]> The Tcpdump Group git mirrors - libpcap/blobdiff - gencode.c
projects / libpcap / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add to the beginning a note from Rick Jones that 11i (11.11) and later
[libpcap] / gencode.c
diff --git a/gencode.c b/gencode.c
index 71aec3d9a7d0855f6cd411e9f687193cd21ea635..535f4a64b262997527dd831a3485f7a6cdbd399e 100644 (file)
--- a/gencode.c
+++ b/gencode.c
@@ -20,8 +20,8 @@
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  */
 #ifndef lint
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  */
 #ifndef lint
-static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.177 2002-08-08 09:09:58 guy Exp $ (LBL)";
+static const char rcsid[] _U_ =
+    "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.216 2005-01-12 09:02:55 hannes Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -33,7 +33,6 @@ static const char rcsid[] =
 #else /* WIN32 */
 #include <sys/types.h>
 #include <sys/socket.h>
 #else /* WIN32 */
 #include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/time.h>
 #endif /* WIN32 */
 
 /*
 #endif /* WIN32 */
 
 /*
@@ -59,6 +58,10 @@ static const char rcsid[] =
 #include <setjmp.h>
 #include <stdarg.h>
 
 #include <setjmp.h>
 #include <stdarg.h>
 
+#ifdef MSDOS
+#include "pcap-dos.h"
+#endif
+
 #include "pcap-int.h"
 
 #include "ethertype.h"
 #include "pcap-int.h"
 
 #include "ethertype.h"
@@ -70,6 +73,10 @@ static const char rcsid[] =
 #include "ppp.h"
 #include "sll.h"
 #include "arcnet.h"
 #include "ppp.h"
 #include "sll.h"
 #include "arcnet.h"
+#include "pf.h"
+#ifndef offsetof
+#define offsetof(s, e) ((size_t)&((s *)0)->e)
+#endif
 #ifdef INET6
 #ifndef WIN32
 #include <netdb.h>     /* for "struct addrinfo" */
 #ifdef INET6
 #ifndef WIN32
 #include <netdb.h>     /* for "struct addrinfo" */
@@ -93,14 +100,12 @@ static const char rcsid[] =
 static jmp_buf top_ctx;
 static pcap_t *bpf_pcap;
 
 static jmp_buf top_ctx;
 static pcap_t *bpf_pcap;
 
-/* Hack for updating VLAN offsets. */
-static u_int   orig_linktype = -1, orig_nl = -1, orig_nl_nosnap = -1;
+/* Hack for updating VLAN, MPLS offsets. */
+static u_int   orig_linktype = -1U, orig_nl = -1U, orig_nl_nosnap = -1U;
 
 /* XXX */
 #ifdef PCAP_FDDIPAD
 
 /* XXX */
 #ifdef PCAP_FDDIPAD
-int    pcap_fddipad = PCAP_FDDIPAD;
-#else
-int    pcap_fddipad;
+static int     pcap_fddipad;
 #endif
 
 /* VARARGS */
 #endif
 
 /* VARARGS */
@@ -119,7 +124,7 @@ bpf_error(const char *fmt, ...)
        /* NOTREACHED */
 }
 
        /* NOTREACHED */
 }
 
-static void init_linktype(int);
+static void init_linktype(pcap_t *);
 
 static int alloc_reg(void);
 static void free_reg(int);
 
 static int alloc_reg(void);
 static void free_reg(int);
@@ -129,8 +134,10 @@ static struct block *root;
 /*
  * We divy out chunks of memory rather than call malloc each time so
  * we don't have to worry about leaking memory.  It's probably
 /*
  * We divy out chunks of memory rather than call malloc each time so
  * we don't have to worry about leaking memory.  It's probably
- * not a big deal if all this memory was wasted but it this ever
+ * not a big deal if all this memory was wasted but if this ever
  * goes into a library that would probably not be a good idea.
  * goes into a library that would probably not be a good idea.
+ *
+ * XXX - this *is* in a library....
  */
 #define NCHUNKS 16
 #define CHUNK0SIZE 1024
  */
 #define NCHUNKS 16
 #define CHUNK0SIZE 1024
@@ -160,6 +167,8 @@ static struct block *gen_ncmp(bpf_u_int32, bpf_u_int32, bpf_u_int32,
 static struct block *gen_uncond(int);
 static inline struct block *gen_true(void);
 static inline struct block *gen_false(void);
 static struct block *gen_uncond(int);
 static inline struct block *gen_true(void);
 static inline struct block *gen_false(void);
+static struct block *gen_ether_linktype(int);
+static struct block *gen_linux_sll_linktype(int);
 static struct block *gen_linktype(int);
 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
 static struct block *gen_llc(int);
 static struct block *gen_linktype(int);
 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
 static struct block *gen_llc(int);
@@ -172,6 +181,7 @@ static struct block *gen_ehostop(const u_char *, int);
 static struct block *gen_fhostop(const u_char *, int);
 static struct block *gen_thostop(const u_char *, int);
 static struct block *gen_wlanhostop(const u_char *, int);
 static struct block *gen_fhostop(const u_char *, int);
 static struct block *gen_thostop(const u_char *, int);
 static struct block *gen_wlanhostop(const u_char *, int);
+static struct block *gen_ipfchostop(const u_char *, int);
 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
 #ifdef INET6
 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
 #ifdef INET6
@@ -206,7 +216,8 @@ newchunk(n)
        u_int n;
 {
        struct chunk *cp;
        u_int n;
 {
        struct chunk *cp;
-       int k, size;
+       int k;
+       size_t size;
 
 #ifndef __NetBSD__
        /* XXX Round up to nearest long. */
 
 #ifndef __NetBSD__
        /* XXX Round up to nearest long. */
@@ -223,6 +234,8 @@ newchunk(n)
                        bpf_error("out of memory");
                size = CHUNK0SIZE << k;
                cp->m = (void *)malloc(size);
                        bpf_error("out of memory");
                size = CHUNK0SIZE << k;
                cp->m = (void *)malloc(size);
+               if (cp->m == NULL)
+                       bpf_error("out of memory");
                memset((char *)cp->m, 0, size);
                cp->n_left = size;
                if (n > size)
                memset((char *)cp->m, 0, size);
                cp->n_left = size;
                if (n > size)
@@ -331,7 +344,7 @@ pcap_compile(pcap_t *p, struct bpf_program *program,
        }
 
        lex_init(buf ? buf : "");
        }
 
        lex_init(buf ? buf : "");
-       init_linktype(pcap_datalink(p));
+       init_linktype(p);
        (void)pcap_parse();
 
        if (n_errors)
        (void)pcap_parse();
 
        if (n_errors)
@@ -568,15 +581,15 @@ gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
 {
        struct slist *s;
        struct block *b;
 {
        struct slist *s;
        struct block *b;
+
        s = new_stmt(BPF_LD|datasize|BPF_ABS);
        s->s.k = offset;
        s = new_stmt(BPF_LD|datasize|BPF_ABS);
        s->s.k = offset;
+
        if (mask != 0xffffffff) {
                s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
                s->next->s.k = mask;
        }
        if (mask != 0xffffffff) {
                s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
                s->next->s.k = mask;
        }
+
        b = new_block(JMP(jtype));
        b->stmts = s;
        b->s.k = jvalue;
        b = new_block(JMP(jtype));
        b->stmts = s;
        b->s.k = jvalue;
@@ -590,6 +603,12 @@ gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
  * layer.  These variables give the necessary offsets.
  */
 
  * layer.  These variables give the necessary offsets.
  */
 
+/*
+ * This is the offset of the beginning of the MAC-layer header.
+ * It's usually 0, except for ATM LANE.
+ */
+static u_int off_mac;
+
 /*
  * "off_linktype" is the offset to information in the link-layer header
  * giving the packet type.
 /*
  * "off_linktype" is the offset to information in the link-layer header
  * giving the packet type.
@@ -616,6 +635,12 @@ static u_int off_linktype;
  */
 static int is_atm = 0;
 
  */
 static int is_atm = 0;
 
+/*
+ * TRUE if "lane" appeared in the filter; it causes us to generate
+ * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
+ */
+static int is_lane = 0;
+
 /*
  * These are offsets for the ATM pseudo-header.
  */
 /*
  * These are offsets for the ATM pseudo-header.
  */
@@ -624,9 +649,10 @@ static u_int off_vci;
 static u_int off_proto;
 
 /*
 static u_int off_proto;
 
 /*
- * This is the offset to the message type for Q.2931 messages.
+ * This is the offset of the first byte after the ATM pseudo_header,
+ * or -1 if there is no ATM pseudo-header.
  */
  */
-static u_int off_msg_type;
+static u_int off_payload;
 
 /*
  * These are offsets to the beginning of the network-layer header.
 
 /*
  * These are offsets to the beginning of the network-layer header.
@@ -656,32 +682,43 @@ static u_int off_nl_nosnap;
 static int linktype;
 
 static void
 static int linktype;
 
 static void
-init_linktype(type)
-       int type;
+init_linktype(p)
+       pcap_t *p;
 {
 {
-       linktype = type;
+       linktype = pcap_datalink(p);
+#ifdef PCAP_FDDIPAD
+       pcap_fddipad = p->fddipad;
+#endif
 
        /*
         * Assume it's not raw ATM with a pseudo-header, for now.
         */
 
        /*
         * Assume it's not raw ATM with a pseudo-header, for now.
         */
+       off_mac = 0;
        is_atm = 0;
        is_atm = 0;
+       is_lane = 0;
        off_vpi = -1;
        off_vci = -1;
        off_proto = -1;
        off_vpi = -1;
        off_vci = -1;
        off_proto = -1;
-       off_msg_type = -1;
+       off_payload = -1;
 
        orig_linktype = -1;
        orig_nl = -1;
        orig_nl_nosnap = -1;
 
 
        orig_linktype = -1;
        orig_nl = -1;
        orig_nl_nosnap = -1;
 
-       switch (type) {
+       switch (linktype) {
 
        case DLT_ARCNET:
                off_linktype = 2;
 
        case DLT_ARCNET:
                off_linktype = 2;
-               off_nl = 6;     /* XXX in reality, variable! */
+               off_nl = 6;             /* XXX in reality, variable! */
                off_nl_nosnap = 6;      /* no 802.2 LLC */
                return;
 
                off_nl_nosnap = 6;      /* no 802.2 LLC */
                return;
 
+       case DLT_ARCNET_LINUX:
+               off_linktype = 4;
+               off_nl = 8;             /* XXX in reality, variable! */
+               off_nl_nosnap = 8;      /* no 802.2 LLC */
+               return;
+
        case DLT_EN10MB:
                off_linktype = 12;
                off_nl = 14;            /* Ethernet II */
        case DLT_EN10MB:
                off_linktype = 12;
                off_nl = 14;            /* Ethernet II */
@@ -713,7 +750,14 @@ init_linktype(type)
                off_nl_nosnap = 4;      /* no 802.2 LLC */
                return;
 
                off_nl_nosnap = 4;      /* no 802.2 LLC */
                return;
 
+       case DLT_ENC:
+               off_linktype = 0;
+               off_nl = 12;
+               off_nl_nosnap = 12;     /* no 802.2 LLC */
+               return;
+
        case DLT_PPP:
        case DLT_PPP:
+       case DLT_PPP_WITHDIRECTION:
        case DLT_C_HDLC:                /* BSD/OS Cisco HDLC */
        case DLT_PPP_SERIAL:            /* NetBSD sync/async serial PPP */
                off_linktype = 2;
        case DLT_C_HDLC:                /* BSD/OS Cisco HDLC */
        case DLT_PPP_SERIAL:            /* NetBSD sync/async serial PPP */
                off_linktype = 2;
@@ -798,7 +842,9 @@ init_linktype(type)
                 *
                 * XXX - the header is actually variable-length.  We
                 * assume a 24-byte link-layer header, as appears in
                 *
                 * XXX - the header is actually variable-length.  We
                 * assume a 24-byte link-layer header, as appears in
-                * data frames in networks with no bridges.
+                * data frames in networks with no bridges.  If the
+                * fromds and tods 802.11 header bits are both set,
+                * it's actually supposed to be 30 bytes.
                 */
                off_linktype = 24;
                off_nl = 32;            /* 802.11+802.2+SNAP */
                 */
                off_linktype = 24;
                off_nl = 32;            /* 802.11+802.2+SNAP */
@@ -821,6 +867,49 @@ init_linktype(type)
                off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
                return;
 
                off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
                return;
 
