Require a live capture for all Linux BPF extensions.

On Linux compiling a filter that includes "inbound", "outbound" or
"ifindex" for a pcap_t that was created using pcap_open_dead() produces
bytecode that uses BPF extensions if the DLT is not one of the known
DLTs:

$ filtertest RAW '(inbound and ifindex 1) or (outbound and ifindex 2)'
(000) ldh [type]
(001) jeq #0x4 jt 2 jf 4
(002) ld [ifidx]
(003) jeq #0x2 jt 6 jf 7
(004) ld [ifidx]
(005) jeq #0x1 jt 6 jf 7
(006) ret #262144
(007) ret #0

This is because both gen_ifindex() and gen_inbound_outbound() assume
that a live capture is equivalent to rfile == NULL, which is not true.
Fix this by using the logic that already works correctly for the "vlan"
keyword. Define a new flag for bpf_codegen_flags and set it in
setup_socket() (which is in the code path for a live capture only) if
any BPF extensions are available. Check for the flag in a new helper
function and use it instead of the incorrect rfile tests. Set the flag
in filtertest as well. Now pcap_compile() handles both cases correctly
on Linux:

$ filtertest RAW 'ifindex 1'
filtertest: ifindex not supported on Raw IP (not a live capture)
$ filtertest -l RAW 'ifindex 1'
(000) ld [ifidx]
(001) jeq #0x1 jt 2 jf 3
(002) ret #262144
(003) ret #0

Make two existing accept tests for "inbound" and "outbound" specific to
the extensions and add a similar test for "ifindex". Add more reject
tests to cover the three keywords on Linux w/o extensions and non-Linux
OSes separately.