proto)
2964 	int proto;
2965 {
2966 	switch (proto) {
2967 
2968 	case ETHERTYPE_IP:
2969 		proto = PPP_IP;
2970 		break;
2971 
2972 #ifdef INET6
2973 	case ETHERTYPE_IPV6:
2974 		proto = PPP_IPV6;
2975 		break;
2976 #endif
2977 
2978 	case ETHERTYPE_DN:
2979 		proto = PPP_DECNET;
2980 		break;
2981 
2982 	case ETHERTYPE_ATALK:
2983 		proto = PPP_APPLE;
2984 		break;
2985 
2986 	case ETHERTYPE_NS:
2987 		proto = PPP_NS;
2988 		break;
2989 
2990 	case LLCSAP_ISONS:
2991 		proto = PPP_OSI;
2992 		break;
2993 
2994 	case LLCSAP_8021D:
2995 		/*
2996 		 * I'm assuming the "Bridging PDU"s that go
2997 		 * over PPP are Spanning Tree Protocol
2998 		 * Bridging PDUs.
2999 		 */
3000 		proto = PPP_BRPDU;
3001 		break;
3002 
3003 	case LLCSAP_IPX:
3004 		proto = PPP_IPX;
3005 		break;
3006 	}
3007 	return (proto);
3008 }
3009 
3010 /*
3011  * Generate code to match a particular packet type by matching the
3012  * link-layer type field or fields in the 802.2 LLC header.
3013  *
3014  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3015  * value, if <= ETHERMTU.
3016  */
3017 static struct block *
3018 gen_linktype(proto)
3019 	register int proto;
3020 {
3021 	struct block *b0, *b1, *b2;
3022 
3023 	/* are we checking MPLS-encapsulated packets? */
3024 	if (label_stack_depth > 0) {
3025 		switch (proto) {
3026 		case ETHERTYPE_IP:
3027 		case PPP_IP:
3028 			/* FIXME add other L3 proto IDs */
3029 			return gen_mpls_linktype(Q_IP);
3030 
3031 		case ETHERTYPE_IPV6:
3032 		case PPP_IPV6:
3033 			/* FIXME add other L3 proto IDs */
3034 			return gen_mpls_linktype(Q_IPV6);
3035 
3036 		default:
3037 			bpf_error("unsupported protocol over mpls");
3038 			/* NOTREACHED */
3039 		}
3040 	}
3041 
3042 	/*
3043 	 * Are we testing PPPoE packets?
3044 	 */
3045 	if (is_pppoes) {
3046 		/*
3047 		 * The PPPoE session header is part of the
3048 		 * MAC-layer payload, so all references
3049 		 * should be relative to the beginning of
3050 		 * that payload.
3051 		 */
3052 
3053 		/*
3054 		 * We use Ethernet protocol types inside libpcap;
3055 		 * map them to the corresponding PPP protocol types.
3056 		 */
3057 		proto = ethertype_to_ppptype(proto);
3058 		return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
3059 	}
3060 
3061 	switch (linktype) {
3062 
3063 	case DLT_EN10MB:
3064 		return gen_ether_linktype(proto);
3065 		/*NOTREACHED*/
3066 		break;
3067 
3068 	case DLT_C_HDLC:
3069 		switch (proto) {
3070 
3071 		case LLCSAP_ISONS:
3072 			proto = (proto << 8 | LLCSAP_ISONS);
3073 			/* fall through */
3074 
3075 		default:
3076 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
3077 			    (bpf_int32)proto);
3078 			/*NOTREACHED*/
3079 			break;
3080 		}
3081 		break;
3082 
3083 	case DLT_IEEE802_11:
3084 	case DLT_PRISM_HEADER:
3085 	case DLT_IEEE802_11_RADIO_AVS:
3086 	case DLT_IEEE802_11_RADIO:
3087 	case DLT_PPI:
3088 		/*
3089 		 * Check that we have a data frame.
3090 		 */
3091 		b0 = gen_check_802_11_data_frame();
3092 
3093 		/*
3094 		 * Now check for the specified link-layer type.
3095 		 */
3096 		b1 = gen_llc_linktype(proto);
3097 		gen_and(b0, b1);
3098 		return b1;
3099 		/*NOTREACHED*/
3100 		break;
3101 
3102 	case DLT_FDDI:
3103 		/*
3104 		 * XXX - check for asynchronous frames, as per RFC 1103.
3105 		 */
3106 		return gen_llc_linktype(proto);
3107 		/*NOTREACHED*/
3108 		break;
3109 
3110 	case DLT_IEEE802:
3111 		/*
3112 		 * XXX - check for LLC PDUs, as per IEEE 802.5.
3113 		 */
3114 		return gen_llc_linktype(proto);
3115 		/*NOTREACHED*/
3116 		break;
3117 
3118 	case DLT_ATM_RFC1483:
3119 	case DLT_ATM_CLIP:
3120 	case DLT_IP_OVER_FC:
3121 		return gen_llc_linktype(proto);
3122 		/*NOTREACHED*/
3123 		break;
3124 
3125 	case DLT_SUNATM:
3126 		/*
3127 		 * If "is_lane" is set, check for a LANE-encapsulated
3128 		 * version of this protocol, otherwise check for an
3129 		 * LLC-encapsulated version of this protocol.
3130 		 *
3131 		 * We assume LANE means Ethernet, not Token Ring.
3132 		 */
3133 		if (is_lane) {
3134 			/*
3135 			 * Check that the packet doesn't begin with an
3136 			 * LE Control marker.  (We've already generated
3137 			 * a test for LANE.)
3138 			 */
3139 			b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3140 			    0xFF00);
3141 			gen_not(b0);
3142 
3143 			/*
3144 			 * Now generate an Ethernet test.
3145 			 */
3146 			b1 = gen_ether_linktype(proto);
3147 			gen_and(b0, b1);
3148 			return b1;
3149 		} else {
3150 			/*
3151 			 * Check for LLC encapsulation and then check the
3152 			 * protocol.
3153 			 */
3154 			b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3155 			b1 = gen_llc_linktype(proto);
3156 			gen_and(b0, b1);
3157 			return b1;
3158 		}
3159 		/*NOTREACHED*/
3160 		break;
3161 
3162 	case DLT_LINUX_SLL:
3163 		return gen_linux_sll_linktype(proto);
3164 		/*NOTREACHED*/
3165 		break;
3166 
3167 	case DLT_SLIP:
3168 	case DLT_SLIP_BSDOS:
3169 	case DLT_RAW:
3170 		/*
3171 		 * These types don't provide any type field; packets
3172 		 * are always IPv4 or IPv6.
3173 		 *
3174 		 * XXX - for IPv4, check for a version number of 4, and,
3175 		 * for IPv6, check for a version number of 6?
3176 		 */
3177 		switch (proto) {
3178 
3179 		case ETHERTYPE_IP:
3180 			/* Check for a version number of 4. */
3181 			return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3182 #ifdef INET6
3183 		case ETHERTYPE_IPV6:
3184 			/* Check for a version number of 6. */
3185 			return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3186 #endif
3187 
3188 		default:
3189 			return gen_false();		/* always false */
3190 		}
3191 		/*NOTREACHED*/
3192 		break;
3193 
3194 	case DLT_IPV4:
3195 		/*
3196 		 * Raw IPv4, so no type field.
3197 		 */
3198 		if (proto == ETHERTYPE_IP)
3199 			return gen_true();		/* always true */
3200 
3201 		/* Checking for something other than IPv4; always false */
3202 		return gen_false();
3203 		/*NOTREACHED*/
3204 		break;
3205 
3206 	case DLT_IPV6:
3207 		/*
3208 		 * Raw IPv6, so no type field.
3209 		 */
3210 #ifdef INET6
3211 		if (proto == ETHERTYPE_IPV6)
3212 			return gen_true();		/* always true */
3213 #endif
3214 
3215 		/* Checking for something other than IPv6; always false */
3216 		return gen_false();
3217 		/*NOTREACHED*/
3218 		break;
3219 
3220 	case DLT_PPP:
3221 	case DLT_PPP_PPPD:
3222 	case DLT_PPP_SERIAL:
3223 	case DLT_PPP_ETHER:
3224 		/*
3225 		 * We use Ethernet protocol types inside libpcap;
3226 		 * map them to the corresponding PPP protocol types.
3227 		 */
3228 		proto = ethertype_to_ppptype(proto);
3229 		return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3230 		/*NOTREACHED*/
3231 		break;
3232 
3233 	case DLT_PPP_BSDOS:
3234 		/*
3235 		 * We use Ethernet protocol types inside libpcap;
3236 		 * map them to the corresponding PPP protocol types.
3237 		 */
3238 		switch (proto) {
3239 
3240 		case ETHERTYPE_IP:
3241 			/*
3242 			 * Also check for Van Jacobson-compressed IP.
3243 			 * XXX - do this for other forms of PPP?
3244 			 */
3245 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3246 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3247 			gen_or(b0, b1);
3248 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3249 			gen_or(b1, b0);
3250 			return b0;
3251 
3252 		default:
3253 			proto = ethertype_to_ppptype(proto);
3254 			return gen_cmp(OR_LINK, off_linktype, BPF_H,
3255 				(bpf_int32)proto);
3256 		}
3257 		/*NOTREACHED*/
3258 		break;
3259 
3260 	case DLT_NULL:
3261 	case DLT_LOOP:
3262 	case DLT_ENC:
3263 		/*
3264 		 * For DLT_NULL, the link-layer header is a 32-bit
3265 		 * word containing an AF_ value in *host* byte order,
3266 		 * and for DLT_ENC, the link-layer header begins
3267 		 * with a 32-bit work containing an AF_ value in
3268 		 * host byte order.
3269 		 *
3270 		 * In addition, if we're reading a saved capture file,
3271 		 * the host byte order in the capture may not be the
3272 		 * same as the host byte order on this machine.
3273 		 *
3274 		 * For DLT_LOOP, the link-layer header is a 32-bit
3275 		 * word containing an AF_ value in *network* byte order.
3276 		 *
3277 		 * XXX - AF_ values may, unfortunately, be platform-
3278 		 * dependent; for example, FreeBSD's AF_INET6 is 24
3279 		 * whilst NetBSD's and OpenBSD's is 26.
3280 		 *
3281 		 * This means that, when reading a capture file, just
3282 		 * checking for our AF_INET6 value won't work if the
3283 		 * capture file came from another OS.
3284 		 */
3285 		switch (proto) {
3286 
3287 		case ETHERTYPE_IP:
3288 			proto = AF_INET;
3289 			break;
3290 
3291 #ifdef INET6
3292 		case ETHERTYPE_IPV6:
3293 			proto = AF_INET6;
3294 			break;
3295 #endif
3296 
3297 		default:
3298 			/*
3299 			 * Not a type on which we support filtering.
3300 			 * XXX - support those that have AF_ values
3301 			 * #defined on this platform, at least?
3302 			 */
3303 			return gen_false();
3304 		}
3305 
3306 		if (linktype == DLT_NULL || linktype == DLT_ENC) {
3307 			/*
3308 			 * The AF_ value is in host byte order, but
3309 			 * the BPF interpreter will convert it to
3310 			 * network byte order.
3311 			 *
3312 			 * If this is a save file, and it's from a
3313 			 * machine with the opposite byte order to
3314 			 * ours, we byte-swap the AF_ value.
3315 			 *
3316 			 * Then we run it through "htonl()", and
3317 			 * generate code to compare against the result.
3318 			 */
3319 			if (bpf_pcap->sf.rfile != NULL &&
3320 			    bpf_pcap->sf.swapped)
3321 				proto = SWAPLONG(proto);
3322 			proto = htonl(proto);
3323 		}
3324 		return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3325 
3326 #ifdef HAVE_NET_PFVAR_H
3327 	case DLT_PFLOG:
3328 		/*
3329 		 * af field is host byte order in contrast to the rest of
3330 		 * the packet.
3331 		 */
3332 		if (proto == ETHERTYPE_IP)
3333 			return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3334 			    BPF_B, (bpf_int32)AF_INET));
3335 #ifdef INET6
3336 		else if (proto == ETHERTYPE_IPV6)
3337 			return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3338 			    BPF_B, (bpf_int32)AF_INET6));
3339 #endif /* INET6 */
3340 		else
3341 			return gen_false();
3342 		/*NOTREACHED*/
3343 		break;
3344 #endif /* HAVE_NET_PFVAR_H */
3345 
3346 	case DLT_ARCNET:
3347 	case DLT_ARCNET_LINUX:
3348 		/*
3349 		 * XXX should we check for first fragment if the protocol
3350 		 * uses PHDS?
3351 		 */
3352 		switch (proto) {
3353 
3354 		default:
3355 			return gen_false();
3356 
3357 #ifdef INET6
3358 		case ETHERTYPE_IPV6:
3359 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3360 				(bpf_int32)ARCTYPE_INET6));
3361 #endif /* INET6 */
3362 
3363 		case ETHERTYPE_IP:
3364 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3365 				     (bpf_int32)ARCTYPE_IP);
3366 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3367 				     (bpf_int32)ARCTYPE_IP_OLD);
3368 			gen_or(b0, b1);
3369 			return (b1);
3370 
3371 		case ETHERTYPE_ARP:
3372 			b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3373 				     (bpf_int32)ARCTYPE_ARP);
3374 			b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3375 				     (bpf_int32)ARCTYPE_ARP_OLD);
3376 			gen_or(b0, b1);
3377 			return (b1);
3378 
3379 		case ETHERTYPE_REVARP:
3380 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3381 					(bpf_int32)ARCTYPE_REVARP));
3382 
3383 		case ETHERTYPE_ATALK:
3384 			return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3385 					(bpf_int32)ARCTYPE_ATALK));
3386 		}
3387 		/*NOTREACHED*/
3388 		break;
3389 
3390 	case DLT_LTALK:
3391 		switch (proto) {
3392 		case ETHERTYPE_ATALK:
3393 			return gen_true();
3394 		default:
3395 			return gen_false();
3396 		}
3397 		/*NOTREACHED*/
3398 		break;
3399 
3400 	case DLT_FRELAY:
3401 		/*
3402 		 * XXX - assumes a 2-byte Frame Relay header with
3403 		 * DLCI and flags.  What if the address is longer?
3404 		 */
3405 		switch (proto) {
3406 
3407 		case ETHERTYPE_IP:
3408 			/*
3409 			 * Check for the special NLPID for IP.
3410 			 */
3411 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3412 
3413 #ifdef INET6
3414 		case ETHERTYPE_IPV6:
3415 			/*
3416 			 * Check for the special NLPID for IPv6.
3417 			 */
3418 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3419 #endif
3420 
3421 		case LLCSAP_ISONS:
3422 			/*
3423 			 * Check for several OSI protocols.
3424 			 *
3425 			 * Frame Relay packets typically have an OSI
3426 			 * NLPID at the beginning; we check for each
3427 			 * of them.
3428 			 *
3429 			 * What we check for is the NLPID and a frame
3430 			 * control field of UI, i.e. 0x03 followed
3431 			 * by the NLPID.
3432 			 */
3433 			b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3434 			b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3435 			b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3436 			gen_or(b1, b2);
3437 			gen_or(b0, b2);
3438 			return b2;
3439 
3440 		default:
3441 			return gen_false();
3442 		}
3443 		/*NOTREACHED*/
3444 		break;
3445 
3446 	case DLT_MFR:
3447 		bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3448 
3449         case DLT_JUNIPER_MFR:
3450         case DLT_JUNIPER_MLFR:
3451         case DLT_JUNIPER_MLPPP:
3452 	case DLT_JUNIPER_ATM1:
3453 	case DLT_JUNIPER_ATM2:
3454 	case DLT_JUNIPER_PPPOE:
3455 	case DLT_JUNIPER_PPPOE_ATM:
3456         case DLT_JUNIPER_GGSN:
3457         case DLT_JUNIPER_ES:
3458         case DLT_JUNIPER_MONITOR:
3459         case DLT_JUNIPER_SERVICES:
3460         case DLT_JUNIPER_ETHER:
3461         case DLT_JUNIPER_PPP:
3462         case DLT_JUNIPER_FRELAY:
3463         case DLT_JUNIPER_CHDLC:
3464         case DLT_JUNIPER_VP:
3465         case DLT_JUNIPER_ST:
3466         case DLT_JUNIPER_ISM:
3467 		/* just lets verify the magic number for now -
3468 		 * on ATM we may have up to 6 different encapsulations on the wire
3469 		 * and need a lot of heuristics to figure out that the payload
3470 		 * might be;
3471 		 *
3472 		 * FIXME encapsulation specific BPF_ filters
3473 		 */
3474 		return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3475 
3476 	case DLT_IPNET:
3477 		return gen_ipnet_linktype(proto);
3478 
3479 	case DLT_LINUX_IRDA:
3480 		bpf_error("IrDA link-layer type filtering not implemented");
3481 
3482 	case DLT_DOCSIS:
3483 		bpf_error("DOCSIS link-layer type filtering not implemented");
3484 
3485 	case DLT_MTP2:
3486 	case DLT_MTP2_WITH_PHDR:
3487 		bpf_error("MTP2 link-layer type filtering not implemented");
3488 
3489 	case DLT_ERF:
3490 		bpf_error("ERF link-layer type filtering not implemented");
3491 
3492 #ifdef DLT_PFSYNC
3493 	case DLT_PFSYNC:
3494 		bpf_error("PFSYNC link-layer type filtering not implemented");
3495 #endif
3496 
3497 	case DLT_LINUX_LAPD:
3498 		bpf_error("LAPD link-layer type filtering not implemented");
3499 
3500 	case DLT_USB:
3501 	case DLT_USB_LINUX:
3502 	case DLT_USB_LINUX_MMAPPED:
3503 		bpf_error("USB link-layer type filtering not implemented");
3504 
3505 	case DLT_BLUETOOTH_HCI_H4:
3506 	case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3507 		bpf_error("Bluetooth link-layer type filtering not implemented");
3508 
3509 	case DLT_CAN20B:
3510 	case DLT_CAN_SOCKETCAN:
3511 		bpf_error("CAN link-layer type filtering not implemented");
3512 
3513 	case DLT_IEEE802_15_4:
3514 	case DLT_IEEE802_15_4_LINUX:
3515 	case DLT_IEEE802_15_4_NONASK_PHY:
3516 		bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3517 
3518 	case DLT_IEEE802_16_MAC_CPS_RADIO:
3519 		bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3520 
3521 	case DLT_SITA:
3522 		bpf_error("SITA link-layer type filtering not implemented");
3523 
3524 	case DLT_RAIF1:
3525 		bpf_error("RAIF1 link-layer type filtering not implemented");
3526 
3527 	case DLT_IPMB:
3528 		bpf_error("IPMB link-layer type filtering not implemented");
3529 
3530 	case DLT_AX25_KISS:
3531 		bpf_error("AX.25 link-layer type filtering not implemented");
3532 	}
3533 
3534 	/*
3535 	 * All the types that have no encapsulation should either be
3536 	 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3537 	 * all packets are IP packets, or should be handled in some
3538 	 * special case, if none of them are (if some are and some
3539 	 * aren't, the lack of encapsulation is a problem, as we'd
3540 	 * have to find some other way of determining the packet type).
3541 	 *
3542 	 * Therefore, if "off_linktype" is -1, there's an error.
3543 	 */
3544 	if (off_linktype == (u_int)-1)
3545 		abort();
3546 
3547 	/*
3548 	 * Any type not handled above should always have an Ethernet
3549 	 * type at an offset of "off_linktype".
3550 	 */
3551 	return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3552 }
3553 
3554 /*
3555  * Check for an LLC SNAP packet with a given organization code and
3556  * protocol type; we check the entire contents of the 802.2 LLC and
3557  * snap headers, checking for DSAP and SSAP of SNAP and a control
3558  * field of 0x03 in the LLC header, and for the specified organization
3559  * code and protocol type in the SNAP header.
3560  */
3561 static struct block *
3562 gen_snap(orgcode, ptype)
3563 	bpf_u_int32 orgcode;
3564 	bpf_u_int32 ptype;
3565 {
3566 	u_char snapblock[8];
3567 
3568 	snapblock[0] = LLCSAP_SNAP;	/* DSAP = SNAP */
3569 	snapblock[1] = LLCSAP_SNAP;	/* SSAP = SNAP */
3570 	snapblock[2] = 0x03;		/* control = UI */
3571 	snapblock[3] = (orgcode >> 16);	/* upper 8 bits of organization code */
3572 	snapblock[4] = (orgcode >> 8);	/* middle 8 bits of organization code */
3573 	snapblock[5] = (orgcode >> 0);	/* lower 8 bits of organization code */
3574 	snapblock[6] = (ptype >> 8);	/* upper 8 bits of protocol type */
3575 	snapblock[7] = (ptype >> 0);	/* lower 8 bits of protocol type */
3576 	return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3577 }
3578 
3579 /*
3580  * Generate code to match a particular packet type, for link-layer types
3581  * using 802.2 LLC headers.
3582  *
3583  * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3584  * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3585  *
3586  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3587  * value, if <= ETHERMTU.  We use that to determine whether to
3588  * match the DSAP or both DSAP and LSAP or to check the OUI and
3589  * protocol ID in a SNAP header.
3590  */
3591 static struct block *
3592 gen_llc_linktype(proto)
3593 	int proto;
3594 {
3595 	/*
3596 	 * XXX - handle token-ring variable-length header.
3597 	 */
3598 	switch (proto) {
3599 
3600 	case LLCSAP_IP:
3601 	case LLCSAP_ISONS:
3602 	case LLCSAP_NETBEUI:
3603 		/*
3604 		 * XXX - should we check both the DSAP and the
3605 		 * SSAP, like this, or should we check just the
3606 		 * DSAP, as we do for other types <= ETHERMTU
3607 		 * (i.e., other SAP values)?
3608 		 */
3609 		return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3610 			     ((proto << 8) | proto));
3611 
3612 	case LLCSAP_IPX:
3613 		/*
3614 		 * XXX - are there ever SNAP frames for IPX on
3615 		 * non-Ethernet 802.x networks?
