1/*#define CHASE_CHAIN*/
2/*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 *	The Regents of the University of California.  All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include <config.h>
25#endif
26
27#include <pcap-types.h>
28#ifdef _WIN32
29  #include <ws2tcpip.h>
30#else
31  #include <sys/socket.h>
32
33  #ifdef __NetBSD__
34    #include <sys/param.h>
35  #endif
36
37  #include <netinet/in.h>
38  #include <arpa/inet.h>
39#endif /* _WIN32 */
40
41#include <stdlib.h>
42#include <string.h>
43#include <memory.h>
44#include <setjmp.h>
45#include <stdarg.h>
46
47#ifdef MSDOS
48#include "pcap-dos.h"
49#endif
50
51#include "pcap-int.h"
52
53#include "extract.h"
54
55#include "ethertype.h"
56#include "nlpid.h"
57#include "llc.h"
58#include "gencode.h"
59#include "ieee80211.h"
60#include "atmuni31.h"
61#include "sunatmpos.h"
62#include "ppp.h"
63#include "pcap/sll.h"
64#include "pcap/ipnet.h"
65#include "arcnet.h"
66
67#include "grammar.h"
68#include "scanner.h"
69
70#if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
71#include <linux/types.h>
72#include <linux/if_packet.h>
73#include <linux/filter.h>
74#endif
75
76#ifdef HAVE_NET_PFVAR_H
77#include <sys/socket.h>
78#include <net/if.h>
79#include <net/pfvar.h>
80#include <net/if_pflog.h>
81#endif
82
83#ifndef offsetof
84#define offsetof(s, e) ((size_t)&((s *)0)->e)
85#endif
86
87#ifdef _WIN32
88  #ifdef INET6
89    #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
90/* IPv6 address */
91struct in6_addr
92  {
93    union
94      {
95	uint8_t		u6_addr8[16];
96	uint16_t	u6_addr16[8];
97	uint32_t	u6_addr32[4];
98      } in6_u;
99#define s6_addr			in6_u.u6_addr8
100#define s6_addr16		in6_u.u6_addr16
101#define s6_addr32		in6_u.u6_addr32
102#define s6_addr64		in6_u.u6_addr64
103  };
104
105typedef unsigned short	sa_family_t;
106
107#define	__SOCKADDR_COMMON(sa_prefix) \
108  sa_family_t sa_prefix##family
109
110/* Ditto, for IPv6.  */
111struct sockaddr_in6
112  {
113    __SOCKADDR_COMMON (sin6_);
114    uint16_t sin6_port;		/* Transport layer port # */
115    uint32_t sin6_flowinfo;	/* IPv6 flow information */
116    struct in6_addr sin6_addr;	/* IPv6 address */
117  };
118
119      #ifndef EAI_ADDRFAMILY
120struct addrinfo {
121	int	ai_flags;	/* AI_PASSIVE, AI_CANONNAME */
122	int	ai_family;	/* PF_xxx */
123	int	ai_socktype;	/* SOCK_xxx */
124	int	ai_protocol;	/* 0 or IPPROTO_xxx for IPv4 and IPv6 */
125	size_t	ai_addrlen;	/* length of ai_addr */
126	char	*ai_canonname;	/* canonical name for hostname */
127	struct sockaddr *ai_addr;	/* binary address */
128	struct addrinfo *ai_next;	/* next structure in linked list */
129};
130      #endif /* EAI_ADDRFAMILY */
131    #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
132  #endif /* INET6 */
133#else /* _WIN32 */
134  #include <netdb.h>	/* for "struct addrinfo" */
135#endif /* _WIN32 */
136#include <pcap/namedb.h>
137
138#include "nametoaddr.h"
139
140#define ETHERMTU	1500
141
142#ifndef ETHERTYPE_TEB
143#define ETHERTYPE_TEB 0x6558
144#endif
145
146#ifndef IPPROTO_HOPOPTS
147#define IPPROTO_HOPOPTS 0
148#endif
149#ifndef IPPROTO_ROUTING
150#define IPPROTO_ROUTING 43
151#endif
152#ifndef IPPROTO_FRAGMENT
153#define IPPROTO_FRAGMENT 44
154#endif
155#ifndef IPPROTO_DSTOPTS
156#define IPPROTO_DSTOPTS 60
157#endif
158#ifndef IPPROTO_SCTP
159#define IPPROTO_SCTP 132
160#endif
161
162#define GENEVE_PORT 6081
163
164#ifdef HAVE_OS_PROTO_H
165#include "os-proto.h"
166#endif
167
168#define JMP(c) ((c)|BPF_JMP|BPF_K)
169
170/*
171 * "Push" the current value of the link-layer header type and link-layer
172 * header offset onto a "stack", and set a new value.  (It's not a
173 * full-blown stack; we keep only the top two items.)
174 */
175#define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
176{ \
177	(cs)->prevlinktype = (cs)->linktype; \
178	(cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
179	(cs)->linktype = (new_linktype); \
180	(cs)->off_linkhdr.is_variable = (new_is_variable); \
181	(cs)->off_linkhdr.constant_part = (new_constant_part); \
182	(cs)->off_linkhdr.reg = (new_reg); \
183	(cs)->is_geneve = 0; \
184}
185
186/*
187 * Offset "not set" value.
188 */
189#define OFFSET_NOT_SET	0xffffffffU
190
191/*
192 * Absolute offsets, which are offsets from the beginning of the raw
193 * packet data, are, in the general case, the sum of a variable value
194 * and a constant value; the variable value may be absent, in which
195 * case the offset is only the constant value, and the constant value
196 * may be zero, in which case the offset is only the variable value.
197 *
198 * bpf_abs_offset is a structure containing all that information:
199 *
200 *   is_variable is 1 if there's a variable part.
201 *
202 *   constant_part is the constant part of the value, possibly zero;
203 *
204 *   if is_variable is 1, reg is the register number for a register
205 *   containing the variable value if the register has been assigned,
206 *   and -1 otherwise.
207 */
208typedef struct {
209	int	is_variable;
210	u_int	constant_part;
211	int	reg;
212} bpf_abs_offset;
213
214/*
215 * Value passed to gen_load_a() to indicate what the offset argument
216 * is relative to the beginning of.
217 */
218enum e_offrel {
219	OR_PACKET,		/* full packet data */
220	OR_LINKHDR,		/* link-layer header */
221	OR_PREVLINKHDR,		/* previous link-layer header */
222	OR_LLC,			/* 802.2 LLC header */
223	OR_PREVMPLSHDR,		/* previous MPLS header */
224	OR_LINKTYPE,		/* link-layer type */
225	OR_LINKPL,		/* link-layer payload */
226	OR_LINKPL_NOSNAP,	/* link-layer payload, with no SNAP header at the link layer */
227	OR_TRAN_IPV4,		/* transport-layer header, with IPv4 network layer */
228	OR_TRAN_IPV6		/* transport-layer header, with IPv6 network layer */
229};
230
231/*
232 * We divy out chunks of memory rather than call malloc each time so
233 * we don't have to worry about leaking memory.  It's probably
234 * not a big deal if all this memory was wasted but if this ever
235 * goes into a library that would probably not be a good idea.
236 *
237 * XXX - this *is* in a library....
238 */
239#define NCHUNKS 16
240#define CHUNK0SIZE 1024
241struct chunk {
242	size_t n_left;
243	void *m;
244};
245
246/* Code generator state */
247
248struct _compiler_state {
249	jmp_buf top_ctx;
250	pcap_t *bpf_pcap;
251
252	struct icode ic;
253
254	int snaplen;
255
256	int linktype;
257	int prevlinktype;
258	int outermostlinktype;
259
260	bpf_u_int32 netmask;
261	int no_optimize;
262
263	/* Hack for handling VLAN and MPLS stacks. */
264	u_int label_stack_depth;
265	u_int vlan_stack_depth;
266
267	/* XXX */
268	u_int pcap_fddipad;
269
270	/*
271	 * As errors are handled by a longjmp, anything allocated must
272	 * be freed in the longjmp handler, so it must be reachable
273	 * from that handler.
274	 *
275	 * One thing that's allocated is the result of pcap_nametoaddrinfo();
276	 * it must be freed with freeaddrinfo().  This variable points to
277	 * any addrinfo structure that would need to be freed.
278	 */
279	struct addrinfo *ai;
280
281	/*
282	 * Another thing that's allocated is the result of pcap_ether_aton();
283	 * it must be freed with free().  This variable points to any
284	 * address that would need to be freed.
285	 */
286	u_char *e;
287
288	/*
289	 * Various code constructs need to know the layout of the packet.
290	 * These values give the necessary offsets from the beginning
291	 * of the packet data.
292	 */
293
294	/*
295	 * Absolute offset of the beginning of the link-layer header.
296	 */
297	bpf_abs_offset off_linkhdr;
298
299	/*
300	 * If we're checking a link-layer header for a packet encapsulated
301	 * in another protocol layer, this is the equivalent information
302	 * for the previous layers' link-layer header from the beginning
303	 * of the raw packet data.
304	 */
305	bpf_abs_offset off_prevlinkhdr;
306
307	/*
308	 * This is the equivalent information for the outermost layers'
309	 * link-layer header.
310	 */
311	bpf_abs_offset off_outermostlinkhdr;
312
313	/*
314	 * Absolute offset of the beginning of the link-layer payload.
315	 */
316	bpf_abs_offset off_linkpl;
317
318	/*
319	 * "off_linktype" is the offset to information in the link-layer
320	 * header giving the packet type. This is an absolute offset
321	 * from the beginning of the packet.
322	 *
323	 * For Ethernet, it's the offset of the Ethernet type field; this
324	 * means that it must have a value that skips VLAN tags.
325	 *
326	 * For link-layer types that always use 802.2 headers, it's the
327	 * offset of the LLC header; this means that it must have a value
328	 * that skips VLAN tags.
329	 *
330	 * For PPP, it's the offset of the PPP type field.
331	 *
332	 * For Cisco HDLC, it's the offset of the CHDLC type field.
333	 *
334	 * For BSD loopback, it's the offset of the AF_ value.
335	 *
336	 * For Linux cooked sockets, it's the offset of the type field.
337	 *
338	 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
339	 * encapsulation, in which case, IP is assumed.
340	 */
341	bpf_abs_offset off_linktype;
342
343	/*
344	 * TRUE if the link layer includes an ATM pseudo-header.
345	 */
346	int is_atm;
347
348	/*
349	 * TRUE if "geneve" appeared in the filter; it causes us to
350	 * generate code that checks for a Geneve header and assume
351	 * that later filters apply to the encapsulated payload.
352	 */
353	int is_geneve;
354
355	/*
356	 * TRUE if we need variable length part of VLAN offset
357	 */
358	int is_vlan_vloffset;
359
360	/*
361	 * These are offsets for the ATM pseudo-header.
362	 */
363	u_int off_vpi;
364	u_int off_vci;
365	u_int off_proto;
366
367	/*
368	 * These are offsets for the MTP2 fields.
369	 */
370	u_int off_li;
371	u_int off_li_hsl;
372
373	/*
374	 * These are offsets for the MTP3 fields.
375	 */
376	u_int off_sio;
377	u_int off_opc;
378	u_int off_dpc;
379	u_int off_sls;
380
381	/*
382	 * This is the offset of the first byte after the ATM pseudo_header,
383	 * or -1 if there is no ATM pseudo-header.
384	 */
385	u_int off_payload;
386
387	/*
388	 * These are offsets to the beginning of the network-layer header.
389	 * They are relative to the beginning of the link-layer payload
390	 * (i.e., they don't include off_linkhdr.constant_part or
391	 * off_linkpl.constant_part).
392	 *
393	 * If the link layer never uses 802.2 LLC:
394	 *
395	 *	"off_nl" and "off_nl_nosnap" are the same.
396	 *
397	 * If the link layer always uses 802.2 LLC:
398	 *
399	 *	"off_nl" is the offset if there's a SNAP header following
400	 *	the 802.2 header;
401	 *
402	 *	"off_nl_nosnap" is the offset if there's no SNAP header.
403	 *
404	 * If the link layer is Ethernet:
405	 *
406	 *	"off_nl" is the offset if the packet is an Ethernet II packet
407	 *	(we assume no 802.3+802.2+SNAP);
408	 *
409	 *	"off_nl_nosnap" is the offset if the packet is an 802.3 packet
410	 *	with an 802.2 header following it.
411	 */
412	u_int off_nl;
413	u_int off_nl_nosnap;
414
415	/*
416	 * Here we handle simple allocation of the scratch registers.
417	 * If too many registers are alloc'd, the allocator punts.
418	 */
419	int regused[BPF_MEMWORDS];
420	int curreg;
421
422	/*
423	 * Memory chunks.
424	 */
425	struct chunk chunks[NCHUNKS];
426	int cur_chunk;
427};
428
429/*
430 * For use by routines outside this file.
431 */
432/* VARARGS */
433void
434bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
435{
436	va_list ap;
437
438	va_start(ap, fmt);
439	(void)pcap_vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
440	    fmt, ap);
441	va_end(ap);
442}
443
444/*
445 * For use *ONLY* in routines in this file.
446 */
447static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
448    PCAP_PRINTFLIKE(2, 3);
449
450/* VARARGS */
451static void PCAP_NORETURN
452bpf_error(compiler_state_t *cstate, const char *fmt, ...)
453{
454	va_list ap;
455
456	va_start(ap, fmt);
457	(void)pcap_vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
458	    fmt, ap);
459	va_end(ap);
460	longjmp(cstate->top_ctx, 1);
461	/*NOTREACHED*/
462}
463
464static int init_linktype(compiler_state_t *, pcap_t *);
465
466static void init_regs(compiler_state_t *);
467static int alloc_reg(compiler_state_t *);
468static void free_reg(compiler_state_t *, int);
469
470static void initchunks(compiler_state_t *cstate);
471static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
472static void *newchunk(compiler_state_t *cstate, size_t);
473static void freechunks(compiler_state_t *cstate);
474static inline struct block *new_block(compiler_state_t *cstate, int);
475static inline struct slist *new_stmt(compiler_state_t *cstate, int);
476static struct block *gen_retblk(compiler_state_t *cstate, int);
477static inline void syntax(compiler_state_t *cstate);
478
479static void backpatch(struct block *, struct block *);
480static void merge(struct block *, struct block *);
481static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
482    u_int, bpf_int32);
483static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
484    u_int, bpf_int32);
485static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
486    u_int, bpf_int32);
487static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
488    u_int, bpf_int32);
489static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
490    u_int, bpf_int32);
491static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
492    u_int, bpf_int32, bpf_u_int32);
493static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
494    u_int, const u_char *);
495static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32,
496    bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32);
497static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
498    u_int, u_int);
499static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
500    u_int);
501static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
502static struct block *gen_uncond(compiler_state_t *, int);
503static inline struct block *gen_true(compiler_state_t *);
504static inline struct block *gen_false(compiler_state_t *);
505static struct block *gen_ether_linktype(compiler_state_t *, int);
506static struct block *gen_ipnet_linktype(compiler_state_t *, int);
507static struct block *gen_linux_sll_linktype(compiler_state_t *, int);
508static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
509static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
510static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
511static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
512static void insert_compute_vloffsets(compiler_state_t *, struct block *);
513static struct slist *gen_abs_offset_varpart(compiler_state_t *,
514    bpf_abs_offset *);
515static int ethertype_to_ppptype(int);
516static struct block *gen_linktype(compiler_state_t *, int);
517static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
518static struct block *gen_llc_linktype(compiler_state_t *, int);
519static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
520    int, int, u_int, u_int);
521#ifdef INET6
522static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
523    struct in6_addr *, int, int, u_int, u_int);
524#endif
525static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
526static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
527static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
528static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
529static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
530static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
531static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
532static struct block *gen_mpls_linktype(compiler_state_t *, int);
533static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
534    int, int, int);
535#ifdef INET6
536static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
537    struct in6_addr *, int, int, int);
538#endif
539#ifndef INET6
540static struct block *gen_gateway(compiler_state_t *, const u_char *,
541    struct addrinfo *, int, int);
542#endif
543static struct block *gen_ipfrag(compiler_state_t *);
544static struct block *gen_portatom(compiler_state_t *, int, bpf_int32);
545static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32,
546    bpf_int32);
547static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32);
548static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32,
549    bpf_int32);
550struct block *gen_portop(compiler_state_t *, int, int, int);
551static struct block *gen_port(compiler_state_t *, int, int, int);
552struct block *gen_portrangeop(compiler_state_t *, int, int, int, int);
553static struct block *gen_portrange(compiler_state_t *, int, int, int, int);
554struct block *gen_portop6(compiler_state_t *, int, int, int);
555static struct block *gen_port6(compiler_state_t *, int, int, int);
556struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int);
557static struct block *gen_portrange6(compiler_state_t *, int, int, int, int);
558static int lookup_proto(compiler_state_t *, const char *, int);
559static struct block *gen_protochain(compiler_state_t *, int, int, int);
560static struct block *gen_proto(compiler_state_t *, int, int, int);
561static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
562static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
563static struct block *gen_mac_multicast(compiler_state_t *, int);
564static struct block *gen_len(compiler_state_t *, int, int);
565static struct block *gen_check_802_11_data_frame(compiler_state_t *);
566static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
567
568static struct block *gen_ppi_dlt_check(compiler_state_t *);
569static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
570    bpf_int32, bpf_u_int32, int);
571static struct block *gen_atmtype_llc(compiler_state_t *);
572static struct block *gen_msg_abbrev(compiler_state_t *, int type);
573
574static void
575initchunks(compiler_state_t *cstate)
576{
577	int i;
578
579	for (i = 0; i < NCHUNKS; i++) {
580		cstate->chunks[i].n_left = 0;
581		cstate->chunks[i].m = NULL;
582	}
583	cstate->cur_chunk = 0;
584}
585
586static void *
587newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
588{
589	struct chunk *cp;
590	int k;
591	size_t size;
592
593#ifndef __NetBSD__
594	/* XXX Round up to nearest long. */
595	n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
596#else
597	/* XXX Round up to structure boundary. */
598	n = ALIGN(n);
599#endif
600
601	cp = &cstate->chunks[cstate->cur_chunk];
602	if (n > cp->n_left) {
603		++cp;
604		k = ++cstate->cur_chunk;
605		if (k >= NCHUNKS) {
606			bpf_set_error(cstate, "out of memory");
607			return (NULL);
608		}
609		size = CHUNK0SIZE << k;
610		cp->m = (void *)malloc(size);
611		if (cp->m == NULL) {
612			bpf_set_error(cstate, "out of memory");
613			return (NULL);
614		}
615		memset((char *)cp->m, 0, size);
616		cp->n_left = size;
617		if (n > size) {
618			bpf_set_error(cstate, "out of memory");
619			return (NULL);
620		}
621	}
622	cp->n_left -= n;
623	return (void *)((char *)cp->m + cp->n_left);
624}
625
626static void *
627newchunk(compiler_state_t *cstate, size_t n)
628{
629	void *p;
630
631	p = newchunk_nolongjmp(cstate, n);
632	if (p == NULL) {
633		longjmp(cstate->top_ctx, 1);
634		/*NOTREACHED*/
635	}
636	return (p);
637}
638
639static void
640freechunks(compiler_state_t *cstate)
641{
642	int i;
643
644	for (i = 0; i < NCHUNKS; ++i)
645		if (cstate->chunks[i].m != NULL)
646			free(cstate->chunks[i].m);
647}
648
649/*
650 * A strdup whose allocations are freed after code generation is over.
651 * This is used by the lexical analyzer, so it can't longjmp; it just
652 * returns NULL on an allocation error, and the callers must check
653 * for it.
654 */
655char *
656sdup(compiler_state_t *cstate, const char *s)
657{
658	size_t n = strlen(s) + 1;
659	char *cp = newchunk_nolongjmp(cstate, n);
660
661	if (cp == NULL)
662		return (NULL);
663	pcap_strlcpy(cp, s, n);
664	return (cp);
665}
666
667static inline struct block *
668new_block(compiler_state_t *cstate, int code)
669{
670	struct block *p;
671
672	p = (struct block *)newchunk(cstate, sizeof(*p));
673	p->s.code = code;
674	p->head = p;
675
676	return p;
677}
678
679static inline struct slist *
680new_stmt(compiler_state_t *cstate, int code)
681{
682	struct slist *p;
683
684	p = (struct slist *)newchunk(cstate, sizeof(*p));
685	p->s.code = code;
686
687	return p;
688}
689
690static struct block *
691gen_retblk(compiler_state_t *cstate, int v)
692{
693	struct block *b = new_block(cstate, BPF_RET|BPF_K);
694
695	b->s.k = v;
696	return b;
697}
698
699static inline PCAP_NORETURN_DEF void
700syntax(compiler_state_t *cstate)
701{
702	bpf_error(cstate, "syntax error in filter expression");
703}
704
705int
706pcap_compile(pcap_t *p, struct bpf_program *program,
707	     const char *buf, int optimize, bpf_u_int32 mask)
708{
709#ifdef _WIN32
710	static int done = 0;
711#endif
712	compiler_state_t cstate;
713	const char * volatile xbuf = buf;
714	yyscan_t scanner = NULL;
715	volatile YY_BUFFER_STATE in_buffer = NULL;
716	u_int len;
717	int  rc;
718
719	/*
720	 * If this pcap_t hasn't been activated, it doesn't have a
721	 * link-layer type, so we can't use it.
722	 */
723	if (!p->activated) {
724		pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
725		    "not-yet-activated pcap_t passed to pcap_compile");
726		return (-1);
727	}
728
729#ifdef _WIN32
730	if (!done)
731		pcap_wsockinit();
732	done = 1;
733#endif
734
735#ifdef ENABLE_REMOTE
736	/*
737	 * If the device on which we're capturing need to be notified
738	 * that a new filter is being compiled, do so.
739	 *
740	 * This allows them to save a copy of it, in case, for example,
741	 * they're implementing a form of remote packet capture, and
742	 * want the remote machine to filter out the packets in which
743	 * it's sending the packets it's captured.
744	 *
745	 * XXX - the fact that we happen to be compiling a filter
746	 * doesn't necessarily mean we'll be installing it as the
747	 * filter for this pcap_t; we might be running it from userland
748	 * on captured packets to do packet classification.  We really
749	 * need a better way of handling this, but this is all that
750	 * the WinPcap remote capture code did.
751	 */
752	if (p->save_current_filter_op != NULL)
753		(p->save_current_filter_op)(p, buf);
754#endif
755
756	initchunks(&cstate);
757	cstate.no_optimize = 0;
758#ifdef INET6
759	cstate.ai = NULL;
760#endif
761	cstate.e = NULL;
762	cstate.ic.root = NULL;
763	cstate.ic.cur_mark = 0;
764	cstate.bpf_pcap = p;
765	init_regs(&cstate);
766
767	cstate.netmask = mask;
768
769	cstate.snaplen = pcap_snapshot(p);
770	if (cstate.snaplen == 0) {
771		pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
772			 "snaplen of 0 rejects all packets");
773		rc = -1;
774		goto quit;
775	}
776
777	if (pcap_lex_init(&scanner) != 0)
778		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
779		    errno, "can't initialize scanner");
780	in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
781
782	/*
783	 * Associate the compiler state with the lexical analyzer
784	 * state.
785	 */
786	pcap_set_extra(&cstate, scanner);
787
788	if (init_linktype(&cstate, p) == -1) {
789		rc = -1;
790		goto quit;
791	}
792	if (pcap_parse(scanner, &cstate) != 0) {
793#ifdef INET6
794		if (cstate.ai != NULL)
795			freeaddrinfo(cstate.ai);
796#endif
797		if (cstate.e != NULL)
798			free(cstate.e);
799		rc = -1;
800		goto quit;
801	}
802
803	if (cstate.ic.root == NULL) {
804		/*
805		 * Catch errors reported by gen_retblk().
806		 */
807		if (setjmp(cstate.top_ctx)) {
808			rc = -1;
809			goto quit;
810		}
811		cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
812	}
813
814	if (optimize && !cstate.no_optimize) {
815		if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
816			/* Failure */
817			rc = -1;
818			goto quit;
819		}
820		if (cstate.ic.root == NULL ||
821		    (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
822			(void)pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
823			    "expression rejects all packets");
824			rc = -1;
825			goto quit;
826		}
827	}
828	program->bf_insns = icode_to_fcode(&cstate.ic,
829	    cstate.ic.root, &len, p->errbuf);
830	if (program->bf_insns == NULL) {
831		/* Failure */
832		rc = -1;
833		goto quit;
834	}
835	program->bf_len = len;
836
837	rc = 0;  /* We're all okay */
838
839quit:
840	/*
841	 * Clean up everything for the lexical analyzer.
842	 */
843	if (in_buffer != NULL)
844		pcap__delete_buffer(in_buffer, scanner);
845	if (scanner != NULL)
846		pcap_lex_destroy(scanner);
847
848	/*
849	 * Clean up our own allocated memory.
850	 */
851	freechunks(&cstate);
852
853	return (rc);
854}
855
856/*
857 * entry point for using the compiler with no pcap open
858 * pass in all the stuff that is needed explicitly instead.
859 */
860int
861pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
862		    struct bpf_program *program,
863	     const char *buf, int optimize, bpf_u_int32 mask)
864{
865	pcap_t *p;
866	int ret;
867
868	p = pcap_open_dead(linktype_arg, snaplen_arg);
869	if (p == NULL)
870		return (-1);
871	ret = pcap_compile(p, program, buf, optimize, mask);
872	pcap_close(p);
873	return (ret);
874}
875
876/*
877 * Clean up a "struct bpf_program" by freeing all the memory allocated
878 * in it.
879 */
880void
881pcap_freecode(struct bpf_program *program)
882{
883	program->bf_len = 0;
884	if (program->bf_insns != NULL) {
885		free((char *)program->bf_insns);
886		program->bf_insns = NULL;
887	}
888}
889
890/*
891 * Backpatch the blocks in 'list' to 'target'.  The 'sense' field indicates
892 * which of the jt and jf fields has been resolved and which is a pointer
893 * back to another unresolved block (or nil).  At least one of the fields
894 * in each block is already resolved.
895 */
896static void
897backpatch(struct block *list, struct block *target)
898{
899	struct block *next;
900
901	while (list) {
902		if (!list->sense) {
903			next = JT(list);
904			JT(list) = target;
905		} else {
906			next = JF(list);
907			JF(list) = target;
908		}
909		list = next;
910	}
911}
912
913/*
914 * Merge the lists in b0 and b1, using the 'sense' field to indicate
915 * which of jt and jf is the link.
