Loading...
Note: File does not exist in v3.1.
1.. SPDX-License-Identifier: GPL-2.0
2
3.. _networking-filter:
4
5=======================================================
6Linux Socket Filtering aka Berkeley Packet Filter (BPF)
7=======================================================
8
9Notice
10------
11
12This file used to document the eBPF format and mechanisms even when not
13related to socket filtering. The ../bpf/index.rst has more details
14on eBPF.
15
16Introduction
17------------
18
19Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter.
20Though there are some distinct differences between the BSD and Linux
21Kernel filtering, but when we speak of BPF or LSF in Linux context, we
22mean the very same mechanism of filtering in the Linux kernel.
23
24BPF allows a user-space program to attach a filter onto any socket and
25allow or disallow certain types of data to come through the socket. LSF
26follows exactly the same filter code structure as BSD's BPF, so referring
27to the BSD bpf.4 manpage is very helpful in creating filters.
28
29On Linux, BPF is much simpler than on BSD. One does not have to worry
30about devices or anything like that. You simply create your filter code,
31send it to the kernel via the SO_ATTACH_FILTER option and if your filter
32code passes the kernel check on it, you then immediately begin filtering
33data on that socket.
34
35You can also detach filters from your socket via the SO_DETACH_FILTER
36option. This will probably not be used much since when you close a socket
37that has a filter on it the filter is automagically removed. The other
38less common case may be adding a different filter on the same socket where
39you had another filter that is still running: the kernel takes care of
40removing the old one and placing your new one in its place, assuming your
41filter has passed the checks, otherwise if it fails the old filter will
42remain on that socket.
43
44SO_LOCK_FILTER option allows to lock the filter attached to a socket. Once
45set, a filter cannot be removed or changed. This allows one process to
46setup a socket, attach a filter, lock it then drop privileges and be
47assured that the filter will be kept until the socket is closed.
48
49The biggest user of this construct might be libpcap. Issuing a high-level
50filter command like `tcpdump -i em1 port 22` passes through the libpcap
51internal compiler that generates a structure that can eventually be loaded
52via SO_ATTACH_FILTER to the kernel. `tcpdump -i em1 port 22 -ddd`
53displays what is being placed into this structure.
54
55Although we were only speaking about sockets here, BPF in Linux is used
56in many more places. There's xt_bpf for netfilter, cls_bpf in the kernel
57qdisc layer, SECCOMP-BPF (SECure COMPuting [1]_), and lots of other places
58such as team driver, PTP code, etc where BPF is being used.
59
60.. [1] Documentation/userspace-api/seccomp_filter.rst
61
62Original BPF paper:
63
64Steven McCanne and Van Jacobson. 1993. The BSD packet filter: a new
65architecture for user-level packet capture. In Proceedings of the
66USENIX Winter 1993 Conference Proceedings on USENIX Winter 1993
67Conference Proceedings (USENIX'93). USENIX Association, Berkeley,
68CA, USA, 2-2. [http://www.tcpdump.org/papers/bpf-usenix93.pdf]
69
70Structure
71---------
72
73User space applications include <linux/filter.h> which contains the
74following relevant structures::
75
76 struct sock_filter { /* Filter block */
77 __u16 code; /* Actual filter code */
78 __u8 jt; /* Jump true */
79 __u8 jf; /* Jump false */
80 __u32 k; /* Generic multiuse field */
81 };
82
83Such a structure is assembled as an array of 4-tuples, that contains
84a code, jt, jf and k value. jt and jf are jump offsets and k a generic
85value to be used for a provided code::
86
87 struct sock_fprog { /* Required for SO_ATTACH_FILTER. */
88 unsigned short len; /* Number of filter blocks */
89 struct sock_filter __user *filter;
90 };
91
92For socket filtering, a pointer to this structure (as shown in
93follow-up example) is being passed to the kernel through setsockopt(2).