3616 		 */
3617 		return gen_cmp(OR_MACPL, 0, BPF_B,
3618 		    (bpf_int32)LLCSAP_IPX);
3619 
3620 	case ETHERTYPE_ATALK:
3621 		/*
3622 		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3623 		 * SNAP packets with an organization code of
3624 		 * 0x080007 (Apple, for Appletalk) and a protocol
3625 		 * type of ETHERTYPE_ATALK (Appletalk).
3626 		 *
3627 		 * XXX - check for an organization code of
3628 		 * encapsulated Ethernet as well?
3629 		 */
3630 		return gen_snap(0x080007, ETHERTYPE_ATALK);
3631 
3632 	default:
3633 		/*
3634 		 * XXX - we don't have to check for IPX 802.3
3635 		 * here, but should we check for the IPX Ethertype?
3636 		 */
3637 		if (proto <= ETHERMTU) {
3638 			/*
3639 			 * This is an LLC SAP value, so check
3640 			 * the DSAP.
3641 			 */
3642 			return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3643 		} else {
3644 			/*
3645 			 * This is an Ethernet type; we assume that it's
3646 			 * unlikely that it'll appear in the right place
3647 			 * at random, and therefore check only the
3648 			 * location that would hold the Ethernet type
3649 			 * in a SNAP frame with an organization code of
3650 			 * 0x000000 (encapsulated Ethernet).
3651 			 *
3652 			 * XXX - if we were to check for the SNAP DSAP and
3653 			 * LSAP, as per XXX, and were also to check for an
3654 			 * organization code of 0x000000 (encapsulated
3655 			 * Ethernet), we'd do
3656 			 *
3657 			 *	return gen_snap(0x000000, proto);
3658 			 *
3659 			 * here; for now, we don't, as per the above.
3660 			 * I don't know whether it's worth the extra CPU
3661 			 * time to do the right check or not.
3662 			 */
3663 			return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3664 		}
3665 	}
3666 }
3667 
3668 static struct block *
3669 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3670 	bpf_u_int32 addr;
3671 	bpf_u_int32 mask;
3672 	int dir, proto;
3673 	u_int src_off, dst_off;
3674 {
3675 	struct block *b0, *b1;
3676 	u_int offset;
3677 
3678 	switch (dir) {
3679 
3680 	case Q_SRC:
3681 		offset = src_off;
3682 		break;
3683 
3684 	case Q_DST:
3685 		offset = dst_off;
3686 		break;
3687 
3688 	case Q_AND:
3689 		b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3690 		b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3691 		gen_and(b0, b1);
3692 		return b1;
3693 
3694 	case Q_OR:
3695 	case Q_DEFAULT:
3696 		b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3697 		b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3698 		gen_or(b0, b1);
3699 		return b1;
3700 
3701 	default:
3702 		abort();
3703 	}
3704 	b0 = gen_linktype(proto);
3705 	b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3706 	gen_and(b0, b1);
3707 	return b1;
3708 }
3709 
3710 #ifdef INET6
3711 static struct block *
3712 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3713 	struct in6_addr *addr;
3714 	struct in6_addr *mask;
3715 	int dir, proto;
3716 	u_int src_off, dst_off;
3717 {
3718 	struct block *b0, *b1;
3719 	u_int offset;
3720 	u_int32_t *a, *m;
3721 
3722 	switch (dir) {
3723 
3724 	case Q_SRC:
3725 		offset = src_off;
3726 		break;
3727 
3728 	case Q_DST:
3729 		offset = dst_off;
3730 		break;
3731 
3732 	case Q_AND:
3733 		b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3734 		b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3735 		gen_and(b0, b1);
3736 		return b1;
3737 
3738 	case Q_OR:
3739 	case Q_DEFAULT:
3740 		b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3741 		b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3742 		gen_or(b0, b1);
3743 		return b1;
3744 
3745 	default:
3746 		abort();
3747 	}
3748 	/* this order is important */
3749 	a = (u_int32_t *)addr;
3750 	m = (u_int32_t *)mask;
3751 	b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3752 	b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3753 	gen_and(b0, b1);
3754 	b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3755 	gen_and(b0, b1);
3756 	b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3757 	gen_and(b0, b1);
3758 	b0 = gen_linktype(proto);
3759 	gen_and(b0, b1);
3760 	return b1;
3761 }
3762 #endif /*INET6*/
3763 
3764 static struct block *
3765 gen_ehostop(eaddr, dir)
3766 	register const u_char *eaddr;
3767 	register int dir;
3768 {
3769 	register struct block *b0, *b1;
3770 
3771 	switch (dir) {
3772 	case Q_SRC:
3773 		return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3774 
3775 	case Q_DST:
3776 		return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3777 
3778 	case Q_AND:
3779 		b0 = gen_ehostop(eaddr, Q_SRC);
3780 		b1 = gen_ehostop(eaddr, Q_DST);
3781 		gen_and(b0, b1);
3782 		return b1;
3783 
3784 	case Q_DEFAULT:
3785 	case Q_OR:
3786 		b0 = gen_ehostop(eaddr, Q_SRC);
3787 		b1 = gen_ehostop(eaddr, Q_DST);
3788 		gen_or(b0, b1);
3789 		return b1;
3790 	}
3791 	abort();
3792 	/* NOTREACHED */
3793 }
3794 
3795 /*
3796  * Like gen_ehostop, but for DLT_FDDI
3797  */
3798 static struct block *
3799 gen_fhostop(eaddr, dir)
3800 	register const u_char *eaddr;
3801 	register int dir;
3802 {
3803 	struct block *b0, *b1;
3804 
3805 	switch (dir) {
3806 	case Q_SRC:
3807 #ifdef PCAP_FDDIPAD
3808 		return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3809 #else
3810 		return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3811 #endif
3812 
3813 	case Q_DST:
3814 #ifdef PCAP_FDDIPAD
3815 		return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3816 #else
3817 		return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3818 #endif
3819 
3820 	case Q_AND:
3821 		b0 = gen_fhostop(eaddr, Q_SRC);
3822 		b1 = gen_fhostop(eaddr, Q_DST);
3823 		gen_and(b0, b1);
3824 		return b1;
3825 
3826 	case Q_DEFAULT:
3827 	case Q_OR:
3828 		b0 = gen_fhostop(eaddr, Q_SRC);
3829 		b1 = gen_fhostop(eaddr, Q_DST);
3830 		gen_or(b0, b1);
3831 		return b1;
3832 	}
3833 	abort();
3834 	/* NOTREACHED */
3835 }
3836 
3837 /*
3838  * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3839  */
3840 static struct block *
3841 gen_thostop(eaddr, dir)
3842 	register const u_char *eaddr;
3843 	register int dir;
3844 {
3845 	register struct block *b0, *b1;
3846 
3847 	switch (dir) {
3848 	case Q_SRC:
3849 		return gen_bcmp(OR_LINK, 8, 6, eaddr);
3850 
3851 	case Q_DST:
3852 		return gen_bcmp(OR_LINK, 2, 6, eaddr);
3853 
3854 	case Q_AND:
3855 		b0 = gen_thostop(eaddr, Q_SRC);
3856 		b1 = gen_thostop(eaddr, Q_DST);
3857 		gen_and(b0, b1);
3858 		return b1;
3859 
3860 	case Q_DEFAULT:
3861 	case Q_OR:
3862 		b0 = gen_thostop(eaddr, Q_SRC);
3863 		b1 = gen_thostop(eaddr, Q_DST);
3864 		gen_or(b0, b1);
3865 		return b1;
3866 	}
3867 	abort();
3868 	/* NOTREACHED */
3869 }
3870 
3871 /*
3872  * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3873  * various 802.11 + radio headers.
3874  */
3875 static struct block *
3876 gen_wlanhostop(eaddr, dir)
3877 	register const u_char *eaddr;
3878 	register int dir;
3879 {
3880 	register struct block *b0, *b1, *b2;
3881 	register struct slist *s;
3882 
3883 #ifdef ENABLE_WLAN_FILTERING_PATCH
3884 	/*
3885 	 * TODO GV 20070613
3886 	 * We need to disable the optimizer because the optimizer is buggy
3887 	 * and wipes out some LD instructions generated by the below
3888 	 * code to validate the Frame Control bits
3889 	 */
3890 	no_optimize = 1;
3891 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3892 
3893 	switch (dir) {
3894 	case Q_SRC:
3895 		/*
3896 		 * Oh, yuk.
3897 		 *
3898 		 *	For control frames, there is no SA.
3899 		 *
3900 		 *	For management frames, SA is at an
3901 		 *	offset of 10 from the beginning of
3902 		 *	the packet.
3903 		 *
3904 		 *	For data frames, SA is at an offset
3905 		 *	of 10 from the beginning of the packet
3906 		 *	if From DS is clear, at an offset of
3907 		 *	16 from the beginning of the packet
3908 		 *	if From DS is set and To DS is clear,
3909 		 *	and an offset of 24 from the beginning
3910 		 *	of the packet if From DS is set and To DS
3911 		 *	is set.
3912 		 */
3913 
3914 		/*
3915 		 * Generate the tests to be done for data frames
3916 		 * with From DS set.
3917 		 *
3918 		 * First, check for To DS set, i.e. check "link[1] & 0x01".
3919 		 */
3920 		s = gen_load_a(OR_LINK, 1, BPF_B);
3921 		b1 = new_block(JMP(BPF_JSET));
3922 		b1->s.k = 0x01;	/* To DS */
3923 		b1->stmts = s;
3924 
3925 		/*
3926 		 * If To DS is set, the SA is at 24.
3927 		 */
3928 		b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3929 		gen_and(b1, b0);
3930 
3931 		/*
3932 		 * Now, check for To DS not set, i.e. check
3933 		 * "!(link[1] & 0x01)".
3934 		 */
3935 		s = gen_load_a(OR_LINK, 1, BPF_B);
3936 		b2 = new_block(JMP(BPF_JSET));
3937 		b2->s.k = 0x01;	/* To DS */
3938 		b2->stmts = s;
3939 		gen_not(b2);
3940 
3941 		/*
3942 		 * If To DS is not set, the SA is at 16.
3943 		 */
3944 		b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3945 		gen_and(b2, b1);
3946 
3947 		/*
3948 		 * Now OR together the last two checks.  That gives
3949 		 * the complete set of checks for data frames with
3950 		 * From DS set.
3951 		 */
3952 		gen_or(b1, b0);
3953 
3954 		/*
3955 		 * Now check for From DS being set, and AND that with
3956 		 * the ORed-together checks.
3957 		 */
3958 		s = gen_load_a(OR_LINK, 1, BPF_B);
3959 		b1 = new_block(JMP(BPF_JSET));
3960 		b1->s.k = 0x02;	/* From DS */
3961 		b1->stmts = s;
3962 		gen_and(b1, b0);
3963 
3964 		/*
3965 		 * Now check for data frames with From DS not set.
3966 		 */
3967 		s = gen_load_a(OR_LINK, 1, BPF_B);
3968 		b2 = new_block(JMP(BPF_JSET));
3969 		b2->s.k = 0x02;	/* From DS */
3970 		b2->stmts = s;
3971 		gen_not(b2);
3972 
3973 		/*
3974 		 * If From DS isn't set, the SA is at 10.
3975 		 */
3976 		b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3977 		gen_and(b2, b1);
3978 
3979 		/*
3980 		 * Now OR together the checks for data frames with
3981 		 * From DS not set and for data frames with From DS
3982 		 * set; that gives the checks done for data frames.
3983 		 */
3984 		gen_or(b1, b0);
3985 
3986 		/*
3987 		 * Now check for a data frame.
3988 		 * I.e, check "link[0] & 0x08".
3989 		 */
3990 		s = gen_load_a(OR_LINK, 0, BPF_B);
3991 		b1 = new_block(JMP(BPF_JSET));
3992 		b1->s.k = 0x08;
3993 		b1->stmts = s;
3994 
3995 		/*
3996 		 * AND that with the checks done for data frames.
3997 		 */
3998 		gen_and(b1, b0);
3999 
4000 		/*
4001 		 * If the high-order bit of the type value is 0, this
4002 		 * is a management frame.
4003 		 * I.e, check "!(link[0] & 0x08)".
4004 		 */
4005 		s = gen_load_a(OR_LINK, 0, BPF_B);
4006 		b2 = new_block(JMP(BPF_JSET));
4007 		b2->s.k = 0x08;
4008 		b2->stmts = s;
4009 		gen_not(b2);
4010 
4011 		/*
4012 		 * For management frames, the SA is at 10.
4013 		 */
4014 		b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4015 		gen_and(b2, b1);
4016 
4017 		/*
4018 		 * OR that with the checks done for data frames.
4019 		 * That gives the checks done for management and
4020 		 * data frames.
4021 		 */
4022 		gen_or(b1, b0);
4023 
4024 		/*
4025 		 * If the low-order bit of the type value is 1,
4026 		 * this is either a control frame or a frame
4027 		 * with a reserved type, and thus not a
4028 		 * frame with an SA.
4029 		 *
4030 		 * I.e., check "!(link[0] & 0x04)".
4031 		 */
4032 		s = gen_load_a(OR_LINK, 0, BPF_B);
4033 		b1 = new_block(JMP(BPF_JSET));
4034 		b1->s.k = 0x04;
4035 		b1->stmts = s;
4036 		gen_not(b1);
4037 
4038 		/*
4039 		 * AND that with the checks for data and management
4040 		 * frames.
4041 		 */
4042 		gen_and(b1, b0);
4043 		return b0;
4044 
4045 	case Q_DST:
4046 		/*
4047 		 * Oh, yuk.
4048 		 *
4049 		 *	For control frames, there is no DA.
4050 		 *
4051 		 *	For management frames, DA is at an
4052 		 *	offset of 4 from the beginning of
4053 		 *	the packet.
4054 		 *
4055 		 *	For data frames, DA is at an offset
4056 		 *	of 4 from the beginning of the packet
4057 		 *	if To DS is clear and at an offset of
4058 		 *	16 from the beginning of the packet
4059 		 *	if To DS is set.
4060 		 */
4061 
4062 		/*
4063 		 * Generate the tests to be done for data frames.
4064 		 *
4065 		 * First, check for To DS set, i.e. "link[1] & 0x01".
4066 		 */
4067 		s = gen_load_a(OR_LINK, 1, BPF_B);
4068 		b1 = new_block(JMP(BPF_JSET));
4069 		b1->s.k = 0x01;	/* To DS */
4070 		b1->stmts = s;
4071 
4072 		/*
4073 		 * If To DS is set, the DA is at 16.
4074 		 */
4075 		b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4076 		gen_and(b1, b0);
4077 
4078 		/*
4079 		 * Now, check for To DS not set, i.e. check
4080 		 * "!(link[1] & 0x01)".
4081 		 */
4082 		s = gen_load_a(OR_LINK, 1, BPF_B);
4083 		b2 = new_block(JMP(BPF_JSET));
4084 		b2->s.k = 0x01;	/* To DS */
4085 		b2->stmts = s;
4086 		gen_not(b2);
4087 
4088 		/*
4089 		 * If To DS is not set, the DA is at 4.
4090 		 */
4091 		b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4092 		gen_and(b2, b1);
4093 
4094 		/*
4095 		 * Now OR together the last two checks.  That gives
4096 		 * the complete set of checks for data frames.
4097 		 */
4098 		gen_or(b1, b0);
4099 
4100 		/*
4101 		 * Now check for a data frame.
4102 		 * I.e, check "link[0] & 0x08".
4103 		 */
4104 		s = gen_load_a(OR_LINK, 0, BPF_B);
4105 		b1 = new_block(JMP(BPF_JSET));
4106 		b1->s.k = 0x08;
4107 		b1->stmts = s;
4108 
4109 		/*
4110 		 * AND that with the checks done for data frames.
4111 		 */
4112 		gen_and(b1, b0);
4113 
4114 		/*
4115 		 * If the high-order bit of the type value is 0, this
4116 		 * is a management frame.
4117 		 * I.e, check "!(link[0] & 0x08)".
4118 		 */
4119 		s = gen_load_a(OR_LINK, 0, BPF_B);
4120 		b2 = new_block(JMP(BPF_JSET));
4121 		b2->s.k = 0x08;
4122 		b2->stmts = s;
4123 		gen_not(b2);
4124 
4125 		/*
4126 		 * For management frames, the DA is at 4.
4127 		 */
4128 		b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4129 		gen_and(b2, b1);
4130 
4131 		/*
4132 		 * OR that with the checks done for data frames.
4133 		 * That gives the checks done for management and
4134 		 * data frames.
4135 		 */
4136 		gen_or(b1, b0);
4137 
4138 		/*
4139 		 * If the low-order bit of the type value is 1,
4140 		 * this is either a control frame or a frame
4141 		 * with a reserved type, and thus not a
4142 		 * frame with an SA.
4143 		 *
4144 		 * I.e., check "!(link[0] & 0x04)".
4145 		 */
4146 		s = gen_load_a(OR_LINK, 0, BPF_B);
4147 		b1 = new_block(JMP(BPF_JSET));
4148 		b1->s.k = 0x04;
4149 		b1->stmts = s;
4150 		gen_not(b1);
4151 
4152 		/*
4153 		 * AND that with the checks for data and management
4154 		 * frames.
4155 		 */
4156 		gen_and(b1, b0);
4157 		return b0;
4158 
4159 	/*
4160 	 * XXX - add RA, TA, and BSSID keywords?
4161 	 */
4162 	case Q_ADDR1:
4163 		return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4164 
4165 	case Q_ADDR2:
4166 		/*
4167 		 * Not present in CTS or ACK control frames.
4168 		 */
4169 		b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4170 			IEEE80211_FC0_TYPE_MASK);
4171 		gen_not(b0);
4172 		b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4173 			IEEE80211_FC0_SUBTYPE_MASK);
4174 		gen_not(b1);
4175 		b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4176 			IEEE80211_FC0_SUBTYPE_MASK);
4177 		gen_not(b2);
4178 		gen_and(b1, b2);
4179 		gen_or(b0, b2);
4180 		b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4181 		gen_and(b2, b1);
4182 		return b1;
4183 
4184 	case Q_ADDR3:
4185 		/*
4186 		 * Not present in control frames.
4187 		 */
4188 		b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4189 			IEEE80211_FC0_TYPE_MASK);
4190 		gen_not(b0);
4191 		b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4192 		gen_and(b0, b1);
4193 		return b1;
4194 
4195 	case Q_ADDR4:
4196 		/*
4197 		 * Present only if the direction mask has both "From DS"
4198 		 * and "To DS" set.  Neither control frames nor management
4199 		 * frames should have both of those set, so we don't
4200 		 * check the frame type.
4201 		 */
4202 		b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4203 			IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4204 		b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4205 		gen_and(b0, b1);
4206 		return b1;
4207 
4208 	case Q_AND:
4209 		b0 = gen_wlanhostop(eaddr, Q_SRC);
4210 		b1 = gen_wlanhostop(eaddr, Q_DST);
4211 		gen_and(b0, b1);
4212 		return b1;
4213 
4214 	case Q_DEFAULT:
4215 	case Q_OR:
4216 		b0 = gen_wlanhostop(eaddr, Q_SRC);
4217 		b1 = gen_wlanhostop(eaddr, Q_DST);
4218 		gen_or(b0, b1);
4219 		return b1;
4220 	}
4221 	abort();
4222 	/* NOTREACHED */
4223 }
4224 
4225 /*
4226  * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4227  * (We assume that the addresses are IEEE 48-bit MAC addresses,
4228  * as the RFC states.)
4229  */
4230 static struct block *
4231 gen_ipfchostop(eaddr, dir)
4232 	register const u_char *eaddr;
4233 	register int dir;
4234 {
4235 	register struct block *b0, *b1;
4236 
4237 	switch (dir) {
4238 	case Q_SRC:
4239 		return gen_bcmp(OR_LINK, 10, 6, eaddr);
4240 
4241 	case Q_DST:
4242 		return gen_bcmp(OR_LINK, 2, 6, eaddr);
4243 
4244 	case Q_AND:
4245 		b0 = gen_ipfchostop(eaddr, Q_SRC);
4246 		b1 = gen_ipfchostop(eaddr, Q_DST);
4247 		gen_and(b0, b1);
4248 		return b1;
4249 
4250 	case Q_DEFAULT:
4251 	case Q_OR:
4252 		b0 = gen_ipfchostop(eaddr, Q_SRC);
4253 		b1 = gen_ipfchostop(eaddr, Q_DST);
4254 		gen_or(b0, b1);
4255 		return b1;
4256 	}
4257 	abort();
4258 	/* NOTREACHED */
4259 }
4260 
4261 /*
4262  * This is quite tricky because there may be pad bytes in front of the
4263  * DECNET header, and then there are two possible data packet formats that
4264  * carry both src and dst addresses, plus 5 packet types in a format that
4265  * carries only the src node, plus 2 types that use a different format and
4266  * also carry just the src node.
4267  *
4268  * Yuck.
4269  *
4270  * Instead of doing those all right, we just look for data packets with
4271  * 0 or 1 bytes of padding.  If you want to look at other packets, that
4272  * will require a lot more hacking.
4273  *
4274  * To add support for filtering on DECNET "areas" (network numbers)
4275  * one would want to add a "mask" argument to this routine.  That would
4276  * make the filter even more inefficient, although one could be clever
4277  * and not generate masking instructions if the mask is 0xFFFF.
