xref: /freebsd/contrib/libpcap/pcap-bpf.c (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8)
1 /*
2  * Copyright (c) 1993, 1994, 1995, 1996, 1998
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * $FreeBSD$
22  */
23 #ifndef lint
24 static const char rcsid[] _U_ =
25     "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.86.2.12 2007/06/15 17:57:27 guy Exp $ (LBL)";
26 #endif
27 
28 #ifdef HAVE_CONFIG_H
29 #include "config.h"
30 #endif
31 
32 #include <sys/param.h>			/* optionally get BSD define */
33 #include <sys/mman.h>
34 #include <sys/time.h>
35 #include <sys/timeb.h>
36 #include <sys/socket.h>
37 #include <sys/file.h>
38 #include <sys/ioctl.h>
39 #include <sys/utsname.h>
40 
41 #include <net/if.h>
42 
43 #ifdef _AIX
44 
45 /*
46  * Make "pcap.h" not include "pcap-bpf.h"; we are going to include the
47  * native OS version, as we need "struct bpf_config" from it.
48  */
49 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
50 
51 #include <sys/types.h>
52 
53 /*
54  * Prevent bpf.h from redefining the DLT_ values to their
55  * IFT_ values, as we're going to return the standard libpcap
56  * values, not IBM's non-standard IFT_ values.
57  */
58 #undef _AIX
59 #include <net/bpf.h>
60 #define _AIX
61 
62 #include <net/if_types.h>		/* for IFT_ values */
63 #include <sys/sysconfig.h>
64 #include <sys/device.h>
65 #include <sys/cfgodm.h>
66 #include <cf.h>
67 
68 #ifdef __64BIT__
69 #define domakedev makedev64
70 #define getmajor major64
71 #define bpf_hdr bpf_hdr32
72 #else /* __64BIT__ */
73 #define domakedev makedev
74 #define getmajor major
75 #endif /* __64BIT__ */
76 
77 #define BPF_NAME "bpf"
78 #define BPF_MINORS 4
79 #define DRIVER_PATH "/usr/lib/drivers"
80 #define BPF_NODE "/dev/bpf"
81 static int bpfloadedflag = 0;
82 static int odmlockid = 0;
83 
84 #else /* _AIX */
85 
86 #include <net/bpf.h>
87 
88 #endif /* _AIX */
89 
90 #ifdef BIOCSETBUFMODE
91 #include <machine/atomic.h>
92 #endif
93 
94 #include <ctype.h>
95 #include <errno.h>
96 #include <netdb.h>
97 #include <stdio.h>
98 #include <stdlib.h>
99 #include <string.h>
100 #include <unistd.h>
101 
102 #include "pcap-int.h"
103 
104 #ifdef HAVE_DAG_API
105 #include "pcap-dag.h"
106 #endif /* HAVE_DAG_API */
107 
108 #ifdef HAVE_OS_PROTO_H
109 #include "os-proto.h"
110 #endif
111 
112 #include "gencode.h"	/* for "no_optimize" */
113 
114 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp);
115 static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t);
116 static int pcap_set_datalink_bpf(pcap_t *p, int dlt);
117 
118 static int
119 pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps)
120 {
121 	struct bpf_stat s;
122 
123 	/*
124 	 * "ps_recv" counts packets handed to the filter, not packets
125 	 * that passed the filter.  This includes packets later dropped
126 	 * because we ran out of buffer space.
127 	 *
128 	 * "ps_drop" counts packets dropped inside the BPF device
129 	 * because we ran out of buffer space.  It doesn't count
130 	 * packets dropped by the interface driver.  It counts
131 	 * only packets that passed the filter.
132 	 *
133 	 * Both statistics include packets not yet read from the kernel
134 	 * by libpcap, and thus not yet seen by the application.
135 	 */
136 	if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) {
137 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s",
138 		    pcap_strerror(errno));
139 		return (-1);
140 	}
141 
142 	ps->ps_recv = s.bs_recv;
143 	ps->ps_drop = s.bs_drop;
144 	return (0);
145 }
146 
147 #ifdef BIOCGETBUFMODE
148 /*
149  * Zero-copy BPF buffer routines to check for and acknowledge BPF data in
150  * shared memory buffers.
151  *
152  * pcap_next_zbuf_shm(): Check for a newly available shared memory buffer,
153  * and set up p->buffer and cc to reflect one if available.  Notice that if
154  * there was no prior buffer, we select zbuf1 as this will be the first
155  * buffer filled for a fresh BPF session.
156  */
157 static int
158 pcap_next_zbuf_shm(pcap_t *p, int *cc)
159 {
160 	struct bpf_zbuf_header *bzh;
161 
162 	if (p->zbuffer == p->zbuf2 || p->zbuffer == NULL) {
163 		bzh = (struct bpf_zbuf_header *)p->zbuf1;
164 		if (bzh->bzh_user_gen !=
165 		    atomic_load_acq_int(&bzh->bzh_kernel_gen)) {
166 			p->bzh = bzh;
167 			p->zbuffer = (u_char *)p->zbuf1;
168 			p->buffer = p->zbuffer + sizeof(*bzh);
169 			*cc = bzh->bzh_kernel_len;
170 			return (1);
171 		}
172 	} else if (p->zbuffer == p->zbuf1) {
173 		bzh = (struct bpf_zbuf_header *)p->zbuf2;
174 		if (bzh->bzh_user_gen !=
175 		    atomic_load_acq_int(&bzh->bzh_kernel_gen)) {
176 			p->bzh = bzh;
177 			p->zbuffer = (u_char *)p->zbuf2;
178 			p->buffer = p->zbuffer + sizeof(*bzh);
179 			*cc = bzh->bzh_kernel_len;
180 			return (1);
181 		}
182 	}
183 	*cc = 0;
184 	return (0);
185 }
186 
187 /*
188  * pcap_next_zbuf() -- Similar to pcap_next_zbuf_shm(), except wait using
189  * select() for data or a timeout, and possibly force rotation of the buffer
190  * in the event we time out or are in immediate mode.  Invoke the shared
191  * memory check before doing system calls in order to avoid doing avoidable
192  * work.