94
95Example
96-------
97
98::
99
100 #include <sys/socket.h>
101 #include <sys/types.h>
102 #include <arpa/inet.h>
103 #include <linux/if_ether.h>
104 /* ... */
105
106 /* From the example above: tcpdump -i em1 port 22 -dd */
107 struct sock_filter code[] = {
108 { 0x28, 0, 0, 0x0000000c },
109 { 0x15, 0, 8, 0x000086dd },
110 { 0x30, 0, 0, 0x00000014 },
111 { 0x15, 2, 0, 0x00000084 },
112 { 0x15, 1, 0, 0x00000006 },
113 { 0x15, 0, 17, 0x00000011 },
114 { 0x28, 0, 0, 0x00000036 },
115 { 0x15, 14, 0, 0x00000016 },
116 { 0x28, 0, 0, 0x00000038 },
117 { 0x15, 12, 13, 0x00000016 },
118 { 0x15, 0, 12, 0x00000800 },
119 { 0x30, 0, 0, 0x00000017 },
120 { 0x15, 2, 0, 0x00000084 },
121 { 0x15, 1, 0, 0x00000006 },
122 { 0x15, 0, 8, 0x00000011 },
123 { 0x28, 0, 0, 0x00000014 },
124 { 0x45, 6, 0, 0x00001fff },
125 { 0xb1, 0, 0, 0x0000000e },
126 { 0x48, 0, 0, 0x0000000e },
127 { 0x15, 2, 0, 0x00000016 },
128 { 0x48, 0, 0, 0x00000010 },
129 { 0x15, 0, 1, 0x00000016 },
130 { 0x06, 0, 0, 0x0000ffff },
131 { 0x06, 0, 0, 0x00000000 },
132 };
133
134 struct sock_fprog bpf = {
135 .len = ARRAY_SIZE(code),
136 .filter = code,
137 };
138
139 sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
140 if (sock < 0)
141 /* ... bail out ... */
142
143 ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
144 if (ret < 0)
145 /* ... bail out ... */
146
147 /* ... */
148 close(sock);
149
150The above example code attaches a socket filter for a PF_PACKET socket
151in order to let all IPv4/IPv6 packets with port 22 pass. The rest will
152be dropped for this socket.
153
154The setsockopt(2) call to SO_DETACH_FILTER doesn't need any arguments
155and SO_LOCK_FILTER for preventing the filter to be detached, takes an
156integer value with 0 or 1.
157
158Note that socket filters are not restricted to PF_PACKET sockets only,
159but can also be used on other socket families.
160
161Summary of system calls:
162
163 * setsockopt(sockfd, SOL_SOCKET, SO_ATTACH_FILTER, &val, sizeof(val));
164 * setsockopt(sockfd, SOL_SOCKET, SO_DETACH_FILTER, &val, sizeof(val));
165 * setsockopt(sockfd, SOL_SOCKET, SO_LOCK_FILTER, &val, sizeof(val));
166
167Normally, most use cases for socket filtering on packet sockets will be
168covered by libpcap in high-level syntax, so as an application developer
169you should stick to that. libpcap wraps its own layer around all that.
170
171Unless i) using/linking to libpcap is not an option, ii) the required BPF
172filters use Linux extensions that are not supported by libpcap's compiler,
173iii) a filter might be more complex and not cleanly implementable with
174libpcap's compiler, or iv) particular filter codes should be optimized
175differently than libpcap's internal compiler does; then in such cases
176writing such a filter "by hand" can be of an alternative. For example,
177xt_bpf and cls_bpf users might have requirements that could result in
178more complex filter code, or one that cannot be expressed with libpcap
179(e.g. different return codes for various code paths). Moreover, BPF JIT
180implementors may wish to manually write test cases and thus need low-level
181access to BPF code as well.
182
183BPF engine and instruction set
184------------------------------
185
186Under tools/bpf/ there's a small helper tool called bpf_asm which can
187be used to write low-level filters for example scenarios mentioned in the
188previous section. Asm-like syntax mentioned here has been implemented in
189bpf_asm and will be used for further explanations (instead of dealing with
190less readable opcodes directly, principles are the same). The syntax is
191closely modelled after Steven McCanne's and Van Jacobson's BPF paper.