+       case DLT_IEEE802_11_RADIO_AVS:
+               /*
+                * Same as 802.11, but with an additional header before
+                * the 802.11 header, containing a bunch of additional
+                * information including radio-level information.
+                *
+                * The header is 64 bytes long, at least in its
+                * current incarnation.
+                *
+                * XXX - same variable-length header problem, only
+                * more so; this header is also variable-length,
+                * with the length being the 32-bit big-endian
+                * number at an offset of 4 from the beginning
+                * of the radio header.
+                */
+               off_linktype = 64+24;
+               off_nl = 64+32;         /* Radio+802.11+802.2+SNAP */
+               off_nl_nosnap = 64+27;  /* Radio+802.11+802.2 */
+               return;
+
+       case DLT_IEEE802_11_RADIO:
+               /*
+                * Same as 802.11, but with an additional header before
+                * the 802.11 header, containing a bunch of additional
+                * information including radio-level information.
+                *
+                * XXX - same variable-length header problem, only
+                * even *more* so; this header is also variable-length,
+                * with the length being the 16-bit number at an offset
+                * of 2 from the beginning of the radio header, and it's
+                * device-dependent (different devices might supply
+                * different amounts of information), so we can't even
+                * assume a fixed length for the current version of the
+                * header.
+                *
+                * Therefore, currently, only raw "link[N:M]" filtering is
+                * supported.
+                */
+               off_linktype = -1;
+               off_nl = -1;
+               off_nl_nosnap = -1;
+               return;
+
        case DLT_ATM_RFC1483:
        case DLT_ATM_CLIP:      /* Linux ATM defines this */
                /*
        case DLT_ATM_RFC1483:
        case DLT_ATM_CLIP:      /* Linux ATM defines this */
                /*
@@ -838,13 +927,14 @@ init_linktype(type)
                 * pseudo-header.
                 */
                is_atm = 1;
                 * pseudo-header.
                 */
                is_atm = 1;
-               off_linktype = SUNATM_PKT_BEGIN_POS;
                off_vpi = SUNATM_VPI_POS;
                off_vci = SUNATM_VCI_POS;
                off_proto = PROTO_POS;
                off_vpi = SUNATM_VPI_POS;
                off_vci = SUNATM_VCI_POS;
                off_proto = PROTO_POS;
-               off_msg_type = SUNATM_PKT_BEGIN_POS+MSG_TYPE_POS;
-               off_nl = SUNATM_PKT_BEGIN_POS+8;        /* 802.2+SNAP */
-               off_nl_nosnap = SUNATM_PKT_BEGIN_POS+3; /* 802.2 */
+               off_mac = -1;   /* LLC-encapsulated, so no MAC-layer header */
+               off_payload = SUNATM_PKT_BEGIN_POS;
+               off_linktype = off_payload;
+               off_nl = off_payload+8;         /* 802.2+SNAP */
+               off_nl_nosnap = off_payload+3;  /* 802.2 */
                return;
 
        case DLT_RAW:
                return;
 
        case DLT_RAW:
@@ -870,6 +960,22 @@ init_linktype(type)
                off_nl_nosnap = 0;      /* no 802.2 LLC */
                return;
 
                off_nl_nosnap = 0;      /* no 802.2 LLC */
                return;
 
+       case DLT_IP_OVER_FC:
+               /*
+                * RFC 2625 IP-over-Fibre-Channel doesn't really have a
+                * link-level type field.  We set "off_linktype" to the
+                * offset of the LLC header.
+                *
+                * To check for Ethernet types, we assume that SSAP = SNAP
+                * is being used and pick out the encapsulated Ethernet type.
+                * XXX - should we generate code to check for SNAP? RFC
+                * 2625 says SNAP should be used.
+                */
+               off_linktype = 16;
+               off_nl = 24;            /* IPFC+802.2+SNAP */
+               off_nl_nosnap = 19;     /* IPFC+802.2 */
+               return;
+
        case DLT_FRELAY:
                /*
                 * XXX - we should set this to handle SNAP-encapsulated
        case DLT_FRELAY:
                /*
                 * XXX - we should set this to handle SNAP-encapsulated
@@ -879,6 +985,69 @@ init_linktype(type)
                off_nl = 0;
                off_nl_nosnap = 0;      /* no 802.2 LLC */
                return;
                off_nl = 0;
                off_nl_nosnap = 0;      /* no 802.2 LLC */
                return;
+
+       case DLT_APPLE_IP_OVER_IEEE1394:
+               off_linktype = 16;
+               off_nl = 18;
+               off_nl_nosnap = 0;      /* no 802.2 LLC */
+               return;
+
+       case DLT_LINUX_IRDA:
+               /*
+                * Currently, only raw "link[N:M]" filtering is supported.
+                */
+               off_linktype = -1;
+               off_nl = -1;
+               off_nl_nosnap = -1;
+               return;
+
+       case DLT_DOCSIS:
+               /*
+                * Currently, only raw "link[N:M]" filtering is supported.
+                */
+               off_linktype = -1;
+               off_nl = -1;
+               off_nl_nosnap = -1;
+               return;
+
+       case DLT_SYMANTEC_FIREWALL:
+               off_linktype = 6;
+               off_nl = 44;            /* Ethernet II */
+               off_nl_nosnap = 44;     /* XXX - what does it do with 802.3 packets? */
+               return;
+
+       case DLT_PFLOG:
+               off_linktype = 0;
+               /* XXX read from header? */
+               off_nl = PFLOG_HDRLEN;
+               off_nl_nosnap = PFLOG_HDRLEN;
+               return;
+
+        case DLT_JUNIPER_MLPPP:
+                off_linktype = 4;
+               off_nl = 4;
+               off_nl_nosnap = -1;
+                break;
+
+       case DLT_JUNIPER_ATM1:
+               off_linktype = 4; /* in reality variable between 4-8 */
+               off_nl = 4;
+               off_nl_nosnap = 14;
+               return;
+
+       case DLT_JUNIPER_ATM2:
+               off_linktype = 8; /* in reality variable between 8-12 */
+               off_nl = 8;
+               off_nl_nosnap = 18;
+               return;
+
+#ifdef DLT_PFSYNC
+       case DLT_PFSYNC:
+               off_linktype = -1;
+               off_nl = 4;
+               off_nl_nosnap = 4;
+               return;
+#endif
        }
        bpf_error("unknown data link type %d", linktype);
        /* NOTREACHED */
        }
        bpf_error("unknown data link type %d", linktype);
        /* NOTREACHED */
@@ -920,361 +1089,431 @@ gen_false()
 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
 
 static struct block *
 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
 
 static struct block *
-gen_linktype(proto)
+gen_ether_linktype(proto)
        register int proto;
 {
        register int proto;
 {
-       struct block *b0, *b1, *b2;
+       struct block *b0, *b1;
 
 
-       switch (linktype) {
+       switch (proto) {
 
 
-       case DLT_EN10MB:
-               switch (proto) {
+       case LLCSAP_ISONS:
+               /*
+                * OSI protocols always use 802.2 encapsulation.
+                * XXX - should we check both the DSAP and the
+                * SSAP, like this, or should we check just the
+                * DSAP?
+                */
+               b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
+               gen_not(b0);
+               b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
+                            ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
+               gen_and(b0, b1);
+               return b1;
 
 
-               case LLCSAP_ISONS:
-                       /*
-                        * OSI protocols always use 802.2 encapsulation.
-                        * XXX - should we check both the DSAP and the
-                        * SSAP, like this, or should we check just the
-                        * DSAP?
-                        */
-                       b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
-                       gen_not(b0);
-                       b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
-                                    ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
-                       gen_and(b0, b1);
-                       return b1;
+       case LLCSAP_IP:
+               b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
+               gen_not(b0);
+               b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
+                            ((LLCSAP_IP << 8) | LLCSAP_IP));
+               gen_and(b0, b1);
+               return b1;
 
 
-               case LLCSAP_NETBEUI:
-                       /*
-                        * NetBEUI always uses 802.2 encapsulation.
-                        * XXX - should we check both the DSAP and the
-                        * SSAP, like this, or should we check just the
-                        * DSAP?
-                        */
-                       b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
-                       gen_not(b0);
-                       b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
-                                    ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
-                       gen_and(b0, b1);
-                       return b1;
+       case LLCSAP_NETBEUI:
+               /*
+                * NetBEUI always uses 802.2 encapsulation.
+                * XXX - should we check both the DSAP and the
+                * SSAP, like this, or should we check just the
+                * DSAP?
+                */
+               b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
+               gen_not(b0);
+               b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
+                            ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
+               gen_and(b0, b1);
+               return b1;
 
 
-               case LLCSAP_IPX:
-                       /*
-                        * Check for;
-                        *
-                        *      Ethernet_II frames, which are Ethernet
-                        *      frames with a frame type of ETHERTYPE_IPX;
-                        *
-                        *      Ethernet_802.3 frames, which are 802.3
-                        *      frames (i.e., the type/length field is
-                        *      a length field, <= ETHERMTU, rather than
-                        *      a type field) with the first two bytes
-                        *      after the Ethernet/802.3 header being
-                        *      0xFFFF;
-                        *
-                        *      Ethernet_802.2 frames, which are 802.3
-                        *      frames with an 802.2 LLC header and
-                        *      with the IPX LSAP as the DSAP in the LLC
-                        *      header;
-                        *
-                        *      Ethernet_SNAP frames, which are 802.3
-                        *      frames with an LLC header and a SNAP
-                        *      header and with an OUI of 0x000000
-                        *      (encapsulated Ethernet) and a protocol
-                        *      ID of ETHERTYPE_IPX in the SNAP header.
-                        *
-                        * XXX - should we generate the same code both
-                        * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
-                        */
+       case LLCSAP_IPX:
+               /*
+                * Check for;
+                *
+                *      Ethernet_II frames, which are Ethernet
+                *      frames with a frame type of ETHERTYPE_IPX;
+                *
+                *      Ethernet_802.3 frames, which are 802.3
+                *      frames (i.e., the type/length field is
+                *      a length field, <= ETHERMTU, rather than
+                *      a type field) with the first two bytes
+                *      after the Ethernet/802.3 header being
+                *      0xFFFF;
+                *
+                *      Ethernet_802.2 frames, which are 802.3
+                *      frames with an 802.2 LLC header and
+                *      with the IPX LSAP as the DSAP in the LLC
+                *      header;
+                *
+                *      Ethernet_SNAP frames, which are 802.3
+                *      frames with an LLC header and a SNAP
+                *      header and with an OUI of 0x000000
+                *      (encapsulated Ethernet) and a protocol
+                *      ID of ETHERTYPE_IPX in the SNAP header.
+                *
+                * XXX - should we generate the same code both
+                * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
+                */
 
 
-                       /*
-                        * This generates code to check both for the
-                        * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
-                        */
-                       b0 = gen_cmp(off_linktype + 2, BPF_B,
-                           (bpf_int32)LLCSAP_IPX);
-                       b1 = gen_cmp(off_linktype + 2, BPF_H,
-                           (bpf_int32)0xFFFF);
-                       gen_or(b0, b1);
+               /*
+                * This generates code to check both for the
+                * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
+                */
+               b0 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)LLCSAP_IPX);
+               b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)0xFFFF);
+               gen_or(b0, b1);
 
 
-                       /*
-                        * Now we add code to check for SNAP frames with
-                        * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
-                        */
-                       b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
-                       gen_or(b0, b1);
+               /*
+                * Now we add code to check for SNAP frames with
+                * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
+                */
+               b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
+               gen_or(b0, b1);
 
 
-                       /*
-                        * Now we generate code to check for 802.3
-                        * frames in general.
-                        */
-                       b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
-                       gen_not(b0);
+               /*
+                * Now we generate code to check for 802.3
+                * frames in general.
+                */
+               b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
+               gen_not(b0);
 
 
-                       /*
-                        * Now add the check for 802.3 frames before the
-                        * check for Ethernet_802.2 and Ethernet_802.3,
-                        * as those checks should only be done on 802.3
-                        * frames, not on Ethernet frames.
-                        */
-                       gen_and(b0, b1);
+               /*
+                * Now add the check for 802.3 frames before the
+                * check for Ethernet_802.2 and Ethernet_802.3,
+                * as those checks should only be done on 802.3
+                * frames, not on Ethernet frames.
+                */
+               gen_and(b0, b1);
 
 
-                       /*
-                        * Now add the check for Ethernet_II frames, and
-                        * do that before checking for the other frame
-                        * types.
-                        */
-                       b0 = gen_cmp(off_linktype, BPF_H,
-                           (bpf_int32)ETHERTYPE_IPX);
-                       gen_or(b0, b1);
-                       return b1;
+               /*
+                * Now add the check for Ethernet_II frames, and
+                * do that before checking for the other frame
+                * types.
+                */
+               b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)ETHERTYPE_IPX);
+               gen_or(b0, b1);
+               return b1;
 
 
-               case ETHERTYPE_ATALK:
-               case ETHERTYPE_AARP:
-                       /*
-                        * EtherTalk (AppleTalk protocols on Ethernet link
-                        * layer) may use 802.2 encapsulation.
-                        */
+       case ETHERTYPE_ATALK:
+       case ETHERTYPE_AARP:
+               /*
+                * EtherTalk (AppleTalk protocols on Ethernet link
+                * layer) may use 802.2 encapsulation.
+                */
+
+               /*
+                * Check for 802.2 encapsulation (EtherTalk phase 2?);
+                * we check for an Ethernet type field less than
+                * 1500, which means it's an 802.3 length field.
+                */
+               b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
+               gen_not(b0);
+
+               /*
+                * 802.2-encapsulated ETHERTYPE_ATALK packets are
+                * SNAP packets with an organization code of
+                * 0x080007 (Apple, for Appletalk) and a protocol
+                * type of ETHERTYPE_ATALK (Appletalk).
+                *
+                * 802.2-encapsulated ETHERTYPE_AARP packets are
+                * SNAP packets with an organization code of
+                * 0x000000 (encapsulated Ethernet) and a protocol
+                * type of ETHERTYPE_AARP (Appletalk ARP).
+                */
+               if (proto == ETHERTYPE_ATALK)
+                       b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
+               else    /* proto == ETHERTYPE_AARP */
+                       b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
+               gen_and(b0, b1);
 
 
+               /*
+                * Check for Ethernet encapsulation (Ethertalk
+                * phase 1?); we just check for the Ethernet
+                * protocol type.
+                */
+               b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
+
+               gen_or(b0, b1);
+               return b1;
+
+       default:
+               if (proto <= ETHERMTU) {
                        /*
                        /*
-                        * Check for 802.2 encapsulation (EtherTalk phase 2?);
-                        * we check for an Ethernet type field less than
-                        * 1500, which means it's an 802.3 length field.
+                        * This is an LLC SAP value, so the frames
+                        * that match would be 802.2 frames.
+                        * Check that the frame is an 802.2 frame
+                        * (i.e., that the length/type field is
+                        * a length field, <= ETHERMTU) and
+                        * then check the DSAP.
                         */
                        b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
                        gen_not(b0);
                         */
                        b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
                        gen_not(b0);
-
-                       /*
-                        * 802.2-encapsulated ETHERTYPE_ATALK packets are
-                        * SNAP packets with an organization code of
-                        * 0x080007 (Apple, for Appletalk) and a protocol
-                        * type of ETHERTYPE_ATALK (Appletalk).
-                        *
-                        * 802.2-encapsulated ETHERTYPE_AARP packets are
-                        * SNAP packets with an organization code of
-                        * 0x000000 (encapsulated Ethernet) and a protocol
-                        * type of ETHERTYPE_AARP (Appletalk ARP).
-                        */
-                       if (proto == ETHERTYPE_ATALK)
-                               b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
-                       else    /* proto == ETHERTYPE_AARP */
-                               b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
+                       b1 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)proto);
                        gen_and(b0, b1);
                        gen_and(b0, b1);
-
+                       return b1;
+               } else {
                        /*
                        /*
-                        * Check for Ethernet encapsulation (Ethertalk
-                        * phase 1?); we just check for the Ethernet
-                        * protocol type.
+                        * This is an Ethernet type, so compare
+                        * the length/type field with it (if
+                        * the frame is an 802.2 frame, the length
+                        * field will be <= ETHERMTU, and, as
+                        * "proto" is > ETHERMTU, this test
+                        * will fail and the frame won't match,
+                        * which is what we want).
                         */
                         */
-                       b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
+                       return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
+               }
+       }
+}
 
 
-                       gen_or(b0, b1);
-                       return b1;
+static struct block *
+gen_linux_sll_linktype(proto)
+       register int proto;
+{
+       struct block *b0, *b1;
 
 
-               default:
-                       if (proto <= ETHERMTU) {
-                               /*
-                                * This is an LLC SAP value, so the frames
-                                * that match would be 802.2 frames.
-                                * Check that the frame is an 802.2 frame
-                                * (i.e., that the length/type field is
-                                * a length field, <= ETHERMTU) and
-                                * then check the DSAP.
-                                */
-                               b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
-                               gen_not(b0);
-                               b1 = gen_cmp(off_linktype + 2, BPF_B,
-                                    (bpf_int32)proto);
-                               gen_and(b0, b1);
-                               return b1;
-                       } else {
-                               /*
-                                * This is an Ethernet type, so compare
-                                * the length/type field with it (if
-                                * the frame is an 802.2 frame, the length
-                                * field will be <= ETHERMTU, and, as
-                                * "proto" is > ETHERMTU, this test
-                                * will fail and the frame won't match,
-                                * which is what we want).
-                                */
-                               return gen_cmp(off_linktype, BPF_H,
-                                   (bpf_int32)proto);
-                       }
-               }
-               break;
+       switch (proto) {
 
 
-       case DLT_IEEE802_11:
-       case DLT_PRISM_HEADER:
-       case DLT_FDDI:
-       case DLT_IEEE802:
-       case DLT_ATM_RFC1483:
-       case DLT_ATM_CLIP:
-               return gen_llc(proto);
-               break;
+       case LLCSAP_IP:
+               b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
+               b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
+                            ((LLCSAP_IP << 8) | LLCSAP_IP));
+               gen_and(b0, b1);
+               return b1;
 
 
-       case DLT_SUNATM:
+       case LLCSAP_ISONS:
                /*
                /*
-                * Check for LLC encapsulation and then check the protocol.
-                * XXX - also check for LANE and then check for an Ethernet
-                * type?
+                * OSI protocols always use 802.2 encapsulation.
+                * XXX - should we check both the DSAP and the
+                * SSAP, like this, or should we check just the
+                * DSAP?
                 */
                 */
-               b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
-               b1 = gen_llc(proto);
+               b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
+               b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
+                            ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
                gen_and(b0, b1);
                return b1;
 
                gen_and(b0, b1);
                return b1;
 
-       case DLT_LINUX_SLL:
-               switch (proto) {
+       case LLCSAP_NETBEUI:
+               /*
+                * NetBEUI always uses 802.2 encapsulation.
+                * XXX - should we check both the DSAP and the
+                * LSAP, like this, or should we check just the
+                * DSAP?
+                */
+               b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
+               b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
+                            ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
+               gen_and(b0, b1);
+               return b1;
 
 
-               case LLCSAP_ISONS:
-                       /*
-                        * OSI protocols always use 802.2 encapsulation.
-                        * XXX - should we check both the DSAP and the
-                        * LSAP, like this, or should we check just the
-                        * DSAP?
-                        */
-                       b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
-                       b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
-                                    ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
-                       gen_and(b0, b1);
-                       return b1;
+       case LLCSAP_IPX:
+               /*
+                *      Ethernet_II frames, which are Ethernet
+                *      frames with a frame type of ETHERTYPE_IPX;
+                *
+                *      Ethernet_802.3 frames, which have a frame
+                *      type of LINUX_SLL_P_802_3;
+                *
+                *      Ethernet_802.2 frames, which are 802.3
+                *      frames with an 802.2 LLC header (i.e, have
+                *      a frame type of LINUX_SLL_P_802_2) and
+                *      with the IPX LSAP as the DSAP in the LLC
+                *      header;
+                *
+                *      Ethernet_SNAP frames, which are 802.3
+                *      frames with an LLC header and a SNAP
+                *      header and with an OUI of 0x000000
+                *      (encapsulated Ethernet) and a protocol
+                *      ID of ETHERTYPE_IPX in the SNAP header.
+                *
+                * First, do the checks on LINUX_SLL_P_802_2
+                * frames; generate the check for either
+                * Ethernet_802.2 or Ethernet_SNAP frames, and
+                * then put a check for LINUX_SLL_P_802_2 frames
+                * before it.
+                */
+               b0 = gen_cmp(off_linktype + 2, BPF_B,
+                   (bpf_int32)LLCSAP_IPX);
+               b1 = gen_snap(0x000000, ETHERTYPE_IPX,
+                   off_linktype + 2);
+               gen_or(b0, b1);
+               b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
+               gen_and(b0, b1);
 
 
-               case LLCSAP_NETBEUI:
-                       /*
-                        * NetBEUI always uses 802.2 encapsulation.
-                        * XXX - should we check both the DSAP and the
-                        * LSAP, like this, or should we check just the
-                        * DSAP?
-                        */
-                       b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
-                       b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
-                                    ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
-                       gen_and(b0, b1);
-                       return b1;
+               /*
+                * Now check for 802.3 frames and OR that with
+                * the previous test.
+                */
+               b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
+               gen_or(b0, b1);
 
 
-               case LLCSAP_IPX:
-                       /*
-                        *      Ethernet_II frames, which are Ethernet
-                        *      frames with a frame type of ETHERTYPE_IPX;
-                        *
-                        *      Ethernet_802.3 frames, which have a frame
-                        *      type of LINUX_SLL_P_802_3;
-                        *
-                        *      Ethernet_802.2 frames, which are 802.3
-                        *      frames with an 802.2 LLC header (i.e, have
-                        *      a frame type of LINUX_SLL_P_802_2) and
-                        *      with the IPX LSAP as the DSAP in the LLC
-                        *      header;
-                        *
-                        *      Ethernet_SNAP frames, which are 802.3
-                        *      frames with an LLC header and a SNAP
-                        *      header and with an OUI of 0x000000
-                        *      (encapsulated Ethernet) and a protocol
-                        *      ID of ETHERTYPE_IPX in the SNAP header.
-                        *
-                        * First, do the checks on LINUX_SLL_P_802_2
-                        * frames; generate the check for either
-                        * Ethernet_802.2 or Ethernet_SNAP frames, and
-                        * then put a check for LINUX_SLL_P_802_2 frames
-                        * before it.
-                        */
-                       b0 = gen_cmp(off_linktype + 2, BPF_B,
-                           (bpf_int32)LLCSAP_IPX);
-                       b1 = gen_snap(0x000000, ETHERTYPE_IPX,
+               /*
+                * Now add the check for Ethernet_II frames, and
+                * do that before checking for the other frame
+                * types.
+                */
+               b0 = gen_cmp(off_linktype, BPF_H,
+                   (bpf_int32)ETHERTYPE_IPX);
+               gen_or(b0, b1);
+               return b1;
+
+       case ETHERTYPE_ATALK:
+       case ETHERTYPE_AARP:
+               /*
+                * EtherTalk (AppleTalk protocols on Ethernet link
+                * layer) may use 802.2 encapsulation.
+                */
+
+               /*
+                * Check for 802.2 encapsulation (EtherTalk phase 2?);
+                * we check for the 802.2 protocol type in the
+                * "Ethernet type" field.
+                */
+               b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
+
+               /*
+                * 802.2-encapsulated ETHERTYPE_ATALK packets are
+                * SNAP packets with an organization code of
+                * 0x080007 (Apple, for Appletalk) and a protocol
+                * type of ETHERTYPE_ATALK (Appletalk).
+                *
+                * 802.2-encapsulated ETHERTYPE_AARP packets are
+                * SNAP packets with an organization code of
+                * 0x000000 (encapsulated Ethernet) and a protocol
+                * type of ETHERTYPE_AARP (Appletalk ARP).
+                */
+               if (proto == ETHERTYPE_ATALK)
+                       b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
                            off_linktype + 2);
                            off_linktype + 2);
-                       gen_or(b0, b1);
-                       b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
-                       gen_and(b0, b1);
+               else    /* proto == ETHERTYPE_AARP */
+                       b1 = gen_snap(0x000000, ETHERTYPE_AARP,
+                           off_linktype + 2);
+               gen_and(b0, b1);
 
 
-                       /*
-                        * Now check for 802.3 frames and OR that with
-                        * the previous test.
-                        */
-                       b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
-                       gen_or(b0, b1);
+               /*
+                * Check for Ethernet encapsulation (Ethertalk
+                * phase 1?); we just check for the Ethernet
+                * protocol type.
+                */
+               b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
+
+               gen_or(b0, b1);
+               return b1;
 
 
+       default:
+               if (proto <= ETHERMTU) {
                        /*
                        /*
-                        * Now add the check for Ethernet_II frames, and
-                        * do that before checking for the other frame
-                        * types.
+                        * This is an LLC SAP value, so the frames
+                        * that match would be 802.2 frames.
+                        * Check for the 802.2 protocol type
+                        * in the "Ethernet type" field, and
+                        * then check the DSAP.
                         */
                        b0 = gen_cmp(off_linktype, BPF_H,
                         */
                        b0 = gen_cmp(off_linktype, BPF_H,
-                           (bpf_int32)ETHERTYPE_IPX);
-                       gen_or(b0, b1);
+                           LINUX_SLL_P_802_2);
+                       b1 = gen_cmp(off_linktype + 2, BPF_B,
+                            (bpf_int32)proto);
+                       gen_and(b0, b1);
                        return b1;
                        return b1;
-
-               case ETHERTYPE_ATALK:
-               case ETHERTYPE_AARP:
+               } else {
                        /*
                        /*
-                        * EtherTalk (AppleTalk protocols on Ethernet link
-                        * layer) may use 802.2 encapsulation.
+                        * This is an Ethernet type, so compare
+                        * the length/type field with it (if
+                        * the frame is an 802.2 frame, the length
+                        * field will be <= ETHERMTU, and, as
+                        * "proto" is > ETHERMTU, this test
+                        * will fail and the frame won't match,
+                        * which is what we want).
                         */
                         */
+                       return gen_cmp(off_linktype, BPF_H,
+                           (bpf_int32)proto);
+               }
+       }
+}
+
+static struct block *
+gen_linktype(proto)
+       register int proto;
+{
+       struct block *b0, *b1, *b2;
+
+       switch (linktype) {
+
+       case DLT_EN10MB:
+               return gen_ether_linktype(proto);
+               /*NOTREACHED*/
+               break;
+
+       case DLT_C_HDLC:
+               switch (proto) {
+
+               case LLCSAP_ISONS:
+                       proto = (proto << 8 | LLCSAP_ISONS);
+                       /* fall through */
+
+               default:
+                       return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
+                       /*NOTREACHED*/
+                       break;
+               }
+               break;
+
+       case DLT_IEEE802_11:
+       case DLT_PRISM_HEADER:
+       case DLT_IEEE802_11_RADIO:
+       case DLT_FDDI:
+       case DLT_IEEE802:
+       case DLT_ATM_RFC1483:
+       case DLT_ATM_CLIP:
+       case DLT_IP_OVER_FC:
+               return gen_llc(proto);
+               /*NOTREACHED*/
+               break;
 
