BPF - All your packets belong to me

BPF
All your Packets belong to Me
@_xhr_
xhr@giessen.ccc.de

xhr GPN 2014 4
NIC
¯
Link-Layer Driver
¯
Protocol Stack
¯
Userland
Packet Flow

xhr GPN 2014 6
NIC
¯
Link-Layer Driver
¯
Filter
¯
Buffer
¯
Userland
Packet Flow

xhr GPN 2014 7
BPF is rather old...
McCanne. Jacobson.The BSD Packet Filter:
A New Architecture for User-level Packet
Capture. in USENIX. 1993.

xhr GPN 2014 8
Have you met ...

xhr GPN 2014 9
tcpdump -i eth0 ip6
That's the filter

xhr GPN 2014 10
0 ldh [12]
1 jeq #0x86dd jt 2 jf 3
2 ret #65535
3 ret #0
Ethernet Protocol Type
0x86dd == IPv6
Accept Packet
Drop Packet

xhr GPN 2014 11
Linux got a BPF JIT in 2011
Check net/core/filter.c

xhr GPN 2014 12
Packet Filter only for
Packets?

xhr GPN 2014 15
So, how does this work?

xhr GPN 2014 16
Attach a filter to a socket

xhr GPN 2014 17
[...]
struct sock_filter code[] = {
{ 0x28, 0, 0, 0x0000000c },
[...]
};
struct sock_fprog bpf = {
.len = ARRAY_SIZE(code),
.filter = code,
};
sock = socket(PF_PACKET, SOCK_RAW,
htons(ETH_P_ALL));
ret = setsockopt(sock, SOL_SOCKET,
SO_ATTACH_FILTER, &bpf, sizeof(bpf));
[...]

xhr GPN 2014 18
So, how can I use this?

xhr GPN 2014 19
Need for Space

xhr GPN 2014 20
A 32 bit wide accumulator
X 32 bit wide X register
M[] 16 x 32 bit "scratch
memory"

xhr GPN 2014 21
Some Instructions

xhr GPN 2014 22
ld*
st*
j*
ret
$alu
Load Instructions
Store Instructions
Jumps
Return
ALU instructions

xhr GPN 2014 23
Hmm … k. IDE anyone?

xhr GPN 2014 24
tools/net/
bpf_asm
bpf_dbg

xhr GPN 2014 29
Packet Filtering

xhr GPN 2014 30
Can I haz xt_bpf, plz?

xhr GPN 2014 31
iptables -A <CHAIN>
-m bpf
--bytecode "…"
-j <TARGET>

xhr GPN 2014 32
And Why?
Because we can!!1
Full packet control
Fine grained filters

xhr GPN 2014 33
Q & A
xhr
xhr@giessen.ccc.de
@_xhr_

BPF - All your packets belong to me

More Related Content

What's hot

Viewers also liked

Similar to BPF - All your packets belong to me

Recently uploaded

BPF - All your packets belong to me