bpf - all your packets belong to me
DESCRIPTION
My talk at the GPN 2014 about the Berkeley Packet Filter and its internal assembler
TRANSCRIPT
Slide 2 (xhr, GPN 2014)
BPF ?
Slide 3
tcpdump ?
Slide 4
Packet Flow
NIC → Link-Layer Driver → Protocol Stack → Userland
Slide 5
Smart Idea
Slide 6
Packet Flow
NIC → Link-Layer Driver → Filter → Buffer → Userland
Slide 7
BPF is rather old... McCanne, Jacobson. The BSD Packet Filter: A New Architecture for User-level Packet Capture. USENIX, 1993.
Slide 8
Have you met ...
Slide 9
tcpdump -i eth0 ip6
That's the filter
Slide 10
```
0 ldh [12]
1 jeq #0x86dd jt 2 jf 3
2 ret #65535
3 ret #0
```
ldh [12]: load the Ethernet Protocol Type
0x86dd == IPv6
ret #65535: Accept Packet
ret #0: Drop Packet
Slide 11
Linux got a BPF JIT in 2011
Check net/core/filter.c
Slide 12
Packet Filter only for Packets?
Slide 13
seccomp?
Slide 14
Slide 15
So, how does this work?
Slide 16
Attach a filter to a socket
Slide 17
```c
[...]
/* bpf_asm -c output of the ip6 filter from the listing above:
   ldh [12]; jeq #0x86dd jt 2 jf 3; ret #65535; ret #0 */
struct sock_filter code[] = {
    { 0x28, 0, 0, 0x0000000c },
    { 0x15, 0, 1, 0x000086dd },
    { 0x06, 0, 0, 0x0000ffff },
    { 0x06, 0, 0, 0x00000000 },
};
struct sock_fprog bpf = { .len = ARRAY_SIZE(code), .filter = code };
sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
[...]
```
Slide 18
So, how can I use this?
Slide 19
Need for Space
Slide 20
A 32 bit wide accumulator
X 32 bit wide X register
M[] 16 x 32 bit "scratch memory"
Slide 21
Some Instructions
Slide 22
ld*   Load Instructions
st*   Store Instructions
j*    Jumps
ret   Return
$alu  ALU instructions
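Added example, not from the talk: a small userland interpreter for the classic BPF subset the slides list (loads, stores, ALU ops, jumps, ret over A, X and M[]), running the ip6 filter from the earlier listing over two constructed Ethernet frames, so the filter's verdict can be seen without a raw socket. The names bpf_run, ip6_prog and the frame arrays are mine; struct sock_filter and the BPF_* macros come from linux/filter.h, so it builds on Linux.

```c
/* Userland interpreter for the classic BPF subset the talk lists (ld*, st*, ALU, j*, ret over
   A, X and M[]); added here to run the ip6 filter from the listing without a raw socket. */
#include <stdint.h>
#include <stddef.h>
#include <linux/filter.h>  /* struct sock_filter, BPF_STMT/BPF_JUMP and the BPF_* opcode macros */
/* The ip6 filter from the listing: ldh [12]; jeq #0x86dd jt 2 jf 3; ret #65535; ret #0 */
const struct sock_filter ip6_prog[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x86dd, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, 0xffff),
    BPF_STMT(BPF_RET | BPF_K, 0),
};
/* Constructed frames: 14-byte Ethernet header (dst, src, type) plus one payload byte. */
const uint8_t ipv6_frame[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x86,0xdd, 0x60 };
const uint8_t ipv4_frame[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x45 };
/* Run prog over pkt; returns the ret value (bytes to accept, 0 = drop). As in the kernel,
   an out-of-bounds load, an unsupported opcode or falling off the end drops the packet. */
uint32_t bpf_run(const struct sock_filter *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, M[BPF_MEMWORDS] = {0};   /* the registers from the slide above */
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        int op = BPF_OP(in->code), mode = BPF_MODE(in->code);
        uint32_t k = in->k, src = (BPF_SRC(in->code) == BPF_X) ? X : k;
        size_t sz = BPF_SIZE(in->code) == BPF_B ? 1 : BPF_SIZE(in->code) == BPF_H ? 2 : 4;
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:
            if (mode == BPF_IMM) { A = k; break; }                      /* ld #k   */
            if (mode == BPF_MEM) { A = M[k % BPF_MEMWORDS]; break; }    /* ld M[k] */
            if (mode != BPF_ABS || k > len || sz > len - k) return 0;   /* IND/MSH/LEN: unsupported */
            for (A = 0; sz--; k++) A = (A << 8) | pkt[k];              /* ld/ldh/ldb [k], big-endian */
            break;
        case BPF_LDX: X = (mode == BPF_MEM) ? M[k % BPF_MEMWORDS] : k; break;  /* ldx #k / ldx M[k] */
        case BPF_ST:  M[k % BPF_MEMWORDS] = A; break;
        case BPF_STX: M[k % BPF_MEMWORDS] = X; break;
        case BPF_ALU:
            if (op == BPF_ADD) A += src; else if (op == BPF_SUB) A -= src;
            else if (op == BPF_AND) A &= src; else if (op == BPF_OR) A |= src;
            else if (op == BPF_RSH) A >>= (src & 31); else return 0;
            break;
        case BPF_JMP:
            if (op == BPF_JA) { pc += k; break; }        /* the loop's pc++ supplies the +1 */
            pc += (op == BPF_JEQ ? A == src : op == BPF_JGT ? A > src : op == BPF_JGE ? A >= src
                   : (A & src) != 0) ? in->jt : in->jf;  /* last case is JSET, the only other classic jump */
            break;
        case BPF_RET: return (BPF_RVAL(in->code) == BPF_A) ? A : k;
        default: return 0;
        }
    }
    return 0;
}
```

A filter the kernel would run after SO_ATTACH_FILTER returns the same values here: 0xffff (accept the whole packet) for the IPv6 frame, 0 (drop) for the IPv4 frame and for a frame truncated before the type field.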
Slide 23
Hmm … k. IDE anyone?
Slide 24
tools/net/
bpf_asm
bpf_dbg
Slide 25
Demo
Slide 28
What now?
Slide 29
Packet Filtering
Slide 30
Can I haz xt_bpf, plz?
Slide 31
```
iptables -A <CHAIN> \
  -m bpf \
  --bytecode "…" \
  -j <TARGET>
```
Slide 32
And Why?
Because we can!!1
Full packet control
Fine grained filters