tcpdump mailing list archives
Can't install an inbound/outbound filter in the Linux kernel ?
From: John Cormie <johncormie () gmail com>
Date: Mon, 1 Mar 2010 18:05:20 -0800
I've noticed that using either the inbound or outbound keyword in my capture expression results in a filter that cannot be installed in the kernel and gets processed in user mode instead. I believe the problem is that these filters generate BPF code that pcap-linux.c:fix_program() is unable to rewrite. In particular, pcap-linux.c:fix_offset() bails out on a "ldh [0]" instruction. fix_offset() already knows how to map sll_header.sll_protocol (offset 14) to Linux's SKF_AD_PROTOCOL. Would a patch to remap sll_pkttype (0) => SKF_AD_PKTTYPE as well be welcome or am I missing something? Something like: ==== libpcap/pcap-linux.c ==== 4735a4736,4741
} else if (p->k == 0) { /* * It's the packet type field; map it to the special magic * kernel offset for that field. */ p->k = SKF_AD_OFF + SKF_AD_PKTTYPE;
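Review bot: The new branch matches on the bare literal in "} else if (p->k == 0) {" and, as shown, tests only the offset, not the width of the load. The case reported in the message is the halfword load "ldh [0]"; if fix_offset() can also be reached for a byte or word load at offset 0, that load would be redirected to SKF_AD_OFF + SKF_AD_PKTTYPE as well, so consider restricting the rewrite to the halfword load and continuing to bail out for anything else. Writing the offset as offsetof(struct sll_header, sll_pkttype), or as a named constant, would make the intent clearer than 0. The hunk is a normal-format diff (4735a4736,4741) with no context lines; a unified diff would be easier to review and apply.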
fixes the problem for me.

Thanks for reading!
JC