libpcap  1.10.1
About: libpcap is a packet filter library used by tools like tcpdump.
  Fossies Dox: libpcap-1.10.1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

gencode.c
Go to the documentation of this file.
1 /*#define CHASE_CHAIN*/
2 /*
3  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4  * The Regents of the University of California. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that: (1) source code distributions
8  * retain the above copyright notice and this paragraph in its entirety, (2)
9  * distributions including binary code include the above copyright notice and
10  * this paragraph in its entirety in the documentation or other materials
11  * provided with the distribution, and (3) all advertising materials mentioning
12  * features or use of this software display the following acknowledgement:
13  * ``This product includes software developed by the University of California,
14  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15  * the University nor the names of its contributors may be used to endorse
16  * or promote products derived from this software without specific prior
17  * written permission.
18  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21  */
22 
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26 
27 #include <pcap-types.h>
28 #ifdef _WIN32
29  #include <ws2tcpip.h>
30 #else
31  #include <sys/socket.h>
32 
33  #ifdef __NetBSD__
34  #include <sys/param.h>
35  #endif
36 
37  #include <netinet/in.h>
38  #include <arpa/inet.h>
39 #endif /* _WIN32 */
40 
41 #include <stdlib.h>
42 #include <string.h>
43 #include <memory.h>
44 #include <setjmp.h>
45 #include <stdarg.h>
46 
47 #ifdef MSDOS
48 #include "pcap-dos.h"
49 #endif
50 
51 #ifdef HAVE_NET_PFVAR_H
52 /*
53  * In NetBSD <net/if.h> includes <net/dlt.h>, which is an older version of
54  * "pcap/dlt.h" with a lower value of DLT_MATCHING_MAX. Include the headers
55  * below before "pcap-int.h", which eventually includes "pcap/dlt.h", which
56  * redefines DLT_MATCHING_MAX from what this version of NetBSD has to what
57  * this version of libpcap has.
58  */
59 #include <sys/socket.h>
60 #include <net/if.h>
61 #include <net/pfvar.h>
62 #include <net/if_pflog.h>
63 #endif /* HAVE_NET_PFVAR_H */
64 
65 #include "pcap-int.h"
66 
67 #include "extract.h"
68 
69 #include "ethertype.h"
70 #include "nlpid.h"
71 #include "llc.h"
72 #include "gencode.h"
73 #include "ieee80211.h"
74 #include "atmuni31.h"
75 #include "sunatmpos.h"
76 #include "ppp.h"
77 #include "pcap/sll.h"
78 #include "pcap/ipnet.h"
79 #include "arcnet.h"
80 
81 #include "grammar.h"
82 #include "scanner.h"
83 
84 #if defined(linux)
85 #include <linux/types.h>
86 #include <linux/if_packet.h>
87 #include <linux/filter.h>
88 #endif
89 
90 #ifndef offsetof
91 #define offsetof(s, e) ((size_t)&((s *)0)->e)
92 #endif
93 
94 #ifdef _WIN32
95  #ifdef INET6
96  #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
97 /* IPv6 address */
98 struct in6_addr
99  {
100  union
101  {
102  uint8_t u6_addr8[16];
103  uint16_t u6_addr16[8];
104  uint32_t u6_addr32[4];
105  } in6_u;
106 #define s6_addr in6_u.u6_addr8
107 #define s6_addr16 in6_u.u6_addr16
108 #define s6_addr32 in6_u.u6_addr32
109 #define s6_addr64 in6_u.u6_addr64
110  };
111 
112 typedef unsigned short sa_family_t;
113 
114 #define __SOCKADDR_COMMON(sa_prefix) \
115  sa_family_t sa_prefix##family
116 
117 /* Ditto, for IPv6. */
118 struct sockaddr_in6
119  {
120  __SOCKADDR_COMMON (sin6_);
121  uint16_t sin6_port; /* Transport layer port # */
122  uint32_t sin6_flowinfo; /* IPv6 flow information */
123  struct in6_addr sin6_addr; /* IPv6 address */
124  };
125 
126  #ifndef EAI_ADDRFAMILY
127 struct addrinfo {
128  int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
129  int ai_family; /* PF_xxx */
130  int ai_socktype; /* SOCK_xxx */
131  int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
132  size_t ai_addrlen; /* length of ai_addr */
133  char *ai_canonname; /* canonical name for hostname */
134  struct sockaddr *ai_addr; /* binary address */
135  struct addrinfo *ai_next; /* next structure in linked list */
136 };
137  #endif /* EAI_ADDRFAMILY */
138  #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
139  #endif /* INET6 */
140 #else /* _WIN32 */
141  #include <netdb.h> /* for "struct addrinfo" */
142 #endif /* _WIN32 */
143 #include <pcap/namedb.h>
144 
145 #include "nametoaddr.h"
146 
147 #define ETHERMTU 1500
148 
149 #ifndef IPPROTO_HOPOPTS
150 #define IPPROTO_HOPOPTS 0
151 #endif
152 #ifndef IPPROTO_ROUTING
153 #define IPPROTO_ROUTING 43
154 #endif
155 #ifndef IPPROTO_FRAGMENT
156 #define IPPROTO_FRAGMENT 44
157 #endif
158 #ifndef IPPROTO_DSTOPTS
159 #define IPPROTO_DSTOPTS 60
160 #endif
161 #ifndef IPPROTO_SCTP
162 #define IPPROTO_SCTP 132
163 #endif
164 
165 #define GENEVE_PORT 6081
166 
167 #ifdef HAVE_OS_PROTO_H
168 #include "os-proto.h"
169 #endif
170 
171 #define JMP(c) ((c)|BPF_JMP|BPF_K)
172 
173 /*
174  * "Push" the current value of the link-layer header type and link-layer
175  * header offset onto a "stack", and set a new value. (It's not a
176  * full-blown stack; we keep only the top two items.)
177  */
178 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
179 { \
180  (cs)->prevlinktype = (cs)->linktype; \
181  (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
182  (cs)->linktype = (new_linktype); \
183  (cs)->off_linkhdr.is_variable = (new_is_variable); \
184  (cs)->off_linkhdr.constant_part = (new_constant_part); \
185  (cs)->off_linkhdr.reg = (new_reg); \
186  (cs)->is_geneve = 0; \
187 }
188 
189 /*
190  * Offset "not set" value.
191  */
192 #define OFFSET_NOT_SET 0xffffffffU
193 
194 /*
195  * Absolute offsets, which are offsets from the beginning of the raw
196  * packet data, are, in the general case, the sum of a variable value
197  * and a constant value; the variable value may be absent, in which
198  * case the offset is only the constant value, and the constant value
199  * may be zero, in which case the offset is only the variable value.
200  *
201  * bpf_abs_offset is a structure containing all that information:
202  *
203  * is_variable is 1 if there's a variable part.
204  *
205  * constant_part is the constant part of the value, possibly zero;
206  *
207  * if is_variable is 1, reg is the register number for a register
208  * containing the variable value if the register has been assigned,
209  * and -1 otherwise.
210  */
211 typedef struct {
214  int reg;
216 
217 /*
218  * Value passed to gen_load_a() to indicate what the offset argument
219  * is relative to the beginning of.
220  */
221 enum e_offrel {
222  OR_PACKET, /* full packet data */
223  OR_LINKHDR, /* link-layer header */
224  OR_PREVLINKHDR, /* previous link-layer header */
225  OR_LLC, /* 802.2 LLC header */
226  OR_PREVMPLSHDR, /* previous MPLS header */
227  OR_LINKTYPE, /* link-layer type */
228  OR_LINKPL, /* link-layer payload */
229  OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
230  OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
231  OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
232 };
233 
234 /*
235  * We divy out chunks of memory rather than call malloc each time so
236  * we don't have to worry about leaking memory. It's probably
237  * not a big deal if all this memory was wasted but if this ever
238  * goes into a library that would probably not be a good idea.
239  *
240  * XXX - this *is* in a library....
241  */
242 #define NCHUNKS 16
243 #define CHUNK0SIZE 1024
244 struct chunk {
245  size_t n_left;
246  void *m;
247 };
248 
249 /* Code generator state */
250 
252  jmp_buf top_ctx;
255 
256  struct icode ic;
257 
258  int snaplen;
259 
260  int linktype;
263 
266 
267  /* Hack for handling VLAN and MPLS stacks. */
270 
271  /* XXX */
273 
274  /*
275  * As errors are handled by a longjmp, anything allocated must
276  * be freed in the longjmp handler, so it must be reachable
277  * from that handler.
278  *
279  * One thing that's allocated is the result of pcap_nametoaddrinfo();
280  * it must be freed with freeaddrinfo(). This variable points to
281  * any addrinfo structure that would need to be freed.
282  */
283  struct addrinfo *ai;
284 
285  /*
286  * Another thing that's allocated is the result of pcap_ether_aton();
287  * it must be freed with free(). This variable points to any
288  * address that would need to be freed.
289  */
290  u_char *e;
291 
292  /*
293  * Various code constructs need to know the layout of the packet.
294  * These values give the necessary offsets from the beginning
295  * of the packet data.
296  */
297 
298  /*
299  * Absolute offset of the beginning of the link-layer header.
300  */
302 
303  /*
304  * If we're checking a link-layer header for a packet encapsulated
305  * in another protocol layer, this is the equivalent information
306  * for the previous layers' link-layer header from the beginning
307  * of the raw packet data.
308  */
310 
311  /*
312  * This is the equivalent information for the outermost layers'
313  * link-layer header.
314  */
316 
317  /*
318  * Absolute offset of the beginning of the link-layer payload.
319  */
321 
322  /*
323  * "off_linktype" is the offset to information in the link-layer
324  * header giving the packet type. This is an absolute offset
325  * from the beginning of the packet.
326  *
327  * For Ethernet, it's the offset of the Ethernet type field; this
328  * means that it must have a value that skips VLAN tags.
329  *
330  * For link-layer types that always use 802.2 headers, it's the
331  * offset of the LLC header; this means that it must have a value
332  * that skips VLAN tags.
333  *
334  * For PPP, it's the offset of the PPP type field.
335  *
336  * For Cisco HDLC, it's the offset of the CHDLC type field.
337  *
338  * For BSD loopback, it's the offset of the AF_ value.
339  *
340  * For Linux cooked sockets, it's the offset of the type field.
341  *
342  * off_linktype.constant_part is set to OFFSET_NOT_SET for no
343  * encapsulation, in which case, IP is assumed.
344  */
346 
347  /*
348  * TRUE if the link layer includes an ATM pseudo-header.
349  */
350  int is_atm;
351 
352  /*
353  * TRUE if "geneve" appeared in the filter; it causes us to
354  * generate code that checks for a Geneve header and assume
355  * that later filters apply to the encapsulated payload.
356  */
358 
359  /*
360  * TRUE if we need variable length part of VLAN offset
361  */
363 
364  /*
365  * These are offsets for the ATM pseudo-header.
366  */
367  u_int off_vpi;
368  u_int off_vci;
369  u_int off_proto;
370 
371  /*
372  * These are offsets for the MTP2 fields.
373  */
374  u_int off_li;
375  u_int off_li_hsl;
376 
377  /*
378  * These are offsets for the MTP3 fields.
379  */
380  u_int off_sio;
381  u_int off_opc;
382  u_int off_dpc;
383  u_int off_sls;
384 
385  /*
386  * This is the offset of the first byte after the ATM pseudo_header,
387  * or -1 if there is no ATM pseudo-header.
388  */
389  u_int off_payload;
390 
391  /*
392  * These are offsets to the beginning of the network-layer header.
393  * They are relative to the beginning of the link-layer payload
394  * (i.e., they don't include off_linkhdr.constant_part or
395  * off_linkpl.constant_part).
396  *
397  * If the link layer never uses 802.2 LLC:
398  *
399  * "off_nl" and "off_nl_nosnap" are the same.
400  *
401  * If the link layer always uses 802.2 LLC:
402  *
403  * "off_nl" is the offset if there's a SNAP header following
404  * the 802.2 header;
405  *
406  * "off_nl_nosnap" is the offset if there's no SNAP header.
407  *
408  * If the link layer is Ethernet:
409  *
410  * "off_nl" is the offset if the packet is an Ethernet II packet
411  * (we assume no 802.3+802.2+SNAP);
412  *
413  * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
414  * with an 802.2 header following it.
415  */
416  u_int off_nl;
418 
419  /*
420  * Here we handle simple allocation of the scratch registers.
421  * If too many registers are alloc'd, the allocator punts.
422  */
424  int curreg;
425 
426  /*
427  * Memory chunks.
428  */
429  struct chunk chunks[NCHUNKS];
431 };
432 
433 /*
434  * For use by routines outside this file.
435  */
436 /* VARARGS */
437 void
438 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
439 {
440  va_list ap;
441 
442  /*
443  * If we've already set an error, don't override it.
444  * The lexical analyzer reports some errors by setting
445  * the error and then returning a LEX_ERROR token, which
446  * is not recognized by any grammar rule, and thus forces
447  * the parse to stop. We don't want the error reported
448  * by the lexical analyzer to be overwritten by the syntax
449  * error.
450  */
451  if (!cstate->error_set) {
452  va_start(ap, fmt);
453  (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
454  fmt, ap);
455  va_end(ap);
456  cstate->error_set = 1;
457  }
458 }
459 
460 /*
461  * For use *ONLY* in routines in this file.
462  */
463 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
464  PCAP_PRINTFLIKE(2, 3);
465 
466 /* VARARGS */
467 static void PCAP_NORETURN
468 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
469 {
470  va_list ap;
471 
472  va_start(ap, fmt);
473  (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
474  fmt, ap);
475  va_end(ap);
476  longjmp(cstate->top_ctx, 1);
477  /*NOTREACHED*/
478 }
479 
480 static int init_linktype(compiler_state_t *, pcap_t *);
481 
482 static void init_regs(compiler_state_t *);
483 static int alloc_reg(compiler_state_t *);
484 static void free_reg(compiler_state_t *, int);
485 
486 static void initchunks(compiler_state_t *cstate);
487 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
488 static void *newchunk(compiler_state_t *cstate, size_t);
489 static void freechunks(compiler_state_t *cstate);
490 static inline struct block *new_block(compiler_state_t *cstate, int);
491 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
492 static struct block *gen_retblk(compiler_state_t *cstate, int);
493 static inline void syntax(compiler_state_t *cstate);
494 
495 static void backpatch(struct block *, struct block *);
496 static void merge(struct block *, struct block *);
497 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
498  u_int, bpf_u_int32);
499 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
500  u_int, bpf_u_int32);
501 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
502  u_int, bpf_u_int32);
503 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
504  u_int, bpf_u_int32);
505 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
506  u_int, bpf_u_int32);
507 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
508  u_int, bpf_u_int32, bpf_u_int32);
509 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
510  u_int, const u_char *);
511 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int,
512  u_int, bpf_u_int32, int, int, bpf_u_int32);
514  u_int, u_int);
515 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
516  u_int);
517 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
518 static struct block *gen_uncond(compiler_state_t *, int);
519 static inline struct block *gen_true(compiler_state_t *);
520 static inline struct block *gen_false(compiler_state_t *);
528 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
530  bpf_abs_offset *);
536  int, bpf_u_int32, u_int, u_int);
537 #ifdef INET6
538 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
539  struct in6_addr *, int, bpf_u_int32, u_int, u_int);
540 #endif
541 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
542 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
543 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
544 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
545 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
546 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
547 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
550  int, int, int);
551 #ifdef INET6
552 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
553  struct in6_addr *, int, int, int);
554 #endif
555 #ifndef INET6
556 static struct block *gen_gateway(compiler_state_t *, const u_char *,
557  struct addrinfo *, int, int);
558 #endif
559 static struct block *gen_ipfrag(compiler_state_t *);
560 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32);
561 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32,
562  bpf_u_int32);
563 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32);
564 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32,
565  bpf_u_int32);
566 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int);
567 static struct block *gen_port(compiler_state_t *, u_int, int, int);
568 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int,
569  bpf_u_int32, int);
570 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int);
571 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int);
572 static struct block *gen_port6(compiler_state_t *, u_int, int, int);
573 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int,
574  bpf_u_int32, int);
575 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int);
576 static int lookup_proto(compiler_state_t *, const char *, int);
577 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int);
578 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int, int);
579 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
580 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
581 static struct block *gen_mac_multicast(compiler_state_t *, int);
582 static struct block *gen_len(compiler_state_t *, int, int);
584 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
585 
586 static struct block *gen_ppi_dlt_check(compiler_state_t *);
588  bpf_u_int32, int, int);
589 static struct block *gen_atmtype_llc(compiler_state_t *);
590 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
591 
592 static void
594 {
595  int i;
596 
597  for (i = 0; i < NCHUNKS; i++) {
598  cstate->chunks[i].n_left = 0;
599  cstate->chunks[i].m = NULL;
600  }
601  cstate->cur_chunk = 0;
602 }
603 
604 static void *
606 {
607  struct chunk *cp;
608  int k;
609  size_t size;
610 
611 #ifndef __NetBSD__
612  /* XXX Round up to nearest long. */
613  n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
614 #else
615  /* XXX Round up to structure boundary. */
616  n = ALIGN(n);
617 #endif
618 
619  cp = &cstate->chunks[cstate->cur_chunk];
620  if (n > cp->n_left) {
621  ++cp;
622  k = ++cstate->cur_chunk;
623  if (k >= NCHUNKS) {
624  bpf_set_error(cstate, "out of memory");
625  return (NULL);
626  }
627  size = CHUNK0SIZE << k;
628  cp->m = (void *)malloc(size);
629  if (cp->m == NULL) {
630  bpf_set_error(cstate, "out of memory");
631  return (NULL);
632  }
633  memset((char *)cp->m, 0, size);
634  cp->n_left = size;
635  if (n > size) {
636  bpf_set_error(cstate, "out of memory");
637  return (NULL);
638  }
639  }
640  cp->n_left -= n;
641  return (void *)((char *)cp->m + cp->n_left);
642 }
643 
644 static void *
645 newchunk(compiler_state_t *cstate, size_t n)
646 {
647  void *p;
648 
649  p = newchunk_nolongjmp(cstate, n);
650  if (p == NULL) {
651  longjmp(cstate->top_ctx, 1);
652  /*NOTREACHED*/
653  }
654  return (p);
655 }
656 
657 static void
659 {
660  int i;
661 
662  for (i = 0; i < NCHUNKS; ++i)
663  if (cstate->chunks[i].m != NULL)
664  free(cstate->chunks[i].m);
665 }
666 
667 /*
668  * A strdup whose allocations are freed after code generation is over.
669  * This is used by the lexical analyzer, so it can't longjmp; it just
670  * returns NULL on an allocation error, and the callers must check
671  * for it.
