Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21

[libpcap] / pcap-pf.c
diff --git a/pcap-pf.c b/pcap-pf.c

index dbb6de153b87d65252cb485d88062a53e8b05b6f..bd27933eff69e312717d908b9202e1ed7fdb2c20 100644 (file)
--- a/pcap-pf.c
+++ b/pcap-pf.c
@@ -22,13 +22,8 @@
   *     Extraction/creation by Jeffrey Mogul, DECWRL
   */
  
   *     Extraction/creation by Jeffrey Mogul, DECWRL
   */
  
-#ifndef lint
-static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/libpcap/pcap-pf.c,v 1.68 2002-08-02 03:28:05 guy Exp $ (LBL)";
-#endif
-
  #ifdef HAVE_CONFIG_H
  #ifdef HAVE_CONFIG_H
-#include "config.h"
+#include <config.h>
  #endif
  
  #include <sys/types.h>
  #endif
  
  #include <sys/types.h>
@@ -53,7 +48,6 @@ struct rtentry;
  #include <netinet/tcp.h>
  #include <netinet/tcpip.h>
  
  #include <netinet/tcp.h>
  #include <netinet/tcpip.h>
  
-#include <ctype.h>
  #include <errno.h>
  #include <netdb.h>
  #include <stdio.h>
  #include <errno.h>
  #include <netdb.h>
  #include <stdio.h>
@@ -61,12 +55,39 @@ struct rtentry;
  #include <string.h>
  #include <unistd.h>
  
  #include <string.h>
  #include <unistd.h>
  
+/*
+ * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the
+ * native OS version, as we need various BPF ioctls from it.
+ */
+#define PCAP_DONT_INCLUDE_PCAP_BPF_H
+#include <net/bpf.h>
+
  #include "pcap-int.h"
  
  #ifdef HAVE_OS_PROTO_H
  #include "os-proto.h"
  #endif
  
  #include "pcap-int.h"
  
  #ifdef HAVE_OS_PROTO_H
  #include "os-proto.h"
  #endif
  
+/*
+ * FDDI packets are padded to make everything line up on a nice boundary.
+ */
+#define       PCAP_FDDIPAD 3
+
+/*
+ * Private data for capturing on Ultrix and DEC OSF/1^WDigital UNIX^W^W
+ * Tru64 UNIX packetfilter devices.
+ */
+struct pcap_pf {
+       int     filtering_in_kernel; /* using kernel filter */
+       u_long  TotPkts;        /* can't oflow for 79 hrs on ether */
+       u_long  TotAccepted;    /* count accepted by filter */
+       u_long  TotDrops;       /* count of dropped packets */
+       long    TotMissed;      /* missed by i/f during this run */
+       long    OrigMissed;     /* missed by i/f before this run */
+};
+
+static int pcap_setfilter_pf(pcap_t *, struct bpf_program *);
+
  /*
   * BUFSPACE is the size in bytes of the packet read buffer.  Most tcpdump
   * applications aren't going to need more than 200 bytes of packet header
  /*
   * BUFSPACE is the size in bytes of the packet read buffer.  Most tcpdump
   * applications aren't going to need more than 200 bytes of packet header
@@ -75,21 +96,16 @@ struct rtentry;
   */
  #define BUFSPACE (200 * 256)
  
   */
  #define BUFSPACE (200 * 256)
  
-int
-pcap_read(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
+static int
+pcap_read_pf(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
  {
  {
+       struct pcap_pf *pf = pc->priv;
         register u_char *p, *bp;
         register u_char *p, *bp;
-       struct bpf_insn *fcode;
         register int cc, n, buflen, inc;
         register struct enstamp *sp;
         register int cc, n, buflen, inc;
         register struct enstamp *sp;
-#ifdef LBL_ALIGN
         struct enstamp stamp;
         struct enstamp stamp;
-#endif
-#ifdef PCAP_FDDIPAD
-       register int pad;
-#endif
+       register u_int pad;
  
  
-       fcode = pc->md.use_bpf ? NULL : pc->fcode.bf_insns;
   again:
         cc = pc->cc;
         if (cc == 0) {
   again:
         cc = pc->cc;
         if (cc == 0) {
@@ -108,35 +124,50 @@ pcap_read(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
                                 (void)lseek(pc->fd, 0L, SEEK_SET);
                                 goto again;
                         }
                                 (void)lseek(pc->fd, 0L, SEEK_SET);
                                 goto again;
                         }
-                       snprintf(pc->errbuf, sizeof(pc->errbuf), "pf read: %s",
-                               pcap_strerror(errno));
+                       pcap_fmt_errmsg_for_errno(pc->errbuf,
+                           sizeof(pc->errbuf), errno, "pf read");
                         return (-1);
                 }
                         return (-1);
                 }
-               bp = pc->buffer + pc->offset;
+               bp = (u_char *)pc->buffer + pc->offset;
         } else
                 bp = pc->bp;
         /*
          * Loop through each packet.
         } else
                 bp = pc->bp;
         /*
          * Loop through each packet.
+        *
+        * This assumes that a single buffer of packets will have
+        * <= INT_MAX packets, so the packet count doesn't overflow.
          */
         n = 0;
          */
         n = 0;
-#ifdef PCAP_FDDIPAD
-       if (pc->linktype == DLT_FDDI)
-               pad = pcap_fddipad;
-       else
-               pad = 0;
-#endif
+       pad = pc->fddipad;
         while (cc > 0) {
         while (cc > 0) {
+               /*
+                * Has "pcap_breakloop()" been called?
+                * If so, return immediately - if we haven't read any
+                * packets, clear the flag and return -2 to indicate
+                * that we were told to break out of the loop, otherwise
+                * leave the flag set, so that the *next* call will break
+                * out of the loop without having read any packets, and
+                * return the number of packets we've processed so far.
+                */
+               if (pc->break_loop) {
+                       if (n == 0) {
+                               pc->break_loop = 0;
+                               return (-2);
+                       } else {
+                               pc->cc = cc;
+                               pc->bp = bp;
+                               return (n);
+                       }
+               }
                 if (cc < sizeof(*sp)) {
                         snprintf(pc->errbuf, sizeof(pc->errbuf),
                             "pf short read (%d)", cc);
                         return (-1);
                 }
                 if (cc < sizeof(*sp)) {
                         snprintf(pc->errbuf, sizeof(pc->errbuf),
                             "pf short read (%d)", cc);
                         return (-1);
                 }
-#ifdef LBL_ALIGN
                 if ((long)bp & 3) {
                         sp = &stamp;
                         memcpy((char *)sp, (char *)bp, sizeof(*sp));
                 } else
                 if ((long)bp & 3) {
                         sp = &stamp;
                         memcpy((char *)sp, (char *)bp, sizeof(*sp));
                 } else
-#endif
                         sp = (struct enstamp *)bp;
                 if (sp->ens_stamplen != sizeof(*sp)) {
                         snprintf(pc->errbuf, sizeof(pc->errbuf),
                         sp = (struct enstamp *)bp;
                 if (sp->ens_stamplen != sizeof(*sp)) {
                         snprintf(pc->errbuf, sizeof(pc->errbuf),
@@ -154,33 +185,34 @@ pcap_read(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
                 inc = ENALIGN(buflen + sp->ens_stamplen);
                 cc -= inc;
                 bp += inc;
                 inc = ENALIGN(buflen + sp->ens_stamplen);
                 cc -= inc;
                 bp += inc;
-#ifdef PCAP_FDDIPAD
-               p += pad;
-               buflen -= pad;
-#endif
-               pc->md.TotPkts++;
-               pc->md.TotDrops += sp->ens_dropped;
-               pc->md.TotMissed = sp->ens_ifoverflows;
-               if (pc->md.OrigMissed < 0)
-                       pc->md.OrigMissed = pc->md.TotMissed;
+               pf->TotPkts++;
+               pf->TotDrops += sp->ens_dropped;
+               pf->TotMissed = sp->ens_ifoverflows;
+               if (pf->OrigMissed < 0)
+                       pf->OrigMissed = pf->TotMissed;
  
