BPF ga ƙananan yara, ɓangaren sifili: BPF na al'ada

Berkeley Packet Filters (BPF) fasaha ce ta Linux kernel wacce ta kasance a kan shafukan farko na wallafe-wallafen fasahar harshen Ingilishi shekaru da yawa yanzu. Taruruka suna cike da rahotanni game da amfani da haɓaka BPF. David Miller, mai kula da tsarin cibiyar sadarwa na Linux, ya kira maganarsa a Linux Plumbers 2018 "Wannan magana ba game da XDP bane" (XDP shine shari'ar amfani guda ɗaya don BPF). Brendan Gregg ya ba da jawabi mai taken Linux BPF Superpowers. Toke Høiland-Jørgensen yayi dariyacewa kernel yanzu microkernel ne. Thomas Graf ya inganta ra'ayin cewa BPF shine javascript don kernel.

Har yanzu babu wani tsari na tsari na BPF akan Habré, sabili da haka a cikin jerin labaran zan yi ƙoƙarin yin magana game da tarihin fasaha, kwatanta gine-ginen gine-gine da kayan aikin ci gaba, da kuma fayyace wuraren aikace-aikace da aikace-aikacen yin amfani da BPF. Wannan labarin, sifili, a cikin jerin, yana ba da labari da tarihi da gine-gine na BPF na gargajiya, kuma yana bayyana sirrin ka'idodin aikinsa. tcpdump, seccomp, strace, da dai sauransu.

Ci gaban BPF yana sarrafawa ta hanyar sadarwar sadarwar Linux, manyan aikace-aikacen da ake da su na BPF suna da alaƙa da cibiyoyin sadarwa don haka, tare da izini. @eucariot, Na kira jerin "BPF ga ƙananan yara", don girmama babban jerin "Cibiyoyin sadarwa don ƙananan yara".

Wani ɗan gajeren hanya a cikin tarihin BPFc)

Fasahar BPF ta zamani ingantaccen sigar tsohuwar fasaha ce mai suna iri ɗaya, yanzu ana kiranta BPF na al'ada don guje wa rudani. An ƙirƙiri sanannen abin amfani bisa ga al'adar BPF tcpdump, inji seccomp, da kuma ƙananan sanannun kayayyaki xt_bpf to iptables da classifier cls_bpf. A cikin Linux na zamani, ana fassara shirye-shiryen BPF na yau da kullun ta atomatik zuwa sabon nau'i, duk da haka, daga mahangar mai amfani, API ɗin ya kasance a wurin kuma ana samun sabbin abubuwan amfani ga BPF na gargajiya, kamar yadda za mu gani a wannan labarin, har yanzu ana samun su. Saboda wannan dalili, da kuma saboda bin tarihin ci gaban BPF na gargajiya a cikin Linux, zai zama ƙarin haske game da yadda kuma dalilin da yasa ya samo asali zuwa tsarin zamani, na yanke shawarar farawa da labarin game da BPF na gargajiya.

A ƙarshen shekaru tamanin na ƙarni na ƙarshe, injiniyoyi daga sanannen dakin gwaje-gwaje na Lawrence Berkeley sun zama masu sha'awar tambayar yadda ake tace fakitin cibiyar sadarwa yadda yakamata akan kayan aikin zamani a ƙarshen tamanin na ƙarni na ƙarshe. Babban manufar tacewa, wanda aka fara aiwatar da shi a cikin fasahar CSPF (CMU/Stanford Packet Filter), shine tace fakitin da ba dole ba da wuri, watau. a cikin sararin kernel, tunda wannan yana guje wa kwafin bayanan da ba dole ba cikin sararin mai amfani. Don samar da tsaro na lokacin aiki don gudanar da lambar mai amfani a sararin kernel, an yi amfani da injin kama-da-wane mai yashi.

Koyaya, injunan kama-da-wane don masu tacewa an ƙera su don yin aiki akan injuna masu tarin yawa kuma basu yi aiki yadda yakamata akan sabbin injinan RISC ba. A sakamakon haka, ta hanyar kokarin injiniyoyi daga Berkeley Labs, da aka ɓullo da wani sabon BPF (Berkeley Packet Filters) fasaha da aka ɓullo da, da kama-da-wane inji gine wanda aka tsara bisa Motorola 6502 processor - da workhorse na irin wadannan sanannun kayayyakin. Apple II ko Nes. Sabuwar injin kama-da-wane ya haɓaka aikin tacewa sau goma idan aka kwatanta da hanyoyin da ake dasu.

BPF injin gine-gine

Za mu saba da gine-gine ta hanyar aiki, nazarin misalai. Koyaya, don farawa da, bari mu ce injin ɗin yana da rajista biyu na 32-bit waɗanda ke isa ga mai amfani, mai tarawa. A da kuma index rajista X, 64 bytes na ƙwaƙwalwar ajiya (kalmomi 16), akwai don rubutu da karatu na gaba, da ƙaramin tsarin umarni don aiki tare da waɗannan abubuwa. Hakanan ana samun umarnin tsalle don aiwatar da maganganun sharadi a cikin shirye-shiryen, amma don tabbatar da kammala shirin akan lokaci, tsalle-tsalle za a iya yin gaba kawai, watau, musamman, an hana ƙirƙirar madaukai.

Tsarin gaba ɗaya don fara injin shine kamar haka. Mai amfani ya ƙirƙira shirin don gine-ginen BPF da, ta amfani da wasu injin kernel (kamar tsarin kira), lodi da haɗa shirin zuwa ga wasu zuwa janareta na taron a cikin kernel (misali, wani taron shine zuwan fakiti na gaba akan katin sadarwar). Lokacin da wani abu ya faru, kernel yana gudanar da shirin (misali, a cikin mai fassara), kuma ƙwaƙwalwar na'ura ta yi daidai da ga wasu yankin ƙwaƙwalwar kernel (misali, bayanan fakiti mai shigowa).

Abin da ke sama zai ishe mu mu fara kallon misalai: za mu saba da tsarin da tsarin umarni kamar yadda ya cancanta. Idan kuna son yin nazarin tsarin umarni na injin kama-da-wane nan da nan kuma ku koyi game da duk iyawar sa, to zaku iya karanta ainihin labarin. Tace Fakitin BSD da/ko rabin farkon fayil ɗin Takaddun bayanai/cibiyar sadarwa/filter.txt daga takardun kernel. Bugu da ƙari, za ku iya nazarin gabatarwar libpcap: Hanyar Gine-gine da Ingantawa don ɗaukar fakiti, wanda McCanne, ɗaya daga cikin mawallafin BPF, yayi magana game da tarihin halitta libpcap.