4278  */
4279 static struct block *
4280 gen_dnhostop(addr, dir)
4281 	bpf_u_int32 addr;
4282 	int dir;
4283 {
4284 	struct block *b0, *b1, *b2, *tmp;
4285 	u_int offset_lh;	/* offset if long header is received */
4286 	u_int offset_sh;	/* offset if short header is received */
4287 
4288 	switch (dir) {
4289 
4290 	case Q_DST:
4291 		offset_sh = 1;	/* follows flags */
4292 		offset_lh = 7;	/* flgs,darea,dsubarea,HIORD */
4293 		break;
4294 
4295 	case Q_SRC:
4296 		offset_sh = 3;	/* follows flags, dstnode */
4297 		offset_lh = 15;	/* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4298 		break;
4299 
4300 	case Q_AND:
4301 		/* Inefficient because we do our Calvinball dance twice */
4302 		b0 = gen_dnhostop(addr, Q_SRC);
4303 		b1 = gen_dnhostop(addr, Q_DST);
4304 		gen_and(b0, b1);
4305 		return b1;
4306 
4307 	case Q_OR:
4308 	case Q_DEFAULT:
4309 		/* Inefficient because we do our Calvinball dance twice */
4310 		b0 = gen_dnhostop(addr, Q_SRC);
4311 		b1 = gen_dnhostop(addr, Q_DST);
4312 		gen_or(b0, b1);
4313 		return b1;
4314 
4315 	case Q_ISO:
4316 		bpf_error("ISO host filtering not implemented");
4317 
4318 	default:
4319 		abort();
4320 	}
4321 	b0 = gen_linktype(ETHERTYPE_DN);
4322 	/* Check for pad = 1, long header case */
4323 	tmp = gen_mcmp(OR_NET, 2, BPF_H,
4324 	    (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4325 	b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4326 	    BPF_H, (bpf_int32)ntohs((u_short)addr));
4327 	gen_and(tmp, b1);
4328 	/* Check for pad = 0, long header case */
4329 	tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4330 	b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4331 	gen_and(tmp, b2);
4332 	gen_or(b2, b1);
4333 	/* Check for pad = 1, short header case */
4334 	tmp = gen_mcmp(OR_NET, 2, BPF_H,
4335 	    (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4336 	b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4337 	gen_and(tmp, b2);
4338 	gen_or(b2, b1);
4339 	/* Check for pad = 0, short header case */
4340 	tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4341 	b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4342 	gen_and(tmp, b2);
4343 	gen_or(b2, b1);
4344 
4345 	/* Combine with test for linktype */
4346 	gen_and(b0, b1);
4347 	return b1;
4348 }
4349 
4350 /*
4351  * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4352  * test the bottom-of-stack bit, and then check the version number
4353  * field in the IP header.
4354  */
4355 static struct block *
4356 gen_mpls_linktype(proto)
4357 	int proto;
4358 {
4359 	struct block *b0, *b1;
4360 
4361         switch (proto) {
4362 
4363         case Q_IP:
4364                 /* match the bottom-of-stack bit */
4365                 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4366                 /* match the IPv4 version number */
4367                 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4368                 gen_and(b0, b1);
4369                 return b1;
4370 
4371        case Q_IPV6:
4372                 /* match the bottom-of-stack bit */
4373                 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4374                 /* match the IPv4 version number */
4375                 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4376                 gen_and(b0, b1);
4377                 return b1;
4378 
4379        default:
4380                 abort();
4381         }
4382 }
4383 
4384 static struct block *
4385 gen_host(addr, mask, proto, dir, type)
4386 	bpf_u_int32 addr;
4387 	bpf_u_int32 mask;
4388 	int proto;
4389 	int dir;
4390 	int type;
4391 {
4392 	struct block *b0, *b1;
4393 	const char *typestr;
4394 
4395 	if (type == Q_NET)
4396 		typestr = "net";
4397 	else
4398 		typestr = "host";
4399 
4400 	switch (proto) {
4401 
4402 	case Q_DEFAULT:
4403 		b0 = gen_host(addr, mask, Q_IP, dir, type);
4404 		/*
4405 		 * Only check for non-IPv4 addresses if we're not
4406 		 * checking MPLS-encapsulated packets.
4407 		 */
4408 		if (label_stack_depth == 0) {
4409 			b1 = gen_host(addr, mask, Q_ARP, dir, type);
4410 			gen_or(b0, b1);
4411 			b0 = gen_host(addr, mask, Q_RARP, dir, type);
4412 			gen_or(b1, b0);
4413 		}
4414 		return b0;
4415 
4416 	case Q_IP:
4417 		return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4418 
4419 	case Q_RARP:
4420 		return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4421 
4422 	case Q_ARP:
4423 		return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4424 
4425 	case Q_TCP:
4426 		bpf_error("'tcp' modifier applied to %s", typestr);
4427 
4428 	case Q_SCTP:
4429 		bpf_error("'sctp' modifier applied to %s", typestr);
4430 
4431 	case Q_UDP:
4432 		bpf_error("'udp' modifier applied to %s", typestr);
4433 
4434 	case Q_ICMP:
4435 		bpf_error("'icmp' modifier applied to %s", typestr);
4436 
4437 	case Q_IGMP:
4438 		bpf_error("'igmp' modifier applied to %s", typestr);
4439 
4440 	case Q_IGRP:
4441 		bpf_error("'igrp' modifier applied to %s", typestr);
4442 
4443 	case Q_PIM:
4444 		bpf_error("'pim' modifier applied to %s", typestr);
4445 
4446 	case Q_VRRP:
4447 		bpf_error("'vrrp' modifier applied to %s", typestr);
4448 
4449 	case Q_ATALK:
4450 		bpf_error("ATALK host filtering not implemented");
4451 
4452 	case Q_AARP:
4453 		bpf_error("AARP host filtering not implemented");
4454 
4455 	case Q_DECNET:
4456 		return gen_dnhostop(addr, dir);
4457 
4458 	case Q_SCA:
4459 		bpf_error("SCA host filtering not implemented");
4460 
4461 	case Q_LAT:
4462 		bpf_error("LAT host filtering not implemented");
4463 
4464 	case Q_MOPDL:
4465 		bpf_error("MOPDL host filtering not implemented");
4466 
4467 	case Q_MOPRC:
4468 		bpf_error("MOPRC host filtering not implemented");
4469 
4470 #ifdef INET6
4471 	case Q_IPV6:
4472 		bpf_error("'ip6' modifier applied to ip host");
4473 
4474 	case Q_ICMPV6:
4475 		bpf_error("'icmp6' modifier applied to %s", typestr);
4476 #endif /* INET6 */
4477 
4478 	case Q_AH:
4479 		bpf_error("'ah' modifier applied to %s", typestr);
4480 
4481 	case Q_ESP:
4482 		bpf_error("'esp' modifier applied to %s", typestr);
4483 
4484 	case Q_ISO:
4485 		bpf_error("ISO host filtering not implemented");
4486 
4487 	case Q_ESIS:
4488 		bpf_error("'esis' modifier applied to %s", typestr);
4489 
4490 	case Q_ISIS:
4491 		bpf_error("'isis' modifier applied to %s", typestr);
4492 
4493 	case Q_CLNP:
4494 		bpf_error("'clnp' modifier applied to %s", typestr);
4495 
4496 	case Q_STP:
4497 		bpf_error("'stp' modifier applied to %s", typestr);
4498 
4499 	case Q_IPX:
4500 		bpf_error("IPX host filtering not implemented");
4501 
4502 	case Q_NETBEUI:
4503 		bpf_error("'netbeui' modifier applied to %s", typestr);
4504 
4505 	case Q_RADIO:
4506 		bpf_error("'radio' modifier applied to %s", typestr);
4507 
4508 	default:
4509 		abort();
4510 	}
4511 	/* NOTREACHED */
4512 }
4513 
4514 #ifdef INET6
4515 static struct block *
4516 gen_host6(addr, mask, proto, dir, type)
4517 	struct in6_addr *addr;
4518 	struct in6_addr *mask;
4519 	int proto;
4520 	int dir;
4521 	int type;
4522 {
4523 	const char *typestr;
4524 
4525 	if (type == Q_NET)
4526 		typestr = "net";
4527 	else
4528 		typestr = "host";
4529 
4530 	switch (proto) {
4531 
4532 	case Q_DEFAULT:
4533 		return gen_host6(addr, mask, Q_IPV6, dir, type);
4534 
4535 	case Q_IP:
4536 		bpf_error("'ip' modifier applied to ip6 %s", typestr);
4537 
4538 	case Q_RARP:
4539 		bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4540 
4541 	case Q_ARP:
4542 		bpf_error("'arp' modifier applied to ip6 %s", typestr);
4543 
4544 	case Q_SCTP:
4545 		bpf_error("'sctp' modifier applied to %s", typestr);
4546 
4547 	case Q_TCP:
4548 		bpf_error("'tcp' modifier applied to %s", typestr);
4549 
4550 	case Q_UDP:
4551 		bpf_error("'udp' modifier applied to %s", typestr);
4552 
4553 	case Q_ICMP:
4554 		bpf_error("'icmp' modifier applied to %s", typestr);
4555 
4556 	case Q_IGMP:
4557 		bpf_error("'igmp' modifier applied to %s", typestr);
4558 
4559 	case Q_IGRP:
4560 		bpf_error("'igrp' modifier applied to %s", typestr);
4561 
4562 	case Q_PIM:
4563 		bpf_error("'pim' modifier applied to %s", typestr);
4564 
4565 	case Q_VRRP:
4566 		bpf_error("'vrrp' modifier applied to %s", typestr);
4567 
4568 	case Q_ATALK:
4569 		bpf_error("ATALK host filtering not implemented");
4570 
4571 	case Q_AARP:
4572 		bpf_error("AARP host filtering not implemented");
4573 
4574 	case Q_DECNET:
4575 		bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4576 
4577 	case Q_SCA:
4578 		bpf_error("SCA host filtering not implemented");
4579 
4580 	case Q_LAT:
4581 		bpf_error("LAT host filtering not implemented");
4582 
4583 	case Q_MOPDL:
4584 		bpf_error("MOPDL host filtering not implemented");
4585 
4586 	case Q_MOPRC:
4587 		bpf_error("MOPRC host filtering not implemented");
4588 
4589 	case Q_IPV6:
4590 		return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4591 
4592 	case Q_ICMPV6:
4593 		bpf_error("'icmp6' modifier applied to %s", typestr);
4594 
4595 	case Q_AH:
4596 		bpf_error("'ah' modifier applied to %s", typestr);
4597 
4598 	case Q_ESP:
4599 		bpf_error("'esp' modifier applied to %s", typestr);
4600 
4601 	case Q_ISO:
4602 		bpf_error("ISO host filtering not implemented");
4603 
4604 	case Q_ESIS:
4605 		bpf_error("'esis' modifier applied to %s", typestr);
4606 
4607 	case Q_ISIS:
4608 		bpf_error("'isis' modifier applied to %s", typestr);
4609 
4610 	case Q_CLNP:
4611 		bpf_error("'clnp' modifier applied to %s", typestr);
4612 
4613 	case Q_STP:
4614 		bpf_error("'stp' modifier applied to %s", typestr);
4615 
4616 	case Q_IPX:
4617 		bpf_error("IPX host filtering not implemented");
4618 
4619 	case Q_NETBEUI:
4620 		bpf_error("'netbeui' modifier applied to %s", typestr);
4621 
4622 	case Q_RADIO:
4623 		bpf_error("'radio' modifier applied to %s", typestr);
4624 
4625 	default:
4626 		abort();
4627 	}
4628 	/* NOTREACHED */
4629 }
4630 #endif /*INET6*/
4631 
4632 #ifndef INET6
4633 static struct block *
4634 gen_gateway(eaddr, alist, proto, dir)
4635 	const u_char *eaddr;
4636 	bpf_u_int32 **alist;
4637 	int proto;
4638 	int dir;
4639 {
4640 	struct block *b0, *b1, *tmp;
4641 
4642 	if (dir != 0)
4643 		bpf_error("direction applied to 'gateway'");
4644 
4645 	switch (proto) {
4646 	case Q_DEFAULT:
4647 	case Q_IP:
4648 	case Q_ARP:
4649 	case Q_RARP:
4650 		switch (linktype) {
4651 		case DLT_EN10MB:
4652 			b0 = gen_ehostop(eaddr, Q_OR);
4653 			break;
4654 		case DLT_FDDI:
4655 			b0 = gen_fhostop(eaddr, Q_OR);
4656 			break;
4657 		case DLT_IEEE802:
4658 			b0 = gen_thostop(eaddr, Q_OR);
4659 			break;
4660 		case DLT_IEEE802_11:
4661 		case DLT_PRISM_HEADER:
4662 		case DLT_IEEE802_11_RADIO_AVS:
4663 		case DLT_IEEE802_11_RADIO:
4664 		case DLT_PPI:
4665 			b0 = gen_wlanhostop(eaddr, Q_OR);
4666 			break;
4667 		case DLT_SUNATM:
4668 			if (!is_lane)
4669 				bpf_error(
4670 				    "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4671 			/*
4672 			 * Check that the packet doesn't begin with an
4673 			 * LE Control marker.  (We've already generated
4674 			 * a test for LANE.)
4675 			 */
4676 			b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4677 			    BPF_H, 0xFF00);
4678 			gen_not(b1);
4679 
4680 			/*
4681 			 * Now check the MAC address.
4682 			 */
4683 			b0 = gen_ehostop(eaddr, Q_OR);
4684 			gen_and(b1, b0);
4685 			break;
4686 		case DLT_IP_OVER_FC:
4687 			b0 = gen_ipfchostop(eaddr, Q_OR);
4688 			break;
4689 		default:
4690 			bpf_error(
4691 			    "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4692 		}
4693 		b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4694 		while (*alist) {
4695 			tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4696 			    Q_HOST);
4697 			gen_or(b1, tmp);
4698 			b1 = tmp;
4699 		}
4700 		gen_not(b1);
4701 		gen_and(b0, b1);
4702 		return b1;
4703 	}
4704 	bpf_error("illegal modifier of 'gateway'");
4705 	/* NOTREACHED */
4706 }
4707 #endif
4708 
4709 struct block *
4710 gen_proto_abbrev(proto)
4711 	int proto;
4712 {
4713 	struct block *b0;
4714 	struct block *b1;
4715 
4716 	switch (proto) {
4717 
4718 	case Q_SCTP:
4719 		b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4720 #ifdef INET6
4721 		b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4722 		gen_or(b0, b1);
4723 #endif
4724 		break;
4725 
4726 	case Q_TCP:
4727 		b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4728 #ifdef INET6
4729 		b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4730 		gen_or(b0, b1);
4731 #endif
4732 		break;
4733 
4734 	case Q_UDP:
4735 		b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4736 #ifdef INET6
4737 		b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4738 		gen_or(b0, b1);
4739 #endif
4740 		break;
4741 
4742 	case Q_ICMP:
4743 		b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4744 		break;
4745 
4746 #ifndef	IPPROTO_IGMP
4747 #define	IPPROTO_IGMP	2
4748 #endif
4749 
4750 	case Q_IGMP:
4751 		b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4752 		break;
4753 
4754 #ifndef	IPPROTO_IGRP
4755 #define	IPPROTO_IGRP	9
4756 #endif
4757 	case Q_IGRP:
4758 		b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4759 		break;
4760 
4761 #ifndef IPPROTO_PIM
4762 #define IPPROTO_PIM	103
4763 #endif
4764 
4765 	case Q_PIM:
4766 		b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4767 #ifdef INET6
4768 		b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4769 		gen_or(b0, b1);
4770 #endif
4771 		break;
4772 
4773 #ifndef IPPROTO_VRRP
4774 #define IPPROTO_VRRP	112
4775 #endif
4776 
4777 	case Q_VRRP:
4778 		b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4779 		break;
4780 
4781 	case Q_IP:
4782 		b1 =  gen_linktype(ETHERTYPE_IP);
4783 		break;
4784 
4785 	case Q_ARP:
4786 		b1 =  gen_linktype(ETHERTYPE_ARP);
4787 		break;
4788 
4789 	case Q_RARP:
4790 		b1 =  gen_linktype(ETHERTYPE_REVARP);
4791 		break;
4792 
4793 	case Q_LINK:
4794 		bpf_error("link layer applied in wrong context");
4795 
4796 	case Q_ATALK:
4797 		b1 =  gen_linktype(ETHERTYPE_ATALK);
4798 		break;
4799 
4800 	case Q_AARP:
4801 		b1 =  gen_linktype(ETHERTYPE_AARP);
4802 		break;
4803 
4804 	case Q_DECNET:
4805 		b1 =  gen_linktype(ETHERTYPE_DN);
4806 		break;
4807 
4808 	case Q_SCA:
4809 		b1 =  gen_linktype(ETHERTYPE_SCA);
4810 		break;
4811 
4812 	case Q_LAT:
4813 		b1 =  gen_linktype(ETHERTYPE_LAT);
4814 		break;
4815 
4816 	case Q_MOPDL:
4817 		b1 =  gen_linktype(ETHERTYPE_MOPDL);
4818 		break;
4819 
4820 	case Q_MOPRC:
4821 		b1 =  gen_linktype(ETHERTYPE_MOPRC);
4822 		break;
4823 
4824 #ifdef INET6
4825 	case Q_IPV6:
4826 		b1 = gen_linktype(ETHERTYPE_IPV6);
4827 		break;
4828 
4829 #ifndef IPPROTO_ICMPV6
4830 #define IPPROTO_ICMPV6	58
4831 #endif
4832 	case Q_ICMPV6:
4833 		b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4834 		break;
4835 #endif /* INET6 */
4836 
4837 #ifndef IPPROTO_AH
4838 #define IPPROTO_AH	51
4839 #endif
4840 	case Q_AH:
4841 		b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4842 #ifdef INET6
4843 		b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4844 		gen_or(b0, b1);
4845 #endif
4846 		break;
4847 
4848 #ifndef IPPROTO_ESP
4849 #define IPPROTO_ESP	50
4850 #endif
4851 	case Q_ESP:
4852 		b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4853 #ifdef INET6
4854 		b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4855 		gen_or(b0, b1);
4856 #endif
4857 		break;
4858 
4859 	case Q_ISO:
4860 		b1 = gen_linktype(LLCSAP_ISONS);
4861 		break;
4862 
4863 	case Q_ESIS:
4864 		b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4865 		break;
4866 
4867 	case Q_ISIS:
4868 		b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4869 		break;
4870 
4871 	case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4872 		b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4873 		b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4874 		gen_or(b0, b1);
4875 		b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4876 		gen_or(b0, b1);
4877 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4878 		gen_or(b0, b1);
4879 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4880 		gen_or(b0, b1);
4881 		break;
4882 
4883 	case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4884 		b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4885 		b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4886 		gen_or(b0, b1);
4887 		b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4888 		gen_or(b0, b1);
4889 		b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4890 		gen_or(b0, b1);
4891 		b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4892 		gen_or(b0, b1);
4893 		break;
4894 
4895 	case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4896 		b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4897 		b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4898 		gen_or(b0, b1);
4899 		b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4900 		gen_or(b0, b1);
4901 		break;
4902 
4903 	case Q_ISIS_LSP:
4904 		b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4905 		b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4906 		gen_or(b0, b1);
4907 		break;
4908 
4909 	case Q_ISIS_SNP:
4910 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4911 		b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4912 		gen_or(b0, b1);
4913 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4914 		gen_or(b0, b1);
4915 		b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4916 		gen_or(b0, b1);
4917 		break;
4918 
4919 	case Q_ISIS_CSNP:
4920 		b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4921 		b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4922 		gen_or(b0, b1);
4923 		break;
4924 
4925 	case Q_ISIS_PSNP:
4926 		b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4927 		b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4928 		gen_or(b0, b1);
4929 		break;
4930 
4931 	case Q_CLNP:
4932 		b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4933 		break;
4934 
4935 	case Q_STP:
4936 		b1 = gen_linktype(LLCSAP_8021D);
4937 		break;
4938 
4939 	case Q_IPX:
4940 		b1 = gen_linktype(LLCSAP_IPX);
4941 		break;
4942 
4943 	case Q_NETBEUI:
4944 		b1 = gen_linktype(LLCSAP_NETBEUI);
4945 		break;
4946 
4947 	case Q_RADIO:
4948 		bpf_error("'radio' is not a valid protocol type");
4949 
4950 	default:
4951 		abort();
4952 	}
4953 	return b1;
4954 }
4955 
4956 static struct block *
4957 gen_ipfrag()
4958 {
4959 	struct slist *s;
4960 	struct block *b;
4961 
4962 	/* not ip frag */
4963 	s = gen_load_a(OR_NET, 6, BPF_H);
4964 	b = new_block(JMP(BPF_JSET));
4965 	b->s.k = 0x1fff;
4966 	b->stmts = s;
4967 	gen_not(b);
4968 
4969 	return b;
4970 }
4971 
4972 /*
4973  * Generate a comparison to a port value in the transport-layer header
4974  * at the specified offset from the beginning of that header.
4975  *
4976  * XXX - this handles a variable-length prefix preceding the link-layer
4977  * header, such as the radiotap or AVS radio prefix, but doesn't handle
4978  * variable-length link-layer headers (such as Token Ring or 802.11
4979  * headers).
4980  */
4981 static struct block *
4982 gen_portatom(off, v)
4983 	int off;
4984 	bpf_int32 v;
4985 {
4986 	return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
4987 }
4988 
4989 #ifdef INET6
4990 static struct block *
4991 gen_portatom6(off, v)
4992 	int off;
4993 	bpf_int32 v;
4994 {
4995 	return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
4996 }
4997 #endif/*INET6*/
4998 
4999 struct block *
5000 gen_portop(port, proto, dir)
5001 	int port, proto, dir;
5002 {
5003 	struct block *b0, *b1, *tmp;
5004 
5005 	/* ip proto 'proto' */
5006 	tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5007 	b0 = gen_ipfrag();
5008 	gen_and(tmp, b0);
5009 
5010 	switch (dir) {
5011 	case Q_SRC:
5012 		b1 = gen_portatom(0, (bpf_int32)port);
5013 		break;
5014 
5015 	case Q_DST:
5016 		b1 = gen_portatom(2, (bpf_int32)port);
5017 		break;
5018 
5019 	case Q_OR:
5020 	case Q_DEFAULT:
5021 		tmp = gen_portatom(0, (bpf_int32)port);
5022 		b1 = gen_portatom(2, (bpf_int32)port);
5023 		gen_or(tmp, b1);
5024 		break;
5025 
5026 	case Q_AND:
5027 		tmp = gen_portatom(0, (bpf_int32)port);
5028 		b1 = gen_portatom(2, (bpf_int32)port);
5029 		gen_and(tmp, b1);
5030 		break;
5031 
5032 	default:
5033 		abort();
5034 	}
5035 	gen_and(b0, b1);
5036 
5037 	return b1;
5038 }
5039 
5040 static struct block *
5041 gen_port(port, ip_proto, dir)
5042 	int port;
5043 	int ip_proto;
5044 	int dir;
5045 {
5046 	struct block *b0, *b1, *tmp;
5047 
5048 	/*
5049 	 * ether proto ip
5050 	 *
5051 	 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5052 	 * not LLC encapsulation with LLCSAP_IP.
