Sometimes, depending on the bpf filter rules used in $PATTERN,
the example script of the manpage feeds awk(1) with values larger
than UINT32_MAX.  Then awk prints a negative value, and this
messes up $BPFPROG.  Trying to load the resulting bpf byte codes
with ngctl then fails.

For example, the output for PATTERN="udp and dst net 255.255.0.0/16"
should be (all in one line):

    bpf_prog_len=10
    bpf_prog=[
      { code=40 jt=0 jf=0 k=12 }
      { code=21 jt=7 jf=0 k=34525 }
      { code=21 jt=0 jf=6 k=2048 }
      { code=48 jt=0 jf=0 k=23 }
      { code=21 jt=0 jf=4 k=17 }
      { code=32 jt=0 jf=0 k=30 }
      { code=84 jt=0 jf=0 k=4294901760 }
      { code=21 jt=0 jf=1 k=4294901760 }
      { code=6 jt=0 jf=0 k=8192 }
      { code=6 jt=0 jf=0 k=0 }
    ]

The two k=4294901760 values are displayed as k=-2147483648 by awk.

Replace the awk script of the manpage example with a slower but
safer version, that doesn't really attempt to convert the byte
code printed by tcpdump from string to number and back.

PR:		docs/123255
Submitted by:	Eugenio Maffione, eugenio.maffione at telecomitalia.it
MFC after:	3 days
Giorgos Keramidas 2009-01-30 19:33:04 +00:00
parent 111a52201c
commit 7e7c1896a0

@ -156,21 +156,14 @@ INHOOK="hook1"
MATCHHOOK="hook2"
NOTMATCHHOOK="hook3"
cat > /tmp/bpf.awk << xxENDxx
{
if (!init) {
printf "bpf_prog_len=%d bpf_prog=[", \\$1;
init=1;
} else {
printf " { code=%d jt=%d jf=%d k=%d }", \\$1, \\$2, \\$3, \\$4;
}
}
END {
print " ]"
}
xxENDxx
BPFPROG=`tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk`
BPFPROG=$( tcpdump -s 8192 -ddd ${PATTERN} | \\
( read len ; \\
echo -n "bpf_prog_len=$len" ; \\
echo -n "bpf_prog=[" ; \\
while read code jt jf k ; do \\
echo -n " { code=$code jt=$jt jf=$jf k=$k }" ; \\
done ; \\
echo " ]" ) )
ngctl msg ${NODEPATH} setprogram { thisHook=\\"${INHOOK}\\" \\
ifMatch=\\"${MATCHHOOK}\\" \\
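Review bot: the replacement subshell drops the separator between the program length and the program array. `echo -n "bpf_prog_len=$len"` is followed directly by `echo -n "bpf_prog=["`, so the result starts with `bpf_prog_len=10bpf_prog=[`, whereas the removed awk script printed `bpf_prog_len=%d bpf_prog=[` with a space. Suggest `echo -n "bpf_prog_len=$len " ;` (or a leading space in the second string) so the string handed to `ngctl msg ... setprogram` keeps the two fields distinct. Two smaller points on the same lines: `echo -n` behaves differently across shells, so `printf` would be the more predictable choice for a manpage example that readers will copy, and `${PATTERN}` is expanded unquoted on the tcpdump command line, which is worth a short remark in the surrounding text since the filter expression is user-supplied. Passing `code`, `jt`, `jf` and `k` through as strings does address the signed `%d` conversion described in the commit message, and it also removes the fixed-name `/tmp/bpf.awk` scratch file.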