add BIOCSETFNR, which is like BIOCSETF but doesnt reset the buffer or stats.

from Matthew Luckie <mjl@luckie.org.nz> via tech@
deraadt@ likes it.

Put checksum flags in bpf_hdr to use them in userland dhcpleased.

Thus, dhcpleased accept non-calculated checksums which were verified by
hardware/hypervisor.

With tweaks from dlg@

ok bluhm@
mkay

Put checksum flags in bpf_hdr to use them in userland dhcpleased.

Thus, dhcpleased accept non-calculated checksums which were verified by
hardware/hypervisor.

With tweaks from dlg@

ok bluhm@
mkay tobhe@

show more ...

add a timeout between capturing a packet and making the buffer readable.

before this, there were three reasons that a bpf read will finish.

the first is the obvious one: the bpf packet buffer in th

add a timeout between capturing a packet and making the buffer readable.

before this, there were three reasons that a bpf read will finish.

the first is the obvious one: the bpf packet buffer in the kernel
fills up. by default this is about 32k, so if you're only capturing
a small packet packet every few seconds, it can take a long time
for the buffer to fill up before you can read them.

the second is if bpf has been configured to enable immediate mode with
ioctl(BIOCIMMEDIATE). this means that when any packet is written into
the bpf buffer, the buffer is immediately readable. this is fine
if the packet rate is low, but if the packet rate is high you don't
get the benefit of buffering many packets that bpf is supposed to
provide.

the third mechanism is if bpf has been configured with the BIOCSRTIMEOUT
ioctl, which sets a maximum wait time on a bpf read. BIOCSRTIMEOUT
means than a clock starts ticking down when a program (eg pflogd)
reads from bpf. when the clock reaches zero then the read returns
with whatever is in the bpf packet buffer. however, there could be
nothing in the buffer, and the read will still complete.

deraadt@ noticed this behaviour with pflogd. it wants packets logged
by pf to end up on disk in a timely fashion, but it's fine with
tolerating a bit of delay so it can take advantatage of buffering
to amortise the cost of the reads per packet. it currently does
this with BIOCSRTIMEOUT set to half a second, which means it's
always waking up every half second even if there's nothing to log.

this diff adds BIOCSWTIMEOUT, which specifies a timeout from when
bpf first puts a packet in the capture buffer, and when the buffer
becomes readable.

by default this wait timeout is infinite, meaning the buffer has
to be filled before it becomes readable. BIOCSWTIMEOUT can be set
to enable the new functionality. BIOCIMMEDIATE is turned into a
variation of BIOCSWTIMEOUT with the wait time set to 0, ie, wait 0
seconds between when a packet is written to the buffer and when the
buffer becomes readable. combining BIOCSWTIMEOUT and
BIOCIMMEDIATE simplifies the code a lot.

for pflogd, this means if there are no packets to capture, pflogd
won't wake up every half second to do nothing. however, when a
packet is logged by pf, bpf will wait another half second to see
if any more packets arrive (or the buffer fills up) before the read
fires.

discussed a lot with deraadt@ and sashan@
ok sashan@

show more ...

add a BPF_RND load location that provides a random value.

this will be used so a bpf filter can make a decision based on a
random number, which in turn will be used so a filter can perform
random sa

add a BPF_RND load location that provides a random value.

this will be used so a bpf filter can make a decision based on a
random number, which in turn will be used so a filter can perform
random sampling of packets rather than capturing all packets. random
sampling means that we don't have to figure out how to make bpf
coordinate multiple concurrent calls to do counter based sampling.

BPF_RND is currently backed with arc4random.

discussed with many including jmatthew@, alex wilson, claudio@,
sthen@, deraadt@, and tb@
ok kn@ tb@ jmatthew@

i call this extended bpf... xBPF.

show more ...

extend the bpf_hdr struct to include some metadata if available.

the metadata is set if the mbuf is passed with an m_pktrhdr, and
copies the mbufs rcvif, priority, flowid. it also carries the
direct

extend the bpf_hdr struct to include some metadata if available.

the metadata is set if the mbuf is passed with an m_pktrhdr, and
copies the mbufs rcvif, priority, flowid. it also carries the
direction of the packet.

it also makes bpf_hdr a multiple of 4 bytes, which simplifies some
calculations a bit. it also requires no changes in userland because
libpcap just thinks the extra bytes in the header are padding and
skips over them to the payload.

this helps me verify things like whether the stack and a network
card agree about toeplitz hashes, and paves the way for doing more
interesting packet captures. being able to see where a packet came
from as it is leaving a machine is very useful.

ok mpi@

show more ...

