summaryrefslogtreecommitdiff
path: root/bpfc.8
diff options
context:
space:
mode:
Diffstat (limited to 'bpfc.8')
-rw-r--r--bpfc.8320
1 files changed, 320 insertions, 0 deletions
diff --git a/bpfc.8 b/bpfc.8
new file mode 100644
index 0000000..622014c
--- /dev/null
+++ b/bpfc.8
@@ -0,0 +1,320 @@
+.\" netsniff-ng - the packet sniffing beast
+.\" Copyright 2013 Daniel Borkmann.
+.\" Subject to the GPL, version 2.
+
+.TH BPFC 8 "03 March 2013" "Linux" "netsniff-ng toolkit"
+.SH NAME
+bpfc \- a Berkeley Packet Filter assembler/compiler
+
+.SH SYNOPSIS
+
+\fB bpfc\fR { [\fIoptions\fR] | [\fIsource-file\fR] }
+
+.SH DESCRIPTION
+
+bpfc is a small Berkeley Packet Filter assembler/compiler which is able to
+translate BPF assembler-like mnemonics into a numerical or C-like format,
+that can be read by tools such as netsniff-ng, iptables (xt_bpf) and many
+others. BPF is the one and only upstream filtering construct that is used
+in combination with packet(7) sockets. The Linux kernel and also BSD kernels
+implement ``virtual machine'' like constructs and JIT compilers that mimic
+a small register-based machine in BPF architecture and execute filter code
+that is e.g. composed by bpfc on a data buffer that is given by network
+packets. The purpose of this is to shift computation in time, so that the
+kernel can drop (or truncate) incoming packets as early as possible without
+having to push them to user space for further analysis first. Meanwhile,
+BPF constructs also find application in other areas like the communication
+between user and kernel space.
+
+By the time of writing this man page, the only available BPF compiler is
+part of the pcap(3) library and accessible through a high-level filter
+language that might be familiar for many people as tcpdump-like filters.
+
+However, quite often, it is useful to bypass that compiler and write
+optimized code that couldn't be produced by the pcap(3) compiler, was
+wrongly optimized, or is defective on purpose in order to debug test kernel
+code. Also, a reason to use bpfc could be to try out some new BPF extensions
+that are not supported by other compilers. Furthermore, bpfc can be of good
+use to verify JIT compiler behaviour or to find possible bugs that need
+to be fixed.
+
+bpfc is implemented with the help of flex(1) and bison(1), tokenizes the
+source file in a first stage and parses it's content into an AST. In two
+code generation stages it emits target opcodes. bpfc furthermore supports
+Linux kernel BPF extensions. More about that can be found in the syntax
+section.
+
+The Linux kernel BPF JIT compiler is automatically turned on if detected
+by netsniff-ng. However, it can also be manually turned on through the
+command ``echo "1" > /proc/sys/net/core/bpf_jit_enable'' (normal working
+mode) or ``echo "2" > /proc/sys/net/core/bpf_jit_enable'' (debug mode
+where emitted opcodes of the image are printed to the kernel log). An
+architecture generic BPF JIT image disassembler can be found in the kernel
+source tree under: tools/net/bpf_jit_disasm.c
+
+.SH OPTIONS
+
+.SS -i <source-file/->, --input <source-file/->
+Read BPF assembly instruction from an input file or from stdin.
+
+.SS -f <format>, --format <format>
+Specify a different output format than the default that is netsniff-ng
+compatible. The <format> specifier can be: C, netsniff-ng, xt_bpf, tcpdump.
+
+.SS -b, --bypass
+Bypass basic filter validation when emitting opcodes. This can be useful
+for explicitly creating malformed BPF expressions that should be injected
+into the kernel, e.g. for bug testing.
+
+.SS -V, --verbose
+Be more verbose and display some bpfc debugging information.
+
+.SS -d, --dump
+Dump all supported instructions to stdout.
+
+.SS -v, --version
+Show versioning information.
+
+.SS -h, --help
+Show user help.