Mun ci gaba don yin la'akari da duk mahimman misalan amfani da BPF na gargajiya akan Linux: tcpdump (libpcap), na biyu, xt_bpf, cls_bpf.

tppdump

An gudanar da ci gaban BPF a cikin layi daya tare da haɓaka gaban gaba don tace fakiti - sanannen mai amfani. tcpdump. Kuma, tun da yake wannan shine mafi tsufa kuma sanannen misali na yin amfani da BPF na gargajiya, wanda ake samu akan tsarin aiki da yawa, za mu fara nazarin fasahar da ita.

(Na gudanar da duk misalan a cikin wannan labarin akan Linux 5.6.0-rc6. An gyara fitar da wasu umarni don ingantaccen karatu.)

Misali: lura da fakitin IPv6

Bari mu yi tunanin cewa muna so mu kalli duk fakitin IPv6 akan hanyar sadarwa eth0. Don yin wannan za mu iya gudanar da shirin tcpdump da sauki tace ip6:

$ sudo tcpdump -i eth0 ip6

Kamar wancan tcpdump tace ip6 a cikin BPF architecture bytecode kuma aika shi zuwa kernel (duba cikakkun bayanai a cikin sashe Tcpdump: loading). Za a gudanar da tacewa da aka ɗora don kowane fakitin da ke wucewa ta hanyar sadarwa eth0. Idan tace ta dawo da ƙimar mara sifili n, sannan har zuwa n Za a kwafi bytes na fakitin zuwa sararin mai amfani kuma za mu gan shi a cikin fitarwa tcpdump.

Ya bayyana cewa a sauƙaƙe za mu iya gano ko wane bytecode aka aika zuwa kernel tcpdump tare da taimakon tcpdump, idan muka gudanar da shi tare da zabin -d:

$ sudo tcpdump -i eth0 -d ip6
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 3
(002) ret      #262144
(003) ret      #0

A kan sifilin layi muna gudanar da umarni ldh [12], wanda ke nufin “load into register A rabin kalma (16 bits) dake a address 12” kuma tambaya daya tilo ita ce wace irin memory muke magana? Amsar ita ce a x fara (x+1)th byte na fakitin hanyar sadarwa da aka tantance. Mun karanta fakiti daga cibiyar sadarwa ta Ethernet eth0kuma wannan yana nufincewa fakitin yayi kama da wannan (don sauƙi, muna ɗauka cewa babu alamun VLAN a cikin fakitin):

       6              6          2
|Destination MAC|Source MAC|Ether Type|...|

Don haka bayan aiwatar da umarnin ldh [12] a cikin rajista A za a yi filin Ether Type - nau'in fakitin da aka watsa a cikin wannan firam ɗin Ethernet. A kan layi na 1 muna kwatanta abubuwan da ke cikin rajista A (nau'in kunshin) c 0x86ddkuma wannan kuma akwai Nau'in da muke sha'awar shine IPv6. A layi na 1, ban da umarnin kwatanta, akwai ƙarin ginshiƙai guda biyu - jt 2 и jf 3 - alamomin da kuke buƙatar zuwa idan kwatancen ya yi nasara (A == 0x86dd) kuma bai yi nasara ba. Don haka, a cikin yanayin nasara (IPv6) za mu je layi na 2, kuma a cikin yanayin da bai yi nasara ba - zuwa layi na 3. A kan layi na 3 shirin ya ƙare tare da lambar 0 (kada ku kwafi fakitin), akan layi na 2 shirin ya ƙare tare da lambar. 262144 (kwafe ni iyakar kunshin kilobytes 256).

Misali mafi rikitarwa: muna kallon fakitin TCP ta tashar tashar jirgin ruwa

Bari mu ga yadda tacewa yayi kama da kwafin duk fakitin TCP tare da tashar tashar tashar 666. Za mu yi la'akari da shari'ar IPv4, tun da yanayin IPv6 ya fi sauƙi. Bayan nazarin wannan misalin, zaku iya bincika tacewar IPv6 da kanku azaman motsa jiki (ip6 and tcp dst port 666) da tacewa ga shari'ar gaba ɗaya (tcp dst port 666). Don haka, tacewa da muke sha'awar yayi kama da haka:

$ sudo tcpdump -i eth0 -d ip and tcp dst port 666
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldh      [x + 16]
(008) jeq      #0x29a           jt 9    jf 10
(009) ret      #262144
(010) ret      #0

Mun riga mun san abin da layukan 0 da 1 suke yi. A kan layi 2 mun riga mun bincika cewa wannan fakitin IPv4 ne (Nau'in Ether = 0x800) da kuma saka shi a cikin rajista A 24th byte na fakitin. Kunshin mu yayi kama

       14            8      1     1
|ethernet header|ip fields|ttl|protocol|...|

wanda ke nufin mu loda cikin rajista A filin Protocol na taken IP, wanda yake da ma'ana, saboda muna son kwafin fakitin TCP kawai. Muna kwatanta Protocol da 0x6 (IPPROTO_TCP) a layi 3.

A kan layi na 4 da 5 muna loda rabin kalmomin da ke a adireshin 20 kuma muna amfani da umarnin jset duba idan an saita ɗaya daga cikin ukun tutoci - sanye da abin rufe fuska da aka fitar jset an share manyan filaye uku mafi mahimmanci. Biyu daga cikin rago ukun suna gaya mana ko fakitin wani yanki ne na fakitin IP da aka ɓaɓɓe, kuma idan haka ne, ko guntuwar ƙarshe ce. An adana bit na uku kuma dole ne ya zama sifili. Ba ma son duba fakitin da ba su cika ko karye ba, don haka muna duba duk ragi uku.

