summaryrefslogtreecommitdiffstats
path: root/share/man/man4/bpf.4
Commit message (Collapse)AuthorAgeFilesLines
* MFC: r257287brueffer2013-11-111-7/+13
| | | | | | New sentence -> new line and some mdoc cleanup. Approved by: re (glebius)
* General mdoc(7) and typo fixes.gjb2012-05-121-2/+2
| | | | | | PR: 167776 Submitted by: Nobuyuki Koganemaru (kogane!jp.freebsd.org) MFC after: 3 days
* - Improve performace for writer-only BPF users.melifaro2012-04-061-4/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux and Solaris (at least OpenSolaris) has PF_PACKET socket families to send raw ethernet frames. The only FreeBSD interface that can be used to send raw frames is BPF. As a result, many programs like cdpd, lldpd, various dhcp stuff uses BPF only to send data. This leads us to the situation when software like cdpd, being run on high-traffic-volume interface significantly reduces overall performance since we have to acquire additional locks for every packet. Here we add sysctl that changes BPF behavior in the following way: If program came and opens BPF socket without explicitly specifyin read filter we assume it to be write-only and add it to special writer-only per-interface list. This makes bpf_peers_present() return 0, so no additional overhead is introduced. After filter is supplied, descriptor is added to original per-interface list permitting packets to be captured. Unfortunately, pcap_open_live() sets catch-all filter itself for the purpose of setting snap length. Fortunately, most programs explicitly sets (event catch-all) filter after that. tcpdump(1) is a good example. So a bit hackis approach is taken: we upgrade description only after second BIOCSETF is received. Sysctl is named net.bpf.optimize_writers and is turned off by default. - While here, document all sysctl variables in bpf.4 Sponsored by Yandex LLC Reviewed by: glebius (previous version) Reviewed by: silence on -net@ Approved by: (mentor) MFC after: 4 weeks
* Revert r228986 until it can be reworked to avoid panicing the kernel when thelstewart2011-12-311-65/+36
| | | | | | | same interface is attached multiple times with different DLTs, as is done in net80211 for example. Reported by: adrian
* - Introduce the net.bpf.tscfg sysctl tree and associated code so as to make onelstewart2011-12-301-36/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | aspect of time stamp configuration per interface rather than per BPF descriptor. Prior to this, the order in which BPF devices were opened and the per descriptor time stamp configuration settings could cause non-deterministic and unintended behaviour with respect to time stamping. With the new scheme, a BPF attached interface's tscfg sysctl entry can be set to "default", "none", "fast", "normal" or "external". Setting "default" means use the system default option (set with the net.bpf.tscfg.default sysctl), "none" means do not generate time stamps for tapped packets, "fast" means generate time stamps for tapped packets using a hz granularity system clock read, "normal" means generate time stamps for tapped packets using a full timecounter granularity system clock read and "external" (currently unimplemented) means use the time stamp provided with the packet from an underlying source. - Utilise the recently introduced sysclock_getsnapshot() and sysclock_snap2bintime() KPIs to ensure the system clock is only read once per packet, regardless of the number of BPF descriptors and time stamp formats requested. Use the per BPF attached interface time stamp configuration to control if sysclock_getsnapshot() is called and whether the system clock read is fast or normal. The per BPF descriptor time stamp configuration is then used to control how the system clock snapshot is converted to a bintime by sysclock_snap2bintime(). - Remove all FAST related BPF descriptor flag variants. Performing a "fast" read of the system clock is now controlled per BPF attached interface using the net.bpf.tscfg sysctl tree. - Update the bpf.4 man page. Committed on behalf of Julien Ridoux and Darryl Veitch from the University of Melbourne, Australia, as part of the FreeBSD Foundation funded "Feed-Forward Clock Synchronization Algorithms" project. For more information, see http://www.synclab.org/radclock/ In collaboration with: Julien Ridoux (jridoux at unimelb edu au)