 
+       case DLT_SUNATM:
+               /*
+                * If "is_lane" is set, check for a LANE-encapsulated
+                * version of this protocol, otherwise check for an
+                * LLC-encapsulated version of this protocol.
+                *
+                * We assume LANE means Ethernet, not Token Ring.
+                */
+               if (is_lane) {
                        /*
                        /*
-                        * Check for 802.2 encapsulation (EtherTalk phase 2?);
-                        * we check for the 802.2 protocol type in the
-                        * "Ethernet type" field.
+                        * Check that the packet doesn't begin with an
+                        * LE Control marker.  (We've already generated
+                        * a test for LANE.)
                         */
                         */
-                       b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
+                       b0 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
+                       gen_not(b0);
 
                        /*
 
                        /*
-                        * 802.2-encapsulated ETHERTYPE_ATALK packets are
-                        * SNAP packets with an organization code of
-                        * 0x080007 (Apple, for Appletalk) and a protocol
-                        * type of ETHERTYPE_ATALK (Appletalk).
-                        *
-                        * 802.2-encapsulated ETHERTYPE_AARP packets are
-                        * SNAP packets with an organization code of
-                        * 0x000000 (encapsulated Ethernet) and a protocol
-                        * type of ETHERTYPE_AARP (Appletalk ARP).
+                        * Now generate an Ethernet test.
                         */
                         */
-                       if (proto == ETHERTYPE_ATALK)
-                               b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
-                                   off_linktype + 2);
-                       else    /* proto == ETHERTYPE_AARP */
-                               b1 = gen_snap(0x000000, ETHERTYPE_AARP,
-                                   off_linktype + 2);
+                       b1 = gen_ether_linktype(proto);
                        gen_and(b0, b1);
                        gen_and(b0, b1);
-
+                       return b1;
+               } else {
                        /*
                        /*
-                        * Check for Ethernet encapsulation (Ethertalk
-                        * phase 1?); we just check for the Ethernet
-                        * protocol type.
+                        * Check for LLC encapsulation and then check the
+                        * protocol.
                         */
                         */
-                       b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
-
-                       gen_or(b0, b1);
+                       b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
+                       b1 = gen_llc(proto);
+                       gen_and(b0, b1);
                        return b1;
                        return b1;
-
-               default:
-                       if (proto <= ETHERMTU) {
-                               /*
-                                * This is an LLC SAP value, so the frames
-                                * that match would be 802.2 frames.
-                                * Check for the 802.2 protocol type
-                                * in the "Ethernet type" field, and
-                                * then check the DSAP.
-                                */
-                               b0 = gen_cmp(off_linktype, BPF_H,
-                                   LINUX_SLL_P_802_2);
-                               b1 = gen_cmp(off_linktype + 2, BPF_B,
-                                    (bpf_int32)proto);
-                               gen_and(b0, b1);
-                               return b1;
-                       } else {
-                               /*
-                                * This is an Ethernet type, so compare
-                                * the length/type field with it (if
-                                * the frame is an 802.2 frame, the length
-                                * field will be <= ETHERMTU, and, as
-                                * "proto" is > ETHERMTU, this test
-                                * will fail and the frame won't match,
-                                * which is what we want).
-                                */
-                               return gen_cmp(off_linktype, BPF_H,
-                                   (bpf_int32)proto);
-                       }
                }
                }
+
+       case DLT_LINUX_SLL:
+               return gen_linux_sll_linktype(proto);
+               /*NOTREACHED*/
                break;
 
        case DLT_SLIP:
                break;
 
        case DLT_SLIP:
@@ -1298,9 +1537,11 @@ gen_linktype(proto)
                default:
                        return gen_false();             /* always false */
                }
                default:
                        return gen_false();             /* always false */
                }
+               /*NOTREACHED*/
                break;
 
        case DLT_PPP:
                break;
 
        case DLT_PPP:
+       case DLT_PPP_WITHDIRECTION:
        case DLT_PPP_SERIAL:
        case DLT_PPP_ETHER:
                /*
        case DLT_PPP_SERIAL:
        case DLT_PPP_ETHER:
                /*
@@ -1310,7 +1551,7 @@ gen_linktype(proto)
                switch (proto) {
 
                case ETHERTYPE_IP:
                switch (proto) {
 
                case ETHERTYPE_IP:
-                       proto = PPP_IP;                 /* XXX was 0x21 */
+                       proto = PPP_IP;
                        break;
 
 #ifdef INET6
                        break;
 
 #ifdef INET6
@@ -1405,9 +1646,13 @@ gen_linktype(proto)
 
        case DLT_NULL:
        case DLT_LOOP:
 
        case DLT_NULL:
        case DLT_LOOP:
+       case DLT_ENC:
                /*
                 * For DLT_NULL, the link-layer header is a 32-bit
                /*
                 * For DLT_NULL, the link-layer header is a 32-bit
-                * word containing an AF_ value in *host* byte order.
+                * word containing an AF_ value in *host* byte order,
+                * and for DLT_ENC, the link-layer header begins
+                * with a 32-bit work containing an AF_ value in
+                * host byte order.
                 *
                 * In addition, if we're reading a saved capture file,
                 * the host byte order in the capture may not be the
                 *
                 * In addition, if we're reading a saved capture file,
                 * the host byte order in the capture may not be the
@@ -1445,7 +1690,7 @@ gen_linktype(proto)
                        return gen_false();
                }
 
                        return gen_false();
                }
 
-               if (linktype == DLT_NULL) {
+               if (linktype == DLT_NULL || linktype == DLT_ENC) {
                        /*
                         * The AF_ value is in host byte order, but
                         * the BPF interpreter will convert it to
                        /*
                         * The AF_ value is in host byte order, but
                         * the BPF interpreter will convert it to
@@ -1465,38 +1710,66 @@ gen_linktype(proto)
                }
                return (gen_cmp(0, BPF_W, (bpf_int32)proto));
 
                }
                return (gen_cmp(0, BPF_W, (bpf_int32)proto));
 
+       case DLT_PFLOG:
+               /*
+                * af field is host byte order in contrast to the rest of
+                * the packet.
+                */
+               if (proto == ETHERTYPE_IP)
+                       return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
+                           (bpf_int32)AF_INET));
+#ifdef INET6
+               else if (proto == ETHERTYPE_IPV6)
+                       return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
+                           (bpf_int32)AF_INET6));
+#endif /* INET6 */
+               else
+                       return gen_false();
+               /*NOTREACHED*/
+               break;
+
        case DLT_ARCNET:
        case DLT_ARCNET:
+       case DLT_ARCNET_LINUX:
                /*
                 * XXX should we check for first fragment if the protocol
                 * uses PHDS?
                 */
                /*
                 * XXX should we check for first fragment if the protocol
                 * uses PHDS?
                 */
-               switch(proto) {
+               switch (proto) {
+
                default:
                        return gen_false();
                default:
                        return gen_false();
+
 #ifdef INET6
                case ETHERTYPE_IPV6:
 #ifdef INET6
                case ETHERTYPE_IPV6:
-                       return(gen_cmp(2, BPF_B,
-                                       (bpf_int32)htonl(ARCTYPE_INET6)));
+                       return (gen_cmp(off_linktype, BPF_B,
+                               (bpf_int32)ARCTYPE_INET6));
 #endif /* INET6 */
 #endif /* INET6 */
+
                case ETHERTYPE_IP:
                case ETHERTYPE_IP:
-                       b0 = gen_cmp(2, BPF_B, (bpf_int32)htonl(ARCTYPE_IP));
-                       b1 = gen_cmp(2, BPF_B,
-                                       (bpf_int32)htonl(ARCTYPE_IP_OLD));
+                       b0 = gen_cmp(off_linktype, BPF_B,
+                                    (bpf_int32)ARCTYPE_IP);
+                       b1 = gen_cmp(off_linktype, BPF_B,
+                                    (bpf_int32)ARCTYPE_IP_OLD);
                        gen_or(b0, b1);
                        gen_or(b0, b1);
-                       return(b1);
+                       return (b1);
+
                case ETHERTYPE_ARP:
                case ETHERTYPE_ARP:
-                       b0 = gen_cmp(2, BPF_B, (bpf_int32)htonl(ARCTYPE_ARP));
-                       b1 = gen_cmp(2, BPF_B,
-                                       (bpf_int32)htonl(ARCTYPE_ARP_OLD));
+                       b0 = gen_cmp(off_linktype, BPF_B,
+                                    (bpf_int32)ARCTYPE_ARP);
+                       b1 = gen_cmp(off_linktype, BPF_B,
+                                    (bpf_int32)ARCTYPE_ARP_OLD);
                        gen_or(b0, b1);
                        gen_or(b0, b1);
-                       return(b1);
+                       return (b1);
+
                case ETHERTYPE_REVARP:
                case ETHERTYPE_REVARP:
-                       return(gen_cmp(2, BPF_B,
-                                       (bpf_int32)htonl(ARCTYPE_REVARP)));
+                       return (gen_cmp(off_linktype, BPF_B,
+                                       (bpf_int32)ARCTYPE_REVARP));
+
                case ETHERTYPE_ATALK:
                case ETHERTYPE_ATALK:
-                       return(gen_cmp(2, BPF_B,
-                                       (bpf_int32)htonl(ARCTYPE_ATALK)));
+                       return (gen_cmp(off_linktype, BPF_B,
+                                       (bpf_int32)ARCTYPE_ATALK));
                }
                }
+               /*NOTREACHED*/
                break;
 
        case DLT_LTALK:
                break;
 
        case DLT_LTALK:
@@ -1506,6 +1779,7 @@ gen_linktype(proto)
                default:
                        return gen_false();
                }
                default:
                        return gen_false();
                }
+               /*NOTREACHED*/
                break;
 
        case DLT_FRELAY:
                break;
 
        case DLT_FRELAY:
@@ -1551,7 +1825,26 @@ gen_linktype(proto)
                default:
                        return gen_false();
                }
                default:
                        return gen_false();
                }
+               /*NOTREACHED*/
                break;
                break;
+
+        case DLT_JUNIPER_MLPPP:
+       case DLT_JUNIPER_ATM1:
+       case DLT_JUNIPER_ATM2:
+               /* just lets verify the magic number for now -
+                * we may have up to 6 different encapsulations on the wire
+                * and need a lot of heuristics to figure out that the payload
+                * might be;
+                *
+                * FIXME encapsulation specific BPF_ filters
+                */
+               return gen_mcmp(0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
+
+       case DLT_LINUX_IRDA:
+               bpf_error("IrDA link-layer type filtering not implemented");
+
+       case DLT_DOCSIS:
+               bpf_error("DOCSIS link-layer type filtering not implemented");
        }
 
        /*
        }
 
        /*
@@ -1564,7 +1857,7 @@ gen_linktype(proto)
         *
         * Therefore, if "off_linktype" is -1, there's an error.
         */
         *
         * Therefore, if "off_linktype" is -1, there's an error.
         */
-       if (off_linktype == -1)
+       if (off_linktype == (u_int)-1)
                abort();
 
        /*
                abort();
 
        /*
@@ -1596,7 +1889,7 @@ gen_snap(orgcode, ptype, offset)
 
        snapblock[0] = LLCSAP_SNAP;     /* DSAP = SNAP */
        snapblock[1] = LLCSAP_SNAP;     /* SSAP = SNAP */
 
        snapblock[0] = LLCSAP_SNAP;     /* DSAP = SNAP */
        snapblock[1] = LLCSAP_SNAP;     /* SSAP = SNAP */
-       snapblock[2] = 0x03;    /* control = UI */
+       snapblock[2] = 0x03;            /* control = UI */
        snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
        snapblock[4] = (orgcode >> 8);  /* middle 8 bits of organization code */
        snapblock[5] = (orgcode >> 0);  /* lower 8 bits of organization code */
        snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
        snapblock[4] = (orgcode >> 8);  /* middle 8 bits of organization code */
        snapblock[5] = (orgcode >> 0);  /* lower 8 bits of organization code */
@@ -1617,6 +1910,10 @@ gen_llc(proto)
         */
        switch (proto) {
 