672  */
673 char *
674 sdup(compiler_state_t *cstate, const char *s)
675 {
676  size_t n = strlen(s) + 1;
677  char *cp = newchunk_nolongjmp(cstate, n);
678 
679  if (cp == NULL)
680  return (NULL);
681  pcap_strlcpy(cp, s, n);
682  return (cp);
683 }
684 
685 static inline struct block *
686 new_block(compiler_state_t *cstate, int code)
687 {
688  struct block *p;
689 
690  p = (struct block *)newchunk(cstate, sizeof(*p));
691  p->s.code = code;
692  p->head = p;
693 
694  return p;
695 }
696 
697 static inline struct slist *
698 new_stmt(compiler_state_t *cstate, int code)
699 {
700  struct slist *p;
701 
702  p = (struct slist *)newchunk(cstate, sizeof(*p));
703  p->s.code = code;
704 
705  return p;
706 }
707 
708 static struct block *
710 {
711  struct block *b = new_block(cstate, BPF_RET|BPF_K);
712 
713  b->s.k = v;
714  return b;
715 }
716 
717 static inline PCAP_NORETURN_DEF void
719 {
720  bpf_error(cstate, "syntax error in filter expression");
721 }
722 
723 int
724 pcap_compile(pcap_t *p, struct bpf_program *program,
725  const char *buf, int optimize, bpf_u_int32 mask)
726 {
727 #ifdef _WIN32
728  static int done = 0;
729 #endif
730  compiler_state_t cstate;
731  const char * volatile xbuf = buf;
732  yyscan_t scanner = NULL;
733  volatile YY_BUFFER_STATE in_buffer = NULL;
734  u_int len;
735  int rc;
736 
737  /*
738  * If this pcap_t hasn't been activated, it doesn't have a
739  * link-layer type, so we can't use it.
740  */
741  if (!p->activated) {
743  "not-yet-activated pcap_t passed to pcap_compile");
744  return (-1);
745  }
746 
747 #ifdef _WIN32
748  if (!done)
749  pcap_wsockinit();
750  done = 1;
751 #endif
752 
753 #ifdef ENABLE_REMOTE
754  /*
755  * If the device on which we're capturing need to be notified
756  * that a new filter is being compiled, do so.
757  *
758  * This allows them to save a copy of it, in case, for example,
759  * they're implementing a form of remote packet capture, and
760  * want the remote machine to filter out the packets in which
761  * it's sending the packets it's captured.
762  *
763  * XXX - the fact that we happen to be compiling a filter
764  * doesn't necessarily mean we'll be installing it as the
765  * filter for this pcap_t; we might be running it from userland
766  * on captured packets to do packet classification. We really
767  * need a better way of handling this, but this is all that
768  * the WinPcap remote capture code did.
769  */
770  if (p->save_current_filter_op != NULL)
771  (p->save_current_filter_op)(p, buf);
772 #endif
773 
774  initchunks(&cstate);
775  cstate.no_optimize = 0;
776 #ifdef INET6
777  cstate.ai = NULL;
778 #endif
779  cstate.e = NULL;
780  cstate.ic.root = NULL;
781  cstate.ic.cur_mark = 0;
782  cstate.bpf_pcap = p;
783  cstate.error_set = 0;
784  init_regs(&cstate);
785 
786  cstate.netmask = mask;
787 
788  cstate.snaplen = pcap_snapshot(p);
789  if (cstate.snaplen == 0) {
791  "snaplen of 0 rejects all packets");
792  rc = -1;
793  goto quit;
794  }
795 
796  if (pcap_lex_init(&scanner) != 0)
798  errno, "can't initialize scanner");
799  in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
800 
801  /*
802  * Associate the compiler state with the lexical analyzer
803  * state.
804  */
805  pcap_set_extra(&cstate, scanner);
806 
807  if (init_linktype(&cstate, p) == -1) {
808  rc = -1;
809  goto quit;
810  }
811  if (pcap_parse(scanner, &cstate) != 0) {
812 #ifdef INET6
813  if (cstate.ai != NULL)
814  freeaddrinfo(cstate.ai);
815 #endif
816  if (cstate.e != NULL)
817  free(cstate.e);
818  rc = -1;
819  goto quit;
820  }
821 
822  if (cstate.ic.root == NULL) {
823  /*
824  * Catch errors reported by gen_retblk().
825  */
826  if (setjmp(cstate.top_ctx)) {
827  rc = -1;
828  goto quit;
829  }
830  cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
831  }
832 
833  if (optimize && !cstate.no_optimize) {
834  if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
835  /* Failure */
836  rc = -1;
837  goto quit;
838  }
839  if (cstate.ic.root == NULL ||
840  (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
841  (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
842  "expression rejects all packets");
843  rc = -1;
844  goto quit;
845  }
846  }
847  program->bf_insns = icode_to_fcode(&cstate.ic,
848  cstate.ic.root, &len, p->errbuf);
849  if (program->bf_insns == NULL) {
850  /* Failure */
851  rc = -1;
852  goto quit;
853  }
854  program->bf_len = len;
855 
856  rc = 0; /* We're all okay */
857 
858 quit:
859  /*
860  * Clean up everything for the lexical analyzer.
861  */
862  if (in_buffer != NULL)
863  pcap__delete_buffer(in_buffer, scanner);
864  if (scanner != NULL)
865  pcap_lex_destroy(scanner);
866 
867  /*
868  * Clean up our own allocated memory.
869  */
870  freechunks(&cstate);
871 
872  return (rc);
873 }
874 
875 /*
876  * entry point for using the compiler with no pcap open
877  * pass in all the stuff that is needed explicitly instead.
878  */
879 int
880 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
881  struct bpf_program *program,
882  const char *buf, int optimize, bpf_u_int32 mask)
883 {
884  pcap_t *p;
885  int ret;
886 
887  p = pcap_open_dead(linktype_arg, snaplen_arg);
888  if (p == NULL)
889  return (-1);
890  ret = pcap_compile(p, program, buf, optimize, mask);
891  pcap_close(p);
892  return (ret);
893 }
894 
895 /*
896  * Clean up a "struct bpf_program" by freeing all the memory allocated
897  * in it.
898  */
899 void
900 pcap_freecode(struct bpf_program *program)
901 {
902  program->bf_len = 0;
903  if (program->bf_insns != NULL) {
904  free((char *)program->bf_insns);
905  program->bf_insns = NULL;
906  }
907 }
908 
909 /*
910  * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
911  * which of the jt and jf fields has been resolved and which is a pointer
912  * back to another unresolved block (or nil). At least one of the fields
913  * in each block is already resolved.
914  */
915 static void
916 backpatch(struct block *list, struct block *target)
917 {
918  struct block *next;
919 
920  while (list) {
921  if (!list->sense) {
922  next = JT(list);
923  JT(list) = target;
924  } else {
925  next = JF(list);
926  JF(list) = target;
927  }
928  list = next;
929  }
930 }
931 
932 /*
933  * Merge the lists in b0 and b1, using the 'sense' field to indicate
934  * which of jt and jf is the link.
935  */
936 static void
937 merge(struct block *b0, struct block *b1)
938 {
939  register struct block **p = &b0;
940 
941  /* Find end of list. */
942  while (*p)
943  p = !((*p)->sense) ? &JT(*p) : &JF(*p);
944 
945  /* Concatenate the lists. */
946  *p = b1;
947 }
948 
949 int
951 {
952  struct block *ppi_dlt_check;
953 
954  /*
955  * Catch errors reported by us and routines below us, and return -1
956  * on an error.
957  */
958  if (setjmp(cstate->top_ctx))
959  return (-1);
960 
961  /*
962  * Insert before the statements of the first (root) block any
963  * statements needed to load the lengths of any variable-length
964  * headers into registers.
965  *
966  * XXX - a fancier strategy would be to insert those before the
967  * statements of all blocks that use those lengths and that
968  * have no predecessors that use them, so that we only compute
969  * the lengths if we need them. There might be even better
970  * approaches than that.
971  *
972  * However, those strategies would be more complicated, and
973  * as we don't generate code to compute a length if the
974  * program has no tests that use the length, and as most
975  * tests will probably use those lengths, we would just
976  * postpone computing the lengths so that it's not done
977  * for tests that fail early, and it's not clear that's
978  * worth the effort.
979  */
980  insert_compute_vloffsets(cstate, p->head);
981 
982  /*
983  * For DLT_PPI captures, generate a check of the per-packet
984  * DLT value to make sure it's DLT_IEEE802_11.
985  *
986  * XXX - TurboCap cards use DLT_PPI for Ethernet.
987  * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
988  * with appropriate Ethernet information and use that rather
989  * than using something such as DLT_PPI where you don't know
990  * the link-layer header type until runtime, which, in the
991  * general case, would force us to generate both Ethernet *and*
992  * 802.11 code (*and* anything else for which PPI is used)
993  * and choose between them early in the BPF program?
994  */
995  ppi_dlt_check = gen_ppi_dlt_check(cstate);
996  if (ppi_dlt_check != NULL)
997  gen_and(ppi_dlt_check, p);
998 
999  backpatch(p, gen_retblk(cstate, cstate->snaplen));
1000  p->sense = !p->sense;
1001  backpatch(p, gen_retblk(cstate, 0));
1002  cstate->ic.root = p->head;
1003  return (0);
1004 }
1005 
1006 void
1007 gen_and(struct block *b0, struct block *b1)
1008 {
1009  backpatch(b0, b1->head);
1010  b0->sense = !b0->sense;
1011  b1->sense = !b1->sense;
1012  merge(b1, b0);
1013  b1->sense = !b1->sense;
1014  b1->head = b0->head;
1015 }
1016 
1017 void
1018 gen_or(struct block *b0, struct block *b1)
1019 {
1020  b0->sense = !b0->sense;
1021  backpatch(b0, b1->head);
1022  b0->sense = !b0->sense;
1023  merge(b1, b0);
1024  b1->head = b0->head;
1025 }
1026 
1027 void
1028 gen_not(struct block *b)
1029 {
1030  b->sense = !b->sense;
1031 }
1032 
1033 static struct block *
1034 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1035  u_int size, bpf_u_int32 v)
1036 {
1037  return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1038 }
1039 
1040 static struct block *
1041 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1042  u_int size, bpf_u_int32 v)
1043 {
1044  return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1045 }
1046 
1047 static struct block *
1048 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1049  u_int size, bpf_u_int32 v)
1050 {
1051  return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1052 }
1053 
1054 static struct block *
1055 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1056  u_int size, bpf_u_int32 v)
1057 {
1058  return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1059 }
1060 
1061 static struct block *
1062 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1063  u_int size, bpf_u_int32 v)
1064 {
1065  return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1066 }
1067 
1068 static struct block *
1069 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1070  u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1071 {
1072  return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1073 }
1074 
1075 static struct block *
1076 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1077  u_int size, const u_char *v)
1078 {
1079  register struct block *b, *tmp;
1080 
1081  b = NULL;
1082  while (size >= 4) {
1083  register const u_char *p = &v[size - 4];
1084 
1085  tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1086  EXTRACT_BE_U_4(p));
1087  if (b != NULL)
1088  gen_and(b, tmp);
1089  b = tmp;
1090  size -= 4;
1091  }
1092  while (size >= 2) {
1093  register const u_char *p = &v[size - 2];
1094 
1095  tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1096  EXTRACT_BE_U_2(p));
1097  if (b != NULL)
1098  gen_and(b, tmp);
1099  b = tmp;
1100  size -= 2;
1101  }
1102  if (size > 0) {
1103  tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]);
1104  if (b != NULL)
1105  gen_and(b, tmp);
1106  b = tmp;
1107  }
1108  return b;
1109 }
1110 
1111 /*
1112  * AND the field of size "size" at offset "offset" relative to the header
1113  * specified by "offrel" with "mask", and compare it with the value "v"
1114  * with the test specified by "jtype"; if "reverse" is true, the test
1115  * should test the opposite of "jtype".
1116  */
1117 static struct block *
1118 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1119  u_int size, bpf_u_int32 mask, int jtype, int reverse,
1120  bpf_u_int32 v)
1121 {
1122  struct slist *s, *s2;
1123  struct block *b;
1124 
1125  s = gen_load_a(cstate, offrel, offset, size);
1126 
1127  if (mask != 0xffffffff) {
1128  s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1129  s2->s.k = mask;
1130  sappend(s, s2);
1131  }
1132 
1133  b = new_block(cstate, JMP(jtype));
1134  b->stmts = s;
1135  b->s.k = v;
1136  if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1137  gen_not(b);
1138  return b;
1139 }
1140 
1141 static int
1143 {
1144  cstate->pcap_fddipad = p->fddipad;
1145 
1146  /*
1147  * We start out with only one link-layer header.
1148  */
1149  cstate->outermostlinktype = pcap_datalink(p);
1150  cstate->off_outermostlinkhdr.constant_part = 0;
1151  cstate->off_outermostlinkhdr.is_variable = 0;
1152  cstate->off_outermostlinkhdr.reg = -1;
1153 
1154  cstate->prevlinktype = cstate->outermostlinktype;
1155  cstate->off_prevlinkhdr.constant_part = 0;
1156  cstate->off_prevlinkhdr.is_variable = 0;
1157  cstate->off_prevlinkhdr.reg = -1;
1158 
1159  cstate->linktype = cstate->outermostlinktype;
1160  cstate->off_linkhdr.constant_part = 0;
1161  cstate->off_linkhdr.is_variable = 0;
1162  cstate->off_linkhdr.reg = -1;
1163 
1164  /*
1165  * XXX
1166  */
1167  cstate->off_linkpl.constant_part = 0;
1168  cstate->off_linkpl.is_variable = 0;
1169  cstate->off_linkpl.reg = -1;
1170 
1171  cstate->off_linktype.constant_part = 0;
1172  cstate->off_linktype.is_variable = 0;
1173  cstate->off_linktype.reg = -1;
1174 
1175  /*
1176  * Assume it's not raw ATM with a pseudo-header, for now.
1177  */
1178  cstate->is_atm = 0;
1179  cstate->off_vpi = OFFSET_NOT_SET;
1180  cstate->off_vci = OFFSET_NOT_SET;
1181  cstate->off_proto = OFFSET_NOT_SET;
1182  cstate->off_payload = OFFSET_NOT_SET;
1183 
1184  /*
1185  * And not Geneve.
1186  */
1187  cstate->is_geneve = 0;
1188 
1189  /*
1190  * No variable length VLAN offset by default
1191  */
1192  cstate->is_vlan_vloffset = 0;
1193 
1194  /*
1195  * And assume we're not doing SS7.
1196  */
1197  cstate->off_li = OFFSET_NOT_SET;
1198  cstate->off_li_hsl = OFFSET_NOT_SET;
1199  cstate->off_sio = OFFSET_NOT_SET;
1200  cstate->off_opc = OFFSET_NOT_SET;
1201  cstate->off_dpc = OFFSET_NOT_SET;
1202  cstate->off_sls = OFFSET_NOT_SET;
1203 
1204  cstate->label_stack_depth = 0;
1205  cstate->vlan_stack_depth = 0;
1206 
1207  switch (cstate->linktype) {
1208 
1209  case DLT_ARCNET:
1210  cstate->off_linktype.constant_part = 2;
1211  cstate->off_linkpl.constant_part = 6;
1212  cstate->off_nl = 0; /* XXX in reality, variable! */
1213  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1214  break;
1215 
1216  case DLT_ARCNET_LINUX:
1217  cstate->off_linktype.constant_part = 4;
1218  cstate->off_linkpl.constant_part = 8;
1219  cstate->off_nl = 0; /* XXX in reality, variable! */
1220  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1221  break;
1222 
1223  case DLT_EN10MB:
1224  cstate->off_linktype.constant_part = 12;
1225  cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1226  cstate->off_nl = 0; /* Ethernet II */
1227  cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1228  break;
1229 
1230  case DLT_SLIP:
1231  /*
1232  * SLIP doesn't have a link level type. The 16 byte
1233  * header is hacked into our SLIP driver.
1234  */
1236  cstate->off_linkpl.constant_part = 16;
1237  cstate->off_nl = 0;
1238  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1239  break;
1240 
1241  case DLT_SLIP_BSDOS:
1242  /* XXX this may be the same as the DLT_PPP_BSDOS case */
1244  /* XXX end */
1245  cstate->off_linkpl.constant_part = 24;
1246  cstate->off_nl = 0;
1247  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1248  break;
1249 
1250  case DLT_NULL:
1251  case DLT_LOOP:
1252  cstate->off_linktype.constant_part = 0;
1253  cstate->off_linkpl.constant_part = 4;
1254  cstate->off_nl = 0;
1255  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1256  break;
1257 
1258  case DLT_ENC:
1259  cstate->off_linktype.constant_part = 0;
1260  cstate->off_linkpl.constant_part = 12;
1261  cstate->off_nl = 0;
1262  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1263  break;
1264 
1265  case DLT_PPP:
1266  case DLT_PPP_PPPD:
1267  case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1268  case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1269  cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1270  cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1271  cstate->off_nl = 0;
1272  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1273  break;
1274 
1275  case DLT_PPP_ETHER:
1276  /*
1277  * This does no include the Ethernet header, and
1278  * only covers session state.
1279  */
1280  cstate->off_linktype.constant_part = 6;
1281  cstate->off_linkpl.constant_part = 8;
1282  cstate->off_nl = 0;
1283  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1284  break;
1285 
1286  case DLT_PPP_BSDOS:
1287  cstate->off_linktype.constant_part = 5;
1288  cstate->off_linkpl.constant_part = 24;
1289  cstate->off_nl = 0;
1290  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1291  break;
1292 
1293  case DLT_FDDI:
1294  /*
1295  * FDDI doesn't really have a link-level type field.
1296  * We set "off_linktype" to the offset of the LLC header.
1297  *
1298  * To check for Ethernet types, we assume that SSAP = SNAP
1299  * is being used and pick out the encapsulated Ethernet type.
1300  * XXX - should we generate code to check for SNAP?
1301  */
1302  cstate->off_linktype.constant_part = 13;
1303  cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1304  cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1305  cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1306  cstate->off_nl = 8; /* 802.2+SNAP */
1307  cstate->off_nl_nosnap = 3; /* 802.2 */
1308  break;
1309 
1310  case DLT_IEEE802:
1311  /*
1312  * Token Ring doesn't really have a link-level type field.
1313  * We set "off_linktype" to the offset of the LLC header.
1314  *
1315  * To check for Ethernet types, we assume that SSAP = SNAP
1316  * is being used and pick out the encapsulated Ethernet type.
1317  * XXX - should we generate code to check for SNAP?
1318  *
1319  * XXX - the header is actually variable-length.
1320  * Some various Linux patched versions gave 38
1321  * as "off_linktype" and 40 as "off_nl"; however,
1322  * if a token ring packet has *no* routing
1323  * information, i.e. is not source-routed, the correct
1324  * values are 20 and 22, as they are in the vanilla code.
1325  *
1326  * A packet is source-routed iff the uppermost bit
1327  * of the first byte of the source address, at an
1328  * offset of 8, has the uppermost bit set. If the
1329  * packet is source-routed, the total number of bytes
1330  * of routing information is 2 plus bits 0x1F00 of
1331  * the 16-bit value at an offset of 14 (shifted right
1332  * 8 - figure out which byte that is).
1333  */
1334  cstate->off_linktype.constant_part = 14;
1335  cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1336  cstate->off_nl = 8; /* 802.2+SNAP */
1337  cstate->off_nl_nosnap = 3; /* 802.2 */
1338  break;
1339 
1340  case DLT_PRISM_HEADER:
1342  case DLT_IEEE802_11_RADIO:
1343  cstate->off_linkhdr.is_variable = 1;
1344  /* Fall through, 802.11 doesn't have a variable link
1345  * prefix but is otherwise the same. */
1346  /* FALLTHROUGH */
1347 
1348  case DLT_IEEE802_11:
1349  /*
1350  * 802.11 doesn't really have a link-level type field.
1351  * We set "off_linktype.constant_part" to the offset of
1352  * the LLC header.
1353  *
1354  * To check for Ethernet types, we assume that SSAP = SNAP
1355  * is being used and pick out the encapsulated Ethernet type.
1356  * XXX - should we generate code to check for SNAP?
1357  *
1358  * We also handle variable-length radio headers here.
