On 2008-09-18, Guy Harris <[EMAIL PROTECTED]> wrote: > > On Sep 17, 2008, at 2:26 PM, Robert Edmonds wrote: > >> the comparison succeeds because the large unsigned k-value for this >> instruction (0xfffffff0) is much larger than the number of remaining >> bpf >> instructions (flen-pc-1). > > It's so large, in fact, that its high-order bit is set - so, in > effect, it's a *negative* offset, making it a backwards branch.
right, but the LSF filter validation code treats it as unsigned. > This means that protochain filters cannot be interpreted in any kernel- > based implementation of BPF I know of, as they all prohibit loops so > that you don't put a kernel thread into an infinite loop. i don't suppose the bpf compiler could be taught to generate separate kernel-only and userspace-only filter programs? -- Robert Edmonds [EMAIL PROTECTED] - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