                 /*
                  * Short-circuit evaluation: if using BPF filter
  
                 /*
                  * Short-circuit evaluation: if using BPF filter
-                * in kernel, no need to do it now.
+                * in kernel, no need to do it now - we already know
+                * the packet passed the filter.
+                *
+                * Note: the filter code was generated assuming
+                * that pc->fddipad was the amount of padding
+                * before the header, as that's what's required
+                * in the kernel, so we run the filter before
+                * skipping that padding.
                  */
                  */
-               if (fcode == NULL ||
-                   bpf_filter(fcode, p, sp->ens_count, buflen)) {
+               if (pf->filtering_in_kernel ||
+                   pcap_filter(pc->fcode.bf_insns, p, sp->ens_count, buflen)) {
                         struct pcap_pkthdr h;
                         struct pcap_pkthdr h;
-                       pc->md.TotAccepted++;
+                       pf->TotAccepted++;
                         h.ts = sp->ens_tstamp;
                         h.ts = sp->ens_tstamp;
-#ifdef PCAP_FDDIPAD
                         h.len = sp->ens_count - pad;
                         h.len = sp->ens_count - pad;
-#else
-                       h.len = sp->ens_count;
-#endif
+                       p += pad;
+                       buflen -= pad;
                         h.caplen = buflen;
                         (*callback)(user, &h, p);
                         h.caplen = buflen;
                         (*callback)(user, &h, p);
-                       if (++n >= cnt && cnt > 0) {
+                       if (++n >= cnt && !PACKET_COUNT_IS_UNLIMITED(cnt)) {
                                 pc->cc = cc;
                                 pc->bp = bp;
                                 return (n);
                                 pc->cc = cc;
                                 pc->bp = bp;
                                 return (n);
@@ -191,9 +223,24 @@ pcap_read(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
         return (n);
  }
  
         return (n);
  }
  
-int
-pcap_stats(pcap_t *p, struct pcap_stat *ps)
+static int
+pcap_inject_pf(pcap_t *p, const void *buf, int size)
  {
  {
+       int ret;
+
+       ret = write(p->fd, buf, size);
+       if (ret == -1) {
+               pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                   errno, "send");
+               return (-1);
+       }
+       return (ret);
+}
+
+static int
+pcap_stats_pf(pcap_t *p, struct pcap_stat *ps)
+{
+       struct pcap_pf *pf = p->priv;
  
         /*
          * If packet filtering is being done in the kernel:
  
         /*
          * If packet filtering is being done in the kernel:
@@ -212,7 +259,7 @@ pcap_stats(pcap_t *p, struct pcap_stat *ps)
          *      full.
          *
          *      "ps_ifdrop" counts packets dropped by the network
          *      full.
          *
          *      "ps_ifdrop" counts packets dropped by the network
-        *      inteface (regardless of whether they would have passed
+        *      interface (regardless of whether they would have passed
          *      the input filter, of course).
          *
          * If packet filtering is not being done in the kernel:
          *      the input filter, of course).
          *
          * If packet filtering is not being done in the kernel:
@@ -224,49 +271,98 @@ pcap_stats(pcap_t *p, struct pcap_stat *ps)
          *      the userland filter.
          *
          *      "ps_ifdrop" counts packets dropped by the network
          *      the userland filter.
          *
          *      "ps_ifdrop" counts packets dropped by the network
-        *      inteface (regardless of whether they would have passed
+        *      interface (regardless of whether they would have passed
          *      the input filter, of course).
          *
          * These statistics don't include packets not yet read from
          * the kernel by libpcap, but they may include packets not
          * yet read from libpcap by the application.
          */
          *      the input filter, of course).
          *
          * These statistics don't include packets not yet read from
          * the kernel by libpcap, but they may include packets not
          * yet read from libpcap by the application.
          */
-       ps->ps_recv = p->md.TotAccepted;
-       ps->ps_drop = p->md.TotDrops;
-       ps->ps_ifdrop = p->md.TotMissed - p->md.OrigMissed;
+       ps->ps_recv = pf->TotAccepted;
+       ps->ps_drop = pf->TotDrops;
+       ps->ps_ifdrop = pf->TotMissed - pf->OrigMissed;
         return (0);
  }
  
