BPF for the little ones, part zero: classic BPF

Berkeley Packet Filters (BPF) is a Linux kernel technology that has been on the front pages of English-language technical publications for several years now. Conferences are full of talks about using and developing BPF. David Miller, the Linux networking maintainer, called his Linux Plumbers 2018 talk "This talk is not about XDP" (XDP is one of the uses of BPF). Brendan Gregg gives talks titled Linux BPF Superpowers. Toke Høiland-Jørgensen jokes that the kernel is now a microkernel. Thomas Graf promotes the idea that BPF is the JavaScript of the kernel.

There is no systematic description of BPF on Habr, so in a series of articles I will try to tell the history of the technology, describe its architecture and development tools, and outline the areas where BPF is applied and how it is used in practice. This, the zeroth article of the series, tells the history and architecture of classic BPF, and also reveals the secrets of how tcpdump, seccomp, strace and much more work.

BPF development is driven by the Linux networking community, and most existing uses of BPF are network-related, so, with the permission of @eucariot, I named the series "BPF for the little ones", in honour of the great series "Networks for the little ones".

A bit of BPF history (c)

Modern BPF technology is an improved and extended version of an older technology of the same name, which is now called classic BPF to avoid confusion. The well-known utility tcpdump, the seccomp mechanism, and the less well-known modules xt_bpf for iptables and the classifier cls_bpf were all built on classic BPF. In modern Linux, classic BPF programs are automatically translated into the new form; from the user's point of view, however, the API has stayed in place, and new uses of classic BPF, as we will see in this article, keep appearing. For this reason, and also because following the history of classic BPF's development in Linux makes it clearer how and why it evolved into its modern form, I decided to start with an article about classic BPF.

In the late eighties of the last century, the people at the famous Lawrence Berkeley Laboratory became interested in how to filter network packets properly on the hardware of that time. The basic idea of filtering, first implemented in the CSPF (CMU/Stanford Packet Filter) technology, was to discard unwanted packets as early as possible, that is, in kernel space, since this avoids copying unneeded data into user space. To make running user-supplied code in kernel space safe at run time, a sandboxed virtual machine was used.

However, the virtual machines of the existing filters had been designed for stack-based machines and ran poorly on the newer RISC machines. As a result, the engineers at Berkeley Labs developed the new BPF (Berkeley Packet Filters) technology, whose virtual machine was modelled on the MOS Technology 6502 processor, the workhorse of such well-known products as the Apple II and the NES. The new virtual machine improved filter performance tens of times over the existing solutions.

The architecture of the BPF machine

We will get to know the architecture hands-on, by examining examples. For a start, though, let us note that the machine had two 32-bit registers accessible to the user, the accumulator A and the index register X, 64 bytes of memory (16 words) available for reading and writing, and a small instruction set for working with these objects. Programs could also contain jump instructions with symbolic labels, but to guarantee that a program terminates in bounded time, jumps could only go forward; in particular, loops were impossible.

The basic scheme of the machine is as follows. The user writes a program for the BPF architecture and, using some kernel mechanism (a system call, for example), loads it and attaches it to some event generator in the kernel (for example, the event is the arrival of the next packet on a network card). When the event occurs, the kernel runs the program (in an interpreter, for example), and the machine's memory corresponds to some region of kernel memory (for example, the data of the incoming packet).

The above is enough to start looking at examples: we will get to know the instruction set and instruction format as needed. If you would rather study the virtual machine's instruction set right away and learn about all of its capabilities, you can read the original paper The BSD Packet Filter and/or the first half of the file Documentation/networking/filter.txt from the kernel documentation. You can also look at the presentation libpcap: An Architecture and Optimization Methodology for Packet Capture, in which McCanne, one of the authors of BPF, talks about the history of libpcap.

Now let us move on to examining all the important uses of classic BPF on Linux: tcpdump (libpcap), seccomp, xt_bpf, cls_bpf.

tcpdump

BPF was developed together with a frontend for packet filtering, the well-known utility tcpdump. And since this is the oldest and best-known use of classic BPF, available on many operating systems, we will begin our study of the technology with it.

(I ran all the examples in this article on Linux 5.6.0-rc6. The output of some commands has been edited for readability.)

Example: looking at IPv6 packets

Suppose we want to see all IPv6 packets on the interface eth0. To do this we can run tcpdump with the simple filter ip6:

$ sudo tcpdump -i eth0 ip6

Here tcpdump compiles the filter ip6 into BPF bytecode and sends it to the kernel (see the details in the section Tcpdump: loading). The loaded filter is run on every packet passing through the interface eth0. If the filter returns a non-zero value n, then up to n bytes of the packet are copied to user space and we see the packet in the output of tcpdump.

It turns out that we can easily find out which bytecode tcpdump sent to the kernel, with the help of tcpdump itself, by running it with the -d option:

$ sudo tcpdump -i eth0 -d ip6
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 3
(002) ret      #262144
(003) ret      #0

On line zero we execute the instruction ldh [12], which means "load into register A the half-word (16 bits) located at address 12", and the only question is: what memory are we talking about? The answer is that address x is where the (x+1)-th byte of the network packet being analysed begins. We read packets from the Ethernet interface eth0, which means that a packet looks like this (for simplicity we assume there are no VLAN tags in the packet):

       6              6          2
|Destination MAC|Source MAC|Ether Type|...|

So after ldh [12] executes, register A holds the Ether Type field, the type of packet carried in the Ethernet frame. On line 1 we compare the contents of register A (the packet type) with 0x86dd, which is exactly the type we are interested in, IPv6. Besides the comparison, line 1 has two more columns, jt 2 and jf 3: the labels to jump to if the comparison succeeds (A == 0x86dd) and if it fails. So in the successful case (IPv6) we go to line 2, and otherwise to line 3. On line 3 the program terminates with code 0 (do not copy the packet); on line 2 it terminates with code 262144 (copy up to 256 kilobytes of the packet).

A more complex example: looking at TCP packets by destination port

Let us see what a filter that copies all TCP packets with destination port 666 looks like. We will consider the IPv4 case, since the IPv6 case is simpler. After studying this example, you can investigate the IPv6 filter yourself as an exercise (ip6 and tcp dst port 666), as well as the filter for the general case (tcp dst port 666). So, the filter we are interested in looks like this:

$ sudo tcpdump -i eth0 -d ip and tcp dst port 666
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldh      [x + 16]
(008) jeq      #0x29a           jt 9    jf 10
(009) ret      #262144
(010) ret      #0

We already know what lines 0 and 1 do. By line 2 we have established that this is an IPv4 packet (Ether Type = 0x800), and there we load the 24th byte of the packet into register A. Our packet looks like

       14            8      1     1
|ethernet header|ip fields|ttl|protocol|...|

which means that we load into register A the Protocol field of the IP header, which is logical, since we only want to copy TCP packets. On line 3 we compare Protocol with 0x6 (IPPROTO_TCP).

On lines 4 and 5 we load the half-word at address 20, the flags and fragment offset field of the IPv4 header, and use the jset instruction to check whether any bit under the mask 0x1fff is set. The mask keeps the 13-bit fragment offset and clears the three high flag bits (reserved, DF, MF). A non-zero fragment offset means that this packet is not the first fragment of a fragmented IP datagram, so the TCP header is not in it at all; such packets are dropped (jump to line 10) instead of having whatever bytes happen to be there compared against the port.

Line 6 is the most interesting one in this listing. The expression ldxb 4*([14]&0xf) means "load into register X the low four bits of the fifteenth byte of the packet, multiplied by 4". The low four bits of byte 14 are the Internet Header Length field of the IPv4 header, which stores the header length in 32-bit words, hence the multiplication by 4. Curiously, the expression 4*([14]&0xf) is the mnemonic for a special addressing mode that can be used only in this form and only with register X: we cannot say ldb 4*([14]&0xf), nor ldxb 5*([14]&0xf) (we can specify a different offset, e.g. ldxb 4*([16]&0xf)). Clearly this addressing mode was added to BPF precisely to get the IPv4 header length into X (the index register).

So on line 7 we load the half-word at address X+16. Remembering that the Ethernet header takes 14 bytes and X holds the length of the IPv4 header, we see that A receives the TCP destination port:

       14           X           2             2
|ethernet header|ip header|source port|destination port|

Finally, on line 8 we compare the destination port with the value we want, and on line 9 or 10 we return the result: copy the packet or not.

Tcpdump: loading

In the previous examples we did not dwell on exactly how the BPF bytecode is loaded into the kernel to filter packets. In general, tcpdump is ported to many systems, and to work with filters it uses the libpcap library. In brief, to install a filter on an interface with libpcap you need to do the following:

To see how the function pcap_setfilter is implemented on Linux, let us use strace (some lines have been removed):

$ sudo strace -f -e trace=%network tcpdump -p -i eth0 ip
socket(AF_PACKET, SOCK_RAW, 768)        = 3
bind(3, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ALL), sll_ifindex=if_nametoindex("eth0"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = 0
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, {len=4, filter=0xb00bb00bb00b}, 16) = 0
...

In the first two lines of the output we create a raw socket for reading all Ethernet frames and bind it to the interface eth0. From our first example we know that the filter ip consists of four BPF instructions, and on the third line we see how the setsockopt system call with the SO_ATTACH_FILTER option is used to load and attach a filter of length 4. This is our filter.

It is worth noting that in classic BPF, loading a filter and attaching it always happen as one atomic operation, while in the new version of BPF loading a program and attaching it to an event generator are separated in time.

Hidden text

A slightly fuller version of the output looks like this:

$ sudo strace -f -e trace=%network tcpdump -p -i eth0 ip
socket(AF_PACKET, SOCK_RAW, 768)        = 3
bind(3, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ALL), sll_ifindex=if_nametoindex("eth0"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = 0
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, {len=1, filter=0xbeefbeefbeef}, 16) = 0
recvfrom(3, 0x7ffcad394257, 1, MSG_TRUNC, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, {len=4, filter=0xb00bb00bb00b}, 16) = 0
...

As described above, we load and attach our filter on line 5, but what happens on lines 3 and 4? It turns out that libpcap is taking care of us: so that the output of our filter does not include packets that do not satisfy it, the library attaches a dummy filter ret #0 (drop all packets), switches the socket to non-blocking mode and tries to read out any packets that may have been queued before the real filter was in place.

All in all, to filter packets on Linux with classic BPF you need a filter in the form of a struct sock_fprog and an open socket, after which the filter can be attached to the socket with the setsockopt system call.

Curiously, the filter can be attached to any socket, not only a raw one. Here is an example program that cuts everything but the first two bytes from every incoming UDP datagram. (I have put comments in the code so as not to clutter the article.)

For more on using setsockopt to attach filters see socket(7); writing your own filters as a struct sock_fprog without the help of tcpdump is discussed in the section Building BPF by hand.

Classic BPF and the 21st century

BPF was merged into Linux in 1997 and for a long time remained the workhorse of libpcap without any particular changes (Linux-specific changes did happen, of course, but they did not change the overall picture). The first serious sign that BPF would evolve came in 2011, when Eric Dumazet proposed a patch adding a Just In Time compiler to the kernel: a translator turning BPF bytecode into native x86_64 code.

The JIT compiler was the first in a chain of changes: in 2012 the ability to write seccomp filters with BPF appeared, in January 2013 the xt_bpf module was added, which lets you write iptables rules using BPF, and in October 2013 the cls_bpf module was added as well, which lets you write traffic classifiers using BPF.

We will look at all of these examples in detail shortly,  but first it will be useful to learn how to write and assemble arbitrary BPF programs, since the capabilities of libpcap are limited (a simple example: filters generated by libpcap can return only two values, 0 or 0x40000) or, as in the case of seccomp, not applicable at all.

Building BPF by hand

Let us get acquainted with the binary format of BPF instructions; it is simple:

   16    8    8     32
| code | jt | jf |  k  |

Each instruction occupies 64 bits: the first 16 bits are the instruction code, then come two 8-bit jump offsets, jt and jf, and then 32 bits for the argument K, whose purpose varies from instruction to instruction. For example, the instruction ret, which terminates the program, has code 6, and the return value is taken from the constant K. In C, a single BPF instruction is represented by the structure

struct sock_filter {
        __u16   code;
        __u8    jt;
        __u8    jf;
        __u32   k;
};

and the whole program is represented by the structure

struct sock_fprog {
        unsigned short len;
        struct sock_filter *filter;
};

So we can already write programs (we know the instruction codes, for example, from [1]). This is what the filter ip6 from our first example looks like:

struct sock_filter code[] = {
        { 0x28, 0, 0, 0x0000000c },
        { 0x15, 0, 1, 0x000086dd },
        { 0x06, 0, 0, 0x00040000 },
        { 0x06, 0, 0, 0x00000000 },
};
struct sock_fprog prog = {
        .len = ARRAY_SIZE(code),
        .filter = code,
};

and the program prog can then be used in the already familiar call

setsockopt(sk, SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog))

Writing programs in machine-code form is inconvenient, but sometimes necessary (for debugging, writing unit tests, writing articles for Habr, and so on). For convenience, the file <linux/filter.h> defines helper macros, and the same example as above can be rewritten as

struct sock_filter code[] = {
        BPF_STMT(BPF_LD|BPF_H|BPF_ABS, 12),
        BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, ETH_P_IPV6, 0, 1),
        BPF_STMT(BPF_RET|BPF_K, 0x00040000),
        BPF_STMT(BPF_RET|BPF_K, 0),
};

Still, this approach is not the most convenient either. The Linux kernel developers thought so too, which is why the directory tools/bpf of the kernel sources contains an assembler and a debugger for working with classic BPF.

The assembly language is very similar to the disassembly output of tcpdump, but in addition we can use symbolic labels. For example, here is a program that drops all packets except TCP/IPv4:

$ cat /tmp/tcp-over-ipv4.bpf
ldh [12]
jne #0x800, drop
ldb [23]
jneq #6, drop
ret #-1
drop: ret #0

By default, the assembler generates code in the form <number of instructions>,<code1> <jt1> <jf1> <k1>,..., so for our TCP example this will be

$ tools/bpf/bpf_asm /tmp/tcp-over-ipv4.bpf
6,40 0 0 12,21 0 3 2048,48 0 0 23,21 0 1 6,6 0 0 4294967295,6 0 0 0,

For the convenience of C programmers, a different output format can be used:

$ tools/bpf/bpf_asm -c /tmp/tcp-over-ipv4.bpf
{ 0x28,  0,  0, 0x0000000c },
{ 0x15,  0,  3, 0x00000800 },
{ 0x30,  0,  0, 0x00000017 },
{ 0x15,  0,  1, 0x00000006 },
{ 0x06,  0,  0, 0xffffffff },
{ 0x06,  0,  0, 0000000000 },

This output can be pasted straight into the definition of an array of type struct sock_filter, as we did at the beginning of this section.
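To tie the disassembly listings above to the binary encoding of this section, here is an added example (my code, not the article's and not the kernel's own interpreter): a small interpreter in C for the load/jump/return subset of classic BPF that tcpdump-style filters use. It executes hand-encoded struct sock_filter programs over a byte buffer, and runs the filter ip and tcp dst port 666 from the earlier section, encoded with the BPF_STMT/BPF_JUMP macros, against Ethernet/IPv4/TCP frames that are constructed inline (they are not captures). The frame builder, the function names and the truncation parameter are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>   /* struct sock_filter, BPF_STMT/BPF_JUMP, BPF_* encoding macros */

#define PROG_LEN(p) (sizeof(p) / sizeof((p)[0]))

/* Big-endian load of 1, 2 or 4 bytes at `off`; returns 0 on an out-of-bounds access. */
static int load_be(const uint8_t *p, size_t plen, uint32_t off, int size, uint32_t *v)
{
    size_t n = size == BPF_W ? 4 : size == BPF_H ? 2 : 1;
    if (off > plen || plen - off < n)
        return 0;
    *v = 0;
    for (size_t j = 0; j < n; j++)
        *v = (*v << 8) | p[off + j];
    return 1;
}

/* Interpret the load/jump/return subset of classic BPF over a byte buffer (a raw
 * Ethernet frame here) and return the verdict. Mirrors the kernel's semantics: an
 * out-of-bounds load ends the program with verdict 0, jump offsets are relative to
 * the next instruction, and ret returns either the constant k or the accumulator.
 * The ALU class, the 16-word scratch memory and tax/txa are omitted for brevity. */
uint32_t cbpf_run(const struct sock_filter *prog, size_t len, const uint8_t *pkt, size_t plen)
{
    uint32_t A = 0, X = 0, w;

    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        uint32_t k = in->k, src = BPF_SRC(in->code) == BPF_X ? X : k;
        int taken = 0;

        switch (BPF_CLASS(in->code)) {
        case BPF_LD:
            switch (BPF_MODE(in->code)) {
            case BPF_ABS: if (!load_be(pkt, plen, k, BPF_SIZE(in->code), &A)) return 0; break;
            case BPF_IND: if (!load_be(pkt, plen, X + k, BPF_SIZE(in->code), &A)) return 0; break;
            default: return 0;
            }
            break;
        case BPF_LDX:
            if (BPF_MODE(in->code) != BPF_MSH) return 0;
            if (!load_be(pkt, plen, k, BPF_B, &w)) return 0;   /* ldxb 4*([k]&0xf) */
            X = (w & 0xf) * 4;
            break;
        case BPF_JMP:
            switch (BPF_OP(in->code)) {
            case BPF_JA:   pc += k; continue;                  /* k is relative as well */
            case BPF_JEQ:  taken = A == src; break;
            case BPF_JGT:  taken = A > src; break;
            case BPF_JGE:  taken = A >= src; break;
            case BPF_JSET: taken = (A & src) != 0; break;
            default: return 0;
            }
            pc += taken ? in->jt : in->jf;
            break;
        case BPF_RET:
            return BPF_RVAL(in->code) == BPF_A ? A : k;
        default:
            return 0;
        }
    }
    return 0;   /* fell off the end; the kernel verifier rejects such programs up front */
}

/* tcpdump -d 'ip and tcp dst port 666', encoded with the <linux/filter.h> macros. */
static const struct sock_filter tcp666_prog[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),             /* A = Ether Type              */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 8),  /* not IPv4 -> drop            */
    BPF_STMT(BPF_LD | BPF_B | BPF_ABS, 23),             /* A = IP protocol             */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 0, 6),       /* not TCP -> drop             */
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 20),             /* A = flags + fragment offset */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, 0x1fff, 4, 0), /* non-first fragment -> drop  */
    BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 14),            /* X = IPv4 header length      */
    BPF_STMT(BPF_LD | BPF_H | BPF_IND, 16),             /* A = TCP dst port at 14+X+2  */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 666, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, 0x40000),                 /* copy up to 256 KiB          */
    BPF_STMT(BPF_RET | BPF_K, 0),
};

/* Constructed test frame (not a capture): Ethernet/IPv4/TCP with the given Ether Type,
 * IHL in 32-bit words, flags/fragment-offset field and TCP destination port. */
static size_t make_frame(uint8_t *f, uint16_t ethertype, unsigned ihl, uint16_t frag, uint16_t dport)
{
    size_t iplen = ihl * 4, n = 14 + iplen + 20;
    memset(f, 0, n);
    f[12] = (uint8_t)(ethertype >> 8); f[13] = (uint8_t)ethertype;
    f[14] = (uint8_t)(0x40 | ihl);                     /* version 4, IHL */
    f[20] = (uint8_t)(frag >> 8);      f[21] = (uint8_t)frag;
    f[23] = 6;                                         /* IPPROTO_TCP */
    f[14 + iplen + 2] = (uint8_t)(dport >> 8); f[14 + iplen + 3] = (uint8_t)dport;
    return n;
}

/* Verdict of the filter on such a frame; cap > 0 truncates the frame to cap bytes. */
uint32_t tcp666_verdict(uint16_t ethertype, unsigned ihl, uint16_t frag, uint16_t dport, size_t cap)
{
    uint8_t f[128];
    size_t n = make_frame(f, ethertype, ihl, frag, dport);
    return cbpf_run(tcp666_prog, PROG_LEN(tcp666_prog), f, cap && cap < n ? cap : n);
}
```

A frame with IP options (IHL 8) still matches, because ldxb 4*([14]&0xf) moves the port load along with the header; a frame with a non-zero fragment offset is dropped even when the bytes where the port would be happen to read 666; and a frame cut off before the destination port yields 0 rather than a read past the end, which is the behaviour the kernel guarantees for out-of-range loads.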

Linux and netsniff-ng extensions

In addition to standard BPF, Linux and tools/bpf/bpf_asm support non-standard extensions. Mostly these instructions are used to access fields of struct sk_buff, the structure that describes a network packet inside the kernel, but there are other kinds of helper instructions too: for example, ldw cpu loads into register A the result of the kernel function raw_smp_processor_id(). (In the new version of BPF these non-standard extensions have grown into a set of kernel helpers that give programs access to memory, structures and event generation.) Here, for example, is a filter that delivers only the packet headers to user space by using the poff (payload offset) extension, discarding the payload:

ld poff
ret a

BPF extensions cannot be used with tcpdump, but this is a good excuse to get acquainted with the netsniff-ng toolkit, which, among other things, contains the advanced program netsniff-ng, which besides filtering with BPF also includes an efficient traffic generator, and a BPF assembler called bpfc that is more advanced than tools/bpf/bpf_asm. The package is quite well documented; see also the links at the end of the article.

seccomp

So, we already know how to write BPF programs of arbitrary complexity and are ready to look at new examples, the first of which is the seccomp technology, which uses BPF filters to control the set of system calls, and their arguments, available to a given process and its descendants.

The first version of seccomp was added to the kernel in 2005 and was not very popular, since it offered a single option: restricting the set of system calls available to a process to read, write, exit and sigreturn, with a process violating the rules being killed with SIGKILL. In 2012, however, seccomp gained the ability to use BPF filters, which lets you define the set of allowed system calls and even check their arguments. (Interestingly, Chrome was one of the first users of this functionality, and the Chrome people are currently developing the KRSI mechanism, based on the new BPF, which allows Linux Security Modules to be customised.) Links to further documentation can be found at the end of the article.

Note that there have already been articles on Habr about using seccomp; some readers may want to read them before (or instead of) the following sections. The article Containers and security: seccomp gives examples of using seccomp, both the original version and the BPF version (with filters generated using libseccomp), discusses how seccomp relates to Docker, and gives many useful links. The article Isolating daemons with systemd, or "you don't need Docker for this!" describes, in particular, how to add blacklists or whitelists of system calls for daemons running under systemd.

Next we will look at how to write and load seccomp filters in bare C and with the libseccomp library, at the pros and cons of each approach, and finally at how seccomp is used by the strace program.

Writing and loading seccomp filters

We already know how to write BPF programs, so let us first look at the programming interface of seccomp. A filter is set at the process level, and all child processes inherit the restrictions. This is done with the seccomp(2) system call:

seccomp(SECCOMP_SET_MODE_FILTER, flags, &filter)

where &filter is a pointer to the already familiar structure struct sock_fprog, that is, to a BPF program.

How do seccomp programs differ from socket programs? In the context they are given. In the case of sockets we were given a memory area containing the packet; in the case of seccomp we are given a structure like

struct seccomp_data {
    int   nr;
    __u32 arch;
    __u64 instruction_pointer;
    __u64 args[6];
};

where nr is the number of the system call about to be executed, arch is the current architecture (more on this below), args holds up to six arguments of the call, and instruction_pointer points to the user-space instruction that made the system call. So, for example, to load the system call number into register A we have to say

ldw [0]

seccomp programs have other peculiarities too. For example, the context can be accessed only at 32-bit granularity, and you cannot load a half-word or a byte: an attempt to load the filter ldh [0] makes the seccomp system call return EINVAL. The loaded filters are checked by the function seccomp_check_filter(). (Curiously, in the original commit that added this functionality to seccomp, they forgot to allow the mod (remainder) instruction, and it is still unavailable in seccomp BPF programs, since adding it now would break the ABI.)

In fact, we already know everything needed to write and read seccomp programs. Usually the logic of a program is organised as a whitelist or a blacklist of system calls; for example, the program

ld [0]
jeq #304, bad
jeq #176, bad
jeq #239, bad
jeq #279, bad
good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
bad: ret #0

checks a blacklist of four system calls with numbers 304, 176, 239, 279. Which system calls are these? We cannot say for sure, since we do not know which architecture the program was written for. For this reason the seccomp authors suggest starting every program with an architecture check (the architecture is present in the context as the field arch of struct seccomp_data). With the architecture check, the beginning of the example would look like this:

ld [4]
jne #0xc000003e, bad_arch ; SCMP_ARCH_X86_64

and only then do our system call numbers acquire a definite meaning.
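An added example of such a filter written in bare C with the macros from <linux/filter.h> (my code, not the article's): it emits the architecture check followed by a blacklist of system call numbers, installs the program with the raw seccomp(2) system call, and checks in a forked child that a denied call kills the child with SIGSYS. The denied list, the FILTER_ARCH mapping for x86_64 and arm64, and the choice of SECCOMP_RET_KILL_PROCESS (the article's version uses ret #0) are my assumptions.

```c
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* Linux >= 4.14; older kernels fall back to the kill-thread default */
#endif

/* Pin the filter to the ABI it was written for (assumption: x86_64 or arm64 here). */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define MAX_DENY 16

struct deny_filter {
    struct sock_filter insn[5 + MAX_DENY];
    unsigned short len;
};

/* Emit:  ld [arch]; jne #arch, kill; ld [nr]; jeq #denied[0], kill; ...; ret ALLOW; kill: ret KILL
 * Jump offsets are relative to the next instruction. Returns the instruction count, 0 on error. */
unsigned build_deny_filter(struct deny_filter *f, const int *denied, unsigned n, uint32_t arch)
{
    unsigned short i = 0;
    if (n > MAX_DENY)
        return 0;
    f->insn[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f->insn[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 0, (uint8_t)(n + 2));
    f->insn[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (unsigned j = 0; j < n; j++)
        f->insn[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)denied[j], (uint8_t)(n - j), 0);
    f->insn[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f->insn[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f->len = i;
    return i;
}

/* Install into the calling process. PR_SET_NO_NEW_PRIVS is mandatory for an unprivileged
 * caller (the kernel returns EACCES otherwise); the raw syscall avoids any libc wrapper. */
int install_deny_filter(const struct deny_filter *f)
{
    struct sock_fprog prog = { .len = f->len, .filter = (struct sock_filter *)f->insn };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) != 0)
        return -errno;
    return 0;
}

/* Run fn() in a child with the filter installed. Returns the signal that killed the child
 * (SIGSYS when the filter fired), 0 on a clean exit, or a negative errno / exit code. */
int run_under_filter(const struct deny_filter *f, void (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        if (install_deny_filter(f) != 0)
            _exit(111);
        fn();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return -WEXITSTATUS(status);
}

static void try_mount(void)
{
    syscall(SYS_mount, "none", "/", "none", 0UL, NULL);   /* denied below: never reaches the VFS */
}

int main(void)
{
    const int denied[] = { SYS_mount, SYS_umount2, SYS_ptrace, SYS_kexec_load };
    struct deny_filter f;
    if (!build_deny_filter(&f, denied, 4, FILTER_ARCH))
        return 1;
    int r = run_under_filter(&f, try_mount);
    printf("child: %s (%d)\n", r == SIGSYS ? "killed by SIGSYS" : "filter did not fire", r);
    return r == SIGSYS ? 0 : 1;
}
```

The architecture check comes first for the reason given above: on x86_64 a 32-bit process can enter the kernel through the i386 ABI with a completely different numbering, so a filter that compares nr without pinning arch would deny the wrong calls.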

Writing and loading seccomp filters with libseccomp

Writing filters in native code or in BPF assembler gives you full control over the result, but sometimes it is nicer to have portable and/or readable code. The libseccomp library helps here: it provides a standard interface for writing blacklist or whitelist filters.

Let us, for example, write a program that runs a binary chosen by the user after first installing a blacklist of system calls taken from the article mentioned above (the program has been simplified for readability; the full version can be found here):

#include <seccomp.h>
#include <string.h>
#include <unistd.h>
#include <err.h>

/* System calls to deny (shortened here; the full program lists 40+). */
static int sys_numbers[] = {
        __NR_mount,
        __NR_umount2,
        // ... 40 more system calls ...
        __NR_vmsplice,
        __NR_perf_event_open,
};

int main(int argc, char **argv)
{
        int rc;

        if (argc < 2)
                errx(1, "usage: %s program [args...]", argv[0]);

        /* Allow everything by default; the rules below add the blacklist. */
        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
        if (!ctx)
                err(1, "seccomp_init");

        for (size_t i = 0; i < sizeof(sys_numbers)/sizeof(sys_numbers[0]); i++) {
                rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, sys_numbers[i], 0);
                if (rc < 0)
                        errx(1, "seccomp_rule_add(%d): %s", sys_numbers[i], strerror(-rc));
        }

        /* Compile to BPF and attach to this process via seccomp(2);
         * the filter survives the execvp() below. */
        rc = seccomp_load(ctx);
        if (rc < 0)
                errx(1, "seccomp_load: %s", strerror(-rc));
        seccomp_release(ctx);

        execvp(argv[1], &argv[1]);
        err(1, "execvp: %s", argv[1]);
}

First we define the array sys_numbers of 40-odd system call numbers to block. Then we initialise the context ctx and tell the library that we want to allow (SCMP_ACT_ALLOW) all system calls by default (this makes blacklists easy to build). Then, one by one, we add all the system calls from the blacklist. For a system call from the list we request SCMP_ACT_TRAP; in this case seccomp sends the process a SIGSYS signal with a description of which system call violated the rules. Finally, we load the program into the kernel with seccomp_load, which compiles the program and attaches it to the process using the seccomp(2) system call.

To build, the program has to be linked against the libseccomp library, for example:

cc -std=c17 -Wall -Wextra -c -o seccomp_lib.o seccomp_lib.c
cc -o seccomp_lib seccomp_lib.o -lseccomp

An example of a successful run:

$ ./seccomp_lib echo ok
ok

An example of a forbidden call:

$ sudo ./seccomp_lib mount -t bpf bpf /tmp
Bad system call

Let us use strace for the details:

$ sudo strace -e seccomp ./seccomp_lib mount -t bpf bpf /tmp
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=50, filter=0x55d8e78428e0}) = 0
--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0xboobdeadbeef, si_syscall=__NR_mount, si_arch=AUDIT_ARCH_X86_64} ---
+++ killed by SIGSYS (core dumped) +++
Bad system call

from which we can tell that the program was terminated because it used the forbidden system call mount(2).

So, we wrote a filter with the libseccomp library, fitting the essential code into four lines. In the example above, with many system calls, the execution time could be noticeably reduced, since the check is a linear list of comparisons. For optimisation, a patch was recently merged into libseccomp that adds support for the filter attribute SCMP_FLTATR_CTL_OPTIMIZE. Setting this attribute to 2 turns the filter into a binary search program.

If you want to see how binary search filters work, take a look at the simple script that generates such programs in BPF assembler from a list of system call numbers, for example:

$ echo 1 3 6 8 13 | ./generate_bin_search_bpf.py
ld [0]
jeq #6, bad
jgt #6, check8
jeq #1, bad
jeq #3, bad
ret #0x7fff0000
check8:
jeq #8, bad
jeq #13, bad
ret #0x7fff0000
bad: ret #0

Nothing substantially faster can be written, because BPF programs cannot make indirect jumps (we cannot do, for example, jmp A or jmp [label+X]), so all transitions are static.

seccomp ndi strace

Everyone knows the strace utility, an indispensable tool for studying processes on Linux. Many, however, have also heard about its performance problems. The thing is that strace is implemented with ptrace(2), and in this mechanism we cannot specify which system calls we need to stop at, so, for example, the commands

$ time strace du /usr/share/ >/dev/null 2>&1

real    0m3.081s
user    0m0.531s
sys     0m2.073s

and

$ time strace -e open du /usr/share/ >/dev/null 2>&1

real    0m2.404s
user    0m0.193s
sys     0m1.800s

take roughly the same time, although in the second case we want to trace only one system call.

The new option --seccomp-bpf, added in strace version 5.3, speeds things up many times over, and the run time with this option is already comparable to the run time of the program by itself:

$ time strace --seccomp-bpf -e open du /usr/share/ >/dev/null 2>&1

real    0m0.148s
user    0m0.017s
sys     0m0.131s

$ time du /usr/share/ >/dev/null 2>&1

real    0m0.140s
user    0m0.024s
sys     0m0.116s

(There is, of course, a little sleight of hand here, in that we are not tracing a system call this program actually makes. If we traced, say, newfstatat, strace would fall apart just as badly as without --seccomp-bpf.)

How does this option work? Without it, strace attaches to the process and starts it with PTRACE_SYSCALL. When the traced process makes (any) system call, control passes to strace, which looks at the arguments of the system call and resumes the process with PTRACE_SYSCALL. After a while the process finishes the system call, and on exit from it control passes to strace again, which looks at the return values and resumes the process with PTRACE_SYSCALL, and so on.

With seccomp, however, this procedure can be optimised exactly the way we want. Namely, if we want to look only at the system call X, we can write a BPF filter that returns SECCOMP_RET_TRACE for X and SECCOMP_RET_ALLOW for the calls we are not interested in:

ld [0]
jneq #X, ignore
trace: ret #0x7ff00000
ignore: ret #0x7fff0000

In this case strace initially starts the process with PTRACE_CONT, and our filter is run for every system call: if the call is not X, the process simply continues running, but if it is X, seccomp transfers control to strace, which looks at the arguments and resumes the process with PTRACE_SYSCALL (since seccomp has no way to run a program on exit from the system call). When the system call returns, strace resumes the process with PTRACE_CONT and waits for new notifications from seccomp.

The --seccomp-bpf option has two limitations. First, it is impossible to attach to an already running process (the -p option of strace), since seccomp does not support that. Second, there is no way to avoid tracing child processes, since seccomp filters are inherited by all children and this cannot be disabled.

A bit more detail on exactly how strace works with seccomp can be found in a recent talk. For us, the most interesting point is that classic BPF, in the form of seccomp, is still in use today.

xt_bpf

Let us now return to the networking world.

Background: long ago, in 2007, the xt_u32 module was added to netfilter. It was written by analogy with the even older traffic classifier cls_u32 and lets you write arbitrary binary rules for iptables out of these simple operations: load 32 bits from the packet and perform a few arithmetic operations on them. For example,

sudo iptables -A INPUT -m u32 --u32 "6&0xFF=1" -j LOG --log-prefix "seen-by-xt_u32"

loads 32 bits of the IP header starting at offset 6 and applies the mask 0xFF to them (takes the low byte). That is the protocol field of the IP header, and we compare it with 1 (ICMP). Several checks can be combined in one rule, and you can also use the @ operator, which moves the offset X bytes to the right. For example, the rule

iptables -m u32 --u32 "6&0xFF=0x6 && 0>>22&0x3C@4=0x29"

checks whether the TCP sequence number equals 0x29. I will not go into detail, since it is clear that writing such rules by hand is not easy. The article BPF - the forgotten bytecode has several links with examples of using xt_u32 and generating rules for it. See also the links at the end of this article.
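To make the two xt_u32 rules above concrete, here is an added example (my own code, not from the article, netfilter or iptables) that evaluates --u32 expressions in Python over constructed IPv4 packets. It implements the operators the rules use (a bare number loads 32 bits at that offset in network order, & and the shifts transform the value, @k re-bases the offset on the current value, = compares against values or lo:hi ranges, && joins tests), so it also handles the range checks and the ICMP-type check that the page does not show. The packets, ports and addresses are constructed sample values.

```python
import re
import struct

# Tokens of the --u32 mini-language: numbers (decimal or 0x...) and the operators.
TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|<<|>>|&|@)")


def load32(pkt, off):
    """32-bit network-order load; reading past the end of the packet fails the test."""
    if off < 0 or off + 4 > len(pkt):
        raise IndexError(off)
    return int.from_bytes(pkt[off:off + 4], "big")


def u32_test(lhs, rhs, pkt):
    """One "location ops = values" test: evaluate the left side, compare with the right."""
    tokens = TOKEN.findall(lhs)
    val = load32(pkt, int(tokens[0], 0))                 # a bare number loads 32 bits there
    for op, num in zip(tokens[1::2], tokens[2::2]):      # operators apply left to right
        n = int(num, 0)
        if op == "&":
            val &= n
        elif op == "<<":
            val = (val << n) & 0xFFFFFFFF
        elif op == ">>":
            val >>= n
        elif op == "@":                                  # current value becomes the new base
            val = load32(pkt, val + n)
    for item in rhs.split(","):                          # "v" or "lo:hi", comma-separated
        lo, _, hi = item.partition(":")
        if int(lo, 0) <= val <= int(hi or lo, 0):
            return True
    return False


def u32_match(expr, pkt):
    """Evaluate a full --u32 expression ("&&"-joined tests) over an IPv4 packet."""
    try:
        return all(u32_test(*test.split("=", 1), pkt) for test in expr.split("&&"))
    except IndexError:                                   # packet too short for a load
        return False


# Constructed sample packets (not real captures); offset 0 is the IPv4 header.
def ipv4_header(proto, total_len):
    """20-byte IPv4 header without options: version/IHL 0x45, TTL 64, given protocol."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def tcp_packet(seq):
    """IPv4 + 20-byte TCP header (SYN) carrying the given sequence number."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_header(6, 20 + len(tcp)) + tcp


def icmp_echo_packet():
    """IPv4 + ICMP echo request header (type 8, code 0)."""
    return ipv4_header(1, 28) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)


# The two rules quoted on the page, plus an ICMP-type rule in the same style.
RULE_ICMP = "6&0xFF=1"
RULE_TCP_SEQ = "6&0xFF=0x6 && 0>>22&0x3C@4=0x29"
RULE_ICMP_ECHO = "6&0xFF=1 && 0>>22&0x3C@0>>24=8"
```

In RULE_TCP_SEQ the prefix 0>>22&0x3C takes the IHL nibble of the first word and multiplies it by four, giving the IP header length; @4 then loads the 32 bits four bytes into the TCP header, which is the sequence number. A packet too short for that load never matches, mirroring how the kernel treats an out-of-range load.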

Since 2013, instead of the xt_u32 module you can use the BPF module xt_bpf. Anyone who has read this far should already understand how it works: it runs BPF bytecode as an iptables rule. A new rule can be created, for example, like this:

iptables -A INPUT -m bpf --bytecode <bytecode> -j LOG

Here <bytecode> is code in the assembler-style format that bpf_asm produces by default, for example:

$ cat /tmp/test.bpf
ldb [9]
jneq #17, ignore
ret #1
ignore: ret #0

$ bpf_asm /tmp/test.bpf
4,48 0 0 9,21 0 1 17,6 0 0 1,6 0 0 0,

# iptables -A INPUT -m bpf --bytecode "$(bpf_asm /tmp/test.bpf)" -j LOG

In this example we filter all UDP packets. The context of a BPF program in the xt_bpf module points, naturally, to the packet data, which for iptables begins at the start of the IPv4 header. The return value of the BPF program is a boolean, where false means the packet did not match.

Obviously the xt_bpf module supports far more complex filters than the example above. Let us look at real examples from Cloudflare. Until recently they used the xt_bpf module to protect against DDoS. In the article Introducing the BPF Tools they describe how (and why) they generate BPF filters and publish links to a set of utilities for creating such filters. For example, with the bpfgen tool you can build a BPF program that matches a DNS query for the name habr.com:

$ ./bpfgen --assembly dns -- habr.com
ldx 4*([0]&0xf)
ld #20
add x
tax

lb_0:
    ld [x + 0]
    jneq #0x04686162, lb_1
    ld [x + 4]
    jneq #0x7203636f, lb_1
    ldh [x + 8]
    jneq #0x6d00, lb_1
    ret #65535

lb_1:
    ret #0

The program first puts into register X the start of the name \x04habr\x03com\x00 inside the UDP datagram and then checks the query: 0x04686162 <-> "\x04hab", and so on.
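As an added example (not code from the article, strace, bpfgen or the kernel), the following Python assembles and interprets the bpf_asm subset used on this page, so that the seccomp filter from the strace section, the UDP filter for xt_bpf and the bpfgen DNS filter above can all be executed against constructed inputs. The packets, the struct seccomp_data with syscall number 257 (openat on x86-64, which is also the assumed byte order) and the AUDIT_ARCH_X86_64 value are constructed or assumed sample inputs; qname_words() shows how the 32-bit constants in the DNS filter follow from the wire-format name.

```python
import re
import struct


def assemble(source):
    """Parse bpf_asm-style text into [(mnemonic, operand)] plus a label -> index map."""
    prog, labels = [], {}
    for raw in source.splitlines():
        line = raw.split(";")[0].strip()                 # ';' starts a bpf_asm comment
        m = re.match(r"^(\w+):\s*(.*)$", line)           # "label:" + optional instruction
        if m:
            labels[m.group(1)], line = len(prog), m.group(2).strip()
        if line:
            op, _, operand = line.partition(" ")
            prog.append((op, operand.replace(" ", "")))
    return prog, labels


def run(source, data, byteorder="big"):
    """Execute a classic BPF program over `data` and return its ret value.
    Packet filters read in network (big-endian) order; seccomp reads struct seccomp_data
    in native order, so pass byteorder="little" on x86-64 (assumed here).
    A load past the end of the data ends the program with 0, as the kernel does."""
    prog, labels = assemble(source)
    A = X = pc = 0

    def load(off, size):
        if off < 0 or off + size > len(data):
            raise IndexError(off)
        return int.from_bytes(data[off:off + size], byteorder)

    try:
        while True:
            op, arg = prog[pc]
            pc += 1
            if op in ("ld", "ldh", "ldb"):
                size = {"ld": 4, "ldh": 2, "ldb": 1}[op]
                if arg.startswith("#"):                   # immediate:  ld #20
                    A = int(arg[1:], 0)
                elif arg.startswith("[x+"):               # indirect:   ld [x + 4]
                    A = load(X + int(arg[3:-1], 0), size)
                else:                                     # absolute:   ldb [9]
                    A = load(int(arg[1:-1], 0), size)
            elif op == "ldx":                             # ldx 4*([0]&0xf): IPv4 header length
                k = int(re.fullmatch(r"4\*\(\[(\w+)\]&0xf\)", arg).group(1), 0)
                X = 4 * (load(k, 1) & 0xF)
            elif op == "add" and arg == "x":
                A = (A + X) & 0xFFFFFFFF
            elif op == "tax":
                X = A
            elif op == "jneq":                            # jneq #k, label
                k, target = arg.split(",")
                if A != int(k[1:], 0):
                    pc = labels[target]
            elif op == "ret":
                return int(arg[1:], 0)
            else:
                raise ValueError(f"unsupported instruction: {op} {arg}")
    except IndexError:
        return 0


# Constructed sample inputs (not real captures); packets start at the IPv4 header.
def ipv4_header(proto, total_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def dns_qname(name):
    """Wire-format DNS name: "habr.com" -> 04 68 61 62 72 03 63 6f 6d 00."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def qname_words(name):
    """The constants a bpfgen-style DNS filter compares: full 32-bit words, then the tail."""
    q = dns_qname(name)
    cut = len(q) // 4 * 4
    return [int.from_bytes(q[i:i + 4], "big") for i in range(0, cut, 4)], int.from_bytes(q[cut:], "big")


def dns_query_packet(name):
    """IPv4/UDP/DNS query for `name`: the question name starts at offset 20 + 8 + 12 = 40."""
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + dns_qname(name) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0)
    return ipv4_header(17, 28 + len(dns)) + udp + dns


def seccomp_data(nr, arch=0xC000003E):
    """struct seccomp_data {nr, arch, instruction_pointer, args[6]}; arch = AUDIT_ARCH_X86_64."""
    return struct.pack("<iIQ6Q", nr, arch, 0, *([0] * 6))


# The three programs from the page; X in the seccomp filter is 257 (openat on x86-64).
UDP_FILTER = "ldb [9]\njneq #17, ignore\nret #1\nignore: ret #0"
DNS_HABR_FILTER = """ldx 4*([0]&0xf)
ld #20
add x
tax
lb_0: ld [x + 0]
    jneq #0x04686162, lb_1
    ld [x + 4]
    jneq #0x7203636f, lb_1
    ldh [x + 8]
    jneq #0x6d00, lb_1
    ret #65535
lb_1: ret #0"""
SECCOMP_RET_TRACE, SECCOMP_RET_ALLOW = 0x7FF00000, 0x7FFF0000
SECCOMP_TRACE_OPENAT = "ld [0]\njneq #257, ignore\ntrace: ret #0x7ff00000\nignore: ret #0x7fff0000"
```

Running run(DNS_HABR_FILTER, dns_query_packet("habr.com")) returns 65535, a query for habr.org returns 0 at the second jneq, and a query truncated before the full name also returns 0 because the indirect load falls outside the packet; that last case is why an xt_bpf filter needs no separate length check for the bytes it compares. The seccomp filter evaluated over seccomp_data(257) returns SECCOMP_RET_TRACE and over any other number SECCOMP_RET_ALLOW.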

Some time later Cloudflare published the code of the p0f -> BPF compiler. The article Introducing the p0f BPF compiler describes p0f and how to turn p0f signatures into BPF:

$ ./bpfgen p0f -- 4:64:0:0:*,0::ack+:0
39,0 0 0 0,48 0 0 8,37 35 0 64,37 0 34 29,48 0 0 0,
84 0 0 15,21 0 31 5,48 0 0 9,21 0 29 6,40 0 0 6,
...

Cloudflare no longer uses xt_bpf, having moved to XDP, one of the ways of using the new version of BPF; see L4Drop: XDP DDoS Mitigations.

cls_bpf

The last example of classic BPF use in the kernel is the cls_bpf classifier for the Linux traffic control subsystem, the BPF counterpart of the cls_u32 classifier.

However, we will not describe how cls_bpf works, since from the classic BPF point of view it gives us nothing new: we already know all of its functionality. Besides, in the following articles about Extended BPF we will meet this classifier more than once.

Another reason not to discuss classic BPF with cls_bpf is that, compared with Extended BPF, its range of application here is much narrower: classic programs cannot modify packet contents and cannot keep state between invocations.

So it is time to part with classic BPF and look to the future.

Farewell to classic BPF

We have seen how the BPF technology, developed in the early nineties, lived on successfully for a quarter of a century and kept finding new applications right up to the end. However, much like the transition from stack machines to RISC that spurred the development of classic BPF, the 2000s saw the transition from 32-bit to 64-bit machines, and classic BPF began to grow obsolete. Moreover, the capabilities of classic BPF are very limited, quite apart from the dated architecture: we cannot keep state between invocations of a BPF program, there is no direct interaction with user space, there is no interaction with the kernel beyond reading a few fields of the sk_buff structure and invoking a few simple helper functions, and packet contents cannot be modified nor packets redirected.

In fact, at present all that remains of classic BPF in Linux is the API interface; inside the kernel every classic program, whether a socket filter or a seccomp filter, is automatically translated into the new format, Extended BPF. (We will discuss exactly how this happens in the next article.)

The move to the new architecture began in 2013, when Alexei Starovoitov proposed a scheme for reworking BPF. In 2014 the corresponding patches began to appear in the kernel. As I understand it, the initial plan was only to optimise the architecture and the JIT compiler for more efficient operation on 64-bit machines, but in fact this optimisation became the start of a new chapter in Linux development.

The next articles in this series will describe the architecture and applications of the new technology, originally known as internal BPF, then extended BPF, and now simply BPF.

Links

  1. Steven McCanne and Van Jacobson, "The BSD Packet Filter: A New Architecture for User-level Packet Capture", https://www.tcpdump.org/papers/bpf-usenix93.pdf
  2. Steven McCanne, "libpcap: An Architecture and Optimization Methodology for Packet Capture", https://sharkfestus.wireshark.org/sharkfest.11/presentations/McCanne-Sharkfest'11_Keynote_Address.pdf
  3. tcpdump, libpcap: https://www.tcpdump.org/
  4. IPtable U32 Match Tutorial.
  5. BPF - the forgotten bytecode: https://blog.cloudflare.com/bpf-the-forgotten-bytecode/
  6. Introducing the BPF Tools: https://blog.cloudflare.com/introducing-the-bpf-tools/
  7. bpf_cls: http://man7.org/linux/man-pages/man8/tc-bpf.8.html
  8. A short summary: https://lwn.net/Articles/656307/
  9. https://github.com/torvalds/linux/blob/master/Documentation/userspace-api/seccomp_filter.rst
  10. habr: Containers and security: seccomp
  11. habr: Isolating daemons with systemd, or "you don't need Docker for this!"
  12. Paul Chaignon, "strace --seccomp-bpf: a look under the hood", https://fosdem.org/2020/schedule/event/debugging_strace_bpf/
  13. netsniff-ng: http://netsniff-ng.org/

Source: www.habr.com
