From ee1c9973848d643813f15e29cd438528ad3ec1aa Mon Sep 17 00:00:00 2001 From: David Gwynne Date: Fri, 8 Apr 2016 03:49:17 +0000 Subject: document bpf_filter and bpf_mfilter --- share/man/man9/bpf_mtap.9 | 57 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 54 insertions(+), 3 deletions(-) (limited to 'share/man') diff --git a/share/man/man9/bpf_mtap.9 b/share/man/man9/bpf_mtap.9 index 6889cc12ed1..9cb118cdae4 100644 --- a/share/man/man9/bpf_mtap.9 +++ b/share/man/man9/bpf_mtap.9 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bpf_mtap.9,v 1.4 2016/03/29 10:40:13 dlg Exp $ +.\" $OpenBSD: bpf_mtap.9,v 1.5 2016/04/08 03:49:16 dlg Exp $ .\" .\" Copyright (c) 2016 David Gwynne .\" @@ -14,10 +14,12 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 29 2016 $ +.Dd $Mdocdate: April 8 2016 $ .Dt BPF_MTAP 9 .Os .Sh NAME +.Nm bpf_filter , +.Nm bpf_mfilter , .Nm bpf_tap , .Nm bpf_mtap , .Nm bpf_mtap_hdr , @@ -26,6 +28,19 @@ .Nd BPF kernel API .Sh SYNOPSIS .In net/bpf.h +.Ft u_int +.Fo bpf_filter +.Fa "const struct bpf_insn *pc" +.Fa "const u_char *pkt" +.Fa "u_int wirelen" +.Fa "u_int pktlen" +.Fc +.Ft u_int +.Fo bpf_mfilter +.Fa "const struct bpf_insn *pc" +.Fa "const struct mbuf *m" +.Fa "u_int wirelen" +.Fc .Ft int .Fn bpf_tap "caddr_t bpf" "u_char *pkt" "u_int pktlen" "u_int direction" .Ft int @@ -44,10 +59,30 @@ .Ft int .Fn bpf_mtap_ether "caddr_t bpf" "struct mbuf *m" "u_int direction" .Sh DESCRIPTION -The BPF kernel API provides incoming linkage from device drivers. +The BPF kernel API provides functions for evaluating BPF instructions +against packets, and incoming linkage from device drivers. A packet is parsed by the filters associated with each interface and, if accepted, stashed into the corresponding buffer. .Pp +.Fn bpf_filter +executes the BPF program referenced by +.Fa pc +against the packet buffer starting at +.Fa pkt +of +.Fa pktlen +bytes in length. +.Fa wirelen +is the length of the original packet on the wire. +.Pp +.Fn bpf_mfilter +executes the BPF program referenced by +.Fa pc +against the packet in the mbuf +.Fa m . +.Fa wirelen +is the length of the original packet on the wire. +.Pp .Fn bfp_tap runs the filters on the BPF interface referenced by .Fa bpf @@ -109,6 +144,12 @@ and m->m_pkthdr.pf.prio before matching occurs. .Sh CONTEXT +.Fn bpf_filter , +and +.Fn bpf_mfilter +can be called from process context, or from an interrupt context. +.Pp +.Fn bpf_mtap , .Fn bpf_tap , .Fn bpf_mtap , .Fn bpf_mtap_hdr , @@ -118,6 +159,16 @@ and can be called from process context, or from an interrupt context at or below .Dv IPL_NET . .Sh RETURN VALUES +.Fn bpf_filter , +and +.Fn bpf_mfilter +return -1 (cast to an unsigned integer) if the filter program is +.Dv NULL, +or the result of the filter program. +Filter programs should return the maximum number of bytes of the +packet to capture, or 0 if the packet does not match the filter +program. +.Pp .Fn bpf_tap , .Fn bpf_mtap , .Fn bpf_mtap_hdr , -- cgit v1.2.3