Layi na 6 shine mafi ban sha'awa a cikin wannan jeri. Magana ldxb 4*([14]&0xf) yana nufin mu loda cikin rajista X mafi ƙarancin mahimmin ragi huɗu na byte na goma sha biyar na fakitin an ninka su da 4. Mafi ƙanƙanta mahimmin ragi huɗu na byte na sha biyar shine filin. Tsawon Shugaban Intanet IPv4 header, wanda ke adana tsawon rubutun cikin kalmomi, don haka kuna buƙatar ninka ta 4. Abin sha'awa, furcin. 4*([14]&0xf) nadi ne don tsarin tuntuɓar na musamman wanda za a iya amfani da shi kawai a cikin wannan fom kuma don rajista kawai X, i.e. mu ma ba za mu iya cewa ba ldb 4*([14]&0xf) ba kuma ldxb 5*([14]&0xf) (zamu iya ƙididdige wani biya daban kawai, misali, ldxb 4*([16]&0xf)). A bayyane yake cewa an ƙara wannan makircin magana zuwa BPF daidai don karɓa X (rajista index) IPv4 tsayin kai.

Don haka akan layi na 7 muna ƙoƙarin loda rabin kalma a (X+16). Tunawa da cewa 14 bytes suna shagaltar da kai ta Ethernet, kuma X ya ƙunshi tsayin taken IPv4, mun fahimci cewa a cikin A An ɗora wa tashar tashar jirgin ruwa ta TCP:

       14           X           2             2
|ethernet header|ip header|source port|destination port|

A ƙarshe, akan layi na 8 muna kwatanta tashar tashar jiragen ruwa tare da ƙimar da ake so kuma akan layi 9 ko 10 muna mayar da sakamakon - ko za a kwafi fakitin ko a'a.

Tcpdump: loading

A cikin misalan da suka gabata, musamman ba mu yi dalla-dalla kan yadda muke loda lambar BPF a cikin kernel don tace fakiti ba. Gabaɗaya magana, tcpdump ported zuwa yawancin tsarin kuma don aiki tare da masu tacewa tcpdump yana amfani da ɗakin karatu libpcap. A taƙaice, don sanya matattara a kan abin dubawa ta amfani da libpcap, kuna buƙatar yin waɗannan masu biyowa:

• ƙirƙirar nau'in siffantawa pcap_t daga sunan dubawa: pcap_create,
• kunna dubawa: pcap_activate,
• hada tace: pcap_compile,
• haɗa tace: pcap_setfilter.

Don ganin yadda aikin yake pcap_setfilter An aiwatar da shi a cikin Linux, muna amfani da shi strace (an cire wasu layukan):

$ sudo strace -f -e trace=%network tcpdump -p -i eth0 ip
socket(AF_PACKET, SOCK_RAW, 768)        = 3
bind(3, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ALL), sll_ifindex=if_nametoindex("eth0"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = 0
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, {len=4, filter=0xb00bb00bb00b}, 16) = 0
...

A kan layi biyu na farko na fitarwa muna ƙirƙirar danyen soket don karanta duk firam ɗin Ethernet kuma ku ɗaure shi zuwa wurin dubawa eth0... Daga misalin mu na farko mun san cewa tace ip zai ƙunshi umarnin BPF guda huɗu, kuma akan layi na uku mun ga yadda ake amfani da zaɓin SO_ATTACH_FILTER tsarin kira setsockopt muna lodawa da haɗa matattara mai tsayi 4. Wannan ita ce tacewa.

Shi ne ya kamata a lura da cewa a cikin classic BPF loading da a haɗa da tace ko da yaushe faruwa a matsayin atomic aiki, da kuma a cikin sabon version na BPF loading da shirin da kuma ɗaure shi zuwa taron janareta an rabu cikin lokaci.

Boyayyen Gaskiya

Cikakken cikakken sigar fitarwa yayi kama da haka:

$ sudo strace -f -e trace=%network tcpdump -p -i eth0 ip
socket(AF_PACKET, SOCK_RAW, 768)        = 3
bind(3, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ALL), sll_ifindex=if_nametoindex("eth0"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = 0
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, {len=1, filter=0xbeefbeefbeef}, 16) = 0
recvfrom(3, 0x7ffcad394257, 1, MSG_TRUNC, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, {len=4, filter=0xb00bb00bb00b}, 16) = 0
...

Kamar yadda aka ambata a sama, muna lodawa da haɗa matatar mu zuwa soket akan layi na 5, amma menene ya faru akan layi 3 da 4? Sai ya zama cewa wannan libpcap yana kula da mu - don kada abin da ke fitowa daga tacewar mu ya haɗa da fakitin da ba su gamsar da shi ba, ɗakin karatu haɗi dummy tace ret #0 (zubar da duk fakiti), yana canza soket zuwa yanayin da ba tare da toshewa ba kuma yana ƙoƙarin cire duk fakitin da za su iya zama daga masu tacewa a baya.

Gabaɗaya, don tace fakiti akan Linux ta amfani da BPF na yau da kullun, kuna buƙatar samun tacewa a cikin tsari kamar struct sock_fprog da buɗaɗɗen soket, bayan haka za a iya haɗa tacewa zuwa soket ta amfani da tsarin kira setsockopt.

Abin sha'awa, ana iya haɗa tacewa zuwa kowane soket, ba kawai danye ba. nan misali shirin da ke yanke duka sai dai baiti biyu na farko daga duk bayanan UDP masu shigowa. (Na ƙara sharhi a cikin lambar don kada in rikitar da labarin.)

Ƙarin bayani game da amfani setsockopt don haɗa masu tacewa, duba soka (7), amma game da rubuta naku tacewa kamar struct sock_fprog ba tare da taimako ba tcpdump za mu yi magana a cikin sashin Shirya BPF da hannayenmu.

Classic BPF da karni na XNUMX

An haɗa BPF a cikin Linux a cikin 1997 kuma ya kasance dokin aiki na dogon lokaci libpcap ba tare da wasu canje-canje na musamman ba (takamaiman canje-canje na Linux, ba shakka, Yana da aka, amma ba su canza hoton duniya ba). Alamun farko masu tsanani da BPF za su samo asali sun zo a cikin 2011, lokacin da Eric Dumazet ya ba da shawara faci, wanda ke ƙara Just In Time Compiler zuwa kernel - mai fassara don canza BPF bytecode zuwa ɗan ƙasa x86_64 lambar.

JIT compiler shine na farko a cikin jerin canje-canje: a cikin 2012 ya bayyana iya rubuta tacewa don sarkakiya, ta amfani da BPF, a cikin Janairu 2013 akwai ya kara da cewa koyaushe xt_bpf, wanda ke ba ka damar rubuta dokoki don iptables tare da taimakon BPF, kuma a cikin Oktoba 2013 ya kasance ya kara da cewa kuma module cls_bpf, wanda ke ba ka damar rubuta rabe-raben zirga-zirga ta amfani da BPF.