1359  * The Prism header is in theory variable-length, but in
1360  * practice it's always 144 bytes long. However, some
1361  * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1362  * sometimes or always supply an AVS header, so we
1363  * have to check whether the radio header is a Prism
1364  * header or an AVS header, so, in practice, it's
1365  * variable-length.
1366  */
1367  cstate->off_linktype.constant_part = 24;
1368  cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1369  cstate->off_linkpl.is_variable = 1;
1370  cstate->off_nl = 8; /* 802.2+SNAP */
1371  cstate->off_nl_nosnap = 3; /* 802.2 */
1372  break;
1373 
1374  case DLT_PPI:
1375  /*
1376  * At the moment we treat PPI the same way that we treat
1377  * normal Radiotap encoded packets. The difference is in
1378  * the function that generates the code at the beginning
1379  * to compute the header length. Since this code generator
1380  * of PPI supports bare 802.11 encapsulation only (i.e.
1381  * the encapsulated DLT should be DLT_IEEE802_11) we
1382  * generate code to check for this too.
1383  */
1384  cstate->off_linktype.constant_part = 24;
1385  cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1386  cstate->off_linkpl.is_variable = 1;
1387  cstate->off_linkhdr.is_variable = 1;
1388  cstate->off_nl = 8; /* 802.2+SNAP */
1389  cstate->off_nl_nosnap = 3; /* 802.2 */
1390  break;
1391 
1392  case DLT_ATM_RFC1483:
1393  case DLT_ATM_CLIP: /* Linux ATM defines this */
1394  /*
1395  * assume routed, non-ISO PDUs
1396  * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1397  *
1398  * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1399  * or PPP with the PPP NLPID (e.g., PPPoA)? The
1400  * latter would presumably be treated the way PPPoE
1401  * should be, so you can do "pppoe and udp port 2049"
1402  * or "pppoa and tcp port 80" and have it check for
1403  * PPPo{A,E} and a PPP protocol of IP and....
1404  */
1405  cstate->off_linktype.constant_part = 0;
1406  cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1407  cstate->off_nl = 8; /* 802.2+SNAP */
1408  cstate->off_nl_nosnap = 3; /* 802.2 */
1409  break;
1410 
1411  case DLT_SUNATM:
1412  /*
1413  * Full Frontal ATM; you get AALn PDUs with an ATM
1414  * pseudo-header.
1415  */
1416  cstate->is_atm = 1;
1417  cstate->off_vpi = SUNATM_VPI_POS;
1418  cstate->off_vci = SUNATM_VCI_POS;
1419  cstate->off_proto = PROTO_POS;
1421  cstate->off_linktype.constant_part = cstate->off_payload;
1422  cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1423  cstate->off_nl = 8; /* 802.2+SNAP */
1424  cstate->off_nl_nosnap = 3; /* 802.2 */
1425  break;
1426 
1427  case DLT_RAW:
1428  case DLT_IPV4:
1429  case DLT_IPV6:
1431  cstate->off_linkpl.constant_part = 0;
1432  cstate->off_nl = 0;
1433  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1434  break;
1435 
1436  case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1437  cstate->off_linktype.constant_part = 14;
1438  cstate->off_linkpl.constant_part = 16;
1439  cstate->off_nl = 0;
1440  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1441  break;
1442 
1443  case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1444  cstate->off_linktype.constant_part = 0;
1445  cstate->off_linkpl.constant_part = 20;
1446  cstate->off_nl = 0;
1447  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1448  break;
1449 
1450  case DLT_LTALK:
1451  /*
1452  * LocalTalk does have a 1-byte type field in the LLAP header,
1453  * but really it just indicates whether there is a "short" or
1454  * "long" DDP packet following.
1455  */
1457  cstate->off_linkpl.constant_part = 0;
1458  cstate->off_nl = 0;
1459  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1460  break;
1461 
1462  case DLT_IP_OVER_FC:
1463  /*
1464  * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1465  * link-level type field. We set "off_linktype" to the
1466  * offset of the LLC header.
1467  *
1468  * To check for Ethernet types, we assume that SSAP = SNAP
1469  * is being used and pick out the encapsulated Ethernet type.
1470  * XXX - should we generate code to check for SNAP? RFC
1471  * 2625 says SNAP should be used.
1472  */
1473  cstate->off_linktype.constant_part = 16;
1474  cstate->off_linkpl.constant_part = 16;
1475  cstate->off_nl = 8; /* 802.2+SNAP */
1476  cstate->off_nl_nosnap = 3; /* 802.2 */
1477  break;
1478 
1479  case DLT_FRELAY:
1480  /*
1481  * XXX - we should set this to handle SNAP-encapsulated
1482  * frames (NLPID of 0x80).
1483  */
1485  cstate->off_linkpl.constant_part = 0;
1486  cstate->off_nl = 0;
1487  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1488  break;
1489 
1490  /*
1491  * the only BPF-interesting FRF.16 frames are non-control frames;
1492  * Frame Relay has a variable length link-layer
1493  * so lets start with offset 4 for now and increments later on (FIXME);
1494  */
1495  case DLT_MFR:
1497  cstate->off_linkpl.constant_part = 0;
1498  cstate->off_nl = 4;
1499  cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1500  break;
1501 
1503  cstate->off_linktype.constant_part = 16;
1504  cstate->off_linkpl.constant_part = 18;
1505  cstate->off_nl = 0;
1506  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1507  break;
1508 
1509  case DLT_SYMANTEC_FIREWALL:
1510  cstate->off_linktype.constant_part = 6;
1511  cstate->off_linkpl.constant_part = 44;
1512  cstate->off_nl = 0; /* Ethernet II */
1513  cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1514  break;
1515 
1516 #ifdef HAVE_NET_PFVAR_H
1517  case DLT_PFLOG:
1518  cstate->off_linktype.constant_part = 0;
1519  cstate->off_linkpl.constant_part = PFLOG_HDRLEN;
1520  cstate->off_nl = 0;
1521  cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1522  break;
1523 #endif
1524 
1525  case DLT_JUNIPER_MFR:
1526  case DLT_JUNIPER_MLFR:
1527  case DLT_JUNIPER_MLPPP:
1528  case DLT_JUNIPER_PPP:
1529  case DLT_JUNIPER_CHDLC:
1530  case DLT_JUNIPER_FRELAY:
1531  cstate->off_linktype.constant_part = 4;
1532  cstate->off_linkpl.constant_part = 4;
1533  cstate->off_nl = 0;
1534  cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1535  break;
1536 
1537  case DLT_JUNIPER_ATM1:
1538  cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1539  cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1540  cstate->off_nl = 0;
1541  cstate->off_nl_nosnap = 10;
1542  break;
1543 
1544  case DLT_JUNIPER_ATM2:
1545  cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1546  cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1547  cstate->off_nl = 0;
1548  cstate->off_nl_nosnap = 10;
1549  break;
1550 
1551  /* frames captured on a Juniper PPPoE service PIC
1552  * contain raw ethernet frames */
1553  case DLT_JUNIPER_PPPOE:
1554  case DLT_JUNIPER_ETHER:
1555  cstate->off_linkpl.constant_part = 14;
1556  cstate->off_linktype.constant_part = 16;
1557  cstate->off_nl = 18; /* Ethernet II */
1558  cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1559  break;
1560 
1561  case DLT_JUNIPER_PPPOE_ATM:
1562  cstate->off_linktype.constant_part = 4;
1563  cstate->off_linkpl.constant_part = 6;
1564  cstate->off_nl = 0;
1565  cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1566  break;
1567 
1568  case DLT_JUNIPER_GGSN:
1569  cstate->off_linktype.constant_part = 6;
1570  cstate->off_linkpl.constant_part = 12;
1571  cstate->off_nl = 0;
1572  cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1573  break;
1574 
1575  case DLT_JUNIPER_ES:
1576  cstate->off_linktype.constant_part = 6;
1577  cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1578  cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1579  cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1580  break;
1581 
1582  case DLT_JUNIPER_MONITOR:
1583  cstate->off_linktype.constant_part = 12;
1584  cstate->off_linkpl.constant_part = 12;
1585  cstate->off_nl = 0; /* raw IP/IP6 header */
1586  cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1587  break;
1588 
1589  case DLT_BACNET_MS_TP:
1592  cstate->off_nl = OFFSET_NOT_SET;
1593  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1594  break;
1595 
1596  case DLT_JUNIPER_SERVICES:
1597  cstate->off_linktype.constant_part = 12;
1598  cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1599  cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1600  cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1601  break;
1602 
1603  case DLT_JUNIPER_VP:
1604  cstate->off_linktype.constant_part = 18;
1606  cstate->off_nl = OFFSET_NOT_SET;
1607  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1608  break;
1609 
1610  case DLT_JUNIPER_ST:
1611  cstate->off_linktype.constant_part = 18;
1613  cstate->off_nl = OFFSET_NOT_SET;
1614  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1615  break;
1616 
1617  case DLT_JUNIPER_ISM:
1618  cstate->off_linktype.constant_part = 8;
1620  cstate->off_nl = OFFSET_NOT_SET;
1621  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1622  break;
1623 
1624  case DLT_JUNIPER_VS:
1625  case DLT_JUNIPER_SRX_E2E:
1627  case DLT_JUNIPER_ATM_CEMIC:
1628  cstate->off_linktype.constant_part = 8;
1630  cstate->off_nl = OFFSET_NOT_SET;
1631  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1632  break;
1633 
1634  case DLT_MTP2:
1635  cstate->off_li = 2;
1636  cstate->off_li_hsl = 4;
1637  cstate->off_sio = 3;
1638  cstate->off_opc = 4;
1639  cstate->off_dpc = 4;
1640  cstate->off_sls = 7;
1643  cstate->off_nl = OFFSET_NOT_SET;
1644  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1645  break;
1646 
1647  case DLT_MTP2_WITH_PHDR:
1648  cstate->off_li = 6;
1649  cstate->off_li_hsl = 8;
1650  cstate->off_sio = 7;
1651  cstate->off_opc = 8;
1652  cstate->off_dpc = 8;
1653  cstate->off_sls = 11;
1656  cstate->off_nl = OFFSET_NOT_SET;
1657  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1658  break;
1659 
1660  case DLT_ERF:
1661  cstate->off_li = 22;
1662  cstate->off_li_hsl = 24;
1663  cstate->off_sio = 23;
1664  cstate->off_opc = 24;
1665  cstate->off_dpc = 24;
1666  cstate->off_sls = 27;
1669  cstate->off_nl = OFFSET_NOT_SET;
1670  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1671  break;
1672 
1673  case DLT_PFSYNC:
1675  cstate->off_linkpl.constant_part = 4;
1676  cstate->off_nl = 0;
1677  cstate->off_nl_nosnap = 0;
1678  break;
1679 
1680  case DLT_AX25_KISS:
1681  /*
1682  * Currently, only raw "link[N:M]" filtering is supported.
1683  */
1684  cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1686  cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1687  cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1688  break;
1689 
1690  case DLT_IPNET:
1691  cstate->off_linktype.constant_part = 1;
1692  cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1693  cstate->off_nl = 0;
1694  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1695  break;
1696 
1697  case DLT_NETANALYZER:
1698  cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1699  cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1700  cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1701  cstate->off_nl = 0; /* Ethernet II */
1702  cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1703  break;
1704 
1706  cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1707  cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1708  cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1709  cstate->off_nl = 0; /* Ethernet II */
1710  cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1711  break;
1712 
1713  default:
1714  /*
1715  * For values in the range in which we've assigned new
1716  * DLT_ values, only raw "link[N:M]" filtering is supported.
1717  */
1718  if (cstate->linktype >= DLT_MATCHING_MIN &&
1719  cstate->linktype <= DLT_MATCHING_MAX) {
1722  cstate->off_nl = OFFSET_NOT_SET;
1723  cstate->off_nl_nosnap = OFFSET_NOT_SET;
1724  } else {
1725  bpf_set_error(cstate, "unknown data link type %d", cstate->linktype);
1726  return (-1);
1727  }
1728  break;
1729  }
1730 
1731  cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1732  return (0);
1733 }
1734 
1735 /*
1736  * Load a value relative to the specified absolute offset.
1737  */
1738 static struct slist *
1740  u_int offset, u_int size)
1741 {
1742  struct slist *s, *s2;
1743 
1744  s = gen_abs_offset_varpart(cstate, abs_offset);
1745 
1746  /*
1747  * If "s" is non-null, it has code to arrange that the X register
1748  * contains the variable part of the absolute offset, so we
1749  * generate a load relative to that, with an offset of
1750  * abs_offset->constant_part + offset.
1751  *
1752  * Otherwise, we can do an absolute load with an offset of
1753  * abs_offset->constant_part + offset.
1754  */
1755  if (s != NULL) {
1756  /*
1757  * "s" points to a list of statements that puts the
1758  * variable part of the absolute offset into the X register.
1759  * Do an indirect load, to use the X register as an offset.
1760  */
1761  s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1762  s2->s.k = abs_offset->constant_part + offset;
1763  sappend(s, s2);
1764  } else {
1765  /*
1766  * There is no variable part of the absolute offset, so
1767  * just do an absolute load.
1768  */
1769  s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1770  s->s.k = abs_offset->constant_part + offset;
1771  }
1772  return s;
1773 }
1774 
1775 /*
1776  * Load a value relative to the beginning of the specified header.
1777  */
1778 static struct slist *
1779 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1780  u_int size)
1781 {
1782  struct slist *s, *s2;
1783 
1784  /*
1785  * Squelch warnings from compilers that *don't* assume that
1786  * offrel always has a valid enum value and therefore don't
1787  * assume that we'll always go through one of the case arms.
1788  *
1789  * If we have a default case, compilers that *do* assume that
1790  * will then complain about the default case code being
1791  * unreachable.
1792  *
1793  * Damned if you do, damned if you don't.
1794  */
1795  s = NULL;
1796 
1797  switch (offrel) {
1798 
1799  case OR_PACKET:
1800  s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1801  s->s.k = offset;
1802  break;
1803 
1804  case OR_LINKHDR:
1805  s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1806  break;
1807 
1808  case OR_PREVLINKHDR:
1809  s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1810  break;
1811 
1812  case OR_LLC:
1813  s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1814  break;
1815 
1816  case OR_PREVMPLSHDR:
1817  s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1818  break;
1819 
1820  case OR_LINKPL:
1821  s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1822  break;
1823 
1824  case OR_LINKPL_NOSNAP:
1825  s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1826  break;
1827 
1828  case OR_LINKTYPE:
1829  s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1830  break;
1831 
1832  case OR_TRAN_IPV4:
1833  /*
1834  * Load the X register with the length of the IPv4 header
1835  * (plus the offset of the link-layer header, if it's
1836  * preceded by a variable-length header such as a radio
1837  * header), in bytes.
1838  */
1839  s = gen_loadx_iphdrlen(cstate);
1840 
1841  /*
1842  * Load the item at {offset of the link-layer payload} +
1843  * {offset, relative to the start of the link-layer
1844  * paylod, of the IPv4 header} + {length of the IPv4 header} +
1845  * {specified offset}.
1846  *
1847  * If the offset of the link-layer payload is variable,
1848  * the variable part of that offset is included in the
1849  * value in the X register, and we include the constant
1850  * part in the offset of the load.
1851  */
1852  s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1853  s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1854  sappend(s, s2);
1855  break;
1856 
1857  case OR_TRAN_IPV6:
1858  s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1859  break;
1860  }
1861  return s;
1862 }
1863 
1864 /*
1865  * Generate code to load into the X register the sum of the length of
1866  * the IPv4 header and the variable part of the offset of the link-layer
1867  * payload.
1868  */
1869 static struct slist *
1871 {
1872  struct slist *s, *s2;
1873 
1874  s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1875  if (s != NULL) {
1876  /*
1877  * The offset of the link-layer payload has a variable
1878  * part. "s" points to a list of statements that put
1879  * the variable part of that offset into the X register.
1880  *
1881  * The 4*([k]&0xf) addressing mode can't be used, as we
1882  * don't have a constant offset, so we have to load the
1883  * value in question into the A register and add to it
1884  * the value from the X register.
1885  */
1886  s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1887  s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1888  sappend(s, s2);
1889  s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1890  s2->s.k = 0xf;
1891  sappend(s, s2);
1892  s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1893  s2->s.k = 2;
1894  sappend(s, s2);
1895 
1896  /*
1897  * The A register now contains the length of the IP header.
1898  * We need to add to it the variable part of the offset of
1899  * the link-layer payload, which is still in the X
1900  * register, and move the result into the X register.
1901  */
1902  sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1903  sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1904  } else {
1905  /*
1906  * The offset of the link-layer payload is a constant,
1907  * so no code was generated to load the (non-existent)
1908  * variable part of that offset.
1909  *
1910  * This means we can use the 4*([k]&0xf) addressing
1911  * mode. Load the length of the IPv4 header, which
1912  * is at an offset of cstate->off_nl from the beginning of
1913  * the link-layer payload, and thus at an offset of
1914  * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1915  * of the raw packet data, using that addressing mode.
1916  */
1917  s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1918  s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1919  }
1920  return s;
1921 }
1922 
1923 
1924 static struct block *
1925 gen_uncond(compiler_state_t *cstate, int rsense)
1926 {
1927  struct block *b;
1928  struct slist *s;
1929 
1930  s = new_stmt(cstate, BPF_LD|BPF_IMM);
1931  s->s.k = !rsense;
1932  b = new_block(cstate, JMP(BPF_JEQ));
1933  b->stmts = s;
1934 
1935  return b;
1936 }
1937 
1938 static inline struct block *
1940 {
1941  return gen_uncond(cstate, 1);
1942 }
1943 
1944 static inline struct block *
1946 {
1947  return gen_uncond(cstate, 0);
1948 }
1949 
1950 /*
1951  * Byte-swap a 32-bit number.
1952  * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1953  * big-endian platforms.)
1954  */
1955 #define SWAPLONG(y) \
1956 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1957 
1958 /*
1959  * Generate code to match a particular packet type.
1960  *
1961  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1962  * value, if <= ETHERMTU. We use that to determine whether to
1963  * match the type/length field or to check the type/length field for
1964  * a value <= ETHERMTU to see whether it's a type field and then do
1965  * the appropriate test.
1966  */
1967 static struct block *
1969 {
1970  struct block *b0, *b1;
1971 
1972  switch (ll_proto) {
1973 
1974  case LLCSAP_ISONS:
1975  case LLCSAP_IP:
1976  case LLCSAP_NETBEUI:
1977  /*
1978  * OSI protocols and NetBEUI always use 802.2 encapsulation,
1979  * so we check the DSAP and SSAP.
1980  *
1981  * LLCSAP_IP checks for IP-over-802.2, rather
1982  * than IP-over-Ethernet or IP-over-SNAP.
1983  *
1984  * XXX - should we check both the DSAP and the
1985  * SSAP, like this, or should we check just the
1986  * DSAP, as we do for other types <= ETHERMTU
1987  * (i.e., other SAP values)?
1988  */
1989  b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1990  gen_not(b0);
1991  b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
1992  gen_and(b0, b1);
1993  return b1;
1994 
1995  case LLCSAP_IPX:
1996  /*
1997  * Check for;
1998  *
1999  * Ethernet_II frames, which are Ethernet
2000  * frames with a frame type of ETHERTYPE_IPX;
2001  *
2002  * Ethernet_802.3 frames, which are 802.3
2003  * frames (i.e., the type/length field is
2004  * a length field, <= ETHERMTU, rather than
2005  * a type field) with the first two bytes
2006  * after the Ethernet/802.3 header being
2007  * 0xFFFF;
2008  *
2009  * Ethernet_802.2 frames, which are 802.3
2010  * frames with an 802.2 LLC header and
2011  * with the IPX LSAP as the DSAP in the LLC
2012  * header;
2013  *
2014  * Ethernet_SNAP frames, which are 802.3
2015  * frames with an LLC header and a SNAP
2016  * header and with an OUI of 0x000000
2017  * (encapsulated Ethernet) and a protocol
2018  * ID of ETHERTYPE_IPX in the SNAP header.