916 */
917static void
918merge(struct block *b0, struct block *b1)
919{
920	register struct block **p = &b0;
921
922	/* Find end of list. */
923	while (*p)
924		p = !((*p)->sense) ? &JT(*p) : &JF(*p);
925
926	/* Concatenate the lists. */
927	*p = b1;
928}
929
930int
931finish_parse(compiler_state_t *cstate, struct block *p)
932{
933	struct block *ppi_dlt_check;
934
935	/*
936	 * Catch errors reported by us and routines below us, and return -1
937	 * on an error.
938	 */
939	if (setjmp(cstate->top_ctx))
940		return (-1);
941
942	/*
943	 * Insert before the statements of the first (root) block any
944	 * statements needed to load the lengths of any variable-length
945	 * headers into registers.
946	 *
947	 * XXX - a fancier strategy would be to insert those before the
948	 * statements of all blocks that use those lengths and that
949	 * have no predecessors that use them, so that we only compute
950	 * the lengths if we need them.  There might be even better
951	 * approaches than that.
952	 *
953	 * However, those strategies would be more complicated, and
954	 * as we don't generate code to compute a length if the
955	 * program has no tests that use the length, and as most
956	 * tests will probably use those lengths, we would just
957	 * postpone computing the lengths so that it's not done
958	 * for tests that fail early, and it's not clear that's
959	 * worth the effort.
960	 */
961	insert_compute_vloffsets(cstate, p->head);
962
963	/*
964	 * For DLT_PPI captures, generate a check of the per-packet
965	 * DLT value to make sure it's DLT_IEEE802_11.
966	 *
967	 * XXX - TurboCap cards use DLT_PPI for Ethernet.
968	 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
969	 * with appropriate Ethernet information and use that rather
970	 * than using something such as DLT_PPI where you don't know
971	 * the link-layer header type until runtime, which, in the
972	 * general case, would force us to generate both Ethernet *and*
973	 * 802.11 code (*and* anything else for which PPI is used)
974	 * and choose between them early in the BPF program?
975	 */
976	ppi_dlt_check = gen_ppi_dlt_check(cstate);
977	if (ppi_dlt_check != NULL)
978		gen_and(ppi_dlt_check, p);
979
980	backpatch(p, gen_retblk(cstate, cstate->snaplen));
981	p->sense = !p->sense;
982	backpatch(p, gen_retblk(cstate, 0));
983	cstate->ic.root = p->head;
984	return (0);
985}
986
987void
988gen_and(struct block *b0, struct block *b1)
989{
990	backpatch(b0, b1->head);
991	b0->sense = !b0->sense;
992	b1->sense = !b1->sense;
993	merge(b1, b0);
994	b1->sense = !b1->sense;
995	b1->head = b0->head;
996}
997
998void
999gen_or(struct block *b0, struct block *b1)
1000{
1001	b0->sense = !b0->sense;
1002	backpatch(b0, b1->head);
1003	b0->sense = !b0->sense;
1004	merge(b1, b0);
1005	b1->head = b0->head;
1006}
1007
1008void
1009gen_not(struct block *b)
1010{
1011	b->sense = !b->sense;
1012}
1013
1014static struct block *
1015gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1016    u_int size, bpf_int32 v)
1017{
1018	return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1019}
1020
1021static struct block *
1022gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1023    u_int size, bpf_int32 v)
1024{
1025	return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1026}
1027
1028static struct block *
1029gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1030    u_int size, bpf_int32 v)
1031{
1032	return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1033}
1034
1035static struct block *
1036gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1037    u_int size, bpf_int32 v)
1038{
1039	return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1040}
1041
1042static struct block *
1043gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1044    u_int size, bpf_int32 v)
1045{
1046	return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1047}
1048
1049static struct block *
1050gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1051    u_int size, bpf_int32 v, bpf_u_int32 mask)
1052{
1053	return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1054}
1055
1056static struct block *
1057gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1058    u_int size, const u_char *v)
1059{
1060	register struct block *b, *tmp;
1061
1062	/*
1063	 * XXX - the actual *instructions* do unsigned comparisons on
1064	 * most platforms, and the load instructions don't do sign
1065	 * extension, so gen_cmp() should really take an unsigned
1066	 * value argument.
1067	 *
1068	 * As the load instructons also don't do sign-extension, we
1069	 * fetch the values from the byte array as unsigned.  We don't
1070	 * want to use the signed versions of the extract calls.
1071	 */
1072	b = NULL;
1073	while (size >= 4) {
1074		register const u_char *p = &v[size - 4];
1075
1076		tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1077		    (bpf_int32)EXTRACT_32BITS(p));
1078		if (b != NULL)
1079			gen_and(b, tmp);
1080		b = tmp;
1081		size -= 4;
1082	}
1083	while (size >= 2) {
1084		register const u_char *p = &v[size - 2];
1085
1086		tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1087		    (bpf_int32)EXTRACT_16BITS(p));
1088		if (b != NULL)
1089			gen_and(b, tmp);
1090		b = tmp;
1091		size -= 2;
1092	}
1093	if (size > 0) {
1094		tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]);
1095		if (b != NULL)
1096			gen_and(b, tmp);
1097		b = tmp;
1098	}
1099	return b;
1100}
1101
1102/*
1103 * AND the field of size "size" at offset "offset" relative to the header
1104 * specified by "offrel" with "mask", and compare it with the value "v"
1105 * with the test specified by "jtype"; if "reverse" is true, the test
1106 * should test the opposite of "jtype".
1107 */
1108static struct block *
1109gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset,
1110    bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse,
1111    bpf_int32 v)
1112{
1113	struct slist *s, *s2;
1114	struct block *b;
1115
1116	s = gen_load_a(cstate, offrel, offset, size);
1117
1118	if (mask != 0xffffffff) {
1119		s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1120		s2->s.k = mask;
1121		sappend(s, s2);
1122	}
1123
1124	b = new_block(cstate, JMP(jtype));
1125	b->stmts = s;
1126	b->s.k = v;
1127	if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1128		gen_not(b);
1129	return b;
1130}
1131
1132static int
1133init_linktype(compiler_state_t *cstate, pcap_t *p)
1134{
1135	cstate->pcap_fddipad = p->fddipad;
1136
1137	/*
1138	 * We start out with only one link-layer header.
1139	 */
1140	cstate->outermostlinktype = pcap_datalink(p);
1141	cstate->off_outermostlinkhdr.constant_part = 0;
1142	cstate->off_outermostlinkhdr.is_variable = 0;
1143	cstate->off_outermostlinkhdr.reg = -1;
1144
1145	cstate->prevlinktype = cstate->outermostlinktype;
1146	cstate->off_prevlinkhdr.constant_part = 0;
1147	cstate->off_prevlinkhdr.is_variable = 0;
1148	cstate->off_prevlinkhdr.reg = -1;
1149
1150	cstate->linktype = cstate->outermostlinktype;
1151	cstate->off_linkhdr.constant_part = 0;
1152	cstate->off_linkhdr.is_variable = 0;
1153	cstate->off_linkhdr.reg = -1;
1154
1155	/*
1156	 * XXX
1157	 */
1158	cstate->off_linkpl.constant_part = 0;
1159	cstate->off_linkpl.is_variable = 0;
1160	cstate->off_linkpl.reg = -1;
1161
1162	cstate->off_linktype.constant_part = 0;
1163	cstate->off_linktype.is_variable = 0;
1164	cstate->off_linktype.reg = -1;
1165
1166	/*
1167	 * Assume it's not raw ATM with a pseudo-header, for now.
1168	 */
1169	cstate->is_atm = 0;
1170	cstate->off_vpi = OFFSET_NOT_SET;
1171	cstate->off_vci = OFFSET_NOT_SET;
1172	cstate->off_proto = OFFSET_NOT_SET;
1173	cstate->off_payload = OFFSET_NOT_SET;
1174
1175	/*
1176	 * And not Geneve.
1177	 */
1178	cstate->is_geneve = 0;
1179
1180	/*
1181	 * No variable length VLAN offset by default
1182	 */
1183	cstate->is_vlan_vloffset = 0;
1184
1185	/*
1186	 * And assume we're not doing SS7.
1187	 */
1188	cstate->off_li = OFFSET_NOT_SET;
1189	cstate->off_li_hsl = OFFSET_NOT_SET;
1190	cstate->off_sio = OFFSET_NOT_SET;
1191	cstate->off_opc = OFFSET_NOT_SET;
1192	cstate->off_dpc = OFFSET_NOT_SET;
1193	cstate->off_sls = OFFSET_NOT_SET;
1194
1195	cstate->label_stack_depth = 0;
1196	cstate->vlan_stack_depth = 0;
1197
1198	switch (cstate->linktype) {
1199
1200	case DLT_ARCNET:
1201		cstate->off_linktype.constant_part = 2;
1202		cstate->off_linkpl.constant_part = 6;
1203		cstate->off_nl = 0;		/* XXX in reality, variable! */
1204		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1205		break;
1206
1207	case DLT_ARCNET_LINUX:
1208		cstate->off_linktype.constant_part = 4;
1209		cstate->off_linkpl.constant_part = 8;
1210		cstate->off_nl = 0;		/* XXX in reality, variable! */
1211		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1212		break;
1213
1214	case DLT_EN10MB:
1215		cstate->off_linktype.constant_part = 12;
1216		cstate->off_linkpl.constant_part = 14;	/* Ethernet header length */
1217		cstate->off_nl = 0;		/* Ethernet II */
1218		cstate->off_nl_nosnap = 3;	/* 802.3+802.2 */
1219		break;
1220
1221	case DLT_SLIP:
1222		/*
1223		 * SLIP doesn't have a link level type.  The 16 byte
1224		 * header is hacked into our SLIP driver.
1225		 */
1226		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1227		cstate->off_linkpl.constant_part = 16;
1228		cstate->off_nl = 0;
1229		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1230		break;
1231
1232	case DLT_SLIP_BSDOS:
1233		/* XXX this may be the same as the DLT_PPP_BSDOS case */
1234		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1235		/* XXX end */
1236		cstate->off_linkpl.constant_part = 24;
1237		cstate->off_nl = 0;
1238		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1239		break;
1240
1241	case DLT_NULL:
1242	case DLT_LOOP:
1243		cstate->off_linktype.constant_part = 0;
1244		cstate->off_linkpl.constant_part = 4;
1245		cstate->off_nl = 0;
1246		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1247		break;
1248
1249	case DLT_ENC:
1250		cstate->off_linktype.constant_part = 0;
1251		cstate->off_linkpl.constant_part = 12;
1252		cstate->off_nl = 0;
1253		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1254		break;
1255
1256	case DLT_PPP:
1257	case DLT_PPP_PPPD:
1258	case DLT_C_HDLC:		/* BSD/OS Cisco HDLC */
1259	case DLT_PPP_SERIAL:		/* NetBSD sync/async serial PPP */
1260		cstate->off_linktype.constant_part = 2;	/* skip HDLC-like framing */
1261		cstate->off_linkpl.constant_part = 4;	/* skip HDLC-like framing and protocol field */
1262		cstate->off_nl = 0;
1263		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1264		break;
1265
1266	case DLT_PPP_ETHER:
1267		/*
1268		 * This does no include the Ethernet header, and
1269		 * only covers session state.
1270		 */
1271		cstate->off_linktype.constant_part = 6;
1272		cstate->off_linkpl.constant_part = 8;
1273		cstate->off_nl = 0;
1274		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1275		break;
1276
1277	case DLT_PPP_BSDOS:
1278		cstate->off_linktype.constant_part = 5;
1279		cstate->off_linkpl.constant_part = 24;
1280		cstate->off_nl = 0;
1281		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1282		break;
1283
1284	case DLT_FDDI:
1285		/*
1286		 * FDDI doesn't really have a link-level type field.
1287		 * We set "off_linktype" to the offset of the LLC header.
1288		 *
1289		 * To check for Ethernet types, we assume that SSAP = SNAP
1290		 * is being used and pick out the encapsulated Ethernet type.
1291		 * XXX - should we generate code to check for SNAP?
1292		 */
1293		cstate->off_linktype.constant_part = 13;
1294		cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1295		cstate->off_linkpl.constant_part = 13;	/* FDDI MAC header length */
1296		cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1297		cstate->off_nl = 8;		/* 802.2+SNAP */
1298		cstate->off_nl_nosnap = 3;	/* 802.2 */
1299		break;
1300
1301	case DLT_IEEE802:
1302		/*
1303		 * Token Ring doesn't really have a link-level type field.
1304		 * We set "off_linktype" to the offset of the LLC header.
1305		 *
1306		 * To check for Ethernet types, we assume that SSAP = SNAP
1307		 * is being used and pick out the encapsulated Ethernet type.
1308		 * XXX - should we generate code to check for SNAP?
1309		 *
1310		 * XXX - the header is actually variable-length.
1311		 * Some various Linux patched versions gave 38
1312		 * as "off_linktype" and 40 as "off_nl"; however,
1313		 * if a token ring packet has *no* routing
1314		 * information, i.e. is not source-routed, the correct
1315		 * values are 20 and 22, as they are in the vanilla code.
1316		 *
1317		 * A packet is source-routed iff the uppermost bit
1318		 * of the first byte of the source address, at an
1319		 * offset of 8, has the uppermost bit set.  If the
1320		 * packet is source-routed, the total number of bytes
1321		 * of routing information is 2 plus bits 0x1F00 of
1322		 * the 16-bit value at an offset of 14 (shifted right
1323		 * 8 - figure out which byte that is).
1324		 */
1325		cstate->off_linktype.constant_part = 14;
1326		cstate->off_linkpl.constant_part = 14;	/* Token Ring MAC header length */
1327		cstate->off_nl = 8;		/* 802.2+SNAP */
1328		cstate->off_nl_nosnap = 3;	/* 802.2 */
1329		break;
1330
1331	case DLT_PRISM_HEADER:
1332	case DLT_IEEE802_11_RADIO_AVS:
1333	case DLT_IEEE802_11_RADIO:
1334		cstate->off_linkhdr.is_variable = 1;
1335		/* Fall through, 802.11 doesn't have a variable link
1336		 * prefix but is otherwise the same. */
1337		/* FALLTHROUGH */
1338
1339	case DLT_IEEE802_11:
1340		/*
1341		 * 802.11 doesn't really have a link-level type field.
1342		 * We set "off_linktype.constant_part" to the offset of
1343		 * the LLC header.
1344		 *
1345		 * To check for Ethernet types, we assume that SSAP = SNAP
1346		 * is being used and pick out the encapsulated Ethernet type.
1347		 * XXX - should we generate code to check for SNAP?
1348		 *
1349		 * We also handle variable-length radio headers here.
1350		 * The Prism header is in theory variable-length, but in
1351		 * practice it's always 144 bytes long.  However, some
1352		 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1353		 * sometimes or always supply an AVS header, so we
1354		 * have to check whether the radio header is a Prism
1355		 * header or an AVS header, so, in practice, it's
1356		 * variable-length.
1357		 */
1358		cstate->off_linktype.constant_part = 24;
1359		cstate->off_linkpl.constant_part = 0;	/* link-layer header is variable-length */
1360		cstate->off_linkpl.is_variable = 1;
1361		cstate->off_nl = 8;		/* 802.2+SNAP */
1362		cstate->off_nl_nosnap = 3;	/* 802.2 */
1363		break;
1364
1365	case DLT_PPI:
1366		/*
1367		 * At the moment we treat PPI the same way that we treat
1368		 * normal Radiotap encoded packets. The difference is in
1369		 * the function that generates the code at the beginning
1370		 * to compute the header length.  Since this code generator
1371		 * of PPI supports bare 802.11 encapsulation only (i.e.
1372		 * the encapsulated DLT should be DLT_IEEE802_11) we
1373		 * generate code to check for this too.
1374		 */
1375		cstate->off_linktype.constant_part = 24;
1376		cstate->off_linkpl.constant_part = 0;	/* link-layer header is variable-length */
1377		cstate->off_linkpl.is_variable = 1;
1378		cstate->off_linkhdr.is_variable = 1;
1379		cstate->off_nl = 8;		/* 802.2+SNAP */
1380		cstate->off_nl_nosnap = 3;	/* 802.2 */
1381		break;
1382
1383	case DLT_ATM_RFC1483:
1384	case DLT_ATM_CLIP:	/* Linux ATM defines this */
1385		/*
1386		 * assume routed, non-ISO PDUs
1387		 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1388		 *
1389		 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1390		 * or PPP with the PPP NLPID (e.g., PPPoA)?  The
1391		 * latter would presumably be treated the way PPPoE
1392		 * should be, so you can do "pppoe and udp port 2049"
1393		 * or "pppoa and tcp port 80" and have it check for
1394		 * PPPo{A,E} and a PPP protocol of IP and....
1395		 */
1396		cstate->off_linktype.constant_part = 0;
1397		cstate->off_linkpl.constant_part = 0;	/* packet begins with LLC header */
1398		cstate->off_nl = 8;		/* 802.2+SNAP */
1399		cstate->off_nl_nosnap = 3;	/* 802.2 */
1400		break;
1401
1402	case DLT_SUNATM:
1403		/*
1404		 * Full Frontal ATM; you get AALn PDUs with an ATM
1405		 * pseudo-header.
1406		 */
1407		cstate->is_atm = 1;
1408		cstate->off_vpi = SUNATM_VPI_POS;
1409		cstate->off_vci = SUNATM_VCI_POS;
1410		cstate->off_proto = PROTO_POS;
1411		cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1412		cstate->off_linktype.constant_part = cstate->off_payload;
1413		cstate->off_linkpl.constant_part = cstate->off_payload;	/* if LLC-encapsulated */
1414		cstate->off_nl = 8;		/* 802.2+SNAP */
1415		cstate->off_nl_nosnap = 3;	/* 802.2 */
1416		break;
1417
1418	case DLT_RAW:
1419	case DLT_IPV4:
1420	case DLT_IPV6:
1421		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1422		cstate->off_linkpl.constant_part = 0;
1423		cstate->off_nl = 0;
1424		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1425		break;
1426
1427	case DLT_LINUX_SLL:	/* fake header for Linux cooked socket v1 */
1428		cstate->off_linktype.constant_part = 14;
1429		cstate->off_linkpl.constant_part = 16;
1430		cstate->off_nl = 0;
1431		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1432		break;
1433
1434	case DLT_LINUX_SLL2:	/* fake header for Linux cooked socket v2 */
1435		cstate->off_linktype.constant_part = 0;
1436		cstate->off_linkpl.constant_part = 20;
1437		cstate->off_nl = 0;
1438		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1439		break;
1440
1441	case DLT_LTALK:
1442		/*
1443		 * LocalTalk does have a 1-byte type field in the LLAP header,
1444		 * but really it just indicates whether there is a "short" or
1445		 * "long" DDP packet following.
1446		 */
1447		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1448		cstate->off_linkpl.constant_part = 0;
1449		cstate->off_nl = 0;
1450		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1451		break;
1452
1453	case DLT_IP_OVER_FC:
1454		/*
1455		 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1456		 * link-level type field.  We set "off_linktype" to the
1457		 * offset of the LLC header.
1458		 *
1459		 * To check for Ethernet types, we assume that SSAP = SNAP
1460		 * is being used and pick out the encapsulated Ethernet type.
1461		 * XXX - should we generate code to check for SNAP? RFC
1462		 * 2625 says SNAP should be used.
1463		 */
1464		cstate->off_linktype.constant_part = 16;
1465		cstate->off_linkpl.constant_part = 16;
1466		cstate->off_nl = 8;		/* 802.2+SNAP */
1467		cstate->off_nl_nosnap = 3;	/* 802.2 */
1468		break;
1469
1470	case DLT_FRELAY:
1471		/*
1472		 * XXX - we should set this to handle SNAP-encapsulated
1473		 * frames (NLPID of 0x80).
1474		 */
1475		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1476		cstate->off_linkpl.constant_part = 0;
1477		cstate->off_nl = 0;
1478		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1479		break;
1480
1481                /*
1482                 * the only BPF-interesting FRF.16 frames are non-control frames;
1483                 * Frame Relay has a variable length link-layer
1484                 * so lets start with offset 4 for now and increments later on (FIXME);
1485                 */
1486	case DLT_MFR:
1487		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1488		cstate->off_linkpl.constant_part = 0;
1489		cstate->off_nl = 4;
1490		cstate->off_nl_nosnap = 0;	/* XXX - for now -> no 802.2 LLC */
1491		break;
1492
1493	case DLT_APPLE_IP_OVER_IEEE1394:
1494		cstate->off_linktype.constant_part = 16;
1495		cstate->off_linkpl.constant_part = 18;
1496		cstate->off_nl = 0;
1497		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1498		break;
1499
1500	case DLT_SYMANTEC_FIREWALL:
1501		cstate->off_linktype.constant_part = 6;
1502		cstate->off_linkpl.constant_part = 44;
1503		cstate->off_nl = 0;		/* Ethernet II */
1504		cstate->off_nl_nosnap = 0;	/* XXX - what does it do with 802.3 packets? */
1505		break;
1506
1507#ifdef HAVE_NET_PFVAR_H
1508	case DLT_PFLOG:
1509		cstate->off_linktype.constant_part = 0;
1510		cstate->off_linkpl.constant_part = PFLOG_HDRLEN;
1511		cstate->off_nl = 0;
1512		cstate->off_nl_nosnap = 0;	/* no 802.2 LLC */
1513		break;
1514#endif
1515
1516        case DLT_JUNIPER_MFR:
1517        case DLT_JUNIPER_MLFR:
1518        case DLT_JUNIPER_MLPPP:
1519        case DLT_JUNIPER_PPP:
1520        case DLT_JUNIPER_CHDLC:
1521        case DLT_JUNIPER_FRELAY:
1522		cstate->off_linktype.constant_part = 4;
1523		cstate->off_linkpl.constant_part = 4;
1524		cstate->off_nl = 0;
1525		cstate->off_nl_nosnap = OFFSET_NOT_SET;	/* no 802.2 LLC */
1526                break;
1527
1528	case DLT_JUNIPER_ATM1:
1529		cstate->off_linktype.constant_part = 4;		/* in reality variable between 4-8 */
1530		cstate->off_linkpl.constant_part = 4;	/* in reality variable between 4-8 */
1531		cstate->off_nl = 0;
1532		cstate->off_nl_nosnap = 10;
1533		break;
1534
1535	case DLT_JUNIPER_ATM2:
1536		cstate->off_linktype.constant_part = 8;		/* in reality variable between 8-12 */
1537		cstate->off_linkpl.constant_part = 8;	/* in reality variable between 8-12 */
1538		cstate->off_nl = 0;
1539		cstate->off_nl_nosnap = 10;
1540		break;
1541
1542		/* frames captured on a Juniper PPPoE service PIC
1543		 * contain raw ethernet frames */
1544	case DLT_JUNIPER_PPPOE:
1545        case DLT_JUNIPER_ETHER:
1546		cstate->off_linkpl.constant_part = 14;
1547		cstate->off_linktype.constant_part = 16;
1548		cstate->off_nl = 18;		/* Ethernet II */
1549		cstate->off_nl_nosnap = 21;	/* 802.3+802.2 */
1550		break;
1551
1552	case DLT_JUNIPER_PPPOE_ATM:
1553		cstate->off_linktype.constant_part = 4;
1554		cstate->off_linkpl.constant_part = 6;
1555		cstate->off_nl = 0;
1556		cstate->off_nl_nosnap = OFFSET_NOT_SET;	/* no 802.2 LLC */
1557		break;
1558
1559	case DLT_JUNIPER_GGSN:
1560		cstate->off_linktype.constant_part = 6;
1561		cstate->off_linkpl.constant_part = 12;
1562		cstate->off_nl = 0;
1563		cstate->off_nl_nosnap = OFFSET_NOT_SET;	/* no 802.2 LLC */
1564		break;
1565
1566	case DLT_JUNIPER_ES:
1567		cstate->off_linktype.constant_part = 6;
1568		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;	/* not really a network layer but raw IP addresses */
1569		cstate->off_nl = OFFSET_NOT_SET;	/* not really a network layer but raw IP addresses */
1570		cstate->off_nl_nosnap = OFFSET_NOT_SET;	/* no 802.2 LLC */
1571		break;
1572
1573	case DLT_JUNIPER_MONITOR:
1574		cstate->off_linktype.constant_part = 12;
1575		cstate->off_linkpl.constant_part = 12;
1576		cstate->off_nl = 0;			/* raw IP/IP6 header */
1577		cstate->off_nl_nosnap = OFFSET_NOT_SET;	/* no 802.2 LLC */
1578		break;
1579
1580	case DLT_BACNET_MS_TP:
1581		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1582		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1583		cstate->off_nl = OFFSET_NOT_SET;
1584		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1585		break;
1586
1587	case DLT_JUNIPER_SERVICES:
1588		cstate->off_linktype.constant_part = 12;
1589		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;	/* L3 proto location dep. on cookie type */
1590		cstate->off_nl = OFFSET_NOT_SET;	/* L3 proto location dep. on cookie type */
1591		cstate->off_nl_nosnap = OFFSET_NOT_SET;	/* no 802.2 LLC */
1592		break;
1593
1594	case DLT_JUNIPER_VP:
1595		cstate->off_linktype.constant_part = 18;
1596		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1597		cstate->off_nl = OFFSET_NOT_SET;
1598		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1599		break;
1600
1601	case DLT_JUNIPER_ST:
1602		cstate->off_linktype.constant_part = 18;
1603		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1604		cstate->off_nl = OFFSET_NOT_SET;
1605		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1606		break;
1607
1608	case DLT_JUNIPER_ISM:
1609		cstate->off_linktype.constant_part = 8;
1610		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1611		cstate->off_nl = OFFSET_NOT_SET;
1612		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1613		break;
1614
1615	case DLT_JUNIPER_VS:
1616	case DLT_JUNIPER_SRX_E2E:
1617	case DLT_JUNIPER_FIBRECHANNEL:
1618	case DLT_JUNIPER_ATM_CEMIC:
1619		cstate->off_linktype.constant_part = 8;
1620		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1621		cstate->off_nl = OFFSET_NOT_SET;
1622		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1623		break;
1624
1625	case DLT_MTP2:
1626		cstate->off_li = 2;
1627		cstate->off_li_hsl = 4;
1628		cstate->off_sio = 3;
1629		cstate->off_opc = 4;
1630		cstate->off_dpc = 4;
1631		cstate->off_sls = 7;
1632		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1633		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1634		cstate->off_nl = OFFSET_NOT_SET;
1635		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1636		break;
1637
1638	case DLT_MTP2_WITH_PHDR:
1639		cstate->off_li = 6;
1640		cstate->off_li_hsl = 8;
1641		cstate->off_sio = 7;
1642		cstate->off_opc = 8;
1643		cstate->off_dpc = 8;
1644		cstate->off_sls = 11;
1645		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1646		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1647		cstate->off_nl = OFFSET_NOT_SET;
1648		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1649		break;
1650
1651	case DLT_ERF:
1652		cstate->off_li = 22;
1653		cstate->off_li_hsl = 24;
1654		cstate->off_sio = 23;
1655		cstate->off_opc = 24;
1656		cstate->off_dpc = 24;
1657		cstate->off_sls = 27;
1658		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1659		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1660		cstate->off_nl = OFFSET_NOT_SET;
1661		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1662		break;
1663
1664	case DLT_PFSYNC:
1665		cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1666		cstate->off_linkpl.constant_part = 4;
1667		cstate->off_nl = 0;
1668		cstate->off_nl_nosnap = 0;
1669		break;
1670
1671	case DLT_AX25_KISS:
1672		/*
1673		 * Currently, only raw "link[N:M]" filtering is supported.
