
Are Berkeley Packet Filter opcode values implementation defined?

I always thought of tcpdump/libpcap as authoritative in the BPF arena. I noticed that the Linux kernel and tcpdump read BPF filters differently. The BPF mnemonics and behavior are the same, but the actual opcode values themselves seem different. I went looking on the internets for "The Standard", but everything I've found only has mnemonics.

Crazy Chenz

1 Answer


No, other than instructions that some BPF interpreters/JITs support but others don't, they have the same binary values. Compare, for example, the current libpcap pcap/bpf.h with, at least, the Linux linux/bpf_common.h and linux/filter.h in the 3.19 kernel, and note the comment in linux/filter.h that reads:

/*
 *      Try and keep these values and structures similar to BSD, especially
 *      the BPF code definitions which need to match so you can share filters
 */

and the code in libpcap that uses the same compiler to generate BPF code for the Linux kernel, the *BSD/OS X/Solaris 11/etc. kernels, and the userland BPF interpreter, with only small code changes to deal with fetching packet metadata (rather than packet data).

  • Got it... I think I was looking at a bug then. I've been using a 3.1 kernel source tree. In there, there is a sk_run_filter() function that implements what appears to be BPF. The problem is that it uses an enum for opcodes instead of the CPP opcodes for its switch statements. In the enum cases, the opcodes do not match the CPP opcodes. But it appears that at some point this enum was removed. Just so happens I was using one of the few kernel sources with this junk code. The latest 2.6 kernel and 3.4+ kernel seem to have fixed/not have this issue. – Crazy Chenz Jun 08 '15 at 07:30
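Because the opcode encoding is shared, one decoder can read a classic BPF program whether it came from libpcap or was handed to the Linux kernel via SO_ATTACH_FILTER. The program below is an added illustration, not code from libpcap or the kernel: it restates the BPF_CLASS/BPF_SIZE/BPF_MODE/BPF_OP/BPF_SRC/BPF_RVAL field masks (assumption: copied from the shared definition so it builds without either header) and decodes a constructed four-instruction filter in the `tcpdump -dd` array format, the form that also fills a kernel `struct sock_filter`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field extractors for the classic BPF opcode. These masks are the ones
 * both pcap/bpf.h and linux/bpf_common.h define (assumption: restated here). */
#define BPF_CLASS(code) ((code) & 0x07)  /* LD=0 LDX=1 ST=2 STX=3 ALU=4 JMP=5 RET=6 MISC=7 */
#define BPF_SIZE(code)  ((code) & 0x18)  /* W=0x00 H=0x08 B=0x10 */
#define BPF_MODE(code)  ((code) & 0xe0)  /* IMM=0x00 ABS=0x20 IND=0x40 MEM=0x60 LEN=0x80 */
#define BPF_OP(code)    ((code) & 0xf0)  /* JA=0x00 JEQ=0x10 JGT=0x20 JGE=0x30 JSET=0x40 */
#define BPF_SRC(code)   ((code) & 0x08)  /* K=0x00 X=0x08 */
#define BPF_RVAL(code)  ((code) & 0x18)  /* K=0x00 A=0x10 */

/* Same layout as libpcap's struct bpf_insn and the kernel's struct sock_filter. */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Decode one instruction into buf and return it; unhandled forms print the raw code. */
const char *bpf_disasm(const struct bpf_insn *in, char *buf, size_t len)
{
    static const char *sz[] = { "w", "h", "b", "?" };
    static const char *jop[] = { "ja", "jeq", "jgt", "jge", "jset" };
    uint16_t c = in->code;
    unsigned k = (unsigned)in->k, op = BPF_OP(c) >> 4;
    switch (BPF_CLASS(c)) {
    case 0: /* BPF_LD: load packet data into the accumulator */
        if (BPF_MODE(c) == 0x20) snprintf(buf, len, "ld%s [%u]", sz[BPF_SIZE(c) >> 3], k);
        else if (BPF_MODE(c) == 0x40) snprintf(buf, len, "ld%s [x+%u]", sz[BPF_SIZE(c) >> 3], k);
        else if (BPF_MODE(c) == 0x00) snprintf(buf, len, "ld #0x%x", k);
        else snprintf(buf, len, "ld op 0x%02x", c);
        break;
    case 5: /* BPF_JMP: conditional branches carry jt/jf offsets */
        if (op == 0) snprintf(buf, len, "ja %u", k);
        else if (op <= 4 && BPF_SRC(c) == 0) snprintf(buf, len, "%s #0x%x jt %u jf %u", jop[op], k, in->jt, in->jf);
        else if (op <= 4) snprintf(buf, len, "%s x jt %u jf %u", jop[op], in->jt, in->jf);
        else snprintf(buf, len, "jmp op 0x%02x", c);
        break;
    case 6: /* BPF_RET: accept k bytes (or the accumulator) of the packet */
        if (BPF_RVAL(c) == 0x10) snprintf(buf, len, "ret a");
        else snprintf(buf, len, "ret #%u", k);
        break;
    default:
        snprintf(buf, len, "op 0x%02x", c);
    }
    return buf;
}

/* Constructed sample in `tcpdump -dd` form for the filter "ip" on Ethernet
 * (assumption: the values are what that command emits, retyped here). */
static const struct bpf_insn ip_filter[] = {
    { 0x28, 0, 0, 0x0000000c },  /* ldh [12]: EtherType field          */
    { 0x15, 0, 1, 0x00000800 },  /* jeq #0x800: IPv4? fall through/skip */
    { 0x06, 0, 0, 0x00040000 },  /* ret #262144: accept (snaplen bytes) */
    { 0x06, 0, 0, 0x00000000 },  /* ret #0: drop                        */
};
#define IP_FILTER_LEN (sizeof ip_filter / sizeof ip_filter[0])

int main(void)
{
    char buf[64];
    for (size_t i = 0; i < IP_FILTER_LEN; i++)
        printf("(%03zu) %s\n", i, bpf_disasm(&ip_filter[i], buf, sizeof buf));
    return 0;
}
```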