         */
        switch (proto) {
 
+       case LLCSAP_IP:
+               return gen_cmp(off_linktype, BPF_H, (long)
+                            ((LLCSAP_IP << 8) | LLCSAP_IP));
+
        case LLCSAP_ISONS:
                return gen_cmp(off_linktype, BPF_H, (long)
                             ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
        case LLCSAP_ISONS:
                return gen_cmp(off_linktype, BPF_H, (long)
                             ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
@@ -1786,10 +2083,10 @@ gen_ehostop(eaddr, dir)
 
        switch (dir) {
        case Q_SRC:
 
        switch (dir) {
        case Q_SRC:
-               return gen_bcmp(6, 6, eaddr);
+               return gen_bcmp(off_mac + 6, 6, eaddr);
 
        case Q_DST:
 
        case Q_DST:
-               return gen_bcmp(0, 6, eaddr);
+               return gen_bcmp(off_mac + 0, 6, eaddr);
 
        case Q_AND:
                b0 = gen_ehostop(eaddr, Q_SRC);
 
        case Q_AND:
                b0 = gen_ehostop(eaddr, Q_SRC);
@@ -1892,7 +2189,7 @@ gen_wlanhostop(eaddr, dir)
        register const u_char *eaddr;
        register int dir;
 {
        register const u_char *eaddr;
        register int dir;
 {
-       register struct block *b0, *b1, *b2, *b3;
+       register struct block *b0, *b1, *b2;
        register struct slist *s;
 
        switch (dir) {
        register struct slist *s;
 
        switch (dir) {
@@ -1917,74 +2214,84 @@ gen_wlanhostop(eaddr, dir)
                 */
 
                /*
                 */
 
                /*
-                * If the low-order bit of the type value is 1,
-                * this is either a control frame or a frame
-                * with a reserved type, and thus not a
-                * frame with an SA.
+                * Generate the tests to be done for data frames
+                * with From DS set.
                 *
                 *
-                * I.e., first check "!(link[0] & 0x04)".
+                * First, check for To DS set, i.e. check "link[1] & 0x01".
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 0;
-               b0 = new_block(JMP(BPF_JSET));
-               b0->s.k = 0x04;
-               b0->stmts = s;
-               gen_not(b0);
+               s->s.k = 1;
+               b1 = new_block(JMP(BPF_JSET));
+               b1->s.k = 0x01; /* To DS */
+               b1->stmts = s;
 
                /*
 
                /*
-                * If the high-order bit of the type value is 0, this
-                * is a management frame.
-                * I.e, check "!(link[0] & 0x08)".
+                * If To DS is set, the SA is at 24.
+                */
+               b0 = gen_bcmp(24, 6, eaddr);
+               gen_and(b1, b0);
+
+               /*
+                * Now, check for To DS not set, i.e. check
+                * "!(link[1] & 0x01)".
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 0;
+               s->s.k = 1;
                b2 = new_block(JMP(BPF_JSET));
                b2 = new_block(JMP(BPF_JSET));
-               b2->s.k = 0x08;
+               b2->s.k = 0x01; /* To DS */
                b2->stmts = s;
                gen_not(b2);
 
                /*
                b2->stmts = s;
                gen_not(b2);
 
                /*
-                * For management frames, test the SA at 10.
+                * If To DS is not set, the SA is at 16.
                 */
                 */
-               b1 = gen_bcmp(10, 6, eaddr);
+               b1 = gen_bcmp(16, 6, eaddr);
                gen_and(b2, b1);
                gen_and(b2, b1);
-               b3 = b1;
 
                /*
 
                /*
-                * If the high-order bit of the type value is 0, this
-                * is a data frame; check From DS.
-                *
-                * I.e., check "(link[0] & 0x08) && !(link[1] & 0x02)".
+                * Now OR together the last two checks.  That gives
+                * the complete set of checks for data frames with
+                * From DS set.
+                */
+               gen_or(b1, b0);
+
+               /*
+                * Now check for From DS being set, and AND that with
+                * the ORed-together checks.
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 0;
+               s->s.k = 1;
                b1 = new_block(JMP(BPF_JSET));
                b1 = new_block(JMP(BPF_JSET));
-               b1->s.k = 0x08;
+               b1->s.k = 0x02; /* From DS */
                b1->stmts = s;
                b1->stmts = s;
+               gen_and(b1, b0);
 
 
+               /*
+                * Now check for data frames with From DS not set.
+                */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 1;
                b2 = new_block(JMP(BPF_JSET));
                b2->s.k = 0x02; /* From DS */
                b2->stmts = s;
                gen_not(b2);
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 1;
                b2 = new_block(JMP(BPF_JSET));
                b2->s.k = 0x02; /* From DS */
                b2->stmts = s;
                gen_not(b2);
-               gen_and(b1, b2);
 
                /*
 
                /*
-                * For data frames with From DS not set, test the SA at 10;
-                * then combine that test with the management frame test.
+                * If From DS isn't set, the SA is at 10.
                 */
                b1 = gen_bcmp(10, 6, eaddr);
                gen_and(b2, b1);
                 */
                b1 = gen_bcmp(10, 6, eaddr);
                gen_and(b2, b1);
-               gen_or(b3, b1);
-               b3 = b1;
 
                /*
 
                /*
-                * Now, check for a data frame with From DS set and
-                * To DS not set.
-                *
-                * I.e., check "(link[0] & 0x08) && (link[1] & 0x02)
-                * && !(link[1] & 0x01)".
+                * Now OR together the checks for data frames with
+                * From DS not set and for data frames with From DS
+                * set; that gives the checks done for data frames.
+                */
+               gen_or(b1, b0);
+
+               /*
+                * Now check for a data frame.
+                * I.e, check "link[0] & 0x08".
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 0;
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 0;
@@ -1992,65 +2299,57 @@ gen_wlanhostop(eaddr, dir)
                b1->s.k = 0x08;
                b1->stmts = s;
 
                b1->s.k = 0x08;
                b1->stmts = s;
 
-               s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 1;
-               b2 = new_block(JMP(BPF_JSET));
-               b2->s.k = 0x02; /* From DS */
-               b2->stmts = s;
-               gen_and(b1, b2);
-               b1 = b2;
+               /*
+                * AND that with the checks done for data frames.
+                */
+               gen_and(b1, b0);
 
 
+               /*
+                * If the high-order bit of the type value is 0, this
+                * is a management frame.
+                * I.e, check "!(link[0] & 0x08)".
+                */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 1;
+               s->s.k = 0;
                b2 = new_block(JMP(BPF_JSET));
                b2 = new_block(JMP(BPF_JSET));
-               b2->s.k = 0x01; /* To DS */
+               b2->s.k = 0x08;
                b2->stmts = s;
                gen_not(b2);
                b2->stmts = s;
                gen_not(b2);
-               gen_and(b1, b2);        /* Data && From DS and not To DS */
 
                /*
 
                /*
-                * Test the SA at 16, and OR the previous SA tests
-                * with it.
+                * For management frames, the SA is at 10.
                 */
                 */
-               b1 = gen_bcmp(16, 6, eaddr);
+               b1 = gen_bcmp(10, 6, eaddr);
                gen_and(b2, b1);
                gen_and(b2, b1);
-               gen_or(b3, b1);
-               b3 = b1;
 
                /*
 
                /*
-                * And now for a data frame with From DS set and To DS set.
+                * OR that with the checks done for data frames.
+                * That gives the checks done for management and
+                * data frames.
+                */
+               gen_or(b1, b0);
+
+               /*
+                * If the low-order bit of the type value is 1,
+                * this is either a control frame or a frame
+                * with a reserved type, and thus not a
+                * frame with an SA.
+                *
+                * I.e., check "!(link[0] & 0x04)".
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 0;
                b1 = new_block(JMP(BPF_JSET));
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 0;
                b1 = new_block(JMP(BPF_JSET));
-               b1->s.k = 0x08;
+               b1->s.k = 0x04;
                b1->stmts = s;
                b1->stmts = s;
-
-               s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 1;
-               b2 = new_block(JMP(BPF_JSET));
-               b2->s.k = 0x02; /* From DS */
-               b2->stmts = s;
-               gen_and(b1, b2);
-               b1 = b2;
-
-               s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 1;
-               b2 = new_block(JMP(BPF_JSET));
-               b2->s.k = 0x01; /* To DS */
-               b2->stmts = s;
-               gen_and(b1, b2);        /* Data && From DS and To DS */
+               gen_not(b1);
 
                /*
 
                /*
-                * Test the SA at 24, and OR the previous SA tests
-                * with it.
+                * AND that with the checks for data and management
+                * frames.
                 */
                 */
-               b1 = gen_bcmp(24, 6, eaddr);
-               gen_and(b2, b1);
-               gen_or(b3, b1);
-
-               gen_and(b0, b1);
-               return b1;
+               gen_and(b1, b0);
+               return b0;
 
        case Q_DST:
                /*
 
        case Q_DST:
                /*
@@ -2070,44 +2369,48 @@ gen_wlanhostop(eaddr, dir)
                 */
 
                /*
                 */
 
                /*
-                * If the low-order bit of the type value is 1,
-                * this is either a control frame or a frame
-                * with a reserved type, and thus not a
-                * frame with a DA.
+                * Generate the tests to be done for data frames.
                 *
                 *
-                * I.e., first check "!(link[0] & 0x04)".
+                * First, check for To DS set, i.e. "link[1] & 0x01".
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 0;
-               b0 = new_block(JMP(BPF_JSET));
-               b0->s.k = 0x04;
-               b0->stmts = s;
-               gen_not(b0);
+               s->s.k = 1;
+               b1 = new_block(JMP(BPF_JSET));
+               b1->s.k = 0x01; /* To DS */
+               b1->stmts = s;
 
                /*
 
                /*
-                * If the high-order bit of the type value is 0, this
-                * is a management frame.
-                * I.e, check "!(link[0] & 0x08)".
+                * If To DS is set, the DA is at 16.
+                */
+               b0 = gen_bcmp(16, 6, eaddr);
+               gen_and(b1, b0);
+
+               /*
+                * Now, check for To DS not set, i.e. check
+                * "!(link[1] & 0x01)".
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 0;
+               s->s.k = 1;
                b2 = new_block(JMP(BPF_JSET));
                b2 = new_block(JMP(BPF_JSET));
-               b2->s.k = 0x08;
+               b2->s.k = 0x01; /* To DS */
                b2->stmts = s;
                gen_not(b2);
 
                /*
                b2->stmts = s;
                gen_not(b2);
 
                /*
-                * For management frames, test the DA at 4.
+                * If To DS is not set, the DA is at 4.
                 */
                b1 = gen_bcmp(4, 6, eaddr);
                gen_and(b2, b1);
                 */
                b1 = gen_bcmp(4, 6, eaddr);
                gen_and(b2, b1);
-               b3 = b1;
 
                /*
 
                /*
-                * If the high-order bit of the type value is 0, this
-                * is a data frame; check To DS.
-                *
-                * I.e., check "(link[0] & 0x08) && !(link[1] & 0x01)".
+                * Now OR together the last two checks.  That gives
+                * the complete set of checks for data frames.
+                */
+               gen_or(b1, b0);
+
+               /*
+                * Now check for a data frame.
+                * I.e, check "link[0] & 0x08".
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 0;
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 0;
@@ -2115,51 +2418,57 @@ gen_wlanhostop(eaddr, dir)
                b1->s.k = 0x08;
                b1->stmts = s;
 
                b1->s.k = 0x08;
                b1->stmts = s;
 
+               /*
+                * AND that with the checks done for data frames.
+                */
+               gen_and(b1, b0);
+
+               /*
+                * If the high-order bit of the type value is 0, this
+                * is a management frame.
+                * I.e, check "!(link[0] & 0x08)".
+                */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 1;
+               s->s.k = 0;
                b2 = new_block(JMP(BPF_JSET));
                b2 = new_block(JMP(BPF_JSET));
-               b2->s.k = 0x01; /* To DS */
+               b2->s.k = 0x08;
                b2->stmts = s;
                gen_not(b2);
                b2->stmts = s;
                gen_not(b2);
-               gen_and(b1, b2);
 
                /*
 
                /*
-                * For data frames with To DS not set, test the DA at 4;
-                * then combine that test with the management frame test.
+                * For management frames, the DA is at 4.
                 */
                b1 = gen_bcmp(4, 6, eaddr);
                gen_and(b2, b1);
                 */
                b1 = gen_bcmp(4, 6, eaddr);
                gen_and(b2, b1);
-               gen_or(b3, b1);
-               b3 = b1;
 
