In some email I received from Jason R Thorpe, sie wrote:
> On Thu, May 03, 2001 at 10:01:18AM +1000, Darren Reed wrote:
>
> > > BPF "expressions" are literally BPF bytecodes.
> >
> > Well, one of the goals of IPFilter is it can parse (as rules) a textual
> > representation of what's currently loaded into the kernel. At the moment
> > that means collecting hex output, as the bytecode instructions are less
> > suited to being displayed all on the one line.
>
> For BPF bytecodes, that's problematic -- the optimizer often turns what
> you originally had into something almost totally non-decompilable :-)
Well, that's why I output hex, means I don't try decompile it. But only
because I don't want to have to parse this:
pass in { ld [12]; jeq #0x1020304; jt 4; jf 2; ld [16]; jeq #0x1020304; jt 4; jf 5;
ret #68; ret #0; }
although the current output would be this:
pass in { 0x0020000 0x0000000c 0x00150400 0x01020304 0x00200000 0x0000000e 0x00150001
0x01020304 0x00060000 0x00000068 0x00060000 0x00000000 }
That's using an original input of:
pass in { host 1.2.3.4 }
The output doesn't recognisably match the input, but it is a representation
and you could (if sadistic enough) write the rules using hex too.
I apologize if I didn't convey this in my original message, as was intended.
Darren
p.s the bytecodes might be wrong, this is just meant to be illustrative.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