193  */
194 static int
195 pcap_next_zbuf(pcap_t *p, int *cc)
196 {
197 	struct bpf_zbuf bz;
198 	struct timeval tv;
199 	struct timespec cur;
200 	fd_set r_set;
201 	int data, r;
202 	int tmout, expire;
203 
204 #define TSTOMILLI(ts) (((ts)->tv_sec * 1000) + ((ts)->tv_nsec / 1000000))
205 	/*
206 	 * Start out by seeing whether anything is waiting by checking the
207 	 * next shared memory buffer for data.
208 	 */
209 	data = pcap_next_zbuf_shm(p, cc);
210 	if (data)
211 		return (data);
212 	/*
213 	 * If a previous sleep was interrupted due to signal delivery, make
214 	 * sure that the timeout gets adjusted accordingly.  This requires
215 	 * that we analyze when the timeout should be been expired, and
216 	 * subtract the current time from that.  If after this operation,
217 	 * our timeout is less then or equal to zero, handle it like a
218 	 * regular timeout.
219 	 */
220 	tmout = p->to_ms;
221 	if (tmout)
222 		(void) clock_gettime(CLOCK_MONOTONIC, &cur);
223 	if (p->interrupted && p->to_ms) {
224 		expire = TSTOMILLI(&p->firstsel) + p->to_ms;
225 		tmout = expire - TSTOMILLI(&cur);
226 #undef TSTOMILLI
227 		if (tmout <= 0) {
228 			p->interrupted = 0;
229 			data = pcap_next_zbuf_shm(p, cc);
230 			if (data)
231 				return (data);
232 			if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) {
233 				(void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
234 				    "BIOCROTZBUF: %s", strerror(errno));
235 				return (-1);
236 			}
237 			return (pcap_next_zbuf_shm(p, cc));
238 		}
239 	}
240 	/*
241 	 * No data in the buffer, so must use select() to wait for data or
242 	 * the next timeout.
243 	 */
244 	FD_ZERO(&r_set);
245 	FD_SET(p->fd, &r_set);
246 	if (tmout != 0) {
247 		tv.tv_sec = tmout / 1000;
248 		tv.tv_usec = (tmout * 1000) % 1000000;
249 	}
250 	r = select(p->fd + 1, &r_set, NULL, NULL, p->to_ms != 0 ? &tv :
251 	    NULL);
252 	if (r < 0 && errno == EINTR) {
253 		if (!p->interrupted && p->to_ms) {
254 			p->interrupted = 1;
255 			p->firstsel = cur;
256 		}
257 		return (0);
258 	} else if (r < 0) {
259 		(void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
260 		    "select: %s", strerror(errno));
261 		return (-1);
262 	}
263 	p->interrupted = 0;
264 	/*
265 	 * Check again for data, which may exist now that we've either been
266 	 * woken up as a result of data or timed out.  Try the "there's data"
267 	 * case first since it doesn't require a system call.
268 	 */
269 	data = pcap_next_zbuf_shm(p, cc);
270 	if (data)
271 		return (data);
272 
273 	/*
274 	 * Try forcing a buffer rotation to dislodge timed out or immediate
275 	 * data.
276 	 */
277 	if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) {
278 		(void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
279 		    "BIOCROTZBUF: %s", strerror(errno));
280 		return (-1);
281 	}
282 	return (pcap_next_zbuf_shm(p, cc));
283 }
284 
285 /*
286  * Notify kernel that we are done with the buffer.  We don't reset zbuffer so
287  * that we know which buffer to use next time around.
288  */
289 static int
290 pcap_ack_zbuf(pcap_t *p)
291 {
292 
293 	atomic_store_rel_int(&p->bzh->bzh_user_gen, p->bzh->bzh_kernel_gen);
294 	p->bzh = NULL;
295 	p->buffer = NULL;
296 	return (0);
297 }
298 #endif
299 
300 static int
301 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
302 {
303 	int cc;
304 	int n = 0;
305 	register u_char *bp, *ep;
306 	u_char *datap;
307 	struct bpf_insn *fcode;
308 #ifdef BIOCSETBUFMODE
309 	int i;
310 #endif
311 #ifdef PCAP_FDDIPAD
312 	register int pad;
313 #endif
314 
315 	fcode = p->md.use_bpf ? NULL : p->fcode.bf_insns;
316  again:
317 	/*
318 	 * Has "pcap_breakloop()" been called?
319 	 */
320 	if (p->break_loop) {
321 		/*
322 		 * Yes - clear the flag that indicates that it
323 		 * has, and return -2 to indicate that we were
324 		 * told to break out of the loop.
325 		 */
326 		p->break_loop = 0;
327 		return (-2);
328 	}
329 	cc = p->cc;
330 	if (p->cc == 0) {
331 		/*
332 		 * When reading without zero-copy from a file descriptor, we
333 		 * use a single buffer and return a length of data in the
334 		 * buffer.  With zero-copy, we update the p->buffer pointer
335 		 * to point at whatever underlying buffer contains the next
336 		 * data and update cc to reflect the data found in the
337 		 * buffer.
338 		 */
339 #ifdef BIOCSETBUFMODE
340 		if (p->zerocopy) {
341 			if (p->buffer != NULL)
342 				pcap_ack_zbuf(p);
343 			i = pcap_next_zbuf(p, &cc);
344 			if (i == 0)
345 				goto again;
346 			if (i < 0)
347 				return (-1);
348 		} else
349 #endif
350 			cc = read(p->fd, (char *)p->buffer, p->bufsize);
351 
352 		if (cc < 0) {
353 			/* Don't choke when we get ptraced */
354 			switch (errno) {
355 
356 			case EINTR:
357 				goto again;
358 
359 #ifdef _AIX
360 			case EFAULT:
361 				/*
362 				 * Sigh.  More AIX wonderfulness.
363 				 *
364 				 * For some unknown reason the uiomove()
365 				 * operation in the bpf kernel extension
366 				 * used to copy the buffer into user
367 				 * space sometimes returns EFAULT. I have
368 				 * no idea why this is the case given that
369 				 * a kernel debugger shows the user buffer
370 				 * is correct. This problem appears to
371 				 * be mostly mitigated by the memset of
372 				 * the buffer before it is first used.
373 				 * Very strange.... Shaun Clowes
374 				 *
375 				 * In any case this means that we shouldn't
376 				 * treat EFAULT as a fatal error; as we
377 				 * don't have an API for returning
378 				 * a "some packets were dropped since
379 				 * the last packet you saw" indication,
380 				 * we just ignore EFAULT and keep reading.