         return (0);
  }
  
-pcap_t *
-pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
+/*
+ * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably
+ * don't get DLT_DOCSIS defined.
+ */
+#ifndef DLT_DOCSIS
+#define DLT_DOCSIS     143
+#endif
+
+static int
+pcap_activate_pf(pcap_t *p)
  {
  {
-       pcap_t *p;
+       struct pcap_pf *pf = p->priv;
         short enmode;
         int backlog = -1;       /* request the most */
         struct enfilter Filter;
         struct endevp devparams;
         short enmode;
         int backlog = -1;       /* request the most */
         struct enfilter Filter;
         struct endevp devparams;
+       int err;
  
  
-       p = (pcap_t *)malloc(sizeof(*p));
-       if (p == NULL) {
-               snprintf(ebuf, PCAP_ERRBUF_SIZE,
-                   "pcap_open_live: %s", pcap_strerror(errno));
-               return (0);
-       }
-       memset(p, 0, sizeof(*p));
-       p->fd = pfopen(device, O_RDONLY);
+       /*
+        * Initially try a read/write open (to allow the inject
+        * method to work).  If that fails due to permission
+        * issues, fall back to read-only.  This allows a
+        * non-root user to be granted specific access to pcap
+        * capabilities via file permissions.
+        *
+        * XXX - we should have an API that has a flag that
+        * controls whether to open read-only or read-write,
+        * so that denial of permission to send (or inability
+        * to send, if sending packets isn't supported on
+        * the device in question) can be indicated at open
+        * time.
+        *
+        * XXX - we assume here that "pfopen()" does not, in fact, modify
+        * its argument, even though it takes a "char *" rather than a
+        * "const char *" as its first argument.  That appears to be
+        * the case, at least on Digital UNIX 4.0.
+        *
+        * XXX - is there an error that means "no such device"?  Is
+        * there one that means "that device doesn't support pf"?
+        */
+       p->fd = pfopen(p->opt.device, O_RDWR);
+       if (p->fd == -1 && errno == EACCES)
+               p->fd = pfopen(p->opt.device, O_RDONLY);
         if (p->fd < 0) {
         if (p->fd < 0) {
-               snprintf(ebuf, PCAP_ERRBUF_SIZE, "pf open: %s: %s\n\
-your system may not be properly configured; see the packetfilter(4) man page\n"
-                       device, pcap_strerror(errno));
+               if (errno == EACCES) {
+                       snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
+                           "pf open: %s: Permission denied\n"
+"your system may not be properly configured; see the packetfilter(4) man page",
+                           p->opt.device);
+                       err = PCAP_ERROR_PERM_DENIED;
+               } else {
+                       pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                           errno, "pf open: %s", p->opt.device);
+                       err = PCAP_ERROR;
+               }
                 goto bad;
         }
                 goto bad;
         }
-       p->md.OrigMissed = -1;
-       enmode = ENTSTAMP|ENBATCH|ENNONEXCL;
-       if (promisc)
+
+       /*
+        * Turn a negative snapshot value (invalid), a snapshot value of
+        * 0 (unspecified), or a value bigger than the normal maximum
+        * value, into the maximum allowed value.
+        *
+        * If some application really *needs* a bigger snapshot
+        * length, we should just increase MAXIMUM_SNAPLEN.
+        */
+       if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN)
+               p->snapshot = MAXIMUM_SNAPLEN;
+
+       pf->OrigMissed = -1;
+       enmode = ENTSTAMP|ENNONEXCL;
+       if (!p->opt.immediate)
+               enmode |= ENBATCH;
+       if (p->opt.promisc)
                 enmode |= ENPROMISC;
         if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) {
                 enmode |= ENPROMISC;
         if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) {
-               snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCMBIS: %s",
-                   pcap_strerror(errno));
+               pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                   errno, "EIOCMBIS");
+               err = PCAP_ERROR;
                 goto bad;
         }
  #ifdef ENCOPYALL
                 goto bad;
         }
  #ifdef ENCOPYALL
@@ -276,14 +372,16 @@ your system may not be properly configured; see the packetfilter(4) man page\n"
  #endif
         /* set the backlog */
         if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) {
  #endif
         /* set the backlog */
         if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) {
-               snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCSETW: %s",
-                   pcap_strerror(errno));
+               pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                   errno, "EIOCSETW");
+               err = PCAP_ERROR;
                 goto bad;
         }
         /* discover interface type */
         if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) {
                 goto bad;
         }
         /* discover interface type */
         if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) {
-               snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCDEVP: %s",
-                   pcap_strerror(errno));
+               pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                   errno, "EIOCDEVP");
+               err = PCAP_ERROR;
                 goto bad;
         }
         /* HACK: to compile prior to Ultrix 4.2 */
                 goto bad;
         }
         /* HACK: to compile prior to Ultrix 4.2 */
@@ -295,6 +393,25 @@ your system may not be properly configured; see the packetfilter(4) man page\n"
         case ENDT_10MB:
                 p->linktype = DLT_EN10MB;
                 p->offset = 2;
         case ENDT_10MB:
                 p->linktype = DLT_EN10MB;
                 p->offset = 2;
+               /*
+                * This is (presumably) a real Ethernet capture; give it a
+                * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
+                * that an application can let you choose it, in case you're
+                * capturing DOCSIS traffic that a Cisco Cable Modem
+                * Termination System is putting out onto an Ethernet (it
+                * doesn't put an Ethernet header onto the wire, it puts raw
+                * DOCSIS frames out on the wire inside the low-level
+                * Ethernet framing).
+                */
+               p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
+               /*
+                * If that fails, just leave the list empty.
+                */
+               if (p->dlt_list != NULL) {
+                       p->dlt_list[0] = DLT_EN10MB;
+                       p->dlt_list[1] = DLT_DOCSIS;
+                       p->dlt_count = 2;
+               }
                 break;
  
