> Thanks so much for the help on the bpf_optimize() question.
> I was using libpcap 0.5.2.  I downloaded current libpcap-2001-01-10 and
> it did seem to get better as I increased my filter rule, but now I get
> this error from libpcap in pcap_setfilter():
> 
> ERROR <BIOCSETF: Invalid argument> <errno: 22> 

At least in FreeBSD (and the code all comes from 4.4-Lite, so the other
BSDs are probably similar), BIOCSETF, which sets the filter on a given
BPF device to be a particular program, can return EINVAL if:

        1) the filter program has too many instructions;

        2) the filter program isn't legal (i.e., doesn't pass the
           validator).

At least in FreeBSD 3.4, the maximum number of instructions is 512, but:

> code[511]: BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 0x1e)
> code[512]: BPF_STMT(BPF_ALU|BPF_AND|BPF_K,0xffffff00)
> code[513]: BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0xa027800, 515, 514)
> code[514]: BPF_JUMP(BPF_JMP|BPF_JA, 1249)
> code[515]: BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 0x1a)
> code[516]: BPF_STMT(BPF_ALU|BPF_AND|BPF_K,0xffffff00)
> code[517]: BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0xc0a84a00, 521, 518)

there's a lot more than 512 instructions in the program.

I.e., the filter is probably too complex for the BPF code in the kernel
of whatever flavor of BSD you're running.

The Linux kernel packet filtering mechanism does similar checks; the
libpcap 0.6 code for Linux will, if it gets back an error on an attempt
to give the packet filter to the kernel, fall back on doing the
filtering in userland; if the error is anything other than "hey, you
forgot to configure the socket filter code into your kernel", it prints
a warning message.

Perhaps the BSD code should do the same.  (Printing the warning isn't
ideal, as it works for tty-based programs such as tcpdump and Tethereal,
but doesn't necessarily work for GUI programs, but, until we have a way
to return a warning indication from "pcap_setfilter()", it's all we can
do.)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
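
The two EINVAL causes listed in the message, and the decision to fall back to userland filtering, as an added example that is not part of the original message or of libpcap. The names `filter_precheck` and `use_kernel_filter` are hypothetical, the 512 limit is the FreeBSD 3.4 figure quoted above, and the validity test is a simplified check (jump targets in range, final instruction is a return), not the kernel's validator.

```c
#include <stddef.h>
#include <stdint.h>

/* Classic BPF instruction layout (same fields as struct bpf_insn). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define CLS(c)  ((c) & 0x07)    /* instruction class bits */
#define OP(c)   ((c) & 0xf0)    /* operation bits */
#define C_JMP   0x05
#define C_RET   0x06
#define OP_JA   0x00

#define MAX_INSNS 512           /* limit the message cites for FreeBSD 3.4 */

enum verdict { FILTER_OK, FILTER_TOO_LONG, FILTER_INVALID };

/* Simplified pre-check covering only the two EINVAL causes named above. */
enum verdict filter_precheck(const struct insn *f, size_t len)
{
    /* Assumption: an empty program is handled by the caller as "no filter". */
    if (len == 0) return FILTER_INVALID;
    if (len > MAX_INSNS) return FILTER_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        size_t room = len - i - 1;      /* instructions after this one */
        if (CLS(f[i].code) != C_JMP) continue;
        /* Jump offsets are relative to the next instruction. */
        if (OP(f[i].code) == OP_JA) {
            if (f[i].k >= room) return FILTER_INVALID;
        } else if (f[i].jt >= room || f[i].jf >= room) {
            return FILTER_INVALID;
        }
    }
    /* The program must end in a return so execution cannot run off the end. */
    return CLS(f[len - 1].code) == C_RET ? FILTER_OK : FILTER_INVALID;
}

/* 1 = hand the program to the kernel; 0 = filter in userland instead. */
int use_kernel_filter(const struct insn *f, size_t len)
{
    return filter_precheck(f, len) == FILTER_OK;
}
```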
