<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0062)http://www.geocities.com/marco_corvi/games/lkpe/socket/bpf.htm -->
<HTML><HEAD><TITLE>The network layer</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"><LINK
href="Network layer - BSD Packet Filter_file/style.css" rel=stylesheet>
<META content="MSHTML 6.00.2800.1170" name=GENERATOR></HEAD>
<BODY>
<H2>Network layer - BSD Packet Filter</H2>
<DIV>References:<BR>McCanne, S. and Jacobson, V., "The BSD Packet Filter: A New
Architecture for User-level Packet Capture". Proceedings of the 1993 Winter
USENIX Technical Conference, San Diego, CA. <BR></DIV><BR clear=all><BR
clear=all><BR clear=all>
<DIV>To attach a BPF filter to a socket, the kernel must have been compiled
with the CONFIG_FILTER option: the <CODE>sock_setsockopt</CODE> commands
SO_ATTACH_FILTER and SO_DETACH_FILTER are conditional on it (see
net/core/sock.c). Both act on the socket's <CODE>sock</CODE>. The first copies
the filter code from userspace into a temporary <CODE>sock_fprog</CODE> and
calls <CODE>sk_attach_filter</CODE>. The second sets the sock's
<CODE>filter</CODE> to NULL and calls <CODE>sk_filter_release</CODE> to free
the filter: this does some sock bookkeeping, and frees the filter if its
ref-count drops to 0 (see include/net/sock.h). </DIV>
<DIV>The filter structures are defined in include/linux/filter.h. An instruction
is stored in a <CODE>sock_filter</CODE> structure, which is exactly as described
in the paper: 16 bits of opcode, 8 bits of jump true, 8 of jump false, and 32
bits of multiuse field. A filter program <CODE>sock_fprog</CODE> is an array of
instructions: it contains the <CODE>len</CODE> of the filter and a pointer to
the instructions. Finally, a kernel <CODE>sk_filter</CODE> is a
<CODE>sock_fprog</CODE> with a <CODE>refcnt</CODE> prepended. </DIV>
<DIV>A number of macros are available to write BPF code. Two can be used to
write the filter statements,
<UL>
<LI>BPF_STMT( code, k ): initializer of a BPF statement;
<LI>BPF_JUMP( code, k, jt, jf): initializer of a BPF jump statement;
</LI></UL>The instruction codes are
<CENTER>
<TABLE cellPadding=2 border=1 cellSpacing=0>
<TBODY>
<TR>
<TD rowSpan=8>Instruction code</TD>
<TD>BPF_LD</TD>
<TD>load in A register</TD>
<TD>A = k, A = M[k], A = P[k], A = P[X+k]</TD></TR>
<TR>
<TD>BPF_LDX</TD>
<TD>load in X (index) register</TD>
<TD>X = k, X = M[k], X = len, X = 4*(P[k]&0xf)</TD></TR>
<TR>
<TD>BPF_ST</TD>
<TD>store A register in scratch memory</TD>
<TD>M[k] = A</TD></TR>
<TR>
<TD>BPF_STX</TD>
<TD>store X (index) register in scratch memory</TD>
<TD>M[k] = X</TD></TR>
<TR>
<TD>BPF_ALU</TD>
<TD>perform arithmetical operations</TD>
<TD>A = A+k, A = A-k, A = A*k, A = A/k, A = A&k, A = A|k, A =
A<<k, A = A>>k, A = A+X, A = A-X, A = A*X, ..., A = -A</TD></TR>
<TR>
<TD>BPF_JMP</TD>
<TD>jump instructions</TD>
<TD>...</TD></TR>
<TR>
<TD>BPF_RET</TD>
<TD>return the number of accepted bytes</TD>
<TD>ret A, ret k</TD></TR>
<TR>
<TD>BPF_MISC</TD>
<TD>miscellaneous instruction</TD>
<TD>X = A, A = X</TD></TR>
<TR>
<TD rowSpan=3>size</TD>
<TD>BPF_W</TD>
<TD>word (32 bits)</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_H</TD>
<TD>half-word (16 bits)</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_B</TD>
<TD>byte (8 bits)</TD>
<TD> </TD></TR>
<TR>
<TD rowSpan=6>addressing mode</TD>
<TD>BPF_IMM</TD>
<TD>constant</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_ABS</TD>
<TD>absolute packet offset</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_IND</TD>
<TD>relative packet offset</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_MEM</TD>
<TD>from scratch memory</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_LEN</TD>
<TD>packet length</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_MSH</TD>
<TD>...</TD>
<TD> </TD></TR>
<TR>
<TD rowSpan=9>arithmetical operations</TD>
<TD>BPF_ADD</TD>
<TD>addition</TD>
<TD>A = A + k, A = A + X</TD></TR>
<TR>
<TD>BPF_SUB</TD>
<TD>subtraction</TD>
<TD>A = A - k, A = A - X</TD></TR>
<TR>
<TD>BPF_MUL</TD>
<TD>multiplication</TD>
<TD>A = A * k, A = A * X</TD></TR>
<TR>
<TD>BPF_DIV</TD>
<TD>division</TD>
<TD>A = A / k, A = A / X</TD></TR>
<TR>
<TD>BPF_OR</TD>
<TD>bitwise or</TD>
<TD>A = A | k, A = A | X</TD></TR>
<TR>
<TD>BPF_AND</TD>
<TD>bitwise and</TD>
<TD>A = A & k, A = A & X</TD></TR>
<TR>
<TD>BPF_LSH</TD>
<TD>left shift</TD>
<TD>A = A << k, A = A << X</TD></TR>
<TR>
<TD>BPF_RSH</TD>
<TD>right shift</TD>
<TD>A = A >> k, A = A >> X</TD></TR>
<TR>
<TD>BPF_NEG</TD>
<TD>negative</TD>
<TD>A = - A</TD></TR>
<TR>
<TD rowSpan=5>jump instructions</TD>
<TD>BPF_JA</TD>
<TD>jump</TD>
<TD>pc += k</TD></TR>
<TR>
<TD>BPF_JEQ</TD>
<TD>jump if equal</TD>
<TD>pc += (A==k)? jt : jf<BR>pc += (A==X)? jt : jf</TD></TR>
<TR>
<TD>BPF_JGT</TD>
<TD>jump if greater</TD>
<TD>pc += (A>k)? jt : jf<BR>pc += (A>X)? jt : jf</TD></TR>
<TR>
<TD>BPF_JGE</TD>
<TD>jump if greater or equal</TD>
<TD>pc += (A>=k)? jt : jf<BR>pc += (A>=X)? jt : jf</TD></TR>
<TR>
<TD>BPF_JSET</TD>
<TD>jump if in set</TD>
<TD>pc += (A & k) ? jt : jf<BR>pc += (A & X) ? jt : jf</TD></TR>
<TR>
<TD rowSpan=3>registers</TD>
<TD>BPF_K</TD>
<TD>constant</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_X</TD>
<TD>index register</TD>
<TD> </TD></TR>
<TR>
<TD>BPF_A</TD>
<TD>accumulator register</TD>
<TD> </TD></TR>
<TR>
<TD rowSpan=2>exchange instructions</TD>
<TD>BPF_TAX</TD>
<TD>copy A into X</TD>
<TD>X = A</TD></TR>
<TR>
<TD>BPF_TXA</TD>
<TD>copy X into A</TD>
<TD>A = X</TD></TR></TBODY></TABLE></CENTER></DIV>
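<DIV>Instructions are composed by adding the pieces together: the instruction
code, optionally the size, and the addressing mode. <BR><PRE>struct bpf_insn insns[] = {
    /* A = EtherType: half-word at absolute offset 12 */
    BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
    /* equal: fall through (jt = 0); not equal: skip 3 instructions, to "ret 0" */
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3),
    /* A = ARP operation: half-word at absolute offset 20 */
    BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
    /* equal: fall through; not equal: skip 1 instruction, to "ret 0" */
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1),
    /* accept: return the size of the whole frame */
    BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) + sizeof(struct ether_header)),
    /* reject: accept 0 bytes */
    BPF_STMT(BPF_RET+BPF_K, 0),
};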
</PRE><BR></DIV><BR clear=all><FONT size=-1>Marco Corvi - 2003</FONT>
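<DIV>How the encoded fields drive execution, as an added example that is not
part of the original page: a minimal interpreter for just the three opcodes
used by the filter above, run over constructed frames. The opcode values are
local copies of the classic BPF encoding, and <CODE>struct insn</CODE>,
<CODE>run_filter</CODE> and <CODE>classify</CODE> are illustrative names.</DIV>

```c
#include <stdint.h>
#include <stdio.h>
/* Classic BPF encoding, values as in include/linux/filter.h; "insn" is a made-up name. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { BPF_LD = 0x00, BPF_JMP = 0x05, BPF_RET = 0x06,      /* instruction codes */
       BPF_H = 0x08, BPF_ABS = 0x20, BPF_JEQ = 0x10, BPF_K = 0x00 };
enum { ETHERTYPE_REVARP = 0x8035, REVARP_REQUEST = 3, FRAME_LEN = 42 }; /* 42 = 14 + 28 */
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (k) }

static const struct insn rarp_filter[] = {                 /* the page's program */
    BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3),
    BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1),
    BPF_STMT(BPF_RET+BPF_K, FRAME_LEN),
    BPF_STMT(BPF_RET+BPF_K, 0),
};

/* Interpret prog over pkt: returns the number of bytes accepted, 0 = drop. */
uint32_t run_filter(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t A = 0;                                        /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case BPF_LD + BPF_H + BPF_ABS:                     /* A = half-word at P[k] */
            if (i->k > len || len - i->k < 2) return 0;    /* load past end: drop */
            A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1]; break;
        case BPF_JMP + BPF_JEQ + BPF_K:                    /* offsets count from pc+1 */
            pc += (A == i->k) ? i->jt : i->jf; break;
        case BPF_RET + BPF_K: return i->k;
        default:              return 0;                    /* not modelled here: drop */
        }
    }
    return 0;                                              /* ran off the end: drop */
}

/* Constructed sample: a zeroed frame with only EtherType and ARP op filled in. */
uint32_t classify(uint16_t ethertype, uint16_t op, size_t len) {
    uint8_t f[FRAME_LEN] = {0};
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    f[20] = op >> 8;        f[21] = op & 0xff;
    if (len > FRAME_LEN) len = FRAME_LEN;                  /* never read past f[] */
    return run_filter(rarp_filter, sizeof rarp_filter / sizeof *rarp_filter, f, len);
}

int main(void) {
    printf("%u\n", (unsigned)classify(ETHERTYPE_REVARP, REVARP_REQUEST, FRAME_LEN));
    return 0;
}
```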
</BODY></HTML>