                /*
 
                /*
-                * Now, check for a data frame with To DS set.
+                * OR that with the checks done for data frames.
+                * That gives the checks done for management and
+                * data frames.
+                */
+               gen_or(b1, b0);
+
+               /*
+                * If the low-order bit of the type value is 1,
+                * this is either a control frame or a frame
+                * with a reserved type, and thus not a
+                * frame with an SA.
                 *
                 *
-                * I.e., check "(link[0] & 0x08) && (link[1] & 0x01)".
+                * I.e., check "!(link[0] & 0x04)".
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 0;
                b1 = new_block(JMP(BPF_JSET));
                 */
                s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                s->s.k = 0;
                b1 = new_block(JMP(BPF_JSET));
-               b1->s.k = 0x08;
+               b1->s.k = 0x04;
                b1->stmts = s;
                b1->stmts = s;
-
-               s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-               s->s.k = 1;
-               b2 = new_block(JMP(BPF_JSET));
-               b2->s.k = 0x01; /* To DS */
-               b2->stmts = s;
-               gen_and(b1, b2);
+               gen_not(b1);
 
                /*
 
                /*
-                * Test the DA at 16, and OR the previous DA tests
-                * with it.
+                * AND that with the checks for data and management
+                * frames.
                 */
                 */
-               b1 = gen_bcmp(16, 6, eaddr);
-               gen_and(b2, b1);
-               gen_or(b3, b1);
-
-               gen_and(b0, b1);
-               return b1;
+               gen_and(b1, b0);
+               return b0;
 
        case Q_AND:
                b0 = gen_wlanhostop(eaddr, Q_SRC);
 
        case Q_AND:
                b0 = gen_wlanhostop(eaddr, Q_SRC);
@@ -2178,6 +2487,42 @@ gen_wlanhostop(eaddr, dir)
        /* NOTREACHED */
 }
 
        /* NOTREACHED */
 }
 
+/*
+ * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
+ * (We assume that the addresses are IEEE 48-bit MAC addresses,
+ * as the RFC states.)
+ */
+static struct block *
+gen_ipfchostop(eaddr, dir)
+       register const u_char *eaddr;
+       register int dir;
+{
+       register struct block *b0, *b1;
+
+       switch (dir) {
+       case Q_SRC:
+               return gen_bcmp(10, 6, eaddr);
+
+       case Q_DST:
+               return gen_bcmp(2, 6, eaddr);
+
+       case Q_AND:
+               b0 = gen_ipfchostop(eaddr, Q_SRC);
+               b1 = gen_ipfchostop(eaddr, Q_DST);
+               gen_and(b0, b1);
+               return b1;
+
+       case Q_DEFAULT:
+       case Q_OR:
+               b0 = gen_ipfchostop(eaddr, Q_SRC);
+               b1 = gen_ipfchostop(eaddr, Q_DST);
+               gen_or(b0, b1);
+               return b1;
+       }
+       abort();
+       /* NOTREACHED */
+}
+
 /*
  * This is quite tricky because there may be pad bytes in front of the
  * DECNET header, and then there are two possible data packet formats that
 /*
  * This is quite tricky because there may be pad bytes in front of the
  * DECNET header, and then there are two possible data packet formats that
@@ -2234,7 +2579,7 @@ gen_dnhostop(addr, dir, base_off)
                return b1;
 
        case Q_ISO:
                return b1;
 
        case Q_ISO:
-               bpf_error("ISO host filtering not implemented");
+               bpf_error("ISO host filtering not implemented");
 
        default:
                abort();
 
        default:
                abort();
@@ -2282,7 +2627,7 @@ gen_host(addr, mask, proto, dir)
 
        case Q_DEFAULT:
                b0 = gen_host(addr, mask, Q_IP, dir);
 
        case Q_DEFAULT:
                b0 = gen_host(addr, mask, Q_IP, dir);
-               if (off_linktype != -1) {
+               if (off_linktype != (u_int)-1) {
                    b1 = gen_host(addr, mask, Q_ARP, dir);
                    gen_or(b0, b1);
                    b0 = gen_host(addr, mask, Q_RARP, dir);
                    b1 = gen_host(addr, mask, Q_ARP, dir);
                    gen_or(b0, b1);
                    b0 = gen_host(addr, mask, Q_RARP, dir);
@@ -2522,9 +2867,25 @@ gen_gateway(eaddr, alist, proto, dir)
                        b0 = gen_thostop(eaddr, Q_OR);
                else if (linktype == DLT_IEEE802_11)
                        b0 = gen_wlanhostop(eaddr, Q_OR);
                        b0 = gen_thostop(eaddr, Q_OR);
                else if (linktype == DLT_IEEE802_11)
                        b0 = gen_wlanhostop(eaddr, Q_OR);
+               else if (linktype == DLT_SUNATM && is_lane) {
+                       /*
+                        * Check that the packet doesn't begin with an
+                        * LE Control marker.  (We've already generated
+                        * a test for LANE.)
+                        */
+                       b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
+                       gen_not(b1);
+
+                       /*
+                        * Now check the MAC address.
+                        */
+                       b0 = gen_ehostop(eaddr, Q_OR);
+                       gen_and(b1, b0);
+               } else if (linktype == DLT_IP_OVER_FC)
+                       b0 = gen_ipfchostop(eaddr, Q_OR);
                else
                        bpf_error(
                else
                        bpf_error(
-                           "'gateway' supported only on ethernet/FDDI/token ring/802.11");
+                           "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
 
                b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
                while (*alist) {
 
                b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
                while (*alist) {
@@ -2545,9 +2906,7 @@ struct block *
 gen_proto_abbrev(proto)
        int proto;
 {
 gen_proto_abbrev(proto)
        int proto;
 {
-#ifdef INET6
        struct block *b0;
        struct block *b0;
-#endif
        struct block *b1;
 
        switch (proto) {
        struct block *b1;
 
        switch (proto) {
@@ -2694,31 +3053,91 @@ gen_proto_abbrev(proto)
                break;
 
        case Q_ISO:
                break;
 
        case Q_ISO:
-               b1 = gen_linktype(LLCSAP_ISONS);
+               b1 = gen_linktype(LLCSAP_ISONS);
+               break;
+
+       case Q_ESIS:
+               b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
+               break;
+
+       case Q_ISIS:
+               b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
+               break;
+
+       case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
+               b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
+               b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               break;
+
+       case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
+               b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
+               b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               break;
+
+       case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
+               b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
+               b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               break;
+
+       case Q_ISIS_LSP:
+               b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
+               b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               break;
+
+       case Q_ISIS_SNP:
+               b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
+               b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
+               b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
                break;
 
                break;
 
-       case Q_ESIS:
-               b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
+       case Q_ISIS_CSNP:
+               b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
+               b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
                break;
 
                break;
 
-       case Q_ISIS:
-               b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
+       case Q_ISIS_PSNP:
+               b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
+               b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
+               gen_or(b0, b1);
                break;
 
        case Q_CLNP:
                break;
 
        case Q_CLNP:
-               b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
+               b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
                break;
 
        case Q_STP:
                break;
 
        case Q_STP:
-               b1 = gen_linktype(LLCSAP_8021D);
+               b1 = gen_linktype(LLCSAP_8021D);
                break;
 
        case Q_IPX:
                break;
 
        case Q_IPX:
-               b1 = gen_linktype(LLCSAP_IPX);
+               b1 = gen_linktype(LLCSAP_IPX);
                break;
 
        case Q_NETBEUI:
                break;
 
        case Q_NETBEUI:
-               b1 = gen_linktype(LLCSAP_NETBEUI);
+               b1 = gen_linktype(LLCSAP_NETBEUI);
                break;
 
        default:
                break;
 
        default:
@@ -2824,7 +3243,23 @@ gen_port(port, ip_proto, dir)
 {
        struct block *b0, *b1, *tmp;
 
 {
        struct block *b0, *b1, *tmp;
 
-       /* ether proto ip */
+       /*
+        * ether proto ip
+        *
+        * For FDDI, RFC 1188 says that SNAP encapsulation is used,
+        * not LLC encapsulation with LLCSAP_IP.
+        *
+        * For IEEE 802 networks - which includes 802.5 token ring
+        * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
+        * says that SNAP encapsulation is used, not LLC encapsulation
+        * with LLCSAP_IP.
+        *
+        * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
+        * RFC 2225 say that SNAP encapsulation is used, not LLC
+        * encapsulation with LLCSAP_IP.
+        *
+        * So we always check for ETHERTYPE_IP.
+        */
        b0 =  gen_linktype(ETHERTYPE_IP);
 
        switch (ip_proto) {
        b0 =  gen_linktype(ETHERTYPE_IP);
 
        switch (ip_proto) {
@@ -3289,6 +3724,21 @@ gen_proto(v, proto, dir)
                /*FALLTHROUGH*/
 #endif
        case Q_IP:
                /*FALLTHROUGH*/
 #endif
        case Q_IP:
+               /*
+                * For FDDI, RFC 1188 says that SNAP encapsulation is used,
+                * not LLC encapsulation with LLCSAP_IP.
+                *
+                * For IEEE 802 networks - which includes 802.5 token ring
+                * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
+                * says that SNAP encapsulation is used, not LLC encapsulation
+                * with LLCSAP_IP.
+                *
+                * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
+                * RFC 2225 say that SNAP encapsulation is used, not LLC
+                * encapsulation with LLCSAP_IP.
+                *
+                * So we always check for ETHERTYPE_IP.
+                */
                b0 = gen_linktype(ETHERTYPE_IP);
 #ifndef CHASE_CHAIN
                b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
                b0 = gen_linktype(ETHERTYPE_IP);
 #ifndef CHASE_CHAIN
                b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
@@ -3321,8 +3771,20 @@ gen_proto(v, proto, dir)
                         * XXX - what about SNAP-encapsulated frames?
                         */
                        return gen_cmp(2, BPF_H, (0x03<<8) | v);
                         * XXX - what about SNAP-encapsulated frames?
                         */
                        return gen_cmp(2, BPF_H, (0x03<<8) | v);
+                       /*NOTREACHED*/
                        break;
 
                        break;
 
+               case DLT_C_HDLC:
+                       /*
+                        * Cisco uses an Ethertype lookalike - for OSI,
+                        * it's 0xfefe.
+                        */
+                       b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
+                       /* OSI in C-HDLC is stuffed with a fudge byte */
+                       b1 = gen_cmp(off_nl_nosnap+1, BPF_B, (long)v);
+                       gen_and(b0, b1);
+                       return b1;
+
                default:
                        b0 = gen_linktype(LLCSAP_ISONS);
                        b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
                default:
                        b0 = gen_linktype(LLCSAP_ISONS);
                        b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
@@ -3330,6 +3792,16 @@ gen_proto(v, proto, dir)
                        return b1;
                }
 
                        return b1;
                }
 
+       case Q_ISIS:
+               b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
+               /*
+                * 4 is the offset of the PDU type relative to the IS-IS
+                * header.
+                */
+               b1 = gen_cmp(off_nl_nosnap+4, BPF_B, (long)v);
+               gen_and(b0, b1);
+               return b1;
+
        case Q_ARP:
                bpf_error("arp does not encapsulate another protocol");
                /* NOTREACHED */
        case Q_ARP:
                bpf_error("arp does not encapsulate another protocol");
                /* NOTREACHED */
@@ -3511,11 +3983,39 @@ gen_scode(name, q)
                                free(eaddr);
                                return b;
 
                                free(eaddr);
                                return b;
 