381 				 */
382 				goto again;
383 #endif
384 
385 			case EWOULDBLOCK:
386 				return (0);
387 #if defined(sun) && !defined(BSD)
388 			/*
389 			 * Due to a SunOS bug, after 2^31 bytes, the kernel
390 			 * file offset overflows and read fails with EINVAL.
391 			 * The lseek() to 0 will fix things.
392 			 */
393 			case EINVAL:
394 				if (lseek(p->fd, 0L, SEEK_CUR) +
395 				    p->bufsize < 0) {
396 					(void)lseek(p->fd, 0L, SEEK_SET);
397 					goto again;
398 				}
399 				/* fall through */
400 #endif
401 			}
402 			snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s",
403 			    pcap_strerror(errno));
404 			return (-1);
405 		}
406 		bp = p->buffer;
407 	} else
408 		bp = p->bp;
409 
410 	/*
411 	 * Loop through each packet.
412 	 */
413 #define bhp ((struct bpf_hdr *)bp)
414 	ep = bp + cc;
415 #ifdef PCAP_FDDIPAD
416 	pad = p->fddipad;
417 #endif
418 	while (bp < ep) {
419 		register int caplen, hdrlen;
420 
421 		/*
422 		 * Has "pcap_breakloop()" been called?
423 		 * If so, return immediately - if we haven't read any
424 		 * packets, clear the flag and return -2 to indicate
425 		 * that we were told to break out of the loop, otherwise
426 		 * leave the flag set, so that the *next* call will break
427 		 * out of the loop without having read any packets, and
428 		 * return the number of packets we've processed so far.
429 		 */
430 		if (p->break_loop) {
431 			if (n == 0) {
432 				p->break_loop = 0;
433 				return (-2);
434 			} else {
435 				p->bp = bp;
436 				p->cc = ep - bp;
437 				return (n);
438 			}
439 		}
440 
441 		caplen = bhp->bh_caplen;
442 		hdrlen = bhp->bh_hdrlen;
443 		datap = bp + hdrlen;
444 		/*
445 		 * Short-circuit evaluation: if using BPF filter
446 		 * in kernel, no need to do it now.
447 		 *
448 #ifdef PCAP_FDDIPAD
449 		 * Note: the filter code was generated assuming
450 		 * that p->fddipad was the amount of padding
451 		 * before the header, as that's what's required
452 		 * in the kernel, so we run the filter before
453 		 * skipping that padding.
454 #endif
455 		 */
456 		if (fcode == NULL ||
457 		    bpf_filter(fcode, datap, bhp->bh_datalen, caplen)) {
458 			struct pcap_pkthdr pkthdr;
459 
460 			pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec;
461 #ifdef _AIX
462 			/*
463 			 * AIX's BPF returns seconds/nanoseconds time
464 			 * stamps, not seconds/microseconds time stamps.
465 			 */
466 			pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000;
467 #else
468 			pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec;
469 #endif
470 #ifdef PCAP_FDDIPAD
471 			if (caplen > pad)
472 				pkthdr.caplen = caplen - pad;
473 			else
474 				pkthdr.caplen = 0;
475 			if (bhp->bh_datalen > pad)
476 				pkthdr.len = bhp->bh_datalen - pad;
477 			else
478 				pkthdr.len = 0;
479 			datap += pad;
480 #else
481 			pkthdr.caplen = caplen;
482 			pkthdr.len = bhp->bh_datalen;
483 #endif
484 			(*callback)(user, &pkthdr, datap);
485 			bp += BPF_WORDALIGN(caplen + hdrlen);
486 			if (++n >= cnt && cnt > 0) {
487 				p->bp = bp;
488 				p->cc = ep - bp;
489 				return (n);
490 			}
491 		} else {
492 			/*
493 			 * Skip this packet.
494 			 */
495 			bp += BPF_WORDALIGN(caplen + hdrlen);
496 		}
497 	}
498 #undef bhp
499 	p->cc = 0;
500 	return (n);
501 }
502 
503 static int
504 pcap_inject_bpf(pcap_t *p, const void *buf, size_t size)
505 {
506 	int ret;
507 
508 	ret = write(p->fd, buf, size);
509 #ifdef __APPLE__
510 	if (ret == -1 && errno == EAFNOSUPPORT) {
511 		/*
512 		 * In Mac OS X, there's a bug wherein setting the
513 		 * BIOCSHDRCMPLT flag causes writes to fail; see,
514 		 * for example:
515 		 *
516 		 *	http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch
517 		 *
518 		 * So, if, on OS X, we get EAFNOSUPPORT from the write, we
519 		 * assume it's due to that bug, and turn off that flag
520 		 * and try again.  If we succeed, it either means that
521 		 * somebody applied the fix from that URL, or other patches
522 		 * for that bug from
523 		 *
524 		 *	http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/
525 		 *
526 		 * and are running a Darwin kernel with those fixes, or
527 		 * that Apple fixed the problem in some OS X release.
528 		 */
529 		u_int spoof_eth_src = 0;
530 
531 		if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
532 			(void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
533 			    "send: can't turn off BIOCSHDRCMPLT: %s",
534 			    pcap_strerror(errno));
535 			return (-1);
536 		}
537 
538 		/*
539 		 * Now try the write again.