5053 	 *
5054 	 * For IEEE 802 networks - which includes 802.5 token ring
5055 	 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5056 	 * says that SNAP encapsulation is used, not LLC encapsulation
5057 	 * with LLCSAP_IP.
5058 	 *
5059 	 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5060 	 * RFC 2225 say that SNAP encapsulation is used, not LLC
5061 	 * encapsulation with LLCSAP_IP.
5062 	 *
5063 	 * So we always check for ETHERTYPE_IP.
5064 	 */
5065 	b0 =  gen_linktype(ETHERTYPE_IP);
5066 
5067 	switch (ip_proto) {
5068 	case IPPROTO_UDP:
5069 	case IPPROTO_TCP:
5070 	case IPPROTO_SCTP:
5071 		b1 = gen_portop(port, ip_proto, dir);
5072 		break;
5073 
5074 	case PROTO_UNDEF:
5075 		tmp = gen_portop(port, IPPROTO_TCP, dir);
5076 		b1 = gen_portop(port, IPPROTO_UDP, dir);
5077 		gen_or(tmp, b1);
5078 		tmp = gen_portop(port, IPPROTO_SCTP, dir);
5079 		gen_or(tmp, b1);
5080 		break;
5081 
5082 	default:
5083 		abort();
5084 	}
5085 	gen_and(b0, b1);
5086 	return b1;
5087 }
5088 
5089 #ifdef INET6
5090 struct block *
5091 gen_portop6(port, proto, dir)
5092 	int port, proto, dir;
5093 {
5094 	struct block *b0, *b1, *tmp;
5095 
5096 	/* ip6 proto 'proto' */
5097 	b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5098 
5099 	switch (dir) {
5100 	case Q_SRC:
5101 		b1 = gen_portatom6(0, (bpf_int32)port);
5102 		break;
5103 
5104 	case Q_DST:
5105 		b1 = gen_portatom6(2, (bpf_int32)port);
5106 		break;
5107 
5108 	case Q_OR:
5109 	case Q_DEFAULT:
5110 		tmp = gen_portatom6(0, (bpf_int32)port);
5111 		b1 = gen_portatom6(2, (bpf_int32)port);
5112 		gen_or(tmp, b1);
5113 		break;
5114 
5115 	case Q_AND:
5116 		tmp = gen_portatom6(0, (bpf_int32)port);
5117 		b1 = gen_portatom6(2, (bpf_int32)port);
5118 		gen_and(tmp, b1);
5119 		break;
5120 
5121 	default:
5122 		abort();
5123 	}
5124 	gen_and(b0, b1);
5125 
5126 	return b1;
5127 }
5128 
5129 static struct block *
5130 gen_port6(port, ip_proto, dir)
5131 	int port;
5132 	int ip_proto;
5133 	int dir;
5134 {
5135 	struct block *b0, *b1, *tmp;
5136 
5137 	/* link proto ip6 */
5138 	b0 =  gen_linktype(ETHERTYPE_IPV6);
5139 
5140 	switch (ip_proto) {
5141 	case IPPROTO_UDP:
5142 	case IPPROTO_TCP:
5143 	case IPPROTO_SCTP:
5144 		b1 = gen_portop6(port, ip_proto, dir);
5145 		break;
5146 
5147 	case PROTO_UNDEF:
5148 		tmp = gen_portop6(port, IPPROTO_TCP, dir);
5149 		b1 = gen_portop6(port, IPPROTO_UDP, dir);
5150 		gen_or(tmp, b1);
5151 		tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5152 		gen_or(tmp, b1);
5153 		break;
5154 
5155 	default:
5156 		abort();
5157 	}
5158 	gen_and(b0, b1);
5159 	return b1;
5160 }
5161 #endif /* INET6 */
5162 
5163 /* gen_portrange code */
5164 static struct block *
5165 gen_portrangeatom(off, v1, v2)
5166 	int off;
5167 	bpf_int32 v1, v2;
5168 {
5169 	struct block *b1, *b2;
5170 
5171 	if (v1 > v2) {
5172 		/*
5173 		 * Reverse the order of the ports, so v1 is the lower one.
5174 		 */
5175 		bpf_int32 vtemp;
5176 
5177 		vtemp = v1;
5178 		v1 = v2;
5179 		v2 = vtemp;
5180 	}
5181 
5182 	b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5183 	b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5184 
5185 	gen_and(b1, b2);
5186 
5187 	return b2;
5188 }
5189 
5190 struct block *
5191 gen_portrangeop(port1, port2, proto, dir)
5192 	int port1, port2;
5193 	int proto;
5194 	int dir;
5195 {
5196 	struct block *b0, *b1, *tmp;
5197 
5198 	/* ip proto 'proto' */
5199 	tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5200 	b0 = gen_ipfrag();
5201 	gen_and(tmp, b0);
5202 
5203 	switch (dir) {
5204 	case Q_SRC:
5205 		b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5206 		break;
5207 
5208 	case Q_DST:
5209 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5210 		break;
5211 
5212 	case Q_OR:
5213 	case Q_DEFAULT:
5214 		tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5215 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5216 		gen_or(tmp, b1);
5217 		break;
5218 
5219 	case Q_AND:
5220 		tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5221 		b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5222 		gen_and(tmp, b1);
5223 		break;
5224 
5225 	default:
5226 		abort();
5227 	}
5228 	gen_and(b0, b1);
5229 
5230 	return b1;
5231 }
5232 
5233 static struct block *
5234 gen_portrange(port1, port2, ip_proto, dir)
5235 	int port1, port2;
5236 	int ip_proto;
5237 	int dir;
5238 {
5239 	struct block *b0, *b1, *tmp;
5240 
5241 	/* link proto ip */
5242 	b0 =  gen_linktype(ETHERTYPE_IP);
5243 
5244 	switch (ip_proto) {
5245 	case IPPROTO_UDP:
5246 	case IPPROTO_TCP:
5247 	case IPPROTO_SCTP:
5248 		b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5249 		break;
5250 
5251 	case PROTO_UNDEF:
5252 		tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5253 		b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5254 		gen_or(tmp, b1);
5255 		tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5256 		gen_or(tmp, b1);
5257 		break;
5258 
5259 	default:
5260 		abort();
5261 	}
5262 	gen_and(b0, b1);
5263 	return b1;
5264 }
5265 
5266 #ifdef INET6
5267 static struct block *
5268 gen_portrangeatom6(off, v1, v2)
5269 	int off;
5270 	bpf_int32 v1, v2;
5271 {
5272 	struct block *b1, *b2;
5273 
5274 	if (v1 > v2) {
5275 		/*
5276 		 * Reverse the order of the ports, so v1 is the lower one.
5277 		 */
5278 		bpf_int32 vtemp;
5279 
5280 		vtemp = v1;
5281 		v1 = v2;
5282 		v2 = vtemp;
5283 	}
5284 
5285 	b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5286 	b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5287 
5288 	gen_and(b1, b2);
5289 
5290 	return b2;
5291 }
5292 
5293 struct block *
5294 gen_portrangeop6(port1, port2, proto, dir)
5295 	int port1, port2;
5296 	int proto;
5297 	int dir;
5298 {
5299 	struct block *b0, *b1, *tmp;
5300 
5301 	/* ip6 proto 'proto' */
5302 	b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5303 
5304 	switch (dir) {
5305 	case Q_SRC:
5306 		b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5307 		break;
5308 
5309 	case Q_DST:
5310 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5311 		break;
5312 
5313 	case Q_OR:
5314 	case Q_DEFAULT:
5315 		tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5316 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5317 		gen_or(tmp, b1);
5318 		break;
5319 
5320 	case Q_AND:
5321 		tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5322 		b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5323 		gen_and(tmp, b1);
5324 		break;
5325 
5326 	default:
5327 		abort();
5328 	}
5329 	gen_and(b0, b1);
5330 
5331 	return b1;
5332 }
5333 
5334 static struct block *
5335 gen_portrange6(port1, port2, ip_proto, dir)
5336 	int port1, port2;
5337 	int ip_proto;
5338 	int dir;
5339 {
5340 	struct block *b0, *b1, *tmp;
5341 
5342 	/* link proto ip6 */
5343 	b0 =  gen_linktype(ETHERTYPE_IPV6);
5344 
5345 	switch (ip_proto) {
5346 	case IPPROTO_UDP:
5347 	case IPPROTO_TCP:
5348 	case IPPROTO_SCTP:
5349 		b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5350 		break;
5351 
5352 	case PROTO_UNDEF:
5353 		tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5354 		b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5355 		gen_or(tmp, b1);
5356 		tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5357 		gen_or(tmp, b1);
5358 		break;
5359 
5360 	default:
5361 		abort();
5362 	}
5363 	gen_and(b0, b1);
5364 	return b1;
5365 }
5366 #endif /* INET6 */
5367 
5368 static int
5369 lookup_proto(name, proto)
5370 	register const char *name;
5371 	register int proto;
5372 {
5373 	register int v;
5374 
5375 	switch (proto) {
5376 
5377 	case Q_DEFAULT:
5378 	case Q_IP:
5379 	case Q_IPV6:
5380 		v = pcap_nametoproto(name);
5381 		if (v == PROTO_UNDEF)
5382 			bpf_error("unknown ip proto '%s'", name);
5383 		break;
5384 
5385 	case Q_LINK:
5386 		/* XXX should look up h/w protocol type based on linktype */
5387 		v = pcap_nametoeproto(name);
5388 		if (v == PROTO_UNDEF) {
5389 			v = pcap_nametollc(name);
5390 			if (v == PROTO_UNDEF)
5391 				bpf_error("unknown ether proto '%s'", name);
5392 		}
5393 		break;
5394 
5395 	case Q_ISO:
5396 		if (strcmp(name, "esis") == 0)
5397 			v = ISO9542_ESIS;
5398 		else if (strcmp(name, "isis") == 0)
5399 			v = ISO10589_ISIS;
5400 		else if (strcmp(name, "clnp") == 0)
5401 			v = ISO8473_CLNP;
5402 		else
5403 			bpf_error("unknown osi proto '%s'", name);
5404 		break;
5405 
5406 	default:
5407 		v = PROTO_UNDEF;
5408 		break;
5409 	}
5410 	return v;
5411 }
5412 
5413 #if 0
5414 struct stmt *
5415 gen_joinsp(s, n)
5416 	struct stmt **s;
5417 	int n;
5418 {
5419 	return NULL;
5420 }
5421 #endif
5422 
5423 static struct block *
5424 gen_protochain(v, proto, dir)
5425 	int v;
5426 	int proto;
5427 	int dir;
5428 {
5429 #ifdef NO_PROTOCHAIN
5430 	return gen_proto(v, proto, dir);
5431 #else
5432 	struct block *b0, *b;
5433 	struct slist *s[100];
5434 	int fix2, fix3, fix4, fix5;
5435 	int ahcheck, again, end;
5436 	int i, max;
5437 	int reg2 = alloc_reg();
5438 
5439 	memset(s, 0, sizeof(s));
5440 	fix2 = fix3 = fix4 = fix5 = 0;
5441 
5442 	switch (proto) {
5443 	case Q_IP:
5444 	case Q_IPV6:
5445 		break;
5446 	case Q_DEFAULT:
5447 		b0 = gen_protochain(v, Q_IP, dir);
5448 		b = gen_protochain(v, Q_IPV6, dir);
5449 		gen_or(b0, b);
5450 		return b;
5451 	default:
5452 		bpf_error("bad protocol applied for 'protochain'");
5453 		/*NOTREACHED*/
5454 	}
5455 
5456 	/*
5457 	 * We don't handle variable-length prefixes before the link-layer
5458 	 * header, or variable-length link-layer headers, here yet.
5459 	 * We might want to add BPF instructions to do the protochain
5460 	 * work, to simplify that and, on platforms that have a BPF
5461 	 * interpreter with the new instructions, let the filtering
5462 	 * be done in the kernel.  (We already require a modified BPF
5463 	 * engine to do the protochain stuff, to support backward
5464 	 * branches, and backward branch support is unlikely to appear
5465 	 * in kernel BPF engines.)
5466 	 */
5467 	switch (linktype) {
5468 
5469 	case DLT_IEEE802_11:
5470 	case DLT_PRISM_HEADER:
5471 	case DLT_IEEE802_11_RADIO_AVS:
5472 	case DLT_IEEE802_11_RADIO:
5473 	case DLT_PPI:
5474 		bpf_error("'protochain' not supported with 802.11");
5475 	}
5476 
5477 	no_optimize = 1; /*this code is not compatible with optimzer yet */
5478 
5479 	/*
5480 	 * s[0] is a dummy entry to protect other BPF insn from damage
5481 	 * by s[fix] = foo with uninitialized variable "fix".  It is somewhat
5482 	 * hard to find interdependency made by jump table fixup.
5483 	 */
5484 	i = 0;
5485 	s[i] = new_stmt(0);	/*dummy*/
5486 	i++;
5487 
5488 	switch (proto) {
5489 	case Q_IP:
5490 		b0 = gen_linktype(ETHERTYPE_IP);
5491 
5492 		/* A = ip->ip_p */
5493 		s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5494 		s[i]->s.k = off_macpl + off_nl + 9;
5495 		i++;
5496 		/* X = ip->ip_hl << 2 */
5497 		s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5498 		s[i]->s.k = off_macpl + off_nl;
5499 		i++;
5500 		break;
5501 #ifdef INET6
5502 	case Q_IPV6:
5503 		b0 = gen_linktype(ETHERTYPE_IPV6);
5504 
5505 		/* A = ip6->ip_nxt */
5506 		s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5507 		s[i]->s.k = off_macpl + off_nl + 6;
5508 		i++;
5509 		/* X = sizeof(struct ip6_hdr) */
5510 		s[i] = new_stmt(BPF_LDX|BPF_IMM);
5511 		s[i]->s.k = 40;
5512 		i++;
5513 		break;
5514 #endif
5515 	default:
5516 		bpf_error("unsupported proto to gen_protochain");
5517 		/*NOTREACHED*/
5518 	}
5519 
5520 	/* again: if (A == v) goto end; else fall through; */
5521 	again = i;
5522 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5523 	s[i]->s.k = v;
5524 	s[i]->s.jt = NULL;		/*later*/
5525 	s[i]->s.jf = NULL;		/*update in next stmt*/
5526 	fix5 = i;
5527 	i++;
5528 
5529 #ifndef IPPROTO_NONE
5530 #define IPPROTO_NONE	59
5531 #endif
5532 	/* if (A == IPPROTO_NONE) goto end */
5533 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5534 	s[i]->s.jt = NULL;	/*later*/
5535 	s[i]->s.jf = NULL;	/*update in next stmt*/
5536 	s[i]->s.k = IPPROTO_NONE;
5537 	s[fix5]->s.jf = s[i];
5538 	fix2 = i;
5539 	i++;
5540 
5541 #ifdef INET6
5542 	if (proto == Q_IPV6) {
5543 		int v6start, v6end, v6advance, j;
5544 
5545 		v6start = i;
5546 		/* if (A == IPPROTO_HOPOPTS) goto v6advance */
5547 		s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5548 		s[i]->s.jt = NULL;	/*later*/
5549 		s[i]->s.jf = NULL;	/*update in next stmt*/
5550 		s[i]->s.k = IPPROTO_HOPOPTS;
5551 		s[fix2]->s.jf = s[i];
5552 		i++;
5553 		/* if (A == IPPROTO_DSTOPTS) goto v6advance */
5554 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5555 		s[i]->s.jt = NULL;	/*later*/
5556 		s[i]->s.jf = NULL;	/*update in next stmt*/
5557 		s[i]->s.k = IPPROTO_DSTOPTS;
5558 		i++;
5559 		/* if (A == IPPROTO_ROUTING) goto v6advance */
5560 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5561 		s[i]->s.jt = NULL;	/*later*/
5562 		s[i]->s.jf = NULL;	/*update in next stmt*/
5563 		s[i]->s.k = IPPROTO_ROUTING;
5564 		i++;
5565 		/* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5566 		s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5567 		s[i]->s.jt = NULL;	/*later*/
5568 		s[i]->s.jf = NULL;	/*later*/
5569 		s[i]->s.k = IPPROTO_FRAGMENT;
5570 		fix3 = i;
5571 		v6end = i;
5572 		i++;
5573 
5574 		/* v6advance: */
5575 		v6advance = i;
5576 
5577 		/*
5578 		 * in short,
5579 		 * A = P[X];
5580 		 * X = X + (P[X + 1] + 1) * 8;
5581 		 */
5582 		/* A = X */
5583 		s[i] = new_stmt(BPF_MISC|BPF_TXA);
5584 		i++;
5585 		/* A = P[X + packet head] */
5586 		s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5587 		s[i]->s.k = off_macpl + off_nl;
5588 		i++;
5589 		/* MEM[reg2] = A */
5590 		s[i] = new_stmt(BPF_ST);
5591 		s[i]->s.k = reg2;
5592 		i++;
5593 		/* A = X */
5594 		s[i] = new_stmt(BPF_MISC|BPF_TXA);
5595 		i++;
5596 		/* A += 1 */
5597 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5598 		s[i]->s.k = 1;
5599 		i++;
5600 		/* X = A */
5601 		s[i] = new_stmt(BPF_MISC|BPF_TAX);
5602 		i++;
5603 		/* A = P[X + packet head]; */
5604 		s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5605 		s[i]->s.k = off_macpl + off_nl;
5606 		i++;
5607 		/* A += 1 */
5608 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5609 		s[i]->s.k = 1;
5610 		i++;
5611 		/* A *= 8 */
5612 		s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5613 		s[i]->s.k = 8;
5614 		i++;
5615 		/* X = A; */
5616 		s[i] = new_stmt(BPF_MISC|BPF_TAX);
5617 		i++;
5618 		/* A = MEM[reg2] */
5619 		s[i] = new_stmt(BPF_LD|BPF_MEM);
5620 		s[i]->s.k = reg2;
5621 		i++;
5622 
5623 		/* goto again; (must use BPF_JA for backward jump) */
5624 		s[i] = new_stmt(BPF_JMP|BPF_JA);
5625 		s[i]->s.k = again - i - 1;
5626 		s[i - 1]->s.jf = s[i];
5627 		i++;
5628 
5629 		/* fixup */
5630 		for (j = v6start; j <= v6end; j++)
5631 			s[j]->s.jt = s[v6advance];
5632 	} else
5633 #endif
5634 	{
5635 		/* nop */
5636 		s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5637 		s[i]->s.k = 0;
5638 		s[fix2]->s.jf = s[i];
5639 		i++;
5640 	}
5641 
5642 	/* ahcheck: */
5643 	ahcheck = i;
5644 	/* if (A == IPPROTO_AH) then fall through; else goto end; */
5645 	s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5646 	s[i]->s.jt = NULL;	/*later*/
5647 	s[i]->s.jf = NULL;	/*later*/
5648 	s[i]->s.k = IPPROTO_AH;
5649 	if (fix3)
5650 		s[fix3]->s.jf = s[ahcheck];
5651 	fix4 = i;
5652 	i++;
5653 
5654 	/*
5655 	 * in short,
5656 	 * A = P[X];
5657 	 * X = X + (P[X + 1] + 2) * 4;
5658 	 */
5659 	/* A = X */
5660 	s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5661 	i++;
5662 	/* A = P[X + packet head]; */
5663 	s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5664 	s[i]->s.k = off_macpl + off_nl;
5665 	i++;
5666 	/* MEM[reg2] = A */
5667 	s[i] = new_stmt(BPF_ST);
5668 	s[i]->s.k = reg2;
5669 	i++;
5670 	/* A = X */
5671 	s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5672 	i++;
5673 	/* A += 1 */
5674 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5675 	s[i]->s.k = 1;
5676 	i++;
5677 	/* X = A */
5678 	s[i] = new_stmt(BPF_MISC|BPF_TAX);
5679 	i++;
5680 	/* A = P[X + packet head] */
5681 	s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5682 	s[i]->s.k = off_macpl + off_nl;
5683 	i++;
5684 	/* A += 2 */
5685 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5686 	s[i]->s.k = 2;
5687 	i++;
5688 	/* A *= 4 */
5689 	s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5690 	s[i]->s.k = 4;
5691 	i++;
5692 	/* X = A; */
5693 	s[i] = new_stmt(BPF_MISC|BPF_TAX);
5694 	i++;
5695 	/* A = MEM[reg2] */
5696 	s[i] = new_stmt(BPF_LD|BPF_MEM);
5697 	s[i]->s.k = reg2;
5698 	i++;
5699 
5700 	/* goto again; (must use BPF_JA for backward jump) */
5701 	s[i] = new_stmt(BPF_JMP|BPF_JA);
5702 	s[i]->s.k = again - i - 1;
5703 	i++;
5704 
5705 	/* end: nop */
5706 	end = i;
5707 	s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5708 	s[i]->s.k = 0;
5709 	s[fix2]->s.jt = s[end];
5710 	s[fix4]->s.jf = s[end];
5711 	s[fix5]->s.jt = s[end];
5712 	i++;
5713 
5714 	/*
5715 	 * make slist chain
5716 	 */
5717 	max = i;
5718 	for (i = 0; i < max - 1; i++)
5719 		s[i]->next = s[i + 1];
5720 	s[max - 1]->next = NULL;
5721 
5722 	/*
5723 	 * emit final check
5724 	 */
5725 	b = new_block(JMP(BPF_JEQ));
5726 	b->stmts = s[1];	/*remember, s[0] is dummy*/
5727 	b->s.k = v;
5728 
5729 	free_reg(reg2);
5730 
5731 	gen_and(b0, b);
5732 	return b;
5733 #endif
5734 }
5735 
5736 static struct block *
5737 gen_check_802_11_data_frame()
5738 {
5739 	struct slist *s;
5740 	struct block *b0, *b1;
5741 
5742 	/*
5743 	 * A data frame has the 0x08 bit (b3) in the frame control field set
5744 	 * and the 0x04 bit (b2) clear.