+
+.SH SYNTAX
+
+The BPF architecture resp. register machine consists of the following
+elements:
+
+ Element Description
+
+ A 32 bit wide accumulator
+ X 32 bit wide X register
+ M[] 16 x 32 bit wide misc registers aka ``scratch
+memory store'', addressable from 0 to 15
+
+A program, that is translated by bpfc into ``opcodes'' is an array that
+consists of the following elements:
+
+ o:16, jt:8, jf:8, k:32
+
+The element o is a 16 bit wide opcode that has a particular instruction
+encoded, jt and jf are two 8 bit wide jump targets, one for condition
+``true'', one for condition ``false''. Last but not least the 32 bit wide
+element k contains a miscellaneous argument that can be interpreted in
+different ways depending on the given instruction resp. opcode.
+
+The instruction set consists of load, store, branch, alu, miscellaneous
+and return instructions that are also represented in bpfc syntax. This
+table also includes own bpfc extensions. All operations are based on
+unsigned data structures:
+
+ Instruction Addressing mode Description
+
+ ld 1, 2, 3, 4, 10 Load word into A
+ ldi 4 Load word into A
+ ldh 1, 2 Load half-word into A
+ ldb 1, 2 Load byte into A
+ ldx 3, 4, 5, 10 Load word into X
+ ldxi 4 Load word into X
+ ldxb 5 Load byte into X
+
+ st 3 Copy A into M[]
+ stx 3 Copy X into M[]
+
+ jmp 6 Jump to label
+ ja 6 Jump to label
+ jeq 7, 8 Jump on k == A
+ jneq 8 Jump on k != A
+ jne 8 Jump on k != A
+ jlt 8 Jump on k < A
+ jle 8 Jump on k <= A
+ jgt 7, 8 Jump on k > A
+ jge 7, 8 Jump on k >= A
+ jset 7, 8 Jump on k & A
+
+ add 0, 4 A + <x>
+ sub 0, 4 A - <x>
+ mul 0, 4 A * <x>
+ div 0, 4 A / <x>
+ mod 0, 4 A % <x>
+ neg 0, 4 !A
+ and 0, 4 A & <x>
+ or 0, 4 A | <x>
+ xor 0, 4 A ^ <x>
+ lsh 0, 4 A << <x>
+ rsh 0, 4 A >> <x>
+
+ tax Copy A into X
+ txa Copy X into A
+
+ ret 4, 9 Return
+
+ Addressing mode Syntax Description
+
+ 0 x Register X
+ 1 [k] BHW at byte offset k in the packet
+ 2 [x + k] BHW at the offset X + k in the packet
+ 3 M[k] Word at offset k in M[]
+ 4 #k Literal value stored in k
+ 5 4*([k]&0xf) Lower nibble * 4 at byte offset k in the packet
+ 6 L Jump label L
+ 7 #k,Lt,Lf Jump to Lt if true, otherwise jump to Lf
+ 8 #k,Lt Jump to Lt if predicate is true
+ 9 a Accumulator A
+ 10 extension BPF extension (see next table)
+
+ Extension (and alias) Description
+
+ #len, len, #pktlen, pktlen Length of packet (skb->len)
+ #pto, pto, #proto, proto Ethernet type field (skb->protocol)
+ #type, type Packet type (**) (skb->pkt_type)
+ #poff, poff Detected payload start offset
+ #ifx, ifx, #ifidx, ifidx Interface index (skb->dev->ifindex)
+ #nla, nla Netlink attribute of type X with offset A
+ #nlan, nlan Nested Netlink attribute of type X with offset A
+ #mark, mark Packet mark (skb->mark)
+ #que, que, #queue, queue, #Q, Q NIC queue index (skb->queue_mapping)
+ #hat, hat, #hatype, hatype NIC hardware type (**) (skb->dev->type)
+ #rxh, rxh, #rxhash, rxhash Receive hash (skb->rxhash)
+ #cpu, cpu Current CPU (raw_smp_processor_id())
+ #vlant, vlant, #vlan_tci, vlan_tci VLAN TCI value (vlan_tx_tag_get(skb))
+ #vlanp, vlanp VLAN present (vlan_tx_tag_present(skb))
+
+ Further extension details (**) Value
+
+ #type, type 0 - to us / host
+ 1 - to all / broadcast
+ 2 - to group / multicast
+ 3 - to others (promiscuous mode)
+ 4 - outgoing of any type
+
+ #hat, hat, #hatype, hatype 1 - Ethernet 10Mbps
+ 8 - APPLEtalk
+ 19 - ATM
+ 24 - IEEE 1394 IPv4 - RFC 2734
+ 32 - InfiniBand
+ 768 - IPIP tunnel
+ 769 - IP6IP6 tunnel
+ 772 - Loopback device
+ 778 - GRE over IP
+ 783 - Linux-IrDA
+ 801 - IEEE 802.11
+ 802 - IEEE 802.11 + Prism2 header
+ 803 - IEEE 802.11 + radiotap header
+ 823 - GRE over IP6
+ [...] See include/uapi/linux/if_arp.h
+
+Note that the majority of BPF extensions are available on Linux only.