1674		 */
1675		cstate->off_linktype.constant_part = OFFSET_NOT_SET;	/* variable, min 15, max 71 steps of 7 */
1676		cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1677		cstate->off_nl = OFFSET_NOT_SET;	/* variable, min 16, max 71 steps of 7 */
1678		cstate->off_nl_nosnap = OFFSET_NOT_SET;	/* no 802.2 LLC */
1679		break;
1680
1681	case DLT_IPNET:
1682		cstate->off_linktype.constant_part = 1;
1683		cstate->off_linkpl.constant_part = 24;	/* ipnet header length */
1684		cstate->off_nl = 0;
1685		cstate->off_nl_nosnap = OFFSET_NOT_SET;
1686		break;
1687
1688	case DLT_NETANALYZER:
1689		cstate->off_linkhdr.constant_part = 4;	/* Ethernet header is past 4-byte pseudo-header */
1690		cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1691		cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14;	/* pseudo-header+Ethernet header length */
1692		cstate->off_nl = 0;		/* Ethernet II */
1693		cstate->off_nl_nosnap = 3;	/* 802.3+802.2 */
1694		break;
1695
1696	case DLT_NETANALYZER_TRANSPARENT:
1697		cstate->off_linkhdr.constant_part = 12;	/* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1698		cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1699		cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14;	/* pseudo-header+preamble+SFD+Ethernet header length */
1700		cstate->off_nl = 0;		/* Ethernet II */
1701		cstate->off_nl_nosnap = 3;	/* 802.3+802.2 */
1702		break;
1703
1704	default:
1705		/*
1706		 * For values in the range in which we've assigned new
1707		 * DLT_ values, only raw "link[N:M]" filtering is supported.
1708		 */
1709		if (cstate->linktype >= DLT_MATCHING_MIN &&
1710		    cstate->linktype <= DLT_MATCHING_MAX) {
1711			cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1712			cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1713			cstate->off_nl = OFFSET_NOT_SET;
1714			cstate->off_nl_nosnap = OFFSET_NOT_SET;
1715		} else {
1716			bpf_set_error(cstate, "unknown data link type %d", cstate->linktype);
1717			return (-1);
1718		}
1719		break;
1720	}
1721
1722	cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1723	return (0);
1724}
1725
1726/*
1727 * Load a value relative to the specified absolute offset.
1728 */
1729static struct slist *
1730gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1731    u_int offset, u_int size)
1732{
1733	struct slist *s, *s2;
1734
1735	s = gen_abs_offset_varpart(cstate, abs_offset);
1736
1737	/*
1738	 * If "s" is non-null, it has code to arrange that the X register
1739	 * contains the variable part of the absolute offset, so we
1740	 * generate a load relative to that, with an offset of
1741	 * abs_offset->constant_part + offset.
1742	 *
1743	 * Otherwise, we can do an absolute load with an offset of
1744	 * abs_offset->constant_part + offset.
1745	 */
1746	if (s != NULL) {
1747		/*
1748		 * "s" points to a list of statements that puts the
1749		 * variable part of the absolute offset into the X register.
1750		 * Do an indirect load, to use the X register as an offset.
1751		 */
1752		s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1753		s2->s.k = abs_offset->constant_part + offset;
1754		sappend(s, s2);
1755	} else {
1756		/*
1757		 * There is no variable part of the absolute offset, so
1758		 * just do an absolute load.
1759		 */
1760		s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1761		s->s.k = abs_offset->constant_part + offset;
1762	}
1763	return s;
1764}
1765
1766/*
1767 * Load a value relative to the beginning of the specified header.
1768 */
1769static struct slist *
1770gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1771    u_int size)
1772{
1773	struct slist *s, *s2;
1774
1775	/*
1776	 * Squelch warnings from compilers that *don't* assume that
1777	 * offrel always has a valid enum value and therefore don't
1778	 * assume that we'll always go through one of the case arms.
1779	 *
1780	 * If we have a default case, compilers that *do* assume that
1781	 * will then complain about the default case code being
1782	 * unreachable.
1783	 *
1784	 * Damned if you do, damned if you don't.
1785	 */
1786	s = NULL;
1787
1788	switch (offrel) {
1789
1790	case OR_PACKET:
1791                s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1792                s->s.k = offset;
1793		break;
1794
1795	case OR_LINKHDR:
1796		s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1797		break;
1798
1799	case OR_PREVLINKHDR:
1800		s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1801		break;
1802
1803	case OR_LLC:
1804		s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1805		break;
1806
1807	case OR_PREVMPLSHDR:
1808		s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1809		break;
1810
1811	case OR_LINKPL:
1812		s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1813		break;
1814
1815	case OR_LINKPL_NOSNAP:
1816		s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1817		break;
1818
1819	case OR_LINKTYPE:
1820		s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1821		break;
1822
1823	case OR_TRAN_IPV4:
1824		/*
1825		 * Load the X register with the length of the IPv4 header
1826		 * (plus the offset of the link-layer header, if it's
1827		 * preceded by a variable-length header such as a radio
1828		 * header), in bytes.
1829		 */
1830		s = gen_loadx_iphdrlen(cstate);
1831
1832		/*
1833		 * Load the item at {offset of the link-layer payload} +
1834		 * {offset, relative to the start of the link-layer
1835		 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1836		 * {specified offset}.
1837		 *
1838		 * If the offset of the link-layer payload is variable,
1839		 * the variable part of that offset is included in the
1840		 * value in the X register, and we include the constant
1841		 * part in the offset of the load.
1842		 */
1843		s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1844		s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1845		sappend(s, s2);
1846		break;
1847
1848	case OR_TRAN_IPV6:
1849		s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1850		break;
1851	}
1852	return s;
1853}
1854
1855/*
1856 * Generate code to load into the X register the sum of the length of
1857 * the IPv4 header and the variable part of the offset of the link-layer
1858 * payload.
1859 */
1860static struct slist *
1861gen_loadx_iphdrlen(compiler_state_t *cstate)
1862{
1863	struct slist *s, *s2;
1864
1865	s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1866	if (s != NULL) {
1867		/*
1868		 * The offset of the link-layer payload has a variable
1869		 * part.  "s" points to a list of statements that put
1870		 * the variable part of that offset into the X register.
1871		 *
1872		 * The 4*([k]&0xf) addressing mode can't be used, as we
1873		 * don't have a constant offset, so we have to load the
1874		 * value in question into the A register and add to it
1875		 * the value from the X register.
1876		 */
1877		s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1878		s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1879		sappend(s, s2);
1880		s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1881		s2->s.k = 0xf;
1882		sappend(s, s2);
1883		s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1884		s2->s.k = 2;
1885		sappend(s, s2);
1886
1887		/*
1888		 * The A register now contains the length of the IP header.
1889		 * We need to add to it the variable part of the offset of
1890		 * the link-layer payload, which is still in the X
1891		 * register, and move the result into the X register.
1892		 */
1893		sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1894		sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1895	} else {
1896		/*
1897		 * The offset of the link-layer payload is a constant,
1898		 * so no code was generated to load the (non-existent)
1899		 * variable part of that offset.
1900		 *
1901		 * This means we can use the 4*([k]&0xf) addressing
1902		 * mode.  Load the length of the IPv4 header, which
1903		 * is at an offset of cstate->off_nl from the beginning of
1904		 * the link-layer payload, and thus at an offset of
1905		 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1906		 * of the raw packet data, using that addressing mode.
1907		 */
1908		s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1909		s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1910	}
1911	return s;
1912}
1913
1914
1915static struct block *
1916gen_uncond(compiler_state_t *cstate, int rsense)
1917{
1918	struct block *b;
1919	struct slist *s;
1920
1921	s = new_stmt(cstate, BPF_LD|BPF_IMM);
1922	s->s.k = !rsense;
1923	b = new_block(cstate, JMP(BPF_JEQ));
1924	b->stmts = s;
1925
1926	return b;
1927}
1928
1929static inline struct block *
1930gen_true(compiler_state_t *cstate)
1931{
1932	return gen_uncond(cstate, 1);
1933}
1934
1935static inline struct block *
1936gen_false(compiler_state_t *cstate)
1937{
1938	return gen_uncond(cstate, 0);
1939}
1940
1941/*
1942 * Byte-swap a 32-bit number.
1943 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1944 * big-endian platforms.)
1945 */
1946#define	SWAPLONG(y) \
1947((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1948
1949/*
1950 * Generate code to match a particular packet type.
1951 *
1952 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1953 * value, if <= ETHERMTU.  We use that to determine whether to
1954 * match the type/length field or to check the type/length field for
1955 * a value <= ETHERMTU to see whether it's a type field and then do
1956 * the appropriate test.
1957 */
1958static struct block *
1959gen_ether_linktype(compiler_state_t *cstate, int proto)
1960{
1961	struct block *b0, *b1;
1962
1963	switch (proto) {
1964
1965	case LLCSAP_ISONS:
1966	case LLCSAP_IP:
1967	case LLCSAP_NETBEUI:
1968		/*
1969		 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1970		 * so we check the DSAP and SSAP.
1971		 *
1972		 * LLCSAP_IP checks for IP-over-802.2, rather
1973		 * than IP-over-Ethernet or IP-over-SNAP.
1974		 *
1975		 * XXX - should we check both the DSAP and the
1976		 * SSAP, like this, or should we check just the
1977		 * DSAP, as we do for other types <= ETHERMTU
1978		 * (i.e., other SAP values)?
1979		 */
1980		b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1981		gen_not(b0);
1982		b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
1983			     ((proto << 8) | proto));
1984		gen_and(b0, b1);
1985		return b1;
1986
1987	case LLCSAP_IPX:
1988		/*
1989		 * Check for;
1990		 *
1991		 *	Ethernet_II frames, which are Ethernet
1992		 *	frames with a frame type of ETHERTYPE_IPX;
1993		 *
1994		 *	Ethernet_802.3 frames, which are 802.3
1995		 *	frames (i.e., the type/length field is
1996		 *	a length field, <= ETHERMTU, rather than
1997		 *	a type field) with the first two bytes
1998		 *	after the Ethernet/802.3 header being
1999		 *	0xFFFF;
2000		 *
2001		 *	Ethernet_802.2 frames, which are 802.3
2002		 *	frames with an 802.2 LLC header and
2003		 *	with the IPX LSAP as the DSAP in the LLC
2004		 *	header;
2005		 *
2006		 *	Ethernet_SNAP frames, which are 802.3
2007		 *	frames with an LLC header and a SNAP
2008		 *	header and with an OUI of 0x000000
2009		 *	(encapsulated Ethernet) and a protocol
2010		 *	ID of ETHERTYPE_IPX in the SNAP header.
2011		 *
2012		 * XXX - should we generate the same code both
2013		 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2014		 */
2015
2016		/*
2017		 * This generates code to check both for the
2018		 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2019		 */
2020		b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2021		b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
2022		gen_or(b0, b1);
2023
2024		/*
2025		 * Now we add code to check for SNAP frames with
2026		 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2027		 */
2028		b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2029		gen_or(b0, b1);
2030
2031		/*
2032		 * Now we generate code to check for 802.3
2033		 * frames in general.
2034		 */
2035		b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2036		gen_not(b0);
2037
2038		/*
2039		 * Now add the check for 802.3 frames before the
2040		 * check for Ethernet_802.2 and Ethernet_802.3,
2041		 * as those checks should only be done on 802.3
2042		 * frames, not on Ethernet frames.
2043		 */
2044		gen_and(b0, b1);
2045
2046		/*
2047		 * Now add the check for Ethernet_II frames, and
2048		 * do that before checking for the other frame
2049		 * types.
2050		 */
2051		b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2052		gen_or(b0, b1);
2053		return b1;
2054
2055	case ETHERTYPE_ATALK:
2056	case ETHERTYPE_AARP:
2057		/*
2058		 * EtherTalk (AppleTalk protocols on Ethernet link
2059		 * layer) may use 802.2 encapsulation.
2060		 */
2061
2062		/*
2063		 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2064		 * we check for an Ethernet type field less than
2065		 * 1500, which means it's an 802.3 length field.
2066		 */
2067		b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2068		gen_not(b0);
2069
2070		/*
2071		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2072		 * SNAP packets with an organization code of
2073		 * 0x080007 (Apple, for Appletalk) and a protocol
2074		 * type of ETHERTYPE_ATALK (Appletalk).
2075		 *
2076		 * 802.2-encapsulated ETHERTYPE_AARP packets are
2077		 * SNAP packets with an organization code of
2078		 * 0x000000 (encapsulated Ethernet) and a protocol
2079		 * type of ETHERTYPE_AARP (Appletalk ARP).
2080		 */
2081		if (proto == ETHERTYPE_ATALK)
2082			b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2083		else	/* proto == ETHERTYPE_AARP */
2084			b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2085		gen_and(b0, b1);
2086
2087		/*
2088		 * Check for Ethernet encapsulation (Ethertalk
2089		 * phase 1?); we just check for the Ethernet
2090		 * protocol type.
2091		 */
2092		b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2093
2094		gen_or(b0, b1);
2095		return b1;
2096
2097	default:
2098		if (proto <= ETHERMTU) {
2099			/*
2100			 * This is an LLC SAP value, so the frames
2101			 * that match would be 802.2 frames.
2102			 * Check that the frame is an 802.2 frame
2103			 * (i.e., that the length/type field is
2104			 * a length field, <= ETHERMTU) and
2105			 * then check the DSAP.
2106			 */
2107			b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2108			gen_not(b0);
2109			b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto);
2110			gen_and(b0, b1);
2111			return b1;
2112		} else {
2113			/*
2114			 * This is an Ethernet type, so compare
2115			 * the length/type field with it (if
2116			 * the frame is an 802.2 frame, the length
2117			 * field will be <= ETHERMTU, and, as
2118			 * "proto" is > ETHERMTU, this test
2119			 * will fail and the frame won't match,
2120			 * which is what we want).
2121			 */
2122			return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
2123			    (bpf_int32)proto);
2124		}
2125	}
2126}
2127
2128static struct block *
2129gen_loopback_linktype(compiler_state_t *cstate, int proto)
2130{
2131	/*
2132	 * For DLT_NULL, the link-layer header is a 32-bit word
2133	 * containing an AF_ value in *host* byte order, and for
2134	 * DLT_ENC, the link-layer header begins with a 32-bit
2135	 * word containing an AF_ value in host byte order.
2136	 *
2137	 * In addition, if we're reading a saved capture file,
2138	 * the host byte order in the capture may not be the
2139	 * same as the host byte order on this machine.
2140	 *
2141	 * For DLT_LOOP, the link-layer header is a 32-bit
2142	 * word containing an AF_ value in *network* byte order.
2143	 */
2144	if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2145		/*
2146		 * The AF_ value is in host byte order, but the BPF
2147		 * interpreter will convert it to network byte order.
2148		 *
2149		 * If this is a save file, and it's from a machine
2150		 * with the opposite byte order to ours, we byte-swap
2151		 * the AF_ value.
2152		 *
2153		 * Then we run it through "htonl()", and generate
2154		 * code to compare against the result.
2155		 */
2156		if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2157			proto = SWAPLONG(proto);
2158		proto = htonl(proto);
2159	}
2160	return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto));
2161}
2162
2163/*
2164 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2165 * or IPv6 then we have an error.
2166 */
2167static struct block *
2168gen_ipnet_linktype(compiler_state_t *cstate, int proto)
2169{
2170	switch (proto) {
2171
2172	case ETHERTYPE_IP:
2173		return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET);
2174		/*NOTREACHED*/
2175
2176	case ETHERTYPE_IPV6:
2177		return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
2178		    (bpf_int32)IPH_AF_INET6);
2179		/*NOTREACHED*/
2180
2181	default:
2182		break;
2183	}
2184
2185	return gen_false(cstate);
2186}
2187
2188/*
2189 * Generate code to match a particular packet type.
2190 *
2191 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2192 * value, if <= ETHERMTU.  We use that to determine whether to
2193 * match the type field or to check the type field for the special
2194 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2195 */
2196static struct block *
2197gen_linux_sll_linktype(compiler_state_t *cstate, int proto)
2198{
2199	struct block *b0, *b1;
2200
2201	switch (proto) {
2202
2203	case LLCSAP_ISONS:
2204	case LLCSAP_IP:
2205	case LLCSAP_NETBEUI:
2206		/*
2207		 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2208		 * so we check the DSAP and SSAP.
2209		 *
2210		 * LLCSAP_IP checks for IP-over-802.2, rather
2211		 * than IP-over-Ethernet or IP-over-SNAP.
2212		 *
2213		 * XXX - should we check both the DSAP and the
2214		 * SSAP, like this, or should we check just the
2215		 * DSAP, as we do for other types <= ETHERMTU
2216		 * (i.e., other SAP values)?
2217		 */
2218		b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2219		b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
2220			     ((proto << 8) | proto));
2221		gen_and(b0, b1);
2222		return b1;
2223
2224	case LLCSAP_IPX:
2225		/*
2226		 *	Ethernet_II frames, which are Ethernet
2227		 *	frames with a frame type of ETHERTYPE_IPX;
2228		 *
2229		 *	Ethernet_802.3 frames, which have a frame
2230		 *	type of LINUX_SLL_P_802_3;
2231		 *
2232		 *	Ethernet_802.2 frames, which are 802.3
2233		 *	frames with an 802.2 LLC header (i.e, have
2234		 *	a frame type of LINUX_SLL_P_802_2) and
2235		 *	with the IPX LSAP as the DSAP in the LLC
2236		 *	header;
2237		 *
2238		 *	Ethernet_SNAP frames, which are 802.3
2239		 *	frames with an LLC header and a SNAP
2240		 *	header and with an OUI of 0x000000
2241		 *	(encapsulated Ethernet) and a protocol
2242		 *	ID of ETHERTYPE_IPX in the SNAP header.
2243		 *
2244		 * First, do the checks on LINUX_SLL_P_802_2
2245		 * frames; generate the check for either
2246		 * Ethernet_802.2 or Ethernet_SNAP frames, and
2247		 * then put a check for LINUX_SLL_P_802_2 frames
2248		 * before it.
2249		 */
2250		b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2251		b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2252		gen_or(b0, b1);
2253		b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2254		gen_and(b0, b1);
2255
2256		/*
2257		 * Now check for 802.3 frames and OR that with
2258		 * the previous test.
2259		 */
2260		b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2261		gen_or(b0, b1);
2262
2263		/*
2264		 * Now add the check for Ethernet_II frames, and
2265		 * do that before checking for the other frame
2266		 * types.
2267		 */
2268		b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2269		gen_or(b0, b1);
2270		return b1;
2271
2272	case ETHERTYPE_ATALK:
2273	case ETHERTYPE_AARP:
2274		/*
2275		 * EtherTalk (AppleTalk protocols on Ethernet link
2276		 * layer) may use 802.2 encapsulation.
2277		 */
2278
2279		/*
2280		 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2281		 * we check for the 802.2 protocol type in the
2282		 * "Ethernet type" field.
2283		 */
2284		b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2285
2286		/*
2287		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2288		 * SNAP packets with an organization code of
2289		 * 0x080007 (Apple, for Appletalk) and a protocol
2290		 * type of ETHERTYPE_ATALK (Appletalk).
2291		 *
2292		 * 802.2-encapsulated ETHERTYPE_AARP packets are
2293		 * SNAP packets with an organization code of
2294		 * 0x000000 (encapsulated Ethernet) and a protocol
2295		 * type of ETHERTYPE_AARP (Appletalk ARP).
2296		 */
2297		if (proto == ETHERTYPE_ATALK)
2298			b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2299		else	/* proto == ETHERTYPE_AARP */
2300			b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2301		gen_and(b0, b1);
2302
2303		/*
2304		 * Check for Ethernet encapsulation (Ethertalk
2305		 * phase 1?); we just check for the Ethernet
2306		 * protocol type.
2307		 */
2308		b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2309
2310		gen_or(b0, b1);
2311		return b1;
2312
2313	default:
2314		if (proto <= ETHERMTU) {
2315			/*
2316			 * This is an LLC SAP value, so the frames
2317			 * that match would be 802.2 frames.
2318			 * Check for the 802.2 protocol type
2319			 * in the "Ethernet type" field, and
2320			 * then check the DSAP.
2321			 */
2322			b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2323			b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2324			     (bpf_int32)proto);
2325			gen_and(b0, b1);
2326			return b1;
2327		} else {
2328			/*
2329			 * This is an Ethernet type, so compare
2330			 * the length/type field with it (if
2331			 * the frame is an 802.2 frame, the length
2332			 * field will be <= ETHERMTU, and, as
2333			 * "proto" is > ETHERMTU, this test
2334			 * will fail and the frame won't match,
2335			 * which is what we want).
2336			 */
2337			return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2338		}
2339	}
2340}
2341
2342static struct slist *
2343gen_load_prism_llprefixlen(compiler_state_t *cstate)
2344{
2345	struct slist *s1, *s2;
2346	struct slist *sjeq_avs_cookie;
2347	struct slist *sjcommon;
2348
2349	/*
2350	 * This code is not compatible with the optimizer, as
2351	 * we are generating jmp instructions within a normal
2352	 * slist of instructions
2353	 */
2354	cstate->no_optimize = 1;
2355
2356	/*
2357	 * Generate code to load the length of the radio header into
2358	 * the register assigned to hold that length, if one has been
2359	 * assigned.  (If one hasn't been assigned, no code we've
2360	 * generated uses that prefix, so we don't need to generate any
2361	 * code to load it.)
2362	 *
2363	 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2364	 * or always use the AVS header rather than the Prism header.
2365	 * We load a 4-byte big-endian value at the beginning of the
2366	 * raw packet data, and see whether, when masked with 0xFFFFF000,
2367	 * it's equal to 0x80211000.  If so, that indicates that it's
2368	 * an AVS header (the masked-out bits are the version number).
2369	 * Otherwise, it's a Prism header.
2370	 *
2371	 * XXX - the Prism header is also, in theory, variable-length,
2372	 * but no known software generates headers that aren't 144
2373	 * bytes long.
2374	 */
2375	if (cstate->off_linkhdr.reg != -1) {
2376		/*
2377		 * Load the cookie.
2378		 */
2379		s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2380		s1->s.k = 0;
2381
2382		/*
2383		 * AND it with 0xFFFFF000.
2384		 */
2385		s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2386		s2->s.k = 0xFFFFF000;
2387		sappend(s1, s2);
2388
2389		/*
2390		 * Compare with 0x80211000.
2391		 */
2392		sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2393		sjeq_avs_cookie->s.k = 0x80211000;
2394		sappend(s1, sjeq_avs_cookie);
2395
2396		/*
2397		 * If it's AVS:
2398		 *
2399		 * The 4 bytes at an offset of 4 from the beginning of
2400		 * the AVS header are the length of the AVS header.
2401		 * That field is big-endian.
2402		 */
2403		s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2404		s2->s.k = 4;
2405		sappend(s1, s2);
2406		sjeq_avs_cookie->s.jt = s2;
2407
2408		/*
2409		 * Now jump to the code to allocate a register
2410		 * into which to save the header length and
2411		 * store the length there.  (The "jump always"
2412		 * instruction needs to have the k field set;
2413		 * it's added to the PC, so, as we're jumping
2414		 * over a single instruction, it should be 1.)
2415		 */
2416		sjcommon = new_stmt(cstate, JMP(BPF_JA));
2417		sjcommon->s.k = 1;
2418		sappend(s1, sjcommon);
2419
2420		/*
2421		 * Now for the code that handles the Prism header.
2422		 * Just load the length of the Prism header (144)
2423		 * into the A register.  Have the test for an AVS
2424		 * header branch here if we don't have an AVS header.
2425		 */
2426		s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2427		s2->s.k = 144;
2428		sappend(s1, s2);
2429		sjeq_avs_cookie->s.jf = s2;
2430
2431		/*
2432		 * Now allocate a register to hold that value and store
2433		 * it.  The code for the AVS header will jump here after
2434		 * loading the length of the AVS header.
2435		 */
2436		s2 = new_stmt(cstate, BPF_ST);
2437		s2->s.k = cstate->off_linkhdr.reg;
2438		sappend(s1, s2);
2439		sjcommon->s.jf = s2;
2440
2441		/*
2442		 * Now move it into the X register.
2443		 */
2444		s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2445		sappend(s1, s2);
2446
2447		return (s1);
2448	} else
2449		return (NULL);
2450}
2451
2452static struct slist *
2453gen_load_avs_llprefixlen(compiler_state_t *cstate)
2454{
2455	struct slist *s1, *s2;
2456
2457	/*
2458	 * Generate code to load the length of the AVS header into
2459	 * the register assigned to hold that length, if one has been
2460	 * assigned.  (If one hasn't been assigned, no code we've
2461	 * generated uses that prefix, so we don't need to generate any
2462	 * code to load it.)
2463	 */
2464	if (cstate->off_linkhdr.reg != -1) {
2465		/*
2466		 * The 4 bytes at an offset of 4 from the beginning of
2467		 * the AVS header are the length of the AVS header.
2468		 * That field is big-endian.
2469		 */
2470		s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2471		s1->s.k = 4;
2472
2473		/*
2474		 * Now allocate a register to hold that value and store
2475		 * it.