* mdoc: drop redundant .Pp and .LP callsuqs2010-10-081-9/+0
| | | | They have no effect when coming in pairs, or before .Bl/.Bd
* Fix incorrect usage of 'assure' and 'insure'.brucec2010-08-281-1/+1
| | | | Approved by: rrs (mentor)
* Fix a bunch of typos and spelling mistakes.joel2010-07-311-2/+2
|
* Implement flexible BPF timestamping framework.jkim2010-06-151-8/+91
| | | | | | | | | | | | | | | | | | | | | | | | | | | - Allow setting format, resolution and accuracy of BPF time stamps per listener. Previously, we were only able to use microtime(9). Now we can set various resolutions and accuracies with ioctl(2) BIOCSTSTAMP command. Similarly, we can get the current resolution and accuracy with BIOCGTSTAMP command. Document all supported options in bpf(4) and their uses. - Introduce new time stamp 'struct bpf_ts' and header 'struct bpf_xhdr'. The new time stamp has both 64-bit second and fractional parts. bpf_xhdr has this time stamp instead of 'struct timeval' for bh_tstamp. The new structures let us use bh_tstamp of same size on both 32-bit and 64-bit platforms without adding additional shims for 32-bit binaries. On 64-bit platforms, size of BPF header does not change compared to bpf_hdr as its members are already all 64-bit long. On 32-bit platforms, the size may increase by 8 bytes. For backward compatibility, struct bpf_hdr with struct timeval is still the default header unless new time stamp format is explicitly requested. However, the behaviour may change in the future and all relevant code is wrapped around "#ifdef BURN_BRIDGES" for now. - Add experimental support for tagging mbufs with time stamps from a lower layer, e.g., device driver. Currently, mbuf_tags(9) is used to tag mbufs. The time stamps must be uptime in 'struct bintime' format as binuptime(9) and getbinuptime(9) do. Reviewed by: net@
* Bump __FreeBSD_version to 800043, because of the bpf(4) change.ed2008-08-131-5/+3
| | | | | | | | | | | | bpf(4) now uses cdevpriv to distinguish multiple file descriptors, where it used to be implemented using device cloning. Ports like libpcap properly detect the change in their configure scripts, but it doesn't hurt to increase __FreeBSD_version. While there, change the bpf(4) manual page to refer to /dev/bpf instead of /dev/bpfN. Requested by: mlaier
* Update man page for addition of BIOCSETFNR. Subversion didn't wantdwmalone2008-07-071-3/+12
| | | | to commit this at the same time for some reason.
* Maintain and observe a ZBUF_FLAG_IMMUTABLE flag on zero-copy BPFrwatson2008-04-071-8/+8
| | | | | | | | | | | | | | | | | | | | | | buffer kernel descriptors, which is used to allow the buffer currently in the BPF "store" position to be assigned to userspace when it fills, even if userspace hasn't acknowledged the buffer in the "hold" position yet. To implement this, notify the buffer model when a buffer becomes full, and check that the store buffer is writable, not just for it being full, before trying to append new packet data. Shared memory buffers will be assigned to userspace at most once per fill, be it in the store or in the hold position. This removes the restriction that at most one shared memory can by owned by userspace, reducing the chances that userspace will need to call select() after acknowledging one buffer in order to wait for the next buffer when under high load. This more fully realizes the goal of zero system calls in order to process a high-speed packet stream from BPF. Update bpf.4 to reflect that both buffers may be owned by userspace at once; caution against assuming this.
