On 01/25/2013 04:27 AM, Jon Schipp wrote:
> I have many questions :)
Indeed, quite a lot at once, let me try to answer.
> This compiles fine. My question is whether or not I'm jeq'ing
> correctly to the "ldh [6]" line. I would think
> that L1 would jump straight to the label at the end returning 1514
> bytes but I can't figure out how else
> to write it. Is my program executing the ldh and the last jeq?
> I'm confused by the Lt and Lf mentions in the documentation. Replacing
> them with a value doesn't work.
> I'm counting lines here, starting with 0: e.g. jeq #0xccddeeff,2,5 ...
> results in
> Syntax error at line 4: 2! syntax error, unexpected number, expecting
> label! I tried adding more labels
You cannot use line numbers as labels, see my example below.
> like L3, L4 etc. and that does work, though, it seems with large
> filters like 'port 80' you could have > L8.
> If that is the case, how do you jump to specific instructions? I tried
> prefixing instructions with a label to no avail.
> e.g.
> ld [8]
> jeq #0xccddeeff,L2,L5
> L2: ldh [6]
> ...
> L5: ret #0
> Is there a way to simply move onto the next instruction if the present
> one is true?
Yes.
This one seems actually not what you've intended to write. Why? Because what
you are doing is the following:
> $ cat ethernet.txt
> ; tcpdump equivalent
> ; 'ether src aa:bb:cc:dd:ee:ff'
> ld [8] ; load 4 bytes from src MAC
Does what you've commented.
> jeq #0xccddeeff,L1,L2
Here, you compare the accumulator against the hex value 0xccddeeff. If it's equal,
then you jump to the label L1, if not then you drop the packet on L2 (returning 0).
If you jump to L1 however, from your filter you allow basically a packet with a src
MAC in the form of <XY>:cc:dd:ee:ff, where <XY> \in [0,255]. Meaning, that your
second load will never be executed.
> ldh [6] ; load 2 bytes from src MAC
Does what you've commented.
> jeq #0xaabb,L1,L2
> L1: ret #1514 ; true then return 1514 bytes of packet
> L2: ret #0
What you should do instead is sth like the following (compiled, but untested):
$ bpfc -
ld [8]
jneq #0xccddeeff,drop
ldh [6]
jneq #0xaabb,drop
ret #-1
drop:
ret #0
{ 0x20, 0, 0, 0x00000008 },
{ 0x15, 0, 3, 0xccddeeff },
{ 0x28, 0, 0, 0x00000006 },
{ 0x15, 0, 1, 0x0000aabb },
{ 0x6, 0, 0, 0xffffffff },
{ 0x6, 0, 0, 0x00000000 },
Those jmp constructions with two jump fields in bpfc are actually long forms
and recently I've added an extension, which actually makes more sense. Look at
the jneq: if the accumulator does not equal this value, it jumps to drop;
otherwise it continues with the next instruction.
Hope this helps?
> I'm confused about the terminology here too. I imagine that
> "-L|--lla Compile low-level BPF" means compile to
> low-level BPF rather than _output_ a low-level
> filter. I think it's just the ambiguous wording because mnemonics like
> ld, jeq look higher level than 0x20, 0x28.
It always outputs those kind of opcodes, since they are read by netsniff-ng's
-f option.
It's called low level, since there will be a higher level language added to
it as mentioned in the TODO file.
> I can't figure out how to pass a high-level filter, '-Hi'. Would
> someone be able to give me an example?
Still in development work, so you won't be able currently.
> One more, I'm really interested in the undocumented extensions like
> #type Packet class1 , e.g. Broadcast, Multicast, Outgoing, ...
> #ifidx Network device index the packet was received on
> #mark Generic packet mark, i.e. for netfilter
> #queue Queue mapping number for multiqueue devices
> #hatype Network device type2 for ARP protocol hardware identifiers
> #rxhash The packet hash computed on reception
> #cpu CPU number the packet was received on
> I'm trying to load #cpu, confused on what that really means, into the
> accumulator and match CPU 0.
> This is just a guess, I don't really have any good idea on how to proceed.
> ld #cpu
> jeq #0,L1,L2
> L1: ret #1514
> L2: ret #0
This example seems to be correct.
It means, a packet that arrives on CPU0 shall pass this particular filter
you've provided. A packet arriving on CPU1 will be dropped instead.
--
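An added illustration of the jump semantics discussed in the thread, not code from the thread or from netsniff-ng: a tiny interpreter for the four classic-BPF opcodes bpfc emitted above, run over constructed Ethernet frames so you can see the original two-jeq filter accept any src MAC ending in cc:dd:ee:ff while the jneq/drop version only accepts aa:bb:cc:dd:ee:ff. The ORIGINAL opcode table is my own hand-assembly of Jon's filter (jt=2 on the first jeq lands on ret #1514), not bpfc output.

```python
import struct

# Opcode values for the instructions in the thread:
# BPF_LD|BPF_W|BPF_ABS, BPF_LD|BPF_H|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K
LD_W_ABS, LD_H_ABS, JEQ_K, RET_K = 0x20, 0x28, 0x15, 0x06

def run_bpf(prog, pkt):
    """Return the ret value of classic-BPF program `prog` for bytes `pkt`.
    prog is a list of (code, jt, jf, k) tuples as printed by bpfc."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1                       # pc now points at the next instruction
        if code == LD_W_ABS:          # ld [k]: 4 bytes, network byte order
            if k + 4 > len(pkt):
                return 0              # out-of-bounds load rejects the packet
            acc = struct.unpack_from("!I", pkt, k)[0]
        elif code == LD_H_ABS:        # ldh [k]: 2 bytes
            if k + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, k)[0]
        elif code == JEQ_K:           # jeq #k,jt,jf: jt/jf are skip counts
            pc += jt if acc == k else jf
        elif code == RET_K:           # ret #k (0xffffffff = whole packet)
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("program fell off the end")

# bpfc output for the jneq/drop version from the reply.
FIXED = [(0x20, 0, 0, 8), (0x15, 0, 3, 0xccddeeff),
         (0x28, 0, 0, 6), (0x15, 0, 1, 0xaabb),
         (0x06, 0, 0, 0xffffffff), (0x06, 0, 0, 0)]

# Hand-assembled (constructed) form of the original two-jeq program: the
# first jeq's true branch (jt=2) jumps straight to ret #1514, so the ldh/jeq
# on bytes 6-7 never runs when bytes 8-11 match.
ORIGINAL = [(0x20, 0, 0, 8), (0x15, 2, 3, 0xccddeeff),
            (0x28, 0, 0, 6), (0x15, 0, 1, 0xaabb),
            (0x06, 0, 0, 1514), (0x06, 0, 0, 0)]

def frame(src_mac_hex):
    """Constructed Ethernet frame: broadcast dst, given src MAC, IPv4 type, padding."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac_hex) + b"\x08\x00" + b"\x00" * 46

if __name__ == "__main__":
    for mac in ("aabbccddeeff", "0102ccddeeff"):
        print(mac, "original:", run_bpf(ORIGINAL, frame(mac)),
              "fixed:", run_bpf(FIXED, frame(mac)))
```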