tcpdump mailing list archives

Re: protochain, BPF_JA, and sk_chk_filter


From: Guy Harris <guy () alum mit edu>
Date: Fri, 19 Sep 2008 00:48:15 -0700


On Sep 18, 2008, at 8:23 PM, Robert Edmonds wrote:

> right, but the LSF filter validation code treats it as unsigned.

Doesn't matter - whether the problem is that the branch goes too far forward, or goes backward, it's not something the kernel can accept (and we're talking about a 1-sphere anyway, so "goes too far forward" and "goes backward" are really the same thing).

> i don't suppose the bpf compiler could be taught to generate separate
> kernel-only and userspace-only filter programs?

It could, but, currently, the libpcap API is

        1) bpf_compile, which takes an expression and generates code

and

        2) pcap_setfilter(), which takes code and makes it the filter

and 1) has no clue whether the program is being generated for the kernel or userland and 2) takes raw generated code, not a filter expression from which to generate code, as an argument, so there's no place to *tell* it what kind of code to generate.

The bug isn't that it's handing Bad Code(TM) to the kernel, the bug is that it's emitting a warning - and, if the warning is considered useful (i.e., "the kernel can't handle that filter, so if you need to have the filtering done in the kernel for performance, you might want to consider a different filter"), that might not even be a bug.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
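
An added illustration of the point discussed in this message (not part of the original post, and not kernel or libpcap source): a simplified model of a validator that compares the BPF_JA offset as unsigned, run over two constructed filter programs. The names `check_jumps`, `ja_target`, `fwd_prog` and `loop_prog` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction layout and the opcode bits this sketch needs. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_JMP 0x05
#define BPF_JA  0x00
#define BPF_RET 0x06

/* Branch target in 32-bit modular arithmetic: pc + 1 + k. */
uint32_t ja_target(uint32_t pc, uint32_t k) { return pc + 1 + k; }

/* Simplified model of kernel-side validation: every branch must land on a
 * later instruction inside the program, with k compared as unsigned.
 * Returns 0 if the program is acceptable, -1 if it would be rejected. */
int check_jumps(const struct insn *p, unsigned len)
{
    if (len == 0 || BPF_CLASS(p[len - 1].code) != BPF_RET)
        return -1;                      /* must end in a return */
    for (unsigned pc = 0; pc < len; pc++) {
        if (BPF_CLASS(p[pc].code) != BPF_JMP)
            continue;
        if (BPF_OP(p[pc].code) == BPF_JA) {
            if (p[pc].k >= len - pc - 1)    /* a "negative" k is huge here */
                return -1;
        } else if (pc + p[pc].jt + 1 >= len || pc + p[pc].jf + 1 >= len) {
            return -1;
        }
    }
    return 0;
}

/* Constructed sample programs, not taken from the thread. */
const struct insn fwd_prog[] = {
    { 0x28, 0, 0, 12 },               /* ldh [12] */
    { 0x05, 0, 0, 1 },                /* ja +1, lands on insn 3 */
    { 0x06, 0, 0, 0 },                /* ret #0 */
    { 0x06, 0, 0, 0xffff },           /* ret #65535 */
};
const struct insn loop_prog[] = {
    { 0x28, 0, 0, 12 },               /* ldh [12] */
    { 0x15, 1, 0, 0x0800 },           /* jeq #0x800, jt -> 3, jf -> 2 */
    { 0x05, 0, 0, (uint32_t)-3 },     /* ja -3, back to insn 0 */
    { 0x06, 0, 0, 0xffff },           /* ret #65535 */
};

int main(void)
{
    printf("fwd=%d loop=%d\n", check_jumps(fwd_prog, 4), check_jumps(loop_prog, 4));
    return 0;
}
```

The backward branch in `loop_prog` wraps to instruction 0 under modular arithmetic, yet the same offset read as unsigned is far past the end of the program, so the check rejects it either way.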

