From owner-freebsd-hackers@freebsd.org Wed Dec 30 15:37:21 2015
Date: Wed, 30 Dec 2015 09:37:20 -0600
Subject: Re: BPF Berkeley Packet Filter Question
From: Juan Herrera
To: Daniel Janzon
Cc: Julian Elischer, freebsd-hackers@freebsd.org

Hello Julian, Daniel

I am using raw Ethernet, and testing with ARP.

Brief explanation of what I want to do:

I am sending ARP request packets (encapsulated with my metadata at the end), so it is raw Ethernet like this: "ARP Req bytes + Metadata bytes". I already did a test to filter with BPF jumbo Ethernet packets, and I can filter if I want against the last byte in the packet, but to do this I need to place in my program code the C filter code (generated with tcpdump), exactly the byte position I want to use for filtering. So the issue with this is that when I receive another Ethernet frame that is not an ARP Req, the byte position to filter will not be the right one to use (because it moves), because the packet is bigger or smaller, so my metadata has shifted left or shifted right depending on the case. So I want BPF to read the total packet length to return it in a variable, and then I use this variable to calculate the right byte to use for filtering, depending on the packet length.

I need to match with a specific metadata field based on length, but don't know how to use BPF to read the packet's length.

Thanks!

2015-12-30 6:11 GMT-06:00 Daniel Janzon:

> Hello Julian,
>
> I'm not sure I follow what you want to do but maybe I can help you get in
> the right direction.
>
> You can define a BPF program with macros, like
>
> struct bpf_insn instructions[] = {
>     ...
>     BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, proto, 0, 1),
>     BPF_STMT(BPF_RET + BPF_K, (uint16_t)-1),
>     BPF_STMT(BPF_RET + BPF_K, 0)
> };
>
> struct bpf_program bpf_program = { 4, (struct bpf_insn*)&instructions };
> ioctl(fd, BIOCSETF, (struct bpf_program*)&bpf_program);
>
> etc, google for a complete example.
>
> Then you can use the -d option of tcpdump to get some help to find the
> right instructions, for instance
>
> tcpdump -i em0 -d host 10.10.10.1 and greater 150 # capture packets greater than 150
>
> You will probably have to modify the output a bit to get what you want so
> you will have to learn a bit how it works. See the section Filter machine
> in the bpf manual (man 4 bpf).
>
> Hope that helps.
>
> All the best,
> Daniel Janzon
>
>
> On Wed, Dec 30, 2015 at 9:58 AM Julian Elischer wrote:
>
>> On 30/12/2015 12:46 PM, Juan Herrera wrote:
>> > Hello BSD folks,
>> >
>> > I am developing a networking application in C and I have a question
>> > regarding BPF (Berkeley Packet Filters). I will give you an idea of the
>> > app first. I need to send a packet from machine A to machine B (any kind
>> > of packet), so for this I wrote a packet generator application which will
>> > send a packet to machine B, but before sending the packet I need to
>> > append some metadata values at the end of the packet, already done. So
>> > in machine B I have a raw socket listener app ready to receive incoming
>> > packets from machine A; however, I want to implement filtering with BPF
>> > on machine B, but as my metadata was appended at the end of the packet
>> > (it has to be at the end), I need to read the packet length with (using)
>> > Berkeley Packet Filter to match a specific field to filter one of the
>> > bytes at the end of my packet (metadata appended). In other words, I
>> > need to know the incoming packet length to filter against one of the
>> > metadata fields and be able to drop the packet before reaching user
>> > space applications (drop it in kernel space).
>> >
>> > So my question is, Can I use BPF to read the packet length ?
>> to continue on my previous mail.
>>
>> you can also use netgraph to do this in several ways as well.
>> But I'd need more information to be able to explain what to do.
>>
>> >
>> > TIA!
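
Added example, not part of the original thread: classic BPF can load the packet length into the accumulator with BPF_LEN, so the offset of a trailing byte can be computed inside the filter instead of being hard-coded for one frame size. The opcode values mirror <net/bpf.h> but are defined locally, together with a small interpreter, so the logic can be checked offline. TAG, tail_filter, run_filter, keep and the sample frames are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Classic BPF opcode values, defined locally so this builds without <net/bpf.h>. */
enum { BPF_LD = 0x00, BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MISC = 0x07,
       BPF_W = 0x00, BPF_B = 0x10, BPF_IND = 0x40, BPF_LEN = 0x80,
       BPF_SUB = 0x10, BPF_JEQ = 0x10, BPF_K = 0x00, BPF_TAX = 0x00 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* fields as in struct bpf_insn */
#define STMT(c, k)         { (uint16_t)(c), 0, 0, (k) }
#define JUMP(c, k, jt, jf) { (uint16_t)(c), (jt), (jf), (k) }
#define TAG 0x5a   /* hypothetical value expected in the last metadata byte */

/* Keep a frame only if its final byte equals TAG, whatever the frame length. */
static const struct insn tail_filter[] = {
    STMT(BPF_LD + BPF_W + BPF_LEN, 0),           /* A = packet length         */
    STMT(BPF_ALU + BPF_SUB + BPF_K, 1),          /* A = length - 1            */
    STMT(BPF_MISC + BPF_TAX, 0),                 /* X = A                     */
    STMT(BPF_LD + BPF_B + BPF_IND, 0),           /* A = pkt[X + 0]            */
    JUMP(BPF_JMP + BPF_JEQ + BPF_K, TAG, 0, 1),  /* last byte == TAG ?        */
    STMT(BPF_RET + BPF_K, (uint32_t)-1),         /* yes: keep the whole frame */
    STMT(BPF_RET + BPF_K, 0),                    /* no: drop                  */
};

/* Interpreter for only the opcodes used above; an out-of-range load returns 0 (drop). */
static uint32_t run_filter(const struct insn *pc, const uint8_t *pkt, uint32_t len)
{
    uint32_t A = 0, X = 0;
    for (;; pc++) {
        switch (pc->code) {
        case BPF_LD + BPF_W + BPF_LEN:  A = len; break;
        case BPF_ALU + BPF_SUB + BPF_K: A -= pc->k; break;
        case BPF_MISC + BPF_TAX:        X = A; break;
        case BPF_LD + BPF_B + BPF_IND:  if (pc->k > len || X >= len - pc->k) return 0;
                                        A = pkt[X + pc->k]; break;
        case BPF_JMP + BPF_JEQ + BPF_K: pc += (A == pc->k) ? pc->jt : pc->jf; break;
        case BPF_RET + BPF_K:           return pc->k;
        default:                        return 0;   /* opcode not modelled here */
        }
    }
}

/* Constructed sample frames (not captures); long_bad has TAG at short_ok's offset. */
static const uint8_t short_ok[] = { 0xff, 0xff, 0x08, 0x06, TAG };
static const uint8_t long_ok[]  = { 0xff, 0xff, 0x08, 0x00, 0x45, 0x00, 0x11, TAG };
static const uint8_t long_bad[] = { 0xff, 0xff, 0x08, 0x00, TAG, 0x00, 0x11, 0x22 };
static int keep(const uint8_t *p, uint32_t n) { return run_filter(tail_filter, p, n) != 0; }
int main(void)
{
    printf("%d %d %d\n", keep(short_ok, sizeof short_ok),
           keep(long_ok, sizeof long_ok), keep(long_bad, sizeof long_bad));
    return 0;
}
```

On FreeBSD the same seven instructions go into a struct bpf_insn array written with BPF_STMT/BPF_JUMP and are installed with BIOCSETF, as in Daniel's message. For a metadata field further from the end, subtract its distance from the end instead of 1.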