2476		 */
2477		s2 = new_stmt(cstate, BPF_ST);
2478		s2->s.k = cstate->off_linkhdr.reg;
2479		sappend(s1, s2);
2480
2481		/*
2482		 * Now move it into the X register.
2483		 */
2484		s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2485		sappend(s1, s2);
2486
2487		return (s1);
2488	} else
2489		return (NULL);
2490}
2491
2492static struct slist *
2493gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2494{
2495	struct slist *s1, *s2;
2496
2497	/*
2498	 * Generate code to load the length of the radiotap header into
2499	 * the register assigned to hold that length, if one has been
2500	 * assigned.  (If one hasn't been assigned, no code we've
2501	 * generated uses that prefix, so we don't need to generate any
2502	 * code to load it.)
2503	 */
2504	if (cstate->off_linkhdr.reg != -1) {
2505		/*
2506		 * The 2 bytes at offsets of 2 and 3 from the beginning
2507		 * of the radiotap header are the length of the radiotap
2508		 * header; unfortunately, it's little-endian, so we have
2509		 * to load it a byte at a time and construct the value.
2510		 */
2511
2512		/*
2513		 * Load the high-order byte, at an offset of 3, shift it
2514		 * left a byte, and put the result in the X register.
2515		 */
2516		s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2517		s1->s.k = 3;
2518		s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2519		sappend(s1, s2);
2520		s2->s.k = 8;
2521		s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2522		sappend(s1, s2);
2523
2524		/*
2525		 * Load the next byte, at an offset of 2, and OR the
2526		 * value from the X register into it.
2527		 */
2528		s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2529		sappend(s1, s2);
2530		s2->s.k = 2;
2531		s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2532		sappend(s1, s2);
2533
2534		/*
2535		 * Now allocate a register to hold that value and store
2536		 * it.
2537		 */
2538		s2 = new_stmt(cstate, BPF_ST);
2539		s2->s.k = cstate->off_linkhdr.reg;
2540		sappend(s1, s2);
2541
2542		/*
2543		 * Now move it into the X register.
2544		 */
2545		s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2546		sappend(s1, s2);
2547
2548		return (s1);
2549	} else
2550		return (NULL);
2551}
2552
2553/*
2554 * At the moment we treat PPI as normal Radiotap encoded
2555 * packets. The difference is in the function that generates
2556 * the code at the beginning to compute the header length.
2557 * Since this code generator of PPI supports bare 802.11
2558 * encapsulation only (i.e. the encapsulated DLT should be
2559 * DLT_IEEE802_11) we generate code to check for this too;
2560 * that's done in finish_parse().
2561 */
2562static struct slist *
2563gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2564{
2565	struct slist *s1, *s2;
2566
2567	/*
2568	 * Generate code to load the length of the radiotap header
2569	 * into the register assigned to hold that length, if one has
2570	 * been assigned.
2571	 */
2572	if (cstate->off_linkhdr.reg != -1) {
2573		/*
2574		 * The 2 bytes at offsets of 2 and 3 from the beginning
2575		 * of the radiotap header are the length of the radiotap
2576		 * header; unfortunately, it's little-endian, so we have
2577		 * to load it a byte at a time and construct the value.
2578		 */
2579
2580		/*
2581		 * Load the high-order byte, at an offset of 3, shift it
2582		 * left a byte, and put the result in the X register.
2583		 */
2584		s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2585		s1->s.k = 3;
2586		s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2587		sappend(s1, s2);
2588		s2->s.k = 8;
2589		s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2590		sappend(s1, s2);
2591
2592		/*
2593		 * Load the next byte, at an offset of 2, and OR the
2594		 * value from the X register into it.
2595		 */
2596		s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2597		sappend(s1, s2);
2598		s2->s.k = 2;
2599		s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2600		sappend(s1, s2);
2601
2602		/*
2603		 * Now allocate a register to hold that value and store
2604		 * it.
2605		 */
2606		s2 = new_stmt(cstate, BPF_ST);
2607		s2->s.k = cstate->off_linkhdr.reg;
2608		sappend(s1, s2);
2609
2610		/*
2611		 * Now move it into the X register.
2612		 */
2613		s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2614		sappend(s1, s2);
2615
2616		return (s1);
2617	} else
2618		return (NULL);
2619}
2620
2621/*
2622 * Load a value relative to the beginning of the link-layer header after the 802.11
2623 * header, i.e. LLC_SNAP.
2624 * The link-layer header doesn't necessarily begin at the beginning
2625 * of the packet data; there might be a variable-length prefix containing
2626 * radio information.
2627 */
2628static struct slist *
2629gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2630{
2631	struct slist *s2;
2632	struct slist *sjset_data_frame_1;
2633	struct slist *sjset_data_frame_2;
2634	struct slist *sjset_qos;
2635	struct slist *sjset_radiotap_flags_present;
2636	struct slist *sjset_radiotap_ext_present;
2637	struct slist *sjset_radiotap_tsft_present;
2638	struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2639	struct slist *s_roundup;
2640
2641	if (cstate->off_linkpl.reg == -1) {
2642		/*
2643		 * No register has been assigned to the offset of
2644		 * the link-layer payload, which means nobody needs
2645		 * it; don't bother computing it - just return
2646		 * what we already have.
2647		 */
2648		return (s);
2649	}
2650
2651	/*
2652	 * This code is not compatible with the optimizer, as
2653	 * we are generating jmp instructions within a normal
2654	 * slist of instructions
2655	 */
2656	cstate->no_optimize = 1;
2657
2658	/*
2659	 * If "s" is non-null, it has code to arrange that the X register
2660	 * contains the length of the prefix preceding the link-layer
2661	 * header.
2662	 *
2663	 * Otherwise, the length of the prefix preceding the link-layer
2664	 * header is "off_outermostlinkhdr.constant_part".
2665	 */
2666	if (s == NULL) {
2667		/*
2668		 * There is no variable-length header preceding the
2669		 * link-layer header.
2670		 *
2671		 * Load the length of the fixed-length prefix preceding
2672		 * the link-layer header (if any) into the X register,
2673		 * and store it in the cstate->off_linkpl.reg register.
2674		 * That length is off_outermostlinkhdr.constant_part.
2675		 */
2676		s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2677		s->s.k = cstate->off_outermostlinkhdr.constant_part;
2678	}
2679
2680	/*
2681	 * The X register contains the offset of the beginning of the
2682	 * link-layer header; add 24, which is the minimum length
2683	 * of the MAC header for a data frame, to that, and store it
2684	 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2685	 * which is at the offset in the X register, with an indexed load.
2686	 */
2687	s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2688	sappend(s, s2);
2689	s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2690	s2->s.k = 24;
2691	sappend(s, s2);
2692	s2 = new_stmt(cstate, BPF_ST);
2693	s2->s.k = cstate->off_linkpl.reg;
2694	sappend(s, s2);
2695
2696	s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2697	s2->s.k = 0;
2698	sappend(s, s2);
2699
2700	/*
2701	 * Check the Frame Control field to see if this is a data frame;
2702	 * a data frame has the 0x08 bit (b3) in that field set and the
2703	 * 0x04 bit (b2) clear.
2704	 */
2705	sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2706	sjset_data_frame_1->s.k = 0x08;
2707	sappend(s, sjset_data_frame_1);
2708
2709	/*
2710	 * If b3 is set, test b2, otherwise go to the first statement of
2711	 * the rest of the program.
2712	 */
2713	sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2714	sjset_data_frame_2->s.k = 0x04;
2715	sappend(s, sjset_data_frame_2);
2716	sjset_data_frame_1->s.jf = snext;
2717
2718	/*
2719	 * If b2 is not set, this is a data frame; test the QoS bit.
2720	 * Otherwise, go to the first statement of the rest of the
2721	 * program.
2722	 */
2723	sjset_data_frame_2->s.jt = snext;
2724	sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2725	sjset_qos->s.k = 0x80;	/* QoS bit */
2726	sappend(s, sjset_qos);
2727
2728	/*
2729	 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2730	 * field.
2731	 * Otherwise, go to the first statement of the rest of the
2732	 * program.
2733	 */
2734	sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2735	s2->s.k = cstate->off_linkpl.reg;
2736	sappend(s, s2);
2737	s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2738	s2->s.k = 2;
2739	sappend(s, s2);
2740	s2 = new_stmt(cstate, BPF_ST);
2741	s2->s.k = cstate->off_linkpl.reg;
2742	sappend(s, s2);
2743
2744	/*
2745	 * If we have a radiotap header, look at it to see whether
2746	 * there's Atheros padding between the MAC-layer header
2747	 * and the payload.
2748	 *
2749	 * Note: all of the fields in the radiotap header are
2750	 * little-endian, so we byte-swap all of the values
2751	 * we test against, as they will be loaded as big-endian
2752	 * values.
2753	 *
2754	 * XXX - in the general case, we would have to scan through
2755	 * *all* the presence bits, if there's more than one word of
2756	 * presence bits.  That would require a loop, meaning that
2757	 * we wouldn't be able to run the filter in the kernel.
2758	 *
2759	 * We assume here that the Atheros adapters that insert the
2760	 * annoying padding don't have multiple antennae and therefore
2761	 * do not generate radiotap headers with multiple presence words.
2762	 */
2763	if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2764		/*
2765		 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2766		 * in the first presence flag word?
2767		 */
2768		sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2769		s2->s.k = 4;
2770		sappend(s, s2);
2771
2772		sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2773		sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2774		sappend(s, sjset_radiotap_flags_present);
2775
2776		/*
2777		 * If not, skip all of this.
2778		 */
2779		sjset_radiotap_flags_present->s.jf = snext;
2780
2781		/*
2782		 * Otherwise, is the "extension" bit set in that word?
2783		 */
2784		sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2785		sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2786		sappend(s, sjset_radiotap_ext_present);
2787		sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2788
2789		/*
2790		 * If so, skip all of this.
2791		 */
2792		sjset_radiotap_ext_present->s.jt = snext;
2793
2794		/*
2795		 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2796		 */
2797		sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2798		sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2799		sappend(s, sjset_radiotap_tsft_present);
2800		sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2801
2802		/*
2803		 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2804		 * at an offset of 16 from the beginning of the raw packet
2805		 * data (8 bytes for the radiotap header and 8 bytes for
2806		 * the TSFT field).
2807		 *
2808		 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2809		 * is set.
2810		 */
2811		s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2812		s2->s.k = 16;
2813		sappend(s, s2);
2814		sjset_radiotap_tsft_present->s.jt = s2;
2815
2816		sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2817		sjset_tsft_datapad->s.k = 0x20;
2818		sappend(s, sjset_tsft_datapad);
2819
2820		/*
2821		 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2822		 * at an offset of 8 from the beginning of the raw packet
2823		 * data (8 bytes for the radiotap header).
2824		 *
2825		 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2826		 * is set.
2827		 */
2828		s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2829		s2->s.k = 8;
2830		sappend(s, s2);
2831		sjset_radiotap_tsft_present->s.jf = s2;
2832
2833		sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2834		sjset_notsft_datapad->s.k = 0x20;
2835		sappend(s, sjset_notsft_datapad);
2836
2837		/*
2838		 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2839		 * set, round the length of the 802.11 header to
2840		 * a multiple of 4.  Do that by adding 3 and then
2841		 * dividing by and multiplying by 4, which we do by
2842		 * ANDing with ~3.
2843		 */
2844		s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2845		s_roundup->s.k = cstate->off_linkpl.reg;
2846		sappend(s, s_roundup);
2847		s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2848		s2->s.k = 3;
2849		sappend(s, s2);
2850		s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2851		s2->s.k = ~3;
2852		sappend(s, s2);
2853		s2 = new_stmt(cstate, BPF_ST);
2854		s2->s.k = cstate->off_linkpl.reg;
2855		sappend(s, s2);
2856
2857		sjset_tsft_datapad->s.jt = s_roundup;
2858		sjset_tsft_datapad->s.jf = snext;
2859		sjset_notsft_datapad->s.jt = s_roundup;
2860		sjset_notsft_datapad->s.jf = snext;
2861	} else
2862		sjset_qos->s.jf = snext;
2863
2864	return s;
2865}
2866
2867static void
2868insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
2869{
2870	struct slist *s;
2871
2872	/* There is an implicit dependency between the link
2873	 * payload and link header since the payload computation
2874	 * includes the variable part of the header. Therefore,
2875	 * if nobody else has allocated a register for the link
2876	 * header and we need it, do it now. */
2877	if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2878	    cstate->off_linkhdr.reg == -1)
2879		cstate->off_linkhdr.reg = alloc_reg(cstate);
2880
2881	/*
2882	 * For link-layer types that have a variable-length header
2883	 * preceding the link-layer header, generate code to load
2884	 * the offset of the link-layer header into the register
2885	 * assigned to that offset, if any.
2886	 *
2887	 * XXX - this, and the next switch statement, won't handle
2888	 * encapsulation of 802.11 or 802.11+radio information in
2889	 * some other protocol stack.  That's significantly more
2890	 * complicated.
2891	 */
2892	switch (cstate->outermostlinktype) {
2893
2894	case DLT_PRISM_HEADER:
2895		s = gen_load_prism_llprefixlen(cstate);
2896		break;
2897
2898	case DLT_IEEE802_11_RADIO_AVS:
2899		s = gen_load_avs_llprefixlen(cstate);
2900		break;
2901
2902	case DLT_IEEE802_11_RADIO:
2903		s = gen_load_radiotap_llprefixlen(cstate);
2904		break;
2905
2906	case DLT_PPI:
2907		s = gen_load_ppi_llprefixlen(cstate);
2908		break;
2909
2910	default:
2911		s = NULL;
2912		break;
2913	}
2914
2915	/*
2916	 * For link-layer types that have a variable-length link-layer
2917	 * header, generate code to load the offset of the link-layer
2918	 * payload into the register assigned to that offset, if any.
2919	 */
2920	switch (cstate->outermostlinktype) {
2921
2922	case DLT_IEEE802_11:
2923	case DLT_PRISM_HEADER:
2924	case DLT_IEEE802_11_RADIO_AVS:
2925	case DLT_IEEE802_11_RADIO:
2926	case DLT_PPI:
2927		s = gen_load_802_11_header_len(cstate, s, b->stmts);
2928		break;
2929	}
2930
2931	/*
2932	 * If there there is no initialization yet and we need variable
2933	 * length offsets for VLAN, initialize them to zero
2934	 */
2935	if (s == NULL && cstate->is_vlan_vloffset) {
2936		struct slist *s2;
2937
2938		if (cstate->off_linkpl.reg == -1)
2939			cstate->off_linkpl.reg = alloc_reg(cstate);
2940		if (cstate->off_linktype.reg == -1)
2941			cstate->off_linktype.reg = alloc_reg(cstate);
2942
2943		s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2944		s->s.k = 0;
2945		s2 = new_stmt(cstate, BPF_ST);
2946		s2->s.k = cstate->off_linkpl.reg;
2947		sappend(s, s2);
2948		s2 = new_stmt(cstate, BPF_ST);
2949		s2->s.k = cstate->off_linktype.reg;
2950		sappend(s, s2);
2951	}
2952
2953	/*
2954	 * If we have any offset-loading code, append all the
2955	 * existing statements in the block to those statements,
2956	 * and make the resulting list the list of statements
2957	 * for the block.
2958	 */
2959	if (s != NULL) {
2960		sappend(s, b->stmts);
2961		b->stmts = s;
2962	}
2963}
2964
2965static struct block *
2966gen_ppi_dlt_check(compiler_state_t *cstate)
2967{
2968	struct slist *s_load_dlt;
2969	struct block *b;
2970
2971	if (cstate->linktype == DLT_PPI)
2972	{
2973		/* Create the statements that check for the DLT
2974		 */
2975		s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2976		s_load_dlt->s.k = 4;
2977
2978		b = new_block(cstate, JMP(BPF_JEQ));
2979
2980		b->stmts = s_load_dlt;
2981		b->s.k = SWAPLONG(DLT_IEEE802_11);
2982	}
2983	else
2984	{
2985		b = NULL;
2986	}
2987
2988	return b;
2989}
2990
2991/*
2992 * Take an absolute offset, and:
2993 *
2994 *    if it has no variable part, return NULL;
2995 *
2996 *    if it has a variable part, generate code to load the register
2997 *    containing that variable part into the X register, returning
2998 *    a pointer to that code - if no register for that offset has
2999 *    been allocated, allocate it first.
3000 *
3001 * (The code to set that register will be generated later, but will
3002 * be placed earlier in the code sequence.)
3003 */
3004static struct slist *
3005gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3006{
3007	struct slist *s;
3008
3009	if (off->is_variable) {
3010		if (off->reg == -1) {
3011			/*
3012			 * We haven't yet assigned a register for the
3013			 * variable part of the offset of the link-layer
3014			 * header; allocate one.
3015			 */
3016			off->reg = alloc_reg(cstate);
3017		}
3018
3019		/*
3020		 * Load the register containing the variable part of the
3021		 * offset of the link-layer header into the X register.
3022		 */
3023		s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3024		s->s.k = off->reg;
3025		return s;
3026	} else {
3027		/*
3028		 * That offset isn't variable, there's no variable part,
3029		 * so we don't need to generate any code.
3030		 */
3031		return NULL;
3032	}
3033}
3034
3035/*
3036 * Map an Ethernet type to the equivalent PPP type.
3037 */
3038static int
3039ethertype_to_ppptype(int proto)
3040{
3041	switch (proto) {
3042
3043	case ETHERTYPE_IP:
3044		proto = PPP_IP;
3045		break;
3046
3047	case ETHERTYPE_IPV6:
3048		proto = PPP_IPV6;
3049		break;
3050
3051	case ETHERTYPE_DN:
3052		proto = PPP_DECNET;
3053		break;
3054
3055	case ETHERTYPE_ATALK:
3056		proto = PPP_APPLE;
3057		break;
3058
3059	case ETHERTYPE_NS:
3060		proto = PPP_NS;
3061		break;
3062
3063	case LLCSAP_ISONS:
3064		proto = PPP_OSI;
3065		break;
3066
3067	case LLCSAP_8021D:
3068		/*
3069		 * I'm assuming the "Bridging PDU"s that go
3070		 * over PPP are Spanning Tree Protocol
3071		 * Bridging PDUs.
3072		 */
3073		proto = PPP_BRPDU;
3074		break;
3075
3076	case LLCSAP_IPX:
3077		proto = PPP_IPX;
3078		break;
3079	}
3080	return (proto);
3081}
3082
3083/*
3084 * Generate any tests that, for encapsulation of a link-layer packet
3085 * inside another protocol stack, need to be done to check for those
3086 * link-layer packets (and that haven't already been done by a check
3087 * for that encapsulation).
3088 */
3089static struct block *
3090gen_prevlinkhdr_check(compiler_state_t *cstate)
3091{
3092	struct block *b0;
3093
3094	if (cstate->is_geneve)
3095		return gen_geneve_ll_check(cstate);
3096
3097	switch (cstate->prevlinktype) {
3098
3099	case DLT_SUNATM:
3100		/*
3101		 * This is LANE-encapsulated Ethernet; check that the LANE
3102		 * packet doesn't begin with an LE Control marker, i.e.
3103		 * that it's data, not a control message.
3104		 *
3105		 * (We've already generated a test for LANE.)
3106		 */
3107		b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3108		gen_not(b0);
3109		return b0;
3110
3111	default:
3112		/*
3113		 * No such tests are necessary.
3114		 */
3115		return NULL;
3116	}
3117	/*NOTREACHED*/
3118}
3119
3120/*
3121 * The three different values we should check for when checking for an
3122 * IPv6 packet with DLT_NULL.
3123 */
3124#define BSD_AFNUM_INET6_BSD	24	/* NetBSD, OpenBSD, BSD/OS, Npcap */
3125#define BSD_AFNUM_INET6_FREEBSD	28	/* FreeBSD */
3126#define BSD_AFNUM_INET6_DARWIN	30	/* macOS, iOS, other Darwin-based OSes */
3127
3128/*
3129 * Generate code to match a particular packet type by matching the
3130 * link-layer type field or fields in the 802.2 LLC header.
3131 *
3132 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3133 * value, if <= ETHERMTU.
3134 */
3135static struct block *
3136gen_linktype(compiler_state_t *cstate, int proto)
3137{
3138	struct block *b0, *b1, *b2;
3139	const char *description;
3140
3141	/* are we checking MPLS-encapsulated packets? */
3142	if (cstate->label_stack_depth > 0) {
3143		switch (proto) {
3144		case ETHERTYPE_IP:
3145		case PPP_IP:
3146			/* FIXME add other L3 proto IDs */
3147			return gen_mpls_linktype(cstate, Q_IP);
3148
3149		case ETHERTYPE_IPV6:
3150		case PPP_IPV6:
3151			/* FIXME add other L3 proto IDs */
3152			return gen_mpls_linktype(cstate, Q_IPV6);
3153
3154		default:
3155			bpf_error(cstate, "unsupported protocol over mpls");
3156			/*NOTREACHED*/
3157		}
3158	}
3159
3160	switch (cstate->linktype) {
3161
3162	case DLT_EN10MB:
3163	case DLT_NETANALYZER:
3164	case DLT_NETANALYZER_TRANSPARENT:
3165		/* Geneve has an EtherType regardless of whether there is an
3166		 * L2 header. */
3167		if (!cstate->is_geneve)
3168			b0 = gen_prevlinkhdr_check(cstate);
3169		else
3170			b0 = NULL;
3171
3172		b1 = gen_ether_linktype(cstate, proto);
3173		if (b0 != NULL)
3174			gen_and(b0, b1);
3175		return b1;
3176		/*NOTREACHED*/
3177
3178	case DLT_C_HDLC:
3179		switch (proto) {
3180
3181		case LLCSAP_ISONS:
3182			proto = (proto << 8 | LLCSAP_ISONS);
3183			/* fall through */
3184
3185		default:
3186			return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3187			/*NOTREACHED*/
3188		}
3189
3190	case DLT_IEEE802_11:
3191	case DLT_PRISM_HEADER:
3192	case DLT_IEEE802_11_RADIO_AVS:
3193	case DLT_IEEE802_11_RADIO:
3194	case DLT_PPI:
3195		/*
3196		 * Check that we have a data frame.
3197		 */
3198		b0 = gen_check_802_11_data_frame(cstate);
3199
3200		/*
3201		 * Now check for the specified link-layer type.
3202		 */
3203		b1 = gen_llc_linktype(cstate, proto);
3204		gen_and(b0, b1);
3205		return b1;
3206		/*NOTREACHED*/
3207
3208	case DLT_FDDI:
3209		/*
3210		 * XXX - check for LLC frames.
3211		 */
3212		return gen_llc_linktype(cstate, proto);
3213		/*NOTREACHED*/
3214
3215	case DLT_IEEE802:
3216		/*
3217		 * XXX - check for LLC PDUs, as per IEEE 802.5.
3218		 */
3219		return gen_llc_linktype(cstate, proto);
3220		/*NOTREACHED*/
3221
3222	case DLT_ATM_RFC1483:
3223	case DLT_ATM_CLIP:
3224	case DLT_IP_OVER_FC:
3225		return gen_llc_linktype(cstate, proto);
3226		/*NOTREACHED*/
3227
3228	case DLT_SUNATM:
3229		/*
3230		 * Check for an LLC-encapsulated version of this protocol;
3231		 * if we were checking for LANE, linktype would no longer
3232		 * be DLT_SUNATM.
3233		 *
3234		 * Check for LLC encapsulation and then check the protocol.
3235		 */
3236		b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3237		b1 = gen_llc_linktype(cstate, proto);
3238		gen_and(b0, b1);
3239		return b1;
3240		/*NOTREACHED*/
3241
3242	case DLT_LINUX_SLL:
3243		return gen_linux_sll_linktype(cstate, proto);
3244		/*NOTREACHED*/
3245
3246	case DLT_SLIP:
3247	case DLT_SLIP_BSDOS:
3248	case DLT_RAW:
3249		/*
3250		 * These types don't provide any type field; packets
3251		 * are always IPv4 or IPv6.
3252		 *
3253		 * XXX - for IPv4, check for a version number of 4, and,
3254		 * for IPv6, check for a version number of 6?
3255		 */
3256		switch (proto) {
3257
3258		case ETHERTYPE_IP:
3259			/* Check for a version number of 4. */
3260			return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3261
3262		case ETHERTYPE_IPV6:
3263			/* Check for a version number of 6. */
3264			return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3265
3266		default:
3267			return gen_false(cstate);	/* always false */
3268		}
3269		/*NOTREACHED*/
3270
3271	case DLT_IPV4:
3272		/*
3273		 * Raw IPv4, so no type field.
3274		 */
3275		if (proto == ETHERTYPE_IP)
3276			return gen_true(cstate);	/* always true */
3277
3278		/* Checking for something other than IPv4; always false */
3279		return gen_false(cstate);
3280		/*NOTREACHED*/
3281
3282	case DLT_IPV6:
3283		/*
3284		 * Raw IPv6, so no type field.
3285		 */
3286		if (proto == ETHERTYPE_IPV6)
3287			return gen_true(cstate);	/* always true */
3288
3289		/* Checking for something other than IPv6; always false */
3290		return gen_false(cstate);
3291		/*NOTREACHED*/
3292
3293	case DLT_PPP:
3294	case DLT_PPP_PPPD:
3295	case DLT_PPP_SERIAL:
3296	case DLT_PPP_ETHER:
3297		/*
3298		 * We use Ethernet protocol types inside libpcap;
3299		 * map them to the corresponding PPP protocol types.
3300		 */
3301		proto = ethertype_to_ppptype(proto);
3302		return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3303		/*NOTREACHED*/
3304
3305	case DLT_PPP_BSDOS:
3306		/*
3307		 * We use Ethernet protocol types inside libpcap;
3308		 * map them to the corresponding PPP protocol types.
3309		 */
3310		switch (proto) {
3311
3312		case ETHERTYPE_IP:
3313			/*
3314			 * Also check for Van Jacobson-compressed IP.
3315			 * XXX - do this for other forms of PPP?