5745 	 */
5746 	s = gen_load_a(OR_LINK, 0, BPF_B);
5747 	b0 = new_block(JMP(BPF_JSET));
5748 	b0->s.k = 0x08;
5749 	b0->stmts = s;
5750 
5751 	s = gen_load_a(OR_LINK, 0, BPF_B);
5752 	b1 = new_block(JMP(BPF_JSET));
5753 	b1->s.k = 0x04;
5754 	b1->stmts = s;
5755 	gen_not(b1);
5756 
5757 	gen_and(b1, b0);
5758 
5759 	return b0;
5760 }
5761 
5762 /*
5763  * Generate code that checks whether the packet is a packet for protocol
5764  * <proto> and whether the type field in that protocol's header has
5765  * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5766  * IP packet and checks the protocol number in the IP header against <v>.
5767  *
5768  * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5769  * against Q_IP and Q_IPV6.
5770  */
5771 static struct block *
5772 gen_proto(v, proto, dir)
5773 	int v;
5774 	int proto;
5775 	int dir;
5776 {
5777 	struct block *b0, *b1;
5778 
5779 	if (dir != Q_DEFAULT)
5780 		bpf_error("direction applied to 'proto'");
5781 
5782 	switch (proto) {
5783 	case Q_DEFAULT:
5784 #ifdef INET6
5785 		b0 = gen_proto(v, Q_IP, dir);
5786 		b1 = gen_proto(v, Q_IPV6, dir);
5787 		gen_or(b0, b1);
5788 		return b1;
5789 #else
5790 		/*FALLTHROUGH*/
5791 #endif
5792 	case Q_IP:
5793 		/*
5794 		 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5795 		 * not LLC encapsulation with LLCSAP_IP.
5796 		 *
5797 		 * For IEEE 802 networks - which includes 802.5 token ring
5798 		 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5799 		 * says that SNAP encapsulation is used, not LLC encapsulation
5800 		 * with LLCSAP_IP.
5801 		 *
5802 		 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5803 		 * RFC 2225 say that SNAP encapsulation is used, not LLC
5804 		 * encapsulation with LLCSAP_IP.
5805 		 *
5806 		 * So we always check for ETHERTYPE_IP.
5807 		 */
5808 		b0 = gen_linktype(ETHERTYPE_IP);
5809 #ifndef CHASE_CHAIN
5810 		b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5811 #else
5812 		b1 = gen_protochain(v, Q_IP);
5813 #endif
5814 		gen_and(b0, b1);
5815 		return b1;
5816 
5817 	case Q_ISO:
5818 		switch (linktype) {
5819 
5820 		case DLT_FRELAY:
5821 			/*
5822 			 * Frame Relay packets typically have an OSI
5823 			 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5824 			 * generates code to check for all the OSI
5825 			 * NLPIDs, so calling it and then adding a check
5826 			 * for the particular NLPID for which we're
5827 			 * looking is bogus, as we can just check for
5828 			 * the NLPID.
5829 			 *
5830 			 * What we check for is the NLPID and a frame
5831 			 * control field value of UI, i.e. 0x03 followed
5832 			 * by the NLPID.
5833 			 *
5834 			 * XXX - assumes a 2-byte Frame Relay header with
5835 			 * DLCI and flags.  What if the address is longer?
5836 			 *
5837 			 * XXX - what about SNAP-encapsulated frames?
5838 			 */
5839 			return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5840 			/*NOTREACHED*/
5841 			break;
5842 
5843 		case DLT_C_HDLC:
5844 			/*
5845 			 * Cisco uses an Ethertype lookalike - for OSI,
5846 			 * it's 0xfefe.
5847 			 */
5848 			b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5849 			/* OSI in C-HDLC is stuffed with a fudge byte */
5850 			b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5851 			gen_and(b0, b1);
5852 			return b1;
5853 
5854 		default:
5855 			b0 = gen_linktype(LLCSAP_ISONS);
5856 			b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5857 			gen_and(b0, b1);
5858 			return b1;
5859 		}
5860 
5861 	case Q_ISIS:
5862 		b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5863 		/*
5864 		 * 4 is the offset of the PDU type relative to the IS-IS
5865 		 * header.
5866 		 */
5867 		b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5868 		gen_and(b0, b1);
5869 		return b1;
5870 
5871 	case Q_ARP:
5872 		bpf_error("arp does not encapsulate another protocol");
5873 		/* NOTREACHED */
5874 
5875 	case Q_RARP:
5876 		bpf_error("rarp does not encapsulate another protocol");
5877 		/* NOTREACHED */
5878 
5879 	case Q_ATALK:
5880 		bpf_error("atalk encapsulation is not specifiable");
5881 		/* NOTREACHED */
5882 
5883 	case Q_DECNET:
5884 		bpf_error("decnet encapsulation is not specifiable");
5885 		/* NOTREACHED */
5886 
5887 	case Q_SCA:
5888 		bpf_error("sca does not encapsulate another protocol");
5889 		/* NOTREACHED */
5890 
5891 	case Q_LAT:
5892 		bpf_error("lat does not encapsulate another protocol");
5893 		/* NOTREACHED */
5894 
5895 	case Q_MOPRC:
5896 		bpf_error("moprc does not encapsulate another protocol");
5897 		/* NOTREACHED */
5898 
5899 	case Q_MOPDL:
5900 		bpf_error("mopdl does not encapsulate another protocol");
5901 		/* NOTREACHED */
5902 
5903 	case Q_LINK:
5904 		return gen_linktype(v);
5905 
5906 	case Q_UDP:
5907 		bpf_error("'udp proto' is bogus");
5908 		/* NOTREACHED */
5909 
5910 	case Q_TCP:
5911 		bpf_error("'tcp proto' is bogus");
5912 		/* NOTREACHED */
5913 
5914 	case Q_SCTP:
5915 		bpf_error("'sctp proto' is bogus");
5916 		/* NOTREACHED */
5917 
5918 	case Q_ICMP:
5919 		bpf_error("'icmp proto' is bogus");
5920 		/* NOTREACHED */
5921 
5922 	case Q_IGMP:
5923 		bpf_error("'igmp proto' is bogus");
5924 		/* NOTREACHED */
5925 
5926 	case Q_IGRP:
5927 		bpf_error("'igrp proto' is bogus");
5928 		/* NOTREACHED */
5929 
5930 	case Q_PIM:
5931 		bpf_error("'pim proto' is bogus");
5932 		/* NOTREACHED */
5933 
5934 	case Q_VRRP:
5935 		bpf_error("'vrrp proto' is bogus");
5936 		/* NOTREACHED */
5937 
5938 #ifdef INET6
5939 	case Q_IPV6:
5940 		b0 = gen_linktype(ETHERTYPE_IPV6);
5941 #ifndef CHASE_CHAIN
5942 		b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5943 #else
5944 		b1 = gen_protochain(v, Q_IPV6);
5945 #endif
5946 		gen_and(b0, b1);
5947 		return b1;
5948 
5949 	case Q_ICMPV6:
5950 		bpf_error("'icmp6 proto' is bogus");
5951 #endif /* INET6 */
5952 
5953 	case Q_AH:
5954 		bpf_error("'ah proto' is bogus");
5955 
5956 	case Q_ESP:
5957 		bpf_error("'ah proto' is bogus");
5958 
5959 	case Q_STP:
5960 		bpf_error("'stp proto' is bogus");
5961 
5962 	case Q_IPX:
5963 		bpf_error("'ipx proto' is bogus");
5964 
5965 	case Q_NETBEUI:
5966 		bpf_error("'netbeui proto' is bogus");
5967 
5968 	case Q_RADIO:
5969 		bpf_error("'radio proto' is bogus");
5970 
5971 	default:
5972 		abort();
5973 		/* NOTREACHED */
5974 	}
5975 	/* NOTREACHED */
5976 }
5977 
5978 struct block *
5979 gen_scode(name, q)
5980 	register const char *name;
5981 	struct qual q;
5982 {
5983 	int proto = q.proto;
5984 	int dir = q.dir;
5985 	int tproto;
5986 	u_char *eaddr;
5987 	bpf_u_int32 mask, addr;
5988 #ifndef INET6
5989 	bpf_u_int32 **alist;
5990 #else
5991 	int tproto6;
5992 	struct sockaddr_in *sin4;
5993 	struct sockaddr_in6 *sin6;
5994 	struct addrinfo *res, *res0;
5995 	struct in6_addr mask128;
5996 #endif /*INET6*/
5997 	struct block *b, *tmp;
5998 	int port, real_proto;
5999 	int port1, port2;
6000 
6001 	switch (q.addr) {
6002 
6003 	case Q_NET:
6004 		addr = pcap_nametonetaddr(name);
6005 		if (addr == 0)
6006 			bpf_error("unknown network '%s'", name);
6007 		/* Left justify network addr and calculate its network mask */
6008 		mask = 0xffffffff;
6009 		while (addr && (addr & 0xff000000) == 0) {
6010 			addr <<= 8;
6011 			mask <<= 8;
6012 		}
6013 		return gen_host(addr, mask, proto, dir, q.addr);
6014 
6015 	case Q_DEFAULT:
6016 	case Q_HOST:
6017 		if (proto == Q_LINK) {
6018 			switch (linktype) {
6019 
6020 			case DLT_EN10MB:
6021 				eaddr = pcap_ether_hostton(name);
6022 				if (eaddr == NULL)
6023 					bpf_error(
6024 					    "unknown ether host '%s'", name);
6025 				b = gen_ehostop(eaddr, dir);
6026 				free(eaddr);
6027 				return b;
6028 
6029 			case DLT_FDDI:
6030 				eaddr = pcap_ether_hostton(name);
6031 				if (eaddr == NULL)
6032 					bpf_error(
6033 					    "unknown FDDI host '%s'", name);
6034 				b = gen_fhostop(eaddr, dir);
6035 				free(eaddr);
6036 				return b;
6037 
6038 			case DLT_IEEE802:
6039 				eaddr = pcap_ether_hostton(name);
6040 				if (eaddr == NULL)
6041 					bpf_error(
6042 					    "unknown token ring host '%s'", name);
6043 				b = gen_thostop(eaddr, dir);
6044 				free(eaddr);
6045 				return b;
6046 
6047 			case DLT_IEEE802_11:
6048 			case DLT_PRISM_HEADER:
6049 			case DLT_IEEE802_11_RADIO_AVS:
6050 			case DLT_IEEE802_11_RADIO:
6051 			case DLT_PPI:
6052 				eaddr = pcap_ether_hostton(name);
6053 				if (eaddr == NULL)
6054 					bpf_error(
6055 					    "unknown 802.11 host '%s'", name);
6056 				b = gen_wlanhostop(eaddr, dir);
6057 				free(eaddr);
6058 				return b;
6059 
6060 			case DLT_IP_OVER_FC:
6061 				eaddr = pcap_ether_hostton(name);
6062 				if (eaddr == NULL)
6063 					bpf_error(
6064 					    "unknown Fibre Channel host '%s'", name);
6065 				b = gen_ipfchostop(eaddr, dir);
6066 				free(eaddr);
6067 				return b;
6068 
6069 			case DLT_SUNATM:
6070 				if (!is_lane)
6071 					break;
6072 
6073 				/*
6074 				 * Check that the packet doesn't begin
6075 				 * with an LE Control marker.  (We've
6076 				 * already generated a test for LANE.)
6077 				 */
6078 				tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6079 				    BPF_H, 0xFF00);
6080 				gen_not(tmp);
6081 
6082 				eaddr = pcap_ether_hostton(name);
6083 				if (eaddr == NULL)
6084 					bpf_error(
6085 					    "unknown ether host '%s'", name);
6086 				b = gen_ehostop(eaddr, dir);
6087 				gen_and(tmp, b);
6088 				free(eaddr);
6089 				return b;
6090 			}
6091 
6092 			bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6093 		} else if (proto == Q_DECNET) {
6094 			unsigned short dn_addr = __pcap_nametodnaddr(name);
6095 			/*
6096 			 * I don't think DECNET hosts can be multihomed, so
6097 			 * there is no need to build up a list of addresses
6098 			 */
6099 			return (gen_host(dn_addr, 0, proto, dir, q.addr));
6100 		} else {
6101 #ifndef INET6
6102 			alist = pcap_nametoaddr(name);
6103 			if (alist == NULL || *alist == NULL)
6104 				bpf_error("unknown host '%s'", name);
6105 			tproto = proto;
6106 			if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6107 				tproto = Q_IP;
6108 			b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6109 			while (*alist) {
6110 				tmp = gen_host(**alist++, 0xffffffff,
6111 					       tproto, dir, q.addr);
6112 				gen_or(b, tmp);
6113 				b = tmp;
6114 			}
6115 			return b;
6116 #else
6117 			memset(&mask128, 0xff, sizeof(mask128));
6118 			res0 = res = pcap_nametoaddrinfo(name);
6119 			if (res == NULL)
6120 				bpf_error("unknown host '%s'", name);
6121 			ai = res;
6122 			b = tmp = NULL;
6123 			tproto = tproto6 = proto;
6124 			if (off_linktype == -1 && tproto == Q_DEFAULT) {
6125 				tproto = Q_IP;
6126 				tproto6 = Q_IPV6;
6127 			}
6128 			for (res = res0; res; res = res->ai_next) {
6129 				switch (res->ai_family) {
6130 				case AF_INET:
6131 					if (tproto == Q_IPV6)
6132 						continue;
6133 
6134 					sin4 = (struct sockaddr_in *)
6135 						res->ai_addr;
6136 					tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6137 						0xffffffff, tproto, dir, q.addr);
6138 					break;
6139 				case AF_INET6:
6140 					if (tproto6 == Q_IP)
6141 						continue;
6142 
6143 					sin6 = (struct sockaddr_in6 *)
6144 						res->ai_addr;
6145 					tmp = gen_host6(&sin6->sin6_addr,
6146 						&mask128, tproto6, dir, q.addr);
6147 					break;
6148 				default:
6149 					continue;
6150 				}
6151 				if (b)
6152 					gen_or(b, tmp);
6153 				b = tmp;
6154 			}
6155 			ai = NULL;
6156 			freeaddrinfo(res0);
6157 			if (b == NULL) {
6158 				bpf_error("unknown host '%s'%s", name,
6159 				    (proto == Q_DEFAULT)
6160 					? ""
6161 					: " for specified address family");
6162 			}
6163 			return b;
6164 #endif /*INET6*/
6165 		}
6166 
6167 	case Q_PORT:
6168 		if (proto != Q_DEFAULT &&
6169 		    proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6170 			bpf_error("illegal qualifier of 'port'");
6171 		if (pcap_nametoport(name, &port, &real_proto) == 0)
6172 			bpf_error("unknown port '%s'", name);
6173 		if (proto == Q_UDP) {
6174 			if (real_proto == IPPROTO_TCP)
6175 				bpf_error("port '%s' is tcp", name);
6176 			else if (real_proto == IPPROTO_SCTP)
6177 				bpf_error("port '%s' is sctp", name);
6178 			else
6179 				/* override PROTO_UNDEF */
6180 				real_proto = IPPROTO_UDP;
6181 		}
6182 		if (proto == Q_TCP) {
6183 			if (real_proto == IPPROTO_UDP)
6184 				bpf_error("port '%s' is udp", name);
6185 
6186 			else if (real_proto == IPPROTO_SCTP)
6187 				bpf_error("port '%s' is sctp", name);
6188 			else
6189 				/* override PROTO_UNDEF */
6190 				real_proto = IPPROTO_TCP;
6191 		}
6192 		if (proto == Q_SCTP) {
6193 			if (real_proto == IPPROTO_UDP)
6194 				bpf_error("port '%s' is udp", name);
6195 
6196 			else if (real_proto == IPPROTO_TCP)
6197 				bpf_error("port '%s' is tcp", name);
6198 			else
6199 				/* override PROTO_UNDEF */
6200 				real_proto = IPPROTO_SCTP;
6201 		}
6202 #ifndef INET6
6203 		return gen_port(port, real_proto, dir);
6204 #else
6205 		b = gen_port(port, real_proto, dir);
6206 		gen_or(gen_port6(port, real_proto, dir), b);
6207 		return b;
6208 #endif /* INET6 */
6209 
6210 	case Q_PORTRANGE:
6211 		if (proto != Q_DEFAULT &&
6212 		    proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6213 			bpf_error("illegal qualifier of 'portrange'");
6214 		if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6215 			bpf_error("unknown port in range '%s'", name);
6216 		if (proto == Q_UDP) {
6217 			if (real_proto == IPPROTO_TCP)
6218 				bpf_error("port in range '%s' is tcp", name);
6219 			else if (real_proto == IPPROTO_SCTP)
6220 				bpf_error("port in range '%s' is sctp", name);
6221 			else
6222 				/* override PROTO_UNDEF */
6223 				real_proto = IPPROTO_UDP;
6224 		}
6225 		if (proto == Q_TCP) {
6226 			if (real_proto == IPPROTO_UDP)
6227 				bpf_error("port in range '%s' is udp", name);
6228 			else if (real_proto == IPPROTO_SCTP)
6229 				bpf_error("port in range '%s' is sctp", name);
6230 			else
6231 				/* override PROTO_UNDEF */
6232 				real_proto = IPPROTO_TCP;
6233 		}
6234 		if (proto == Q_SCTP) {
6235 			if (real_proto == IPPROTO_UDP)
6236 				bpf_error("port in range '%s' is udp", name);
6237 			else if (real_proto == IPPROTO_TCP)
6238 				bpf_error("port in range '%s' is tcp", name);
6239 			else
6240 				/* override PROTO_UNDEF */
6241 				real_proto = IPPROTO_SCTP;
6242 		}
6243 #ifndef INET6
6244 		return gen_portrange(port1, port2, real_proto, dir);
6245 #else
6246 		b = gen_portrange(port1, port2, real_proto, dir);
6247 		gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6248 		return b;
6249 #endif /* INET6 */
6250 
6251 	case Q_GATEWAY:
6252 #ifndef INET6
6253 		eaddr = pcap_ether_hostton(name);
6254 		if (eaddr == NULL)
6255 			bpf_error("unknown ether host: %s", name);
6256 
6257 		alist = pcap_nametoaddr(name);
6258 		if (alist == NULL || *alist == NULL)
6259 			bpf_error("unknown host '%s'", name);
6260 		b = gen_gateway(eaddr, alist, proto, dir);
6261 		free(eaddr);
6262 		return b;
6263 #else
6264 		bpf_error("'gateway' not supported in this configuration");
6265 #endif /*INET6*/
6266 
6267 	case Q_PROTO:
6268 		real_proto = lookup_proto(name, proto);
6269 		if (real_proto >= 0)
6270 			return gen_proto(real_proto, proto, dir);
6271 		else
6272 			bpf_error("unknown protocol: %s", name);
6273 
6274 	case Q_PROTOCHAIN:
6275 		real_proto = lookup_proto(name, proto);
6276 		if (real_proto >= 0)
6277 			return gen_protochain(real_proto, proto, dir);
6278 		else
6279 			bpf_error("unknown protocol: %s", name);
6280 
6281 	case Q_UNDEF:
6282 		syntax();
6283 		/* NOTREACHED */
6284 	}
6285 	abort();
6286 	/* NOTREACHED */
6287 }
6288 
6289 struct block *
6290 gen_mcode(s1, s2, masklen, q)
6291 	register const char *s1, *s2;
6292 	register int masklen;
6293 	struct qual q;
6294 {
6295 	register int nlen, mlen;
6296 	bpf_u_int32 n, m;
6297 
6298 	nlen = __pcap_atoin(s1, &n);
6299 	/* Promote short ipaddr */
6300 	n <<= 32 - nlen;
6301 
6302 	if (s2 != NULL) {
6303 		mlen = __pcap_atoin(s2, &m);
6304 		/* Promote short ipaddr */
6305 		m <<= 32 - mlen;
6306 		if ((n & ~m) != 0)
6307 			bpf_error("non-network bits set in \"%s mask %s\"",
6308 			    s1, s2);
6309 	} else {
6310 		/* Convert mask len to mask */
6311 		if (masklen > 32)
6312 			bpf_error("mask length must be <= 32");
6313 		if (masklen == 0) {
6314 			/*
6315 			 * X << 32 is not guaranteed by C to be 0; it's
6316 			 * undefined.