-                       default:
-                               bpf_error(
-                       "only ethernet/FDDI/token ring/802.11 supports link-level host name");
-                               break;
+                       case DLT_IP_OVER_FC:
+                               eaddr = pcap_ether_hostton(name);
+                               if (eaddr == NULL)
+                                       bpf_error(
+                                           "unknown Fibre Channel host '%s'", name);
+                               b = gen_ipfchostop(eaddr, dir);
+                               free(eaddr);
+                               return b;
+
+                       case DLT_SUNATM:
+                               if (!is_lane)
+                                       break;
+
+                               /*
+                                * Check that the packet doesn't begin
+                                * with an LE Control marker.  (We've
+                                * already generated a test for LANE.)
+                                */
+                               tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H,
+                                   0xFF00);
+                               gen_not(tmp);
+
+                               eaddr = pcap_ether_hostton(name);
+                               if (eaddr == NULL)
+                                       bpf_error(
+                                           "unknown ether host '%s'", name);
+                               b = gen_ehostop(eaddr, dir);
+                               gen_and(tmp, b);
+                               free(eaddr);
+                               return b;
                        }
                        }
+
+                       bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
                } else if (proto == Q_DECNET) {
                        unsigned short dn_addr = __pcap_nametodnaddr(name);
                        /*
                } else if (proto == Q_DECNET) {
                        unsigned short dn_addr = __pcap_nametodnaddr(name);
                        /*
@@ -3529,7 +4029,7 @@ gen_scode(name, q)
                        if (alist == NULL || *alist == NULL)
                                bpf_error("unknown host '%s'", name);
                        tproto = proto;
                        if (alist == NULL || *alist == NULL)
                                bpf_error("unknown host '%s'", name);
                        tproto = proto;
-                       if (off_linktype == -1 && tproto == Q_DEFAULT)
+                       if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
                                tproto = Q_IP;
                        b = gen_host(**alist++, 0xffffffff, tproto, dir);
                        while (*alist) {
                                tproto = Q_IP;
                        b = gen_host(**alist++, 0xffffffff, tproto, dir);
                        while (*alist) {
@@ -3712,6 +4212,7 @@ gen_mcode(s1, s2, masklen, q)
                bpf_error("Mask syntax for networks only");
                /* NOTREACHED */
        }
                bpf_error("Mask syntax for networks only");
                /* NOTREACHED */
        }
+       /* NOTREACHED */
 }
 
 struct block *
 }
 
 struct block *
@@ -3865,6 +4366,8 @@ gen_ecode(eaddr, q)
        register const u_char *eaddr;
        struct qual q;
 {
        register const u_char *eaddr;
        struct qual q;
 {
+       struct block *b, *tmp;
+
        if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
                if (linktype == DLT_EN10MB)
                        return gen_ehostop(eaddr, (int)q.dir);
        if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
                if (linktype == DLT_EN10MB)
                        return gen_ehostop(eaddr, (int)q.dir);
@@ -3874,7 +4377,25 @@ gen_ecode(eaddr, q)
                        return gen_thostop(eaddr, (int)q.dir);
                if (linktype == DLT_IEEE802_11)
                        return gen_wlanhostop(eaddr, (int)q.dir);
                        return gen_thostop(eaddr, (int)q.dir);
                if (linktype == DLT_IEEE802_11)
                        return gen_wlanhostop(eaddr, (int)q.dir);
-               bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11");
+               if (linktype == DLT_SUNATM && is_lane) {
+                       /*
+                        * Check that the packet doesn't begin with an
+                        * LE Control marker.  (We've already generated
+                        * a test for LANE.)
+                        */
+                       tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
+                       gen_not(tmp);
+
+                       /*
+                        * Now check the MAC address.
+                        */
+                       b = gen_ehostop(eaddr, (int)q.dir);
+                       gen_and(tmp, b);
+                       return b;
+               }
+               if (linktype == DLT_IP_OVER_FC)
+                       return gen_ipfchostop(eaddr, (int)q.dir);
+               bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
        }
        bpf_error("ethernet address used in non-ether expression");
        /* NOTREACHED */
        }
        bpf_error("ethernet address used in non-ether expression");
        /* NOTREACHED */
@@ -3948,6 +4469,14 @@ gen_load(proto, index, size)
                bpf_error("unsupported index operation");
 
        case Q_LINK:
                bpf_error("unsupported index operation");
 
        case Q_LINK:
+               /*
+                * XXX - what about ATM LANE?  Should the index be
+                * relative to the beginning of the AAL5 frame, so
+                * that 0 refers to the beginning of the LE Control
+                * field, or relative to the beginning of the LAN
+                * frame, so that 0 refers, for Ethernet LANE, to
+                * the beginning of the destination address?
+                */
                s = xfer_to_x(index);
                tmp = new_stmt(BPF_LD|BPF_IND|size);
                sappend(s, tmp);
                s = xfer_to_x(index);
                tmp = new_stmt(BPF_LD|BPF_IND|size);
                sappend(s, tmp);
@@ -4276,7 +4805,7 @@ gen_broadcast(proto)
 
        case Q_DEFAULT:
        case Q_LINK:
 
        case Q_DEFAULT:
        case Q_LINK:
-               if (linktype == DLT_ARCNET)
+               if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
                        return gen_ahostop(abroadcast, Q_DST);
                if (linktype == DLT_EN10MB)
                        return gen_ehostop(ebroadcast, Q_DST);
                        return gen_ahostop(abroadcast, Q_DST);
                if (linktype == DLT_EN10MB)
                        return gen_ehostop(ebroadcast, Q_DST);
@@ -4286,6 +4815,24 @@ gen_broadcast(proto)
                        return gen_thostop(ebroadcast, Q_DST);
                if (linktype == DLT_IEEE802_11)
                        return gen_wlanhostop(ebroadcast, Q_DST);
                        return gen_thostop(ebroadcast, Q_DST);
                if (linktype == DLT_IEEE802_11)
                        return gen_wlanhostop(ebroadcast, Q_DST);
+               if (linktype == DLT_IP_OVER_FC)
+                       return gen_ipfchostop(ebroadcast, Q_DST);
+               if (linktype == DLT_SUNATM && is_lane) {
+                       /*
+                        * Check that the packet doesn't begin with an
+                        * LE Control marker.  (We've already generated
+                        * a test for LANE.)
+                        */
+                       b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
+                       gen_not(b1);
+
+                       /*
+                        * Now check the MAC address.
+                        */
+                       b0 = gen_ehostop(ebroadcast, Q_DST);
+                       gen_and(b1, b0);
+                       return b0;
+               }
                bpf_error("not a broadcast link");
                break;
 
                bpf_error("not a broadcast link");
                break;
 
@@ -4299,7 +4846,8 @@ gen_broadcast(proto)
                gen_and(b0, b2);
                return b2;
        }
                gen_and(b0, b2);
                return b2;
        }
-       bpf_error("only ether/ip broadcast filters supported");
+       bpf_error("only link-layer/IP broadcast filters supported");
+       /* NOTREACHED */
 }
 
 /*
 }
 
 /*
@@ -4326,14 +4874,14 @@ struct block *
 gen_multicast(proto)
        int proto;
 {
 gen_multicast(proto)
        int proto;
 {
-       register struct block *b0, *b1, *b2, *b3;
+       register struct block *b0, *b1, *b2;
        register struct slist *s;
 
        switch (proto) {
 
        case Q_DEFAULT:
        case Q_LINK:
        register struct slist *s;
 
        switch (proto) {
 
        case Q_DEFAULT:
        case Q_LINK:
-               if (linktype == DLT_ARCNET)
+               if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
                        /* all ARCnet multicasts use the same address */
                        return gen_ahostop(abroadcast, Q_DST);
 
                        /* all ARCnet multicasts use the same address */
                        return gen_ahostop(abroadcast, Q_DST);
 
@@ -4375,44 +4923,48 @@ gen_multicast(proto)
                         */
 
                        /*
                         */
 
                        /*
-                        * If the low-order bit of the type value is 1,
-                        * this is either a control frame or a frame
-                        * with a reserved type, and thus not a
-                        * frame with a DA.
+                        * Generate the tests to be done for data frames.
                         *
                         *
-                        * I.e., first check "!(link[0] & 0x04)".
+                        * First, check for To DS set, i.e. "link[1] & 0x01".
                         */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                         */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-                       s->s.k = 0;
-                       b0 = new_block(JMP(BPF_JSET));
-                       b0->s.k = 0x04;
-                       b0->stmts = s;
-                       gen_not(b0);
+                       s->s.k = 1;
+                       b1 = new_block(JMP(BPF_JSET));
+                       b1->s.k = 0x01; /* To DS */
+                       b1->stmts = s;
 
                        /*
 
                        /*
-                        * If the high-order bit of the type value is 0,
-                        * this is a management frame.
-                        * I.e, check "!(link[0] & 0x08)".
+                        * If To DS is set, the DA is at 16.
+                        */
+                       b0 = gen_mac_multicast(16);
+                       gen_and(b1, b0);
+
+                       /*
+                        * Now, check for To DS not set, i.e. check
+                        * "!(link[1] & 0x01)".
                         */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                         */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-                       s->s.k = 0;
+                       s->s.k = 1;
                        b2 = new_block(JMP(BPF_JSET));
                        b2 = new_block(JMP(BPF_JSET));
-                       b2->s.k = 0x08;
+                       b2->s.k = 0x01; /* To DS */
                        b2->stmts = s;
                        gen_not(b2);
 
                        /*
                        b2->stmts = s;
                        gen_not(b2);
 
                        /*
-                        * For management frames, test the DA at 4.
+                        * If To DS is not set, the DA is at 4.
                         */
                        b1 = gen_mac_multicast(4);
                        gen_and(b2, b1);
                         */
                        b1 = gen_mac_multicast(4);
                        gen_and(b2, b1);
-                       b3 = b1;
 
                        /*
 
                        /*
-                        * If the high-order bit of the type value is 0,
-                        * this is a data frame; check To DS.
-                        *
-                        * I.e., check "(link[0] & 0x08) && !(link[1] & 0x01)".
+                        * Now OR together the last two checks.  That gives
+                        * the complete set of checks for data frames.
+                        */
+                       gen_or(b1, b0);
+
+                       /*
+                        * Now check for a data frame.
+                        * I.e, check "link[0] & 0x08".
                         */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                        s->s.k = 0;
                         */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                        s->s.k = 0;
@@ -4420,52 +4972,77 @@ gen_multicast(proto)
                        b1->s.k = 0x08;
                        b1->stmts = s;
 
                        b1->s.k = 0x08;
                        b1->stmts = s;
 
+                       /*
+                        * AND that with the checks done for data frames.
+                        */
+                       gen_and(b1, b0);
+
+                       /*
+                        * If the high-order bit of the type value is 0, this
+                        * is a management frame.
+                        * I.e, check "!(link[0] & 0x08)".
+                        */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-                       s->s.k = 1;
+                       s->s.k = 0;
                        b2 = new_block(JMP(BPF_JSET));
                        b2 = new_block(JMP(BPF_JSET));
-                       b2->s.k = 0x01; /* To DS */
+                       b2->s.k = 0x08;
                        b2->stmts = s;
                        gen_not(b2);
                        b2->stmts = s;
                        gen_not(b2);
-                       gen_and(b1, b2);
 
                        /*
 
                        /*
-                        * For data frames with To DS not set, test the DA
-                        * at 4; then combine that test with the management
-                        * frame test.
+                        * For management frames, the DA is at 4.
                         */
                        b1 = gen_mac_multicast(4);
                        gen_and(b2, b1);
                         */
                        b1 = gen_mac_multicast(4);
                        gen_and(b2, b1);
-                       gen_or(b3, b1);
-                       b3 = b1;
 
                        /*
 
                        /*
-                        * Now, check for a data frame with To DS set.
+                        * OR that with the checks done for data frames.
+                        * That gives the checks done for management and
+                        * data frames.
+                        */
+                       gen_or(b1, b0);
+
+                       /*
+                        * If the low-order bit of the type value is 1,
+                        * this is either a control frame or a frame
+                        * with a reserved type, and thus not a
+                        * frame with an SA.
                         *
                         *
-                        * I.e., check "(link[0] & 0x08) && (link[1] & 0x01)".
+                        * I.e., check "!(link[0] & 0x04)".
                         */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                        s->s.k = 0;
                        b1 = new_block(JMP(BPF_JSET));
                         */
                        s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
                        s->s.k = 0;
                        b1 = new_block(JMP(BPF_JSET));
-                       b1->s.k = 0x08;
+                       b1->s.k = 0x04;
                        b1->stmts = s;
                        b1->stmts = s;
+                       gen_not(b1);
 
 
-                       s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
-                       s->s.k = 1;
-                       b2 = new_block(JMP(BPF_JSET));
-                       b2->s.k = 0x01; /* To DS */
-                       b2->stmts = s;
-                       gen_and(b1, b2);
+                       /*
+                        * AND that with the checks for data and management
+                        * frames.
+                        */
+                       gen_and(b1, b0);
+                       return b0;
+               }
+
+               if (linktype == DLT_IP_OVER_FC) {
+                       b0 = gen_mac_multicast(2);
+                       return b0;
+               }
 
 
+               if (linktype == DLT_SUNATM && is_lane) {
                        /*
                        /*
-                        * Test the DA at 16, and OR the previous DA tests
-                        * with it.
+                        * Check that the packet doesn't begin with an
+                        * LE Control marker.  (We've already generated
+                        * a test for LANE.)
                         */
                         */
-                       b1 = gen_mac_multicast(16);
-                       gen_and(b2, b1);
-                       gen_or(b3, b1);
+                       b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
+                       gen_not(b1);
 
 
-                       gen_and(b0, b1);
-                       return b1;
+                       /* ether[off_mac] & 1 != 0 */
+                       b0 = gen_mac_multicast(off_mac);
+                       gen_and(b1, b0);
+                       return b0;
                }
 
                /* Link not known to support multicasts */
                }
 
                /* Link not known to support multicasts */
@@ -4486,7 +5063,8 @@ gen_multicast(proto)
                return b1;
 #endif /* INET6 */
        }
                return b1;
 #endif /* INET6 */
        }
-       bpf_error("only IP multicast filters supported on ethernet/FDDI");
+       bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
+       /* NOTREACHED */
 }
 