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.

show more ...

make bpf_mtap_hdr take a const void *, not a caddr_t.

this makes it easier to call at least, and makes it consistent with
bpf_tap_hdr.

ok stsp@ sashan@

extend BIOCSFILDROP so it can be configured to not capture packets.

this just provides the macros for the different values for BIOCGFILDROP
and BIOCSFILDROP, the implementation behing them is coming

extend BIOCSFILDROP so it can be configured to not capture packets.

this just provides the macros for the different values for BIOCGFILDROP
and BIOCSFILDROP, the implementation behing them is coming.

ok sthen@ mikeb@ claudio@ visa@

show more ...

Add support for dumping USB transfers via bpf(4) using USBPcap headers.

ok deraadt@, dlg@

add bpf_tap_hdr(), for handling a buffer (not an mbuf) with a header.

internally it uses mbufs to handle the chain of buffers, but the
caller doesnt have to deal with that or allocate a temporary bu

add bpf_tap_hdr(), for handling a buffer (not an mbuf) with a header.

internally it uses mbufs to handle the chain of buffers, but the
caller doesnt have to deal with that or allocate a temporary buffer
with the header attached.

ok mpi@

show more ...

add support for bpf on "subsystems", not just network interfaces

bpf assumed that it was being unconditionally attached to network
interfaces, and maintained a pointer to a struct ifnet *. this was

add support for bpf on "subsystems", not just network interfaces

bpf assumed that it was being unconditionally attached to network
interfaces, and maintained a pointer to a struct ifnet *. this was
mostly used to get at the name of the interface, which is how
userland asks to be attached to a particular interface. this diff
adds a pointer to the name and uses it instead of the interface
pointer for these lookups. this in turn allows bpf to be attached
to arbitrary subsystems in the kernel which just have to supply a
name rather than an interface pointer. for example, bpf could be
attached to pf_test so you can see what packets are about to be
filtered. mpi@ is using this to look at usb transfers.

bpf still uses the interface pointer for bpfwrite, and for enabling
and disabling promisc. however, these are nopped out for subsystems.

ok mpi@

show more ...

The pcap people gave us ID 267 for DLT_OPENFLOW

Via https://github.com/the-tcpdump-group/libpcap/issues/542

OK sthen@ jsg@

Add DLT_USER1..15 with the same values as the upstream libpcap repository.
Suggested by reyk@ as a quick fix to unbreak ports/net/wireshark.

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@

add __BEGIN_DECLS/__END_DECLS to the public userland side of net/bpf.h,
so c++ programs can use them.

OK jca@

bpf_tap() is long dead! Long live bpf_mtap() & friends.

ok natano@ deraadt@

Remove #ifdef's for architectures of the past around SIZEOF_BPF_HDR
This is still a mess. Why don't we just clean this up?

make the bpf tap functions take const struct mbuf *

this makes it more obvious that the bpf code should only read
packets, never modify them.

now possible because the paths that care about M_FILDRO

make the bpf tap functions take const struct mbuf *

this makes it more obvious that the bpf code should only read
packets, never modify them.

now possible because the paths that care about M_FILDROP set it
after calling bpf_mtap.

ok mpi@ visa@ deraadt@

show more ...

mark the packet buffer in bpf_filter as bounded by the pktlen arg

ok guenther@

mark the program and buffer as const in bpf_filter()

other projects have already done this, and there's software (eg,
gopacket) which now expects it.

based on a discussion with jasper@ and canacar@

mark the program and buffer as const in bpf_filter()

other projects have already done this, and there's software (eg,
gopacket) which now expects it.

based on a discussion with jasper@ and canacar@
ok jasper@

show more ...

refactor bpf_filter a bit.

the code was confusing around how it dealt with packets in mbufs
vs plain memory buffers with a lenght.

this renames bpf_filter to _bpf_filter, and changes it so the pack

refactor bpf_filter a bit.

the code was confusing around how it dealt with packets in mbufs
vs plain memory buffers with a lenght.

this renames bpf_filter to _bpf_filter, and changes it so the packet
memory is referred to by an opaque pointer, and callers have to
provide a set of operations to extra values from that opaque pointer.

bpf_filter is now provided as a wrapper around _bpf_filter. it
provides a set of operators that work on a straight buffer with a
lenght.

this also adds a bpf_mfilter function which takes an mbuf instead
of a buffer, and it provides explicit operations for extracting
values from mbufs.

if we want to use bpf filters against other data structures (usb
or scsi packets maybe?) we are able to provide functions for
extracting payloads from them and use _bpf_filter as is.

ok canacar@

show more ...

BIOCGQUEUE and BIOCSQUEUE are no more

make bpf_mtap et al return whether the mbuf should be dropped

ok mpi@

remove __vax__

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get()

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.

Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

show more ...