540 		 */
541 		ret = write(p->fd, buf, size);
542 	}
543 #endif /* __APPLE__ */
544 	if (ret == -1) {
545 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
546 		    pcap_strerror(errno));
547 		return (-1);
548 	}
549 	return (ret);
550 }
551 
552 #ifdef _AIX
553 static int
554 bpf_odminit(char *errbuf)
555 {
556 	char *errstr;
557 
558 	if (odm_initialize() == -1) {
559 		if (odm_err_msg(odmerrno, &errstr) == -1)
560 			errstr = "Unknown error";
561 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
562 		    "bpf_load: odm_initialize failed: %s",
563 		    errstr);
564 		return (-1);
565 	}
566 
567 	if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) {
568 		if (odm_err_msg(odmerrno, &errstr) == -1)
569 			errstr = "Unknown error";
570 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
571 		    "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s",
572 		    errstr);
573 		return (-1);
574 	}
575 
576 	return (0);
577 }
578 
579 static int
580 bpf_odmcleanup(char *errbuf)
581 {
582 	char *errstr;
583 
584 	if (odm_unlock(odmlockid) == -1) {
585 		if (odm_err_msg(odmerrno, &errstr) == -1)
586 			errstr = "Unknown error";
587 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
588 		    "bpf_load: odm_unlock failed: %s",
589 		    errstr);
590 		return (-1);
591 	}
592 
593 	if (odm_terminate() == -1) {
594 		if (odm_err_msg(odmerrno, &errstr) == -1)
595 			errstr = "Unknown error";
596 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
597 		    "bpf_load: odm_terminate failed: %s",
598 		    errstr);
599 		return (-1);
600 	}
601 
602 	return (0);
603 }
604 
605 static int
606 bpf_load(char *errbuf)
607 {
608 	long major;
609 	int *minors;
610 	int numminors, i, rc;
611 	char buf[1024];
612 	struct stat sbuf;
613 	struct bpf_config cfg_bpf;
614 	struct cfg_load cfg_ld;
615 	struct cfg_kmod cfg_km;
616 
617 	/*
618 	 * This is very very close to what happens in the real implementation
619 	 * but I've fixed some (unlikely) bug situations.
620 	 */
621 	if (bpfloadedflag)
622 		return (0);
623 
624 	if (bpf_odminit(errbuf) != 0)
625 		return (-1);
626 
627 	major = genmajor(BPF_NAME);
628 	if (major == -1) {
629 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
630 		    "bpf_load: genmajor failed: %s", pcap_strerror(errno));
631 		return (-1);
632 	}
633 
634 	minors = getminor(major, &numminors, BPF_NAME);
635 	if (!minors) {
636 		minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1);
637 		if (!minors) {
638 			snprintf(errbuf, PCAP_ERRBUF_SIZE,
639 			    "bpf_load: genminor failed: %s",
640 			    pcap_strerror(errno));
641 			return (-1);
642 		}
643 	}
644 
645 	if (bpf_odmcleanup(errbuf))
646 		return (-1);
647 
648 	rc = stat(BPF_NODE "0", &sbuf);
649 	if (rc == -1 && errno != ENOENT) {
650 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
651 		    "bpf_load: can't stat %s: %s",
652 		    BPF_NODE "0", pcap_strerror(errno));
653 		return (-1);
654 	}
655 
656 	if (rc == -1 || getmajor(sbuf.st_rdev) != major) {
657 		for (i = 0; i < BPF_MINORS; i++) {
658 			sprintf(buf, "%s%d", BPF_NODE, i);
659 			unlink(buf);
660 			if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) {
661 				snprintf(errbuf, PCAP_ERRBUF_SIZE,
662 				    "bpf_load: can't mknod %s: %s",
663 				    buf, pcap_strerror(errno));
664 				return (-1);
665 			}
666 		}
667 	}
668 
669 	/* Check if the driver is loaded */
670 	memset(&cfg_ld, 0x0, sizeof(cfg_ld));
671 	cfg_ld.path = buf;
672 	sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME);
673 	if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) ||
674 	    (cfg_ld.kmid == 0)) {
675 		/* Driver isn't loaded, load it now */
676 		if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) {
677 			snprintf(errbuf, PCAP_ERRBUF_SIZE,
678 			    "bpf_load: could not load driver: %s",
679 			    strerror(errno));
680 			return (-1);
681 		}
682 	}
683 
684 	/* Configure the driver */
685 	cfg_km.cmd = CFG_INIT;
686 	cfg_km.kmid = cfg_ld.kmid;
687 	cfg_km.mdilen = sizeof(cfg_bpf);
688 	cfg_km.mdiptr = (void *)&cfg_bpf;
689 	for (i = 0; i < BPF_MINORS; i++) {
690 		cfg_bpf.devno = domakedev(major, i);
691 		if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) {
692 			snprintf(errbuf, PCAP_ERRBUF_SIZE,
693 			    "bpf_load: could not configure driver: %s",
694 			    strerror(errno));
695 			return (-1);
696 		}
697 	}
698 
699 	bpfloadedflag = 1;
700 
701 	return (0);
702 }
703 #endif
704 
705 static inline int
706 bpf_open(pcap_t *p, char *errbuf)
707 {
708 	int fd;
709 #ifdef HAVE_CLONING_BPF
710 	static const char device[] = "/dev/bpf";
711 #else
712 	int n = 0;
713 	char device[sizeof "/dev/bpf0000000000"];
714 #endif
715 
716 #ifdef _AIX
717 	/*
718 	 * Load the bpf driver, if it isn't already loaded,
719 	 * and create the BPF device entries, if they don't
720 	 * already exist.
721 	 */
722 	if (bpf_load(errbuf) == -1)
723 		return (-1);
724 #endif
725 
726 #ifdef HAVE_CLONING_BPF
727 	if ((fd = open(device, O_RDWR)) == -1 &&
728 	    (errno != EACCES || (fd = open(device, O_RDONLY)) == -1))
729 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
730 		  "(cannot open device) %s: %s", device, pcap_strerror(errno));
731 #else
732 	/*
733 	 * Go through all the minors and find one that isn't in use.
734 	 */
735 	do {
736 		(void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
737 		/*
738 		 * Initially try a read/write open (to allow the inject
739 		 * method to work).  If that fails due to permission
740 		 * issues, fall back to read-only.  This allows a
741 		 * non-root user to be granted specific access to pcap
742 		 * capabilities via file permissions.
743 		 *
744 		 * XXX - we should have an API that has a flag that
745 		 * controls whether to open read-only or read-write,
746 		 * so that denial of permission to send (or inability
747 		 * to send, if sending packets isn't supported on
748 		 * the device in question) can be indicated at open
749 		 * time.
750 		 */
751 		fd = open(device, O_RDWR);
752 		if (fd == -1 && errno == EACCES)
753 			fd = open(device, O_RDONLY);
754 	} while (fd < 0 && errno == EBUSY);
755 
756 	/*
757 	 * XXX better message for all minors used
758 	 */
759 	if (fd < 0)
760 		snprintf(errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s",
761 		    device, pcap_strerror(errno));
762 #endif
763 
764 	return (fd);
765 }
766 
767 /*
768  * We include the OS's <net/bpf.h>, not our "pcap-bpf.h", so we probably
769  * don't get DLT_DOCSIS defined.
