On Aug 2, 2011, at 4:42 PM, ramkumar p wrote:

> I am receiving a warning that kernel filter failed: invalid argument when I
> enable ip6 protochain 6 to filter tcp traffic.

That warning means that the filter code generated for "ip6 protochain 6" was 
rejected by the Linux kernel socket filter code.  It's only a warning; libpcap 
will do the filtering in user mode (without any filtering being done in the 
kernel, so there is a greater risk of dropped packets).

The kernel is correct to reject the filter code.  "ip6 protochain" requires 
parsing through an indefinite number of extension headers, so the BPF code has 
a loop.  No kernel implementation of BPF I know of (*BSD, Mac OS X, Linux, 
WinPcap, Tru64 UNIX, etc.) allows BPF programs that loop, as, if somebody has 
sufficient privilege to give the kernel a filter program (and often systems are 
set up to allow at least some users to capture network traffic), that would 
give them sufficient privilege to make at least one kernel thread or process or 
interrupt routine loop infinitely; the intent of BPF is to allow only "safe" 
filters to be given to the kernel.

That could, in theory, be fixed - for example, BSD/OS's BPF interpreter had an 
instruction that would do IPv6 extension header parsing - but the Linux 
kernel's BPF interpreter doesn't have any instructions to handle that, and 
nobody's implemented, for example, the proof-carrying code mechanism mentioned 
in the BPF+ paper mentioned on the Related Projects page:

        http://www.tcpdump.org/related.html

to allow the kernel to determine whether a given looping BPF program is "safe".
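As an added illustration (not part of this message, and not libpcap's or any kernel's own code), here is a simplified model of the forward-jump rule described above, run over two constructed programs written in tcpdump -dd style: a straight-line "ip6 and tcp" filter that is accepted, and an extension-header walk of the kind "ip6 protochain 6" needs, whose backward ja is what gets the program rejected. Opcode values follow the classic BPF encoding; the check itself is a simplification and omits the other sanity tests a real kernel performs.

```c
#include <stdint.h>
/* Classic BPF instruction, same layout as struct bpf_insn: code, jt, jf, k. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Simplified model of a kernel's pre-install check: every jump lands strictly forward and
 * inside the program, and the last instruction is a return.  No backward edge, no loop. */
int bpf_is_safe(const struct insn *p, unsigned n)
{
    if (n == 0) return 0;
    for (unsigned i = 0; i < n; i++) {
        if ((p[i].code & 0x07) != 0x05) continue;           /* not BPF_JMP */
        unsigned room = n - i - 1;                           /* instructions after this one */
        if ((p[i].code & 0xf0) == 0x00) {                    /* BPF_JA: pc += k, k unsigned */
            if (p[i].k >= room) return 0;                    /* "negative" k wraps to a huge value */
        } else if (p[i].jt >= room || p[i].jf >= room) return 0;
    }
    return (p[n - 1].code & 0x07) == 0x06;                   /* must end in BPF_RET */
}

/* Constructed "ip6 and tcp", valid when TCP directly follows the IPv6 header (Ethernet framing). */
static const struct insn linear[] = {
    { 0x28, 0, 0, 12 },        /* ldh [12]       A = ethertype */
    { 0x15, 0, 3, 0x86dd },    /* jeq #0x86dd    jf -> ret #0 */
    { 0x30, 0, 0, 20 },        /* ldb [20]       A = IPv6 next header */
    { 0x15, 0, 1, 6 },         /* jeq #6         jt -> ret #65535 */
    { 0x06, 0, 0, 65535 },     /* ret #65535     accept */
    { 0x06, 0, 0, 0 },         /* ret #0         reject */
};

/* Constructed extension-header walk (hop-by-hop only) until TCP is found; instruction 14
 * jumps back to 4 with k = (uint32_t)-11, the loop a kernel refuses to install. */
static const struct insn looping[] = {
    { 0x28, 0, 0, 12 },        /*  0: ldh [12] */
    { 0x15, 0, 14, 0x86dd },   /*  1: jeq #0x86dd  jf -> 16 */
    { 0x30, 0, 0, 20 },        /*  2: ldb [20]     A = next header of IPv6 header */
    { 0x01, 0, 0, 54 },        /*  3: ldx #54      X = start of first extension header */
    { 0x15, 10, 0, 6 },        /*  4: jeq #6       jt -> 15 (TCP found)   loop head */
    { 0x15, 0, 10, 0 },        /*  5: jeq #0       hop-by-hop? else -> 16 */
    { 0x50, 0, 0, 0 },         /*  6: ldb [x+0]    A = this header's next-header byte */
    { 0x02, 0, 0, 0 },         /*  7: st M[0]      save it */
    { 0x50, 0, 0, 1 },         /*  8: ldb [x+1]    A = hdr ext len (8-octet units) */
    { 0x04, 0, 0, 1 },         /*  9: add #1 */
    { 0x64, 0, 0, 3 },         /* 10: lsh #3       A = (len + 1) * 8 */
    { 0x0c, 0, 0, 0 },         /* 11: add x */
    { 0x07, 0, 0, 0 },         /* 12: tax          X = start of following header */
    { 0x60, 0, 0, 0 },         /* 13: ld M[0]      A = saved next header */
    { 0x05, 0, 0, 0xfffffff5 },/* 14: ja -11       back to 4 */
    { 0x06, 0, 0, 65535 },     /* 15: ret #65535 */
    { 0x06, 0, 0, 0 },         /* 16: ret #0 */
};
```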