2019  *
2020  * XXX - should we generate the same code both
2021  * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2022  */
2023 
2024  /*
2025  * This generates code to check both for the
2026  * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2027  */
2028  b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2029  b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
2030  gen_or(b0, b1);
2031 
2032  /*
2033  * Now we add code to check for SNAP frames with
2034  * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2035  */
2036  b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2037  gen_or(b0, b1);
2038 
2039  /*
2040  * Now we generate code to check for 802.3
2041  * frames in general.
2042  */
2043  b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2044  gen_not(b0);
2045 
2046  /*
2047  * Now add the check for 802.3 frames before the
2048  * check for Ethernet_802.2 and Ethernet_802.3,
2049  * as those checks should only be done on 802.3
2050  * frames, not on Ethernet frames.
2051  */
2052  gen_and(b0, b1);
2053 
2054  /*
2055  * Now add the check for Ethernet_II frames, and
2056  * do that before checking for the other frame
2057  * types.
2058  */
2059  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2060  gen_or(b0, b1);
2061  return b1;
2062 
2063  case ETHERTYPE_ATALK:
2064  case ETHERTYPE_AARP:
2065  /*
2066  * EtherTalk (AppleTalk protocols on Ethernet link
2067  * layer) may use 802.2 encapsulation.
2068  */
2069 
2070  /*
2071  * Check for 802.2 encapsulation (EtherTalk phase 2?);
2072  * we check for an Ethernet type field less than
2073  * 1500, which means it's an 802.3 length field.
2074  */
2075  b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2076  gen_not(b0);
2077 
2078  /*
2079  * 802.2-encapsulated ETHERTYPE_ATALK packets are
2080  * SNAP packets with an organization code of
2081  * 0x080007 (Apple, for Appletalk) and a protocol
2082  * type of ETHERTYPE_ATALK (Appletalk).
2083  *
2084  * 802.2-encapsulated ETHERTYPE_AARP packets are
2085  * SNAP packets with an organization code of
2086  * 0x000000 (encapsulated Ethernet) and a protocol
2087  * type of ETHERTYPE_AARP (Appletalk ARP).
2088  */
2089  if (ll_proto == ETHERTYPE_ATALK)
2090  b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2091  else /* ll_proto == ETHERTYPE_AARP */
2092  b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2093  gen_and(b0, b1);
2094 
2095  /*
2096  * Check for Ethernet encapsulation (Ethertalk
2097  * phase 1?); we just check for the Ethernet
2098  * protocol type.
2099  */
2100  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2101 
2102  gen_or(b0, b1);
2103  return b1;
2104 
2105  default:
2106  if (ll_proto <= ETHERMTU) {
2107  /*
2108  * This is an LLC SAP value, so the frames
2109  * that match would be 802.2 frames.
2110  * Check that the frame is an 802.2 frame
2111  * (i.e., that the length/type field is
2112  * a length field, <= ETHERMTU) and
2113  * then check the DSAP.
2114  */
2115  b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2116  gen_not(b0);
2117  b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto);
2118  gen_and(b0, b1);
2119  return b1;
2120  } else {
2121  /*
2122  * This is an Ethernet type, so compare
2123  * the length/type field with it (if
2124  * the frame is an 802.2 frame, the length
2125  * field will be <= ETHERMTU, and, as
2126  * "ll_proto" is > ETHERMTU, this test
2127  * will fail and the frame won't match,
2128  * which is what we want).
2129  */
2130  return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2131  }
2132  }
2133 }
2134 
2135 static struct block *
2137 {
2138  /*
2139  * For DLT_NULL, the link-layer header is a 32-bit word
2140  * containing an AF_ value in *host* byte order, and for
2141  * DLT_ENC, the link-layer header begins with a 32-bit
2142  * word containing an AF_ value in host byte order.
2143  *
2144  * In addition, if we're reading a saved capture file,
2145  * the host byte order in the capture may not be the
2146  * same as the host byte order on this machine.
2147  *
2148  * For DLT_LOOP, the link-layer header is a 32-bit
2149  * word containing an AF_ value in *network* byte order.
2150  */
2151  if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2152  /*
2153  * The AF_ value is in host byte order, but the BPF
2154  * interpreter will convert it to network byte order.
2155  *
2156  * If this is a save file, and it's from a machine
2157  * with the opposite byte order to ours, we byte-swap
2158  * the AF_ value.
2159  *
2160  * Then we run it through "htonl()", and generate
2161  * code to compare against the result.
2162  */
2163  if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2164  ll_proto = SWAPLONG(ll_proto);
2165  ll_proto = htonl(ll_proto);
2166  }
2167  return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto));
2168 }
2169 
2170 /*
2171  * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2172  * or IPv6 then we have an error.
2173  */
2174 static struct block *
2176 {
2177  switch (ll_proto) {
2178 
2179  case ETHERTYPE_IP:
2180  return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET);
2181  /*NOTREACHED*/
2182 
2183  case ETHERTYPE_IPV6:
2184  return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6);
2185  /*NOTREACHED*/
2186 
2187  default:
2188  break;
2189  }
2190 
2191  return gen_false(cstate);
2192 }
2193 
2194 /*
2195  * Generate code to match a particular packet type.
2196  *
2197  * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2198  * value, if <= ETHERMTU. We use that to determine whether to
2199  * match the type field or to check the type field for the special
2200  * LINUX_SLL_P_802_2 value and then do the appropriate test.
2201  */
2202 static struct block *
2204 {
2205  struct block *b0, *b1;
2206 
2207  switch (ll_proto) {
2208 
2209  case LLCSAP_ISONS:
2210  case LLCSAP_IP:
2211  case LLCSAP_NETBEUI:
2212  /*
2213  * OSI protocols and NetBEUI always use 802.2 encapsulation,
2214  * so we check the DSAP and SSAP.
2215  *
2216  * LLCSAP_IP checks for IP-over-802.2, rather
2217  * than IP-over-Ethernet or IP-over-SNAP.
2218  *
2219  * XXX - should we check both the DSAP and the
2220  * SSAP, like this, or should we check just the
2221  * DSAP, as we do for other types <= ETHERMTU
2222  * (i.e., other SAP values)?
2223  */
2224  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2225  b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2226  gen_and(b0, b1);
2227  return b1;
2228 
2229  case LLCSAP_IPX:
2230  /*
2231  * Ethernet_II frames, which are Ethernet
2232  * frames with a frame type of ETHERTYPE_IPX;
2233  *
2234  * Ethernet_802.3 frames, which have a frame
2235  * type of LINUX_SLL_P_802_3;
2236  *
2237  * Ethernet_802.2 frames, which are 802.3
2238  * frames with an 802.2 LLC header (i.e, have
2239  * a frame type of LINUX_SLL_P_802_2) and
2240  * with the IPX LSAP as the DSAP in the LLC
2241  * header;
2242  *
2243  * Ethernet_SNAP frames, which are 802.3
2244  * frames with an LLC header and a SNAP
2245  * header and with an OUI of 0x000000
2246  * (encapsulated Ethernet) and a protocol
2247  * ID of ETHERTYPE_IPX in the SNAP header.
2248  *
2249  * First, do the checks on LINUX_SLL_P_802_2
2250  * frames; generate the check for either
2251  * Ethernet_802.2 or Ethernet_SNAP frames, and
2252  * then put a check for LINUX_SLL_P_802_2 frames
2253  * before it.
2254  */
2255  b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2256  b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2257  gen_or(b0, b1);
2258  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2259  gen_and(b0, b1);
2260 
2261  /*
2262  * Now check for 802.3 frames and OR that with
2263  * the previous test.
2264  */
2265  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2266  gen_or(b0, b1);
2267 
2268  /*
2269  * Now add the check for Ethernet_II frames, and
2270  * do that before checking for the other frame
2271  * types.
2272  */
2273  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2274  gen_or(b0, b1);
2275  return b1;
2276 
2277  case ETHERTYPE_ATALK:
2278  case ETHERTYPE_AARP:
2279  /*
2280  * EtherTalk (AppleTalk protocols on Ethernet link
2281  * layer) may use 802.2 encapsulation.
2282  */
2283 
2284  /*
2285  * Check for 802.2 encapsulation (EtherTalk phase 2?);
2286  * we check for the 802.2 protocol type in the
2287  * "Ethernet type" field.
2288  */
2289  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2290 
2291  /*
2292  * 802.2-encapsulated ETHERTYPE_ATALK packets are
2293  * SNAP packets with an organization code of
2294  * 0x080007 (Apple, for Appletalk) and a protocol
2295  * type of ETHERTYPE_ATALK (Appletalk).
2296  *
2297  * 802.2-encapsulated ETHERTYPE_AARP packets are
2298  * SNAP packets with an organization code of
2299  * 0x000000 (encapsulated Ethernet) and a protocol
2300  * type of ETHERTYPE_AARP (Appletalk ARP).
2301  */
2302  if (ll_proto == ETHERTYPE_ATALK)
2303  b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2304  else /* ll_proto == ETHERTYPE_AARP */
2305  b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2306  gen_and(b0, b1);
2307 
2308  /*
2309  * Check for Ethernet encapsulation (Ethertalk
2310  * phase 1?); we just check for the Ethernet
2311  * protocol type.
2312  */
2313  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2314 
2315  gen_or(b0, b1);
2316  return b1;
2317 
2318  default:
2319  if (ll_proto <= ETHERMTU) {
2320  /*
2321  * This is an LLC SAP value, so the frames
2322  * that match would be 802.2 frames.
2323  * Check for the 802.2 protocol type
2324  * in the "Ethernet type" field, and
2325  * then check the DSAP.
2326  */
2327  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2328  b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2329  ll_proto);
2330  gen_and(b0, b1);
2331  return b1;
2332  } else {
2333  /*
2334  * This is an Ethernet type, so compare
2335  * the length/type field with it (if
2336  * the frame is an 802.2 frame, the length
2337  * field will be <= ETHERMTU, and, as
2338  * "ll_proto" is > ETHERMTU, this test
2339  * will fail and the frame won't match,
2340  * which is what we want).
2341  */
2342  return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2343  }
2344  }
2345 }
2346 
2347 static struct slist *
2349 {
2350  struct slist *s1, *s2;
2351  struct slist *sjeq_avs_cookie;
2352  struct slist *sjcommon;
2353 
2354  /*
2355  * This code is not compatible with the optimizer, as
2356  * we are generating jmp instructions within a normal
2357  * slist of instructions
2358  */
2359  cstate->no_optimize = 1;
2360 
2361  /*
2362  * Generate code to load the length of the radio header into
2363  * the register assigned to hold that length, if one has been
2364  * assigned. (If one hasn't been assigned, no code we've
2365  * generated uses that prefix, so we don't need to generate any
2366  * code to load it.)
2367  *
2368  * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2369  * or always use the AVS header rather than the Prism header.
2370  * We load a 4-byte big-endian value at the beginning of the
2371  * raw packet data, and see whether, when masked with 0xFFFFF000,
2372  * it's equal to 0x80211000. If so, that indicates that it's
2373  * an AVS header (the masked-out bits are the version number).
2374  * Otherwise, it's a Prism header.
2375  *
2376  * XXX - the Prism header is also, in theory, variable-length,
2377  * but no known software generates headers that aren't 144
2378  * bytes long.
2379  */
2380  if (cstate->off_linkhdr.reg != -1) {
2381  /*
2382  * Load the cookie.
2383  */
2384  s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2385  s1->s.k = 0;
2386 
2387  /*
2388  * AND it with 0xFFFFF000.
2389  */
2390  s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2391  s2->s.k = 0xFFFFF000;
2392  sappend(s1, s2);
2393 
2394  /*
2395  * Compare with 0x80211000.
2396  */
2397  sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2398  sjeq_avs_cookie->s.k = 0x80211000;
2399  sappend(s1, sjeq_avs_cookie);
2400 
2401  /*
2402  * If it's AVS:
2403  *
2404  * The 4 bytes at an offset of 4 from the beginning of
2405  * the AVS header are the length of the AVS header.
2406  * That field is big-endian.
2407  */
2408  s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2409  s2->s.k = 4;
2410  sappend(s1, s2);
2411  sjeq_avs_cookie->s.jt = s2;
2412 
2413  /*
2414  * Now jump to the code to allocate a register
2415  * into which to save the header length and
2416  * store the length there. (The "jump always"
2417  * instruction needs to have the k field set;
2418  * it's added to the PC, so, as we're jumping
2419  * over a single instruction, it should be 1.)
2420  */
2421  sjcommon = new_stmt(cstate, JMP(BPF_JA));
2422  sjcommon->s.k = 1;
2423  sappend(s1, sjcommon);
2424 
2425  /*
2426  * Now for the code that handles the Prism header.
2427  * Just load the length of the Prism header (144)
2428  * into the A register. Have the test for an AVS
2429  * header branch here if we don't have an AVS header.
2430  */
2431  s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2432  s2->s.k = 144;
2433  sappend(s1, s2);
2434  sjeq_avs_cookie->s.jf = s2;
2435 
2436  /*
2437  * Now allocate a register to hold that value and store
2438  * it. The code for the AVS header will jump here after
2439  * loading the length of the AVS header.
2440  */
2441  s2 = new_stmt(cstate, BPF_ST);
2442  s2->s.k = cstate->off_linkhdr.reg;
2443  sappend(s1, s2);
2444  sjcommon->s.jf = s2;
2445 
2446  /*
2447  * Now move it into the X register.
2448  */
2449  s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2450  sappend(s1, s2);
2451 
2452  return (s1);
2453  } else
2454  return (NULL);
2455 }
2456 
2457 static struct slist *
2459 {
2460  struct slist *s1, *s2;
2461 
2462  /*
2463  * Generate code to load the length of the AVS header into
2464  * the register assigned to hold that length, if one has been
2465  * assigned. (If one hasn't been assigned, no code we've
2466  * generated uses that prefix, so we don't need to generate any
2467  * code to load it.)
2468  */
2469  if (cstate->off_linkhdr.reg != -1) {
2470  /*
2471  * The 4 bytes at an offset of 4 from the beginning of
2472  * the AVS header are the length of the AVS header.
2473  * That field is big-endian.
2474  */
2475  s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2476  s1->s.k = 4;
2477 
2478  /*
2479  * Now allocate a register to hold that value and store
2480  * it.
2481  */
2482  s2 = new_stmt(cstate, BPF_ST);
2483  s2->s.k = cstate->off_linkhdr.reg;
2484  sappend(s1, s2);
2485 
2486  /*
2487  * Now move it into the X register.
2488  */
2489  s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2490  sappend(s1, s2);
2491 
2492  return (s1);
2493  } else
2494  return (NULL);
2495 }
2496 
2497 static struct slist *
2499 {
2500  struct slist *s1, *s2;
2501 
2502  /*
2503  * Generate code to load the length of the radiotap header into
2504  * the register assigned to hold that length, if one has been
2505  * assigned. (If one hasn't been assigned, no code we've
2506  * generated uses that prefix, so we don't need to generate any
2507  * code to load it.)
2508  */
2509  if (cstate->off_linkhdr.reg != -1) {
2510  /*
2511  * The 2 bytes at offsets of 2 and 3 from the beginning
2512  * of the radiotap header are the length of the radiotap
2513  * header; unfortunately, it's little-endian, so we have
2514  * to load it a byte at a time and construct the value.
2515  */
2516 
2517  /*
2518  * Load the high-order byte, at an offset of 3, shift it
2519  * left a byte, and put the result in the X register.
2520  */
2521  s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2522  s1->s.k = 3;
2523  s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2524  sappend(s1, s2);
2525  s2->s.k = 8;
2526  s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2527  sappend(s1, s2);
2528 
2529  /*
2530  * Load the next byte, at an offset of 2, and OR the
2531  * value from the X register into it.
2532  */
2533  s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2534  sappend(s1, s2);
2535  s2->s.k = 2;
2536  s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2537  sappend(s1, s2);
2538 
2539  /*
2540  * Now allocate a register to hold that value and store
2541  * it.
2542  */
2543  s2 = new_stmt(cstate, BPF_ST);
2544  s2->s.k = cstate->off_linkhdr.reg;
2545  sappend(s1, s2);
2546 
2547  /*
2548  * Now move it into the X register.
2549  */
2550  s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2551  sappend(s1, s2);
2552 
2553  return (s1);
2554  } else
2555  return (NULL);
2556 }
2557 
2558 /*
2559  * At the moment we treat PPI as normal Radiotap encoded
2560  * packets. The difference is in the function that generates
2561  * the code at the beginning to compute the header length.
2562  * Since this code generator of PPI supports bare 802.11
2563  * encapsulation only (i.e. the encapsulated DLT should be
2564  * DLT_IEEE802_11) we generate code to check for this too;
2565  * that's done in finish_parse().
2566  */
2567 static struct slist *
2569 {
2570  struct slist *s1, *s2;
2571 
2572  /*
2573  * Generate code to load the length of the radiotap header
2574  * into the register assigned to hold that length, if one has
2575  * been assigned.
2576  */
2577  if (cstate->off_linkhdr.reg != -1) {
2578  /*
2579  * The 2 bytes at offsets of 2 and 3 from the beginning
2580  * of the radiotap header are the length of the radiotap
2581  * header; unfortunately, it's little-endian, so we have
2582  * to load it a byte at a time and construct the value.
2583  */
2584 
2585  /*
2586  * Load the high-order byte, at an offset of 3, shift it
2587  * left a byte, and put the result in the X register.
2588  */
2589  s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2590  s1->s.k = 3;
2591  s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2592  sappend(s1, s2);
2593  s2->s.k = 8;
2594  s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2595  sappend(s1, s2);
2596 
2597  /*
2598  * Load the next byte, at an offset of 2, and OR the
2599  * value from the X register into it.
2600  */
2601  s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2602  sappend(s1, s2);
2603  s2->s.k = 2;
2604  s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2605  sappend(s1, s2);
2606 
2607  /*
2608  * Now allocate a register to hold that value and store
2609  * it.
2610  */
2611  s2 = new_stmt(cstate, BPF_ST);
2612  s2->s.k = cstate->off_linkhdr.reg;
2613  sappend(s1, s2);
2614 
2615  /*
2616  * Now move it into the X register.
2617  */
2618  s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2619  sappend(s1, s2);
2620 
2621  return (s1);
2622  } else
2623  return (NULL);
2624 }
2625 
2626 /*
2627  * Load a value relative to the beginning of the link-layer header after the 802.11
2628  * header, i.e. LLC_SNAP.
2629  * The link-layer header doesn't necessarily begin at the beginning
2630  * of the packet data; there might be a variable-length prefix containing
2631  * radio information.
2632  */
2633 static struct slist *
2634 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2635 {
2636  struct slist *s2;
2637  struct slist *sjset_data_frame_1;
2638  struct slist *sjset_data_frame_2;
2639  struct slist *sjset_qos;
2640  struct slist *sjset_radiotap_flags_present;
2641  struct slist *sjset_radiotap_ext_present;
2642  struct slist *sjset_radiotap_tsft_present;
2643  struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2644  struct slist *s_roundup;
2645 
2646  if (cstate->off_linkpl.reg == -1) {
2647  /*
2648  * No register has been assigned to the offset of
2649  * the link-layer payload, which means nobody needs
2650  * it; don't bother computing it - just return
2651  * what we already have.