3316			 */
3317			b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3318			b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3319			gen_or(b0, b1);
3320			b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3321			gen_or(b1, b0);
3322			return b0;
3323
3324		default:
3325			proto = ethertype_to_ppptype(proto);
3326			return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3327				(bpf_int32)proto);
3328		}
3329		/*NOTREACHED*/
3330
3331	case DLT_NULL:
3332	case DLT_LOOP:
3333	case DLT_ENC:
3334		switch (proto) {
3335
3336		case ETHERTYPE_IP:
3337			return (gen_loopback_linktype(cstate, AF_INET));
3338
3339		case ETHERTYPE_IPV6:
3340			/*
3341			 * AF_ values may, unfortunately, be platform-
3342			 * dependent; AF_INET isn't, because everybody
3343			 * used 4.2BSD's value, but AF_INET6 is, because
3344			 * 4.2BSD didn't have a value for it (given that
3345			 * IPv6 didn't exist back in the early 1980's),
3346			 * and they all picked their own values.
3347			 *
3348			 * This means that, if we're reading from a
3349			 * savefile, we need to check for all the
3350			 * possible values.
3351			 *
3352			 * If we're doing a live capture, we only need
3353			 * to check for this platform's value; however,
3354			 * Npcap uses 24, which isn't Windows's AF_INET6
3355			 * value.  (Given the multiple different values,
3356			 * programs that read pcap files shouldn't be
3357			 * checking for their platform's AF_INET6 value
3358			 * anyway, they should check for all of the
3359			 * possible values. and they might as well do
3360			 * that even for live captures.)
3361			 */
3362			if (cstate->bpf_pcap->rfile != NULL) {
3363				/*
3364				 * Savefile - check for all three
3365				 * possible IPv6 values.
3366				 */
3367				b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3368				b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3369				gen_or(b0, b1);
3370				b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3371				gen_or(b0, b1);
3372				return (b1);
3373			} else {
3374				/*
3375				 * Live capture, so we only need to
3376				 * check for the value used on this
3377				 * platform.
3378				 */
3379#ifdef _WIN32
3380				/*
3381				 * Npcap doesn't use Windows's AF_INET6,
3382				 * as that collides with AF_IPX on
3383				 * some BSDs (both have the value 23).
3384				 * Instead, it uses 24.
3385				 */
3386				return (gen_loopback_linktype(cstate, 24));
3387#else /* _WIN32 */
3388#ifdef AF_INET6
3389				return (gen_loopback_linktype(cstate, AF_INET6));
3390#else /* AF_INET6 */
3391				/*
3392				 * I guess this platform doesn't support
3393				 * IPv6, so we just reject all packets.
3394				 */
3395				return gen_false(cstate);
3396#endif /* AF_INET6 */
3397#endif /* _WIN32 */
3398			}
3399
3400		default:
3401			/*
3402			 * Not a type on which we support filtering.
3403			 * XXX - support those that have AF_ values
3404			 * #defined on this platform, at least?
3405			 */
3406			return gen_false(cstate);
3407		}
3408
3409#ifdef HAVE_NET_PFVAR_H
3410	case DLT_PFLOG:
3411		/*
3412		 * af field is host byte order in contrast to the rest of
3413		 * the packet.
3414		 */
3415		if (proto == ETHERTYPE_IP)
3416			return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3417			    BPF_B, (bpf_int32)AF_INET));
3418		else if (proto == ETHERTYPE_IPV6)
3419			return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3420			    BPF_B, (bpf_int32)AF_INET6));
3421		else
3422			return gen_false(cstate);
3423		/*NOTREACHED*/
3424#endif /* HAVE_NET_PFVAR_H */
3425
3426	case DLT_ARCNET:
3427	case DLT_ARCNET_LINUX:
3428		/*
3429		 * XXX should we check for first fragment if the protocol
3430		 * uses PHDS?
3431		 */
3432		switch (proto) {
3433
3434		default:
3435			return gen_false(cstate);
3436
3437		case ETHERTYPE_IPV6:
3438			return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3439				(bpf_int32)ARCTYPE_INET6));
3440
3441		case ETHERTYPE_IP:
3442			b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3443				     (bpf_int32)ARCTYPE_IP);
3444			b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3445				     (bpf_int32)ARCTYPE_IP_OLD);
3446			gen_or(b0, b1);
3447			return (b1);
3448
3449		case ETHERTYPE_ARP:
3450			b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3451				     (bpf_int32)ARCTYPE_ARP);
3452			b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3453				     (bpf_int32)ARCTYPE_ARP_OLD);
3454			gen_or(b0, b1);
3455			return (b1);
3456
3457		case ETHERTYPE_REVARP:
3458			return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3459					(bpf_int32)ARCTYPE_REVARP));
3460
3461		case ETHERTYPE_ATALK:
3462			return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3463					(bpf_int32)ARCTYPE_ATALK));
3464		}
3465		/*NOTREACHED*/
3466
3467	case DLT_LTALK:
3468		switch (proto) {
3469		case ETHERTYPE_ATALK:
3470			return gen_true(cstate);
3471		default:
3472			return gen_false(cstate);
3473		}
3474		/*NOTREACHED*/
3475
3476	case DLT_FRELAY:
3477		/*
3478		 * XXX - assumes a 2-byte Frame Relay header with
3479		 * DLCI and flags.  What if the address is longer?
3480		 */
3481		switch (proto) {
3482
3483		case ETHERTYPE_IP:
3484			/*
3485			 * Check for the special NLPID for IP.
3486			 */
3487			return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3488
3489		case ETHERTYPE_IPV6:
3490			/*
3491			 * Check for the special NLPID for IPv6.
3492			 */
3493			return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3494
3495		case LLCSAP_ISONS:
3496			/*
3497			 * Check for several OSI protocols.
3498			 *
3499			 * Frame Relay packets typically have an OSI
3500			 * NLPID at the beginning; we check for each
3501			 * of them.
3502			 *
3503			 * What we check for is the NLPID and a frame
3504			 * control field of UI, i.e. 0x03 followed
3505			 * by the NLPID.
3506			 */
3507			b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3508			b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3509			b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3510			gen_or(b1, b2);
3511			gen_or(b0, b2);
3512			return b2;
3513
3514		default:
3515			return gen_false(cstate);
3516		}
3517		/*NOTREACHED*/
3518
3519	case DLT_MFR:
3520		bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3521
3522        case DLT_JUNIPER_MFR:
3523        case DLT_JUNIPER_MLFR:
3524        case DLT_JUNIPER_MLPPP:
3525	case DLT_JUNIPER_ATM1:
3526	case DLT_JUNIPER_ATM2:
3527	case DLT_JUNIPER_PPPOE:
3528	case DLT_JUNIPER_PPPOE_ATM:
3529        case DLT_JUNIPER_GGSN:
3530        case DLT_JUNIPER_ES:
3531        case DLT_JUNIPER_MONITOR:
3532        case DLT_JUNIPER_SERVICES:
3533        case DLT_JUNIPER_ETHER:
3534        case DLT_JUNIPER_PPP:
3535        case DLT_JUNIPER_FRELAY:
3536        case DLT_JUNIPER_CHDLC:
3537        case DLT_JUNIPER_VP:
3538        case DLT_JUNIPER_ST:
3539        case DLT_JUNIPER_ISM:
3540        case DLT_JUNIPER_VS:
3541        case DLT_JUNIPER_SRX_E2E:
3542        case DLT_JUNIPER_FIBRECHANNEL:
3543	case DLT_JUNIPER_ATM_CEMIC:
3544
3545		/* just lets verify the magic number for now -
3546		 * on ATM we may have up to 6 different encapsulations on the wire
3547		 * and need a lot of heuristics to figure out that the payload
3548		 * might be;
3549		 *
3550		 * FIXME encapsulation specific BPF_ filters
3551		 */
3552		return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3553
3554	case DLT_BACNET_MS_TP:
3555		return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3556
3557	case DLT_IPNET:
3558		return gen_ipnet_linktype(cstate, proto);
3559
3560	case DLT_LINUX_IRDA:
3561		bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3562
3563	case DLT_DOCSIS:
3564		bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3565
3566	case DLT_MTP2:
3567	case DLT_MTP2_WITH_PHDR:
3568		bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3569
3570	case DLT_ERF:
3571		bpf_error(cstate, "ERF link-layer type filtering not implemented");
3572
3573	case DLT_PFSYNC:
3574		bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3575
3576	case DLT_LINUX_LAPD:
3577		bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3578
3579	case DLT_USB_FREEBSD:
3580	case DLT_USB_LINUX:
3581	case DLT_USB_LINUX_MMAPPED:
3582	case DLT_USBPCAP:
3583		bpf_error(cstate, "USB link-layer type filtering not implemented");
3584
3585	case DLT_BLUETOOTH_HCI_H4:
3586	case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3587		bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3588
3589	case DLT_CAN20B:
3590	case DLT_CAN_SOCKETCAN:
3591		bpf_error(cstate, "CAN link-layer type filtering not implemented");
3592
3593	case DLT_IEEE802_15_4:
3594	case DLT_IEEE802_15_4_LINUX:
3595	case DLT_IEEE802_15_4_NONASK_PHY:
3596	case DLT_IEEE802_15_4_NOFCS:
3597		bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3598
3599	case DLT_IEEE802_16_MAC_CPS_RADIO:
3600		bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3601
3602	case DLT_SITA:
3603		bpf_error(cstate, "SITA link-layer type filtering not implemented");
3604
3605	case DLT_RAIF1:
3606		bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3607
3608	case DLT_IPMB_KONTRON:
3609	case DLT_IPMB_LINUX:
3610		bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3611
3612	case DLT_AX25_KISS:
3613		bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3614
3615	case DLT_NFLOG:
3616		/* Using the fixed-size NFLOG header it is possible to tell only
3617		 * the address family of the packet, other meaningful data is
3618		 * either missing or behind TLVs.
3619		 */
3620		bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3621
3622	default:
3623		/*
3624		 * Does this link-layer header type have a field
3625		 * indicating the type of the next protocol?  If
3626		 * so, off_linktype.constant_part will be the offset of that
3627		 * field in the packet; if not, it will be OFFSET_NOT_SET.
3628		 */
3629		if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3630			/*
3631			 * Yes; assume it's an Ethernet type.  (If
3632			 * it's not, it needs to be handled specially
3633			 * above.)
3634			 */
3635			return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3636			/*NOTREACHED */
3637		} else {
3638			/*
3639			 * No; report an error.
3640			 */
3641			description = pcap_datalink_val_to_description_or_dlt(cstate->linktype);
3642			bpf_error(cstate, "%s link-layer type filtering not implemented",
3643			    description);
3644			/*NOTREACHED */
3645		}
3646	}
3647}
3648
3649/*
3650 * Check for an LLC SNAP packet with a given organization code and
3651 * protocol type; we check the entire contents of the 802.2 LLC and
3652 * snap headers, checking for DSAP and SSAP of SNAP and a control
3653 * field of 0x03 in the LLC header, and for the specified organization
3654 * code and protocol type in the SNAP header.
3655 */
3656static struct block *
3657gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3658{
3659	u_char snapblock[8];
3660
3661	snapblock[0] = LLCSAP_SNAP;		/* DSAP = SNAP */
3662	snapblock[1] = LLCSAP_SNAP;		/* SSAP = SNAP */
3663	snapblock[2] = 0x03;			/* control = UI */
3664	snapblock[3] = (u_char)(orgcode >> 16);	/* upper 8 bits of organization code */
3665	snapblock[4] = (u_char)(orgcode >> 8);	/* middle 8 bits of organization code */
3666	snapblock[5] = (u_char)(orgcode >> 0);	/* lower 8 bits of organization code */
3667	snapblock[6] = (u_char)(ptype >> 8);	/* upper 8 bits of protocol type */
3668	snapblock[7] = (u_char)(ptype >> 0);	/* lower 8 bits of protocol type */
3669	return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3670}
3671
3672/*
3673 * Generate code to match frames with an LLC header.
3674 */
3675static struct block *
3676gen_llc_internal(compiler_state_t *cstate)
3677{
3678	struct block *b0, *b1;
3679
3680	switch (cstate->linktype) {
3681
3682	case DLT_EN10MB:
3683		/*
3684		 * We check for an Ethernet type field less than
3685		 * 1500, which means it's an 802.3 length field.
3686		 */
3687		b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3688		gen_not(b0);
3689
3690		/*
3691		 * Now check for the purported DSAP and SSAP not being
3692		 * 0xFF, to rule out NetWare-over-802.3.
3693		 */
3694		b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
3695		gen_not(b1);
3696		gen_and(b0, b1);
3697		return b1;
3698
3699	case DLT_SUNATM:
3700		/*
3701		 * We check for LLC traffic.
3702		 */
3703		b0 = gen_atmtype_llc(cstate);
3704		return b0;
3705
3706	case DLT_IEEE802:	/* Token Ring */
3707		/*
3708		 * XXX - check for LLC frames.
3709		 */
3710		return gen_true(cstate);
3711
3712	case DLT_FDDI:
3713		/*
3714		 * XXX - check for LLC frames.
3715		 */
3716		return gen_true(cstate);
3717
3718	case DLT_ATM_RFC1483:
3719		/*
3720		 * For LLC encapsulation, these are defined to have an
3721		 * 802.2 LLC header.
3722		 *
3723		 * For VC encapsulation, they don't, but there's no
3724		 * way to check for that; the protocol used on the VC
3725		 * is negotiated out of band.
3726		 */
3727		return gen_true(cstate);
3728
3729	case DLT_IEEE802_11:
3730	case DLT_PRISM_HEADER:
3731	case DLT_IEEE802_11_RADIO:
3732	case DLT_IEEE802_11_RADIO_AVS:
3733	case DLT_PPI:
3734		/*
3735		 * Check that we have a data frame.
3736		 */
3737		b0 = gen_check_802_11_data_frame(cstate);
3738		return b0;
3739
3740	default:
3741		bpf_error(cstate, "'llc' not supported for %s",
3742			  pcap_datalink_val_to_description_or_dlt(cstate->linktype));
3743		/*NOTREACHED*/
3744	}
3745}
3746
3747struct block *
3748gen_llc(compiler_state_t *cstate)
3749{
3750	/*
3751	 * Catch errors reported by us and routines below us, and return NULL
3752	 * on an error.
3753	 */
3754	if (setjmp(cstate->top_ctx))
3755		return (NULL);
3756
3757	return gen_llc_internal(cstate);
3758}
3759
3760struct block *
3761gen_llc_i(compiler_state_t *cstate)
3762{
3763	struct block *b0, *b1;
3764	struct slist *s;
3765
3766	/*
3767	 * Catch errors reported by us and routines below us, and return NULL
3768	 * on an error.
3769	 */
3770	if (setjmp(cstate->top_ctx))
3771		return (NULL);
3772
3773	/*
3774	 * Check whether this is an LLC frame.
3775	 */
3776	b0 = gen_llc_internal(cstate);
3777
3778	/*
3779	 * Load the control byte and test the low-order bit; it must
3780	 * be clear for I frames.
3781	 */
3782	s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3783	b1 = new_block(cstate, JMP(BPF_JSET));
3784	b1->s.k = 0x01;
3785	b1->stmts = s;
3786	gen_not(b1);
3787	gen_and(b0, b1);
3788	return b1;
3789}
3790
3791struct block *
3792gen_llc_s(compiler_state_t *cstate)
3793{
3794	struct block *b0, *b1;
3795
3796	/*
3797	 * Catch errors reported by us and routines below us, and return NULL
3798	 * on an error.
3799	 */
3800	if (setjmp(cstate->top_ctx))
3801		return (NULL);
3802
3803	/*
3804	 * Check whether this is an LLC frame.
3805	 */
3806	b0 = gen_llc_internal(cstate);
3807
3808	/*
3809	 * Now compare the low-order 2 bit of the control byte against
3810	 * the appropriate value for S frames.
3811	 */
3812	b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3813	gen_and(b0, b1);
3814	return b1;
3815}
3816
3817struct block *
3818gen_llc_u(compiler_state_t *cstate)
3819{
3820	struct block *b0, *b1;
3821
3822	/*
3823	 * Catch errors reported by us and routines below us, and return NULL
3824	 * on an error.
3825	 */
3826	if (setjmp(cstate->top_ctx))
3827		return (NULL);
3828
3829	/*
3830	 * Check whether this is an LLC frame.
3831	 */
3832	b0 = gen_llc_internal(cstate);
3833
3834	/*
3835	 * Now compare the low-order 2 bit of the control byte against
3836	 * the appropriate value for U frames.
3837	 */
3838	b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3839	gen_and(b0, b1);
3840	return b1;
3841}
3842
3843struct block *
3844gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3845{
3846	struct block *b0, *b1;
3847
3848	/*
3849	 * Catch errors reported by us and routines below us, and return NULL
3850	 * on an error.
3851	 */
3852	if (setjmp(cstate->top_ctx))
3853		return (NULL);
3854
3855	/*
3856	 * Check whether this is an LLC frame.
3857	 */
3858	b0 = gen_llc_internal(cstate);
3859
3860	/*
3861	 * Now check for an S frame with the appropriate type.
3862	 */
3863	b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3864	gen_and(b0, b1);
3865	return b1;
3866}
3867
3868struct block *
3869gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3870{
3871	struct block *b0, *b1;
3872
3873	/*
3874	 * Catch errors reported by us and routines below us, and return NULL
3875	 * on an error.
3876	 */
3877	if (setjmp(cstate->top_ctx))
3878		return (NULL);
3879
3880	/*
3881	 * Check whether this is an LLC frame.
3882	 */
3883	b0 = gen_llc_internal(cstate);
3884
3885	/*
3886	 * Now check for a U frame with the appropriate type.
3887	 */
3888	b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3889	gen_and(b0, b1);
3890	return b1;
3891}
3892
3893/*
3894 * Generate code to match a particular packet type, for link-layer types
3895 * using 802.2 LLC headers.
3896 *
3897 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3898 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3899 *
3900 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3901 * value, if <= ETHERMTU.  We use that to determine whether to
3902 * match the DSAP or both DSAP and LSAP or to check the OUI and
3903 * protocol ID in a SNAP header.
3904 */
3905static struct block *
3906gen_llc_linktype(compiler_state_t *cstate, int proto)
3907{
3908	/*
3909	 * XXX - handle token-ring variable-length header.
3910	 */
3911	switch (proto) {
3912
3913	case LLCSAP_IP:
3914	case LLCSAP_ISONS:
3915	case LLCSAP_NETBEUI:
3916		/*
3917		 * XXX - should we check both the DSAP and the
3918		 * SSAP, like this, or should we check just the
3919		 * DSAP, as we do for other SAP values?
3920		 */
3921		return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3922			     ((proto << 8) | proto));
3923
3924	case LLCSAP_IPX:
3925		/*
3926		 * XXX - are there ever SNAP frames for IPX on
3927		 * non-Ethernet 802.x networks?
3928		 */
3929		return gen_cmp(cstate, OR_LLC, 0, BPF_B,
3930		    (bpf_int32)LLCSAP_IPX);
3931
3932	case ETHERTYPE_ATALK:
3933		/*
3934		 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3935		 * SNAP packets with an organization code of
3936		 * 0x080007 (Apple, for Appletalk) and a protocol
3937		 * type of ETHERTYPE_ATALK (Appletalk).
3938		 *
3939		 * XXX - check for an organization code of
3940		 * encapsulated Ethernet as well?
3941		 */
3942		return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3943
3944	default:
3945		/*
3946		 * XXX - we don't have to check for IPX 802.3
3947		 * here, but should we check for the IPX Ethertype?
3948		 */
3949		if (proto <= ETHERMTU) {
3950			/*
3951			 * This is an LLC SAP value, so check
3952			 * the DSAP.
3953			 */
3954			return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto);
3955		} else {
3956			/*
3957			 * This is an Ethernet type; we assume that it's
3958			 * unlikely that it'll appear in the right place
3959			 * at random, and therefore check only the
3960			 * location that would hold the Ethernet type
3961			 * in a SNAP frame with an organization code of
3962			 * 0x000000 (encapsulated Ethernet).
3963			 *
3964			 * XXX - if we were to check for the SNAP DSAP and
3965			 * LSAP, as per XXX, and were also to check for an
3966			 * organization code of 0x000000 (encapsulated
3967			 * Ethernet), we'd do
3968			 *
3969			 *	return gen_snap(cstate, 0x000000, proto);
3970			 *
3971			 * here; for now, we don't, as per the above.
3972			 * I don't know whether it's worth the extra CPU
3973			 * time to do the right check or not.
3974			 */
3975			return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto);
3976		}
3977	}
3978}
3979
3980static struct block *
3981gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
3982    int dir, int proto, u_int src_off, u_int dst_off)
3983{
3984	struct block *b0, *b1;
3985	u_int offset;
3986
3987	switch (dir) {
3988
3989	case Q_SRC:
3990		offset = src_off;
3991		break;
3992
3993	case Q_DST:
3994		offset = dst_off;
3995		break;
3996
3997	case Q_AND:
3998		b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3999		b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
4000		gen_and(b0, b1);
4001		return b1;
4002
4003	case Q_DEFAULT:
4004	case Q_OR:
4005		b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
4006		b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
4007		gen_or(b0, b1);
4008		return b1;
4009
4010	case Q_ADDR1:
4011		bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4012		/*NOTREACHED*/
4013
4014	case Q_ADDR2:
4015		bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4016		/*NOTREACHED*/
4017
4018	case Q_ADDR3:
4019		bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4020		/*NOTREACHED*/
4021
4022	case Q_ADDR4:
4023		bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4024		/*NOTREACHED*/
4025
4026	case Q_RA:
4027		bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4028		/*NOTREACHED*/
4029
4030	case Q_TA:
4031		bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4032		/*NOTREACHED*/
4033
4034	default:
4035		abort();
4036		/*NOTREACHED*/
4037	}
4038	b0 = gen_linktype(cstate, proto);
4039	b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask);
4040	gen_and(b0, b1);
4041	return b1;
4042}
4043
4044#ifdef INET6
4045static struct block *
4046gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4047    struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off)
4048{
4049	struct block *b0, *b1;
4050	u_int offset;
4051	uint32_t *a, *m;
4052
4053	switch (dir) {
4054
4055	case Q_SRC:
4056		offset = src_off;
4057		break;
4058
4059	case Q_DST:
4060		offset = dst_off;
4061		break;
4062
4063	case Q_AND:
4064		b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
4065		b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
4066		gen_and(b0, b1);
4067		return b1;
4068
4069	case Q_DEFAULT:
4070	case Q_OR:
4071		b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
4072		b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
4073		gen_or(b0, b1);
4074		return b1;
4075
4076	case Q_ADDR1:
4077		bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4078		/*NOTREACHED*/
4079
4080	case Q_ADDR2:
4081		bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4082		/*NOTREACHED*/
4083
4084	case Q_ADDR3:
4085		bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4086		/*NOTREACHED*/
4087
4088	case Q_ADDR4:
4089		bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4090		/*NOTREACHED*/
4091
4092	case Q_RA:
4093		bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4094		/*NOTREACHED*/
4095
4096	case Q_TA:
4097		bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4098		/*NOTREACHED*/
4099
4100	default:
4101		abort();
4102		/*NOTREACHED*/
4103	}
4104	/* this order is important */
4105	a = (uint32_t *)addr;
4106	m = (uint32_t *)mask;
4107	b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4108	b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4109	gen_and(b0, b1);
4110	b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4111	gen_and(b0, b1);
4112	b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4113	gen_and(b0, b1);
4114	b0 = gen_linktype(cstate, proto);
4115	gen_and(b0, b1);
4116	return b1;
4117}
4118#endif
4119
4120static struct block *
4121gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4122{
4123	register struct block *b0, *b1;
4124
4125	switch (dir) {
4126	case Q_SRC:
4127		return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4128
4129	case Q_DST:
4130		return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4131
4132	case Q_AND:
4133		b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4134		b1 = gen_ehostop(cstate, eaddr, Q_DST);
4135		gen_and(b0, b1);
4136		return b1;
4137
4138	case Q_DEFAULT:
4139	case Q_OR:
4140		b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4141		b1 = gen_ehostop(cstate, eaddr, Q_DST);
4142		gen_or(b0, b1);
4143		return b1;
4144
4145	case Q_ADDR1:
4146		bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4147		/*NOTREACHED*/
4148
4149	case Q_ADDR2:
4150		bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4151		/*NOTREACHED*/
4152
4153	case Q_ADDR3:
4154		bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4155		/*NOTREACHED*/
4156
4157	case Q_ADDR4:
4158		bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4159		/*NOTREACHED*/
4160
4161	case Q_RA:
4162		bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4163		/*NOTREACHED*/
4164
4165	case Q_TA:
4166		bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4167		/*NOTREACHED*/
4168	}
4169	abort();
4170	/*NOTREACHED*/
4171}
4172
4173/*
4174 * Like gen_ehostop, but for DLT_FDDI
4175 */
4176static struct block *
4177gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4178{
4179	struct block *b0, *b1;
4180
4181	switch (dir) {
4182	case Q_SRC:
4183		return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4184
4185	case Q_DST:
4186		return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4187
4188	case Q_AND:
4189		b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4190		b1 = gen_fhostop(cstate, eaddr, Q_DST);
4191		gen_and(b0, b1);
4192		return b1;
4193
4194	case Q_DEFAULT:
4195	case Q_OR:
4196		b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4197		b1 = gen_fhostop(cstate, eaddr, Q_DST);
4198		gen_or(b0, b1);
4199		return b1;
4200
4201	case Q_ADDR1:
4202		bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4203		/*NOTREACHED*/
4204
4205	case Q_ADDR2:
4206		bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4207		/*NOTREACHED*/
4208
4209	case Q_ADDR3:
4210		bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4211		/*NOTREACHED*/
4212
4213	case Q_ADDR4:
4214		bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4215		/*NOTREACHED*/
4216
4217	case Q_RA:
4218		bpf_error(cstate, "'ra' is only supported on 802.11");
4219		/*NOTREACHED*/
4220
4221	case Q_TA:
4222		bpf_error(cstate, "'ta' is only supported on 802.11");
4223		/*NOTREACHED*/
4224	}
4225	abort();
4226	/*NOTREACHED*/
4227}
4228
4229/*
4230 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4231 */
4232static struct block *
4233gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4234{
4235	register struct block *b0, *b1;
4236
4237	switch (dir) {
4238	case Q_SRC:
4239		return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4240
4241	case Q_DST:
4242		return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4243
4244	case Q_AND:
4245		b0 = gen_thostop(cstate, eaddr, Q_SRC);
4246		b1 = gen_thostop(cstate, eaddr, Q_DST);
4247		gen_and(b0, b1);
4248		return b1;
4249
4250	case Q_DEFAULT:
4251	case Q_OR:
4252		b0 = gen_thostop(cstate, eaddr, Q_SRC);
4253		b1 = gen_thostop(cstate, eaddr, Q_DST);
4254		gen_or(b0, b1);
4255		return b1;
4256
4257	case Q_ADDR1:
4258		bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4259		/*NOTREACHED*/
4260
4261	case Q_ADDR2:
4262		bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4263		/*NOTREACHED*/
4264
4265	case Q_ADDR3:
4266		bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4267		/*NOTREACHED*/
4268
4269	case Q_ADDR4:
4270		bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4271		/*NOTREACHED*/
4272
4273	case Q_RA:
4274		bpf_error(cstate, "'ra' is only supported on 802.11");
4275		/*NOTREACHED*/
4276
4277	case Q_TA:
4278		bpf_error(cstate, "'ta' is only supported on 802.11");
4279		/*NOTREACHED*/
4280	}
4281	abort();
4282	/*NOTREACHED*/
4283}
4284
4285/*
4286 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4287 * various 802.11 + radio headers.
