Berkeley Packet Filters (BPF) is a Linux kernel technology that has been on the front pages of English-language technical publications for several years now. Conferences are full of talks about using and developing BPF. David Miller, the Linux networking maintainer, titles his Linux Plumbers 2018 talk "This talk is not about XDP" (XDP is one of the uses of BPF). Brendan Gregg gives talks titled Linux BPF Superpowers. Toke Høiland-Jørgensen jokes that the kernel is now a microkernel. Thomas Graf promotes the idea that BPF is the JavaScript of the kernel.
The development of BPF is driven by the Linux networking community, and most existing uses of BPF are related to networking, so, with the permission of @eucariot, I have called this series "BPF for the little ones", in honor of the great series "Networks for the little ones".
A short course in the history of BPF (c)
Modern BPF is an improved and extended version of an older technology of the same name, which is now called classic BPF to avoid confusion. The well-known utility tcpdump, the seccomp mechanism, and the less well-known modules xt_bpf for iptables and the cls_bpf classifier were built on classic BPF. In modern Linux, classic BPF programs are automatically translated into the new form; from the user's point of view, however, the API has stayed in place, and new uses of classic BPF, as we will see in this article, still appear. For this reason, and because following the history of classic BPF in Linux makes it clearer how and why it evolved into its modern form, I decided to begin with an article about classic BPF.
At the end of the eighties of the last century, researchers at the famous Lawrence Berkeley Laboratory became interested in how to filter network packets properly on hardware that was modern at the end of the eighties. The basic idea of filtering, first implemented in CSPF (the CMU/Stanford Packet Filter), was to discard unwanted packets as early as possible, i.e. in kernel space, since this avoids copying unnecessary data into user space. To run user-supplied code safely inside the kernel, a sandboxed virtual machine was used.
However, the virtual machines of the existing filters were designed for stack machines and ran poorly on the new RISC machines. As a result, through the efforts of the Berkeley Labs engineers, a new technology, BPF (Berkeley Packet Filters), was developed, whose virtual machine architecture was modeled on the 6502 processor (a MOS Technology design, the workhorse of products such as the Apple II and the NES). The new virtual machine improved filter performance tens of times compared with the existing solutions.
BPF machine architecture
We will get to know the architecture hands-on, by working through examples. To begin with, though, let us say that the machine had two user-visible 32-bit registers, the accumulator A and the index register X, 64 bytes of memory (16 words) available for writing and subsequent reading, and a small instruction set for working with these objects. Jump instructions for implementing conditional expressions were also available to programs, but to guarantee that a program terminates in bounded time, jumps could only go forward; in particular, it was impossible to create loops.
The general scheme of running the machine is as follows. The user writes a program for the BPF architecture and, using some kernel mechanism (for example, a system call), loads it and attaches it to some event generator in the kernel (for example, the event "the next packet has arrived on a network card"). When the event fires, the kernel runs the program (for example, in an interpreter), and the machine's memory corresponds to some region of kernel memory (for example, the data of the incoming packet).
This is enough for us to start looking at examples; we will get to know the instruction set and instruction format as we go. If you want to study the instruction set of the virtual machine right away and learn about all of its capabilities, you can read the original paper The BSD Packet Filter and/or the first half of the file Documentation/networking/filter.txt from the kernel documentation. You may also want to look at the presentation libpcap: An Architecture and Optimization Methodology for Packet Capture, in which McCanne, one of the authors of BPF, talks about the history of libpcap.
The development of BPF went hand in hand with the development of a front end for packet filtering, the well-known tcpdump utility. Since it is the oldest and best-known user of classic BPF, available on many operating systems, we will begin our study of the technology with it.
(I ran all the examples in this article on Linux 5.6.0-rc6. The output of some commands has been edited for readability.)
Example: watching IPv6 packets
Suppose we want to see all IPv6 packets on the interface eth0. To do that we can run tcpdump with the simple filter ip6:
$ sudo tcpdump -i eth0 ip6
Here tcpdump compiles the filter ip6 into BPF bytecode and sends it to the kernel (details are in the section Tcpdump: loading). The loaded filter is run on every packet passing through the interface eth0. If the filter returns a nonzero value n, then up to n bytes of the packet are copied to user space and we see it in the tcpdump output.
It turns out we can easily see which bytecode tcpdump sent to the kernel, with the help of tcpdump itself, by running it with the -d option:
$ sudo tcpdump -i eth0 -d ip6
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 3
(002) ret #262144
(003) ret #0
On line zero we execute the instruction ldh [12], which means "load into register A the half word (16 bits) located at address 12"; the only question is which memory we are addressing. The answer is that address x refers to the (x+1)-th byte of the packet being examined. We read packets from the Ethernet interface eth0, which means the packet looks like this (for simplicity we assume there are no VLAN tags in the packet):
       6              6            2
|Destination MAC|Source MAC|Ether Type|...|
So after executing ldh [12], register A holds the Ether Type field, the type of the packet carried in the Ethernet frame. On line 1 we compare the contents of register A (the packet type) with 0x86dd, which is the type we are interested in, IPv6. On line 1, besides the comparison itself, there are two more columns, jt 2 and jf 3: the labels to jump to if the comparison succeeds (A == 0x86dd) and if it fails. So on success (IPv6) we go to line 2, and on failure to line 3. On line 3 the program ends with the value 0 (do not copy the packet); on line 2 the program ends with the value 262144 (copy the packet for me, up to 256 kilobytes of it).
A more complex example: watching TCP packets by destination port
Let us look at the filter that copies all TCP packets with destination port 666. We will consider the IPv4 case, since the IPv6 case is simpler. After studying this example you can work through the IPv6 filter yourself as an exercise (ip6 and tcp dst port 666), as well as the filter for the general case (tcp dst port 666). So, the filter we are interested in looks like this:
$ sudo tcpdump -i eth0 -d ip and tcp dst port 666
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 10
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 10
(004) ldh [20]
(005) jset #0x1fff jt 10 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldh [x + 16]
(008) jeq #0x29a jt 9 jf 10
(009) ret #262144
(010) ret #0
We already know what lines 0 and 1 do. By line 2 we have established that this is an IPv4 packet (Ether Type = 0x800), and we load into register A the byte at offset 23, the 24th byte of the packet. Since the Ethernet header occupies 14 bytes and the Protocol field sits at offset 9 within the IPv4 header (after version/IHL, ToS, total length, identification, flags/fragment offset and TTL), byte 23 is the Protocol field of the IP header. This is logical, since we only want to copy TCP packets. On line 3 we compare Protocol with 0x6 (IPPROTO_TCP).
On lines 4 and 5 we load the half word at offset 20, that is, bytes 6 and 7 of the IPv4 header, which hold the three flag bits followed by the 13-bit fragment offset, and test it with the jset instruction against the mask 0x1fff. jset jumps to jt when (A & mask) is nonzero, so the mask discards the three flag bits and the test fires exactly when the fragment offset is nonzero: the packet is the second or later fragment of a fragmented datagram and does not carry a TCP header at all, so there is no port to compare and line 10 drops it. An unfragmented packet or a first fragment (offset 0) goes on to line 6.
Line 6 is the most interesting one in this listing. The expression ldxb 4*([14]&0xf) means: load into register X the four least significant bits of the fifteenth byte of the packet, multiplied by 4. The four least significant bits of the fifteenth byte are the Internet Header Length field of the IPv4 header, which stores the header length in 32-bit words, hence the multiplication by 4. Curiously, 4*([14]&0xf) is the notation of a special addressing mode that can be used only in exactly this form and only with register X: we cannot write ldb 4*([14]&0xf), nor ldxb 5*([14]&0xf) (only the offset may vary, e.g. ldxb 4*([16]&0xf)). Evidently this addressing mode was added to BPF precisely to get the IPv4 header length into X, the index register.
So on line 7 we load the half word at address (X+16). Remembering that the first 14 bytes are the Ethernet header and that X holds the length of the IPv4 header, we see that A now contains the TCP destination port:
       14           X          2           2
|ethernet header|ip header|source port|destination port|
Finally, on line 8 we compare the destination port with the value we want, and on line 9 or 10 we return the result: copy the packet or not.
Tcpdump: loading
In the previous examples we deliberately did not go into how exactly the BPF bytecode is loaded into the kernel for packet filtering. Generally speaking, tcpdump is ported to many systems, and to work with filters it uses the libpcap library. In short, to attach a filter to an interface with libpcap you need to:
create a descriptor of type pcap_t from the interface name: pcap_create,
In the first two lines of the output we create a raw socket for reading all Ethernet frames and bind it to the interface eth0. From our first example we know that the filter ip consists of four BPF instructions, and in the third line we see how, with the SO_ATTACH_FILTER option of the setsockopt system call, a filter of length 4 is loaded and attached. This is our filter.
It is worth noting that in classic BPF loading and attaching a filter always happens as one atomic operation, whereas in the new version of BPF loading a program and attaching it to an event generator are separated in time.
For more on using setsockopt to attach filters see socket(7); writing your own filters as a struct sock_fprog without the help of tcpdump is discussed in the section Creating BPF by hand.
Classic BPF in the 21st century
BPF was included in Linux in 1997 and for a long time remained the workhorse of libpcap without any particular changes (Linux-specific changes existed, of course, but they did not alter the overall picture). The first serious sign that BPF would evolve came in 2011, when Eric Dumazet proposed a patch adding a Just In Time compiler to the kernel: a translator that converts BPF bytecode into native x86_64 code.
The JIT compiler was the first in a chain of changes: in 2012 it became possible to write seccomp filters using BPF, in January 2013 the xt_bpf module was added, which lets you write iptables rules with BPF, and in October 2013 the cls_bpf module was added, which lets you write traffic classifiers with BPF.
Let us get to know the binary format of BPF instructions; it is very simple:
   16     8    8      32
| code | jt | jf |    k    |
Each instruction occupies 64 bits: the first 16 bits are the instruction code, then come two eight-bit offsets, jt and jf, and then 32 bits for the argument K, whose meaning varies from instruction to instruction. For example, the instruction ret, which terminates the program, has code 6, and the return value is taken from the constant K. In C a single BPF instruction is represented by the structure
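To make the encoding above concrete, and to check the walk-through of the two tcpdump listings from the earlier sections, here is an added example that is not part of the original article: a small interpreter for the classic BPF machine in C. The opcode field values are those of the kernel's linux/bpf_common.h, reproduced inline so the file builds without kernel headers, and the instruction struct has the layout of the kernel's struct sock_filter. One detail worth knowing before hand-encoding a program: tcpdump -d prints absolute jump targets, whereas jt and jf in the kernel format are offsets relative to the next instruction, so "jeq #0x800 jt 2 jf 10" on line 1 is stored as jt=0, jf=8. The frames the filter runs over are constructed in the code, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Classic BPF opcode fields; values identical to the kernel's linux/bpf_common.h. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03, BPF_ALU = 0x04,
       BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MISC = 0x07 };                        /* class, bits 0-2 */
enum { BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10 };                               /* load size, bits 3-4 */
enum { BPF_IMM = 0x00, BPF_ABS = 0x20, BPF_IND = 0x40, BPF_MEM = 0x60,
       BPF_LEN = 0x80, BPF_MSH = 0xa0 };                                          /* addressing mode, bits 5-7 */
enum { BPF_ADD = 0x00, BPF_SUB = 0x10, BPF_MUL = 0x20, BPF_DIV = 0x30, BPF_OR = 0x40,
       BPF_AND = 0x50, BPF_LSH = 0x60, BPF_RSH = 0x70, BPF_NEG = 0x80, BPF_MOD = 0x90,
       BPF_XOR = 0xa0, BPF_JA = 0x00, BPF_JEQ = 0x10, BPF_JGT = 0x20, BPF_JGE = 0x30,
       BPF_JSET = 0x40 };                                                         /* ALU / jump op, bits 4-7 */
enum { BPF_K = 0x00, BPF_X = 0x08, BPF_A = 0x10, BPF_TAX = 0x00, BPF_TXA = 0x80 }; /* operand source, ret value, misc op */

struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };  /* same layout as the kernel's struct */

/* Big-endian load of 1, 2 or 4 bytes at off. A load outside the packet ends the program with 0, as in the kernel. */
static int load(const uint8_t *p, size_t len, uint32_t off, int size, uint32_t *out) {
    size_t n = size == BPF_W ? 4 : size == BPF_H ? 2 : 1;
    if (off > len || len - off < n) return 0;
    *out = 0;
    for (size_t i = 0; i < n; i++) *out = (*out << 8) | p[off + i];
    return 1;
}

/* Execute prog over pkt; the result is what a socket filter returns: 0 = drop, n = copy up to n bytes. */
uint32_t cbpf_run(const struct sock_filter *prog, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t A = 0, X = 0, M[16] = {0};        /* accumulator, index register, 16 words of scratch memory */
    for (size_t pc = 0; pc < n;) {
        const struct sock_filter *in = &prog[pc++];
        uint32_t k = in->k, src = (in->code & 0x08) ? X : k;   /* BPF_X selects X as the second operand */
        uint32_t *dst = (in->code & 0x07) == BPF_LDX ? &X : &A; /* ld writes A, ldx writes X */
        int taken = 0;
        switch (in->code & 0x07) {
        case BPF_LD: case BPF_LDX:
            switch (in->code & 0xe0) {
            case BPF_IMM: *dst = k; break;
            case BPF_LEN: *dst = (uint32_t)len; break;
            case BPF_MEM: *dst = M[k & 15]; break;
            case BPF_ABS: if (!load(pkt, len, k, in->code & 0x18, dst)) return 0; break;     /* ld [k]     */
            case BPF_IND: if (!load(pkt, len, X + k, in->code & 0x18, dst)) return 0; break; /* ld [x + k] */
            case BPF_MSH: if (!load(pkt, len, k, BPF_B, dst)) return 0; *dst = (*dst & 0xf) * 4; break; /* ldxb 4*([k]&0xf) */
            default: return 0;
            }
            break;
        case BPF_ST:  M[k & 15] = A; break;
        case BPF_STX: M[k & 15] = X; break;
        case BPF_ALU:
            switch (in->code & 0xf0) {
            case BPF_ADD: A += src; break;          case BPF_SUB: A -= src; break;
            case BPF_MUL: A *= src; break;          case BPF_OR:  A |= src; break;
            case BPF_AND: A &= src; break;          case BPF_XOR: A ^= src; break;
            case BPF_LSH: A <<= (src & 31); break;  case BPF_RSH: A >>= (src & 31); break;
            case BPF_NEG: A = 0u - A; break;
            case BPF_DIV: if (!src) return 0; A /= src; break;   /* division by zero ends the program */
            case BPF_MOD: if (!src) return 0; A %= src; break;
            default: return 0;
            }
            break;
        case BPF_JMP:
            switch (in->code & 0xf0) {
            case BPF_JA:   pc += k; continue;
            case BPF_JEQ:  taken = A == src; break;
            case BPF_JGT:  taken = A > src;  break;
            case BPF_JGE:  taken = A >= src; break;
            case BPF_JSET: taken = (A & src) != 0; break;
            default: return 0;
            }
            pc += taken ? in->jt : in->jf;   /* offsets from the next instruction; forward only, so no loops */
            break;
        case BPF_RET:
            return (in->code & 0x18) == BPF_A ? A : (in->code & 0x18) == BPF_X ? X : k;
        case BPF_MISC:
            if ((in->code & 0xf8) == BPF_TXA) A = X; else X = A;
            break;
        }
    }
    return 0;
}

/* "ip and tcp dst port 666" as tcpdump -d printed it, with absolute jump targets turned into relative offsets. */
static const struct sock_filter tcp_dst_666[] = {
    { BPF_LD  | BPF_H | BPF_ABS,  0, 0, 12     },  /* (000) ldh [12]                */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 8, 0x800  },  /* (001) jeq #0x800 jt 2 jf 10   */
    { BPF_LD  | BPF_B | BPF_ABS,  0, 0, 23     },  /* (002) ldb [23]                */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 6, 6      },  /* (003) jeq #0x6 jt 4 jf 10     */
    { BPF_LD  | BPF_H | BPF_ABS,  0, 0, 20     },  /* (004) ldh [20]                */
    { BPF_JMP | BPF_JSET | BPF_K, 4, 0, 0x1fff },  /* (005) jset #0x1fff jt 10 jf 6 */
    { BPF_LDX | BPF_B | BPF_MSH,  0, 0, 14     },  /* (006) ldxb 4*([14]&0xf)       */
    { BPF_LD  | BPF_H | BPF_IND,  0, 0, 16     },  /* (007) ldh [x + 16]            */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 1, 0x29a  },  /* (008) jeq #0x29a jt 9 jf 10   */
    { BPF_RET | BPF_K,            0, 0, 262144 },  /* (009) ret #262144             */
    { BPF_RET | BPF_K,            0, 0, 0      },  /* (010) ret #0                  */
};

/* Constructed input (not captured traffic): Ethernet/IPv4/TCP with the given IP header length in
 * 32-bit words (5 = no options), 13-bit fragment offset and TCP destination port; all else zero. */
size_t build_frame(uint8_t *buf, unsigned ihl, unsigned frag_off, uint16_t dport) {
    size_t len = 14 + ihl * 4 + 20;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;                               /* Ether Type = IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x40 | (ihl & 0xf);                                   /* version 4, IHL */
    ip[6] = (frag_off >> 8) & 0x1f; ip[7] = frag_off & 0xff;      /* flags = 0, fragment offset */
    ip[9] = 6;                                                    /* protocol = TCP */
    ip[ihl * 4 + 2] = dport >> 8; ip[ihl * 4 + 3] = dport & 0xff; /* TCP destination port */
    return len;
}

/* Run the filter over such a frame and return the filter's verdict. */
uint32_t filter_tcp_frame(unsigned ihl, unsigned frag_off, uint16_t dport) {
    uint8_t buf[128];
    size_t len = build_frame(buf, ihl & 0xf, frag_off, dport);
    return cbpf_run(tcp_dst_666, sizeof tcp_dst_666 / sizeof *tcp_dst_666, buf, len);
}
```

A frame with IP options (IHL 6) still matches, which is the whole point of the ldxb 4*([14]&0xf) addressing mode, while a second fragment of the same connection does not, because the jset on line 5 sends it straight to ret #0. A frame truncated before byte 23 also returns 0: the kernel treats an out-of-bounds load as "drop", which is why a filter never has to check the packet length itself.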
However, this approach is not the most convenient. The Linux kernel developers thought so too, which is why in the kernel's tools/bpf directory you can find an assembler and a debugger for working with classic BPF.
The assembly language is very similar to the tcpdump disassembler output, except that we can also use symbolic labels. For example, here is a program that drops all packets except TCP/IPv4:
$ cat /tmp/tcp-over-ipv4.bpf
ldh [12]
jne #0x800, drop
ldb [23]
jneq #6, drop
ret #-1
drop: ret #0
By default the assembler emits code in the form <number of instructions>,<code1> <jt1> <jf1> <k1>,..., so for our TCP example it will be
Besides standard BPF, Linux and tools/bpf/bpf_asm support non-standard extensions. Mostly these instructions are used to access fields of struct sk_buff, the structure describing a network packet inside the kernel. There are also other kinds of helper instructions; for example, ldw cpu loads into register A the result of the kernel function raw_smp_processor_id(). (In the new version of BPF these non-standard extensions were expanded into a set of kernel helpers that programs call to work with memory and data structures and to generate events.) An interesting example of a filter is one that copies only packet headers to user space, using the poff (payload offset) extension:
ld poff
ret a
BPF extensions cannot be used from tcpdump, but this is a good reason to get to know the netsniff-ng package, which, among other things, contains the advanced sniffer netsniff-ng, which besides BPF filtering also has an efficient traffic generator, and a BPF assembler more advanced than tools/bpf/bpf_asm, called bpfc. The package is well documented; see also the links at the end of the article.
seccomp
So, we already know how to write BPF programs of arbitrary complexity and are ready to look at new examples, the first of which is seccomp, a mechanism that uses BPF filters to control the set of system calls, and the ranges of their arguments, available to a given process and its descendants.
The first version of seccomp was added to the kernel in 2005 and was not very popular, since it offered only one option: restricting the system calls available to the process to read, write, exit and sigreturn, and a process that broke the rules was killed with SIGKILL. In 2012, however, seccomp gained the ability to use BPF filters, letting you define the set of allowed system calls and even check their arguments. (Curiously, Chrome was one of the first users of this feature, and the Chrome people are currently developing the KRSI mechanism, which is based on the new version of BPF and allows Linux Security Modules to be customized.) Links to further documentation are at the end of the article.
Note that there have already been articles on Habr about using seccomp; some readers may want to read them before (or instead of) the following subsections. The article Containers and security: seccomp gives examples of using seccomp, both the original strict version and the BPF version (with filters generated using libseccomp), discusses the connection between seccomp and Docker, and provides many useful links. The article Isolating daemons with systemd, or "you don't need Docker for this!" covers, among other things, how to add system call blacklists or whitelists for daemons run by systemd.
Next we will look at how to write and load seccomp filters in plain C and with the libseccomp library, and at the pros and cons of each approach, and finally at how seccomp is used by strace.
Writing and loading seccomp filters
We already know how to write BPF programs, so let us first look at the seccomp programming interface. A filter is installed at the process level, and all child processes inherit the restrictions. This is done with the seccomp(2) system call:
seccomp(SECCOMP_SET_MODE_FILTER, flags, &filter)
where &filter is a pointer to the structure we already know, struct sock_fprog, i.e. a BPF program.
How do seccomp programs differ from socket programs? In the context they are given. For sockets we were given a memory region containing the packet; for seccomp we are given a structure like
where nr is the number of the system call about to be executed, arch is the current architecture (more on this below), args are the up to six arguments of the system call, and instruction_pointer is a pointer to the user-space instruction that made the system call. So, for example, to load the system call number into register A we write
There are other peculiarities of seccomp programs. For example, the context is only accessible at 32-bit alignment and a half word or a byte cannot be loaded: an attempt to load the filter ldh [0] makes the seccomp system call return EINVAL. Loaded filters are checked by the kernel function seccomp_check_filter(). (Curiously, in the original patch set adding seccomp filters, the authors forgot to let this function accept the mod instruction (remainder of division), and it remains unavailable in seccomp BPF programs, since adding it now would break the ABI.)
Essentially we already know everything needed to write and read seccomp programs. Usually the program logic is organized as a whitelist or blacklist of system calls; for example, the program
ld [0]
jeq #304, bad
jeq #176, bad
jeq #239, bad
jeq #279, bad
good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
bad: ret #0
checks a blacklist of four system calls with numbers 304, 176, 239, 279. Which system calls are these? We cannot say for certain, because we do not know which architecture the program was written for. That is why the seccomp authors recommend starting every program with an architecture check (the architecture is exposed in the context as the arch field of struct seccomp_data). With the architecture check, the beginning of the example looks like this:
ld [4]
jne #0xc000003e, bad_arch ; SCMP_ARCH_X86_64
When the list is long, the checks can be arranged as a binary search on the call number; for example, here is the output of a generator script for a blacklist of the calls 1, 3, 6, 8, 13:
$ echo 1 3 6 8 13 | ./generate_bin_search_bpf.py
ld [0]
jeq #6, bad
jgt #6, check8
jeq #1, bad
jeq #3, bad
ret #0x7fff0000
check8:
jeq #8, bad
jeq #13, bad
ret #0x7fff0000
bad: ret #0
Nothing cleverer can be written, because BPF programs cannot perform indirect jumps (there is no jmp A or jmp [label+X]), so all control transfers are static.
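The blacklist program above, built and installed from C without libseccomp, as an added example that is not the article's code. build_blacklist emits exactly the shape of the listing: an architecture check first, one jeq per blacklisted call, then ret SECCOMP_RET_ALLOW and a kill; the only difference from the listing is that it returns SECCOMP_RET_KILL_PROCESS rather than ret #0, which is SECCOMP_RET_KILL and kills only the calling thread. The jump offsets are the kernel's relative ones. The 32-bit loads at offsets 0 and 4 are offsetof(struct seccomp_data, nr) and offsetof(struct seccomp_data, arch), so the restriction to word-sized loads from the text is respected. The installer uses syscall(SYS_seccomp, ...) as in the text because glibc has no seccomp() wrapper; the calls chosen for the demonstration in main (chroot and mount) and the two supported architectures are assumptions of the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U  /* pre-4.14 headers only know SECCOMP_RET_KILL (thread) */
#endif
#if defined(__x86_64__)
#define HOST_AUDIT_ARCH AUDIT_ARCH_X86_64     /* 0xc000003e, the value checked in the listing above */
#elif defined(__aarch64__)
#define HOST_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_BLACKLIST 32

/* Layout for n blacklisted calls (indexes on the left), mirroring the listing in the text:
 *   0: ld [4] (arch)   1: jeq #arch jt 0 jf n+2       -> kill if the architecture is wrong
 *   2: ld [0] (nr)     3+k: jeq #nrs[k] jt n-k jf 0   -> kill on a listed call, k = 0..n-1
 *   n+3: ret ALLOW     n+4: ret KILL_PROCESS
 * Returns the instruction count, or 0 if the list is too long for 8-bit jump offsets. */
size_t build_blacklist(struct sock_filter *prog, uint32_t arch, const int *nrs, size_t n) {
    if (n > MAX_BLACKLIST) return 0;
    size_t i = 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 0, (uint8_t)(n + 2));
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[k], (uint8_t)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Install the blacklist for this process and everything it will fork or exec. Returns 0 or -1 with errno. */
int install_blacklist(const int *nrs, size_t n) {
    struct sock_filter insns[MAX_BLACKLIST + 5];
    struct sock_fprog prog = { .len = (unsigned short)build_blacklist(insns, HOST_AUDIT_ARCH, nrs, n),
                               .filter = insns };
    if (prog.len == 0) { errno = EINVAL; return -1; }
    /* An unprivileged process may only install a filter after giving up the right to gain privileges
     * (setuid execs); otherwise a filter could alter the behaviour of a setuid binary. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
}

/* The text's example: calls 304, 176, 239, 279 on x86_64, built into a global so its layout can be inspected. */
struct sock_filter page_example[MAX_BLACKLIST + 5];
size_t build_page_example(void) {
    const int nrs[] = { 304, 176, 239, 279 };
    return build_blacklist(page_example, AUDIT_ARCH_X86_64, nrs, 4);
}

int main(void) {
    const int banned[] = { SYS_chroot, SYS_mount };   /* assumption of the example: two calls a daemon rarely needs */
    if (install_blacklist(banned, 2) != 0) { perror("install_blacklist"); return 1; }
    puts("filter installed; chroot() will now kill the process instead of returning EPERM");
    chroot("/");                                      /* SECCOMP_RET_KILL_PROCESS: this call never returns */
    return 0;
}
```

Two things the listing in the text does not show but a production filter needs: on x86_64 a process can also make x32 ABI calls, whose numbers carry bit 30 (0x40000000) set, so a blacklist keyed on plain numbers should reject those too; and a kill verdict is preferable to a silent EPERM during development only if you also log it, which the seccomp audit messages in dmesg provide.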
seccomp and strace
Everyone knows the strace utility, an indispensable tool for studying the behaviour of processes on Linux. Many have also heard about its performance problems, however. The reason is that strace is implemented with ptrace(2), and in that mechanism we cannot say which system calls we need to stop at; for example, the commands
$ time strace du /usr/share/ >/dev/null 2>&1
real 0m3.081s
user 0m0.531s
sys 0m2.073s
and
$ time strace -e open du /usr/share/ >/dev/null 2>&1
real 0m2.404s
user 0m0.193s
sys 0m1.800s
The new option --seccomp-bpf, added in strace version 5.3, speeds this up many times over, and the run time with tracing of a single call is now comparable with the normal run time:
$ time strace --seccomp-bpf -e open du /usr/share/ >/dev/null 2>&1
real 0m0.148s
user 0m0.017s
sys 0m0.131s
$ time du /usr/share/ >/dev/null 2>&1
real 0m0.140s
user 0m0.024s
sys 0m0.116s
It loads 32 bits of the IP header starting at offset 6 and applies the mask 0xFF to them (taking the low byte). That field is the protocol field of the IP header, and it is compared with 1 (ICMP). Several checks can be combined in one rule, and there is also the @ operator, which shifts the offset by X bytes to the right. For example, the rule
In this example we filter all UDP packets. The context of a BPF program in the xt_bpf module is, of course, the packet data, which, as in iptables, begins at the IPv4 header. The return value of the BPF program is a boolean, where false means the packet did not match.
Obviously the xt_bpf module supports much more complex filters than the example above. Let us look at real examples from Cloudflare. Until recently they used the xt_bpf module for DDoS protection. In the article Introducing the BPF Tools they describe how (and why) they generate BPF filters and link to a set of utilities for building such filters. For example, with the bpfgen utility you can produce a BPF program that matches a DNS query for the name habr.com:
$ ./bpfgen --assembly dns -- habr.com
ldx 4*([0]&0xf)
ld #20
add x
tax
lb_0:
ld [x + 0]
jneq #0x04686162, lb_1
ld [x + 4]
jneq #0x7203636f, lb_1
ldh [x + 8]
jneq #0x6d00, lb_1
ret #65535
lb_1:
ret #0
In this program we first load into register X the position of the name \x04habr\x03com\x00 inside the UDP datagram and then check the query word by word: 0x04686162 <-> "\x04hab", and so on.
Some time later Cloudflare published the code of a p0f -> BPF compiler. In the article Introducing the p0f BPF compiler they talk about p0f and about how p0f signatures are converted into BPF:
These days Cloudflare no longer uses xt_bpf, having moved to XDP, one of the uses of the new version of BPF; see L4Drop: XDP DDoS Mitigations.
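The program bpfgen printed above follows a simple recipe, and reproducing it shows where each immediate comes from. Here is an added example in C, not Cloudflare's bpfgen code: it encodes a name in DNS wire format (length-prefixed labels, terminated by a zero byte), then emits the same assembly, with the prologue copied from the listing (X = IPv4 header length; A = 20 = 8 bytes of UDP header + 12 bytes of DNS header; tax, so X+0 is the first byte of the question name), a comparison per 4-, 2- or 1-byte chunk, and the same return values (65535 = match, 0 = no match, since xt_bpf treats a nonzero result as true). For "habr.com" it produces the three immediates 0x04686162, 0x7203636f and 0x6d00 seen above. The input name is a constructed example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode "habr.com" as the DNS wire form \x04habr\x03com\x00. Returns the length written,
 * or 0 for an empty or over-long (> 63 bytes) label or when the buffer is too small. */
size_t dns_wire_name(const char *name, uint8_t *out, size_t cap) {
    size_t n = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t lab = dot ? (size_t)(dot - name) : strlen(name);
        if (lab == 0 || lab > 63 || n + 1 + lab + 1 > cap) return 0;
        out[n++] = (uint8_t)lab;                 /* label length prefix */
        memcpy(out + n, name, lab); n += lab;    /* label bytes, compared byte-exact by the filter */
        name += lab + (dot ? 1 : 0);
    }
    if (n + 1 > cap) return 0;
    out[n++] = 0;                                /* root label terminates the name */
    return n;
}

/* Big-endian value of the width-byte chunk at off, i.e. the immediate of the jneq at that offset. */
uint32_t chunk_value(const uint8_t *p, size_t off, size_t width) {
    uint32_t v = 0;
    for (size_t i = 0; i < width; i++) v = (v << 8) | p[off + i];
    return v;
}

/* The immediate that the generated filter compares against at offset off of the encoded name,
 * or 0 if the name is invalid or the chunk does not fit inside it. */
uint32_t dns_name_chunk(const char *name, size_t off, size_t width) {
    uint8_t wire[256];
    size_t len = dns_wire_name(name, wire, sizeof wire);
    if (len == 0 || off + width > len) return 0;
    return chunk_value(wire, off, width);
}

/* Emit the matcher in bpf_asm syntax: the prologue from the listing, then ld/ldh/ldb chunks. */
int gen_dns_filter(const char *name, FILE *out) {
    uint8_t wire[256];
    size_t len = dns_wire_name(name, wire, sizeof wire);
    if (len == 0) return -1;
    fprintf(out, "ldx 4*([0]&0xf)\nld #20\nadd x\ntax\nlb_0:\n");   /* X = IP header length + UDP (8) + DNS (12) */
    for (size_t off = 0; off < len;) {
        size_t width = len - off >= 4 ? 4 : len - off >= 2 ? 2 : 1;  /* longest load that still fits */
        const char *op = width == 4 ? "ld" : width == 2 ? "ldh" : "ldb";
        fprintf(out, "%s [x + %zu]\njneq #0x%0*x, lb_1\n", op, off, (int)(width * 2), chunk_value(wire, off, width));
        off += width;
    }
    fprintf(out, "ret #65535\nlb_1:\nret #0\n");
    return 0;
}
```

Two limits of the generated matcher are worth keeping in mind before deploying it as a DDoS rule: it compares bytes exactly, so a query for HABR.com (DNS names are case-insensitive) does not match, and it only inspects the first question, at the fixed offset right after the DNS header; a non-first IPv4 fragment has no UDP header at all, so for fragmented traffic a fragment-offset check like the one in the tcpdump example belongs in front of it.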
cls_bpf
The last example of using classic BPF in the kernel is the cls_bpf classifier for the Linux traffic control subsystem, a BPF-based alternative to the cls_u32 classifier.
We will not describe how cls_bpf is used, however, since from the point of view of classic BPF it would teach us nothing new: we are already familiar with all the functionality. Besides, in the following articles about Extended BPF we will meet this classifier more than once.
Another reason not to talk about using classic BPF with cls_bpf is that, compared with Extended BPF, its range of application is much narrower: classic programs cannot modify the contents of packets and cannot keep state between invocations.
So it is time to say goodbye to classic BPF and look to the future.
Farewell to classic BPF
We have seen how the BPF technology, developed at the start of the nineties, lived successfully for a quarter of a century and right up to the end kept finding new applications. But just as the move from stack machines to RISC gave rise to classic BPF, in the 2000s the move from 32-bit to 64-bit machines began, and classic BPF started to show its age. On top of that, the capabilities of classic BPF are very limited, and beyond the outdated architecture there are many things we cannot do: a BPF program cannot keep state between invocations, there is no direct way to interact with user space and no way to interact with the kernel beyond reading a few fields of struct sk_buff and calling simple helpers, and a program cannot modify the contents of a packet or redirect it.
In fact, all that is left of classic BPF in Linux today is the API: inside the kernel, every classic program, whether a socket filter or a seccomp filter, is automatically translated into the new form, Extended BPF. (Exactly how this happens is the subject of the next article.)
The move to the new architecture began in 2013, when Alexei Starovoitov proposed a scheme for modernizing BPF. In 2014 the corresponding patches began to appear in the kernel. As far as I understand, the initial plan was only to optimize the architecture and the JIT compiler for 64-bit machines, but in the end this optimization became the start of a new chapter in Linux development.
The following articles in this series will describe the architecture and uses of the new technology, first known as internal BPF, then as extended BPF, and now simply as BPF.
References
Steven McCanne and Van Jacobson, "The BSD Packet Filter: A New Architecture for User-level Packet Capture", https://www.tcpdump.org/papers/bpf-usenix93.pdf
Steven McCanne, "libpcap: An Architecture and Optimization Methodology for Packet Capture", https://sharkfestus.wireshark.org/sharkfest.11/presentations/McCanne-Sharkfest'11_Keynote_Address.pdf