Za mu dubi dukan waɗannan misalan dalla-dalla nan ba da jimawa ba, amma da farko zai zama da amfani a gare mu mu koyi yadda ake rubutawa da kuma tattara shirye-shirye na son rai na BPF, tun da damar da ɗakin karatu ya bayar. libpcap iyakance (misali mai sauƙi: an samar da tace libpcap iya dawo da ƙima biyu kawai - 0 ko 0x40000) ko gabaɗaya, kamar yadda yake a cikin yanayin seccomp, ba a zartar ba.

Shirya BPF da hannayenmu

Bari mu saba da tsarin binary na umarnin BPF, abu ne mai sauqi:

   16    8    8     32
| code | jt | jf |  k  |

Kowane umarni ya ƙunshi 64 ragowa, wanda farkon 16 ragowa shine lambar koyarwa, sannan akwai indents guda takwas-bit guda biyu. jt и jf, da 32 bits don hujja K, dalilinsa ya bambanta daga umarni zuwa umarni. Misali, umarnin ret, wanda ya ƙare shirin yana da lambar 6, kuma ana ɗaukar ƙimar dawowa daga akai-akai K. A cikin C, umarnin BPF guda ɗaya ana wakilta azaman tsari

struct sock_filter {
        __u16   code;
        __u8    jt;
        __u8    jf;
        __u32   k;
}

kuma dukkan shirin yana cikin tsari ne

struct sock_fprog {
        unsigned short len;
        struct sock_filter *filter;
}

Don haka, za mu iya riga rubuta shirye-shirye (misali, mun san lambobin umarni daga [1]). Wannan shine yadda tace zatayi kama ip6 daga misalin mu na farko:

struct sock_filter code[] = {
        { 0x28, 0, 0, 0x0000000c },
        { 0x15, 0, 1, 0x000086dd },
        { 0x06, 0, 0, 0x00040000 },
        { 0x06, 0, 0, 0x00000000 },
};
struct sock_fprog prog = {
        .len = ARRAY_SIZE(code),
        .filter = code,
};

shirin prog za mu iya amfani da doka a cikin kira

setsockopt(sk, SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog))

Rubutun shirye-shirye a cikin nau'i na lambobin na'ura ba shi da matukar dacewa, amma wani lokacin ya zama dole (misali, don gyara kuskure, ƙirƙirar gwaje-gwajen naúrar, rubuta labarai akan Habré, da sauransu). Don saukakawa, a cikin fayil <linux/filter.h> An ayyana macro masu taimako - misali ɗaya kamar na sama ana iya sake rubutawa kamar

struct sock_filter code[] = {
        BPF_STMT(BPF_LD|BPF_H|BPF_ABS, 12),
        BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, ETH_P_IPV6, 0, 1),
        BPF_STMT(BPF_RET|BPF_K, 0x00040000),
        BPF_STMT(BPF_RET|BPF_K, 0),
}

Koyaya, wannan zaɓin bai dace sosai ba. Wannan shine abin da masu shirye-shiryen kernel na Linux suka yi tunani, don haka a cikin kundin adireshi tools/bpf kernels za ku iya nemo mai haɗawa da mai gyara don aiki tare da BPF na al'ada.

Harshen taro yana kama da fitowar gyara kuskure tcpdump, amma ƙari za mu iya ƙididdige alamun alama. Misali, ga shirin da ke sauke duk fakiti ban da TCP/IPv4:

$ cat /tmp/tcp-over-ipv4.bpf
ldh [12]
jne #0x800, drop
ldb [23]
jneq #6, drop
ret #-1
drop: ret #0

Ta hanyar tsoho, mai tarawa yana samar da lamba a cikin tsari <количество инструкций>,<code1> <jt1> <jf1> <k1>,..., ga misalinmu tare da TCP zai kasance

$ tools/bpf/bpf_asm /tmp/tcp-over-ipv4.bpf
6,40 0 0 12,21 0 3 2048,48 0 0 23,21 0 1 6,6 0 0 4294967295,6 0 0 0,

Don dacewa da masu shirye-shiryen C, ana iya amfani da tsarin fitarwa daban-daban:

$ tools/bpf/bpf_asm -c /tmp/tcp-over-ipv4.bpf
{ 0x28,  0,  0, 0x0000000c },
{ 0x15,  0,  3, 0x00000800 },
{ 0x30,  0,  0, 0x00000017 },
{ 0x15,  0,  1, 0x00000006 },
{ 0x06,  0,  0, 0xffffffff },
{ 0x06,  0,  0, 0000000000 },

Ana iya kwafi wannan rubutu cikin ma'anar tsarin nau'in struct sock_filter, kamar yadda muka yi a farkon wannan sashe.

Linux da netsniff-ng kari

Baya ga daidaitattun BPF, Linux da tools/bpf/bpf_asm goyon baya da saitin da ba daidai ba. Ainihin, ana amfani da umarni don shiga cikin filayen tsari struct sk_buff, wanda ke bayyana fakitin hanyar sadarwa a cikin kernel. Koyaya, akwai kuma wasu nau'ikan umarnin taimako, misali ldw cpu zai loda cikin rajista A sakamakon gudanar da aikin kwaya raw_smp_processor_id(). (A cikin sabon nau'in BPF, waɗannan abubuwan haɓakawa marasa daidaituwa an ƙara su don samar da shirye-shirye tare da saiti na mataimakan kernel don samun damar ƙwaƙwalwar ajiya, tsari, da samar da abubuwan da suka faru.) Ga misali mai ban sha'awa na tacewa wanda muke kwafi kawai fakitin buga kai zuwa sararin mai amfani ta amfani da tsawo poff, biya diyya:

ld poff
ret a

Ba za a iya amfani da kari na BPF a ciki ba tcpdump, amma wannan dalili ne mai kyau don sanin fakitin kayan aiki netsniff-ng, wanda, a tsakanin sauran abubuwa, ya ƙunshi ci-gaba shirin netsniff-ng, wanda, ban da tacewa ta amfani da BPF, kuma ya ƙunshi ingantaccen janareta na zirga-zirga, kuma ya fi ci gaba tools/bpf/bpf_asm, mai tarawa BPF da ake kira bpfc. Kunshin ya ƙunshi cikakkun bayanai dalla-dalla, duba kuma hanyoyin haɗin gwiwa a ƙarshen labarin.

sarkakiya

Don haka, mun riga mun san yadda ake rubuta shirye-shiryen BPF na rikice-rikice na sabani kuma muna shirye don duba sabbin misalai, na farko wanda shine fasahar seccomp, wanda ke ba da izini, ta amfani da matattarar BPF, don sarrafa saiti da saiti na muhawarar kiran tsarin da ke akwai don tsarin da aka bayar da zuriyarsa.