2652  */
2653  return (s);
2654  }
2655 
2656  /*
2657  * This code is not compatible with the optimizer, as
2658  * we are generating jmp instructions within a normal
2659  * slist of instructions
2660  */
2661  cstate->no_optimize = 1;
2662 
2663  /*
2664  * If "s" is non-null, it has code to arrange that the X register
2665  * contains the length of the prefix preceding the link-layer
2666  * header.
2667  *
2668  * Otherwise, the length of the prefix preceding the link-layer
2669  * header is "off_outermostlinkhdr.constant_part".
2670  */
2671  if (s == NULL) {
2672  /*
2673  * There is no variable-length header preceding the
2674  * link-layer header.
2675  *
2676  * Load the length of the fixed-length prefix preceding
2677  * the link-layer header (if any) into the X register,
2678  * and store it in the cstate->off_linkpl.reg register.
2679  * That length is off_outermostlinkhdr.constant_part.
2680  */
2681  s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2682  s->s.k = cstate->off_outermostlinkhdr.constant_part;
2683  }
2684 
2685  /*
2686  * The X register contains the offset of the beginning of the
2687  * link-layer header; add 24, which is the minimum length
2688  * of the MAC header for a data frame, to that, and store it
2689  * in cstate->off_linkpl.reg, and then load the Frame Control field,
2690  * which is at the offset in the X register, with an indexed load.
2691  */
2692  s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2693  sappend(s, s2);
2694  s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2695  s2->s.k = 24;
2696  sappend(s, s2);
2697  s2 = new_stmt(cstate, BPF_ST);
2698  s2->s.k = cstate->off_linkpl.reg;
2699  sappend(s, s2);
2700 
2701  s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2702  s2->s.k = 0;
2703  sappend(s, s2);
2704 
2705  /*
2706  * Check the Frame Control field to see if this is a data frame;
2707  * a data frame has the 0x08 bit (b3) in that field set and the
2708  * 0x04 bit (b2) clear.
2709  */
2710  sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2711  sjset_data_frame_1->s.k = 0x08;
2712  sappend(s, sjset_data_frame_1);
2713 
2714  /*
2715  * If b3 is set, test b2, otherwise go to the first statement of
2716  * the rest of the program.
2717  */
2718  sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2719  sjset_data_frame_2->s.k = 0x04;
2720  sappend(s, sjset_data_frame_2);
2721  sjset_data_frame_1->s.jf = snext;
2722 
2723  /*
2724  * If b2 is not set, this is a data frame; test the QoS bit.
2725  * Otherwise, go to the first statement of the rest of the
2726  * program.
2727  */
2728  sjset_data_frame_2->s.jt = snext;
2729  sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2730  sjset_qos->s.k = 0x80; /* QoS bit */
2731  sappend(s, sjset_qos);
2732 
2733  /*
2734  * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2735  * field.
2736  * Otherwise, go to the first statement of the rest of the
2737  * program.
2738  */
2739  sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2740  s2->s.k = cstate->off_linkpl.reg;
2741  sappend(s, s2);
2742  s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2743  s2->s.k = 2;
2744  sappend(s, s2);
2745  s2 = new_stmt(cstate, BPF_ST);
2746  s2->s.k = cstate->off_linkpl.reg;
2747  sappend(s, s2);
2748 
2749  /*
2750  * If we have a radiotap header, look at it to see whether
2751  * there's Atheros padding between the MAC-layer header
2752  * and the payload.
2753  *
2754  * Note: all of the fields in the radiotap header are
2755  * little-endian, so we byte-swap all of the values
2756  * we test against, as they will be loaded as big-endian
2757  * values.
2758  *
2759  * XXX - in the general case, we would have to scan through
2760  * *all* the presence bits, if there's more than one word of
2761  * presence bits. That would require a loop, meaning that
2762  * we wouldn't be able to run the filter in the kernel.
2763  *
2764  * We assume here that the Atheros adapters that insert the
2765  * annoying padding don't have multiple antennae and therefore
2766  * do not generate radiotap headers with multiple presence words.
2767  */
2768  if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2769  /*
2770  * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2771  * in the first presence flag word?
2772  */
2773  sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2774  s2->s.k = 4;
2775  sappend(s, s2);
2776 
2777  sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2778  sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2779  sappend(s, sjset_radiotap_flags_present);
2780 
2781  /*
2782  * If not, skip all of this.
2783  */
2784  sjset_radiotap_flags_present->s.jf = snext;
2785 
2786  /*
2787  * Otherwise, is the "extension" bit set in that word?
2788  */
2789  sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2790  sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2791  sappend(s, sjset_radiotap_ext_present);
2792  sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2793 
2794  /*
2795  * If so, skip all of this.
2796  */
2797  sjset_radiotap_ext_present->s.jt = snext;
2798 
2799  /*
2800  * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2801  */
2802  sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2803  sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2804  sappend(s, sjset_radiotap_tsft_present);
2805  sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2806 
2807  /*
2808  * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2809  * at an offset of 16 from the beginning of the raw packet
2810  * data (8 bytes for the radiotap header and 8 bytes for
2811  * the TSFT field).
2812  *
2813  * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2814  * is set.
2815  */
2816  s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2817  s2->s.k = 16;
2818  sappend(s, s2);
2819  sjset_radiotap_tsft_present->s.jt = s2;
2820 
2821  sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2822  sjset_tsft_datapad->s.k = 0x20;
2823  sappend(s, sjset_tsft_datapad);
2824 
2825  /*
2826  * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2827  * at an offset of 8 from the beginning of the raw packet
2828  * data (8 bytes for the radiotap header).
2829  *
2830  * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2831  * is set.
2832  */
2833  s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2834  s2->s.k = 8;
2835  sappend(s, s2);
2836  sjset_radiotap_tsft_present->s.jf = s2;
2837 
2838  sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2839  sjset_notsft_datapad->s.k = 0x20;
2840  sappend(s, sjset_notsft_datapad);
2841 
2842  /*
2843  * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2844  * set, round the length of the 802.11 header to
2845  * a multiple of 4. Do that by adding 3 and then
2846  * dividing by and multiplying by 4, which we do by
2847  * ANDing with ~3.
2848  */
2849  s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2850  s_roundup->s.k = cstate->off_linkpl.reg;
2851  sappend(s, s_roundup);
2852  s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2853  s2->s.k = 3;
2854  sappend(s, s2);
2855  s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2856  s2->s.k = (bpf_u_int32)~3;
2857  sappend(s, s2);
2858  s2 = new_stmt(cstate, BPF_ST);
2859  s2->s.k = cstate->off_linkpl.reg;
2860  sappend(s, s2);
2861 
2862  sjset_tsft_datapad->s.jt = s_roundup;
2863  sjset_tsft_datapad->s.jf = snext;
2864  sjset_notsft_datapad->s.jt = s_roundup;
2865  sjset_notsft_datapad->s.jf = snext;
2866  } else
2867  sjset_qos->s.jf = snext;
2868 
2869  return s;
2870 }
2871 
2872 static void
2874 {
2875  struct slist *s;
2876 
2877  /* There is an implicit dependency between the link
2878  * payload and link header since the payload computation
2879  * includes the variable part of the header. Therefore,
2880  * if nobody else has allocated a register for the link
2881  * header and we need it, do it now. */
2882  if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2883  cstate->off_linkhdr.reg == -1)
2884  cstate->off_linkhdr.reg = alloc_reg(cstate);
2885 
2886  /*
2887  * For link-layer types that have a variable-length header
2888  * preceding the link-layer header, generate code to load
2889  * the offset of the link-layer header into the register
2890  * assigned to that offset, if any.
2891  *
2892  * XXX - this, and the next switch statement, won't handle
2893  * encapsulation of 802.11 or 802.11+radio information in
2894  * some other protocol stack. That's significantly more
2895  * complicated.
2896  */
2897  switch (cstate->outermostlinktype) {
2898 
2899  case DLT_PRISM_HEADER:
2900  s = gen_load_prism_llprefixlen(cstate);
2901  break;
2902 
2904  s = gen_load_avs_llprefixlen(cstate);
2905  break;
2906 
2907  case DLT_IEEE802_11_RADIO:
2908  s = gen_load_radiotap_llprefixlen(cstate);
2909  break;
2910 
2911  case DLT_PPI:
2912  s = gen_load_ppi_llprefixlen(cstate);
2913  break;
2914 
2915  default:
2916  s = NULL;
2917  break;
2918  }
2919 
2920  /*
2921  * For link-layer types that have a variable-length link-layer
2922  * header, generate code to load the offset of the link-layer
2923  * payload into the register assigned to that offset, if any.
2924  */
2925  switch (cstate->outermostlinktype) {
2926 
2927  case DLT_IEEE802_11:
2928  case DLT_PRISM_HEADER:
2930  case DLT_IEEE802_11_RADIO:
2931  case DLT_PPI:
2932  s = gen_load_802_11_header_len(cstate, s, b->stmts);
2933  break;
2934  }
2935 
2936  /*
2937  * If there is no initialization yet and we need variable
2938  * length offsets for VLAN, initialize them to zero
2939  */
2940  if (s == NULL && cstate->is_vlan_vloffset) {
2941  struct slist *s2;
2942 
2943  if (cstate->off_linkpl.reg == -1)
2944  cstate->off_linkpl.reg = alloc_reg(cstate);
2945  if (cstate->off_linktype.reg == -1)
2946  cstate->off_linktype.reg = alloc_reg(cstate);
2947 
2948  s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2949  s->s.k = 0;
2950  s2 = new_stmt(cstate, BPF_ST);
2951  s2->s.k = cstate->off_linkpl.reg;
2952  sappend(s, s2);
2953  s2 = new_stmt(cstate, BPF_ST);
2954  s2->s.k = cstate->off_linktype.reg;
2955  sappend(s, s2);
2956  }
2957 
2958  /*
2959  * If we have any offset-loading code, append all the
2960  * existing statements in the block to those statements,
2961  * and make the resulting list the list of statements
2962  * for the block.
2963  */
2964  if (s != NULL) {
2965  sappend(s, b->stmts);
2966  b->stmts = s;
2967  }
2968 }
2969 
2970 static struct block *
2972 {
2973  struct slist *s_load_dlt;
2974  struct block *b;
2975 
2976  if (cstate->linktype == DLT_PPI)
2977  {
2978  /* Create the statements that check for the DLT
2979  */
2980  s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2981  s_load_dlt->s.k = 4;
2982 
2983  b = new_block(cstate, JMP(BPF_JEQ));
2984 
2985  b->stmts = s_load_dlt;
2986  b->s.k = SWAPLONG(DLT_IEEE802_11);
2987  }
2988  else
2989  {
2990  b = NULL;
2991  }
2992 
2993  return b;
2994 }
2995 
2996 /*
2997  * Take an absolute offset, and:
2998  *
2999  * if it has no variable part, return NULL;
3000  *
3001  * if it has a variable part, generate code to load the register
3002  * containing that variable part into the X register, returning
3003  * a pointer to that code - if no register for that offset has
3004  * been allocated, allocate it first.
3005  *
3006  * (The code to set that register will be generated later, but will
3007  * be placed earlier in the code sequence.)
3008  */
3009 static struct slist *
3011 {
3012  struct slist *s;
3013 
3014  if (off->is_variable) {
3015  if (off->reg == -1) {
3016  /*
3017  * We haven't yet assigned a register for the
3018  * variable part of the offset of the link-layer
3019  * header; allocate one.
3020  */
3021  off->reg = alloc_reg(cstate);
3022  }
3023 
3024  /*
3025  * Load the register containing the variable part of the
3026  * offset of the link-layer header into the X register.
3027  */
3028  s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3029  s->s.k = off->reg;
3030  return s;
3031  } else {
3032  /*
3033  * That offset isn't variable, there's no variable part,
3034  * so we don't need to generate any code.
3035  */
3036  return NULL;
3037  }
3038 }
3039 
3040 /*
3041  * Map an Ethernet type to the equivalent PPP type.
3042  */
3043 static bpf_u_int32
3045 {
3046  switch (ll_proto) {
3047 
3048  case ETHERTYPE_IP:
3049  ll_proto = PPP_IP;
3050  break;
3051 
3052  case ETHERTYPE_IPV6:
3053  ll_proto = PPP_IPV6;
3054  break;
3055 
3056  case ETHERTYPE_DN:
3057  ll_proto = PPP_DECNET;
3058  break;
3059 
3060  case ETHERTYPE_ATALK:
3061  ll_proto = PPP_APPLE;
3062  break;
3063 
3064  case ETHERTYPE_NS:
3065  ll_proto = PPP_NS;
3066  break;
3067 
3068  case LLCSAP_ISONS:
3069  ll_proto = PPP_OSI;
3070  break;
3071 
3072  case LLCSAP_8021D:
3073  /*
3074  * I'm assuming the "Bridging PDU"s that go
3075  * over PPP are Spanning Tree Protocol
3076  * Bridging PDUs.
3077  */
3078  ll_proto = PPP_BRPDU;
3079  break;
3080 
3081  case LLCSAP_IPX:
3082  ll_proto = PPP_IPX;
3083  break;
3084  }
3085  return (ll_proto);
3086 }
3087 
3088 /*
3089  * Generate any tests that, for encapsulation of a link-layer packet
3090  * inside another protocol stack, need to be done to check for those
3091  * link-layer packets (and that haven't already been done by a check
3092  * for that encapsulation).
3093  */
3094 static struct block *
3096 {
3097  struct block *b0;
3098 
3099  if (cstate->is_geneve)
3100  return gen_geneve_ll_check(cstate);
3101 
3102  switch (cstate->prevlinktype) {
3103 
3104  case DLT_SUNATM:
3105  /*
3106  * This is LANE-encapsulated Ethernet; check that the LANE
3107  * packet doesn't begin with an LE Control marker, i.e.
3108  * that it's data, not a control message.
3109  *
3110  * (We've already generated a test for LANE.)
3111  */
3112  b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3113  gen_not(b0);
3114  return b0;
3115 
3116  default:
3117  /*
3118  * No such tests are necessary.
3119  */
3120  return NULL;
3121  }
3122  /*NOTREACHED*/
3123 }
3124 
3125 /*
3126  * The three different values we should check for when checking for an
3127  * IPv6 packet with DLT_NULL.
3128  */
3129 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3130 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3131 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3132 
3133 /*
3134  * Generate code to match a particular packet type by matching the
3135  * link-layer type field or fields in the 802.2 LLC header.
3136  *
3137  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3138  * value, if <= ETHERMTU.
3139  */
3140 static struct block *
3142 {
3143  struct block *b0, *b1, *b2;
3144  const char *description;
3145 
3146  /* are we checking MPLS-encapsulated packets? */
3147  if (cstate->label_stack_depth > 0)
3148  return gen_mpls_linktype(cstate, ll_proto);
3149 
3150  switch (cstate->linktype) {
3151 
3152  case DLT_EN10MB:
3153  case DLT_NETANALYZER:
3155  /* Geneve has an EtherType regardless of whether there is an
3156  * L2 header. */
3157  if (!cstate->is_geneve)
3158  b0 = gen_prevlinkhdr_check(cstate);
3159  else
3160  b0 = NULL;
3161 
3162  b1 = gen_ether_linktype(cstate, ll_proto);
3163  if (b0 != NULL)
3164  gen_and(b0, b1);
3165  return b1;
3166  /*NOTREACHED*/
3167 
3168  case DLT_C_HDLC:
3169  switch (ll_proto) {
3170 
3171  case LLCSAP_ISONS:
3172  ll_proto = (ll_proto << 8 | LLCSAP_ISONS);
3173  /* fall through */
3174 
3175  default:
3176  return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3177  /*NOTREACHED*/
3178  }
3179 
3180  case DLT_IEEE802_11:
3181  case DLT_PRISM_HEADER:
3183  case DLT_IEEE802_11_RADIO:
3184  case DLT_PPI:
3185  /*
3186  * Check that we have a data frame.
3187  */
3188  b0 = gen_check_802_11_data_frame(cstate);
3189 
3190  /*
3191  * Now check for the specified link-layer type.
3192  */
3193  b1 = gen_llc_linktype(cstate, ll_proto);
3194  gen_and(b0, b1);
3195  return b1;
3196  /*NOTREACHED*/
3197 
3198  case DLT_FDDI:
3199  /*
3200  * XXX - check for LLC frames.
3201  */
3202  return gen_llc_linktype(cstate, ll_proto);
3203  /*NOTREACHED*/
3204 
3205  case DLT_IEEE802:
3206  /*
3207  * XXX - check for LLC PDUs, as per IEEE 802.5.
3208  */
3209  return gen_llc_linktype(cstate, ll_proto);
3210  /*NOTREACHED*/
3211 
3212  case DLT_ATM_RFC1483:
3213  case DLT_ATM_CLIP:
3214  case DLT_IP_OVER_FC:
3215  return gen_llc_linktype(cstate, ll_proto);
3216  /*NOTREACHED*/
3217 
3218  case DLT_SUNATM:
3219  /*
3220  * Check for an LLC-encapsulated version of this protocol;
3221  * if we were checking for LANE, linktype would no longer
3222  * be DLT_SUNATM.
3223  *
3224  * Check for LLC encapsulation and then check the protocol.
3225  */
3227  b1 = gen_llc_linktype(cstate, ll_proto);
3228  gen_and(b0, b1);
3229  return b1;
3230  /*NOTREACHED*/
3231 
3232  case DLT_LINUX_SLL:
3233  return gen_linux_sll_linktype(cstate, ll_proto);
3234  /*NOTREACHED*/
3235 
3236  case DLT_SLIP:
3237  case DLT_SLIP_BSDOS:
3238  case DLT_RAW:
3239  /*
3240  * These types don't provide any type field; packets
3241  * are always IPv4 or IPv6.
3242  *
3243  * XXX - for IPv4, check for a version number of 4, and,
3244  * for IPv6, check for a version number of 6?
3245  */
3246  switch (ll_proto) {
3247 
3248  case ETHERTYPE_IP:
3249  /* Check for a version number of 4. */
3250  return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3251 
3252  case ETHERTYPE_IPV6:
3253  /* Check for a version number of 6. */
3254  return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3255 
3256  default:
3257  return gen_false(cstate); /* always false */
3258  }
3259  /*NOTREACHED*/
3260 
3261  case DLT_IPV4:
3262  /*
3263  * Raw IPv4, so no type field.
3264  */
3265  if (ll_proto == ETHERTYPE_IP)
3266  return gen_true(cstate); /* always true */
3267 
3268  /* Checking for something other than IPv4; always false */
3269  return gen_false(cstate);
3270  /*NOTREACHED*/
3271 
3272  case DLT_IPV6:
3273  /*
3274  * Raw IPv6, so no type field.
3275  */
3276  if (ll_proto == ETHERTYPE_IPV6)
3277  return gen_true(cstate); /* always true */
3278 
3279  /* Checking for something other than IPv6; always false */
3280  return gen_false(cstate);
3281  /*NOTREACHED*/
3282 
3283  case DLT_PPP:
3284  case DLT_PPP_PPPD:
3285  case DLT_PPP_SERIAL:
3286  case DLT_PPP_ETHER:
3287  /*
3288  * We use Ethernet protocol types inside libpcap;
3289  * map them to the corresponding PPP protocol types.