         case ENDT_FDDI:
                 break;
  
         case ENDT_FDDI:
@@ -345,93 +462,220 @@ your system may not be properly configured; see the packetfilter(4) man page\n"
                  * framing", there's not much we can do, as that
                  * doesn't specify a particular type of header.
                  */
                  * framing", there's not much we can do, as that
                  * doesn't specify a particular type of header.
                  */
-               snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown data-link type %u",
-                   devparams.end_dev_type);
+               snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
+                   "unknown data-link type %u", devparams.end_dev_type);
+               err = PCAP_ERROR;
                 goto bad;
         }
         /* set truncation */
                 goto bad;
         }
         /* set truncation */
-#ifdef PCAP_FDDIPAD
-       if (p->linktype == DLT_FDDI)
+       if (p->linktype == DLT_FDDI) {
+               p->fddipad = PCAP_FDDIPAD;
+
                 /* packetfilter includes the padding in the snapshot */
                 /* packetfilter includes the padding in the snapshot */
-               snaplen += pcap_fddipad;
-#endif
-       if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&snaplen) < 0) {
-               snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCTRUNCATE: %s",
-                   pcap_strerror(errno));
+               p->snapshot += PCAP_FDDIPAD;
+       } else
+               p->fddipad = 0;
+       if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&p->snapshot) < 0) {
+               pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                   errno, "EIOCTRUNCATE");
+               err = PCAP_ERROR;
                 goto bad;
         }
                 goto bad;
         }
-       p->snapshot = snaplen;
         /* accept all packets */
         memset(&Filter, 0, sizeof(Filter));
         Filter.enf_Priority = 37;       /* anything > 2 */
         Filter.enf_FilterLen = 0;       /* means "always true" */
         if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) {
         /* accept all packets */
         memset(&Filter, 0, sizeof(Filter));
         Filter.enf_Priority = 37;       /* anything > 2 */
         Filter.enf_FilterLen = 0;       /* means "always true" */
         if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) {
-               snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCSETF: %s",
-                   pcap_strerror(errno));
+               pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                   errno, "EIOCSETF");
+               err = PCAP_ERROR;
                 goto bad;
         }
  
