You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

82 lines
3.1 KiB

  1. // Copyright 2016 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. /*
  5. Package bpf implements marshaling and unmarshaling of programs for the
  6. Berkeley Packet Filter virtual machine, and provides a Go implementation
  7. of the virtual machine.
  8. BPF's main use is to specify a packet filter for network taps, so that
  9. the kernel doesn't have to expensively copy every packet it sees to
  10. userspace. However, it's been repurposed to other areas where running
  11. user code in-kernel is needed. For example, Linux's seccomp uses BPF
  12. to apply security policies to system calls. For simplicity, this
  13. documentation refers only to packets, but other uses of BPF have their
  14. own data payloads.
  15. BPF programs run in a restricted virtual machine. It has almost no
  16. access to kernel functions, and while conditional branches are
  17. allowed, they can only jump forwards, to guarantee that there are no
  18. infinite loops.
  19. The virtual machine
  20. The BPF VM is an accumulator machine. Its main register, called
  21. register A, is an implicit source and destination in all arithmetic
  22. and logic operations. The machine also has 16 scratch registers for
  23. temporary storage, and an indirection register (register X) for
  24. indirect memory access. All registers are 32 bits wide.
  25. Each run of a BPF program is given one packet, which is placed in the
  26. VM's read-only "main memory". LoadAbsolute and LoadIndirect
  27. instructions can fetch up to 32 bits at a time into register A for
  28. examination.
  29. The goal of a BPF program is to produce and return a verdict (uint32),
  30. which tells the kernel what to do with the packet. In the context of
  31. packet filtering, the returned value is the number of bytes of the
  32. packet to forward to userspace, or 0 to ignore the packet. Other
  33. contexts like seccomp define their own return values.
  34. In order to simplify programs, attempts to read past the end of the
  35. packet terminate the program execution with a verdict of 0 (ignore
  36. packet). This means that the vast majority of BPF programs don't need
  37. to do any explicit bounds checking.
  38. In addition to the bytes of the packet, some BPF programs have access
  39. to extensions, which are essentially calls to kernel utility
  40. functions. Currently, the only extensions supported by this package
  41. are the Linux packet filter extensions.
  42. Examples
  43. This packet filter selects all ARP packets.
  44. bpf.Assemble([]bpf.Instruction{
  45. // Load "EtherType" field from the ethernet header.
  46. bpf.LoadAbsolute{Off: 12, Size: 2},
  47. // Skip over the next instruction if EtherType is not ARP.
  48. bpf.JumpIf{Cond: bpf.JumpNotEqual, Val: 0x0806, SkipTrue: 1},
  49. // Verdict is "send up to 4k of the packet to userspace."
  50. bpf.RetConstant{Val: 4096},
  51. // Verdict is "ignore packet."
  52. bpf.RetConstant{Val: 0},
  53. })
  54. This packet filter captures a random 1% sample of traffic.
  55. bpf.Assemble([]bpf.Instruction{
  56. // Get a 32-bit random number from the Linux kernel.
  57. bpf.LoadExtension{Num: bpf.ExtRand},
  58. // 1% dice roll?
  59. bpf.JumpIf{Cond: bpf.JumpLessThan, Val: 2^32/100, SkipFalse: 1},
  60. // Capture.
  61. bpf.RetConstant{Val: 4096},
  62. // Ignore.
  63. bpf.RetConstant{Val: 0},
  64. })
  65. */
  66. package bpf // import "golang.org/x/net/bpf"