3290  */
3291  return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3292  ethertype_to_ppptype(ll_proto));
3293  /*NOTREACHED*/
3294 
3295  case DLT_PPP_BSDOS:
3296  /*
3297  * We use Ethernet protocol types inside libpcap;
3298  * map them to the corresponding PPP protocol types.
3299  */
3300  switch (ll_proto) {
3301 
3302  case ETHERTYPE_IP:
3303  /*
3304  * Also check for Van Jacobson-compressed IP.
3305  * XXX - do this for other forms of PPP?
3306  */
3307  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3308  b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3309  gen_or(b0, b1);
3310  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3311  gen_or(b1, b0);
3312  return b0;
3313 
3314  default:
3315  return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3316  ethertype_to_ppptype(ll_proto));
3317  }
3318  /*NOTREACHED*/
3319 
3320  case DLT_NULL:
3321  case DLT_LOOP:
3322  case DLT_ENC:
3323  switch (ll_proto) {
3324 
3325  case ETHERTYPE_IP:
3326  return (gen_loopback_linktype(cstate, AF_INET));
3327 
3328  case ETHERTYPE_IPV6:
3329  /*
3330  * AF_ values may, unfortunately, be platform-
3331  * dependent; AF_INET isn't, because everybody
3332  * used 4.2BSD's value, but AF_INET6 is, because
3333  * 4.2BSD didn't have a value for it (given that
3334  * IPv6 didn't exist back in the early 1980's),
3335  * and they all picked their own values.
3336  *
3337  * This means that, if we're reading from a
3338  * savefile, we need to check for all the
3339  * possible values.
3340  *
3341  * If we're doing a live capture, we only need
3342  * to check for this platform's value; however,
3343  * Npcap uses 24, which isn't Windows's AF_INET6
3344  * value. (Given the multiple different values,
3345  * programs that read pcap files shouldn't be
3346  * checking for their platform's AF_INET6 value
3347  * anyway, they should check for all of the
3348  * possible values. and they might as well do
3349  * that even for live captures.)
3350  */
3351  if (cstate->bpf_pcap->rfile != NULL) {
3352  /*
3353  * Savefile - check for all three
3354  * possible IPv6 values.
3355  */
3358  gen_or(b0, b1);
3360  gen_or(b0, b1);
3361  return (b1);
3362  } else {
3363  /*
3364  * Live capture, so we only need to
3365  * check for the value used on this
3366  * platform.
3367  */
3368 #ifdef _WIN32
3369  /*
3370  * Npcap doesn't use Windows's AF_INET6,
3371  * as that collides with AF_IPX on
3372  * some BSDs (both have the value 23).
3373  * Instead, it uses 24.
3374  */
3375  return (gen_loopback_linktype(cstate, 24));
3376 #else /* _WIN32 */
3377 #ifdef AF_INET6
3378  return (gen_loopback_linktype(cstate, AF_INET6));
3379 #else /* AF_INET6 */
3380  /*
3381  * I guess this platform doesn't support
3382  * IPv6, so we just reject all packets.
3383  */
3384  return gen_false(cstate);
3385 #endif /* AF_INET6 */
3386 #endif /* _WIN32 */
3387  }
3388 
3389  default:
3390  /*
3391  * Not a type on which we support filtering.
3392  * XXX - support those that have AF_ values
3393  * #defined on this platform, at least?
3394  */
3395  return gen_false(cstate);
3396  }
3397 
3398 #ifdef HAVE_NET_PFVAR_H
3399  case DLT_PFLOG:
3400  /*
3401  * af field is host byte order in contrast to the rest of
3402  * the packet.
3403  */
3404  if (ll_proto == ETHERTYPE_IP)
3405  return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3406  BPF_B, AF_INET));
3407  else if (ll_proto == ETHERTYPE_IPV6)
3408  return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3409  BPF_B, AF_INET6));
3410  else
3411  return gen_false(cstate);
3412  /*NOTREACHED*/
3413 #endif /* HAVE_NET_PFVAR_H */
3414 
3415  case DLT_ARCNET:
3416  case DLT_ARCNET_LINUX:
3417  /*
3418  * XXX should we check for first fragment if the protocol
3419  * uses PHDS?
3420  */
3421  switch (ll_proto) {
3422 
3423  default:
3424  return gen_false(cstate);
3425 
3426  case ETHERTYPE_IPV6:
3427  return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3428  ARCTYPE_INET6));
3429 
3430  case ETHERTYPE_IP:
3431  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3432  ARCTYPE_IP);
3433  b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3434  ARCTYPE_IP_OLD);
3435  gen_or(b0, b1);
3436  return (b1);
3437 
3438  case ETHERTYPE_ARP:
3439  b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3440  ARCTYPE_ARP);
3441  b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3442  ARCTYPE_ARP_OLD);
3443  gen_or(b0, b1);
3444  return (b1);
3445 
3446  case ETHERTYPE_REVARP:
3447  return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3448  ARCTYPE_REVARP));
3449 
3450  case ETHERTYPE_ATALK:
3451  return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3452  ARCTYPE_ATALK));
3453  }
3454  /*NOTREACHED*/
3455 
3456  case DLT_LTALK:
3457  switch (ll_proto) {
3458  case ETHERTYPE_ATALK:
3459  return gen_true(cstate);
3460  default:
3461  return gen_false(cstate);
3462  }
3463  /*NOTREACHED*/
3464 
3465  case DLT_FRELAY:
3466  /*
3467  * XXX - assumes a 2-byte Frame Relay header with
3468  * DLCI and flags. What if the address is longer?
3469  */
3470  switch (ll_proto) {
3471 
3472  case ETHERTYPE_IP:
3473  /*
3474  * Check for the special NLPID for IP.
3475  */
3476  return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3477 
3478  case ETHERTYPE_IPV6:
3479  /*
3480  * Check for the special NLPID for IPv6.
3481  */
3482  return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3483 
3484  case LLCSAP_ISONS:
3485  /*
3486  * Check for several OSI protocols.
3487  *
3488  * Frame Relay packets typically have an OSI
3489  * NLPID at the beginning; we check for each
3490  * of them.
3491  *
3492  * What we check for is the NLPID and a frame
3493  * control field of UI, i.e. 0x03 followed
3494  * by the NLPID.
3495  */
3496  b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3497  b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3498  b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3499  gen_or(b1, b2);
3500  gen_or(b0, b2);
3501  return b2;
3502 
3503  default:
3504  return gen_false(cstate);
3505  }
3506  /*NOTREACHED*/
3507 
3508  case DLT_MFR:
3509  bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3510 
3511  case DLT_JUNIPER_MFR:
3512  case DLT_JUNIPER_MLFR:
3513  case DLT_JUNIPER_MLPPP:
3514  case DLT_JUNIPER_ATM1:
3515  case DLT_JUNIPER_ATM2:
3516  case DLT_JUNIPER_PPPOE:
3517  case DLT_JUNIPER_PPPOE_ATM:
3518  case DLT_JUNIPER_GGSN:
3519  case DLT_JUNIPER_ES:
3520  case DLT_JUNIPER_MONITOR:
3521  case DLT_JUNIPER_SERVICES:
3522  case DLT_JUNIPER_ETHER:
3523  case DLT_JUNIPER_PPP:
3524  case DLT_JUNIPER_FRELAY:
3525  case DLT_JUNIPER_CHDLC:
3526  case DLT_JUNIPER_VP:
3527  case DLT_JUNIPER_ST:
3528  case DLT_JUNIPER_ISM:
3529  case DLT_JUNIPER_VS:
3530  case DLT_JUNIPER_SRX_E2E:
3532  case DLT_JUNIPER_ATM_CEMIC:
3533 
3534  /* just lets verify the magic number for now -
3535  * on ATM we may have up to 6 different encapsulations on the wire
3536  * and need a lot of heuristics to figure out that the payload
3537  * might be;
3538  *
3539  * FIXME encapsulation specific BPF_ filters
3540  */
3541  return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3542 
3543  case DLT_BACNET_MS_TP:
3544  return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3545 
3546  case DLT_IPNET:
3547  return gen_ipnet_linktype(cstate, ll_proto);
3548 
3549  case DLT_LINUX_IRDA:
3550  bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3551 
3552  case DLT_DOCSIS:
3553  bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3554 
3555  case DLT_MTP2:
3556  case DLT_MTP2_WITH_PHDR:
3557  bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3558 
3559  case DLT_ERF:
3560  bpf_error(cstate, "ERF link-layer type filtering not implemented");
3561 
3562  case DLT_PFSYNC:
3563  bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3564 
3565  case DLT_LINUX_LAPD:
3566  bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3567 
3568  case DLT_USB_FREEBSD:
3569  case DLT_USB_LINUX:
3570  case DLT_USB_LINUX_MMAPPED:
3571  case DLT_USBPCAP:
3572  bpf_error(cstate, "USB link-layer type filtering not implemented");
3573 
3574  case DLT_BLUETOOTH_HCI_H4:
3576  bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3577 
3578  case DLT_CAN20B:
3579  case DLT_CAN_SOCKETCAN:
3580  bpf_error(cstate, "CAN link-layer type filtering not implemented");
3581 
3582  case DLT_IEEE802_15_4:
3586  case DLT_IEEE802_15_4_TAP:
3587  bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3588 
3590  bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3591 
3592  case DLT_SITA:
3593  bpf_error(cstate, "SITA link-layer type filtering not implemented");
3594 
3595  case DLT_RAIF1:
3596  bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3597 
3598  case DLT_IPMB_KONTRON:
3599  case DLT_IPMB_LINUX:
3600  bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3601 
3602  case DLT_AX25_KISS:
3603  bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3604 
3605  case DLT_NFLOG:
3606  /* Using the fixed-size NFLOG header it is possible to tell only
3607  * the address family of the packet, other meaningful data is
3608  * either missing or behind TLVs.
3609  */
3610  bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3611 
3612  default:
3613  /*
3614  * Does this link-layer header type have a field
3615  * indicating the type of the next protocol? If
3616  * so, off_linktype.constant_part will be the offset of that
3617  * field in the packet; if not, it will be OFFSET_NOT_SET.
3618  */
3619  if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3620  /*
3621  * Yes; assume it's an Ethernet type. (If
3622  * it's not, it needs to be handled specially
3623  * above.)
3624  */
3625  return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3626  /*NOTREACHED */
3627  } else {
3628  /*
3629  * No; report an error.
3630  */
3631  description = pcap_datalink_val_to_description_or_dlt(cstate->linktype);
3632  bpf_error(cstate, "%s link-layer type filtering not implemented",
3633  description);
3634  /*NOTREACHED */
3635  }
3636  }
3637 }
3638 
3639 /*
3640  * Check for an LLC SNAP packet with a given organization code and
3641  * protocol type; we check the entire contents of the 802.2 LLC and
3642  * snap headers, checking for DSAP and SSAP of SNAP and a control
3643  * field of 0x03 in the LLC header, and for the specified organization
3644  * code and protocol type in the SNAP header.
3645  */
3646 static struct block *
3648 {
3649  u_char snapblock[8];
3650 
3651  snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3652  snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3653  snapblock[2] = 0x03; /* control = UI */
3654  snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
3655  snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
3656  snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
3657  snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
3658  snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
3659  return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3660 }
3661 
3662 /*
3663  * Generate code to match frames with an LLC header.
3664  */
3665 static struct block *
3667 {
3668  struct block *b0, *b1;
3669 
3670  switch (cstate->linktype) {
3671 
3672  case DLT_EN10MB:
3673  /*
3674  * We check for an Ethernet type field less than
3675  * 1500, which means it's an 802.3 length field.
3676  */
3677  b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3678  gen_not(b0);
3679 
3680  /*
3681  * Now check for the purported DSAP and SSAP not being
3682  * 0xFF, to rule out NetWare-over-802.3.
3683  */
3684  b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
3685  gen_not(b1);
3686  gen_and(b0, b1);
3687  return b1;
3688 
3689  case DLT_SUNATM:
3690  /*
3691  * We check for LLC traffic.
3692  */
3693  b0 = gen_atmtype_llc(cstate);
3694  return b0;
3695 
3696  case DLT_IEEE802: /* Token Ring */
3697  /*
3698  * XXX - check for LLC frames.
3699  */
3700  return gen_true(cstate);
3701 
3702  case DLT_FDDI:
3703  /*
3704  * XXX - check for LLC frames.
3705  */
3706  return gen_true(cstate);
3707 
3708  case DLT_ATM_RFC1483:
3709  /*
3710  * For LLC encapsulation, these are defined to have an
3711  * 802.2 LLC header.
3712  *
3713  * For VC encapsulation, they don't, but there's no
3714  * way to check for that; the protocol used on the VC
3715  * is negotiated out of band.
3716  */
3717  return gen_true(cstate);
3718 
3719  case DLT_IEEE802_11:
3720  case DLT_PRISM_HEADER:
3721  case DLT_IEEE802_11_RADIO:
3723  case DLT_PPI:
3724  /*
3725  * Check that we have a data frame.
3726  */
3727  b0 = gen_check_802_11_data_frame(cstate);
3728  return b0;
3729 
3730  default:
3731  bpf_error(cstate, "'llc' not supported for %s",
3733  /*NOTREACHED*/
3734  }
3735 }
3736 
3737 struct block *
3739 {
3740  /*
3741  * Catch errors reported by us and routines below us, and return NULL
3742  * on an error.
3743  */
3744  if (setjmp(cstate->top_ctx))
3745  return (NULL);
3746 
3747  return gen_llc_internal(cstate);
3748 }
3749 
3750 struct block *
3752 {
3753  struct block *b0, *b1;
3754  struct slist *s;
3755 
3756  /*
3757  * Catch errors reported by us and routines below us, and return NULL
3758  * on an error.
3759  */
3760  if (setjmp(cstate->top_ctx))
3761  return (NULL);
3762 
3763  /*
3764  * Check whether this is an LLC frame.
3765  */
3766  b0 = gen_llc_internal(cstate);
3767 
3768  /*
3769  * Load the control byte and test the low-order bit; it must
3770  * be clear for I frames.
3771  */
3772  s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3773  b1 = new_block(cstate, JMP(BPF_JSET));
3774  b1->s.k = 0x01;
3775  b1->stmts = s;
3776  gen_not(b1);
3777  gen_and(b0, b1);
3778  return b1;
3779 }
3780 
3781 struct block *
3783 {
3784  struct block *b0, *b1;
3785 
3786  /*
3787  * Catch errors reported by us and routines below us, and return NULL
3788  * on an error.
3789  */
3790  if (setjmp(cstate->top_ctx))
3791  return (NULL);
3792 
3793  /*
3794  * Check whether this is an LLC frame.
3795  */
3796  b0 = gen_llc_internal(cstate);
3797 
3798  /*
3799  * Now compare the low-order 2 bit of the control byte against
3800  * the appropriate value for S frames.
3801  */
3802  b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3803  gen_and(b0, b1);
3804  return b1;
3805 }
3806 
3807 struct block *
3809 {
3810  struct block *b0, *b1;
3811 
3812  /*
3813  * Catch errors reported by us and routines below us, and return NULL
3814  * on an error.
3815  */
3816  if (setjmp(cstate->top_ctx))
3817  return (NULL);
3818 
3819  /*
3820  * Check whether this is an LLC frame.
3821  */
3822  b0 = gen_llc_internal(cstate);
3823 
3824  /*
3825  * Now compare the low-order 2 bit of the control byte against
3826  * the appropriate value for U frames.
3827  */
3828  b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3829  gen_and(b0, b1);
3830  return b1;
3831 }
3832 
3833 struct block *
3835 {
3836  struct block *b0, *b1;
3837 
3838  /*
3839  * Catch errors reported by us and routines below us, and return NULL
3840  * on an error.
3841  */
3842  if (setjmp(cstate->top_ctx))
3843  return (NULL);
3844 
3845  /*
3846  * Check whether this is an LLC frame.
3847  */
3848  b0 = gen_llc_internal(cstate);
3849 
3850  /*
3851  * Now check for an S frame with the appropriate type.
3852  */
3853  b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3854  gen_and(b0, b1);
3855  return b1;
3856 }
3857 
3858 struct block *
3860 {
3861  struct block *b0, *b1;
3862 
3863  /*
3864  * Catch errors reported by us and routines below us, and return NULL
3865  * on an error.
3866  */
3867  if (setjmp(cstate->top_ctx))
3868  return (NULL);
3869 
3870  /*
3871  * Check whether this is an LLC frame.
3872  */
3873  b0 = gen_llc_internal(cstate);
3874 
3875  /*
3876  * Now check for a U frame with the appropriate type.
3877  */
3878  b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3879  gen_and(b0, b1);
3880  return b1;
3881 }
3882 
3883 /*
3884  * Generate code to match a particular packet type, for link-layer types
3885  * using 802.2 LLC headers.
3886  *
3887  * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3888  * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3889  *
3890  * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3891  * value, if <= ETHERMTU. We use that to determine whether to
3892  * match the DSAP or both DSAP and LSAP or to check the OUI and
3893  * protocol ID in a SNAP header.
3894  */
3895 static struct block *
3897 {
3898  /*
3899  * XXX - handle token-ring variable-length header.
3900  */
3901  switch (ll_proto) {
3902 
3903  case LLCSAP_IP:
3904  case LLCSAP_ISONS:
3905  case LLCSAP_NETBEUI:
3906  /*
3907  * XXX - should we check both the DSAP and the
3908  * SSAP, like this, or should we check just the
3909  * DSAP, as we do for other SAP values?
3910  */
3911  return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3912  ((ll_proto << 8) | ll_proto));
3913 
3914  case LLCSAP_IPX:
3915  /*
3916  * XXX - are there ever SNAP frames for IPX on
3917  * non-Ethernet 802.x networks?
3918  */
3919  return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
3920 
3921  case ETHERTYPE_ATALK:
3922  /*
3923  * 802.2-encapsulated ETHERTYPE_ATALK packets are
3924  * SNAP packets with an organization code of
3925  * 0x080007 (Apple, for Appletalk) and a protocol
3926  * type of ETHERTYPE_ATALK (Appletalk).
3927  *
3928  * XXX - check for an organization code of
3929  * encapsulated Ethernet as well?
3930  */
3931  return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3932 
3933  default:
3934  /*
3935  * XXX - we don't have to check for IPX 802.3
3936  * here, but should we check for the IPX Ethertype?
3937  */
3938  if (ll_proto <= ETHERMTU) {
3939  /*
3940  * This is an LLC SAP value, so check
3941  * the DSAP.
3942  */
3943  return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto);
3944  } else {
3945  /*
3946  * This is an Ethernet type; we assume that it's
3947  * unlikely that it'll appear in the right place
3948  * at random, and therefore check only the
3949  * location that would hold the Ethernet type
3950  * in a SNAP frame with an organization code of
3951  * 0x000000 (encapsulated Ethernet).
3952  *
3953  * XXX - if we were to check for the SNAP DSAP and
3954  * LSAP, as per XXX, and were also to check for an
3955  * organization code of 0x000000 (encapsulated
3956  * Ethernet), we'd do
3957  *
3958  * return gen_snap(cstate, 0x000000, ll_proto);
3959  *
3960  * here; for now, we don't, as per the above.
3961  * I don't know whether it's worth the extra CPU
3962  * time to do the right check or not.