* Introduce support for zero-copy BPF buffering, which reduces thecsjp2008-03-241-15/+240
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | overhead of packet capture by allowing a user process to directly "loan" buffer memory to the kernel rather than using read(2) to explicitly copy data from kernel address space. The user process will issue new BPF ioctls to set the shared memory buffer mode and provide pointers to buffers and their size. The kernel then wires and maps the pages into kernel address space using sf_buf(9), which on supporting architectures will use the direct map region. The current "buffered" access mode remains the default, and support for zero-copy buffers must, for the time being, be explicitly enabled using a sysctl for the kernel to accept requests to use it. The kernel and user process synchronize use of the buffers with atomic operations, avoiding the need for system calls under load; the user process may use select()/poll()/kqueue() to manage blocking while waiting for network data if the user process is able to consume data faster than the kernel generates it. Patchs to libpcap are available to allow libpcap applications to transparently take advantage of this support. Detailed information on the new API may be found in bpf(4), including specific atomic operations and memory barriers required to synchronize buffer use safely. These changes modify the base BPF implementation to (roughly) abstrac the current buffer model, allowing the new shared memory model to be added, and add new monitoring statistics for netstat to print. The implementation, with the exception of some monitoring hanges that break the netstat monitoring ABI for BPF, will be MFC'd. Zerocopy bpf buffers are still considered experimental are disabled by default. To experiment with this new facility, adjust the net.bpf.zerocopy_enable sysctl variable to 1. Changes to libpcap will be made available as a patch for the time being, and further refinements to the implementation are expected. Sponsored by: Seccuris Inc. In collaboration with: rwatson Tested by: pwood, gallatin MFC after: 4 months [1] [1] Certain portions will probably not be MFCed, specifically things that can break the monitoring ABI.
* Add three new ioctl(2) commands for bpf(4).jkim2007-02-261-6/+40
| | | | | | | | | | | | | | | | | | | | | | - BIOCGDIRECTION and BIOCSDIRECTION get or set the setting determining whether incoming, outgoing, or all packets on the interface should be returned by BPF. Set to BPF_D_IN to see only incoming packets on the interface. Set to BPF_D_INOUT to see packets originating locally and remotely on the interface. Set to BPF_D_OUT to see only outgoing packets on the interface. This setting is initialized to BPF_D_INOUT by default. BIOCGSEESENT and BIOCSSEESENT are obsoleted by these but kept for backward compatibility. - BIOCFEEDBACK sets packet feedback mode. This allows injected packets to be fed back as input to the interface when output via the interface is successful. When BPF_D_INOUT direction is set, injected outgoing packet is not returned by BPF to avoid duplication. This flag is initialized to zero by default. Note that libpcap has been modified to support BPF_D_OUT direction for pcap_setdirection(3) and PCAP_D_OUT direction is functional now. Reviewed by: rwatson
* -mdoc sweep.ru2005-11-181-4/+12
|
* Add documentation for the BIOCLOCK and BIOCSETWF ioctl commands. Alsocsjp2005-08-231-1/+10
| | | | | | | modify the documentation for BIOCSETF to note that it sets the read filter. Pointed out by: simon
* Expand *n't contractions.ru2005-02-131-3/+3
|
* Sort sections.ru2005-01-211-27/+27
|
* (fast) ethernet -> (Fast) Ethernetbrueffer2004-12-211-1/+1
| | | | MFC after: 3 days
* Mechanically kill hard sentence breaks and double whitespaces.ru2004-07-031-108/+65
|
* Assorted markup, spelling, and grammar fixes.ru2004-06-161-1/+1
|
* Add a man page for the kernel part of bpf. I made some edits to thedwmalone2004-05-191-1/+2
| | | | | | | man page after Orla, so the mistakes are probably mine. Leave a note on the door welcoming the mdoc police. Submitted by: Orla McGann <orly@cnri.dit.ie>
* mdoc(7): Use the new feature of the .In macro.ru2003-09-081-7/+7
|
* Hiten's patchset for section four manpages, slightly edited by me.ru2003-06-281-43/+62
|
* Correct typo.dd2002-03-301-1/+1
| | | | | PR: 36544 Submitted by: dak@klemm.delta6.net
* mdoc(7) police: markup nit.ru2002-03-181-1/+3
|
* Add a bugs notice indicating that the SEESENT flag may behave incorrectlyrwatson2002-03-131-0/+5
| | | | | on interfaces with hardware loopback, and point-to-point interfaces (unclear why that is, may need to be tracked down).