6317 			 */
6318 			m = 0;
6319 		} else
6320 			m = 0xffffffff << (32 - masklen);
6321 		if ((n & ~m) != 0)
6322 			bpf_error("non-network bits set in \"%s/%d\"",
6323 			    s1, masklen);
6324 	}
6325 
6326 	switch (q.addr) {
6327 
6328 	case Q_NET:
6329 		return gen_host(n, m, q.proto, q.dir, q.addr);
6330 
6331 	default:
6332 		bpf_error("Mask syntax for networks only");
6333 		/* NOTREACHED */
6334 	}
6335 	/* NOTREACHED */
6336 	return NULL;
6337 }
6338 
6339 struct block *
6340 gen_ncode(s, v, q)
6341 	register const char *s;
6342 	bpf_u_int32 v;
6343 	struct qual q;
6344 {
6345 	bpf_u_int32 mask;
6346 	int proto = q.proto;
6347 	int dir = q.dir;
6348 	register int vlen;
6349 
6350 	if (s == NULL)
6351 		vlen = 32;
6352 	else if (q.proto == Q_DECNET)
6353 		vlen = __pcap_atodn(s, &v);
6354 	else
6355 		vlen = __pcap_atoin(s, &v);
6356 
6357 	switch (q.addr) {
6358 
6359 	case Q_DEFAULT:
6360 	case Q_HOST:
6361 	case Q_NET:
6362 		if (proto == Q_DECNET)
6363 			return gen_host(v, 0, proto, dir, q.addr);
6364 		else if (proto == Q_LINK) {
6365 			bpf_error("illegal link layer address");
6366 		} else {
6367 			mask = 0xffffffff;
6368 			if (s == NULL && q.addr == Q_NET) {
6369 				/* Promote short net number */
6370 				while (v && (v & 0xff000000) == 0) {
6371 					v <<= 8;
6372 					mask <<= 8;
6373 				}
6374 			} else {
6375 				/* Promote short ipaddr */
6376 				v <<= 32 - vlen;
6377 				mask <<= 32 - vlen;
6378 			}
6379 			return gen_host(v, mask, proto, dir, q.addr);
6380 		}
6381 
6382 	case Q_PORT:
6383 		if (proto == Q_UDP)
6384 			proto = IPPROTO_UDP;
6385 		else if (proto == Q_TCP)
6386 			proto = IPPROTO_TCP;
6387 		else if (proto == Q_SCTP)
6388 			proto = IPPROTO_SCTP;
6389 		else if (proto == Q_DEFAULT)
6390 			proto = PROTO_UNDEF;
6391 		else
6392 			bpf_error("illegal qualifier of 'port'");
6393 
6394 #ifndef INET6
6395 		return gen_port((int)v, proto, dir);
6396 #else
6397 	    {
6398 		struct block *b;
6399 		b = gen_port((int)v, proto, dir);
6400 		gen_or(gen_port6((int)v, proto, dir), b);
6401 		return b;
6402 	    }
6403 #endif /* INET6 */
6404 
6405 	case Q_PORTRANGE:
6406 		if (proto == Q_UDP)
6407 			proto = IPPROTO_UDP;
6408 		else if (proto == Q_TCP)
6409 			proto = IPPROTO_TCP;
6410 		else if (proto == Q_SCTP)
6411 			proto = IPPROTO_SCTP;
6412 		else if (proto == Q_DEFAULT)
6413 			proto = PROTO_UNDEF;
6414 		else
6415 			bpf_error("illegal qualifier of 'portrange'");
6416 
6417 #ifndef INET6
6418 		return gen_portrange((int)v, (int)v, proto, dir);
6419 #else
6420 	    {
6421 		struct block *b;
6422 		b = gen_portrange((int)v, (int)v, proto, dir);
6423 		gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6424 		return b;
6425 	    }
6426 #endif /* INET6 */
6427 
6428 	case Q_GATEWAY:
6429 		bpf_error("'gateway' requires a name");
6430 		/* NOTREACHED */
6431 
6432 	case Q_PROTO:
6433 		return gen_proto((int)v, proto, dir);
6434 
6435 	case Q_PROTOCHAIN:
6436 		return gen_protochain((int)v, proto, dir);
6437 
6438 	case Q_UNDEF:
6439 		syntax();
6440 		/* NOTREACHED */
6441 
6442 	default:
6443 		abort();
6444 		/* NOTREACHED */
6445 	}
6446 	/* NOTREACHED */
6447 }
6448 
6449 #ifdef INET6
6450 struct block *
6451 gen_mcode6(s1, s2, masklen, q)
6452 	register const char *s1, *s2;
6453 	register int masklen;
6454 	struct qual q;
6455 {
6456 	struct addrinfo *res;
6457 	struct in6_addr *addr;
6458 	struct in6_addr mask;
6459 	struct block *b;
6460 	u_int32_t *a, *m;
6461 
6462 	if (s2)
6463 		bpf_error("no mask %s supported", s2);
6464 
6465 	res = pcap_nametoaddrinfo(s1);
6466 	if (!res)
6467 		bpf_error("invalid ip6 address %s", s1);
6468 	ai = res;
6469 	if (res->ai_next)
6470 		bpf_error("%s resolved to multiple address", s1);
6471 	addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6472 
6473 	if (sizeof(mask) * 8 < masklen)
6474 		bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6475 	memset(&mask, 0, sizeof(mask));
6476 	memset(&mask, 0xff, masklen / 8);
6477 	if (masklen % 8) {
6478 		mask.s6_addr[masklen / 8] =
6479 			(0xff << (8 - masklen % 8)) & 0xff;
6480 	}
6481 
6482 	a = (u_int32_t *)addr;
6483 	m = (u_int32_t *)&mask;
6484 	if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6485 	 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6486 		bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6487 	}
6488 
6489 	switch (q.addr) {
6490 
6491 	case Q_DEFAULT:
6492 	case Q_HOST:
6493 		if (masklen != 128)
6494 			bpf_error("Mask syntax for networks only");
6495 		/* FALLTHROUGH */
6496 
6497 	case Q_NET:
6498 		b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6499 		ai = NULL;
6500 		freeaddrinfo(res);
6501 		return b;
6502 
6503 	default:
6504 		bpf_error("invalid qualifier against IPv6 address");
6505 		/* NOTREACHED */
6506 	}
6507 	return NULL;
6508 }
6509 #endif /*INET6*/
6510 
6511 struct block *
6512 gen_ecode(eaddr, q)
6513 	register const u_char *eaddr;
6514 	struct qual q;
6515 {
6516 	struct block *b, *tmp;
6517 
6518 	if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6519 		switch (linktype) {
6520 		case DLT_EN10MB:
6521 			return gen_ehostop(eaddr, (int)q.dir);
6522 		case DLT_FDDI:
6523 			return gen_fhostop(eaddr, (int)q.dir);
6524 		case DLT_IEEE802:
6525 			return gen_thostop(eaddr, (int)q.dir);
6526 		case DLT_IEEE802_11:
6527 		case DLT_PRISM_HEADER:
6528 		case DLT_IEEE802_11_RADIO_AVS:
6529 		case DLT_IEEE802_11_RADIO:
6530 		case DLT_PPI:
6531 			return gen_wlanhostop(eaddr, (int)q.dir);
6532 		case DLT_SUNATM:
6533 			if (is_lane) {
6534 				/*
6535 				 * Check that the packet doesn't begin with an
6536 				 * LE Control marker.  (We've already generated
6537 				 * a test for LANE.)
6538 				 */
6539 				tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6540 					0xFF00);
6541 				gen_not(tmp);
6542 
6543 				/*
6544 				 * Now check the MAC address.
6545 				 */
6546 				b = gen_ehostop(eaddr, (int)q.dir);
6547 				gen_and(tmp, b);
6548 				return b;
6549 			}
6550 			break;
6551 		case DLT_IP_OVER_FC:
6552 			return gen_ipfchostop(eaddr, (int)q.dir);
6553 		default:
6554 			bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6555 			break;
6556 		}
6557 	}
6558 	bpf_error("ethernet address used in non-ether expression");
6559 	/* NOTREACHED */
6560 	return NULL;
6561 }
6562 
6563 void
6564 sappend(s0, s1)
6565 	struct slist *s0, *s1;
6566 {
6567 	/*
6568 	 * This is definitely not the best way to do this, but the
6569 	 * lists will rarely get long.
6570 	 */
6571 	while (s0->next)
6572 		s0 = s0->next;
6573 	s0->next = s1;
6574 }
6575 
6576 static struct slist *
6577 xfer_to_x(a)
6578 	struct arth *a;
6579 {
6580 	struct slist *s;
6581 
6582 	s = new_stmt(BPF_LDX|BPF_MEM);
6583 	s->s.k = a->regno;
6584 	return s;
6585 }
6586 
6587 static struct slist *
6588 xfer_to_a(a)
6589 	struct arth *a;
6590 {
6591 	struct slist *s;
6592 
6593 	s = new_stmt(BPF_LD|BPF_MEM);
6594 	s->s.k = a->regno;
6595 	return s;
6596 }
6597 
6598 /*
6599  * Modify "index" to use the value stored into its register as an
6600  * offset relative to the beginning of the header for the protocol
6601  * "proto", and allocate a register and put an item "size" bytes long
6602  * (1, 2, or 4) at that offset into that register, making it the register
6603  * for "index".
6604  */
6605 struct arth *
6606 gen_load(proto, inst, size)
6607 	int proto;
6608 	struct arth *inst;
6609 	int size;
6610 {
6611 	struct slist *s, *tmp;
6612 	struct block *b;
6613 	int regno = alloc_reg();
6614 
6615 	free_reg(inst->regno);
6616 	switch (size) {
6617 
6618 	default:
6619 		bpf_error("data size must be 1, 2, or 4");
6620 
6621 	case 1:
6622 		size = BPF_B;
6623 		break;
6624 
6625 	case 2:
6626 		size = BPF_H;
6627 		break;
6628 
6629 	case 4:
6630 		size = BPF_W;
6631 		break;
6632 	}
6633 	switch (proto) {
6634 	default:
6635 		bpf_error("unsupported index operation");
6636 
6637 	case Q_RADIO:
6638 		/*
6639 		 * The offset is relative to the beginning of the packet
6640 		 * data, if we have a radio header.  (If we don't, this
6641 		 * is an error.)
6642 		 */
6643 		if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6644 		    linktype != DLT_IEEE802_11_RADIO &&
6645 		    linktype != DLT_PRISM_HEADER)
6646 			bpf_error("radio information not present in capture");
6647 
6648 		/*
6649 		 * Load into the X register the offset computed into the
6650 		 * register specifed by "index".
6651 		 */
6652 		s = xfer_to_x(inst);
6653 
6654 		/*
6655 		 * Load the item at that offset.
6656 		 */
6657 		tmp = new_stmt(BPF_LD|BPF_IND|size);
6658 		sappend(s, tmp);
6659 		sappend(inst->s, s);
6660 		break;
6661 
6662 	case Q_LINK:
6663 		/*
6664 		 * The offset is relative to the beginning of
6665 		 * the link-layer header.
6666 		 *
6667 		 * XXX - what about ATM LANE?  Should the index be
6668 		 * relative to the beginning of the AAL5 frame, so
6669 		 * that 0 refers to the beginning of the LE Control
6670 		 * field, or relative to the beginning of the LAN
6671 		 * frame, so that 0 refers, for Ethernet LANE, to
6672 		 * the beginning of the destination address?
6673 		 */
6674 		s = gen_llprefixlen();
6675 
6676 		/*
6677 		 * If "s" is non-null, it has code to arrange that the
6678 		 * X register contains the length of the prefix preceding
6679 		 * the link-layer header.  Add to it the offset computed
6680 		 * into the register specified by "index", and move that
6681 		 * into the X register.  Otherwise, just load into the X
6682 		 * register the offset computed into the register specifed
6683 		 * by "index".
6684 		 */
6685 		if (s != NULL) {
6686 			sappend(s, xfer_to_a(inst));
6687 			sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6688 			sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6689 		} else
6690 			s = xfer_to_x(inst);
6691 
6692 		/*
6693 		 * Load the item at the sum of the offset we've put in the
6694 		 * X register and the offset of the start of the link
6695 		 * layer header (which is 0 if the radio header is
6696 		 * variable-length; that header length is what we put
6697 		 * into the X register and then added to the index).
6698 		 */
6699 		tmp = new_stmt(BPF_LD|BPF_IND|size);
6700 		tmp->s.k = off_ll;
6701 		sappend(s, tmp);
6702 		sappend(inst->s, s);
6703 		break;
6704 
6705 	case Q_IP:
6706 	case Q_ARP:
6707 	case Q_RARP:
6708 	case Q_ATALK:
6709 	case Q_DECNET:
6710 	case Q_SCA:
6711 	case Q_LAT:
6712 	case Q_MOPRC:
6713 	case Q_MOPDL:
6714 #ifdef INET6
6715 	case Q_IPV6:
6716 #endif
6717 		/*
6718 		 * The offset is relative to the beginning of
6719 		 * the network-layer header.
6720 		 * XXX - are there any cases where we want
6721 		 * off_nl_nosnap?
6722 		 */
6723 		s = gen_off_macpl();
6724 
6725 		/*
6726 		 * If "s" is non-null, it has code to arrange that the
6727 		 * X register contains the offset of the MAC-layer
6728 		 * payload.  Add to it the offset computed into the
6729 		 * register specified by "index", and move that into
6730 		 * the X register.  Otherwise, just load into the X
6731 		 * register the offset computed into the register specifed
6732 		 * by "index".
6733 		 */
6734 		if (s != NULL) {
6735 			sappend(s, xfer_to_a(inst));
6736 			sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6737 			sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6738 		} else
6739 			s = xfer_to_x(inst);
6740 
6741 		/*
6742 		 * Load the item at the sum of the offset we've put in the
6743 		 * X register, the offset of the start of the network
6744 		 * layer header from the beginning of the MAC-layer
6745 		 * payload, and the purported offset of the start of the
6746 		 * MAC-layer payload (which might be 0 if there's a
6747 		 * variable-length prefix before the link-layer header
6748 		 * or the link-layer header itself is variable-length;
6749 		 * the variable-length offset of the start of the
6750 		 * MAC-layer payload is what we put into the X register
6751 		 * and then added to the index).
6752 		 */
6753 		tmp = new_stmt(BPF_LD|BPF_IND|size);
6754 		tmp->s.k = off_macpl + off_nl;
6755 		sappend(s, tmp);
6756 		sappend(inst->s, s);
6757 
6758 		/*
6759 		 * Do the computation only if the packet contains
6760 		 * the protocol in question.
6761 		 */
6762 		b = gen_proto_abbrev(proto);
6763 		if (inst->b)
6764 			gen_and(inst->b, b);
6765 		inst->b = b;
6766 		break;
6767 
6768 	case Q_SCTP:
6769 	case Q_TCP:
6770 	case Q_UDP:
6771 	case Q_ICMP:
6772 	case Q_IGMP:
6773 	case Q_IGRP:
6774 	case Q_PIM:
6775 	case Q_VRRP:
6776 		/*
6777 		 * The offset is relative to the beginning of
6778 		 * the transport-layer header.
6779 		 *
6780 		 * Load the X register with the length of the IPv4 header
6781 		 * (plus the offset of the link-layer header, if it's
6782 		 * a variable-length header), in bytes.
6783 		 *
6784 		 * XXX - are there any cases where we want
6785 		 * off_nl_nosnap?
6786 		 * XXX - we should, if we're built with
6787 		 * IPv6 support, generate code to load either
6788 		 * IPv4, IPv6, or both, as appropriate.
6789 		 */
6790 		s = gen_loadx_iphdrlen();
6791 
6792 		/*
6793 		 * The X register now contains the sum of the length
6794 		 * of any variable-length header preceding the link-layer
6795 		 * header, any variable-length link-layer header, and the
6796 		 * length of the network-layer header.
6797 		 *
6798 		 * Load into the A register the offset relative to
6799 		 * the beginning of the transport layer header,
6800 		 * add the X register to that, move that to the
6801 		 * X register, and load with an offset from the
6802 		 * X register equal to the offset of the network
6803 		 * layer header relative to the beginning of
6804 		 * the MAC-layer payload plus the fixed-length
6805 		 * portion of the offset of the MAC-layer payload
6806 		 * from the beginning of the raw packet data.
6807 		 */
6808 		sappend(s, xfer_to_a(inst));
6809 		sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6810 		sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6811 		sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6812 		tmp->s.k = off_macpl + off_nl;
6813 		sappend(inst->s, s);
6814 
6815 		/*
6816 		 * Do the computation only if the packet contains
6817 		 * the protocol in question - which is true only
6818 		 * if this is an IP datagram and is the first or
6819 		 * only fragment of that datagram.
6820 		 */
6821 		gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6822 		if (inst->b)
6823 			gen_and(inst->b, b);
6824 #ifdef INET6
6825 		gen_and(gen_proto_abbrev(Q_IP), b);
6826 #endif
6827 		inst->b = b;
6828 		break;
6829 #ifdef INET6
6830 	case Q_ICMPV6:
6831 		bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6832 		/*NOTREACHED*/
6833 #endif
6834 	}
6835 	inst->regno = regno;
6836 	s = new_stmt(BPF_ST);
6837 	s->s.k = regno;
6838 	sappend(inst->s, s);
6839 
6840 	return inst;
6841 }
6842 
6843 struct block *
6844 gen_relation(code, a0, a1, reversed)
6845 	int code;
6846 	struct arth *a0, *a1;
6847 	int reversed;
6848 {
6849 	struct slist *s0, *s1, *s2;
6850 	struct block *b, *tmp;
6851 
6852 	s0 = xfer_to_x(a1);
6853 	s1 = xfer_to_a(a0);
6854 	if (code == BPF_JEQ) {
6855 		s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6856 		b = new_block(JMP(code));
6857 		sappend(s1, s2);
6858 	}
6859 	else
6860 		b = new_block(BPF_JMP|code|BPF_X);
6861 	if (reversed)
6862 		gen_not(b);
6863 
6864 	sappend(s0, s1);
6865 	sappend(a1->s, s0);
6866 	sappend(a0->s, a1->s);
6867 
6868 	b->stmts = a0->s;
6869 
6870 	free_reg(a0->regno);
6871 	free_reg(a1->regno);
6872 
6873 	/* 'and' together protocol checks */
6874 	if (a0->b) {
6875 		if (a1->b) {
6876 			gen_and(a0->b, tmp = a1->b);
6877 		}
6878 		else
6879 			tmp = a0->b;
6880 	} else
6881 		tmp = a1->b;
6882 
6883 	if (tmp)
6884 		gen_and(tmp, b);
6885 
6886 	return b;
6887 }
6888 
6889 struct arth *
6890 gen_loadlen()
6891 {
6892 	int regno = alloc_reg();
6893 	struct arth *a = (struct arth *)newchunk(sizeof(*a));
6894 	struct slist *s;
6895 
6896 	s = new_stmt(BPF_LD|BPF_LEN);
6897 	s->next = new_stmt(BPF_ST);
6898 	s->next->s.k = regno;
6899 	a->s = s;
6900 	a->regno = regno;
6901 
6902 	return a;
6903 }
6904 
6905 struct arth *
6906 gen_loadi(val)
6907 	int val;
6908 {
6909 	struct arth *a;
6910 	struct slist *s;
6911 	int reg;
6912 
6913 	a = (struct arth *)newchunk(sizeof(*a));
6914 
6915 	reg = alloc_reg();
6916 
6917 	s = new_stmt(BPF_LD|BPF_IMM);
6918 	s->s.k = val;
6919 	s->next = new_stmt(BPF_ST);
6920 	s->next->s.k = reg;
6921 	a->s = s;
6922 	a->regno = reg;
6923 
6924 	return a;
6925 }
6926 
6927 struct arth *
6928 gen_neg(a)
6929 	struct arth *a;
6930 {
6931 	struct slist *s;
6932 
6933 	s = xfer_to_a(a);
6934 	sappend(a->s, s);
6935 	s = new_stmt(BPF_ALU|BPF_NEG);
6936 	s->s.k = 0;
6937 	sappend(a->s, s);
6938 	s = new_stmt(BPF_ST);
6939 	s->s.k = a->regno;
6940 	sappend(a->s, s);
6941 
6942 	return a;
6943 }
6944 
6945 struct arth *
6946 gen_arth(code, a0, a1)
6947 	int code;
6948 	struct arth *a0, *a1;
6949 {
6950 	struct slist *s0, *s1, *s2;
6951 
6952 	s0 = xfer_to_x(a1);
6953 	s1 = xfer_to_a(a0);
6954 	s2 = new_stmt(BPF_ALU|BPF_X|code);
6955 
6956 	sappend(s1, s2);
6957 	sappend(s0, s1);
6958 	sappend(a1->s, s0);
6959 	sappend(a0->s, a1->s);
6960 
6961 	free_reg(a0->regno);
6962 	free_reg(a1->regno);
6963 
6964 	s0 = new_stmt(BPF_ST);
6965 	a0->regno = s0->s.k = alloc_reg();
6966 	sappend(a0->s, s0);
6967 
6968 	return a0;
6969 }
6970 
6971 /*
6972  * Here we handle simple allocation of the scratch registers.
6973  * If too many registers are alloc'd, the allocator punts.
6974  */
6975 static int regused[BPF_MEMWORDS];
6976 static int curreg;
6977 
6978 /*
6979  * Initialize the table of used registers and the current register.
6980  */
6981 static void
6982 init_regs()
6983 {
6984 	curreg = 0;
6985 	memset(regused, 0, sizeof regused);
6986 }
6987 
6988 /*
6989  * Return the next free register.
6990  */
6991 static int
6992 alloc_reg()
6993 {
6994 	int n = BPF_MEMWORDS;
6995 
6996 	while (--n >= 0) {
6997 		if (regused[curreg])
6998 			curreg = (curreg + 1) % BPF_MEMWORDS;
6999 		else {
7000 			regused[curreg] = 1;
7001 			return curreg;
7002 		}
7003 	}
7004 	bpf_error("too many registers needed to evaluate expression");
7005 	/* NOTREACHED */
7006 	return 0;
7007 }
7008 
7009 /*
7010  * Return a register to the table so it can
7011  * be used later.
7012  */
7013 static void
7014 free_reg(n)
7015 	int n;
7016 {
7017 	regused[n] = 0;
7018 }
7019 
7020 static struct block *
7021 gen_len(jmp, n)
7022 	int jmp, n;
7023 {
7024 	struct slist *s;
7025 	struct block *b;
7026 
7027 	s = new_stmt(BPF_LD|BPF_LEN);
7028 	b = new_block(JMP(jmp));
7029 	b->stmts = s;
7030 	b->s.k = n;
7031 
7032 	return b;
7033 }
7034 
7035 struct block *
7036 gen_greater(n)
7037 	int n;
7038 {
7039 	return gen_len(BPF_JGE, n);
7040 }
7041 
7042 /*
7043  * Actually, this is less than or equal.
7044  */
7045 struct block *
7046 gen_less(n)
7047 	int n;
7048 {
7049 	struct block *b;
7050 
7051 	b = gen_len(BPF_JGT, n);
7052 	gen_not(b);
7053 
7054 	return b;
7055 }
7056 
7057 /*
7058  * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7059  * the beginning of the link-layer header.
