Contact
- Hagen Paul Pfeifer
- http://jauu.net
BPF Opcode Analysis
Published in: networking | Time: 00:23:11 CEST | SHA1: e53e544ce70703072b82ba91b97b4b45cb97df5c
The following paragraphs explain the correlation between the filter rules provided by any PCAP-based filter program, the resulting intermediate opcode representation, and the kernel-side interpretation. The most brilliant logic within PCAP is neither the sniffing functionality nor the dump file format; it is the optimization logic. It eliminates useless calculations, generates efficient instructions, skips possible IPv4 options, jumps over IPv6 extension headers, and so on. At the same time, the optimizer must be able to eliminate useless or duplicate expressions like “IP AND IP” (this is the most trivial example, but the cases can be quite complex).
Processing Sequence for some common filter expressions
No Expression
A stub filter returns immediately: it executes BPF_RET|BPF_K and returns
fentry->k, where fentry->k is the requested packet length in bytes. You will
see this instruction at the end of nearly all of the following filters.
IP Expression
- taken (ICMP generator)
BPF_LD|BPF_H|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_RET|BPF_K
ICMP Expression
- taken (ICMP generator)
BPF_LD|BPF_H|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_LD|BPF_B|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_RET|BPF_K
- not taken (IPv6/ICMP generator)
BPF_LD|BPF_H|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_RET|BPF_K
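To make the taken and not-taken paths of the ICMP expression concrete, here is an added example (not code from the original post or from PCAP/the kernel): a minimal C interpreter for the four opcode kinds used on this page, run over a hand-written "icmp" program. The opcode values match the kernel's filter.h; the program layout, the struct names and the two sample frames are my constructed assumptions.

```c
#include <stdint.h>
/* Opcode encodings with the same values as the kernel's filter.h (redefined here, no kernel header). */
enum { BPF_LD = 0x00, BPF_JMP = 0x05, BPF_RET = 0x06, BPF_H = 0x08, BPF_B = 0x10,
       BPF_ABS = 0x20, BPF_JEQ = 0x10, BPF_K = 0x00 };
struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct bpf_result { uint32_t ret; int steps; };  /* RET value (0 = drop) and opcodes executed */

/* Constructed "icmp" program: ethertype at offset 12 must be 0x0800, IPv4 protocol byte at 23 must be 1. */
static const struct sock_filter icmp_prog[] = {
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, 12 },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 3, 0x0800 }, /* not IPv4: jump to the final RET 0 */
    { BPF_LD | BPF_B | BPF_ABS, 0, 0, 23 },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 1 },      /* not ICMP: jump to the final RET 0 */
    { BPF_RET | BPF_K, 0, 0, 65535 },            /* accept; k is the requested snaplen */
    { BPF_RET | BPF_K, 0, 0, 0 },                /* reject */
};

/* Interpret a classic BPF program over one frame. A load past the end of the frame or an
 * unknown opcode drops the frame, as the kernel interpreter does. */
struct bpf_result run_bpf(const struct sock_filter *prog, uint32_t len, const uint8_t *pkt, uint32_t pktlen)
{
    struct bpf_result r = { 0, 0 };
    uint32_t A = 0, pc = 0;
    while (pc < len) {
        const struct sock_filter *f = &prog[pc];
        r.steps++;
        switch (f->code) {
        case BPF_LD | BPF_H | BPF_ABS:            /* A = 16-bit big-endian load at offset k */
            if ((uint64_t)f->k + 2 > pktlen) return r;
            A = (uint32_t)pkt[f->k] << 8 | pkt[f->k + 1];
            pc++; break;
        case BPF_LD | BPF_B | BPF_ABS:            /* A = byte at offset k */
            if ((uint64_t)f->k + 1 > pktlen) return r;
            A = pkt[f->k];
            pc++; break;
        case BPF_JMP | BPF_JEQ | BPF_K:           /* jt/jf count from the next instruction */
            pc += 1 + (A == f->k ? f->jt : f->jf);
            break;
        case BPF_RET | BPF_K:
            r.ret = f->k;
            return r;
        default: return r;
        }
    }
    return r;
}

/* Constructed sample frames: Ethernet header, then a minimal IPv4 (protocol 1) or IPv6 header. */
static const uint8_t icmp_frame[34] = { [12] = 0x08, [13] = 0x00, [14] = 0x45, [23] = 1 };
static const uint8_t ipv6_frame[54] = { [12] = 0x86, [13] = 0xdd, [14] = 0x60, [20] = 58 };
```

Running `run_bpf(icmp_prog, 6, icmp_frame, 34)` executes the five opcodes of the taken sequence and returns 65535; the IPv6 frame executes the three opcodes of the not-taken sequence and returns 0.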
TCP Expression
- taken (TCP generator)
BPF_LD|BPF_H|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_JMP|BPF_JEQ|BPF_K
BPF_LD|BPF_B|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_RET|BPF_K
- not taken (ICMP generator)
BPF_LD|BPF_H|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_JMP|BPF_JEQ|BPF_K
BPF_LD|BPF_B|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_RET|BPF_K
UDP Expression
- not taken (ICMP generator)
BPF_LD|BPF_H|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_JMP|BPF_JEQ|BPF_K
BPF_LD|BPF_B|BPF_ABS
BPF_JMP|BPF_JEQ|BPF_K
BPF_RET|BPF_K
Conclusions
There are several possibilities to optimize the generated BPF filter, especially in combination with the kernel interpreter. The next step is to analyse the cache line behavior and try to align the structure for the common case and reduce memory loads.