+
+There are two types of comments in bpfc source-files:
+
+ 1. Multi-line C-style comments: /* put comment here */
+ 2. Single-line ASM-style comments: ; put comment here
+
+Used Abbreviations:
+
+ BHW: byte, half-word, or word
+
+.SH SOURCE EXAMPLES
+
+In this section, we give a couple of examples for bpfc source-files, in other
+words, some small example filter programs:
+
+.SS Only return packet headers (truncate packets):
+
+ ld poff
+ ret a
+
+.SS Only allow ARP packets:
+
+ ldh [12]
+ jne #0x806, drop
+ ret #-1
+ drop: ret #0
+
+.SS Only allow IPv4 TCP packets:
+
+ ldh [12]
+ jne #0x800, drop
+ ldb [23]
+ jneq #6, drop
+ ret #-1
+ drop: ret #0
+
+.SS Only allow IPv4 TCP, SSH traffic:
+
+ ldh [12]
+ jne #0x800, drop
+ ldb [23]
+ jneq #6, drop
+ ldh [20]
+ jset #0x1fff, drop
+ ldxb 4 * ([14] & 0xf)
+ ldh [x + 14]
+ jeq #0x16, pass
+ ldh [x + 16]
+ jne #0x16, drop
+ pass: ret #-1
+ drop: ret #0
+
+.SS Allow any (hardware accelerated) VLAN:
+
+ ld vlanp
+ jeq #0, drop
+ ret #-1
+ drop: ret #0
+
+.SS Only allow traffic for (hardware accelerated) VLAN 10:
+
+ ld vlant
+ jneq #10, drop
+ ret #-1
+ drop: ret #0
+
+.SS More pedantic check for the above VLAN example:
+
+ ld vlanp
+ jeq #0, drop
+ ld vlant
+ jneq #10, drop
+ ret #-1
+ drop: ret #0
+
+.SH USAGE EXAMPLE
+
+.SS bpfc fubar
+Compile the source file ``fubar'' into BPF opcodes. Opcodes will be
+directed to stdout.
+
+.SS bpfc -f xt_bpf -b -i fubar, resp. iptables -A INPUT -m bpf --bytecode "`bpfc -f xt_bpf -i fubar`" -j LOG
+Compile the source file ``fubar'' into BPF opcodes, bypass basic filter
+validation and emit opcodes in netfilter's xt_bpf readable format.
+
+.SS bpfc -
+Read bpfc instruction from stdin and emit opcodes to stdout.
+
+.SS bpfc foo > bar, resp. netsniff-ng -f bar ...
+Compile filter instructions from file foo and redirect bpfc's output into
+the file bar, that can then be read by netsniff-ng(8) through option -f.
+
+.SS bpfc -f tcpdump -i fubar
+Output opcodes from source file fubar in the same behaviour as ``tcpdump -ddd''.
+
+.SH LEGAL
+bpfc is licensed under the GNU GPL version 2.0.
+
+.SH HISTORY
+.B bpfc
+was originally written for the netsniff-ng toolkit by Daniel Borkmann. It
+is currently maintained by Tobias Klauser <tklauser@distanz.ch> and Daniel
+Borkmann <dborkma@tik.ee.ethz.ch>.
+
+.SH SEE ALSO
+.BR netsniff-ng (8),
+.BR trafgen (8),
+.BR mausezahn (8),
+.BR ifpps (8),
+.BR flowtop (8),
+.BR astraceroute (8),
+.BR curvetun (8)
+
+.SH AUTHOR
+Manpage was written by Daniel Borkmann.