3963  */
3964  return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto);
3965  }
3966  }
3967 }
3968 
3969 static struct block *
3971  int dir, bpf_u_int32 ll_proto, u_int src_off, u_int dst_off)
3972 {
3973  struct block *b0, *b1;
3974  u_int offset;
3975 
3976  switch (dir) {
3977 
3978  case Q_SRC:
3979  offset = src_off;
3980  break;
3981 
3982  case Q_DST:
3983  offset = dst_off;
3984  break;
3985 
3986  case Q_AND:
3987  b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
3988  b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
3989  gen_and(b0, b1);
3990  return b1;
3991 
3992  case Q_DEFAULT:
3993  case Q_OR:
3994  b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
3995  b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
3996  gen_or(b0, b1);
3997  return b1;
3998 
3999  case Q_ADDR1:
4000  bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4001  /*NOTREACHED*/
4002 
4003  case Q_ADDR2:
4004  bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4005  /*NOTREACHED*/
4006 
4007  case Q_ADDR3:
4008  bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4009  /*NOTREACHED*/
4010 
4011  case Q_ADDR4:
4012  bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4013  /*NOTREACHED*/
4014 
4015  case Q_RA:
4016  bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4017  /*NOTREACHED*/
4018 
4019  case Q_TA:
4020  bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4021  /*NOTREACHED*/
4022 
4023  default:
4024  abort();
4025  /*NOTREACHED*/
4026  }
4027  b0 = gen_linktype(cstate, ll_proto);
4028  b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask);
4029  gen_and(b0, b1);
4030  return b1;
4031 }
4032 
4033 #ifdef INET6
4034 static struct block *
4035 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4036  struct in6_addr *mask, int dir, bpf_u_int32 ll_proto, u_int src_off,
4037  u_int dst_off)
4038 {
4039  struct block *b0, *b1;
4040  u_int offset;
4041  uint32_t *a, *m;
4042 
4043  switch (dir) {
4044 
4045  case Q_SRC:
4046  offset = src_off;
4047  break;
4048 
4049  case Q_DST:
4050  offset = dst_off;
4051  break;
4052 
4053  case Q_AND:
4054  b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4055  b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4056  gen_and(b0, b1);
4057  return b1;
4058 
4059  case Q_DEFAULT:
4060  case Q_OR:
4061  b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4062  b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4063  gen_or(b0, b1);
4064  return b1;
4065 
4066  case Q_ADDR1:
4067  bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4068  /*NOTREACHED*/
4069 
4070  case Q_ADDR2:
4071  bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4072  /*NOTREACHED*/
4073 
4074  case Q_ADDR3:
4075  bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4076  /*NOTREACHED*/
4077 
4078  case Q_ADDR4:
4079  bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4080  /*NOTREACHED*/
4081 
4082  case Q_RA:
4083  bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4084  /*NOTREACHED*/
4085 
4086  case Q_TA:
4087  bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4088  /*NOTREACHED*/
4089 
4090  default:
4091  abort();
4092  /*NOTREACHED*/
4093  }
4094  /* this order is important */
4095  a = (uint32_t *)addr;
4096  m = (uint32_t *)mask;
4097  b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4098  b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4099  gen_and(b0, b1);
4100  b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4101  gen_and(b0, b1);
4102  b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4103  gen_and(b0, b1);
4104  b0 = gen_linktype(cstate, ll_proto);
4105  gen_and(b0, b1);
4106  return b1;
4107 }
4108 #endif
4109 
4110 static struct block *
4111 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4112 {
4113  register struct block *b0, *b1;
4114 
4115  switch (dir) {
4116  case Q_SRC:
4117  return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4118 
4119  case Q_DST:
4120  return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4121 
4122  case Q_AND:
4123  b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4124  b1 = gen_ehostop(cstate, eaddr, Q_DST);
4125  gen_and(b0, b1);
4126  return b1;
4127 
4128  case Q_DEFAULT:
4129  case Q_OR:
4130  b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4131  b1 = gen_ehostop(cstate, eaddr, Q_DST);
4132  gen_or(b0, b1);
4133  return b1;
4134 
4135  case Q_ADDR1:
4136  bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4137  /*NOTREACHED*/
4138 
4139  case Q_ADDR2:
4140  bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4141  /*NOTREACHED*/
4142 
4143  case Q_ADDR3:
4144  bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4145  /*NOTREACHED*/
4146 
4147  case Q_ADDR4:
4148  bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4149  /*NOTREACHED*/
4150 
4151  case Q_RA:
4152  bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4153  /*NOTREACHED*/
4154 
4155  case Q_TA:
4156  bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4157  /*NOTREACHED*/
4158  }
4159  abort();
4160  /*NOTREACHED*/
4161 }
4162 
4163 /*
4164  * Like gen_ehostop, but for DLT_FDDI
4165  */
4166 static struct block *
4167 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4168 {
4169  struct block *b0, *b1;
4170 
4171  switch (dir) {
4172  case Q_SRC:
4173  return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4174 
4175  case Q_DST:
4176  return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4177 
4178  case Q_AND:
4179  b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4180  b1 = gen_fhostop(cstate, eaddr, Q_DST);
4181  gen_and(b0, b1);
4182  return b1;
4183 
4184  case Q_DEFAULT:
4185  case Q_OR:
4186  b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4187  b1 = gen_fhostop(cstate, eaddr, Q_DST);
4188  gen_or(b0, b1);
4189  return b1;
4190 
4191  case Q_ADDR1:
4192  bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4193  /*NOTREACHED*/
4194 
4195  case Q_ADDR2:
4196  bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4197  /*NOTREACHED*/
4198 
4199  case Q_ADDR3:
4200  bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4201  /*NOTREACHED*/
4202 
4203  case Q_ADDR4:
4204  bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4205  /*NOTREACHED*/
4206 
4207  case Q_RA:
4208  bpf_error(cstate, "'ra' is only supported on 802.11");
4209  /*NOTREACHED*/
4210 
4211  case Q_TA:
4212  bpf_error(cstate, "'ta' is only supported on 802.11");
4213  /*NOTREACHED*/
4214  }
4215  abort();
4216  /*NOTREACHED*/
4217 }
4218 
4219 /*
4220  * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4221  */
4222 static struct block *
4223 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4224 {
4225  register struct block *b0, *b1;
4226 
4227  switch (dir) {
4228  case Q_SRC:
4229  return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4230 
4231  case Q_DST:
4232  return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4233 
4234  case Q_AND:
4235  b0 = gen_thostop(cstate, eaddr, Q_SRC);
4236  b1 = gen_thostop(cstate, eaddr, Q_DST);
4237  gen_and(b0, b1);
4238  return b1;
4239 
4240  case Q_DEFAULT:
4241  case Q_OR:
4242  b0 = gen_thostop(cstate, eaddr, Q_SRC);
4243  b1 = gen_thostop(cstate, eaddr, Q_DST);
4244  gen_or(b0, b1);
4245  return b1;
4246 
4247  case Q_ADDR1:
4248  bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4249  /*NOTREACHED*/
4250 
4251  case Q_ADDR2:
4252  bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4253  /*NOTREACHED*/
4254 
4255  case Q_ADDR3:
4256  bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4257  /*NOTREACHED*/
4258 
4259  case Q_ADDR4:
4260  bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4261  /*NOTREACHED*/
4262 
4263  case Q_RA:
4264  bpf_error(cstate, "'ra' is only supported on 802.11");
4265  /*NOTREACHED*/
4266 
4267  case Q_TA:
4268  bpf_error(cstate, "'ta' is only supported on 802.11");
4269  /*NOTREACHED*/
4270  }
4271  abort();
4272  /*NOTREACHED*/
4273 }
4274 
4275 /*
4276  * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4277  * various 802.11 + radio headers.
4278  */
4279 static struct block *
4280 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4281 {
4282  register struct block *b0, *b1, *b2;
4283  register struct slist *s;
4284 
4285 #ifdef ENABLE_WLAN_FILTERING_PATCH
4286  /*
4287  * TODO GV 20070613
4288  * We need to disable the optimizer because the optimizer is buggy
4289  * and wipes out some LD instructions generated by the below
4290  * code to validate the Frame Control bits
4291  */
4292  cstate->no_optimize = 1;
4293 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4294 
4295  switch (dir) {
4296  case Q_SRC:
4297  /*
4298  * Oh, yuk.
4299  *
4300  * For control frames, there is no SA.
4301  *
4302  * For management frames, SA is at an
4303  * offset of 10 from the beginning of
4304  * the packet.
4305  *
4306  * For data frames, SA is at an offset
4307  * of 10 from the beginning of the packet
4308  * if From DS is clear, at an offset of
4309  * 16 from the beginning of the packet
4310  * if From DS is set and To DS is clear,
4311  * and an offset of 24 from the beginning
4312  * of the packet if From DS is set and To DS
4313  * is set.
4314  */
4315 
4316  /*
4317  * Generate the tests to be done for data frames
4318  * with From DS set.
4319  *
4320  * First, check for To DS set, i.e. check "link[1] & 0x01".
4321  */
4322  s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4323  b1 = new_block(cstate, JMP(BPF_JSET));
4324  b1->s.k = 0x01; /* To DS */
4325  b1->stmts = s;
4326 
4327  /*
4328  * If To DS is set, the SA is at 24.
4329  */
4330  b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4331  gen_and(b1, b0);
4332 
4333  /*
4334  * Now, check for To DS not set, i.e. check
4335  * "!(link[1] & 0x01)".
4336  */
4337  s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4338  b2 = new_block(cstate, JMP(BPF_JSET));
4339  b2->s.k = 0x01; /* To DS */
4340  b2->stmts = s;
4341  gen_not(b2);
4342 
4343  /*
4344  * If To DS is not set, the SA is at 16.
4345  */
4346  b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4347  gen_and(b2, b1);
4348 
4349  /*
4350  * Now OR together the last two checks. That gives
4351  * the complete set of checks for data frames with
4352  * From DS set.
4353  */
4354  gen_or(b1, b0);
4355 
4356  /*
4357  * Now check for From DS being set, and AND that with
4358  * the ORed-together checks.
4359  */
4360  s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4361  b1 = new_block(cstate, JMP(BPF_JSET));
4362  b1->s.k = 0x02; /* From DS */
4363  b1->stmts = s;
4364  gen_and(b1, b0);
4365 
4366  /*
4367  * Now check for data frames with From DS not set.
4368  */
4369  s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4370  b2 = new_block(cstate, JMP(BPF_JSET));
4371  b2->s.k = 0x02; /* From DS */
4372  b2->stmts = s;
4373  gen_not(b2);
4374 
4375  /*
4376  * If From DS isn't set, the SA is at 10.
4377  */
4378  b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4379  gen_and(b2, b1);
4380 
4381  /*
4382  * Now OR together the checks for data frames with
4383  * From DS not set and for data frames with From DS
4384  * set; that gives the checks done for data frames.
4385  */
4386  gen_or(b1, b0);
4387 
4388  /*
4389  * Now check for a data frame.
4390  * I.e, check "link[0] & 0x08".
4391  */
4392  s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4393  b1 = new_block(cstate, JMP(BPF_JSET));
4394  b1->s.k = 0x08;
4395  b1->stmts = s;
4396 
4397  /*
4398  * AND that with the checks done for data frames.
4399  */
4400  gen_and(b1, b0);
4401 
4402  /*
4403  * If the high-order bit of the type value is 0, this
4404  * is a management frame.
4405  * I.e, check "!(link[0] & 0x08)".
4406  */
4407  s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4408  b2 = new_block(cstate, JMP(BPF_JSET));
4409  b2->s.k = 0x08;
4410  b2->stmts = s;
4411  gen_not(b2);
4412 
4413  /*
4414  * For management frames, the SA is at 10.
4415  */
4416  b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4417  gen_and(b2, b1);
4418 
4419  /*
4420  * OR that with the checks done for data frames.
4421  * That gives the checks done for management and
4422  * data frames.
4423  */
4424  gen_or(b1, b0);
4425 
4426  /*
4427  * If the low-order bit of the type value is 1,
4428  * this is either a control frame or a frame
4429  * with a reserved type, and thus not a
4430  * frame with an SA.
4431  *
4432  * I.e., check "!(link[0] & 0x04)".
4433  */
4434  s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4435  b1 = new_block(cstate, JMP(BPF_JSET));
4436  b1->s.k = 0x04;
4437  b1->stmts = s;
4438  gen_not(b1);
4439 
4440  /*
4441  * AND that with the checks for data and management
4442  * frames.
4443  */
4444  gen_and(b1, b0);
4445  return b0;
4446 
4447  case Q_DST:
4448  /*
4449  * Oh, yuk.
4450  *
4451  * For control frames, there is no DA.
4452  *
4453  * For management frames, DA is at an
4454  * offset of 4 from the beginning of
4455  * the packet.
4456  *
4457  * For data frames, DA is at an offset
4458  * of 4 from the beginning of the packet
4459  * if To DS is clear and at an offset of
4460  * 16 from the beginning of the packet
4461  * if To DS is set.
4462  */
4463 
4464  /*
4465  * Generate the tests to be done for data frames.
4466  *
4467  * First, check for To DS set, i.e. "link[1] & 0x01".
4468  */
4469  s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4470  b1 = new_block(cstate, JMP(BPF_JSET));
4471  b1->s.k = 0x01; /* To DS */
4472  b1->stmts = s;
4473 
4474  /*
4475  * If To DS is set, the DA is at 16.
4476  */
4477  b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4478  gen_and(b1, b0);
4479 
4480  /*
4481  * Now, check for To DS not set, i.e. check
4482  * "!(link[1] & 0x01)".
4483  */
4484  s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4485  b2 = new_block(cstate, JMP(BPF_JSET));
4486  b2->s.k = 0x01; /* To DS */
4487  b2->stmts = s;
4488  gen_not(b2);
4489 
4490  /*
4491  * If To DS is not set, the DA is at 4.
4492  */
4493  b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4494  gen_and(b2, b1);
4495 
4496  /*
4497  * Now OR together the last two checks. That gives
4498  * the complete set of checks for data frames.
4499  */
4500  gen_or(b1, b0);
4501 
4502  /*
4503  * Now check for a data frame.
4504  * I.e, check "link[0] & 0x08".
4505  */
4506  s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4507  b1 = new_block(cstate, JMP(BPF_JSET));
4508  b1->s.k = 0x08;
4509  b1->stmts = s;
4510 
4511  /*
4512  * AND that with the checks done for data frames.
4513  */
4514  gen_and(b1, b0);
4515 
4516  /*
4517  * If the high-order bit of the type value is 0, this
4518  * is a management frame.
4519  * I.e, check "!(link[0] & 0x08)".
4520  */
4521  s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4522  b2 = new_block(cstate, JMP(BPF_JSET));
4523  b2->s.k = 0x08;
4524  b2->stmts = s;
4525  gen_not(b2);
4526 
4527  /*
4528  * For management frames, the DA is at 4.
4529  */
4530  b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4531  gen_and(b2, b1);
4532 
4533  /*
4534  * OR that with the checks done for data frames.
4535  * That gives the checks done for management and
4536  * data frames.
4537  */
4538  gen_or(b1, b0);
4539 
4540  /*
4541  * If the low-order bit of the type value is 1,
4542  * this is either a control frame or a frame
4543  * with a reserved type, and thus not a
4544  * frame with an SA.
4545  *
4546  * I.e., check "!(link[0] & 0x04)".
4547  */
4548  s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4549  b1 = new_block(cstate, JMP(BPF_JSET));
4550  b1->s.k = 0x04;
4551  b1->stmts = s;
4552  gen_not(b1);
4553 
4554  /*
4555  * AND that with the checks for data and management
4556  * frames.
4557  */
4558  gen_and(b1, b0);
4559  return b0;
4560 
4561  case Q_AND:
4562  b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4563  b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4564  gen_and(b0, b1);
4565  return b1;
4566 
4567  case Q_DEFAULT:
4568  case Q_OR:
4569  b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4570  b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4571  gen_or(b0, b1);
4572  return b1;
4573 
4574  /*
4575  * XXX - add BSSID keyword?
4576  */
4577  case Q_ADDR1:
4578  return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4579 
4580  case Q_ADDR2:
4581  /*
4582  * Not present in CTS or ACK control frames.
4583  */
4584  b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4586  gen_not(b0);
4589  gen_not(b1);
4592  gen_not(b2);
4593  gen_and(b1, b2);
4594  gen_or(b0, b2);
4595  b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4596  gen_and(b2, b1);
4597  return b1;
4598 
4599  case Q_ADDR3:
4600  /*
4601  * Not present in control frames.
4602  */
4603  b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4605  gen_not(b0);
4606  b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4607  gen_and(b0, b1);
4608  return b1;
4609 
4610  case Q_ADDR4:
4611  /*
4612  * Present only if the direction mask has both "From DS"
4613  * and "To DS" set. Neither control frames nor management
4614  * frames should have both of those set, so we don't
4615  * check the frame type.
4616  */
4617  b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4619  b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4620  gen_and(b0, b1);
4621  return b1;
4622 
4623  case Q_RA:
4624  /*
4625  * Not present in management frames; addr1 in other
4626  * frames.
4627  */
4628 
4629  /*
4630  * If the high-order bit of the type value is 0, this
4631  * is a management frame.
4632  * I.e, check "(link[0] & 0x08)".
4633  */
4634  s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4635  b1 = new_block(cstate, JMP(BPF_JSET));
4636  b1->s.k = 0x08;
4637  b1->stmts = s;
4638 
4639  /*
4640  * Check addr1.
4641  */
4642  b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4643 
4644  /*
4645  * AND that with the check of addr1.
4646  */
4647  gen_and(b1, b0);
4648  return (b0);
4649 
4650  case Q_TA:
4651  /*
4652  * Not present in management frames; addr2, if present,
4653  * in other frames.
4654  */
4655 
4656  /*
4657  * Not present in CTS or ACK control frames.
4658  */
4659  b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4661  gen_not(b0);
4664  gen_not(b1);
4667  gen_not(b2);
4668  gen_and(b1, b2);
4669  gen_or(b0, b2);
4670 
4671  /*
4672  * If the high-order bit of the type value is 0, this
4673  * is a management frame.
4674  * I.e, check "(link[0] & 0x08)".
4675  */
4676  s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4677  b1 = new_block(cstate, JMP(BPF_JSET));
4678  b1->s.k = 0x08;
4679  b1->stmts = s;
4680 
4681  /*
4682  * AND that with the check for frames other than
4683  * CTS and ACK frames.
4684  */
4685  gen_and(b1, b2);
4686 
4687  /*
4688  * Check addr2.
4689  */
4690  b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4691  gen_and(b2, b1);
4692  return b1;
4693  }
4694  abort();
4695  /*NOTREACHED*/
4696 }
4697 
4698 /*
4699  * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4700  * (We assume that the addresses are IEEE 48-bit MAC addresses,
4701  * as the RFC states.)
4702  */
4703 static struct block *
4704 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4705 {
4706  register struct block *b0, *b1;
4707 
4708  switch (dir) {
4709  case Q_SRC:
4710  return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4711 
4712  case Q_DST:
4713  return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4714 
4715  case Q_AND:
4716  b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4717  b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4718  gen_and(b0, b1);
4719  return b1;
4720 
4721  case Q_DEFAULT:
4722  case Q_OR:
4723  b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4724  b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4725  gen_or(b0, b1);
4726  return b1;
4727 
4728  case Q_ADDR1:
4729  bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4730  /*NOTREACHED*/
4731 
4732  case Q_ADDR2:
4733  bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4734  /*NOTREACHED*/
4735 
4736  case Q_ADDR3:
4737  bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4738  /*NOTREACHED*/
4739 
4740  case Q_ADDR4:
4741  bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4742  /*NOTREACHED*/
4743 
4744  case Q_RA:
4745  bpf_error(cstate, "'ra' is only supported on 802.11");
4746  /*NOTREACHED*/
4747 
4748  case Q_TA:
4749  bpf_error(cstate, "'ta' is only supported on 802.11");
4750  /*NOTREACHED*/
4751  }
4752  abort();
4753  /*NOTREACHED*/
4754 }
4755 
4756 /*
4757  * This is quite tricky because there may be pad bytes in front of the
4758  * DECNET header, and then there are two possible data packet formats that
4759  * carry both src and dst addresses, plus 5 packet types in a format that
4760  * carries only the src node, plus 2 types that use a different format and
4761  * also carry just the src node.