770  */
771 #ifndef DLT_DOCSIS
772 #define DLT_DOCSIS	143
773 #endif
774 
775 pcap_t *
776 pcap_open_live(const char *device, int snaplen, int promisc, int to_ms,
777     char *ebuf)
778 {
779 	int fd;
780 	struct ifreq ifr;
781 	struct bpf_version bv;
782 #ifdef BIOCGDLTLIST
783 	struct bpf_dltlist bdl;
784 #endif
785 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
786 	u_int spoof_eth_src = 1;
787 #endif
788 	u_int v;
789 	pcap_t *p;
790 	struct bpf_insn total_insn;
791 	struct bpf_program total_prog;
792 	struct utsname osinfo;
793 #ifdef BIOCSETBUFMODE
794 	struct bpf_zbuf bz;
795 	u_int bufmode, zbufmax;
796 #endif
797 
798 #ifdef HAVE_DAG_API
799 	if (strstr(device, "dag")) {
800 		return dag_open_live(device, snaplen, promisc, to_ms, ebuf);
801 	}
802 #endif /* HAVE_DAG_API */
803 
804 #ifdef BIOCGDLTLIST
805 	memset(&bdl, 0, sizeof(bdl));
806 #endif
807 
808 	p = (pcap_t *)malloc(sizeof(*p));
809 	if (p == NULL) {
810 		snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
811 		    pcap_strerror(errno));
812 		return (NULL);
813 	}
814 	memset(p, 0, sizeof(*p));
815 	fd = bpf_open(p, ebuf);
816 	if (fd < 0)
817 		goto bad;
818 
819 	p->fd = fd;
820 	p->snapshot = snaplen;
821 
822 	if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) {
823 		snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s",
824 		    pcap_strerror(errno));
825 		goto bad;
826 	}
827 	if (bv.bv_major != BPF_MAJOR_VERSION ||
828 	    bv.bv_minor < BPF_MINOR_VERSION) {
829 		snprintf(ebuf, PCAP_ERRBUF_SIZE,
830 		    "kernel bpf filter out of date");
831 		goto bad;
832 	}
833 
834 #ifdef BIOCSETBUFMODE
835 	/*
836 	 * If the BPF extension to set buffer mode is present, try setting
837 	 * the mode to zero-copy.  If that fails, use regular buffering.  If
838 	 * it succeeds but other setup fails, return an error to the user.
839 	 */
840 	bufmode = BPF_BUFMODE_ZBUF;
841 	if (ioctl(fd, BIOCSETBUFMODE, (caddr_t)&bufmode) == 0) {
842 		p->zerocopy = 1;
843 
844 		/*
845 		 * How to pick a buffer size: first, query the maximum buffer
846 		 * size supported by zero-copy.  This also lets us quickly
847 		 * determine whether the kernel generally supports zero-copy.
848 		 * Then, query the default buffer size, which reflects kernel
849 		 * policy for a desired default.  Round to the nearest page
850 		 * size.
851 		 */
852 		if (ioctl(fd, BIOCGETZMAX, (caddr_t)&zbufmax) < 0) {
853 			snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGETZMAX: %s",
854 			    pcap_strerror(errno));
855 			goto bad;
856 		}
857 		if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768)
858 			v = 32768;
859 #ifndef roundup
860 #define	roundup(x, y)	((((x)+((y)-1))/(y))*(y))  /* to any y */
861 #endif
862 		p->zbufsize = roundup(v, getpagesize());
863 		if (p->zbufsize > zbufmax)
864 			p->zbufsize = zbufmax;
865 		p->zbuf1 = mmap(NULL, p->zbufsize, PROT_READ | PROT_WRITE,
866 		    MAP_ANON, -1, 0);
867 		p->zbuf2 = mmap(NULL, p->zbufsize, PROT_READ | PROT_WRITE,
868 		    MAP_ANON, -1, 0);
869 		if (p->zbuf1 == MAP_FAILED || p->zbuf2 == MAP_FAILED) {
870 			snprintf(ebuf, PCAP_ERRBUF_SIZE, "mmap: %s",
871 			    pcap_strerror(errno));
872 			goto bad;
873 		}
874 		bzero(&bz, sizeof(bz));
875 		bz.bz_bufa = p->zbuf1;
876 		bz.bz_bufb = p->zbuf2;
877 		bz.bz_buflen = p->zbufsize;
878 		if (ioctl(fd, BIOCSETZBUF, (caddr_t)&bz) < 0) {
879 			snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETZBUF: %s",
880 			    pcap_strerror(errno));
881 			goto bad;
882 		}
883 		(void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
884 		if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
885 			snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s",
886 			    device, pcap_strerror(errno));
887 			goto bad;
888 		}
889 		v = p->zbufsize - sizeof(struct bpf_zbuf_header);
890 	} else {
891 #endif
892 
893 		/*
894 		 * Try finding a good size for the buffer; 32768 may be too
895 		 * big, so keep cutting it in half until we find a size
896 		 * that works, or run out of sizes to try.  If the default
897 		 * is larger, don't make it smaller.
898 		 *
899 		 * XXX - there should be a user-accessible hook to set the
900 		 * initial buffer size.
901 		 */
902 		if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768)
903 			v = 32768;
904 		for ( ; v != 0; v >>= 1) {
905 			/* Ignore the return value - this is because the call
906 			 * fails on BPF systems that don't have kernel
907 			 * malloc.  And if the call fails, it's no big deal,
908 			 * we just continue to use the standard buffer size.
909 			 */
910 			(void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
911 
912 			(void)strncpy(ifr.ifr_name, device,
913 			    sizeof(ifr.ifr_name));
914 			if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0)
915 				break;	/* that size worked; we're done */
916 
917 			if (errno != ENOBUFS) {
918 				snprintf(ebuf, PCAP_ERRBUF_SIZE,
919 				    "BIOCSETIF: %s: %s",
920 				    device, pcap_strerror(errno));
921 				goto bad;
922 			}
923 		}
924 
925 		if (v == 0) {
926 			snprintf(ebuf, PCAP_ERRBUF_SIZE,
927 			    "BIOCSBLEN: %s: No buffer size worked", device);
928 			goto bad;
929 		}
930 #ifdef BIOCSETBUFMODE
931 	}
932 #endif
933 
934 	/* Get the data link layer type. */
935 	if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) {
936 		snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s",
937 		    pcap_strerror(errno));
938 		goto bad;
939 	}
940 #ifdef _AIX
941 	/*
942 	 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT.