4288 */
4289static struct block *
4290gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4291{
4292	register struct block *b0, *b1, *b2;
4293	register struct slist *s;
4294
4295#ifdef ENABLE_WLAN_FILTERING_PATCH
4296	/*
4297	 * TODO GV 20070613
4298	 * We need to disable the optimizer because the optimizer is buggy
4299	 * and wipes out some LD instructions generated by the below
4300	 * code to validate the Frame Control bits
4301	 */
4302	cstate->no_optimize = 1;
4303#endif /* ENABLE_WLAN_FILTERING_PATCH */
4304
4305	switch (dir) {
4306	case Q_SRC:
4307		/*
4308		 * Oh, yuk.
4309		 *
4310		 *	For control frames, there is no SA.
4311		 *
4312		 *	For management frames, SA is at an
4313		 *	offset of 10 from the beginning of
4314		 *	the packet.
4315		 *
4316		 *	For data frames, SA is at an offset
4317		 *	of 10 from the beginning of the packet
4318		 *	if From DS is clear, at an offset of
4319		 *	16 from the beginning of the packet
4320		 *	if From DS is set and To DS is clear,
4321		 *	and an offset of 24 from the beginning
4322		 *	of the packet if From DS is set and To DS
4323		 *	is set.
4324		 */
4325
4326		/*
4327		 * Generate the tests to be done for data frames
4328		 * with From DS set.
4329		 *
4330		 * First, check for To DS set, i.e. check "link[1] & 0x01".
4331		 */
4332		s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4333		b1 = new_block(cstate, JMP(BPF_JSET));
4334		b1->s.k = 0x01;	/* To DS */
4335		b1->stmts = s;
4336
4337		/*
4338		 * If To DS is set, the SA is at 24.
4339		 */
4340		b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4341		gen_and(b1, b0);
4342
4343		/*
4344		 * Now, check for To DS not set, i.e. check
4345		 * "!(link[1] & 0x01)".
4346		 */
4347		s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4348		b2 = new_block(cstate, JMP(BPF_JSET));
4349		b2->s.k = 0x01;	/* To DS */
4350		b2->stmts = s;
4351		gen_not(b2);
4352
4353		/*
4354		 * If To DS is not set, the SA is at 16.
4355		 */
4356		b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4357		gen_and(b2, b1);
4358
4359		/*
4360		 * Now OR together the last two checks.  That gives
4361		 * the complete set of checks for data frames with
4362		 * From DS set.
4363		 */
4364		gen_or(b1, b0);
4365
4366		/*
4367		 * Now check for From DS being set, and AND that with
4368		 * the ORed-together checks.
4369		 */
4370		s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4371		b1 = new_block(cstate, JMP(BPF_JSET));
4372		b1->s.k = 0x02;	/* From DS */
4373		b1->stmts = s;
4374		gen_and(b1, b0);
4375
4376		/*
4377		 * Now check for data frames with From DS not set.
4378		 */
4379		s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4380		b2 = new_block(cstate, JMP(BPF_JSET));
4381		b2->s.k = 0x02;	/* From DS */
4382		b2->stmts = s;
4383		gen_not(b2);
4384
4385		/*
4386		 * If From DS isn't set, the SA is at 10.
4387		 */
4388		b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4389		gen_and(b2, b1);
4390
4391		/*
4392		 * Now OR together the checks for data frames with
4393		 * From DS not set and for data frames with From DS
4394		 * set; that gives the checks done for data frames.
4395		 */
4396		gen_or(b1, b0);
4397
4398		/*
4399		 * Now check for a data frame.
4400		 * I.e, check "link[0] & 0x08".
4401		 */
4402		s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4403		b1 = new_block(cstate, JMP(BPF_JSET));
4404		b1->s.k = 0x08;
4405		b1->stmts = s;
4406
4407		/*
4408		 * AND that with the checks done for data frames.
4409		 */
4410		gen_and(b1, b0);
4411
4412		/*
4413		 * If the high-order bit of the type value is 0, this
4414		 * is a management frame.
4415		 * I.e, check "!(link[0] & 0x08)".
4416		 */
4417		s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4418		b2 = new_block(cstate, JMP(BPF_JSET));
4419		b2->s.k = 0x08;
4420		b2->stmts = s;
4421		gen_not(b2);
4422
4423		/*
4424		 * For management frames, the SA is at 10.
4425		 */
4426		b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4427		gen_and(b2, b1);
4428
4429		/*
4430		 * OR that with the checks done for data frames.
4431		 * That gives the checks done for management and
4432		 * data frames.
4433		 */
4434		gen_or(b1, b0);
4435
4436		/*
4437		 * If the low-order bit of the type value is 1,
4438		 * this is either a control frame or a frame
4439		 * with a reserved type, and thus not a
4440		 * frame with an SA.
4441		 *
4442		 * I.e., check "!(link[0] & 0x04)".
4443		 */
4444		s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4445		b1 = new_block(cstate, JMP(BPF_JSET));
4446		b1->s.k = 0x04;
4447		b1->stmts = s;
4448		gen_not(b1);
4449
4450		/*
4451		 * AND that with the checks for data and management
4452		 * frames.
4453		 */
4454		gen_and(b1, b0);
4455		return b0;
4456
4457	case Q_DST:
4458		/*
4459		 * Oh, yuk.
4460		 *
4461		 *	For control frames, there is no DA.
4462		 *
4463		 *	For management frames, DA is at an
4464		 *	offset of 4 from the beginning of
4465		 *	the packet.
4466		 *
4467		 *	For data frames, DA is at an offset
4468		 *	of 4 from the beginning of the packet
4469		 *	if To DS is clear and at an offset of
4470		 *	16 from the beginning of the packet
4471		 *	if To DS is set.
4472		 */
4473
4474		/*
4475		 * Generate the tests to be done for data frames.
4476		 *
4477		 * First, check for To DS set, i.e. "link[1] & 0x01".
4478		 */
4479		s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4480		b1 = new_block(cstate, JMP(BPF_JSET));
4481		b1->s.k = 0x01;	/* To DS */
4482		b1->stmts = s;
4483
4484		/*
4485		 * If To DS is set, the DA is at 16.
4486		 */
4487		b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4488		gen_and(b1, b0);
4489
4490		/*
4491		 * Now, check for To DS not set, i.e. check
4492		 * "!(link[1] & 0x01)".
4493		 */
4494		s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4495		b2 = new_block(cstate, JMP(BPF_JSET));
4496		b2->s.k = 0x01;	/* To DS */
4497		b2->stmts = s;
4498		gen_not(b2);
4499
4500		/*
4501		 * If To DS is not set, the DA is at 4.
4502		 */
4503		b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4504		gen_and(b2, b1);
4505
4506		/*
4507		 * Now OR together the last two checks.  That gives
4508		 * the complete set of checks for data frames.
4509		 */
4510		gen_or(b1, b0);
4511
4512		/*
4513		 * Now check for a data frame.
4514		 * I.e, check "link[0] & 0x08".
4515		 */
4516		s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4517		b1 = new_block(cstate, JMP(BPF_JSET));
4518		b1->s.k = 0x08;
4519		b1->stmts = s;
4520
4521		/*
4522		 * AND that with the checks done for data frames.
4523		 */
4524		gen_and(b1, b0);
4525
4526		/*
4527		 * If the high-order bit of the type value is 0, this
4528		 * is a management frame.
4529		 * I.e, check "!(link[0] & 0x08)".
4530		 */
4531		s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4532		b2 = new_block(cstate, JMP(BPF_JSET));
4533		b2->s.k = 0x08;
4534		b2->stmts = s;
4535		gen_not(b2);
4536
4537		/*
4538		 * For management frames, the DA is at 4.
4539		 */
4540		b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4541		gen_and(b2, b1);
4542
4543		/*
4544		 * OR that with the checks done for data frames.
4545		 * That gives the checks done for management and
4546		 * data frames.
4547		 */
4548		gen_or(b1, b0);
4549
4550		/*
4551		 * If the low-order bit of the type value is 1,
4552		 * this is either a control frame or a frame
4553		 * with a reserved type, and thus not a
4554		 * frame with an SA.
4555		 *
4556		 * I.e., check "!(link[0] & 0x04)".
4557		 */
4558		s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4559		b1 = new_block(cstate, JMP(BPF_JSET));
4560		b1->s.k = 0x04;
4561		b1->stmts = s;
4562		gen_not(b1);
4563
4564		/*
4565		 * AND that with the checks for data and management
4566		 * frames.
4567		 */
4568		gen_and(b1, b0);
4569		return b0;
4570
4571	case Q_AND:
4572		b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4573		b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4574		gen_and(b0, b1);
4575		return b1;
4576
4577	case Q_DEFAULT:
4578	case Q_OR:
4579		b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4580		b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4581		gen_or(b0, b1);
4582		return b1;
4583
4584	/*
4585	 * XXX - add BSSID keyword?
4586	 */
4587	case Q_ADDR1:
4588		return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4589
4590	case Q_ADDR2:
4591		/*
4592		 * Not present in CTS or ACK control frames.
4593		 */
4594		b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4595			IEEE80211_FC0_TYPE_MASK);
4596		gen_not(b0);
4597		b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4598			IEEE80211_FC0_SUBTYPE_MASK);
4599		gen_not(b1);
4600		b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4601			IEEE80211_FC0_SUBTYPE_MASK);
4602		gen_not(b2);
4603		gen_and(b1, b2);
4604		gen_or(b0, b2);
4605		b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4606		gen_and(b2, b1);
4607		return b1;
4608
4609	case Q_ADDR3:
4610		/*
4611		 * Not present in control frames.
4612		 */
4613		b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4614			IEEE80211_FC0_TYPE_MASK);
4615		gen_not(b0);
4616		b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4617		gen_and(b0, b1);
4618		return b1;
4619
4620	case Q_ADDR4:
4621		/*
4622		 * Present only if the direction mask has both "From DS"
4623		 * and "To DS" set.  Neither control frames nor management
4624		 * frames should have both of those set, so we don't
4625		 * check the frame type.
4626		 */
4627		b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4628			IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4629		b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4630		gen_and(b0, b1);
4631		return b1;
4632
4633	case Q_RA:
4634		/*
4635		 * Not present in management frames; addr1 in other
4636		 * frames.
4637		 */
4638
4639		/*
4640		 * If the high-order bit of the type value is 0, this
4641		 * is a management frame.
4642		 * I.e, check "(link[0] & 0x08)".
4643		 */
4644		s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4645		b1 = new_block(cstate, JMP(BPF_JSET));
4646		b1->s.k = 0x08;
4647		b1->stmts = s;
4648
4649		/*
4650		 * Check addr1.
4651		 */
4652		b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4653
4654		/*
4655		 * AND that with the check of addr1.
4656		 */
4657		gen_and(b1, b0);
4658		return (b0);
4659
4660	case Q_TA:
4661		/*
4662		 * Not present in management frames; addr2, if present,
4663		 * in other frames.
4664		 */
4665
4666		/*
4667		 * Not present in CTS or ACK control frames.
4668		 */
4669		b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4670			IEEE80211_FC0_TYPE_MASK);
4671		gen_not(b0);
4672		b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4673			IEEE80211_FC0_SUBTYPE_MASK);
4674		gen_not(b1);
4675		b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4676			IEEE80211_FC0_SUBTYPE_MASK);
4677		gen_not(b2);
4678		gen_and(b1, b2);
4679		gen_or(b0, b2);
4680
4681		/*
4682		 * If the high-order bit of the type value is 0, this
4683		 * is a management frame.
4684		 * I.e, check "(link[0] & 0x08)".
4685		 */
4686		s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4687		b1 = new_block(cstate, JMP(BPF_JSET));
4688		b1->s.k = 0x08;
4689		b1->stmts = s;
4690
4691		/*
4692		 * AND that with the check for frames other than
4693		 * CTS and ACK frames.
4694		 */
4695		gen_and(b1, b2);
4696
4697		/*
4698		 * Check addr2.
4699		 */
4700		b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4701		gen_and(b2, b1);
4702		return b1;
4703	}
4704	abort();
4705	/*NOTREACHED*/
4706}
4707
4708/*
4709 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4710 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4711 * as the RFC states.)
4712 */
4713static struct block *
4714gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4715{
4716	register struct block *b0, *b1;
4717
4718	switch (dir) {
4719	case Q_SRC:
4720		return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4721
4722	case Q_DST:
4723		return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4724
4725	case Q_AND:
4726		b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4727		b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4728		gen_and(b0, b1);
4729		return b1;
4730
4731	case Q_DEFAULT:
4732	case Q_OR:
4733		b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4734		b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4735		gen_or(b0, b1);
4736		return b1;
4737
4738	case Q_ADDR1:
4739		bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4740		/*NOTREACHED*/
4741
4742	case Q_ADDR2:
4743		bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4744		/*NOTREACHED*/
4745
4746	case Q_ADDR3:
4747		bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4748		/*NOTREACHED*/
4749
4750	case Q_ADDR4:
4751		bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4752		/*NOTREACHED*/
4753
4754	case Q_RA:
4755		bpf_error(cstate, "'ra' is only supported on 802.11");
4756		/*NOTREACHED*/
4757
4758	case Q_TA:
4759		bpf_error(cstate, "'ta' is only supported on 802.11");
4760		/*NOTREACHED*/
4761	}
4762	abort();
4763	/*NOTREACHED*/
4764}
4765
4766/*
4767 * This is quite tricky because there may be pad bytes in front of the
4768 * DECNET header, and then there are two possible data packet formats that
4769 * carry both src and dst addresses, plus 5 packet types in a format that
4770 * carries only the src node, plus 2 types that use a different format and
4771 * also carry just the src node.
4772 *
4773 * Yuck.
4774 *
4775 * Instead of doing those all right, we just look for data packets with
4776 * 0 or 1 bytes of padding.  If you want to look at other packets, that
4777 * will require a lot more hacking.
4778 *
4779 * To add support for filtering on DECNET "areas" (network numbers)
4780 * one would want to add a "mask" argument to this routine.  That would
4781 * make the filter even more inefficient, although one could be clever
4782 * and not generate masking instructions if the mask is 0xFFFF.
4783 */
4784static struct block *
4785gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4786{
4787	struct block *b0, *b1, *b2, *tmp;
4788	u_int offset_lh;	/* offset if long header is received */
4789	u_int offset_sh;	/* offset if short header is received */
4790
4791	switch (dir) {
4792
4793	case Q_DST:
4794		offset_sh = 1;	/* follows flags */
4795		offset_lh = 7;	/* flgs,darea,dsubarea,HIORD */
4796		break;
4797
4798	case Q_SRC:
4799		offset_sh = 3;	/* follows flags, dstnode */
4800		offset_lh = 15;	/* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4801		break;
4802
4803	case Q_AND:
4804		/* Inefficient because we do our Calvinball dance twice */
4805		b0 = gen_dnhostop(cstate, addr, Q_SRC);
4806		b1 = gen_dnhostop(cstate, addr, Q_DST);
4807		gen_and(b0, b1);
4808		return b1;
4809
4810	case Q_DEFAULT:
4811	case Q_OR:
4812		/* Inefficient because we do our Calvinball dance twice */
4813		b0 = gen_dnhostop(cstate, addr, Q_SRC);
4814		b1 = gen_dnhostop(cstate, addr, Q_DST);
4815		gen_or(b0, b1);
4816		return b1;
4817
4818	case Q_ADDR1:
4819		bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4820		/*NOTREACHED*/
4821
4822	case Q_ADDR2:
4823		bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4824		/*NOTREACHED*/
4825
4826	case Q_ADDR3:
4827		bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4828		/*NOTREACHED*/
4829
4830	case Q_ADDR4:
4831		bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4832		/*NOTREACHED*/
4833
4834	case Q_RA:
4835		bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4836		/*NOTREACHED*/
4837
4838	case Q_TA:
4839		bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4840		/*NOTREACHED*/
4841
4842	default:
4843		abort();
4844		/*NOTREACHED*/
4845	}
4846	b0 = gen_linktype(cstate, ETHERTYPE_DN);
4847	/* Check for pad = 1, long header case */
4848	tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4849	    (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4850	b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4851	    BPF_H, (bpf_int32)ntohs((u_short)addr));
4852	gen_and(tmp, b1);
4853	/* Check for pad = 0, long header case */
4854	tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4855	b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4856	gen_and(tmp, b2);
4857	gen_or(b2, b1);
4858	/* Check for pad = 1, short header case */
4859	tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4860	    (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4861	b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4862	gen_and(tmp, b2);
4863	gen_or(b2, b1);
4864	/* Check for pad = 0, short header case */
4865	tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4866	b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4867	gen_and(tmp, b2);
4868	gen_or(b2, b1);
4869
4870	/* Combine with test for cstate->linktype */
4871	gen_and(b0, b1);
4872	return b1;
4873}
4874
4875/*
4876 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4877 * test the bottom-of-stack bit, and then check the version number
4878 * field in the IP header.
4879 */
4880static struct block *
4881gen_mpls_linktype(compiler_state_t *cstate, int proto)
4882{
4883	struct block *b0, *b1;
4884
4885        switch (proto) {
4886
4887        case Q_IP:
4888                /* match the bottom-of-stack bit */
4889                b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4890                /* match the IPv4 version number */
4891                b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4892                gen_and(b0, b1);
4893                return b1;
4894
4895       case Q_IPV6:
4896                /* match the bottom-of-stack bit */
4897                b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4898                /* match the IPv4 version number */
4899                b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4900                gen_and(b0, b1);
4901                return b1;
4902
4903       default:
4904                abort();
4905        }
4906}
4907
4908static struct block *
4909gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4910    int proto, int dir, int type)
4911{
4912	struct block *b0, *b1;
4913	const char *typestr;
4914
4915	if (type == Q_NET)
4916		typestr = "net";
4917	else
4918		typestr = "host";
4919
4920	switch (proto) {
4921
4922	case Q_DEFAULT:
4923		b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4924		/*
4925		 * Only check for non-IPv4 addresses if we're not
4926		 * checking MPLS-encapsulated packets.
4927		 */
4928		if (cstate->label_stack_depth == 0) {
4929			b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4930			gen_or(b0, b1);
4931			b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4932			gen_or(b1, b0);
4933		}
4934		return b0;
4935
4936	case Q_LINK:
4937		bpf_error(cstate, "link-layer modifier applied to %s", typestr);
4938
4939	case Q_IP:
4940		return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4941
4942	case Q_RARP:
4943		return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4944
4945	case Q_ARP:
4946		return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4947
4948	case Q_SCTP:
4949		bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4950
4951	case Q_TCP:
4952		bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4953
4954	case Q_UDP:
4955		bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4956
4957	case Q_ICMP:
4958		bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4959
4960	case Q_IGMP:
4961		bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4962
4963	case Q_IGRP:
4964		bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4965
4966	case Q_ATALK:
4967		bpf_error(cstate, "AppleTalk host filtering not implemented");
4968
4969	case Q_DECNET:
4970		return gen_dnhostop(cstate, addr, dir);
4971
4972	case Q_LAT:
4973		bpf_error(cstate, "LAT host filtering not implemented");
4974
4975	case Q_SCA:
4976		bpf_error(cstate, "SCA host filtering not implemented");
4977
4978	case Q_MOPRC:
4979		bpf_error(cstate, "MOPRC host filtering not implemented");
4980
4981	case Q_MOPDL:
4982		bpf_error(cstate, "MOPDL host filtering not implemented");
4983
4984	case Q_IPV6:
4985		bpf_error(cstate, "'ip6' modifier applied to ip host");
4986
4987	case Q_ICMPV6:
4988		bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4989
4990	case Q_AH:
4991		bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4992
4993	case Q_ESP:
4994		bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4995
4996	case Q_PIM:
4997		bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4998
4999	case Q_VRRP:
5000		bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
5001
5002	case Q_AARP:
5003		bpf_error(cstate, "AARP host filtering not implemented");
5004
5005	case Q_ISO:
5006		bpf_error(cstate, "ISO host filtering not implemented");
5007
5008	case Q_ESIS:
5009		bpf_error(cstate, "'esis' modifier applied to %s", typestr);
5010
5011	case Q_ISIS:
5012		bpf_error(cstate, "'isis' modifier applied to %s", typestr);
5013
5014	case Q_CLNP:
5015		bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
5016
5017	case Q_STP:
5018		bpf_error(cstate, "'stp' modifier applied to %s", typestr);
5019
5020	case Q_IPX:
5021		bpf_error(cstate, "IPX host filtering not implemented");
5022
5023	case Q_NETBEUI:
5024		bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
5025
5026	case Q_ISIS_L1:
5027		bpf_error(cstate, "'l1' modifier applied to %s", typestr);
5028
5029	case Q_ISIS_L2:
5030		bpf_error(cstate, "'l2' modifier applied to %s", typestr);
5031
5032	case Q_ISIS_IIH:
5033		bpf_error(cstate, "'iih' modifier applied to %s", typestr);
5034
5035	case Q_ISIS_SNP:
5036		bpf_error(cstate, "'snp' modifier applied to %s", typestr);
5037
5038	case Q_ISIS_CSNP:
5039		bpf_error(cstate, "'csnp' modifier applied to %s", typestr);
5040
5041	case Q_ISIS_PSNP:
5042		bpf_error(cstate, "'psnp' modifier applied to %s", typestr);
5043
5044	case Q_ISIS_LSP:
5045		bpf_error(cstate, "'lsp' modifier applied to %s", typestr);
5046
5047	case Q_RADIO:
5048		bpf_error(cstate, "'radio' modifier applied to %s", typestr);
5049
5050	case Q_CARP:
5051		bpf_error(cstate, "'carp' modifier applied to %s", typestr);
5052
5053	default:
5054		abort();
5055	}
5056	/*NOTREACHED*/
5057}
5058
5059#ifdef INET6
5060static struct block *
5061gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5062    struct in6_addr *mask, int proto, int dir, int type)
5063{
5064	const char *typestr;
5065
5066	if (type == Q_NET)
5067		typestr = "net";
5068	else
5069		typestr = "host";
5070
5071	switch (proto) {
5072
5073	case Q_DEFAULT:
5074		return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
5075
5076	case Q_LINK:
5077		bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
5078
5079	case Q_IP:
5080		bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
5081
5082	case Q_RARP:
5083		bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
5084
5085	case Q_ARP:
5086		bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
5087
5088	case Q_SCTP:
5089		bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr);
5090
5091	case Q_TCP:
5092		bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr);
5093
5094	case Q_UDP:
5095		bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr);
5096
5097	case Q_ICMP:
5098		bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr);
5099
5100	case Q_IGMP:
5101		bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr);
5102
5103	case Q_IGRP:
5104		bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr);
5105
5106	case Q_ATALK:
5107		bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr);
5108
5109	case Q_DECNET:
5110		bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
5111
5112	case Q_LAT:
5113		bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr);
5114
5115	case Q_SCA:
5116		bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr);
5117
5118	case Q_MOPRC:
5119		bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr);
5120
5121	case Q_MOPDL:
5122		bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr);
5123
5124	case Q_IPV6:
5125		return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
5126
5127	case Q_ICMPV6:
5128		bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr);
5129
5130	case Q_AH:
5131		bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr);
5132
5133	case Q_ESP:
5134		bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr);
5135
5136	case Q_PIM:
5137		bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr);
5138
5139	case Q_VRRP:
5140		bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr);
5141
5142	case Q_AARP:
5143		bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr);
5144
5145	case Q_ISO:
5146		bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr);
5147
5148	case Q_ESIS:
5149		bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr);
5150
5151	case Q_ISIS:
5152		bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr);
5153
5154	case Q_CLNP:
5155		bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr);
5156
5157	case Q_STP:
5158		bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr);
5159
5160	case Q_IPX:
5161		bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr);
5162
5163	case Q_NETBEUI:
5164		bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr);
5165
5166	case Q_ISIS_L1:
5167		bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr);
5168
5169	case Q_ISIS_L2:
5170		bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr);
5171
5172	case Q_ISIS_IIH:
5173		bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr);
5174
5175	case Q_ISIS_SNP:
5176		bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr);
5177
5178	case Q_ISIS_CSNP:
5179		bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr);
5180
5181	case Q_ISIS_PSNP:
5182		bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr);
5183
5184	case Q_ISIS_LSP:
5185		bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr);
5186
5187	case Q_RADIO:
5188		bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr);
5189
5190	case Q_CARP:
5191		bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr);
5192
5193	default:
5194		abort();
5195	}
5196	/*NOTREACHED*/
5197}
5198#endif
5199
5200#ifndef INET6
5201static struct block *
5202gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5203    struct addrinfo *alist, int proto, int dir)
5204{
5205	struct block *b0, *b1, *tmp;
5206	struct addrinfo *ai;
5207	struct sockaddr_in *sin;
5208
5209	if (dir != 0)
5210		bpf_error(cstate, "direction applied to 'gateway'");
5211
5212	switch (proto) {
5213	case Q_DEFAULT:
5214	case Q_IP:
5215	case Q_ARP:
5216	case Q_RARP:
5217		switch (cstate->linktype) {
5218		case DLT_EN10MB:
5219		case DLT_NETANALYZER:
5220		case DLT_NETANALYZER_TRANSPARENT:
5221			b1 = gen_prevlinkhdr_check(cstate);
5222			b0 = gen_ehostop(cstate, eaddr, Q_OR);
5223			if (b1 != NULL)
5224				gen_and(b1, b0);
5225			break;
5226		case DLT_FDDI:
5227			b0 = gen_fhostop(cstate, eaddr, Q_OR);
5228			break;
5229		case DLT_IEEE802:
5230			b0 = gen_thostop(cstate, eaddr, Q_OR);
5231			break;
5232		case DLT_IEEE802_11:
5233		case DLT_PRISM_HEADER:
5234		case DLT_IEEE802_11_RADIO_AVS:
5235		case DLT_IEEE802_11_RADIO:
5236		case DLT_PPI:
5237			b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5238			break;
5239		case DLT_SUNATM:
5240			/*
5241			 * This is LLC-multiplexed traffic; if it were
5242			 * LANE, cstate->linktype would have been set to
5243			 * DLT_EN10MB.
