[netgraph] ng_bpf filter large list of IP addresses

Eugene Grosbein eugen at grosbein.net
Sat Mar 31 14:12:38 UTC 2018


31.03.2018 20:46, Reshad Patuck wrote:

[skip]

> Please let me know what I am doing wrong with the ngctl config file and if there is another way,
> maybe something more direct to load a binary bpf filter directly into ng_bpf.

[skip]

Please read the ngctl(8) manual page carefully. There are other ways.
First, you may move all arguments to ngctl from the command line to a file and run ngctl -f filename.
Second, as for many other utilities, you can use a dash (-) instead of a filename to make ngctl
read its arguments from standard input, e.g. this is the same as "ngctl ls":

# echo ls | ngctl -f -
There are 9 total nodes:
  Name: em0             Type: ether           ID: 00000001   Num hooks: 0

Then, for a shell script, you can use << such as:

#!/bin/sh

ngctl -f - << EOF
msg em1-bpf: setprogram $program
EOF

All these methods impose no limits on the size of such control messages.

However, there is a loader tunable net.graph.maxdgram that imposes another
limit on the size of the binary representation of a control message that ngctl passes to the kernel,
and you may need to increase it at some point. I increase it up to 8 megabytes for my purposes.
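
The $program text used in the here-document above can be generated from `tcpdump -ddd` output and piped straight into `ngctl -f -`. The following is an added example, not part of the original post: the function name, the hook names (in, match, nomatch) and the sample filter are assumptions; the message field names are those documented in ng_bpf(4).

```sh
#!/bin/sh
# Added example: convert `tcpdump -ddd` output on stdin into one ngctl
# command line suitable for `ngctl -f -` or `ngctl -f filename`.
# Usage: bpf_to_ngctl_msg NODE THISHOOK IFMATCH IFNOTMATCH
bpf_to_ngctl_msg() {
    node=$1 this=$2 match=$3 nomatch=$4
    # First line of -ddd output is the instruction count.
    read -r len || return 1
    case $len in ''|*[!0-9]*) echo "bad length line: $len" >&2; return 1 ;; esac
    prog="" n=0
    # Remaining lines are "code jt jf k" in decimal, one instruction each.
    while read -r code jt jf k; do
        [ -n "$code" ] || continue
        for f in "$code" "$jt" "$jf" "$k"; do
            case $f in ''|*[!0-9]*) echo "bad instruction $n" >&2; return 1 ;; esac
        done
        prog="$prog { code=$code jt=$jt jf=$jf k=$k }"
        n=$((n + 1))
    done
    # Refuse truncated or padded input instead of loading a broken filter.
    if [ "$n" -ne "$len" ]; then
        echo "expected $len instructions, got $n" >&2
        return 1
    fi
    printf 'msg %s setprogram { thisHook="%s" ifMatch="%s" ifNotMatch="%s" bpf_prog_len=%s bpf_prog=[%s ] }\n' \
        "$node" "$this" "$match" "$nomatch" "$len" "$prog"
}

# Constructed sample in `tcpdump -ddd` format (count, then code jt jf k).
sample='4
40 0 0 12
21 0 1 2048
6 0 0 262144
6 0 0 0'

# Hook names are hypothetical; em1-bpf: is the node name from the post.
# On FreeBSD, append "| ngctl -f -" to load the program into the node.
printf '%s\n' "$sample" | bpf_to_ngctl_msg em1-bpf: in match nomatch
```

With a real filter, replace the sample with the output of `tcpdump -ddd` for the desired expression; the generated line grows with the program, which is where the net.graph.maxdgram limit mentioned above becomes relevant.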