943 	 */
944 	switch (v) {
945 
946 	case IFT_ETHER:
947 	case IFT_ISO88023:
948 		v = DLT_EN10MB;
949 		break;
950 
951 	case IFT_FDDI:
952 		v = DLT_FDDI;
953 		break;
954 
955 	case IFT_ISO88025:
956 		v = DLT_IEEE802;
957 		break;
958 
959 	case IFT_LOOP:
960 		v = DLT_NULL;
961 		break;
962 
963 	default:
964 		/*
965 		 * We don't know what to map this to yet.
966 		 */
967 		snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown interface type %u",
968 		    v);
969 		goto bad;
970 	}
971 #endif
972 #if _BSDI_VERSION - 0 >= 199510
973 	/* The SLIP and PPP link layer header changed in BSD/OS 2.1 */
974 	switch (v) {
975 
976 	case DLT_SLIP:
977 		v = DLT_SLIP_BSDOS;
978 		break;
979 
980 	case DLT_PPP:
981 		v = DLT_PPP_BSDOS;
982 		break;
983 
984 	case 11:	/*DLT_FR*/
985 		v = DLT_FRELAY;
986 		break;
987 
988 	case 12:	/*DLT_C_HDLC*/
989 		v = DLT_CHDLC;
990 		break;
991 	}
992 #endif
993 #ifdef PCAP_FDDIPAD
994 	if (v == DLT_FDDI)
995 		p->fddipad = PCAP_FDDIPAD;
996 	else
997 		p->fddipad = 0;
998 #endif
999 	p->linktype = v;
1000 
1001 #ifdef BIOCGDLTLIST
1002 	/*
1003 	 * We know the default link type -- now determine all the DLTs
1004 	 * this interface supports.  If this fails with EINVAL, it's
1005 	 * not fatal; we just don't get to use the feature later.
1006 	 */
1007 	if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) == 0) {
1008 		u_int i;
1009 		int is_ethernet;
1010 
1011 		bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * (bdl.bfl_len + 1));
1012 		if (bdl.bfl_list == NULL) {
1013 			(void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
1014 			    pcap_strerror(errno));
1015 			goto bad;
1016 		}
1017 
1018 		if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) < 0) {
1019 			(void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
1020 			    "BIOCGDLTLIST: %s", pcap_strerror(errno));
1021 			free(bdl.bfl_list);
1022 			goto bad;
1023 		}
1024 
1025 		/*
1026 		 * OK, for real Ethernet devices, add DLT_DOCSIS to the
1027 		 * list, so that an application can let you choose it,
1028 		 * in case you're capturing DOCSIS traffic that a Cisco
1029 		 * Cable Modem Termination System is putting out onto
1030 		 * an Ethernet (it doesn't put an Ethernet header onto
1031 		 * the wire, it puts raw DOCSIS frames out on the wire
1032 		 * inside the low-level Ethernet framing).
1033 		 *
1034 		 * A "real Ethernet device" is defined here as a device
1035 		 * that has a link-layer type of DLT_EN10MB and that has
1036 		 * no alternate link-layer types; that's done to exclude
1037 		 * 802.11 interfaces (which might or might not be the
1038 		 * right thing to do, but I suspect it is - Ethernet <->
1039 		 * 802.11 bridges would probably badly mishandle frames
1040 		 * that don't have Ethernet headers).
1041 		 */
1042 		if (p->linktype == DLT_EN10MB) {
1043 			is_ethernet = 1;
1044 			for (i = 0; i < bdl.bfl_len; i++) {
1045 				if (bdl.bfl_list[i] != DLT_EN10MB) {
1046 					is_ethernet = 0;
1047 					break;
1048 				}
1049 			}
1050 			if (is_ethernet) {
1051 				/*
1052 				 * We reserved one more slot at the end of
1053 				 * the list.
1054 				 */
1055 				bdl.bfl_list[bdl.bfl_len] = DLT_DOCSIS;
1056 				bdl.bfl_len++;
1057 			}
1058 		}
1059 		p->dlt_count = bdl.bfl_len;
1060 		p->dlt_list = bdl.bfl_list;
1061 	} else {
1062 		if (errno != EINVAL) {
1063 			(void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
1064 			    "BIOCGDLTLIST: %s", pcap_strerror(errno));
1065 			goto bad;
1066 		}
1067 	}
1068 #endif
1069 
1070 	/*
1071 	 * If this is an Ethernet device, and we don't have a DLT_ list,
1072 	 * give it a list with DLT_EN10MB and DLT_DOCSIS.  (That'd give
1073 	 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to
1074 	 * do, but there's not much we can do about that without finding
1075 	 * some other way of determining whether it's an Ethernet or 802.11
1076 	 * device.)
1077 	 */
1078 	if (p->linktype == DLT_EN10MB && p->dlt_count == 0) {
1079 		p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
1080 		/*
1081 		 * If that fails, just leave the list empty.
1082 		 */
1083 		if (p->dlt_list != NULL) {
1084 			p->dlt_list[0] = DLT_EN10MB;
1085 			p->dlt_list[1] = DLT_DOCSIS;
1086 			p->dlt_count = 2;
1087 		}
1088 	}
1089 
1090 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
1091 	/*
1092 	 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so
1093 	 * the link-layer source address isn't forcibly overwritten.
1094 	 * (Should we ignore errors?  Should we do this only if
1095 	 * we're open for writing?)
1096 	 *
1097 	 * XXX - I seem to remember some packet-sending bug in some
1098 	 * BSDs - check CVS log for "bpf.c"?
1099 	 */
1100 	if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
1101 		(void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
1102 		    "BIOCSHDRCMPLT: %s", pcap_strerror(errno));
1103 		goto bad;
1104 	}
1105 #endif
1106 	/* set timeout */
1107 	p->to_ms = to_ms;
1108 	if (to_ms != 0 && !p->zerocopy) {
1109 		/*
1110 		 * XXX - is this seconds/nanoseconds in AIX?
1111 		 * (Treating it as such doesn't fix the timeout
1112 		 * problem described below.)