7060  * XXX - that means you can't test values in the radiotap header, but
7061  * as that header is difficult if not impossible to parse generally
7062  * without a loop, that might not be a severe problem.  A new keyword
7063  * "radio" could be added for that, although what you'd really want
7064  * would be a way of testing particular radio header values, which
7065  * would generate code appropriate to the radio header in question.
7066  */
7067 struct block *
7068 gen_byteop(op, idx, val)
7069 	int op, idx, val;
7070 {
7071 	struct block *b;
7072 	struct slist *s;
7073 
7074 	switch (op) {
7075 	default:
7076 		abort();
7077 
7078 	case '=':
7079 		return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7080 
7081 	case '<':
7082 		b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7083 		return b;
7084 
7085 	case '>':
7086 		b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7087 		return b;
7088 
7089 	case '|':
7090 		s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7091 		break;
7092 
7093 	case '&':
7094 		s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7095 		break;
7096 	}
7097 	s->s.k = val;
7098 	b = new_block(JMP(BPF_JEQ));
7099 	b->stmts = s;
7100 	gen_not(b);
7101 
7102 	return b;
7103 }
7104 
7105 static u_char abroadcast[] = { 0x0 };
7106 
7107 struct block *
7108 gen_broadcast(proto)
7109 	int proto;
7110 {
7111 	bpf_u_int32 hostmask;
7112 	struct block *b0, *b1, *b2;
7113 	static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7114 
7115 	switch (proto) {
7116 
7117 	case Q_DEFAULT:
7118 	case Q_LINK:
7119 		switch (linktype) {
7120 		case DLT_ARCNET:
7121 		case DLT_ARCNET_LINUX:
7122 			return gen_ahostop(abroadcast, Q_DST);
7123 		case DLT_EN10MB:
7124 			return gen_ehostop(ebroadcast, Q_DST);
7125 		case DLT_FDDI:
7126 			return gen_fhostop(ebroadcast, Q_DST);
7127 		case DLT_IEEE802:
7128 			return gen_thostop(ebroadcast, Q_DST);
7129 		case DLT_IEEE802_11:
7130 		case DLT_PRISM_HEADER:
7131 		case DLT_IEEE802_11_RADIO_AVS:
7132 		case DLT_IEEE802_11_RADIO:
7133 		case DLT_PPI:
7134 			return gen_wlanhostop(ebroadcast, Q_DST);
7135 		case DLT_IP_OVER_FC:
7136 			return gen_ipfchostop(ebroadcast, Q_DST);
7137 		case DLT_SUNATM:
7138 			if (is_lane) {
7139 				/*
7140 				 * Check that the packet doesn't begin with an
7141 				 * LE Control marker.  (We've already generated
7142 				 * a test for LANE.)
7143 				 */
7144 				b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7145 				    BPF_H, 0xFF00);
7146 				gen_not(b1);
7147 
7148 				/*
7149 				 * Now check the MAC address.
7150 				 */
7151 				b0 = gen_ehostop(ebroadcast, Q_DST);
7152 				gen_and(b1, b0);
7153 				return b0;
7154 			}
7155 			break;
7156 		default:
7157 			bpf_error("not a broadcast link");
7158 		}
7159 		break;
7160 
7161 	case Q_IP:
7162 		/*
7163 		 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7164 		 * as an indication that we don't know the netmask, and fail
7165 		 * in that case.
7166 		 */
7167 		if (netmask == PCAP_NETMASK_UNKNOWN)
7168 			bpf_error("netmask not known, so 'ip broadcast' not supported");
7169 		b0 = gen_linktype(ETHERTYPE_IP);
7170 		hostmask = ~netmask;
7171 		b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7172 		b2 = gen_mcmp(OR_NET, 16, BPF_W,
7173 			      (bpf_int32)(~0 & hostmask), hostmask);
7174 		gen_or(b1, b2);
7175 		gen_and(b0, b2);
7176 		return b2;
7177 	}
7178 	bpf_error("only link-layer/IP broadcast filters supported");
7179 	/* NOTREACHED */
7180 	return NULL;
7181 }
7182 
7183 /*
7184  * Generate code to test the low-order bit of a MAC address (that's
7185  * the bottom bit of the *first* byte).
7186  */
7187 static struct block *
7188 gen_mac_multicast(offset)
7189 	int offset;
7190 {
7191 	register struct block *b0;
7192 	register struct slist *s;
7193 
7194 	/* link[offset] & 1 != 0 */
7195 	s = gen_load_a(OR_LINK, offset, BPF_B);
7196 	b0 = new_block(JMP(BPF_JSET));
7197 	b0->s.k = 1;
7198 	b0->stmts = s;
7199 	return b0;
7200 }
7201 
7202 struct block *
7203 gen_multicast(proto)
7204 	int proto;
7205 {
7206 	register struct block *b0, *b1, *b2;
7207 	register struct slist *s;
7208 
7209 	switch (proto) {
7210 
7211 	case Q_DEFAULT:
7212 	case Q_LINK:
7213 		switch (linktype) {
7214 		case DLT_ARCNET:
7215 		case DLT_ARCNET_LINUX:
7216 			/* all ARCnet multicasts use the same address */
7217 			return gen_ahostop(abroadcast, Q_DST);
7218 		case DLT_EN10MB:
7219 			/* ether[0] & 1 != 0 */
7220 			return gen_mac_multicast(0);
7221 		case DLT_FDDI:
7222 			/*
7223 			 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7224 			 *
7225 			 * XXX - was that referring to bit-order issues?
7226 			 */
7227 			/* fddi[1] & 1 != 0 */
7228 			return gen_mac_multicast(1);
7229 		case DLT_IEEE802:
7230 			/* tr[2] & 1 != 0 */
7231 			return gen_mac_multicast(2);
7232 		case DLT_IEEE802_11:
7233 		case DLT_PRISM_HEADER:
7234 		case DLT_IEEE802_11_RADIO_AVS:
7235 		case DLT_IEEE802_11_RADIO:
7236 		case DLT_PPI:
7237 			/*
7238 			 * Oh, yuk.
7239 			 *
7240 			 *	For control frames, there is no DA.
7241 			 *
7242 			 *	For management frames, DA is at an
7243 			 *	offset of 4 from the beginning of
7244 			 *	the packet.
7245 			 *
7246 			 *	For data frames, DA is at an offset
7247 			 *	of 4 from the beginning of the packet
7248 			 *	if To DS is clear and at an offset of
7249 			 *	16 from the beginning of the packet
7250 			 *	if To DS is set.
7251 			 */
7252 
7253 			/*
7254 			 * Generate the tests to be done for data frames.
7255 			 *
7256 			 * First, check for To DS set, i.e. "link[1] & 0x01".
7257 			 */
7258 			s = gen_load_a(OR_LINK, 1, BPF_B);
7259 			b1 = new_block(JMP(BPF_JSET));
7260 			b1->s.k = 0x01;	/* To DS */
7261 			b1->stmts = s;
7262 
7263 			/*
7264 			 * If To DS is set, the DA is at 16.
7265 			 */
7266 			b0 = gen_mac_multicast(16);
7267 			gen_and(b1, b0);
7268 
7269 			/*
7270 			 * Now, check for To DS not set, i.e. check
7271 			 * "!(link[1] & 0x01)".
7272 			 */
7273 			s = gen_load_a(OR_LINK, 1, BPF_B);
7274 			b2 = new_block(JMP(BPF_JSET));
7275 			b2->s.k = 0x01;	/* To DS */
7276 			b2->stmts = s;
7277 			gen_not(b2);
7278 
7279 			/*
7280 			 * If To DS is not set, the DA is at 4.
7281 			 */
7282 			b1 = gen_mac_multicast(4);
7283 			gen_and(b2, b1);
7284 
7285 			/*
7286 			 * Now OR together the last two checks.  That gives
7287 			 * the complete set of checks for data frames.
7288 			 */
7289 			gen_or(b1, b0);
7290 
7291 			/*
7292 			 * Now check for a data frame.
7293 			 * I.e, check "link[0] & 0x08".
7294 			 */
7295 			s = gen_load_a(OR_LINK, 0, BPF_B);
7296 			b1 = new_block(JMP(BPF_JSET));
7297 			b1->s.k = 0x08;
7298 			b1->stmts = s;
7299 
7300 			/*
7301 			 * AND that with the checks done for data frames.
7302 			 */
7303 			gen_and(b1, b0);
7304 
7305 			/*
7306 			 * If the high-order bit of the type value is 0, this
7307 			 * is a management frame.
7308 			 * I.e, check "!(link[0] & 0x08)".
7309 			 */
7310 			s = gen_load_a(OR_LINK, 0, BPF_B);
7311 			b2 = new_block(JMP(BPF_JSET));
7312 			b2->s.k = 0x08;
7313 			b2->stmts = s;
7314 			gen_not(b2);
7315 
7316 			/*
7317 			 * For management frames, the DA is at 4.
7318 			 */
7319 			b1 = gen_mac_multicast(4);
7320 			gen_and(b2, b1);
7321 
7322 			/*
7323 			 * OR that with the checks done for data frames.
7324 			 * That gives the checks done for management and
7325 			 * data frames.
7326 			 */
7327 			gen_or(b1, b0);
7328 
7329 			/*
7330 			 * If the low-order bit of the type value is 1,
7331 			 * this is either a control frame or a frame
7332 			 * with a reserved type, and thus not a
7333 			 * frame with an SA.
7334 			 *
7335 			 * I.e., check "!(link[0] & 0x04)".
7336 			 */
7337 			s = gen_load_a(OR_LINK, 0, BPF_B);
7338 			b1 = new_block(JMP(BPF_JSET));
7339 			b1->s.k = 0x04;
7340 			b1->stmts = s;
7341 			gen_not(b1);
7342 
7343 			/*
7344 			 * AND that with the checks for data and management
7345 			 * frames.
7346 			 */
7347 			gen_and(b1, b0);
7348 			return b0;
7349 		case DLT_IP_OVER_FC:
7350 			b0 = gen_mac_multicast(2);
7351 			return b0;
7352 		case DLT_SUNATM:
7353 			if (is_lane) {
7354 				/*
7355 				 * Check that the packet doesn't begin with an
7356 				 * LE Control marker.  (We've already generated
7357 				 * a test for LANE.)
7358 				 */
7359 				b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7360 				    BPF_H, 0xFF00);
7361 				gen_not(b1);
7362 
7363 				/* ether[off_mac] & 1 != 0 */
7364 				b0 = gen_mac_multicast(off_mac);
7365 				gen_and(b1, b0);
7366 				return b0;
7367 			}
7368 			break;
7369 		default:
7370 			break;
7371 		}
7372 		/* Link not known to support multicasts */
7373 		break;
7374 
7375 	case Q_IP:
7376 		b0 = gen_linktype(ETHERTYPE_IP);
7377 		b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7378 		gen_and(b0, b1);
7379 		return b1;
7380 
7381 #ifdef INET6
7382 	case Q_IPV6:
7383 		b0 = gen_linktype(ETHERTYPE_IPV6);
7384 		b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7385 		gen_and(b0, b1);
7386 		return b1;
7387 #endif /* INET6 */
7388 	}
7389 	bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7390 	/* NOTREACHED */
7391 	return NULL;
7392 }
7393 
7394 /*
7395  * generate command for inbound/outbound.  It's here so we can
7396  * make it link-type specific.  'dir' = 0 implies "inbound",
7397  * = 1 implies "outbound".
7398  */
7399 struct block *
7400 gen_inbound(dir)
7401 	int dir;
7402 {
7403 	register struct block *b0;
7404 
7405 	/*
7406 	 * Only some data link types support inbound/outbound qualifiers.
7407 	 */
7408 	switch (linktype) {
7409 	case DLT_SLIP:
7410 		b0 = gen_relation(BPF_JEQ,
7411 			  gen_load(Q_LINK, gen_loadi(0), 1),
7412 			  gen_loadi(0),
7413 			  dir);
7414 		break;
7415 
7416 	case DLT_IPNET:
7417 		if (dir) {
7418 			/* match outgoing packets */
7419 			b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7420 		} else {
7421 			/* match incoming packets */
7422 			b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7423 		}
7424 		break;
7425 
7426 	case DLT_LINUX_SLL:
7427 		if (dir) {
7428 			/*
7429 			 * Match packets sent by this machine.
7430 			 */
7431 			b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7432 		} else {
7433 			/*
7434 			 * Match packets sent to this machine.
7435 			 * (No broadcast or multicast packets, or
7436 			 * packets sent to some other machine and
7437 			 * received promiscuously.)
7438 			 *
7439 			 * XXX - packets sent to other machines probably
7440 			 * shouldn't be matched, but what about broadcast
7441 			 * or multicast packets we received?
7442 			 */
7443 			b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
7444 		}
7445 		break;
7446 
7447 #ifdef HAVE_NET_PFVAR_H
7448 	case DLT_PFLOG:
7449 		b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7450 		    (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7451 		break;
7452 #endif
7453 
7454 	case DLT_PPP_PPPD:
7455 		if (dir) {
7456 			/* match outgoing packets */
7457 			b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7458 		} else {
7459 			/* match incoming packets */
7460 			b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7461 		}
7462 		break;
7463 
7464         case DLT_JUNIPER_MFR:
7465         case DLT_JUNIPER_MLFR:
7466         case DLT_JUNIPER_MLPPP:
7467 	case DLT_JUNIPER_ATM1:
7468 	case DLT_JUNIPER_ATM2:
7469 	case DLT_JUNIPER_PPPOE:
7470 	case DLT_JUNIPER_PPPOE_ATM:
7471         case DLT_JUNIPER_GGSN:
7472         case DLT_JUNIPER_ES:
7473         case DLT_JUNIPER_MONITOR:
7474         case DLT_JUNIPER_SERVICES:
7475         case DLT_JUNIPER_ETHER:
7476         case DLT_JUNIPER_PPP:
7477         case DLT_JUNIPER_FRELAY:
7478         case DLT_JUNIPER_CHDLC:
7479         case DLT_JUNIPER_VP:
7480         case DLT_JUNIPER_ST:
7481         case DLT_JUNIPER_ISM:
7482 		/* juniper flags (including direction) are stored
7483 		 * the byte after the 3-byte magic number */
7484 		if (dir) {
7485 			/* match outgoing packets */
7486 			b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7487 		} else {
7488 			/* match incoming packets */
7489 			b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7490 		}
7491 		break;
7492 
7493 	default:
7494 		bpf_error("inbound/outbound not supported on linktype %d",
7495 		    linktype);
7496 		b0 = NULL;
7497 		/* NOTREACHED */
7498 	}
7499 	return (b0);
7500 }
7501 
7502 #ifdef HAVE_NET_PFVAR_H
7503 /* PF firewall log matched interface */
7504 struct block *
7505 gen_pf_ifname(const char *ifname)
7506 {
7507 	struct block *b0;
7508 	u_int len, off;
7509 
7510 	if (linktype != DLT_PFLOG) {
7511 		bpf_error("ifname supported only on PF linktype");
7512 		/* NOTREACHED */
7513 	}
7514 	len = sizeof(((struct pfloghdr *)0)->ifname);
7515 	off = offsetof(struct pfloghdr, ifname);
7516 	if (strlen(ifname) >= len) {
7517 		bpf_error("ifname interface names can only be %d characters",
7518 		    len-1);
7519 		/* NOTREACHED */
7520 	}
7521 	b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7522 	return (b0);
7523 }
7524 
7525 /* PF firewall log ruleset name */
7526 struct block *
7527 gen_pf_ruleset(char *ruleset)
7528 {
7529 	struct block *b0;
7530 
7531 	if (linktype != DLT_PFLOG) {
7532 		bpf_error("ruleset supported only on PF linktype");
7533 		/* NOTREACHED */
7534 	}
7535 
7536 	if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7537 		bpf_error("ruleset names can only be %ld characters",
7538 		    (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7539 		/* NOTREACHED */
7540 	}
7541 
7542 	b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7543 	    strlen(ruleset), (const u_char *)ruleset);
7544 	return (b0);
7545 }
7546 
7547 /* PF firewall log rule number */
7548 struct block *
7549 gen_pf_rnr(int rnr)
7550 {
7551 	struct block *b0;
7552 
7553 	if (linktype != DLT_PFLOG) {
7554 		bpf_error("rnr supported only on PF linktype");
7555 		/* NOTREACHED */
7556 	}
7557 
7558 	b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7559 		 (bpf_int32)rnr);
7560 	return (b0);
7561 }
7562 
7563 /* PF firewall log sub-rule number */
7564 struct block *
7565 gen_pf_srnr(int srnr)
7566 {
7567 	struct block *b0;
7568 
7569 	if (linktype != DLT_PFLOG) {
7570 		bpf_error("srnr supported only on PF linktype");
7571 		/* NOTREACHED */
7572 	}
7573 
7574 	b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7575 	    (bpf_int32)srnr);
7576 	return (b0);
7577 }
7578 
7579 /* PF firewall log reason code */
7580 struct block *
7581 gen_pf_reason(int reason)
7582 {
7583 	struct block *b0;
7584 
7585 	if (linktype != DLT_PFLOG) {
7586 		bpf_error("reason supported only on PF linktype");
7587 		/* NOTREACHED */
7588 	}
7589 
7590 	b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7591 	    (bpf_int32)reason);
7592 	return (b0);
7593 }
7594 
7595 /* PF firewall log action */
7596 struct block *
7597 gen_pf_action(int action)
7598 {
7599 	struct block *b0;
7600 
7601 	if (linktype != DLT_PFLOG) {
7602 		bpf_error("action supported only on PF linktype");
7603 		/* NOTREACHED */
7604 	}
7605 
7606 	b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7607 	    (bpf_int32)action);
7608 	return (b0);
7609 }
7610 #else /* !HAVE_NET_PFVAR_H */
7611 struct block *
7612 gen_pf_ifname(const char *ifname)
7613 {
7614 	bpf_error("libpcap was compiled without pf support");
7615 	/* NOTREACHED */
7616 	return (NULL);
7617 }
7618 
7619 struct block *
7620 gen_pf_ruleset(char *ruleset)
7621 {
7622 	bpf_error("libpcap was compiled on a machine without pf support");
7623 	/* NOTREACHED */
7624 	return (NULL);
7625 }
7626 
7627 struct block *
7628 gen_pf_rnr(int rnr)
7629 {
7630 	bpf_error("libpcap was compiled on a machine without pf support");
7631 	/* NOTREACHED */
7632 	return (NULL);
7633 }
7634 
7635 struct block *
7636 gen_pf_srnr(int srnr)
7637 {
7638 	bpf_error("libpcap was compiled on a machine without pf support");
7639 	/* NOTREACHED */
7640 	return (NULL);
7641 }
7642 
7643 struct block *
7644 gen_pf_reason(int reason)
7645 {
7646 	bpf_error("libpcap was compiled on a machine without pf support");
7647 	/* NOTREACHED */
7648 	return (NULL);
7649 }
7650 
7651 struct block *
7652 gen_pf_action(int action)
7653 {
7654 	bpf_error("libpcap was compiled on a machine without pf support");
7655 	/* NOTREACHED */
7656 	return (NULL);
7657 }
7658 #endif /* HAVE_NET_PFVAR_H */
7659 
7660 /* IEEE 802.11 wireless header */
7661 struct block *
7662 gen_p80211_type(int type, int mask)
7663 {
7664 	struct block *b0;
7665 
7666 	switch (linktype) {
7667 
7668 	case DLT_IEEE802_11:
7669 	case DLT_PRISM_HEADER:
7670 	case DLT_IEEE802_11_RADIO_AVS:
7671 	case DLT_IEEE802_11_RADIO:
7672 		b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7673 		    (bpf_int32)mask);
7674 		break;
7675 
7676 	default:
7677 		bpf_error("802.11 link-layer types supported only on 802.11");
7678 		/* NOTREACHED */
7679 	}
7680 
7681 	return (b0);
7682 }
7683 
7684 struct block *
7685 gen_p80211_fcdir(int fcdir)
7686 {
7687 	struct block *b0;
7688 
7689 	switch (linktype) {
7690 
7691 	case DLT_IEEE802_11:
7692 	case DLT_PRISM_HEADER:
7693 	case DLT_IEEE802_11_RADIO_AVS:
7694 	case DLT_IEEE802_11_RADIO:
7695 		break;
7696 
7697 	default:
7698 		bpf_error("frame direction supported only with 802.11 headers");
7699 		/* NOTREACHED */
7700 	}
7701 
7702 	b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7703 		(bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7704 
7705 	return (b0);
7706 }
7707 
7708 struct block *
7709 gen_acode(eaddr, q)
7710 	register const u_char *eaddr;
7711 	struct qual q;
7712 {
7713 	switch (linktype) {
7714 
7715 	case DLT_ARCNET:
7716 	case DLT_ARCNET_LINUX:
7717 		if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7718 		    q.proto == Q_LINK)
7719 			return (gen_ahostop(eaddr, (int)q.dir));
7720 		else {
7721 			bpf_error("ARCnet address used in non-arc expression");
7722 			/* NOTREACHED */
7723 		}
7724 		break;
7725 
7726 	default:
7727 		bpf_error("aid supported only on ARCnet");
7728 		/* NOTREACHED */
7729 	}
7730 	bpf_error("ARCnet address used in non-arc expression");
7731 	/* NOTREACHED */
7732 	return NULL;
7733 }
7734 
7735 static struct block *
7736 gen_ahostop(eaddr, dir)
7737 	register const u_char *eaddr;
7738 	register int dir;
7739 {
7740 	register struct block *b0, *b1;
7741 
7742 	switch (dir) {
7743 	/* src comes first, different from Ethernet */
7744 	case Q_SRC:
7745 		return gen_bcmp(OR_LINK, 0, 1, eaddr);
7746 
7747 	case Q_DST:
7748 		return gen_bcmp(OR_LINK, 1, 1, eaddr);
7749 
7750 	case Q_AND:
7751 		b0 = gen_ahostop(eaddr, Q_SRC);
7752 		b1 = gen_ahostop(eaddr, Q_DST);
7753 		gen_and(b0, b1);
7754 		return b1;
7755 
7756 	case Q_DEFAULT:
7757 	case Q_OR:
7758 		b0 = gen_ahostop(eaddr, Q_SRC);
7759 		b1 = gen_ahostop(eaddr, Q_DST);
7760 		gen_or(b0, b1);
7761 		return b1;
7762 	}
7763 	abort();
7764 	/* NOTREACHED */
7765 }
7766 
7767 /*
7768  * support IEEE 802.1Q VLAN trunk over ethernet
7769  */
7770 struct block *
7771 gen_vlan(vlan_num)
7772 	int vlan_num;
7773 {
7774 	struct	block	*b0, *b1;
7775 
7776 	/* can't check for VLAN-encapsulated packets inside MPLS */
7777 	if (label_stack_depth > 0)
7778 		bpf_error("no VLAN match after MPLS");
7779 
7780 	/*
7781 	 * Check for a VLAN packet, and then change the offsets to point
7782 	 * to the type and data fields within the VLAN packet.  Just
7783 	 * increment the offsets, so that we can support a hierarchy, e.g.