5244			 */
5245			bpf_error(cstate,
5246			    "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5247			break;
5248		case DLT_IP_OVER_FC:
5249			b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5250			break;
5251		default:
5252			bpf_error(cstate,
5253			    "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5254		}
5255		b1 = NULL;
5256		for (ai = alist; ai != NULL; ai = ai->ai_next) {
5257			/*
5258			 * Does it have an address?
5259			 */
5260			if (ai->ai_addr != NULL) {
5261				/*
5262				 * Yes.  Is it an IPv4 address?
5263				 */
5264				if (ai->ai_addr->sa_family == AF_INET) {
5265					/*
5266					 * Generate an entry for it.
5267					 */
5268					sin = (struct sockaddr_in *)ai->ai_addr;
5269					tmp = gen_host(cstate,
5270					    ntohl(sin->sin_addr.s_addr),
5271					    0xffffffff, proto, Q_OR, Q_HOST);
5272					/*
5273					 * Is it the *first* IPv4 address?
5274					 */
5275					if (b1 == NULL) {
5276						/*
5277						 * Yes, so start with it.
5278						 */
5279						b1 = tmp;
5280					} else {
5281						/*
5282						 * No, so OR it into the
5283						 * existing set of
5284						 * addresses.
5285						 */
5286						gen_or(b1, tmp);
5287						b1 = tmp;
5288					}
5289				}
5290			}
5291		}
5292		if (b1 == NULL) {
5293			/*
5294			 * No IPv4 addresses found.
5295			 */
5296			return (NULL);
5297		}
5298		gen_not(b1);
5299		gen_and(b0, b1);
5300		return b1;
5301	}
5302	bpf_error(cstate, "illegal modifier of 'gateway'");
5303	/*NOTREACHED*/
5304}
5305#endif
5306
5307static struct block *
5308gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5309{
5310	struct block *b0;
5311	struct block *b1;
5312
5313	switch (proto) {
5314
5315	case Q_SCTP:
5316		b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT);
5317		b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
5318		gen_or(b0, b1);
5319		break;
5320
5321	case Q_TCP:
5322		b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT);
5323		b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
5324		gen_or(b0, b1);
5325		break;
5326
5327	case Q_UDP:
5328		b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT);
5329		b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
5330		gen_or(b0, b1);
5331		break;
5332
5333	case Q_ICMP:
5334		b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5335		break;
5336
5337#ifndef	IPPROTO_IGMP
5338#define	IPPROTO_IGMP	2
5339#endif
5340
5341	case Q_IGMP:
5342		b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5343		break;
5344
5345#ifndef	IPPROTO_IGRP
5346#define	IPPROTO_IGRP	9
5347#endif
5348	case Q_IGRP:
5349		b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5350		break;
5351
5352#ifndef IPPROTO_PIM
5353#define IPPROTO_PIM	103
5354#endif
5355
5356	case Q_PIM:
5357		b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT);
5358		b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5359		gen_or(b0, b1);
5360		break;
5361
5362#ifndef IPPROTO_VRRP
5363#define IPPROTO_VRRP	112
5364#endif
5365
5366	case Q_VRRP:
5367		b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5368		break;
5369
5370#ifndef IPPROTO_CARP
5371#define IPPROTO_CARP	112
5372#endif
5373
5374	case Q_CARP:
5375		b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5376		break;
5377
5378	case Q_IP:
5379		b1 = gen_linktype(cstate, ETHERTYPE_IP);
5380		break;
5381
5382	case Q_ARP:
5383		b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5384		break;
5385
5386	case Q_RARP:
5387		b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5388		break;
5389
5390	case Q_LINK:
5391		bpf_error(cstate, "link layer applied in wrong context");
5392
5393	case Q_ATALK:
5394		b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5395		break;
5396
5397	case Q_AARP:
5398		b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5399		break;
5400
5401	case Q_DECNET:
5402		b1 = gen_linktype(cstate, ETHERTYPE_DN);
5403		break;
5404
5405	case Q_SCA:
5406		b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5407		break;
5408
5409	case Q_LAT:
5410		b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5411		break;
5412
5413	case Q_MOPDL:
5414		b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5415		break;
5416
5417	case Q_MOPRC:
5418		b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5419		break;
5420
5421	case Q_IPV6:
5422		b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5423		break;
5424
5425#ifndef IPPROTO_ICMPV6
5426#define IPPROTO_ICMPV6	58
5427#endif
5428	case Q_ICMPV6:
5429		b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5430		break;
5431
5432#ifndef IPPROTO_AH
5433#define IPPROTO_AH	51
5434#endif
5435	case Q_AH:
5436		b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT);
5437		b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5438		gen_or(b0, b1);
5439		break;
5440
5441#ifndef IPPROTO_ESP
5442#define IPPROTO_ESP	50
5443#endif
5444	case Q_ESP:
5445		b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT);
5446		b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5447		gen_or(b0, b1);
5448		break;
5449
5450	case Q_ISO:
5451		b1 = gen_linktype(cstate, LLCSAP_ISONS);
5452		break;
5453
5454	case Q_ESIS:
5455		b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5456		break;
5457
5458	case Q_ISIS:
5459		b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5460		break;
5461
5462	case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5463		b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5464		b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5465		gen_or(b0, b1);
5466		b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5467		gen_or(b0, b1);
5468		b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5469		gen_or(b0, b1);
5470		b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5471		gen_or(b0, b1);
5472		break;
5473
5474	case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5475		b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5476		b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5477		gen_or(b0, b1);
5478		b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5479		gen_or(b0, b1);
5480		b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5481		gen_or(b0, b1);
5482		b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5483		gen_or(b0, b1);
5484		break;
5485
5486	case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5487		b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5488		b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5489		gen_or(b0, b1);
5490		b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5491		gen_or(b0, b1);
5492		break;
5493
5494	case Q_ISIS_LSP:
5495		b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5496		b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5497		gen_or(b0, b1);
5498		break;
5499
5500	case Q_ISIS_SNP:
5501		b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5502		b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5503		gen_or(b0, b1);
5504		b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5505		gen_or(b0, b1);
5506		b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5507		gen_or(b0, b1);
5508		break;
5509
5510	case Q_ISIS_CSNP:
5511		b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5512		b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5513		gen_or(b0, b1);
5514		break;
5515
5516	case Q_ISIS_PSNP:
5517		b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5518		b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5519		gen_or(b0, b1);
5520		break;
5521
5522	case Q_CLNP:
5523		b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5524		break;
5525
5526	case Q_STP:
5527		b1 = gen_linktype(cstate, LLCSAP_8021D);
5528		break;
5529
5530	case Q_IPX:
5531		b1 = gen_linktype(cstate, LLCSAP_IPX);
5532		break;
5533
5534	case Q_NETBEUI:
5535		b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5536		break;
5537
5538	case Q_RADIO:
5539		bpf_error(cstate, "'radio' is not a valid protocol type");
5540
5541	default:
5542		abort();
5543	}
5544	return b1;
5545}
5546
5547struct block *
5548gen_proto_abbrev(compiler_state_t *cstate, int proto)
5549{
5550	/*
5551	 * Catch errors reported by us and routines below us, and return NULL
5552	 * on an error.
5553	 */
5554	if (setjmp(cstate->top_ctx))
5555		return (NULL);
5556
5557	return gen_proto_abbrev_internal(cstate, proto);
5558}
5559
5560static struct block *
5561gen_ipfrag(compiler_state_t *cstate)
5562{
5563	struct slist *s;
5564	struct block *b;
5565
5566	/* not IPv4 frag other than the first frag */
5567	s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5568	b = new_block(cstate, JMP(BPF_JSET));
5569	b->s.k = 0x1fff;
5570	b->stmts = s;
5571	gen_not(b);
5572
5573	return b;
5574}
5575
5576/*
5577 * Generate a comparison to a port value in the transport-layer header
5578 * at the specified offset from the beginning of that header.
5579 *
5580 * XXX - this handles a variable-length prefix preceding the link-layer
5581 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5582 * variable-length link-layer headers (such as Token Ring or 802.11
5583 * headers).
5584 */
5585static struct block *
5586gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v)
5587{
5588	return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5589}
5590
5591static struct block *
5592gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v)
5593{
5594	return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5595}
5596
5597struct block *
5598gen_portop(compiler_state_t *cstate, int port, int proto, int dir)
5599{
5600	struct block *b0, *b1, *tmp;
5601
5602	/* ip proto 'proto' and not a fragment other than the first fragment */
5603	tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5604	b0 = gen_ipfrag(cstate);
5605	gen_and(tmp, b0);
5606
5607	switch (dir) {
5608	case Q_SRC:
5609		b1 = gen_portatom(cstate, 0, (bpf_int32)port);
5610		break;
5611
5612	case Q_DST:
5613		b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5614		break;
5615
5616	case Q_AND:
5617		tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5618		b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5619		gen_and(tmp, b1);
5620		break;
5621
5622	case Q_DEFAULT:
5623	case Q_OR:
5624		tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5625		b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5626		gen_or(tmp, b1);
5627		break;
5628
5629	case Q_ADDR1:
5630		bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports");
5631		/*NOTREACHED*/
5632
5633	case Q_ADDR2:
5634		bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports");
5635		/*NOTREACHED*/
5636
5637	case Q_ADDR3:
5638		bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports");
5639		/*NOTREACHED*/
5640
5641	case Q_ADDR4:
5642		bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports");
5643		/*NOTREACHED*/
5644
5645	case Q_RA:
5646		bpf_error(cstate, "'ra' is not a valid qualifier for ports");
5647		/*NOTREACHED*/
5648
5649	case Q_TA:
5650		bpf_error(cstate, "'ta' is not a valid qualifier for ports");
5651		/*NOTREACHED*/
5652
5653	default:
5654		abort();
5655		/*NOTREACHED*/
5656	}
5657	gen_and(b0, b1);
5658
5659	return b1;
5660}
5661
5662static struct block *
5663gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir)
5664{
5665	struct block *b0, *b1, *tmp;
5666
5667	/*
5668	 * ether proto ip
5669	 *
5670	 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5671	 * not LLC encapsulation with LLCSAP_IP.
5672	 *
5673	 * For IEEE 802 networks - which includes 802.5 token ring
5674	 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5675	 * says that SNAP encapsulation is used, not LLC encapsulation
5676	 * with LLCSAP_IP.
5677	 *
5678	 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5679	 * RFC 2225 say that SNAP encapsulation is used, not LLC
5680	 * encapsulation with LLCSAP_IP.
5681	 *
5682	 * So we always check for ETHERTYPE_IP.
5683	 */
5684	b0 = gen_linktype(cstate, ETHERTYPE_IP);
5685
5686	switch (ip_proto) {
5687	case IPPROTO_UDP:
5688	case IPPROTO_TCP:
5689	case IPPROTO_SCTP:
5690		b1 = gen_portop(cstate, port, ip_proto, dir);
5691		break;
5692
5693	case PROTO_UNDEF:
5694		tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5695		b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5696		gen_or(tmp, b1);
5697		tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5698		gen_or(tmp, b1);
5699		break;
5700
5701	default:
5702		abort();
5703	}
5704	gen_and(b0, b1);
5705	return b1;
5706}
5707
5708struct block *
5709gen_portop6(compiler_state_t *cstate, int port, int proto, int dir)
5710{
5711	struct block *b0, *b1, *tmp;
5712
5713	/* ip6 proto 'proto' */
5714	/* XXX - catch the first fragment of a fragmented packet? */
5715	b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5716
5717	switch (dir) {
5718	case Q_SRC:
5719		b1 = gen_portatom6(cstate, 0, (bpf_int32)port);
5720		break;
5721
5722	case Q_DST:
5723		b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5724		break;
5725
5726	case Q_AND:
5727		tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5728		b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5729		gen_and(tmp, b1);
5730		break;
5731
5732	case Q_DEFAULT:
5733	case Q_OR:
5734		tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5735		b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5736		gen_or(tmp, b1);
5737		break;
5738
5739	default:
5740		abort();
5741	}
5742	gen_and(b0, b1);
5743
5744	return b1;
5745}
5746
5747static struct block *
5748gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir)
5749{
5750	struct block *b0, *b1, *tmp;
5751
5752	/* link proto ip6 */
5753	b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5754
5755	switch (ip_proto) {
5756	case IPPROTO_UDP:
5757	case IPPROTO_TCP:
5758	case IPPROTO_SCTP:
5759		b1 = gen_portop6(cstate, port, ip_proto, dir);
5760		break;
5761
5762	case PROTO_UNDEF:
5763		tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5764		b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5765		gen_or(tmp, b1);
5766		tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5767		gen_or(tmp, b1);
5768		break;
5769
5770	default:
5771		abort();
5772	}
5773	gen_and(b0, b1);
5774	return b1;
5775}
5776
5777/* gen_portrange code */
5778static struct block *
5779gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1,
5780    bpf_int32 v2)
5781{
5782	struct block *b1, *b2;
5783
5784	if (v1 > v2) {
5785		/*
5786		 * Reverse the order of the ports, so v1 is the lower one.
5787		 */
5788		bpf_int32 vtemp;
5789
5790		vtemp = v1;
5791		v1 = v2;
5792		v2 = vtemp;
5793	}
5794
5795	b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5796	b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5797
5798	gen_and(b1, b2);
5799
5800	return b2;
5801}
5802
5803struct block *
5804gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto,
5805    int dir)
5806{
5807	struct block *b0, *b1, *tmp;
5808
5809	/* ip proto 'proto' and not a fragment other than the first fragment */
5810	tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5811	b0 = gen_ipfrag(cstate);
5812	gen_and(tmp, b0);
5813
5814	switch (dir) {
5815	case Q_SRC:
5816		b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5817		break;
5818
5819	case Q_DST:
5820		b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5821		break;
5822
5823	case Q_AND:
5824		tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5825		b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5826		gen_and(tmp, b1);
5827		break;
5828
5829	case Q_DEFAULT:
5830	case Q_OR:
5831		tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5832		b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5833		gen_or(tmp, b1);
5834		break;
5835
5836	case Q_ADDR1:
5837		bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges");
5838		/*NOTREACHED*/
5839
5840	case Q_ADDR2:
5841		bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges");
5842		/*NOTREACHED*/
5843
5844	case Q_ADDR3:
5845		bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges");
5846		/*NOTREACHED*/
5847
5848	case Q_ADDR4:
5849		bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges");
5850		/*NOTREACHED*/
5851
5852	case Q_RA:
5853		bpf_error(cstate, "'ra' is not a valid qualifier for port ranges");
5854		/*NOTREACHED*/
5855
5856	case Q_TA:
5857		bpf_error(cstate, "'ta' is not a valid qualifier for port ranges");
5858		/*NOTREACHED*/
5859
5860	default:
5861		abort();
5862		/*NOTREACHED*/
5863	}
5864	gen_and(b0, b1);
5865
5866	return b1;
5867}
5868
5869static struct block *
5870gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5871    int dir)
5872{
5873	struct block *b0, *b1, *tmp;
5874
5875	/* link proto ip */
5876	b0 = gen_linktype(cstate, ETHERTYPE_IP);
5877
5878	switch (ip_proto) {
5879	case IPPROTO_UDP:
5880	case IPPROTO_TCP:
5881	case IPPROTO_SCTP:
5882		b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir);
5883		break;
5884
5885	case PROTO_UNDEF:
5886		tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
5887		b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
5888		gen_or(tmp, b1);
5889		tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
5890		gen_or(tmp, b1);
5891		break;
5892
5893	default:
5894		abort();
5895	}
5896	gen_and(b0, b1);
5897	return b1;
5898}
5899
5900static struct block *
5901gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1,
5902    bpf_int32 v2)
5903{
5904	struct block *b1, *b2;
5905
5906	if (v1 > v2) {
5907		/*
5908		 * Reverse the order of the ports, so v1 is the lower one.
5909		 */
5910		bpf_int32 vtemp;
5911
5912		vtemp = v1;
5913		v1 = v2;
5914		v2 = vtemp;
5915	}
5916
5917	b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
5918	b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
5919
5920	gen_and(b1, b2);
5921
5922	return b2;
5923}
5924
5925struct block *
5926gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto,
5927    int dir)
5928{
5929	struct block *b0, *b1, *tmp;
5930
5931	/* ip6 proto 'proto' */
5932	/* XXX - catch the first fragment of a fragmented packet? */
5933	b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5934
5935	switch (dir) {
5936	case Q_SRC:
5937		b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5938		break;
5939
5940	case Q_DST:
5941		b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5942		break;
5943
5944	case Q_AND:
5945		tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5946		b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5947		gen_and(tmp, b1);
5948		break;
5949
5950	case Q_DEFAULT:
5951	case Q_OR:
5952		tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5953		b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5954		gen_or(tmp, b1);
5955		break;
5956
5957	default:
5958		abort();
5959	}
5960	gen_and(b0, b1);
5961
5962	return b1;
5963}
5964
5965static struct block *
5966gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5967    int dir)
5968{
5969	struct block *b0, *b1, *tmp;
5970
5971	/* link proto ip6 */
5972	b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5973
5974	switch (ip_proto) {
5975	case IPPROTO_UDP:
5976	case IPPROTO_TCP:
5977	case IPPROTO_SCTP:
5978		b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir);
5979		break;
5980
5981	case PROTO_UNDEF:
5982		tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
5983		b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
5984		gen_or(tmp, b1);
5985		tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
5986		gen_or(tmp, b1);
5987		break;
5988
5989	default:
5990		abort();
5991	}
5992	gen_and(b0, b1);
5993	return b1;
5994}
5995
5996static int
5997lookup_proto(compiler_state_t *cstate, const char *name, int proto)
5998{
5999	register int v;
6000
6001	switch (proto) {
6002
6003	case Q_DEFAULT:
6004	case Q_IP:
6005	case Q_IPV6:
6006		v = pcap_nametoproto(name);
6007		if (v == PROTO_UNDEF)
6008			bpf_error(cstate, "unknown ip proto '%s'", name);
6009		break;
6010
6011	case Q_LINK:
6012		/* XXX should look up h/w protocol type based on cstate->linktype */
6013		v = pcap_nametoeproto(name);
6014		if (v == PROTO_UNDEF) {
6015			v = pcap_nametollc(name);
6016			if (v == PROTO_UNDEF)
6017				bpf_error(cstate, "unknown ether proto '%s'", name);
6018		}
6019		break;
6020
6021	case Q_ISO:
6022		if (strcmp(name, "esis") == 0)
6023			v = ISO9542_ESIS;
6024		else if (strcmp(name, "isis") == 0)
6025			v = ISO10589_ISIS;
6026		else if (strcmp(name, "clnp") == 0)
6027			v = ISO8473_CLNP;
6028		else
6029			bpf_error(cstate, "unknown osi proto '%s'", name);
6030		break;
6031
6032	default:
6033		v = PROTO_UNDEF;
6034		break;
6035	}
6036	return v;
6037}
6038
6039#if 0
6040struct stmt *
6041gen_joinsp(struct stmt **s, int n)
6042{
6043	return NULL;
6044}
6045#endif
6046
6047static struct block *
6048gen_protochain(compiler_state_t *cstate, int v, int proto, int dir)
6049{
6050#ifdef NO_PROTOCHAIN
6051	return gen_proto(cstate, v, proto, dir);
6052#else
6053	struct block *b0, *b;
6054	struct slist *s[100];
6055	int fix2, fix3, fix4, fix5;
6056	int ahcheck, again, end;
6057	int i, max;
6058	int reg2 = alloc_reg(cstate);
6059
6060	memset(s, 0, sizeof(s));
6061	fix3 = fix4 = fix5 = 0;
6062
6063	switch (proto) {
6064	case Q_IP:
6065	case Q_IPV6:
6066		break;
6067	case Q_DEFAULT:
6068		b0 = gen_protochain(cstate, v, Q_IP, dir);
6069		b = gen_protochain(cstate, v, Q_IPV6, dir);
6070		gen_or(b0, b);
6071		return b;
6072	default:
6073		bpf_error(cstate, "bad protocol applied for 'protochain'");
6074		/*NOTREACHED*/
6075	}
6076
6077	/*
6078	 * We don't handle variable-length prefixes before the link-layer
6079	 * header, or variable-length link-layer headers, here yet.
6080	 * We might want to add BPF instructions to do the protochain
6081	 * work, to simplify that and, on platforms that have a BPF
6082	 * interpreter with the new instructions, let the filtering
6083	 * be done in the kernel.  (We already require a modified BPF
6084	 * engine to do the protochain stuff, to support backward
6085	 * branches, and backward branch support is unlikely to appear
6086	 * in kernel BPF engines.)
6087	 */
6088	if (cstate->off_linkpl.is_variable)
6089		bpf_error(cstate, "'protochain' not supported with variable length headers");
6090
6091	cstate->no_optimize = 1; /* this code is not compatible with optimizer yet */
6092
6093	/*
6094	 * s[0] is a dummy entry to protect other BPF insn from damage
6095	 * by s[fix] = foo with uninitialized variable "fix".  It is somewhat
6096	 * hard to find interdependency made by jump table fixup.
6097	 */
6098	i = 0;
6099	s[i] = new_stmt(cstate, 0);	/*dummy*/
6100	i++;
6101
6102	switch (proto) {
6103	case Q_IP:
6104		b0 = gen_linktype(cstate, ETHERTYPE_IP);
6105
6106		/* A = ip->ip_p */
6107		s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6108		s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6109		i++;
6110		/* X = ip->ip_hl << 2 */
6111		s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6112		s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6113		i++;
6114		break;
6115
6116	case Q_IPV6:
6117		b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6118
6119		/* A = ip6->ip_nxt */
6120		s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6121		s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6122		i++;
6123		/* X = sizeof(struct ip6_hdr) */
6124		s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6125		s[i]->s.k = 40;
6126		i++;
6127		break;
6128
6129	default:
6130		bpf_error(cstate, "unsupported proto to gen_protochain");
6131		/*NOTREACHED*/
6132	}
6133
6134	/* again: if (A == v) goto end; else fall through; */
6135	again = i;
6136	s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6137	s[i]->s.k = v;
6138	s[i]->s.jt = NULL;		/*later*/
6139	s[i]->s.jf = NULL;		/*update in next stmt*/
6140	fix5 = i;
6141	i++;
6142
6143#ifndef IPPROTO_NONE
6144#define IPPROTO_NONE	59
6145#endif
6146	/* if (A == IPPROTO_NONE) goto end */
6147	s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6148	s[i]->s.jt = NULL;	/*later*/
6149	s[i]->s.jf = NULL;	/*update in next stmt*/
6150	s[i]->s.k = IPPROTO_NONE;
6151	s[fix5]->s.jf = s[i];
6152	fix2 = i;
6153	i++;
6154
6155	if (proto == Q_IPV6) {
6156		int v6start, v6end, v6advance, j;
6157
6158		v6start = i;
6159		/* if (A == IPPROTO_HOPOPTS) goto v6advance */
6160		s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6161		s[i]->s.jt = NULL;	/*later*/
6162		s[i]->s.jf = NULL;	/*update in next stmt*/
6163		s[i]->s.k = IPPROTO_HOPOPTS;
6164		s[fix2]->s.jf = s[i];
6165		i++;
6166		/* if (A == IPPROTO_DSTOPTS) goto v6advance */
6167		s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6168		s[i]->s.jt = NULL;	/*later*/
6169		s[i]->s.jf = NULL;	/*update in next stmt*/
6170		s[i]->s.k = IPPROTO_DSTOPTS;
6171		i++;
6172		/* if (A == IPPROTO_ROUTING) goto v6advance */
6173		s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6174		s[i]->s.jt = NULL;	/*later*/
6175		s[i]->s.jf = NULL;	/*update in next stmt*/
6176		s[i]->s.k = IPPROTO_ROUTING;
6177		i++;
6178		/* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6179		s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6180		s[i]->s.jt = NULL;	/*later*/
6181		s[i]->s.jf = NULL;	/*later*/
6182		s[i]->s.k = IPPROTO_FRAGMENT;
6183		fix3 = i;
6184		v6end = i;
6185		i++;
6186
6187		/* v6advance: */
6188		v6advance = i;
6189
6190		/*
6191		 * in short,
6192		 * A = P[X + packet head];
6193		 * X = X + (P[X + packet head + 1] + 1) * 8;
6194		 */
6195		/* A = P[X + packet head] */
6196		s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6197		s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6198		i++;
6199		/* MEM[reg2] = A */
6200		s[i] = new_stmt(cstate, BPF_ST);
6201		s[i]->s.k = reg2;
6202		i++;
6203		/* A = P[X + packet head + 1]; */
6204		s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6205		s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6206		i++;
6207		/* A += 1 */
6208		s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6209		s[i]->s.k = 1;
6210		i++;
6211		/* A *= 8 */
6212		s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6213		s[i]->s.k = 8;
6214		i++;
6215		/* A += X */
6216		s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6217		s[i]->s.k = 0;
6218		i++;
6219		/* X = A; */
6220		s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6221		i++;
6222		/* A = MEM[reg2] */
6223		s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6224		s[i]->s.k = reg2;
6225		i++;
6226
6227		/* goto again; (must use BPF_JA for backward jump) */
6228		s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6229		s[i]->s.k = again - i - 1;
6230		s[i - 1]->s.jf = s[i];
6231		i++;
6232
6233		/* fixup */
6234		for (j = v6start; j <= v6end; j++)
6235			s[j]->s.jt = s[v6advance];
6236	} else {
6237		/* nop */
6238		s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6239		s[i]->s.k = 0;
6240		s[fix2]->s.jf = s[i];
6241		i++;
6242	}
6243
6244	/* ahcheck: */
6245	ahcheck = i;
6246	/* if (A == IPPROTO_AH) then fall through; else goto end; */
6247	s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6248	s[i]->s.jt = NULL;	/*later*/
6249	s[i]->s.jf = NULL;	/*later*/
6250	s[i]->s.k = IPPROTO_AH;
6251	if (fix3)
6252		s[fix3]->s.jf = s[ahcheck];
6253	fix4 = i;
6254	i++;
6255
6256	/*
6257	 * in short,
6258	 * A = P[X];
6259	 * X = X + (P[X + 1] + 2) * 4;
6260	 */
6261	/* A = X */
6262	s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6263	i++;
6264	/* A = P[X + packet head]; */
6265	s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6266	s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6267	i++;
6268	/* MEM[reg2] = A */
6269	s[i] = new_stmt(cstate, BPF_ST);
6270	s[i]->s.k = reg2;
6271	i++;
6272	/* A = X */
6273	s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6274	i++;
6275	/* A += 1 */
6276	s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6277	s[i]->s.k = 1;
6278	i++;
6279	/* X = A */
6280	s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6281	i++;
6282	/* A = P[X + packet head] */
6283	s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6284	s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6285	i++;
6286	/* A += 2 */
6287	s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6288	s[i]->s.k = 2;
6289	i++;
6290	/* A *= 4 */
6291	s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6292	s[i]->s.k = 4;
6293	i++;
6294	/* X = A; */
6295	s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6296	i++;
6297	/* A = MEM[reg2] */
6298	s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6299	s[i]->s.k = reg2;
6300	i++;
6301
6302	/* goto again; (must use BPF_JA for backward jump) */
6303	s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6304	s[i]->s.k = again - i - 1;
6305	i++;
6306
6307	/* end: nop */
6308	end = i;
6309	s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6310	s[i]->s.k = 0;
6311	s[fix2]->s.jt = s[end];
6312	s[fix4]->s.jf = s[end];
6313	s[fix5]->s.jt = s[end];
6314	i++;
6315
6316	/*
6317	 * make slist chain
6318	 */
6319	max = i;
6320	for (i = 0; i < max - 1; i++)
6321		s[i]->next = s[i + 1];
6322	s[max - 1]->next = NULL;
6323
6324	/*
6325	 * emit final check
6326	 */
6327	b = new_block(cstate, JMP(BPF_JEQ));
6328	b->stmts = s[1];	/*remember, s[0] is dummy*/
6329	b->s.k = v;
6330
6331	free_reg(cstate, reg2);
6332
6333	gen_and(b0, b);
6334	return b;
6335#endif
6336}
6337
6338static struct block *
6339gen_check_802_11_data_frame(compiler_state_t *cstate)
6340{
6341	struct slist *s;
6342	struct block *b0, *b1;
6343
6344	/*
6345	 * A data frame has the 0x08 bit (b3) in the frame control field set
6346	 * and the 0x04 bit (b2) clear.