4762  *
4763  * Yuck.
4764  *
4765  * Instead of doing those all right, we just look for data packets with
4766  * 0 or 1 bytes of padding. If you want to look at other packets, that
4767  * will require a lot more hacking.
4768  *
4769  * To add support for filtering on DECNET "areas" (network numbers)
4770  * one would want to add a "mask" argument to this routine. That would
4771  * make the filter even more inefficient, although one could be clever
4772  * and not generate masking instructions if the mask is 0xFFFF.
4773  */
4774 static struct block *
4776 {
4777  struct block *b0, *b1, *b2, *tmp;
4778  u_int offset_lh; /* offset if long header is received */
4779  u_int offset_sh; /* offset if short header is received */
4780 
4781  switch (dir) {
4782 
4783  case Q_DST:
4784  offset_sh = 1; /* follows flags */
4785  offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4786  break;
4787 
4788  case Q_SRC:
4789  offset_sh = 3; /* follows flags, dstnode */
4790  offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4791  break;
4792 
4793  case Q_AND:
4794  /* Inefficient because we do our Calvinball dance twice */
4795  b0 = gen_dnhostop(cstate, addr, Q_SRC);
4796  b1 = gen_dnhostop(cstate, addr, Q_DST);
4797  gen_and(b0, b1);
4798  return b1;
4799 
4800  case Q_DEFAULT:
4801  case Q_OR:
4802  /* Inefficient because we do our Calvinball dance twice */
4803  b0 = gen_dnhostop(cstate, addr, Q_SRC);
4804  b1 = gen_dnhostop(cstate, addr, Q_DST);
4805  gen_or(b0, b1);
4806  return b1;
4807 
4808  case Q_ADDR1:
4809  bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4810  /*NOTREACHED*/
4811 
4812  case Q_ADDR2:
4813  bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4814  /*NOTREACHED*/
4815 
4816  case Q_ADDR3:
4817  bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4818  /*NOTREACHED*/
4819 
4820  case Q_ADDR4:
4821  bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4822  /*NOTREACHED*/
4823 
4824  case Q_RA:
4825  bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4826  /*NOTREACHED*/
4827 
4828  case Q_TA:
4829  bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4830  /*NOTREACHED*/
4831 
4832  default:
4833  abort();
4834  /*NOTREACHED*/
4835  }
4836  b0 = gen_linktype(cstate, ETHERTYPE_DN);
4837  /* Check for pad = 1, long header case */
4838  tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4839  (bpf_u_int32)ntohs(0x0681), (bpf_u_int32)ntohs(0x07FF));
4840  b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4841  BPF_H, (bpf_u_int32)ntohs((u_short)addr));
4842  gen_and(tmp, b1);
4843  /* Check for pad = 0, long header case */
4844  tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x06,
4845  (bpf_u_int32)0x7);
4846  b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H,
4847  (bpf_u_int32)ntohs((u_short)addr));
4848  gen_and(tmp, b2);
4849  gen_or(b2, b1);
4850  /* Check for pad = 1, short header case */
4851  tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4852  (bpf_u_int32)ntohs(0x0281), (bpf_u_int32)ntohs(0x07FF));
4853  b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H,
4854  (bpf_u_int32)ntohs((u_short)addr));
4855  gen_and(tmp, b2);
4856  gen_or(b2, b1);
4857  /* Check for pad = 0, short header case */
4858  tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x02,
4859  (bpf_u_int32)0x7);
4860  b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H,
4861  (bpf_u_int32)ntohs((u_short)addr));
4862  gen_and(tmp, b2);
4863  gen_or(b2, b1);
4864 
4865  /* Combine with test for cstate->linktype */
4866  gen_and(b0, b1);
4867  return b1;
4868 }
4869 
4870 /*
4871  * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4872  * test the bottom-of-stack bit, and then check the version number
4873  * field in the IP header.
4874  */
4875 static struct block *
4877 {
4878  struct block *b0, *b1;
4879 
4880  switch (ll_proto) {
4881 
4882  case ETHERTYPE_IP:
4883  /* match the bottom-of-stack bit */
4884  b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4885  /* match the IPv4 version number */
4886  b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4887  gen_and(b0, b1);
4888  return b1;
4889 
4890  case ETHERTYPE_IPV6:
4891  /* match the bottom-of-stack bit */
4892  b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4893  /* match the IPv4 version number */
4894  b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4895  gen_and(b0, b1);
4896  return b1;
4897 
4898  default:
4899  /* FIXME add other L3 proto IDs */
4900  bpf_error(cstate, "unsupported protocol over mpls");
4901  /*NOTREACHED*/
4902  }
4903 }
4904 
4905 static struct block *
4907  int proto, int dir, int type)
4908 {
4909  struct block *b0, *b1;
4910  const char *typestr;
4911 
4912  if (type == Q_NET)
4913  typestr = "net";
4914  else
4915  typestr = "host";
4916 
4917  switch (proto) {
4918 
4919  case Q_DEFAULT:
4920  b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4921  /*
4922  * Only check for non-IPv4 addresses if we're not
4923  * checking MPLS-encapsulated packets.
4924  */
4925  if (cstate->label_stack_depth == 0) {
4926  b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4927  gen_or(b0, b1);
4928  b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4929  gen_or(b1, b0);
4930  }
4931  return b0;
4932 
4933  case Q_LINK:
4934  bpf_error(cstate, "link-layer modifier applied to %s", typestr);
4935 
4936  case Q_IP:
4937  return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4938 
4939  case Q_RARP:
4940  return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4941 
4942  case Q_ARP:
4943  return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4944 
4945  case Q_SCTP:
4946  bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4947 
4948  case Q_TCP:
4949  bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4950 
4951  case Q_UDP:
4952  bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4953 
4954  case Q_ICMP:
4955  bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4956 
4957  case Q_IGMP:
4958  bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4959 
4960  case Q_IGRP:
4961  bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4962 
4963  case Q_ATALK:
4964  bpf_error(cstate, "AppleTalk host filtering not implemented");
4965 
4966  case Q_DECNET:
4967  return gen_dnhostop(cstate, addr, dir);
4968 
4969  case Q_LAT:
4970  bpf_error(cstate, "LAT host filtering not implemented");
4971 
4972  case Q_SCA:
4973  bpf_error(cstate, "SCA host filtering not implemented");
4974 
4975  case Q_MOPRC:
4976  bpf_error(cstate, "MOPRC host filtering not implemented");
4977 
4978  case Q_MOPDL:
4979  bpf_error(cstate, "MOPDL host filtering not implemented");
4980 
4981  case Q_IPV6:
4982  bpf_error(cstate, "'ip6' modifier applied to ip host");
4983 
4984  case Q_ICMPV6:
4985  bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4986 
4987  case Q_AH:
4988  bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4989 
4990  case Q_ESP:
4991  bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4992 
4993  case Q_PIM:
4994  bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4995 
4996  case Q_VRRP:
4997  bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4998 
4999  case Q_AARP:
5000  bpf_error(cstate, "AARP host filtering not implemented");
5001 
5002  case Q_ISO:
5003  bpf_error(cstate, "ISO host filtering not implemented");
5004 
5005  case Q_ESIS:
5006  bpf_error(cstate, "'esis' modifier applied to %s", typestr);
5007 
5008  case Q_ISIS:
5009  bpf_error(cstate, "'isis' modifier applied to %s", typestr);
5010 
5011  case Q_CLNP:
5012  bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
5013 
5014  case Q_STP:
5015  bpf_error(cstate, "'stp' modifier applied to %s", typestr);
5016 
5017  case Q_IPX:
5018  bpf_error(cstate, "IPX host filtering not implemented");
5019 
5020  case Q_NETBEUI:
5021  bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
5022 
5023  case Q_ISIS_L1:
5024  bpf_error(cstate, "'l1' modifier applied to %s", typestr);
5025 
5026  case Q_ISIS_L2:
5027  bpf_error(cstate, "'l2' modifier applied to %s", typestr);
5028 
5029  case Q_ISIS_IIH:
5030  bpf_error(cstate, "'iih' modifier applied to %s", typestr);
5031 
5032  case Q_ISIS_SNP:
5033  bpf_error(cstate, "'snp' modifier applied to %s", typestr);
5034 
5035  case Q_ISIS_CSNP:
5036  bpf_error(cstate, "'csnp' modifier applied to %s", typestr);
5037 
5038  case Q_ISIS_PSNP:
5039  bpf_error(cstate, "'psnp' modifier applied to %s", typestr);
5040 
5041  case Q_ISIS_LSP:
5042  bpf_error(cstate, "'lsp' modifier applied to %s", typestr);
5043 
5044  case Q_RADIO:
5045  bpf_error(cstate, "'radio' modifier applied to %s", typestr);
5046 
5047  case Q_CARP:
5048  bpf_error(cstate, "'carp' modifier applied to %s", typestr);
5049 
5050  default:
5051  abort();
5052  }
5053  /*NOTREACHED*/
5054 }
5055 
5056 #ifdef INET6
5057 static struct block *
5058 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5059  struct in6_addr *mask, int proto, int dir, int type)
5060 {
5061  const char *typestr;
5062 
5063  if (type == Q_NET)
5064  typestr = "net";
5065  else
5066  typestr = "host";
5067 
5068  switch (proto) {
5069 
5070  case Q_DEFAULT:
5071  return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
5072 
5073  case Q_LINK:
5074  bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
5075 
5076  case Q_IP:
5077  bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
5078 
5079  case Q_RARP:
5080  bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
5081 
5082  case Q_ARP:
5083  bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
5084 
5085  case Q_SCTP:
5086  bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr);
5087 
5088  case Q_TCP:
5089  bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr);
5090 
5091  case Q_UDP:
5092  bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr);
5093 
5094  case Q_ICMP:
5095  bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr);
5096 
5097  case Q_IGMP:
5098  bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr);
5099 
5100  case Q_IGRP:
5101  bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr);
5102 
5103  case Q_ATALK:
5104  bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr);
5105 
5106  case Q_DECNET:
5107  bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
5108 
5109  case Q_LAT:
5110  bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr);
5111 
5112  case Q_SCA:
5113  bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr);
5114 
5115  case Q_MOPRC:
5116  bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr);
5117 
5118  case Q_MOPDL:
5119  bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr);
5120 
5121  case Q_IPV6:
5122  return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
5123 
5124  case Q_ICMPV6:
5125  bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr);
5126 
5127  case Q_AH:
5128  bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr);
5129 
5130  case Q_ESP:
5131  bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr);
5132 
5133  case Q_PIM:
5134  bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr);
5135 
5136  case Q_VRRP:
5137  bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr);
5138 
5139  case Q_AARP:
5140  bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr);
5141 
5142  case Q_ISO:
5143  bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr);
5144 
5145  case Q_ESIS:
5146  bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr);
5147 
5148  case Q_ISIS:
5149  bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr);
5150 
5151  case Q_CLNP:
5152  bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr);
5153 
5154  case Q_STP:
5155  bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr);
5156 
5157  case Q_IPX:
5158  bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr);
5159 
5160  case Q_NETBEUI:
5161  bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr);
5162 
5163  case Q_ISIS_L1:
5164  bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr);
5165 
5166  case Q_ISIS_L2:
5167  bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr);
5168 
5169  case Q_ISIS_IIH:
5170  bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr);
5171 
5172  case Q_ISIS_SNP:
5173  bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr);
5174 
5175  case Q_ISIS_CSNP:
5176  bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr);
5177 
5178  case Q_ISIS_PSNP:
5179  bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr);
5180 
5181  case Q_ISIS_LSP:
5182  bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr);
5183 
5184  case Q_RADIO:
5185  bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr);
5186 
5187  case Q_CARP:
5188  bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr);
5189 
5190  default:
5191  abort();
5192  }
5193  /*NOTREACHED*/
5194 }
5195 #endif
5196 
5197 #ifndef INET6
5198 static struct block *
5199 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5200  struct addrinfo *alist, int proto, int dir)
5201 {
5202  struct block *b0, *b1, *tmp;
5203  struct addrinfo *ai;
5204  struct sockaddr_in *sin;
5205 
5206  if (dir != 0)
5207  bpf_error(cstate, "direction applied to 'gateway'");
5208 
5209  switch (proto) {
5210  case Q_DEFAULT:
5211  case Q_IP:
5212  case Q_ARP:
5213  case Q_RARP:
5214  switch (cstate->linktype) {
5215  case DLT_EN10MB:
5216  case DLT_NETANALYZER:
5218  b1 = gen_prevlinkhdr_check(cstate);
5219  b0 = gen_ehostop(cstate, eaddr, Q_OR);
5220  if (b1 != NULL)
5221  gen_and(b1, b0);
5222  break;
5223  case DLT_FDDI:
5224  b0 = gen_fhostop(cstate, eaddr, Q_OR);
5225  break;
5226  case DLT_IEEE802:
5227  b0 = gen_thostop(cstate, eaddr, Q_OR);
5228  break;
5229  case DLT_IEEE802_11:
5230  case DLT_PRISM_HEADER:
5232  case DLT_IEEE802_11_RADIO:
5233  case DLT_PPI:
5234  b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5235  break;
5236  case DLT_SUNATM:
5237  /*
5238  * This is LLC-multiplexed traffic; if it were
5239  * LANE, cstate->linktype would have been set to
5240  * DLT_EN10MB.
5241  */
5242  bpf_error(cstate,
5243  "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5244  break;
5245  case DLT_IP_OVER_FC:
5246  b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5247  break;
5248  default:
5249  bpf_error(cstate,
5250  "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5251  }
5252  b1 = NULL;
5253  for (ai = alist; ai != NULL; ai = ai->ai_next) {
5254  /*
5255  * Does it have an address?
5256  */
5257  if (ai->ai_addr != NULL) {
5258  /*
5259  * Yes. Is it an IPv4 address?
5260  */
5261  if (ai->ai_addr->sa_family == AF_INET) {
5262  /*
5263  * Generate an entry for it.
5264  */
5265  sin = (struct sockaddr_in *)ai->ai_addr;
5266  tmp = gen_host(cstate,
5267  ntohl(sin->sin_addr.s_addr),
5268  0xffffffff, proto, Q_OR, Q_HOST);
5269  /*
5270  * Is it the *first* IPv4 address?
5271  */
5272  if (b1 == NULL) {
5273  /*
5274  * Yes, so start with it.
5275  */
5276  b1 = tmp;
5277  } else {
5278  /*
5279  * No, so OR it into the
5280  * existing set of
5281  * addresses.
5282  */
5283  gen_or(b1, tmp);
5284  b1 = tmp;
5285  }
5286  }
5287  }
5288  }
5289  if (b1 == NULL) {
5290  /*
5291  * No IPv4 addresses found.
5292  */
5293  return (NULL);
5294  }
5295  gen_not(b1);
5296  gen_and(b0, b1);
5297  return b1;
5298  }
5299  bpf_error(cstate, "illegal modifier of 'gateway'");
5300  /*NOTREACHED*/
5301 }
5302 #endif
5303 
5304 static struct block *
5306 {
5307  struct block *b0;
5308  struct block *b1;
5309 
5310  switch (proto) {
5311 
5312  case Q_SCTP:
5313  b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT);
5314  b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
5315  gen_or(b0, b1);
5316  break;
5317 
5318  case Q_TCP:
5319  b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT);
5320  b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
5321  gen_or(b0, b1);
5322  break;
5323 
5324  case Q_UDP:
5325  b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT);
5326  b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
5327  gen_or(b0, b1);
5328  break;
5329 
5330  case Q_ICMP:
5331  b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5332  break;
5333 
5334 #ifndef IPPROTO_IGMP
5335 #define IPPROTO_IGMP 2
5336 #endif
5337 
5338  case Q_IGMP:
5339  b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5340  break;
5341 
5342 #ifndef IPPROTO_IGRP
5343 #define IPPROTO_IGRP 9
5344 #endif
5345  case Q_IGRP:
5346  b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5347  break;
5348 
5349 #ifndef IPPROTO_PIM
5350 #define IPPROTO_PIM 103
5351 #endif
5352 
5353  case Q_PIM:
5354  b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT);
5355  b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5356  gen_or(b0, b1);
5357  break;
5358 
5359 #ifndef IPPROTO_VRRP
5360 #define IPPROTO_VRRP 112
5361 #endif
5362 
5363  case Q_VRRP:
5364  b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5365  break;
5366 
5367 #ifndef IPPROTO_CARP
5368 #define IPPROTO_CARP 112
5369 #endif
5370 
5371  case Q_CARP:
5372  b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5373  break;
5374 
5375  case Q_IP:
5376  b1 = gen_linktype(cstate, ETHERTYPE_IP);
5377  break;
5378 
5379  case Q_ARP:
5380  b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5381  break;
5382 
5383  case Q_RARP:
5384  b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5385  break;
5386 
5387  case Q_LINK:
5388  bpf_error(cstate, "link layer applied in wrong context");
5389 
5390  case Q_ATALK:
5391  b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5392  break;
5393 
5394  case Q_AARP:
5395  b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5396  break;
5397 
5398  case Q_DECNET:
5399  b1 = gen_linktype(cstate, ETHERTYPE_DN);
5400  break;
5401 
5402  case Q_SCA:
5403  b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5404  break;
5405 
5406  case Q_LAT:
5407  b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5408  break;
5409 
5410  case Q_MOPDL:
5411  b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5412  break;
5413 
5414  case Q_MOPRC:
5415  b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5416  break;
5417 
5418  case Q_IPV6:
5419  b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5420  break;
5421 
5422 #ifndef IPPROTO_ICMPV6
5423 #define IPPROTO_ICMPV6 58
5424 #endif
5425  case Q_ICMPV6:
5426  b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5427  break;
5428 
5429 #ifndef IPPROTO_AH
5430 #define IPPROTO_AH 51
5431 #endif
5432  case Q_AH:
5433  b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT);
5434  b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5435  gen_or(b0, b1);
5436  break;
5437 
5438 #ifndef IPPROTO_ESP
5439 #define IPPROTO_ESP 50
5440 #endif
5441  case Q_ESP:
5442  b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT);
5443  b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5444  gen_or(b0, b1);
5445  break;
5446 
5447  case Q_ISO:
5448  b1 = gen_linktype(cstate, LLCSAP_ISONS);
5449  break;
5450 
5451  case Q_ESIS:
5452  b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5453  break;
5454 
5455  case Q_ISIS:
5456  b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5457  break;
5458 
5459  case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5460  b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5461  b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5462  gen_or(b0, b1);
5463  b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5464  gen_or(b0, b1);
5465  b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5466  gen_or(b0, b1);
5467  b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5468  gen_or(b0, b1);
5469  break;
5470 
5471  case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5472  b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5473  b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5474  gen_or(b0, b1);
5475  b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5476  gen_or(b0, b1);
5477  b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5478  gen_or(b0, b1);
5479  b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5480  gen_or(b0, b1);
5481  break;
5482 
5483  case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5484  b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5485  b1 = gen_proto(cstate, ISIS_