7784 	 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7785 	 * VLAN 100.
7786 	 *
7787 	 * XXX - this is a bit of a kludge.  If we were to split the
7788 	 * compiler into a parser that parses an expression and
7789 	 * generates an expression tree, and a code generator that
7790 	 * takes an expression tree (which could come from our
7791 	 * parser or from some other parser) and generates BPF code,
7792 	 * we could perhaps make the offsets parameters of routines
7793 	 * and, in the handler for an "AND" node, pass to subnodes
7794 	 * other than the VLAN node the adjusted offsets.
7795 	 *
7796 	 * This would mean that "vlan" would, instead of changing the
7797 	 * behavior of *all* tests after it, change only the behavior
7798 	 * of tests ANDed with it.  That would change the documented
7799 	 * semantics of "vlan", which might break some expressions.
7800 	 * However, it would mean that "(vlan and ip) or ip" would check
7801 	 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7802 	 * checking only for VLAN-encapsulated IP, so that could still
7803 	 * be considered worth doing; it wouldn't break expressions
7804 	 * that are of the form "vlan and ..." or "vlan N and ...",
7805 	 * which I suspect are the most common expressions involving
7806 	 * "vlan".  "vlan or ..." doesn't necessarily do what the user
7807 	 * would really want, now, as all the "or ..." tests would
7808 	 * be done assuming a VLAN, even though the "or" could be viewed
7809 	 * as meaning "or, if this isn't a VLAN packet...".
7810 	 */
7811 	orig_nl = off_nl;
7812 
7813 	switch (linktype) {
7814 
7815 	case DLT_EN10MB:
7816 		/* check for VLAN */
7817 		b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7818 		    (bpf_int32)ETHERTYPE_8021Q);
7819 
7820 		/* If a specific VLAN is requested, check VLAN id */
7821 		if (vlan_num >= 0) {
7822 			b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7823 			    (bpf_int32)vlan_num, 0x0fff);
7824 			gen_and(b0, b1);
7825 			b0 = b1;
7826 		}
7827 
7828 		off_macpl += 4;
7829 		off_linktype += 4;
7830 #if 0
7831 		off_nl_nosnap += 4;
7832 		off_nl += 4;
7833 #endif
7834 		break;
7835 
7836 	default:
7837 		bpf_error("no VLAN support for data link type %d",
7838 		      linktype);
7839 		/*NOTREACHED*/
7840 	}
7841 
7842 	return (b0);
7843 }
7844 
7845 /*
7846  * support for MPLS
7847  */
7848 struct block *
7849 gen_mpls(label_num)
7850 	int label_num;
7851 {
7852 	struct	block	*b0,*b1;
7853 
7854 	/*
7855 	 * Change the offsets to point to the type and data fields within
7856 	 * the MPLS packet.  Just increment the offsets, so that we
7857 	 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7858 	 * capture packets with an outer label of 100000 and an inner
7859 	 * label of 1024.
7860 	 *
7861 	 * XXX - this is a bit of a kludge.  See comments in gen_vlan().
7862 	 */
7863         orig_nl = off_nl;
7864 
7865         if (label_stack_depth > 0) {
7866             /* just match the bottom-of-stack bit clear */
7867             b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
7868         } else {
7869             /*
7870              * Indicate that we're checking MPLS-encapsulated headers,
7871              * to make sure higher level code generators don't try to
7872              * match against IP-related protocols such as Q_ARP, Q_RARP
7873              * etc.
7874              */
7875             switch (linktype) {
7876 
7877             case DLT_C_HDLC: /* fall through */
7878             case DLT_EN10MB:
7879                     b0 = gen_linktype(ETHERTYPE_MPLS);
7880                     break;
7881 
7882             case DLT_PPP:
7883                     b0 = gen_linktype(PPP_MPLS_UCAST);
7884                     break;
7885 
7886                     /* FIXME add other DLT_s ...
7887                      * for Frame-Relay/and ATM this may get messy due to SNAP headers
7888                      * leave it for now */
7889 
7890             default:
7891                     bpf_error("no MPLS support for data link type %d",
7892                           linktype);
7893                     b0 = NULL;
7894                     /*NOTREACHED*/
7895                     break;
7896             }
7897         }
7898 
7899 	/* If a specific MPLS label is requested, check it */
7900 	if (label_num >= 0) {
7901 		label_num = label_num << 12; /* label is shifted 12 bits on the wire */
7902 		b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
7903 		    0xfffff000); /* only compare the first 20 bits */
7904 		gen_and(b0, b1);
7905 		b0 = b1;
7906 	}
7907 
7908         off_nl_nosnap += 4;
7909         off_nl += 4;
7910         label_stack_depth++;
7911 	return (b0);
7912 }
7913 
7914 /*
7915  * Support PPPOE discovery and session.
7916  */
7917 struct block *
7918 gen_pppoed()
7919 {
7920 	/* check for PPPoE discovery */
7921 	return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
7922 }
7923 
7924 struct block *
7925 gen_pppoes()
7926 {
7927 	struct block *b0;
7928 
7929 	/*
7930 	 * Test against the PPPoE session link-layer type.
7931 	 */
7932 	b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
7933 
7934 	/*
7935 	 * Change the offsets to point to the type and data fields within
7936 	 * the PPP packet, and note that this is PPPoE rather than
7937 	 * raw PPP.
7938 	 *
7939 	 * XXX - this is a bit of a kludge.  If we were to split the
7940 	 * compiler into a parser that parses an expression and
7941 	 * generates an expression tree, and a code generator that
7942 	 * takes an expression tree (which could come from our
7943 	 * parser or from some other parser) and generates BPF code,
7944 	 * we could perhaps make the offsets parameters of routines
7945 	 * and, in the handler for an "AND" node, pass to subnodes
7946 	 * other than the PPPoE node the adjusted offsets.
7947 	 *
7948 	 * This would mean that "pppoes" would, instead of changing the
7949 	 * behavior of *all* tests after it, change only the behavior
7950 	 * of tests ANDed with it.  That would change the documented
7951 	 * semantics of "pppoes", which might break some expressions.
7952 	 * However, it would mean that "(pppoes and ip) or ip" would check
7953 	 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7954 	 * checking only for VLAN-encapsulated IP, so that could still
7955 	 * be considered worth doing; it wouldn't break expressions
7956 	 * that are of the form "pppoes and ..." which I suspect are the
7957 	 * most common expressions involving "pppoes".  "pppoes or ..."
7958 	 * doesn't necessarily do what the user would really want, now,
7959 	 * as all the "or ..." tests would be done assuming PPPoE, even
7960 	 * though the "or" could be viewed as meaning "or, if this isn't
7961 	 * a PPPoE packet...".
7962 	 */
7963 	orig_linktype = off_linktype;	/* save original values */
7964 	orig_nl = off_nl;
7965 	is_pppoes = 1;
7966 
7967 	/*
7968 	 * The "network-layer" protocol is PPPoE, which has a 6-byte
7969 	 * PPPoE header, followed by a PPP packet.
7970 	 *
7971 	 * There is no HDLC encapsulation for the PPP packet (it's
7972 	 * encapsulated in PPPoES instead), so the link-layer type
7973 	 * starts at the first byte of the PPP packet.  For PPPoE,
7974 	 * that offset is relative to the beginning of the total
7975 	 * link-layer payload, including any 802.2 LLC header, so
7976 	 * it's 6 bytes past off_nl.
7977 	 */
7978 	off_linktype = off_nl + 6;
7979 
7980 	/*
7981 	 * The network-layer offsets are relative to the beginning
7982 	 * of the MAC-layer payload; that's past the 6-byte
7983 	 * PPPoE header and the 2-byte PPP header.
7984 	 */
7985 	off_nl = 6+2;
7986 	off_nl_nosnap = 6+2;
7987 
7988 	return b0;
7989 }
7990 
7991 struct block *
7992 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
7993 	int atmfield;
7994 	bpf_int32 jvalue;
7995 	bpf_u_int32 jtype;
7996 	int reverse;
7997 {
7998 	struct block *b0;
7999 
8000 	switch (atmfield) {
8001 
8002 	case A_VPI:
8003 		if (!is_atm)
8004 			bpf_error("'vpi' supported only on raw ATM");
8005 		if (off_vpi == (u_int)-1)
8006 			abort();
8007 		b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
8008 		    reverse, jvalue);
8009 		break;
8010 
8011 	case A_VCI:
8012 		if (!is_atm)
8013 			bpf_error("'vci' supported only on raw ATM");
8014 		if (off_vci == (u_int)-1)
8015 			abort();
8016 		b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
8017 		    reverse, jvalue);
8018 		break;
8019 
8020 	case A_PROTOTYPE:
8021 		if (off_proto == (u_int)-1)
8022 			abort();	/* XXX - this isn't on FreeBSD */
8023 		b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
8024 		    reverse, jvalue);
8025 		break;
8026 
8027 	case A_MSGTYPE:
8028 		if (off_payload == (u_int)-1)
8029 			abort();
8030 		b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
8031 		    0xffffffff, jtype, reverse, jvalue);
8032 		break;
8033 
8034 	case A_CALLREFTYPE:
8035 		if (!is_atm)
8036 			bpf_error("'callref' supported only on raw ATM");
8037 		if (off_proto == (u_int)-1)
8038 			abort();
8039 		b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
8040 		    jtype, reverse, jvalue);
8041 		break;
8042 
8043 	default:
8044 		abort();
8045 	}
8046 	return b0;
8047 }
8048 
8049 struct block *
8050 gen_atmtype_abbrev(type)
8051 	int type;
8052 {
8053 	struct block *b0, *b1;
8054 
8055 	switch (type) {
8056 
8057 	case A_METAC:
8058 		/* Get all packets in Meta signalling Circuit */
8059 		if (!is_atm)
8060 			bpf_error("'metac' supported only on raw ATM");
8061 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8062 		b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8063 		gen_and(b0, b1);
8064 		break;
8065 
8066 	case A_BCC:
8067 		/* Get all packets in Broadcast Circuit*/
8068 		if (!is_atm)
8069 			bpf_error("'bcc' supported only on raw ATM");
8070 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8071 		b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8072 		gen_and(b0, b1);
8073 		break;
8074 
8075 	case A_OAMF4SC:
8076 		/* Get all cells in Segment OAM F4 circuit*/
8077 		if (!is_atm)
8078 			bpf_error("'oam4sc' supported only on raw ATM");
8079 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8080 		b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8081 		gen_and(b0, b1);
8082 		break;
8083 
8084 	case A_OAMF4EC:
8085 		/* Get all cells in End-to-End OAM F4 Circuit*/
8086 		if (!is_atm)
8087 			bpf_error("'oam4ec' supported only on raw ATM");
8088 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8089 		b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8090 		gen_and(b0, b1);
8091 		break;
8092 
8093 	case A_SC:
8094 		/*  Get all packets in connection Signalling Circuit */
8095 		if (!is_atm)
8096 			bpf_error("'sc' supported only on raw ATM");
8097 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8098 		b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8099 		gen_and(b0, b1);
8100 		break;
8101 
8102 	case A_ILMIC:
8103 		/* Get all packets in ILMI Circuit */
8104 		if (!is_atm)
8105 			bpf_error("'ilmic' supported only on raw ATM");
8106 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8107 		b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8108 		gen_and(b0, b1);
8109 		break;
8110 
8111 	case A_LANE:
8112 		/* Get all LANE packets */
8113 		if (!is_atm)
8114 			bpf_error("'lane' supported only on raw ATM");
8115 		b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8116 
8117 		/*
8118 		 * Arrange that all subsequent tests assume LANE
8119 		 * rather than LLC-encapsulated packets, and set
8120 		 * the offsets appropriately for LANE-encapsulated
8121 		 * Ethernet.
8122 		 *
8123 		 * "off_mac" is the offset of the Ethernet header,
8124 		 * which is 2 bytes past the ATM pseudo-header
8125 		 * (skipping the pseudo-header and 2-byte LE Client
8126 		 * field).  The other offsets are Ethernet offsets
8127 		 * relative to "off_mac".
8128 		 */
8129 		is_lane = 1;
8130 		off_mac = off_payload + 2;	/* MAC header */
8131 		off_linktype = off_mac + 12;
8132 		off_macpl = off_mac + 14;	/* Ethernet */
8133 		off_nl = 0;			/* Ethernet II */
8134 		off_nl_nosnap = 3;		/* 802.3+802.2 */
8135 		break;
8136 
8137 	case A_LLC:
8138 		/* Get all LLC-encapsulated packets */
8139 		if (!is_atm)
8140 			bpf_error("'llc' supported only on raw ATM");
8141 		b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8142 		is_lane = 0;
8143 		break;
8144 
8145 	default:
8146 		abort();
8147 	}
8148 	return b1;
8149 }
8150 
8151 /*
8152  * Filtering for MTP2 messages based on li value
8153  * FISU, length is null
8154  * LSSU, length is 1 or 2
8155  * MSU, length is 3 or more
8156  */
8157 struct block *
8158 gen_mtp2type_abbrev(type)
8159 	int type;
8160 {
8161 	struct block *b0, *b1;
8162 
8163 	switch (type) {
8164 
8165 	case M_FISU:
8166 		if ( (linktype != DLT_MTP2) &&
8167 		     (linktype != DLT_ERF) &&
8168 		     (linktype != DLT_MTP2_WITH_PHDR) )
8169 			bpf_error("'fisu' supported only on MTP2");
8170 		/* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8171 		b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8172 		break;
8173 
8174 	case M_LSSU:
8175 		if ( (linktype != DLT_MTP2) &&
8176 		     (linktype != DLT_ERF) &&
8177 		     (linktype != DLT_MTP2_WITH_PHDR) )
8178 			bpf_error("'lssu' supported only on MTP2");
8179 		b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8180 		b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8181 		gen_and(b1, b0);
8182 		break;
8183 
8184 	case M_MSU:
8185 		if ( (linktype != DLT_MTP2) &&
8186 		     (linktype != DLT_ERF) &&
8187 		     (linktype != DLT_MTP2_WITH_PHDR) )
8188 			bpf_error("'msu' supported only on MTP2");
8189 		b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8190 		break;
8191 
8192 	default:
8193 		abort();
8194 	}
8195 	return b0;
8196 }
8197 
8198 struct block *
8199 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8200 	int mtp3field;
8201 	bpf_u_int32 jvalue;
8202 	bpf_u_int32 jtype;
8203 	int reverse;
8204 {
8205 	struct block *b0;
8206 	bpf_u_int32 val1 , val2 , val3;
8207 
8208 	switch (mtp3field) {
8209 
8210 	case M_SIO:
8211 		if (off_sio == (u_int)-1)
8212 			bpf_error("'sio' supported only on SS7");
8213 		/* sio coded on 1 byte so max value 255 */
8214 		if(jvalue > 255)
8215 		        bpf_error("sio value %u too big; max value = 255",
8216 		            jvalue);
8217 		b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8218 		    (u_int)jtype, reverse, (u_int)jvalue);
8219 		break;
8220 
8221         case M_OPC:
8222 	        if (off_opc == (u_int)-1)
8223 			bpf_error("'opc' supported only on SS7");
8224 		/* opc coded on 14 bits so max value 16383 */
8225 		if (jvalue > 16383)
8226 		        bpf_error("opc value %u too big; max value = 16383",
8227 		            jvalue);
8228 		/* the following instructions are made to convert jvalue
8229 		 * to the form used to write opc in an ss7 message*/
8230 		val1 = jvalue & 0x00003c00;
8231 		val1 = val1 >>10;
8232 		val2 = jvalue & 0x000003fc;
8233 		val2 = val2 <<6;
8234 		val3 = jvalue & 0x00000003;
8235 		val3 = val3 <<22;
8236 		jvalue = val1 + val2 + val3;
8237 		b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8238 		    (u_int)jtype, reverse, (u_int)jvalue);
8239 		break;
8240 
8241 	case M_DPC:
8242 	        if (off_dpc == (u_int)-1)
8243 			bpf_error("'dpc' supported only on SS7");
8244 		/* dpc coded on 14 bits so max value 16383 */
8245 		if (jvalue > 16383)
8246 		        bpf_error("dpc value %u too big; max value = 16383",
8247 		            jvalue);
8248 		/* the following instructions are made to convert jvalue
8249 		 * to the forme used to write dpc in an ss7 message*/
8250 		val1 = jvalue & 0x000000ff;
8251 		val1 = val1 << 24;
8252 		val2 = jvalue & 0x00003f00;
8253 		val2 = val2 << 8;
8254 		jvalue = val1 + val2;
8255 		b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8256 		    (u_int)jtype, reverse, (u_int)jvalue);
8257 		break;
8258 
8259 	case M_SLS:
8260 	        if (off_sls == (u_int)-1)
8261 			bpf_error("'sls' supported only on SS7");
8262 		/* sls coded on 4 bits so max value 15 */
8263 		if (jvalue > 15)
8264 		         bpf_error("sls value %u too big; max value = 15",
8265 		             jvalue);
8266 		/* the following instruction is made to convert jvalue
8267 		 * to the forme used to write sls in an ss7 message*/
8268 		jvalue = jvalue << 4;
8269 		b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8270 		    (u_int)jtype,reverse, (u_int)jvalue);
8271 		break;
8272 
8273 	default:
8274 		abort();
8275 	}
8276 	return b0;
8277 }
8278 
8279 static struct block *
8280 gen_msg_abbrev(type)
8281 	int type;
8282 {
8283 	struct block *b1;
8284 
8285 	/*
8286 	 * Q.2931 signalling protocol messages for handling virtual circuits
8287 	 * establishment and teardown
8288 	 */
8289 	switch (type) {
8290 
8291 	case A_SETUP:
8292 		b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8293 		break;
8294 
8295 	case A_CALLPROCEED:
8296 		b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8297 		break;
8298 
8299 	case A_CONNECT:
8300 		b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8301 		break;
8302 
8303 	case A_CONNECTACK:
8304 		b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8305 		break;
8306 
8307 	case A_RELEASE:
8308 		b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8309 		break;
8310 
8311 	case A_RELEASE_DONE:
8312 		b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8313 		break;
8314 
8315 	default:
8316 		abort();
8317 	}
8318 	return b1;
8319 }
8320 
8321 struct block *
8322 gen_atmmulti_abbrev(type)
8323 	int type;
8324 {
8325 	struct block *b0, *b1;
8326 
8327 	switch (type) {
8328 
8329 	case A_OAM:
8330 		if (!is_atm)
8331 			bpf_error("'oam' supported only on raw ATM");
8332 		b1 = gen_atmmulti_abbrev(A_OAMF4);
8333 		break;
8334 
8335 	case A_OAMF4:
8336 		if (!is_atm)
8337 			bpf_error("'oamf4' supported only on raw ATM");
8338 		/* OAM F4 type */
8339 		b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8340 		b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8341 		gen_or(b0, b1);
8342 		b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8343 		gen_and(b0, b1);
8344 		break;
8345 
8346 	case A_CONNECTMSG:
8347 		/*
8348 		 * Get Q.2931 signalling messages for switched
8349 		 * virtual connection
8350 		 */
8351 		if (!is_atm)
8352 			bpf_error("'connectmsg' supported only on raw ATM");
8353 		b0 = gen_msg_abbrev(A_SETUP);
8354 		b1 = gen_msg_abbrev(A_CALLPROCEED);
8355 		gen_or(b0, b1);
8356 		b0 = gen_msg_abbrev(A_CONNECT);
8357 		gen_or(b0, b1);
8358 		b0 = gen_msg_abbrev(A_CONNECTACK);
8359 		gen_or(b0, b1);
8360 		b0 = gen_msg_abbrev(A_RELEASE);
8361 		gen_or(b0, b1);
8362 		b0 = gen_msg_abbrev(A_RELEASE_DONE);
8363 		gen_or(b0, b1);
8364 		b0 = gen_atmtype_abbrev(A_SC);
8365 		gen_and(b0, b1);
8366 		break;
8367 
8368 	case A_METACONNECT:
8369 		if (!is_atm)
8370 			bpf_error("'metaconnect' supported only on raw ATM");
8371 		b0 = gen_msg_abbrev(A_SETUP);
8372 		b1 = gen_msg_abbrev(A_CALLPROCEED);
8373 		gen_or(b0, b1);
8374 		b0 = gen_msg_abbrev(A_CONNECT);
8375 		gen_or(b0, b1);
8376 		b0 = gen_msg_abbrev(A_RELEASE);
8377 		gen_or(b0, b1);
8378 		b0 = gen_msg_abbrev(A_RELEASE_DONE);
8379 		gen_or(b0, b1);
8380 		b0 = gen_atmtype_abbrev(A_METAC);
8381 		gen_and(b0, b1);
8382 		break;
8383 
8384 	default:
8385 		abort();
8386 	}
8387 	return b1;
8388 }
8389