An ƙara sigar farko ta seccomp a cikin kernel a cikin 2005 kuma ba ta shahara sosai ba, tunda ta ba da zaɓi ɗaya kawai - don iyakance saitin tsarin kiran da ake samu don tsari zuwa masu zuwa: read, write, exit и sigreturn, kuma an kashe tsarin da ya saba wa ka'idoji ta amfani da shi SIGKILL. Koyaya, a cikin 2012, seccomp ya kara da ikon yin amfani da matattarar BPF, yana ba ku damar ayyana saitin tsarin kiran tsarin da aka yarda har ma da yin bincike kan mahawararsu. (Abin sha'awa, Chrome yana ɗaya daga cikin masu amfani da wannan aikin na farko, kuma mutanen Chrome a halin yanzu suna haɓaka tsarin KRSI dangane da sabon sigar BPF da ƙyale gyare-gyaren Modulolin Tsaro na Linux.) Ana iya samun hanyoyin haɗi zuwa ƙarin takaddun bayanai a ƙarshe. na labarin.

Yi la'akari da cewa an riga an sami labaran kan cibiya game da amfani da seccomp, watakila wani zai so ya karanta su kafin (ko maimakon) karanta ƙananan sashe na gaba. A cikin labarin Kwantena da tsaro: seccomp yana ba da misalai na yin amfani da seccomp, duka nau'in 2007 da sigar ta amfani da BPF (an samar da masu tacewa ta amfani da libseccomp), yayi magana game da haɗin seccomp tare da Docker, kuma yana ba da alaƙa masu amfani da yawa. A cikin labarin Ware daemons tare da tsarin ko "ba kwa buƙatar Docker don wannan!" Ya ƙunshi, musamman, yadda ake ƙara baƙar fata ko jerin jerin sunayen kira na tsarin daemon da ke gudana systemd.

Na gaba za mu ga yadda ake rubutawa da loda matattara don seccomp a bare C da kuma amfani da ɗakin karatu libseccomp kuma menene riba da rashin amfani na kowane zaɓi, kuma a ƙarshe, bari mu ga yadda shirin ke amfani da seccomp strace.

Rubuce-rubuce da ɗora matattara don seccomp

Mun riga mun san yadda ake rubuta shirye-shiryen BPF, don haka bari mu fara duba hanyar haɗin shirye-shiryen seccomp. Kuna iya saita tacewa a matakin tsari, kuma duk matakan yara zasu gaji hane-hane. Ana yin wannan ta amfani da tsarin kira seccomp(2):

seccomp(SECCOMP_SET_MODE_FILTER, flags, &filter)

inda &filter - wannan nuni ne ga tsarin da muka saba da shi struct sock_fprog, i.e. Farashin BPF.

Ta yaya shirye-shirye na seccomp ya bambanta da shirye-shirye don soket? mahallin da aka watsa. A wajen kwasfa, an ba mu wurin ma’adana da ke dauke da fakitin, sannan a bangaren seccomp an yi mana tsari kamar haka.

struct seccomp_data {
    int   nr;
    __u32 arch;
    __u64 instruction_pointer;
    __u64 args[6];
};

Yana da nr shine lambar kiran tsarin da za a kaddamar, arch - gine-gine na yanzu (ƙari akan wannan a ƙasa), args - har zuwa shida tsarin kira muhawara, kuma instruction_pointer mai nuni ne ga umarnin sararin mai amfani wanda ya yi kiran tsarin. Don haka, alal misali, don loda lambar kiran tsarin cikin rajista A sai mu ce

ldw [0]

Akwai wasu fasalulluka don shirye-shiryen seccomp, alal misali, mahallin za a iya isa gare shi ta hanyar daidaitawa-bit 32 kawai kuma ba za ku iya loda rabin kalma ko byte ba - lokacin ƙoƙarin loda tacewa. ldh [0] tsarin kira seccomp zai dawo EINVAL. Aikin yana duba matatar da aka ɗora seccomp_check_filter() kwaya. (Abin ban dariya shi ne, a cikin ainihin alƙawarin da ya ƙara aikin seccomp, sun manta da ƙara izini don amfani da umarnin zuwa wannan aikin. mod (sauran rabo) kuma yanzu babu shi don shirye-shiryen BPF na biyu, tunda ƙari zai karye ABI.)

Ainihin, mun riga mun san komai don rubutawa da karanta shirye-shiryen seccomp. Yawancin lokaci dabaru na shirin ana shirya su azaman fari ko baƙar fata jerin kiran tsarin, misali shirin

ld [0]
jeq #304, bad
jeq #176, bad
jeq #239, bad
jeq #279, bad
good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
bad: ret #0

duba jerin baƙaƙe na tsarin kira huɗu masu lamba 304, 176, 239, 279. Menene waɗannan kiran tsarin? Ba za mu iya cewa tabbas ba, tunda ba mu san wane irin gine-gine aka rubuta shirin ba. Saboda haka, mawallafa na seccomp bayar fara duk shirye-shirye tare da binciken gine-gine (ana nuna gine-gine na yanzu a cikin mahallin a matsayin filin arch Tsarin struct seccomp_data). Tare da binciken gine-gine, farkon misalin zai yi kama da:

ld [4]
jne #0xc000003e, bad_arch ; SCMP_ARCH_X86_64

sannan lambobin kiran tsarin mu zasu sami wasu dabi'u.

Muna rubutawa kuma muna ɗaukar matattara don amfani da seccomp libseccomp

Rubutun tacewa a cikin lambar asali ko a cikin taron BPF yana ba ku damar samun cikakken iko akan sakamakon, amma a lokaci guda, wani lokacin ya fi dacewa a sami lambar šaukuwa da/ko karantawa. Laburaren zai taimake mu da wannan libseccomp, wanda ke ba da daidaitaccen dubawa don rubuta baƙar fata ko fari.

