lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Sun, 18 May 2014 11:26:46 -0700
From:	Guy Harris <>
To:	Guy Harris <>
Cc:	"David Laight" <David.Laight@...LAB.COM>,,
	Jay Schulist <>,
	Andi Kleen <>,,
	Eric Dumazet <>
Subject: Re: [tcpdump-workers] Modular arithmetic

On Sep 10, 2012, at 10:50 AM, Guy Harris <> wrote:

> On Sep 10, 2012, at 3:41 AM, "David Laight" <David.Laight@...LAB.COM> wrote:
>>>> What about the other OS - eg all the BSDs?
>>>> I had a vague idea that BPF was supposed to be reasonable portable.
>>> Yes, does it mean BPF is frozen ?
>>> Or is BSD so hard to update these days ?
>> Not really - but it some other places that need updating in order
>> to make this useful for cross-platform tools (like tcpdump).
>> The 'real fun (tm)' happens when NetBSD tries to run Linux binaries
>> that include the Linux libpcap.
> Additional fun happens when a Linux system with a kernel that doesn't have the mod instruction tries to run Linux binaries that include a Linux libpcap that generates code using the mod instruction; this is not a BSD-vs.-Linux issue, it's a "kernel that lacks the mod instruction vs. libpcap that generates code that includes the mod instruction" issue.
> BSD/OS X, Linux, Solaris, and the WinPcap driver need, if they adopt new BPF instructions, to have a mechanism by which libpcap (or anything else using BPF filtering) can inquire about the capabilities of the OS BPF interpreter; libpcap would use that to determine what code to generate if generating code for the in-kernel BPF interpreter.

In this particular case, there's no choice about what to generate - either you have mod and XOR instructions or you don't.

Furthermore, if the kernel rejects a particular BPF program, libpcap just falls back on filtering in userland, so we can support % and ^ operators in libpcap on all platforms, albeit with a performance hit on Linux prior to 3.7 and, currently, on other platforms.  I don't think there's anything inherently troublesome about BPF_MOD and BPF_XOR, so I'll file bugs against the various BSDs and OS X suggesting that they be added.

So I've checked in a change to libpcap to implement BPF_MOD and BPF_XOR and to add % and ^ operators (yes, the same zero-divide checks in bpf_validate() done for BPF_DIV are done for BPF_MOD, and the optimizer was updated to handle BPF_MOD like BPF_DIV and to handle BPF_XOR like BPF_OR).  The pcap-filter man page documents it, but warns that filters using them might be run in userland on pre-3.7 Linux and non-Linux platforms.--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists