Re: [libpcap] libpcap 'inbound'/'outbound' filter fixes for Linux (#3)

[Guy Harris <guy () alum mit edu>]

On Dec 21, 2011, at 8:46 AM, Michael Richardson wrote:

> > > > > > "David" == David Ward <reply+i-2621989-4d73cbe91d92dde3eff5e1859db3c6b41d58755f-25774 () reply github com> 
> > > > > > writes:
>    David> I'm sending a couple of fixes to the 'inbound' and 'outbound'
>    David> filters in libpcap affecting Linux. I have compiled and
>    David> tested under Linux as well as FreeBSD (to make sure it
>    David> doesn't affect non-Linux builds).
>
>    David> Note that the behavior of the 'inbound' filter for Linux
>    David> cooked captures is slightly modified, with the intent of
>    David> making the meaning of 'inbound' consistent across all link
>    David> types and with pcap_setdirection(). Since installing an
>    David> 'inbound' filter for Linux cooked captures into the kernel
>    David> was broken anyway, it doesn't seem that there would be any
>    David> impact.
>
>    David> I'm not sure if there is a more preferred way to handle the
>    David> LSF- or PF_PACKET-specific includes/defines in gencode.h.

Ultimately, the right way is probably to have per-packet-source routines for that, to handle either other capture 
mechanisms (either now or in the future) that supply packet direction as packet meta-data or capture file formats that 
might supply that data (pcap-ng can - but it's optional, so I'm not sure whether an "inbound" or "outbound" filter 
should only match packets that have the direction information or should match all packets that don't have it; my guess 
is that the former is better).

> I merged it, it looked good to me.

I fixed it to fail the compilation of the filter if you're reading a savefile, as pcap has no per-packet direction 
metadata and we don't support it in pcap-ng yet.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.