Bari mu, alal misali, rubuta shirin da ke gudanar da fayil ɗin binary na zaɓin mai amfani, bayan shigar da baƙar fata jerin kira na tsarin a baya. labarin da ke sama (an sauƙaƙa shirin don ƙarin karantawa, ana iya samun cikakken sigar a nan):

#include <seccomp.h>
#include <unistd.h>
#include <err.h>

static int sys_numbers[] = {
        __NR_mount,
        __NR_umount2,
       // ... еще 40 системных вызовов ...
        __NR_vmsplice,
        __NR_perf_event_open,
};

int main(int argc, char **argv)
{
        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);

        for (size_t i = 0; i < sizeof(sys_numbers)/sizeof(sys_numbers[0]); i++)
                seccomp_rule_add(ctx, SCMP_ACT_TRAP, sys_numbers[i], 0);

        seccomp_load(ctx);

        execvp(argv[1], &argv[1]);
        err(1, "execlp: %s", argv[1]);
}

Da farko za mu ayyana tsararru sys_numbers na lambobin tsarin kira 40+ don toshewa. Sa'an nan, fara mahallin ctx kuma ku gaya wa ɗakin karatu abin da muke so mu ƙyale (SCMP_ACT_ALLOW) duk kiran tsarin ta tsohuwa (yana da sauƙin gina baƙar fata). Sa'an nan, daya bayan daya, mu ƙara duk tsarin kira daga blacklist. Don amsa kiran tsarin daga lissafin, muna buƙatar SCMP_ACT_TRAP, a wannan yanayin seccomp zai aika da sigina zuwa tsari SIGSYS tare da bayanin wane kira tsarin ya keta ka'idoji. A ƙarshe, muna loda shirin a cikin kwaya ta amfani da seccomp_load, wanda zai tattara shirin kuma ya haɗa shi zuwa tsarin ta amfani da tsarin kira seccomp(2).

Domin samun nasarar haɗawa, dole ne a haɗa shirin tare da ɗakin karatu libseccomp, alal misali:

cc -std=c17 -Wall -Wextra -c -o seccomp_lib.o seccomp_lib.c
cc -o seccomp_lib seccomp_lib.o -lseccomp

Misalin ƙaddamar da nasara:

$ ./seccomp_lib echo ok
ok

Misalin kiran tsarin da aka katange:

$ sudo ./seccomp_lib mount -t bpf bpf /tmp
Bad system call

Muna amfani stracedon cikakkun bayanai:

$ sudo strace -e seccomp ./seccomp_lib mount -t bpf bpf /tmp
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=50, filter=0x55d8e78428e0}) = 0
--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0xboobdeadbeef, si_syscall=__NR_mount, si_arch=AUDIT_ARCH_X86_64} ---
+++ killed by SIGSYS (core dumped) +++
Bad system call

ta yaya za mu san cewa an dakatar da shirin saboda amfani da kiran tsarin da ba bisa ka'ida ba mount(2).

Don haka, mun rubuta tace ta amfani da ɗakin karatu libseccomp, daidaita lambar da ba maras muhimmanci ba zuwa layi hudu. A cikin misalin da ke sama, idan akwai adadi mai yawa na kiran tsarin, za a iya rage lokacin aiwatarwa sosai, tun da rajistan kawai jerin kwatancen ne. Don ingantawa, libseccomp kwanan nan ya samu faci hada, wanda ke ƙara goyon baya ga sifa ta tace SCMP_FLTATR_CTL_OPTIMIZE. Saita wannan sifa zuwa 2 zai canza tacewa zuwa shirin bincike na binary.

Idan kana son ganin yadda masu tace binciken binary ke aiki, duba sauki rubutun, wanda ke haifar da irin waɗannan shirye-shirye a cikin mai haɗa BPF ta hanyar buga lambobin kiran tsarin, misali:

$ echo 1 3 6 8 13 | ./generate_bin_search_bpf.py
ld [0]
jeq #6, bad
jgt #6, check8
jeq #1, bad
jeq #3, bad
ret #0x7fff0000
check8:
jeq #8, bad
jeq #13, bad
ret #0x7fff0000
bad: ret #0

Ba za ku iya rubuta wani abu cikin sauri ba, tunda shirye-shiryen BPF ba za su iya yin tsalle-tsalle ba (ba za mu iya yi ba, misali, jmp A ko jmp [label+X]) sabili da haka duk sauye-sauye suna nan tsaye.

seccomp da strace

Kowa ya san amfanin strace kayan aiki ne da ba makawa don nazarin halayen matakai akan Linux. Duk da haka, da yawa kuma sun ji labarin al'amurran da suka shafi aiki lokacin amfani da wannan kayan aiki. Gaskiyar ita ce strace aiwatar da amfani ptrace(2), kuma a cikin wannan tsarin ba za mu iya ƙayyade abin da saitin tsarin kira muke buƙatar dakatar da tsarin ba, watau, alal misali, umarni.

$ time strace du /usr/share/ >/dev/null 2>&1

real    0m3.081s
user    0m0.531s
sys     0m2.073s

и

$ time strace -e open du /usr/share/ >/dev/null 2>&1

real    0m2.404s
user    0m0.193s
sys     0m1.800s

ana sarrafa su kusan lokaci guda, kodayake a cikin akwati na biyu muna so mu gano kiran tsarin guda ɗaya kawai.

Sabon zaɓi --seccomp-bpf, kara da cewa strace sigar 5.3, yana ba ku damar hanzarta aiwatarwa sau da yawa kuma lokacin farawa ƙarƙashin alamar kiran tsarin ɗaya ya riga ya yi daidai da lokacin farawa na yau da kullun:

$ time strace --seccomp-bpf -e open du /usr/share/ >/dev/null 2>&1

real    0m0.148s
user    0m0.017s
sys     0m0.131s

$ time du /usr/share/ >/dev/null 2>&1

real    0m0.140s
user    0m0.024s
sys     0m0.116s

(A nan, ba shakka, akwai ɗan yaudara a cikin cewa ba mu nemo babban tsarin kiran wannan umarni ba. Idan muna bin diddigin, misali. newfsstat, to, strace zai birki da kyar kamar babu --seccomp-bpf.)