                 goto bad;
         }
  
-       if (to_ms != 0) {
+       if (p->opt.timeout != 0) {
                 struct timeval timeout;
                 struct timeval timeout;
-               timeout.tv_sec = to_ms / 1000;
-               timeout.tv_usec = (to_ms * 1000) % 1000000;
+               timeout.tv_sec = p->opt.timeout / 1000;
+               timeout.tv_usec = (p->opt.timeout * 1000) % 1000000;
                 if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) {
                 if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) {
-                       snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCSRTIMEOUT: %s",
-                               pcap_strerror(errno));
+                       pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                           errno, "EIOCSRTIMEOUT");
+                       err = PCAP_ERROR;
                         goto bad;
                 }
         }
                         goto bad;
                 }
         }
+
         p->bufsize = BUFSPACE;
         p->bufsize = BUFSPACE;
-       p->buffer = (u_char*)malloc(p->bufsize + p->offset);
+       p->buffer = malloc(p->bufsize + p->offset);
+       if (p->buffer == NULL) {
+               pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
+                   errno, "malloc");
+               err = PCAP_ERROR;
+               goto bad;
+       }
  
  
-       return (p);
+       /*
+        * "select()" and "poll()" work on packetfilter devices.
+        */
+       p->selectable_fd = p->fd;
+
+       p->read_op = pcap_read_pf;
+       p->inject_op = pcap_inject_pf;
+       p->setfilter_op = pcap_setfilter_pf;
+       p->setdirection_op = NULL;      /* Not implemented. */
+       p->set_datalink_op = NULL;      /* can't change data link type */
+       p->getnonblock_op = pcap_getnonblock_fd;
+       p->setnonblock_op = pcap_setnonblock_fd;
+       p->stats_op = pcap_stats_pf;
+
+       return (0);
   bad:
   bad:
-       if (p->fd >= 0)
-               close(p->fd);
-       free(p);
-       return (NULL);
+       pcap_cleanup_live_common(p);
+       return (err);
  }
  
  }
  
-int
-pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
+pcap_t *
+pcap_create_interface(const char *device _U_, char *ebuf)
  {
  {
+       pcap_t *p;
+
+       p = PCAP_CREATE_COMMON(ebuf, struct pcap_pf);
+       if (p == NULL)
+               return (NULL);
+
+       p->activate_op = pcap_activate_pf;
+       return (p);
+}
+
+/*
+ * XXX - is there an error from pfopen() that means "no such device"?
+ * Is there one that means "that device doesn't support pf"?
+ */
+static int
+can_be_bound(const char *name _U_)
+{
+       return (1);
+}
+
+static int
+get_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_)
+{
+       /*
+        * Nothing we can do other than mark loopback devices as "the
+        * connected/disconnected status doesn't apply".
+        *
+        * XXX - is there a way to find out whether an adapter has
+        * something plugged into it?
+        */
+       if (*flags & PCAP_IF_LOOPBACK) {
+               /*
+                * Loopback devices aren't wireless, and "connected"/
+                * "disconnected" doesn't apply to them.
+                */
+               *flags |= PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE;
+               return (0);
+       }
         return (0);
  }
  