 /*
 }
 
 /*
@@ -4505,7 +5083,6 @@ gen_inbound(dir)
         */
        switch (linktype) {
        case DLT_SLIP:
         */
        switch (linktype) {
        case DLT_SLIP:
-       case DLT_PPP:
                b0 = gen_relation(BPF_JEQ,
                          gen_load(Q_LINK, gen_loadi(0), 1),
                          gen_loadi(0),
                b0 = gen_relation(BPF_JEQ,
                          gen_load(Q_LINK, gen_loadi(0), 1),
                          gen_loadi(0),
@@ -4533,8 +5110,37 @@ gen_inbound(dir)
                }
                break;
 
                }
                break;
 
+       case DLT_PFLOG:
+               b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
+                   (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
+               break;
+
+       case DLT_PPP_WITHDIRECTION:
+               if (dir) {
+                       /* match outgoing packets */
+                       b0 = gen_cmp(0, BPF_B, PPP_WITHDIRECTION_OUT);
+               } else {
+                       /* match incoming packets */
+                       b0 = gen_cmp(0, BPF_B, PPP_WITHDIRECTION_IN);
+               }
+               break;
+
+        case DLT_JUNIPER_MLPPP:
+       case DLT_JUNIPER_ATM1:
+       case DLT_JUNIPER_ATM2:
+               /* juniper flags (including direction) are stored
+                * the byte after the 3-byte magic number */
+               if (dir) {
+                       /* match outgoing packets */
+                       b0 = gen_mcmp(3, BPF_B, 0, 0x01);
+               } else {
+                       /* match incoming packets */
+                       b0 = gen_mcmp(3, BPF_B, 1, 0x01);
+               }
+           break;
+
        default:
        default:
-               bpf_error("inbound/outbound not supported on linktype %d\n",
+               bpf_error("inbound/outbound not supported on linktype %d",
                    linktype);
                b0 = NULL;
                /* NOTREACHED */
                    linktype);
                b0 = NULL;
                /* NOTREACHED */
@@ -4542,13 +5148,123 @@ gen_inbound(dir)
        return (b0);
 }
 
        return (b0);
 }
 
+/* PF firewall log matched interface */
+struct block *
+gen_pf_ifname(const char *ifname)
+{
+       struct block *b0;
+       u_int len, off;
+
+       if (linktype == DLT_PFLOG) {
+               len = sizeof(((struct pfloghdr *)0)->ifname);
+               off = offsetof(struct pfloghdr, ifname);
+       } else {
+               bpf_error("ifname not supported on linktype 0x%x", linktype);
+               /* NOTREACHED */
+       }
+       if (strlen(ifname) >= len) {
+               bpf_error("ifname interface names can only be %d characters",
+                   len-1);
+               /* NOTREACHED */
+       }
+       b0 = gen_bcmp(off, strlen(ifname), (const u_char *)ifname);
+       return (b0);
+}
+
+/* PF firewall log matched interface */
+struct block *
+gen_pf_ruleset(char *ruleset)
+{
+       struct block *b0;
+
+       if (linktype != DLT_PFLOG) {
+               bpf_error("ruleset not supported on linktype 0x%x", linktype);
+               /* NOTREACHED */
+       }
+       if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
+               bpf_error("ruleset names can only be %ld characters",
+                   (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
+               /* NOTREACHED */
+       }
+       b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
+           strlen(ruleset), (const u_char *)ruleset);
+       return (b0);
+}
+
+/* PF firewall log rule number */
+struct block *
+gen_pf_rnr(int rnr)
+{
+       struct block *b0;
+
+       if (linktype == DLT_PFLOG) {
+               b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
+                        (bpf_int32)rnr);
+       } else {
+               bpf_error("rnr not supported on linktype 0x%x", linktype);
+               /* NOTREACHED */
+       }
+
+       return (b0);
+}
+
+/* PF firewall log sub-rule number */
+struct block *
+gen_pf_srnr(int srnr)
+{
+       struct block *b0;
+
+       if (linktype != DLT_PFLOG) {
+               bpf_error("srnr not supported on linktype 0x%x", linktype);
+               /* NOTREACHED */
+       }
+
+       b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
+           (bpf_int32)srnr);
+       return (b0);
+}
+
+/* PF firewall log reason code */
+struct block *
+gen_pf_reason(int reason)
+{
+       struct block *b0;
+
+       if (linktype == DLT_PFLOG) {
+               b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
+                   (bpf_int32)reason);
+       } else {
+               bpf_error("reason not supported on linktype 0x%x", linktype);
+               /* NOTREACHED */
+       }
+
+       return (b0);
+}
+
+/* PF firewall log action */
+struct block *
+gen_pf_action(int action)
+{
+       struct block *b0;
+
+       if (linktype == DLT_PFLOG) {
+               b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
+                   (bpf_int32)action);
+       } else {
+               bpf_error("action not supported on linktype 0x%x", linktype);
+               /* NOTREACHED */
+       }
+
+       return (b0);
+}
+
 struct block *
 gen_acode(eaddr, q)
        register const u_char *eaddr;
        struct qual q;
 {
        if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
 struct block *
 gen_acode(eaddr, q)
        register const u_char *eaddr;
        struct qual q;
 {
        if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
-               if (linktype == DLT_ARCNET)
+               if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
                        return gen_ahostop(eaddr, (int)q.dir);
        }
        bpf_error("ARCnet address used in non-arc expression");
                        return gen_ahostop(eaddr, (int)q.dir);
        }
        bpf_error("ARCnet address used in non-arc expression");
@@ -4627,7 +5343,78 @@ gen_vlan(vlan_num)
        if (vlan_num >= 0) {
                struct block *b1;
 
        if (vlan_num >= 0) {
                struct block *b1;
 
-               b1 = gen_cmp(orig_nl, BPF_H, (bpf_int32)vlan_num);
+               b1 = gen_mcmp(orig_nl, BPF_H, (bpf_int32)vlan_num, 0x0fff);
+               gen_and(b0, b1);
+               b0 = b1;
+       }
+
+       return (b0);
+}
+
+/*
+ * support for MPLS
+ */
+struct block *
+gen_mpls(label_num)
+       int label_num;
+{
+       struct  block   *b0;
+
+       /*
+        * Change the offsets to point to the type and data fields within
+        * the MPLS packet.  This is somewhat of a kludge.
+        */
+       if (orig_nl == (u_int)-1) {
+               orig_linktype = off_linktype;   /* save original values */
+               orig_nl = off_nl;
+               orig_nl_nosnap = off_nl_nosnap;
+
+               switch (linktype) {
+
+               case DLT_EN10MB:
+                       off_linktype = 16;
+                       off_nl_nosnap = 18;
+                       off_nl = 18;
+
+                       b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
+                       break;
+
+               case DLT_PPP:
+                       off_linktype = 6;
+                       off_nl_nosnap = 8;
+                       off_nl = 8;
+
+                       b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)PPP_MPLS_UCAST);
+                       break;
+
+               case DLT_C_HDLC:
+                       off_linktype = 6;
+                       off_nl_nosnap = 8;
+                       off_nl = 8;
+
+                       b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
+                       break;
+
+                       /* FIXME add other DLT_s ...
+                        * for Frame-Relay/and ATM this may get messy due to SNAP headers
+                        * leave it for now */
+
+               default:
+                       bpf_error("no MPLS support for data link type %d",
+                                 linktype);
+                       /*NOTREACHED*/
+               }
+       } else {
+               bpf_error("'mpls' can't be combined with 'vlan' or another 'mpls'");
+               /*NOTREACHED*/
+       }
+
+       /* If a specific MPLS label is requested, check it */
+       if (label_num >= 0) {
+               struct block *b1;
+
+               label_num = label_num << 12; /* label is shifted 12 bits on the wire */
+               b1 = gen_mcmp(orig_nl, BPF_W, (bpf_int32)label_num, 0xfffff000); /* only compare the first 20 bits */
                gen_and(b0, b1);
                b0 = b1;
        }
                gen_and(b0, b1);
                b0 = b1;
        }
@@ -4649,7 +5436,7 @@ gen_atmfield_code(atmfield, jvalue, jtype, reverse)
        case A_VPI:
                if (!is_atm)
                        bpf_error("'vpi' supported only on raw ATM");
        case A_VPI:
                if (!is_atm)
                        bpf_error("'vpi' supported only on raw ATM");
-               if (off_vpi == -1)
+               if (off_vpi == (u_int)-1)
                        abort();
                b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
                    (u_int)jvalue, reverse);
                        abort();
                b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
                    (u_int)jvalue, reverse);
@@ -4658,30 +5445,30 @@ gen_atmfield_code(atmfield, jvalue, jtype, reverse)
        case A_VCI:
                if (!is_atm)
                        bpf_error("'vci' supported only on raw ATM");
        case A_VCI:
                if (!is_atm)
                        bpf_error("'vci' supported only on raw ATM");
-               if (off_vci == -1)
+               if (off_vci == (u_int)-1)
                        abort();
                b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
                    (u_int)jvalue, reverse);
                break;
 
        case A_PROTOTYPE:
                        abort();
                b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
                    (u_int)jvalue, reverse);
                break;
 
        case A_PROTOTYPE:
-               if (off_proto == -1)
+               if (off_proto == (u_int)-1)
                        abort();        /* XXX - this isn't on FreeBSD */
                b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
                    (u_int)jvalue, reverse);
                break;
 
        case A_MSGTYPE:
                        abort();        /* XXX - this isn't on FreeBSD */
                b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
                    (u_int)jvalue, reverse);
                break;
 
        case A_MSGTYPE:
-               if (off_msg_type == -1)
+               if (off_payload == (u_int)-1)
                        abort();
                        abort();
-               b0 = gen_ncmp(BPF_B, off_msg_type, 0xffffffff,
+               b0 = gen_ncmp(BPF_B, off_payload + MSG_TYPE_POS, 0xffffffff,
                    (u_int)jtype, (u_int)jvalue, reverse);
                break;
 
        case A_CALLREFTYPE:
                if (!is_atm)
                        bpf_error("'callref' supported only on raw ATM");
                    (u_int)jtype, (u_int)jvalue, reverse);
                break;
 
        case A_CALLREFTYPE:
                if (!is_atm)
                        bpf_error("'callref' supported only on raw ATM");
-               if (off_proto == -1)
+               if (off_proto == (u_int)-1)
                        abort();
                b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
                    (u_int)jvalue, reverse);
                        abort();
                b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
                    (u_int)jvalue, reverse);
@@ -4760,6 +5547,24 @@ gen_atmtype_abbrev(type)
                if (!is_atm)
                        bpf_error("'lane' supported only on raw ATM");
                b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
                if (!is_atm)
                        bpf_error("'lane' supported only on raw ATM");
                b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
+
+               /*
+                * Arrange that all subsequent tests assume LANE
+                * rather than LLC-encapsulated packets, and set
+                * the offsets appropriately for LANE-encapsulated
+                * Ethernet.
+                *
+                * "off_mac" is the offset of the Ethernet header,
+                * which is 2 bytes past the ATM pseudo-header
+                * (skipping the pseudo-header and 2-byte LE Client
+                * field).  The other offsets are Ethernet offsets
+                * relative to "off_mac".
+                */
+               is_lane = 1;
+               off_mac = off_payload + 2;      /* MAC header */
+               off_linktype = off_mac + 12;
+               off_nl = off_mac + 14;          /* Ethernet II */
+               off_nl_nosnap = off_mac + 17;   /* 802.3+802.2 */
                break;
 
        case A_LLC:
                break;
 
        case A_LLC:
@@ -4767,6 +5572,7 @@ gen_atmtype_abbrev(type)
                if (!is_atm)
                        bpf_error("'llc' supported only on raw ATM");
                b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
                if (!is_atm)
                        bpf_error("'llc' supported only on raw ATM");
                b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
+               is_lane = 0;
                break;
 
        default:
                break;
 
        default:
@@ -4793,15 +5599,15 @@ gen_msg_abbrev(type)
                break;
 
        case A_CALLPROCEED:
                break;
 
        case A_CALLPROCEED:
-               b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 
+               b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
                break;
 
        case A_CONNECT:
                b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
                break;
 
        case A_CONNECT:
                b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
-               break;                 
+               break;
 
        case A_CONNECTACK:
 
        case A_CONNECTACK:
-               b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);  
+               b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
                break;
 
        case A_RELEASE:
                break;
 
        case A_RELEASE:
@@ -4809,7 +5615,7 @@ gen_msg_abbrev(type)
                break;
 
        case A_RELEASE_DONE:
                break;
 
        case A_RELEASE_DONE:
-               b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);  
+               b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
                break;
 
        default:
                break;
 
        default:
@@ -4836,9 +5642,9 @@ gen_atmmulti_abbrev(type)
                if (!is_atm)
                        bpf_error("'oamf4' supported only on raw ATM");
                /* OAM F4 type */
                if (!is_atm)
                        bpf_error("'oamf4' supported only on raw ATM");
                /* OAM F4 type */
-               b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 
+               b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
                b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
                b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
-               gen_or(b0, b1); 
+               gen_or(b0, b1);
                b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
                gen_and(b0, b1);
                break;
                b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
                gen_and(b0, b1);
                break;
[mirror] the LIBpcap interface to various kernel packet capture mechanism