1113 		 */
1114 		struct timeval to;
1115 		to.tv_sec = to_ms / 1000;
1116 		to.tv_usec = (to_ms * 1000) % 1000000;
1117 		if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) {
1118 			snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s",
1119 			    pcap_strerror(errno));
1120 			goto bad;
1121 		}
1122 	}
1123 #ifdef BIOCSETBUFMODE
1124 	p->timeout = to_ms;
1125 #endif
1126 
1127 #ifdef _AIX
1128 #ifdef	BIOCIMMEDIATE
1129 	/*
1130 	 * Darren Reed notes that
1131 	 *
1132 	 *	On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the
1133 	 *	timeout appears to be ignored and it waits until the buffer
1134 	 *	is filled before returning.  The result of not having it
1135 	 *	set is almost worse than useless if your BPF filter
1136 	 *	is reducing things to only a few packets (i.e. one every
1137 	 *	second or so).
1138 	 *
1139 	 * so we turn BIOCIMMEDIATE mode on if this is AIX.
1140 	 *
1141 	 * We don't turn it on for other platforms, as that means we
1142 	 * get woken up for every packet, which may not be what we want;
1143 	 * in the Winter 1993 USENIX paper on BPF, they say:
1144 	 *
1145 	 *	Since a process might want to look at every packet on a
1146 	 *	network and the time between packets can be only a few
1147 	 *	microseconds, it is not possible to do a read system call
1148 	 *	per packet and BPF must collect the data from several
1149 	 *	packets and return it as a unit when the monitoring
1150 	 *	application does a read.
1151 	 *
1152 	 * which I infer is the reason for the timeout - it means we
1153 	 * wait that amount of time, in the hopes that more packets
1154 	 * will arrive and we'll get them all with one read.
1155 	 *
1156 	 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other
1157 	 * BSDs) causes the timeout to be ignored.
1158 	 *
1159 	 * On the other hand, some platforms (e.g., Linux) don't support
1160 	 * timeouts, they just hand stuff to you as soon as it arrives;
1161 	 * if that doesn't cause a problem on those platforms, it may
1162 	 * be OK to have BIOCIMMEDIATE mode on BSD as well.
1163 	 *
1164 	 * (Note, though, that applications may depend on the read
1165 	 * completing, even if no packets have arrived, when the timeout
1166 	 * expires, e.g. GUI applications that have to check for input
1167 	 * while waiting for packets to arrive; a non-zero timeout
1168 	 * prevents "select()" from working right on FreeBSD and
1169 	 * possibly other BSDs, as the timer doesn't start until a
1170 	 * "read()" is done, so the timer isn't in effect if the
1171 	 * application is blocked on a "select()", and the "select()"
1172 	 * doesn't get woken up for a BPF device until the buffer
1173 	 * fills up.)
1174 	 */
1175 	v = 1;
1176 	if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
1177 		snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s",
1178 		    pcap_strerror(errno));
1179 		goto bad;
1180 	}
1181 #endif	/* BIOCIMMEDIATE */
1182 #endif	/* _AIX */
1183 
1184 	if (promisc) {
1185 		/* set promiscuous mode, okay if it fails */
1186 		if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) {
1187 			snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s",
1188 			    pcap_strerror(errno));
1189 		}
1190 	}
1191 
1192 	if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) {
1193 		snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s",
1194 		    pcap_strerror(errno));
1195 		goto bad;
1196 	}
1197 	p->bufsize = v;
1198 #ifdef BIOCSETBUFMODE
1199 	if (!p->zerocopy) {
1200 #endif
1201 		p->buffer = (u_char *)malloc(p->bufsize);
1202 		if (p->buffer == NULL) {
1203 			snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
1204 			    pcap_strerror(errno));
1205 			goto bad;
1206 		}
1207 #ifdef _AIX
1208 		/* For some strange reason this seems to prevent the EFAULT
1209 		 * problems we have experienced from AIX BPF. */
1210 		memset(p->buffer, 0x0, p->bufsize);
1211 #endif
1212 #ifdef BIOCSETBUFMODE
1213 	}
1214 #endif
1215 
1216 	/*
1217 	 * If there's no filter program installed, there's
1218 	 * no indication to the kernel of what the snapshot
1219 	 * length should be, so no snapshotting is done.
1220 	 *
1221 	 * Therefore, when we open the device, we install
1222 	 * an "accept everything" filter with the specified
1223 	 * snapshot length.
1224 	 */
1225 	total_insn.code = (u_short)(BPF_RET | BPF_K);
1226 	total_insn.jt = 0;
1227 	total_insn.jf = 0;
1228 	total_insn.k = snaplen;
1229 
1230 	total_prog.bf_len = 1;
1231 	total_prog.bf_insns = &total_insn;
1232 	if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) {
1233 		snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
1234 		    pcap_strerror(errno));
1235 		goto bad;
1236 	}
1237 
1238 	/*
1239 	 * On most BPF platforms, either you can do a "select()" or
1240 	 * "poll()" on a BPF file descriptor and it works correctly,
1241 	 * or you can do it and it will return "readable" if the
1242 	 * hold buffer is full but not if the timeout expires *and*
1243 	 * a non-blocking read will, if the hold buffer is empty
1244 	 * but the store buffer isn't empty, rotate the buffers
1245 	 * and return what packets are available.
1246 	 *
1247 	 * In the latter case, the fact that a non-blocking read
1248 	 * will give you the available packets means you can work
1249 	 * around the failure of "select()" and "poll()" to wake up
1250 	 * and return "readable" when the timeout expires by using
1251 	 * the timeout as the "select()" or "poll()" timeout, putting
1252 	 * the BPF descriptor into non-blocking mode, and read from
1253 	 * it regardless of whether "select()" reports it as readable
1254 	 * or not.
1255 	 *
1256 	 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()"
1257 	 * won't wake up and return "readable" if the timer expires
1258 	 * and non-blocking reads return EWOULDBLOCK if the hold
1259 	 * buffer is empty, even if the store buffer is non-empty.
1260 	 *
1261 	 * This means the workaround in question won't work.
1262 	 *
1263 	 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd"
1264 	 * to -1, which means "sorry, you can't use 'select()' or 'poll()'
1265 	 * here".  On all other BPF platforms, we set it to the FD for
1266 	 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking
1267 	 * read will, if the hold buffer is empty and the store buffer
1268 	 * isn't empty, rotate the buffers and return what packets are
1269 	 * there (and in sufficiently recent versions of OpenBSD
1270 	 * "select()" and "poll()" should work correctly).