Ta yaya wannan zaɓi ke aiki? Ba tare da ita ba strace ya haɗu da tsari kuma ya fara amfani da shi PTRACE_SYSCALL. Lokacin da tsarin sarrafawa ya fitar da (kowane) tsarin kira, ana canja wurin sarrafawa zuwa strace, wanda ke kallon muhawarar tsarin kira kuma yana gudanar da shi PTRACE_SYSCALL. Bayan wani lokaci, tsarin yana kammala kiran tsarin kuma lokacin fita, ana sake canja wurin sarrafawa strace, wanda ke kallon ƙimar dawowa kuma ya fara aiwatar da amfani da shi PTRACE_SYSCALL, da sauransu.

Tare da seccomp, duk da haka, ana iya inganta wannan tsari daidai yadda muke so. Wato, idan muna so mu dubi kawai kiran tsarin X, to za mu iya rubuta BPF tace don X mayar da daraja SECCOMP_RET_TRACE, da kuma kiraye-kirayen da ba su da sha'awar mu - SECCOMP_RET_ALLOW:

ld [0]
jneq #X, ignore
trace: ret #0x7ff00000
ignore: ret #0x7fff0000

A wannan yanayin strace da farko ya fara tsari kamar yadda PTRACE_CONT, Ana sarrafa matatar mu don kowane kiran tsarin, idan tsarin kiran ba haka bane X, to, tsarin ya ci gaba da gudana, amma idan wannan X, to seccomp zai canja wurin sarrafawa stracewanda zai duba muhawarar kuma ya fara aiki kamar PTRACE_SYSCALL (tunda seccomp ba shi da ikon tafiyar da shirin yayin fita daga tsarin kira). Lokacin da tsarin kira ya dawo, strace zai sake farawa da tsari ta amfani da PTRACE_CONT kuma zai jira sabbin saƙonni daga seccomp.

Lokacin amfani da zaɓin --seccomp-bpf akwai hani guda biyu. Da fari dai, ba zai yiwu a shiga tsarin da ya riga ya kasance ba (zaɓi -p shirye-shirye strace), tunda ba a goyan bayan wannan ta hanyar seccomp. Na biyu, babu yiwuwar ba duba tsarin yara, tun da seccomp filtata ana gadon su ta duk matakan yara ba tare da ikon kashe wannan ba.

Dan karin bayani kan yadda daidai strace yana aiki tare da seccomp za a iya samu daga rahoton kwanan nan. A gare mu, mafi ban sha'awa gaskiyar ita ce, har yanzu ana amfani da BPF na yau da kullun da seccomp ke wakilta.

xt_bpf

Bari yanzu mu koma duniyar hanyoyin sadarwa.

Bayan Fage: dogon lokaci da suka wuce, a cikin 2007, ainihin shine ya kara da cewa koyaushe xt_u32 don netfilter. An rubuta ta ta hanyar kwatanci tare da ma fi daɗaɗɗen rabe-raben zirga-zirga cls_u32 kuma ya ba ku damar rubuta ƙa'idodin binary na sabani don iptables ta amfani da ayyuka masu sauƙi masu zuwa: loda 32 ragowa daga fakiti kuma aiwatar da tsarin ayyukan lissafi akan su. Misali,

sudo iptables -A INPUT -m u32 --u32 "6&0xFF=1" -j LOG --log-prefix "seen-by-xt_u32"

Yana loda rago 32 na taken IP, farawa daga padding 6, kuma yana shafa musu abin rufe fuska. 0xFF (dauki low byte). Wannan filin protocol IP header kuma muna kwatanta shi da 1 (ICMP). Kuna iya haɗa cak masu yawa a cikin doka ɗaya, kuma kuna iya aiwatar da afareta @ - matsar X bytes zuwa dama. Misali, ka'ida

iptables -m u32 --u32 "6&0xFF=0x6 && 0>>22&0x3C@4=0x29"

bincika idan Lambar Jeri TCP bai daidaita ba 0x29. Ba zan ƙara yin ƙarin bayani ba, tun da ya riga ya bayyana cewa rubuta irin waɗannan dokoki da hannu ba su dace sosai ba. A cikin labarin BPF - bytecode manta, akwai hanyoyi da yawa tare da misalan amfani da tsara tsarin mulki don xt_u32. Duba kuma hanyoyin haɗin gwiwa a ƙarshen wannan labarin.

Tun 2013 module maimakon module xt_u32 za ka iya amfani da BPF tushen module xt_bpf. Duk wanda ya karanta wannan zuwa yanzu ya kamata ya kasance a sarari game da ƙa'idar aikinsa: gudanar da BPF bytecode azaman ka'idodin iptables. Kuna iya ƙirƙirar sabuwar doka, misali, kamar wannan:

iptables -A INPUT -m bpf --bytecode <байткод> -j LOG

a nan <байткод> - wannan shine lambar a cikin tsarin fitarwa mai haɗawa bpf_asm ta tsohuwa, misali,

$ cat /tmp/test.bpf
ldb [9]
jneq #17, ignore
ret #1
ignore: ret #0

$ bpf_asm /tmp/test.bpf
4,48 0 0 9,21 0 1 17,6 0 0 1,6 0 0 0,

# iptables -A INPUT -m bpf --bytecode "$(bpf_asm /tmp/test.bpf)" -j LOG

A cikin wannan misalin muna tace duk fakitin UDP. Ma'anar shirin BPF a cikin tsari xt_bpf, ba shakka, yana nuna bayanan fakiti, a cikin yanayin iptables, zuwa farkon taken IPv4. Koma darajar daga shirin BPF booleaninda false yana nufin fakitin bai dace ba.

A bayyane yake cewa module xt_bpf yana goyan bayan rikitattun tacewa fiye da misalin da ke sama. Bari mu kalli misalai na gaske daga Cloudfare. Har kwanan nan sun yi amfani da module xt_bpf don kare kai daga hare-haren DDoS. A cikin labarin Gabatar da Kayan aikin BPF suna bayanin yadda (da kuma dalilin da yasa) suke samar da tacewa na BPF da buga hanyoyin haɗin kai zuwa saitin abubuwan amfani don ƙirƙirar irin waɗannan filtattun. Alal misali, amfani da kayan aiki bpfgen zaka iya ƙirƙirar shirin BPF wanda yayi daidai da tambayar DNS don suna habr.com:

$ ./bpfgen --assembly dns -- habr.com
ldx 4*([0]&0xf)
ld #20
add x
tax

lb_0:
    ld [x + 0]
    jneq #0x04686162, lb_1
    ld [x + 4]
    jneq #0x7203636f, lb_1
    ldh [x + 8]
    jneq #0x6d00, lb_1
    ret #65535

lb_1:
    ret #0

A cikin shirin za mu fara loda cikin rajista X farkon adireshin layi x04habrx03comx00 a cikin UDP datagram sannan a duba buƙatar: 0x04686162 <-> "x04hab" da sauransu.

