add a BPF_RND load location that provides a random value.

this will be used so a bpf filter can make a decision based on a
random number, which in turn will be used so a filter can perform
random sa

add a BPF_RND load location that provides a random value.

this will be used so a bpf filter can make a decision based on a
random number, which in turn will be used so a filter can perform
random sampling of packets rather than capturing all packets. random
sampling means that we don't have to figure out how to make bpf
coordinate multiple concurrent calls to do counter based sampling.

BPF_RND is currently backed with arc4random.

discussed with many including jmatthew@, alex wilson, claudio@,
sthen@, deraadt@, and tb@
ok kn@ tb@ jmatthew@

i call this extended bpf... xBPF.

show more ...

If you use sys/param.h, you don't need sys/types.h

Don't waste time zero'ing memory until there is some chance it might
be used.

Also noted by dlg@.

ok phessler@ mpi@

Kill some unsightly whitespace.

mark the bpf_mem ops as Static.

Static is a nop in _KERNEL, but is static in userland and therefore libpcap

mark the program and buffer as const in bpf_filter()

other projects have already done this, and there's software (eg,
gopacket) which now expects it.

based on a discussion with jasper@ and canacar@

mark the program and buffer as const in bpf_filter()

other projects have already done this, and there's software (eg,
gopacket) which now expects it.

based on a discussion with jasper@ and canacar@
ok jasper@

show more ...

refactor bpf_filter a bit.

the code was confusing around how it dealt with packets in mbufs
vs plain memory buffers with a lenght.

this renames bpf_filter to _bpf_filter, and changes it so the pack

refactor bpf_filter a bit.

the code was confusing around how it dealt with packets in mbufs
vs plain memory buffers with a lenght.

this renames bpf_filter to _bpf_filter, and changes it so the packet
memory is referred to by an opaque pointer, and callers have to
provide a set of operations to extra values from that opaque pointer.

bpf_filter is now provided as a wrapper around _bpf_filter. it
provides a set of operators that work on a straight buffer with a
lenght.

this also adds a bpf_mfilter function which takes an mbuf instead
of a buffer, and it provides explicit operations for extracting
values from mbufs.

if we want to use bpf filters against other data structures (usb
or scsi packets maybe?) we are able to provide functions for
extracting payloads from them and use _bpf_filter as is.

ok canacar@

show more ...

test mbuf pointers against NULL not 0
ok krw@ miod@

better boundchecks in validation; from Guy Harris; ok millert@ dlg@

ansify function declaration things.

ok mpi@ henning@ krw@

Unbreak userland as well, since bpf_filter.c is also used in libpcap.
Noticed by robert at openbsd pap st, thanks.

Unbreak previous commit by adding the proper header file.

Clear the filter memory area before using it. Leaving it uninitialized may
leak previous kernel stack contents through a malicioius BPF filter.
Reported by Dan Rosenberg via Alistair Crooks. ok deraa

Clear the filter memory area before using it. Leaving it uninitialized may
leak previous kernel stack contents through a malicioius BPF filter.
Reported by Dan Rosenberg via Alistair Crooks. ok deraadt@, krw@,
claudio@

show more ...

Fix validation of div by constant; from Guy Harris; ok deraadt@ miod@

Accept BPF_MUL as a valid instruction in bpf_validate() also improve
the comments. Based on diff from Guy Harris

Fix some "that that"s.

ok miod@ jmc@

Fix handling of errors wrt to MINDEX. From NetBSD bpf_filter 1.32;
ok henning@ deraadt@ canacar@

add missing break; now filters containing a division can pass
validation; from NetBSD; ok deraadt@

Avoid sign extend by casting to u_char *; from NetBSD via Guy Harris.
Also change another cast, for the sake of consistency, as prompted by djm@
ok deraadt@ djm@ canacar@

No part of the code defines UNALIGNED_ACCESS, use reverted tests for
__STRICT_ALIGNMENT instead.

Help pedro@ deraadt@, ok deraadt@

- make the k field in struct bpf_insn unsigned, as promised in the
manual page.
- more strict bpf code validation, preventing arbitrary kernel memory
read and writes.
Some help from frantzen@ and can

- make the k field in struct bpf_insn unsigned, as promised in the
manual page.
- more strict bpf code validation, preventing arbitrary kernel memory
read and writes.
Some help from frantzen@ and canacar@; testing jmc@ markus@;
ok canacar@ henning@ franzen@

show more ...

prevent backward jumps; pls@egsys.hu; ok canacar, deraadt

de-register. deraadt ok

add missing includes
ok tedu@

protos for userland build