  int
         return (0);
  }
  
  int
-pcap_setfilter(pcap_t *p, struct bpf_program *fp)
+pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
  {
  {
+       return (pcap_findalldevs_interfaces(devlistp, errbuf, can_be_bound,
+           get_if_flags));
+}
+
+static int
+pcap_setfilter_pf(pcap_t *p, struct bpf_program *fp)
+{
+       struct pcap_pf *pf = p->priv;
+       struct bpf_version bv;
+
         /*
         /*
-        * See if BIOCSETF works.  If it does, the kernel supports
-        * BPF-style filters, and we do not need to do post-filtering.
+        * See if BIOCVERSION works.  If not, we assume the kernel doesn't
+        * support BPF-style filters (it's not documented in the bpf(7)
+        * or packetfiler(7) man pages, but the code used to fail if
+        * BIOCSETF worked but BIOCVERSION didn't, and I've seen it do
+        * kernel filtering in DU 4.0, so presumably BIOCVERSION works
+        * there, at least).
          */
          */
-       p->md.use_bpf = (ioctl(p->fd, BIOCSETF, (caddr_t)fp) >= 0);
-       if (p->md.use_bpf) {
-               struct bpf_version bv;
+       if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) >= 0) {
+               /*
+                * OK, we have the version of the BPF interpreter;
+                * is it the same major version as us, and the same
+                * or better minor version?
+                */
+               if (bv.bv_major == BPF_MAJOR_VERSION &&
+                   bv.bv_minor >= BPF_MINOR_VERSION) {
+                       /*
+                        * Yes.  Try to install the filter.
+                        */
+                       if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
+                               pcap_fmt_errmsg_for_errno(p->errbuf,
+                                   sizeof(p->errbuf), errno, "BIOCSETF");
+                               return (-1);
+                       }
  
  
-               if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) < 0) {
-                       snprintf(p->errbuf, sizeof(p->errbuf),
-                           "BIOCVERSION: %s", pcap_strerror(errno));
-                       return (-1);
-               }
-               else if (bv.bv_major != BPF_MAJOR_VERSION ||
-                        bv.bv_minor < BPF_MINOR_VERSION) {
-                       fprintf(stderr,
-               "requires bpf language %d.%d or higher; kernel is %d.%d",
-                               BPF_MAJOR_VERSION, BPF_MINOR_VERSION,
-                             bv.bv_major, bv.bv_minor);
-                       /* don't give up, just be inefficient */
-                       p->md.use_bpf = 0;
+                       /*
+                        * OK, that succeeded.  We're doing filtering in
+                        * the kernel.  (We assume we don't have a
+                        * userland filter installed - that'd require
+                        * a previous version check to have failed but
+                        * this one to succeed.)
+                        *
+                        * XXX - this message should be supplied to the
+                        * application as a warning of some sort,
+                        * except that if it's a GUI application, it's
+                        * not clear that it should be displayed in
+                        * a window to annoy the user.
+                        */
+                       fprintf(stderr, "tcpdump: Using kernel BPF filter\n");
+                       pf->filtering_in_kernel = 1;
+
+                       /*
+                        * Discard any previously-received packets,
+                        * as they might have passed whatever filter
+                        * was formerly in effect, but might not pass
+                        * this filter (BIOCSETF discards packets buffered
+                        * in the kernel, so you can lose packets in any
+                        * case).
+                        */
+                       p->cc = 0;
+                       return (0);
                 }
                 }
-       } else {
-               if (install_bpf_program(p, fp) < 0)
-                       return (-1);
+
+               /*
+                * We can't use the kernel's BPF interpreter; don't give
+                * up, just log a message and be inefficient.
+                *
+                * XXX - this should really be supplied to the application
+                * as a warning of some sort.
+                */
+               fprintf(stderr,
+           "tcpdump: Requires BPF language %d.%d or higher; kernel is %d.%d\n",
+                   BPF_MAJOR_VERSION, BPF_MINOR_VERSION,
+                   bv.bv_major, bv.bv_minor);
         }
  
         }
  
-       /*XXX this goes in tcpdump*/
-       if (p->md.use_bpf)
-               fprintf(stderr, "tcpdump: Using kernel BPF filter\n");
-       else
-               fprintf(stderr, "tcpdump: Filtering in user process\n");
+       /*
+        * We couldn't do filtering in the kernel; do it in userland.
+        */
+       if (install_bpf_program(p, fp) < 0)
+               return (-1);
+
+       /*
+        * XXX - this message should be supplied by the application as
+        * a warning of some sort.
+        */
+       fprintf(stderr, "tcpdump: Filtering in user process\n");
+       pf->filtering_in_kernel = 0;
         return (0);
  }
         return (0);
  }
+
+/*
+ * Libpcap version string.
+ */
+const char *
+pcap_lib_version(void)
+{
+       return (PCAP_VERSION_STRING);
+}