Bayan ɗan lokaci, Cloudfare ya buga lambar p0f -> BPF mai tarawa. A cikin labarin Gabatar da p0f BPF mai tarawa suna magana game da menene p0f da yadda ake canza sa hannun p0f zuwa BPF:

$ ./bpfgen p0f -- 4:64:0:0:*,0::ack+:0
39,0 0 0 0,48 0 0 8,37 35 0 64,37 0 34 29,48 0 0 0,
84 0 0 15,21 0 31 5,48 0 0 9,21 0 29 6,40 0 0 6,
...

A halin yanzu ba a amfani da Cloudfare xt_bpf, tun lokacin da suka koma XDP - ɗaya daga cikin zaɓuɓɓuka don amfani da sabon sigar BPF, duba. L4Drop: Ragewar XDP DDoS.

cls_bpf

Misali na ƙarshe na amfani da BPF na al'ada a cikin kwaya shine mai rarrabawa cls_bpf don tsarin sarrafa zirga-zirgar ababen hawa a cikin Linux, wanda aka ƙara zuwa Linux a ƙarshen 2013 kuma a zahiri maye gurbin tsohon cls_u32.

Koyaya, yanzu ba za mu kwatanta aikin ba cls_bpf, Tun daga ra'ayi na ilimi game da classic BPF wannan ba zai ba mu wani abu ba - mun riga mun saba da duk ayyukan. Bugu da kari, a cikin labarai masu zuwa suna magana game da Extended BPF, za mu haɗu da wannan classifier fiye da sau ɗaya.

Wani dalili ba don magana game da yin amfani da classic BPF c cls_bpf Matsalar ita ce, idan aka kwatanta da Extended BPF, iyakar zartarwa a cikin wannan yanayin yana ƙunshe sosai: shirye-shiryen gargajiya ba za su iya canza abin da ke cikin fakiti ba kuma ba za su iya ajiye yanayi tsakanin kira ba.

Don haka lokaci ya yi da za a yi bankwana da BPF na al'ada kuma mu dubi gaba.

Barka da zuwa classic BPF

Mun kalli yadda fasahar BPF, wacce ta ci gaba a farkon shekarun 32, ta yi nasarar rayuwa kwata na karni kuma har zuwa karshen ta sami sabbin aikace-aikace. Duk da haka, kama da sauyi daga injunan tari zuwa RISC, wanda ya zama ƙwaƙƙwaran haɓakar BPF na al'ada, a cikin 64s an sami sauyi daga na'urori XNUMX-bit zuwa XNUMX-bit kuma BPF na al'ada ya fara zama mara amfani. Bugu da ƙari, ƙarfin BPF na gargajiya yana da iyaka sosai, kuma ban da gine-ginen da suka wuce - ba mu da ikon adana jihar tsakanin kira zuwa shirye-shiryen BPF, babu yiwuwar hulɗar mai amfani kai tsaye, babu yiwuwar yin hulɗa da juna. tare da kwaya, ban da karanta ƙayyadaddun adadin filayen tsarin sk_buff da ƙaddamar da ayyuka mafi sauƙi na mataimaka, ba za ku iya canza abubuwan da ke cikin fakiti ba kuma ku tura su.

A zahiri, a halin yanzu duk abin da ya saura na BPF na al'ada a cikin Linux shine ƙirar API, kuma a cikin kernel duk shirye-shirye na yau da kullun, kasancewa masu tace soket ko matattarar seccomp, ana fassara su ta atomatik zuwa sabon tsari, Extended BPF. (Za mu yi magana game da ainihin yadda hakan ya faru a talifi na gaba.)

Canjin zuwa sabon gine-gine ya fara ne a cikin 2013, lokacin da Alexey Starovoitov ya ba da shawarar tsarin sabunta BPF. A cikin 2014 madaidaicin faci ya fara bayyana a cikin gindi. Kamar yadda na fahimta, shirin farko shine kawai don inganta gine-gine da kuma JIT compiler don yin aiki da kyau akan na'urori 64-bit, amma a maimakon haka waɗannan abubuwan ingantawa sun nuna farkon sabon babi a ci gaban Linux.

Ƙarin abubuwan da ke cikin wannan jerin za su rufe gine-gine da aikace-aikace na sabuwar fasaha, da farko da aka sani da BPF na ciki, sannan kuma BPF mai tsawo, kuma yanzu kawai BPF.

nassoshi

1. Steven McCanne da Van Jacobson, "Tacewar fakitin BSD: Sabon Tsarin Gine-gine don Ɗaukar Fakitin matakin Mai amfani", https://www.tcpdump.org/papers/bpf-usenix93.pdf
2. Steven McCanne, "libpcap: Tsarin Tsarin Gine-gine da Ingantawa don Kama Fakiti", https://sharkfestus.wireshark.org/sharkfest.11/presentations/McCanne-Sharkfest'11_Keynote_Address.pdf
3. tcpdump, libpcap: https://www.tcpdump.org/
4. Koyarwar Match na IPtable U32.
5. BPF - bytecode da aka manta: https://blog.cloudflare.com/bpf-the-forgotten-bytecode/
6. Gabatar da Kayan aikin BPF: https://blog.cloudflare.com/introducing-the-bpf-tools/
7. bpf_cls: http://man7.org/linux/man-pages/man8/tc-bpf.8.html
8. Bayanin taƙaitaccen bayani: https://lwn.net/Articles/656307/
9. https://github.com/torvalds/linux/blob/master/Documentation/userspace-api/seccomp_filter.rst
10. habr: Kwantena da tsaro: seccomp
11. habr: Ware daemons tare da systemd ko "ba kwa buƙatar Docker don wannan!"
12. Paul Chaignon, "strace --seccomp-bpf: kallon karkashin kaho", https://fosdem.org/2020/schedule/event/debugging_strace_bpf/
13. netsniff-ng: http://netsniff-ng.org/

source: www.habr.com