BPF - All your packets belong to me
Jun 27, 2015
My talk at the GPN 2014 about the Berkely Packet Filter and its internal assembler
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
xhr GPN 2014 2
BPF ?
xhr GPN 2014 3
tcpdump ?
xhr GPN 2014 4
NIC¯
Link-Layer Driver¯
Protocol Stack¯
Userland
Packet Flow
xhr GPN 2014 5
Smart Idea
xhr GPN 2014 6
NIC¯
Link-Layer Driver¯
Filter¯
Buffer¯
Userland
Packet Flow
xhr GPN 2014 7
BPF is rather old...McCanne. Jacobson.The BSD Packet Filter: A New Architecture for User-level Packet Capture. in USENIX. 1993.
xhr GPN 2014 8
Have you met ...
xhr GPN 2014 9
tcpdump -i eth0 ip6
That's the filter
xhr GPN 2014 10
0 ldh [12]1 jeq #0x86dd jt 2 jf 32 ret #655353 ret #0
Ethernet Protocol Type
0x86dd == IPv6
Accept Packet
Drop Packet
xhr GPN 2014 11
Linux got a BPF JIT in 2011
Check net/core/filter.c
xhr GPN 2014 12
Packet Filter only for Packets?
xhr GPN 2014 13
seccomp?
xhr GPN 2014 14
xhr GPN 2014 15
So, how does this work?
xhr GPN 2014 16
Attach a filter to a socket
xhr GPN 2014 17
[...]
struct sock_filter code[] = { { 0x28, 0, 0, 0x0000000c }, [...]};
struct sock_fprog bpf = {.len = ARRAY_SIZE(code),.filter = code,
};
sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
[...]
xhr GPN 2014 18
So, how can I use this?
xhr GPN 2014 19
Need for Space
xhr GPN 2014 20
A 32 bit wide accumulator
X 32 bit wide X register
M[] 16 x 32 bit "scratch memory"
xhr GPN 2014 21
Some Instructions
xhr GPN 2014 22
ld*
st*
j*
ret
$alu
Load Instructions
Store Instructions
Jumps
Return
ALU instructions
xhr GPN 2014 23
Hmm … k. IDE anyone?
xhr GPN 2014 24
tools/net/
bpf_asm
bpf_dbg
xhr GPN 2014 25
Demo
xhr GPN 2014 28
What now?
xhr GPN 2014 29
Packet Filtering
xhr GPN 2014 30
Can I haz xt_bpf, plz?
xhr GPN 2014 31
iptables -A <CHAIN> \-m bpf \--bytecode "…" \-j <TARGET>
xhr GPN 2014 32
And Why?
Because we can!!1
Full packet control
Fine grained filters
Related Documents
