Can't install an inbound/outbound filter in the Linux kernel ?

[John Cormie <johncormie () gmail com>]

I've noticed that using either the inbound or outbound keyword in my
capture expression results in a filter that cannot be installed in the
kernel and gets processed in user mode instead. I believe the problem
is that these filters generate BPF code that
pcap-linux.c:fix_program() is unable to rewrite. In particular,
pcap-linux.c:fix_offset() bails out on a "ldh [0]" instruction.

fix_offset() already knows how to map sll_header.sll_protocol (offset
14) to Linux's SKF_AD_PROTOCOL. Would a patch to remap sll_pkttype (0)
=> SKF_AD_PKTTYPE as well be welcome or am I missing something?
Something like:

==== libpcap/pcap-linux.c ====
4735a4736,4741
>       } else if (p->k == 0) {
>               /*
>                * It's the packet type field; map it to the special magic
>                * kernel offset for that field.
>                */
>               p->k = SKF_AD_OFF + SKF_AD_PKTTYPE;

fixes the problem for me.

Thanks for reading!
JC
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.