tcpdump mailing list archives
Re: protochain, BPF_JA, and sk_chk_filter
From: Robert Edmonds <edmonds () debian org>
Date: Fri, 19 Sep 2008 03:23:59 +0000 (UTC)
On 2008-09-18, Guy Harris <guy () alum mit edu> wrote:
On Sep 17, 2008, at 2:26 PM, Robert Edmonds wrote:the comparison succeeds because the large unsigned k-value for this instruction (0xfffffff0) is much larger than the number of remaining bpf instructions (flen-pc-1).It's so large, in fact, that its high-order bit is set - so, in effect, it's a *negative* offset, making it a backwards branch.
right, but the LSF filter validation code treats it as unsigned.
This means that protochain filters cannot be interpreted in any kernel- based implementation of BPF I know of, as they all prohibit loops so that you don't put a kernel thread into an infinite loop.
i don't suppose the bpf compiler could be taught to generate separate kernel-only and userspace-only filter programs? -- Robert Edmonds edmonds () debian org - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- protochain, BPF_JA, and sk_chk_filter Robert Edmonds (Sep 18)
- Message not available
- Re: protochain, BPF_JA, and sk_chk_filter Robert Edmonds (Sep 19)
- Re: protochain, BPF_JA, and sk_chk_filter Guy Harris (Sep 19)
- Re: protochain, BPF_JA, and sk_chk_filter Jefferson Ogata (Sep 19)
- Re: protochain, BPF_JA, and sk_chk_filter Robert Edmonds (Sep 19)
- Message not available