1271 	 *
1272 	 * XXX - what about AIX?
1273 	 */
1274 	p->selectable_fd = p->fd;	/* assume select() works until we know otherwise */
1275 	if (uname(&osinfo) == 0) {
1276 		/*
1277 		 * We can check what OS this is.
1278 		 */
1279 		if (strcmp(osinfo.sysname, "FreeBSD") == 0) {
1280 			if (strncmp(osinfo.release, "4.3-", 4) == 0 ||
1281 			     strncmp(osinfo.release, "4.4-", 4) == 0)
1282 				p->selectable_fd = -1;
1283 		}
1284 	}
1285 
1286 	p->read_op = pcap_read_bpf;
1287 	p->inject_op = pcap_inject_bpf;
1288 	p->setfilter_op = pcap_setfilter_bpf;
1289 	p->setdirection_op = pcap_setdirection_bpf;
1290 	p->set_datalink_op = pcap_set_datalink_bpf;
1291 	p->getnonblock_op = pcap_getnonblock_fd;
1292 	p->setnonblock_op = pcap_setnonblock_fd;
1293 	p->stats_op = pcap_stats_bpf;
1294 	p->close_op = pcap_close_common;
1295 
1296 	return (p);
1297  bad:
1298 
1299 	(void)close(fd);
1300 #ifdef BIOCSETBUFMODE
1301 	/*
1302 	 * In zero-copy mode, p->buffer is just a pointer into one of the two
1303 	 * memory-mapped buffers, so no need to free it.
1304 	 */
1305 	if (p->zerocopy) {
1306 		if (p->zbuf1 != MAP_FAILED && p->zbuf1 != NULL)
1307 			munmap(p->zbuf1, p->zbufsize);
1308 		if (p->zbuf2 != MAP_FAILED && p->zbuf2 != NULL)
1309 			munmap(p->zbuf2, p->zbufsize);
1310 	} else
1311 #endif
1312 	if (p->buffer != NULL)
1313 		free(p->buffer);
1314 	if (p->dlt_list != NULL)
1315 		free(p->dlt_list);
1316 	free(p);
1317 	return (NULL);
1318 }
1319 
1320 int
1321 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
1322 {
1323 #ifdef HAVE_DAG_API
1324 	if (dag_platform_finddevs(alldevsp, errbuf) < 0)
1325 		return (-1);
1326 #endif /* HAVE_DAG_API */
1327 
1328 	return (0);
1329 }
1330 
1331 static int
1332 pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp)
1333 {
1334 	/*
1335 	 * It looks that BPF code generated by gen_protochain() is not
1336 	 * compatible with some of kernel BPF code (for example BSD/OS 3.1).
1337 	 * Take a safer side for now.
1338 	 */
1339 	if (no_optimize) {
1340 		/*
1341 		 * XXX - what if we already have a filter in the kernel?
1342 		 */
1343 		if (install_bpf_program(p, fp) < 0)
1344 			return (-1);
1345 		p->md.use_bpf = 0;	/* filtering in userland */
1346 		return (0);
1347 	}
1348 
1349 	/*
1350 	 * Free any user-mode filter we might happen to have installed.
1351 	 */
1352 	pcap_freecode(&p->fcode);
1353 
1354 	/*
1355 	 * Try to install the kernel filter.
1356 	 */
1357 	if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
1358 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
1359 		    pcap_strerror(errno));
1360 		return (-1);
1361 	}
1362 	p->md.use_bpf = 1;	/* filtering in the kernel */
1363 
1364 	/*
1365 	 * Discard any previously-received packets, as they might have
1366 	 * passed whatever filter was formerly in effect, but might
1367 	 * not pass this filter (BIOCSETF discards packets buffered
1368 	 * in the kernel, so you can lose packets in any case).
1369 	 */
1370 	p->cc = 0;
1371 	return (0);
1372 }
1373 
1374 /*
1375  * Set direction flag: Which packets do we accept on a forwarding
1376  * single device? IN, OUT or both?
1377  */
1378 static int
1379 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d)
1380 {
1381 #if defined(BIOCSDIRECTION)
1382 	u_int direction;
1383 
1384 	direction = (d == PCAP_D_IN) ? BPF_D_IN :
1385 	    ((d == PCAP_D_OUT) ? BPF_D_OUT : BPF_D_INOUT);
1386 	if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) {
1387 		(void) snprintf(p->errbuf, sizeof(p->errbuf),
1388 		    "Cannot set direction to %s: %s",
1389 		        (d == PCAP_D_IN) ? "PCAP_D_IN" :
1390 			((d == PCAP_D_OUT) ? "PCAP_D_OUT" : "PCAP_D_INOUT"),
1391 			strerror(errno));
1392 		return (-1);
1393 	}
1394 	return (0);
1395 #elif defined(BIOCSSEESENT)
1396 	u_int seesent;
1397 
1398 	/*
1399 	 * We don't support PCAP_D_OUT.
1400 	 */
1401 	if (d == PCAP_D_OUT) {
1402 		snprintf(p->errbuf, sizeof(p->errbuf),
1403 		    "Setting direction to PCAP_D_OUT is not supported on BPF");
1404 		return -1;
1405 	}
1406 
1407 	seesent = (d == PCAP_D_INOUT);
1408 	if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) {
1409 		(void) snprintf(p->errbuf, sizeof(p->errbuf),
1410 		    "Cannot set direction to %s: %s",
1411 		        (d == PCAP_D_INOUT) ? "PCAP_D_INOUT" : "PCAP_D_IN",
1412 			strerror(errno));
1413 		return (-1);
1414 	}
1415 	return (0);
1416 #else
1417 	(void) snprintf(p->errbuf, sizeof(p->errbuf),
1418 	    "This system doesn't support BIOCSSEESENT, so the direction can't be set");
1419 	return (-1);
1420 #endif
1421 }
1422 
1423 static int
1424 pcap_set_datalink_bpf(pcap_t *p, int dlt)
1425 {
1426 #ifdef BIOCSDLT
1427 	if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) {
1428 		(void) snprintf(p->errbuf, sizeof(p->errbuf),
1429 		    "Cannot set DLT %d: %s", dlt, strerror(errno));
1430 		return (-1);
1431 	}
1432 #endif
1433 	return (0);
1434 }
1435