6347	 */
6348	s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6349	b0 = new_block(cstate, JMP(BPF_JSET));
6350	b0->s.k = 0x08;
6351	b0->stmts = s;
6352
6353	s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6354	b1 = new_block(cstate, JMP(BPF_JSET));
6355	b1->s.k = 0x04;
6356	b1->stmts = s;
6357	gen_not(b1);
6358
6359	gen_and(b1, b0);
6360
6361	return b0;
6362}
6363
6364/*
6365 * Generate code that checks whether the packet is a packet for protocol
6366 * <proto> and whether the type field in that protocol's header has
6367 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6368 * IP packet and checks the protocol number in the IP header against <v>.
6369 *
6370 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6371 * against Q_IP and Q_IPV6.
6372 */
6373static struct block *
6374gen_proto(compiler_state_t *cstate, int v, int proto, int dir)
6375{
6376	struct block *b0, *b1;
6377#ifndef CHASE_CHAIN
6378	struct block *b2;
6379#endif
6380
6381	if (dir != Q_DEFAULT)
6382		bpf_error(cstate, "direction applied to 'proto'");
6383
6384	switch (proto) {
6385	case Q_DEFAULT:
6386		b0 = gen_proto(cstate, v, Q_IP, dir);
6387		b1 = gen_proto(cstate, v, Q_IPV6, dir);
6388		gen_or(b0, b1);
6389		return b1;
6390
6391	case Q_LINK:
6392		return gen_linktype(cstate, v);
6393
6394	case Q_IP:
6395		/*
6396		 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6397		 * not LLC encapsulation with LLCSAP_IP.
6398		 *
6399		 * For IEEE 802 networks - which includes 802.5 token ring
6400		 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6401		 * says that SNAP encapsulation is used, not LLC encapsulation
6402		 * with LLCSAP_IP.
6403		 *
6404		 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6405		 * RFC 2225 say that SNAP encapsulation is used, not LLC
6406		 * encapsulation with LLCSAP_IP.
6407		 *
6408		 * So we always check for ETHERTYPE_IP.
6409		 */
6410		b0 = gen_linktype(cstate, ETHERTYPE_IP);
6411#ifndef CHASE_CHAIN
6412		b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v);
6413#else
6414		b1 = gen_protochain(cstate, v, Q_IP);
6415#endif
6416		gen_and(b0, b1);
6417		return b1;
6418
6419	case Q_ARP:
6420		bpf_error(cstate, "arp does not encapsulate another protocol");
6421		/*NOTREACHED*/
6422
6423	case Q_RARP:
6424		bpf_error(cstate, "rarp does not encapsulate another protocol");
6425		/*NOTREACHED*/
6426
6427	case Q_SCTP:
6428		bpf_error(cstate, "'sctp proto' is bogus");
6429		/*NOTREACHED*/
6430
6431	case Q_TCP:
6432		bpf_error(cstate, "'tcp proto' is bogus");
6433		/*NOTREACHED*/
6434
6435	case Q_UDP:
6436		bpf_error(cstate, "'udp proto' is bogus");
6437		/*NOTREACHED*/
6438
6439	case Q_ICMP:
6440		bpf_error(cstate, "'icmp proto' is bogus");
6441		/*NOTREACHED*/
6442
6443	case Q_IGMP:
6444		bpf_error(cstate, "'igmp proto' is bogus");
6445		/*NOTREACHED*/
6446
6447	case Q_IGRP:
6448		bpf_error(cstate, "'igrp proto' is bogus");
6449		/*NOTREACHED*/
6450
6451	case Q_ATALK:
6452		bpf_error(cstate, "AppleTalk encapsulation is not specifiable");
6453		/*NOTREACHED*/
6454
6455	case Q_DECNET:
6456		bpf_error(cstate, "DECNET encapsulation is not specifiable");
6457		/*NOTREACHED*/
6458
6459	case Q_LAT:
6460		bpf_error(cstate, "LAT does not encapsulate another protocol");
6461		/*NOTREACHED*/
6462
6463	case Q_SCA:
6464		bpf_error(cstate, "SCA does not encapsulate another protocol");
6465		/*NOTREACHED*/
6466
6467	case Q_MOPRC:
6468		bpf_error(cstate, "MOPRC does not encapsulate another protocol");
6469		/*NOTREACHED*/
6470
6471	case Q_MOPDL:
6472		bpf_error(cstate, "MOPDL does not encapsulate another protocol");
6473		/*NOTREACHED*/
6474
6475	case Q_IPV6:
6476		b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6477#ifndef CHASE_CHAIN
6478		/*
6479		 * Also check for a fragment header before the final
6480		 * header.
6481		 */
6482		b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6483		b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v);
6484		gen_and(b2, b1);
6485		b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v);
6486		gen_or(b2, b1);
6487#else
6488		b1 = gen_protochain(cstate, v, Q_IPV6);
6489#endif
6490		gen_and(b0, b1);
6491		return b1;
6492
6493	case Q_ICMPV6:
6494		bpf_error(cstate, "'icmp6 proto' is bogus");
6495		/*NOTREACHED*/
6496
6497	case Q_AH:
6498		bpf_error(cstate, "'ah proto' is bogus");
6499		/*NOTREACHED*/
6500
6501	case Q_ESP:
6502		bpf_error(cstate, "'ah proto' is bogus");
6503		/*NOTREACHED*/
6504
6505	case Q_PIM:
6506		bpf_error(cstate, "'pim proto' is bogus");
6507		/*NOTREACHED*/
6508
6509	case Q_VRRP:
6510		bpf_error(cstate, "'vrrp proto' is bogus");
6511		/*NOTREACHED*/
6512
6513	case Q_AARP:
6514		bpf_error(cstate, "'aarp proto' is bogus");
6515		/*NOTREACHED*/
6516
6517	case Q_ISO:
6518		switch (cstate->linktype) {
6519
6520		case DLT_FRELAY:
6521			/*
6522			 * Frame Relay packets typically have an OSI
6523			 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6524			 * generates code to check for all the OSI
6525			 * NLPIDs, so calling it and then adding a check
6526			 * for the particular NLPID for which we're
6527			 * looking is bogus, as we can just check for
6528			 * the NLPID.
6529			 *
6530			 * What we check for is the NLPID and a frame
6531			 * control field value of UI, i.e. 0x03 followed
6532			 * by the NLPID.
6533			 *
6534			 * XXX - assumes a 2-byte Frame Relay header with
6535			 * DLCI and flags.  What if the address is longer?
6536			 *
6537			 * XXX - what about SNAP-encapsulated frames?
6538			 */
6539			return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6540			/*NOTREACHED*/
6541
6542		case DLT_C_HDLC:
6543			/*
6544			 * Cisco uses an Ethertype lookalike - for OSI,
6545			 * it's 0xfefe.
6546			 */
6547			b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6548			/* OSI in C-HDLC is stuffed with a fudge byte */
6549			b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v);
6550			gen_and(b0, b1);
6551			return b1;
6552
6553		default:
6554			b0 = gen_linktype(cstate, LLCSAP_ISONS);
6555			b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v);
6556			gen_and(b0, b1);
6557			return b1;
6558		}
6559
6560	case Q_ESIS:
6561		bpf_error(cstate, "'esis proto' is bogus");
6562		/*NOTREACHED*/
6563
6564	case Q_ISIS:
6565		b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6566		/*
6567		 * 4 is the offset of the PDU type relative to the IS-IS
6568		 * header.
6569		 */
6570		b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v);
6571		gen_and(b0, b1);
6572		return b1;
6573
6574	case Q_CLNP:
6575		bpf_error(cstate, "'clnp proto' is not supported");
6576		/*NOTREACHED*/
6577
6578	case Q_STP:
6579		bpf_error(cstate, "'stp proto' is bogus");
6580		/*NOTREACHED*/
6581
6582	case Q_IPX:
6583		bpf_error(cstate, "'ipx proto' is bogus");
6584		/*NOTREACHED*/
6585
6586	case Q_NETBEUI:
6587		bpf_error(cstate, "'netbeui proto' is bogus");
6588		/*NOTREACHED*/
6589
6590	case Q_ISIS_L1:
6591		bpf_error(cstate, "'l1 proto' is bogus");
6592		/*NOTREACHED*/
6593
6594	case Q_ISIS_L2:
6595		bpf_error(cstate, "'l2 proto' is bogus");
6596		/*NOTREACHED*/
6597
6598	case Q_ISIS_IIH:
6599		bpf_error(cstate, "'iih proto' is bogus");
6600		/*NOTREACHED*/
6601
6602	case Q_ISIS_SNP:
6603		bpf_error(cstate, "'snp proto' is bogus");
6604		/*NOTREACHED*/
6605
6606	case Q_ISIS_CSNP:
6607		bpf_error(cstate, "'csnp proto' is bogus");
6608		/*NOTREACHED*/
6609
6610	case Q_ISIS_PSNP:
6611		bpf_error(cstate, "'psnp proto' is bogus");
6612		/*NOTREACHED*/
6613
6614	case Q_ISIS_LSP:
6615		bpf_error(cstate, "'lsp proto' is bogus");
6616		/*NOTREACHED*/
6617
6618	case Q_RADIO:
6619		bpf_error(cstate, "'radio proto' is bogus");
6620		/*NOTREACHED*/
6621
6622	case Q_CARP:
6623		bpf_error(cstate, "'carp proto' is bogus");
6624		/*NOTREACHED*/
6625
6626	default:
6627		abort();
6628		/*NOTREACHED*/
6629	}
6630	/*NOTREACHED*/
6631}
6632
6633struct block *
6634gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6635{
6636	int proto = q.proto;
6637	int dir = q.dir;
6638	int tproto;
6639	u_char *eaddr;
6640	bpf_u_int32 mask, addr;
6641	struct addrinfo *res, *res0;
6642	struct sockaddr_in *sin4;
6643#ifdef INET6
6644	int tproto6;
6645	struct sockaddr_in6 *sin6;
6646	struct in6_addr mask128;
6647#endif /*INET6*/
6648	struct block *b, *tmp;
6649	int port, real_proto;
6650	int port1, port2;
6651
6652	/*
6653	 * Catch errors reported by us and routines below us, and return NULL
6654	 * on an error.
6655	 */
6656	if (setjmp(cstate->top_ctx))
6657		return (NULL);
6658
6659	switch (q.addr) {
6660
6661	case Q_NET:
6662		addr = pcap_nametonetaddr(name);
6663		if (addr == 0)
6664			bpf_error(cstate, "unknown network '%s'", name);
6665		/* Left justify network addr and calculate its network mask */
6666		mask = 0xffffffff;
6667		while (addr && (addr & 0xff000000) == 0) {
6668			addr <<= 8;
6669			mask <<= 8;
6670		}
6671		return gen_host(cstate, addr, mask, proto, dir, q.addr);
6672
6673	case Q_DEFAULT:
6674	case Q_HOST:
6675		if (proto == Q_LINK) {
6676			switch (cstate->linktype) {
6677
6678			case DLT_EN10MB:
6679			case DLT_NETANALYZER:
6680			case DLT_NETANALYZER_TRANSPARENT:
6681				eaddr = pcap_ether_hostton(name);
6682				if (eaddr == NULL)
6683					bpf_error(cstate,
6684					    "unknown ether host '%s'", name);
6685				tmp = gen_prevlinkhdr_check(cstate);
6686				b = gen_ehostop(cstate, eaddr, dir);
6687				if (tmp != NULL)
6688					gen_and(tmp, b);
6689				free(eaddr);
6690				return b;
6691
6692			case DLT_FDDI:
6693				eaddr = pcap_ether_hostton(name);
6694				if (eaddr == NULL)
6695					bpf_error(cstate,
6696					    "unknown FDDI host '%s'", name);
6697				b = gen_fhostop(cstate, eaddr, dir);
6698				free(eaddr);
6699				return b;
6700
6701			case DLT_IEEE802:
6702				eaddr = pcap_ether_hostton(name);
6703				if (eaddr == NULL)
6704					bpf_error(cstate,
6705					    "unknown token ring host '%s'", name);
6706				b = gen_thostop(cstate, eaddr, dir);
6707				free(eaddr);
6708				return b;
6709
6710			case DLT_IEEE802_11:
6711			case DLT_PRISM_HEADER:
6712			case DLT_IEEE802_11_RADIO_AVS:
6713			case DLT_IEEE802_11_RADIO:
6714			case DLT_PPI:
6715				eaddr = pcap_ether_hostton(name);
6716				if (eaddr == NULL)
6717					bpf_error(cstate,
6718					    "unknown 802.11 host '%s'", name);
6719				b = gen_wlanhostop(cstate, eaddr, dir);
6720				free(eaddr);
6721				return b;
6722
6723			case DLT_IP_OVER_FC:
6724				eaddr = pcap_ether_hostton(name);
6725				if (eaddr == NULL)
6726					bpf_error(cstate,
6727					    "unknown Fibre Channel host '%s'", name);
6728				b = gen_ipfchostop(cstate, eaddr, dir);
6729				free(eaddr);
6730				return b;
6731			}
6732
6733			bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6734		} else if (proto == Q_DECNET) {
6735			unsigned short dn_addr;
6736
6737			if (!__pcap_nametodnaddr(name, &dn_addr)) {
6738#ifdef	DECNETLIB
6739				bpf_error(cstate, "unknown decnet host name '%s'\n", name);
6740#else
6741				bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
6742					name);
6743#endif
6744			}
6745			/*
6746			 * I don't think DECNET hosts can be multihomed, so
6747			 * there is no need to build up a list of addresses
6748			 */
6749			return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
6750		} else {
6751#ifdef INET6
6752			memset(&mask128, 0xff, sizeof(mask128));
6753#endif
6754			res0 = res = pcap_nametoaddrinfo(name);
6755			if (res == NULL)
6756				bpf_error(cstate, "unknown host '%s'", name);
6757			cstate->ai = res;
6758			b = tmp = NULL;
6759			tproto = proto;
6760#ifdef INET6
6761			tproto6 = proto;
6762#endif
6763			if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6764			    tproto == Q_DEFAULT) {
6765				tproto = Q_IP;
6766#ifdef INET6
6767				tproto6 = Q_IPV6;
6768#endif
6769			}
6770			for (res = res0; res; res = res->ai_next) {
6771				switch (res->ai_family) {
6772				case AF_INET:
6773#ifdef INET6
6774					if (tproto == Q_IPV6)
6775						continue;
6776#endif
6777
6778					sin4 = (struct sockaddr_in *)
6779						res->ai_addr;
6780					tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6781						0xffffffff, tproto, dir, q.addr);
6782					break;
6783#ifdef INET6
6784				case AF_INET6:
6785					if (tproto6 == Q_IP)
6786						continue;
6787
6788					sin6 = (struct sockaddr_in6 *)
6789						res->ai_addr;
6790					tmp = gen_host6(cstate, &sin6->sin6_addr,
6791						&mask128, tproto6, dir, q.addr);
6792					break;
6793#endif
6794				default:
6795					continue;
6796				}
6797				if (b)
6798					gen_or(b, tmp);
6799				b = tmp;
6800			}
6801			cstate->ai = NULL;
6802			freeaddrinfo(res0);
6803			if (b == NULL) {
6804				bpf_error(cstate, "unknown host '%s'%s", name,
6805				    (proto == Q_DEFAULT)
6806					? ""
6807					: " for specified address family");
6808			}
6809			return b;
6810		}
6811
6812	case Q_PORT:
6813		if (proto != Q_DEFAULT &&
6814		    proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6815			bpf_error(cstate, "illegal qualifier of 'port'");
6816		if (pcap_nametoport(name, &port, &real_proto) == 0)
6817			bpf_error(cstate, "unknown port '%s'", name);
6818		if (proto == Q_UDP) {
6819			if (real_proto == IPPROTO_TCP)
6820				bpf_error(cstate, "port '%s' is tcp", name);
6821			else if (real_proto == IPPROTO_SCTP)
6822				bpf_error(cstate, "port '%s' is sctp", name);
6823			else
6824				/* override PROTO_UNDEF */
6825				real_proto = IPPROTO_UDP;
6826		}
6827		if (proto == Q_TCP) {
6828			if (real_proto == IPPROTO_UDP)
6829				bpf_error(cstate, "port '%s' is udp", name);
6830
6831			else if (real_proto == IPPROTO_SCTP)
6832				bpf_error(cstate, "port '%s' is sctp", name);
6833			else
6834				/* override PROTO_UNDEF */
6835				real_proto = IPPROTO_TCP;
6836		}
6837		if (proto == Q_SCTP) {
6838			if (real_proto == IPPROTO_UDP)
6839				bpf_error(cstate, "port '%s' is udp", name);
6840
6841			else if (real_proto == IPPROTO_TCP)
6842				bpf_error(cstate, "port '%s' is tcp", name);
6843			else
6844				/* override PROTO_UNDEF */
6845				real_proto = IPPROTO_SCTP;
6846		}
6847		if (port < 0)
6848			bpf_error(cstate, "illegal port number %d < 0", port);
6849		if (port > 65535)
6850			bpf_error(cstate, "illegal port number %d > 65535", port);
6851		b = gen_port(cstate, port, real_proto, dir);
6852		gen_or(gen_port6(cstate, port, real_proto, dir), b);
6853		return b;
6854
6855	case Q_PORTRANGE:
6856		if (proto != Q_DEFAULT &&
6857		    proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6858			bpf_error(cstate, "illegal qualifier of 'portrange'");
6859		if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6860			bpf_error(cstate, "unknown port in range '%s'", name);
6861		if (proto == Q_UDP) {
6862			if (real_proto == IPPROTO_TCP)
6863				bpf_error(cstate, "port in range '%s' is tcp", name);
6864			else if (real_proto == IPPROTO_SCTP)
6865				bpf_error(cstate, "port in range '%s' is sctp", name);
6866			else
6867				/* override PROTO_UNDEF */
6868				real_proto = IPPROTO_UDP;
6869		}
6870		if (proto == Q_TCP) {
6871			if (real_proto == IPPROTO_UDP)
6872				bpf_error(cstate, "port in range '%s' is udp", name);
6873			else if (real_proto == IPPROTO_SCTP)
6874				bpf_error(cstate, "port in range '%s' is sctp", name);
6875			else
6876				/* override PROTO_UNDEF */
6877				real_proto = IPPROTO_TCP;
6878		}
6879		if (proto == Q_SCTP) {
6880			if (real_proto == IPPROTO_UDP)
6881				bpf_error(cstate, "port in range '%s' is udp", name);
6882			else if (real_proto == IPPROTO_TCP)
6883				bpf_error(cstate, "port in range '%s' is tcp", name);
6884			else
6885				/* override PROTO_UNDEF */
6886				real_proto = IPPROTO_SCTP;
6887		}
6888		if (port1 < 0)
6889			bpf_error(cstate, "illegal port number %d < 0", port1);
6890		if (port1 > 65535)
6891			bpf_error(cstate, "illegal port number %d > 65535", port1);
6892		if (port2 < 0)
6893			bpf_error(cstate, "illegal port number %d < 0", port2);
6894		if (port2 > 65535)
6895			bpf_error(cstate, "illegal port number %d > 65535", port2);
6896
6897		b = gen_portrange(cstate, port1, port2, real_proto, dir);
6898		gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
6899		return b;
6900
6901	case Q_GATEWAY:
6902#ifndef INET6
6903		eaddr = pcap_ether_hostton(name);
6904		if (eaddr == NULL)
6905			bpf_error(cstate, "unknown ether host: %s", name);
6906
6907		res = pcap_nametoaddrinfo(name);
6908		cstate->ai = res;
6909		if (res == NULL)
6910			bpf_error(cstate, "unknown host '%s'", name);
6911		b = gen_gateway(cstate, eaddr, res, proto, dir);
6912		cstate->ai = NULL;
6913		freeaddrinfo(res);
6914		if (b == NULL)
6915			bpf_error(cstate, "unknown host '%s'", name);
6916		return b;
6917#else
6918		bpf_error(cstate, "'gateway' not supported in this configuration");
6919#endif /*INET6*/
6920
6921	case Q_PROTO:
6922		real_proto = lookup_proto(cstate, name, proto);
6923		if (real_proto >= 0)
6924			return gen_proto(cstate, real_proto, proto, dir);
6925		else
6926			bpf_error(cstate, "unknown protocol: %s", name);
6927
6928	case Q_PROTOCHAIN:
6929		real_proto = lookup_proto(cstate, name, proto);
6930		if (real_proto >= 0)
6931			return gen_protochain(cstate, real_proto, proto, dir);
6932		else
6933			bpf_error(cstate, "unknown protocol: %s", name);
6934
6935	case Q_UNDEF:
6936		syntax(cstate);
6937		/*NOTREACHED*/
6938	}
6939	abort();
6940	/*NOTREACHED*/
6941}
6942
6943struct block *
6944gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
6945    unsigned int masklen, struct qual q)
6946{
6947	register int nlen, mlen;
6948	bpf_u_int32 n, m;
6949
6950	/*
6951	 * Catch errors reported by us and routines below us, and return NULL
6952	 * on an error.
6953	 */
6954	if (setjmp(cstate->top_ctx))
6955		return (NULL);
6956
6957	nlen = __pcap_atoin(s1, &n);
6958	if (nlen < 0)
6959		bpf_error(cstate, "invalid IPv4 address '%s'", s1);
6960	/* Promote short ipaddr */
6961	n <<= 32 - nlen;
6962
6963	if (s2 != NULL) {
6964		mlen = __pcap_atoin(s2, &m);
6965		if (mlen < 0)
6966			bpf_error(cstate, "invalid IPv4 address '%s'", s2);
6967		/* Promote short ipaddr */
6968		m <<= 32 - mlen;
6969		if ((n & ~m) != 0)
6970			bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
6971			    s1, s2);
6972	} else {
6973		/* Convert mask len to mask */
6974		if (masklen > 32)
6975			bpf_error(cstate, "mask length must be <= 32");
6976		if (masklen == 0) {
6977			/*
6978			 * X << 32 is not guaranteed by C to be 0; it's
6979			 * undefined.
6980			 */
6981			m = 0;
6982		} else
6983			m = 0xffffffff << (32 - masklen);
6984		if ((n & ~m) != 0)
6985			bpf_error(cstate, "non-network bits set in \"%s/%d\"",
6986			    s1, masklen);
6987	}
6988
6989	switch (q.addr) {
6990
6991	case Q_NET:
6992		return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
6993
6994	default:
6995		bpf_error(cstate, "Mask syntax for networks only");
6996		/*NOTREACHED*/
6997	}
6998	/*NOTREACHED*/
6999}
7000
7001struct block *
7002gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
7003{
7004	bpf_u_int32 mask;
7005	int proto;
7006	int dir;
7007	register int vlen;
7008
7009	/*
7010	 * Catch errors reported by us and routines below us, and return NULL
7011	 * on an error.
7012	 */
7013	if (setjmp(cstate->top_ctx))
7014		return (NULL);
7015
7016	proto = q.proto;
7017	dir = q.dir;
7018	if (s == NULL)
7019		vlen = 32;
7020	else if (q.proto == Q_DECNET) {
7021		vlen = __pcap_atodn(s, &v);
7022		if (vlen == 0)
7023			bpf_error(cstate, "malformed decnet address '%s'", s);
7024	} else {
7025		vlen = __pcap_atoin(s, &v);
7026		if (vlen < 0)
7027			bpf_error(cstate, "invalid IPv4 address '%s'", s);
7028	}
7029
7030	switch (q.addr) {
7031
7032	case Q_DEFAULT:
7033	case Q_HOST:
7034	case Q_NET:
7035		if (proto == Q_DECNET)
7036			return gen_host(cstate, v, 0, proto, dir, q.addr);
7037		else if (proto == Q_LINK) {
7038			bpf_error(cstate, "illegal link layer address");
7039		} else {
70