* mdoc(7) police: s/BSD/.Bx/ where appropriate.ru2001-08-141-1/+3
|
* mdoc(7) police:ru2001-08-071-4/+2
| | | | | | | Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text. Not only this slows down the mdoc(7) processing significantly, but it also has an undesired (in this case) effect of disabling hyphenation within the entire enclosed block.
* bpf(4) hasn't used a static number of devices for over 2 years now, andjhb2001-07-191-5/+0
| | | | | | | | the SYNOPSIS hasn't had an example number of devices since rev 1.2 which was over 5 and a half years ago, so remove a sentence claiming that the example in the SYNOPSIS limited bpf to 16 devices. MFC after: 3 days
* mdoc(7) police: removed HISTORY info from the .Os call.ru2001-07-101-1/+1
|
* mdoc(7) police: remove extraneous .Pp before and/or after .Sh.dd2001-07-091-2/+0
|
* Remove duplicate words.dd2001-06-241-1/+1
|
* Correct cross-references:sobomax2001-06-051-1/+1
| | | | | | | | | | | | ng_bpf.8 --> ng_bpf.4 ng_ether.8 --> ng_ether.4 ng_iface.8 --> ng_iface.4 ng_pppoe.8 --> ng_pppoe.4 ng_socket.8 --> ng_socket.4 ng_tty.8 --> ng_tty.4 ng_{type}.4 --> /dev/null MFC after: 1 week
* pseudo-device -> device in kernel config lines. Removed whitespace at EOL.schweikh2001-05-011-40/+40
| | | | Reviewed by: joerg, dd
* mdoc(7) police: split punctuation characters + misc fixes.ru2001-02-011-3/+4
|
* Prepare for mdoc(7)NG.ru2000-12-291-21/+15
|
* mdoc(7) police: do not split author names in the AUTHORS section.ru2000-11-221-0/+1
|
* mdoc(7) police: use the new features of the Nm macro.ru2000-11-201-4/+4
|
* Introduce a new bd_seesent flag to the BPF descriptor, indicating whether orrwatson2000-03-181-0/+8
| | | | | | | | | | | | | | | | not the current BPF device should report locally generated packets or not. This allows sniffing applications to see only packets that are not generated locally, which can be useful for debugging bridging problems, or other situations where MAC addresses are not sufficient to identify locally sourced packets. Default to true for this flag, so as to provide existing behavior by default. Introduce two new ioctls, BIOCGSEESENT and BIOCSSEESENT, which may be used to manipulate this flag from userland, given appropriate privilege. Modify bpf.4 to document these two new ioctl arguments. Reviewed by: asmodai
* Add a reference to ng_bpf(8).archie2000-01-251-1/+2
|
* mdoc(7)'fyphantom1999-10-301-8/+19
|
* Document the use of pseudo_AF_HDRCMPLT with BPF.msmith1999-10-151-0/+8
|
* $Id$ -> $FreeBSD$peter1999-08-281-1/+1
|
* Rename bpfilter to bpf.des1999-07-061-2/+2
|
* Fix typo: if_name -> ifr_namedanny1999-01-101-3/+3
| | | | Submitted by: Casper <casper@acc.am>
* Back out previous commit. The bpfilter -> bpf transition will have to be ades1998-11-031-2/+2
| | | | flag day unless we can hack config(8) to smooth things over.
* Rename the 'bpfilter' pseudo-device to 'bpf'. The old syntax is still legaldes1998-11-031-2/+2
| | | | and will stick around for a while.
* Fix example in manual page.jkoshy1998-05-251-4/+4
| | | | | PR: 5443 Submitted by: AMAGAI Yoshiji <amagai@nue.org>
* .Sh AUTHOR -> .Sh AUTHORS according to mdoc specs.charnier1998-03-121-4/+5
| | | | Use .An/.Aq.
OpenPOWER on IntegriCloud