192
193The BPF architecture consists of the following basic elements:
194
195 ======= ====================================================
196 Element Description
197 ======= ====================================================
198 A 32 bit wide accumulator
199 X 32 bit wide X register
200 M[] 16 x 32 bit wide misc registers aka "scratch memory
201 store", addressable from 0 to 15
202 ======= ====================================================
203
204A program, that is translated by bpf_asm into "opcodes" is an array that
205consists of the following elements (as already mentioned)::
206
207 op:16, jt:8, jf:8, k:32
208
209The element op is a 16 bit wide opcode that has a particular instruction
210encoded. jt and jf are two 8 bit wide jump targets, one for condition
211"jump if true", the other one "jump if false". Eventually, element k
212contains a miscellaneous argument that can be interpreted in different
213ways depending on the given instruction in op.
214
215The instruction set consists of load, store, branch, alu, miscellaneous
216and return instructions that are also represented in bpf_asm syntax. This
217table lists all bpf_asm instructions available resp. what their underlying
218opcodes as defined in linux/filter.h stand for:
219
220 =========== =================== =====================
221 Instruction Addressing mode Description
222 =========== =================== =====================
223 ld 1, 2, 3, 4, 12 Load word into A
224 ldi 4 Load word into A
225 ldh 1, 2 Load half-word into A
226 ldb 1, 2 Load byte into A
227 ldx 3, 4, 5, 12 Load word into X
228 ldxi 4 Load word into X
229 ldxb 5 Load byte into X
230
231 st 3 Store A into M[]
232 stx 3 Store X into M[]
233
234 jmp 6 Jump to label
235 ja 6 Jump to label
236 jeq 7, 8, 9, 10 Jump on A == <x>
237 jneq 9, 10 Jump on A != <x>
238 jne 9, 10 Jump on A != <x>
239 jlt 9, 10 Jump on A < <x>
240 jle 9, 10 Jump on A <= <x>
241 jgt 7, 8, 9, 10 Jump on A > <x>
242 jge 7, 8, 9, 10 Jump on A >= <x>
243 jset 7, 8, 9, 10 Jump on A & <x>
244
245 add 0, 4 A + <x>
246 sub 0, 4 A - <x>
247 mul 0, 4 A * <x>
248 div 0, 4 A / <x>
249 mod 0, 4 A % <x>
250 neg !A
251 and 0, 4 A & <x>
252 or 0, 4 A | <x>
253 xor 0, 4 A ^ <x>
254 lsh 0, 4 A << <x>
255 rsh 0, 4 A >> <x>
256
257 tax Copy A into X
258 txa Copy X into A
259
260 ret 4, 11 Return
261 =========== =================== =====================
262
263The next table shows addressing formats from the 2nd column:
264
265 =============== =================== ===============================================
266 Addressing mode Syntax Description
267 =============== =================== ===============================================
268 0 x/%x Register X
269 1 [k] BHW at byte offset k in the packet
270 2 [x + k] BHW at the offset X + k in the packet
271 3 M[k] Word at offset k in M[]
272 4 #k Literal value stored in k
273 5 4*([k]&0xf) Lower nibble * 4 at byte offset k in the packet
274 6 L Jump label L
275 7 #k,Lt,Lf Jump to Lt if true, otherwise jump to Lf
276 8 x/%x,Lt,Lf Jump to Lt if true, otherwise jump to Lf
277 9 #k,Lt Jump to Lt if predicate is true
278 10 x/%x,Lt Jump to Lt if predicate is true
279 11 a/%a Accumulator A
280 12 extension BPF extension
281 =============== =================== ===============================================
282
283The Linux kernel also has a couple of BPF extensions that are used along
284with the class of load instructions by "overloading" the k argument with
285a negative offset + a particular extension offset. The result of such BPF
286extensions are loaded into A.
287
288Possible BPF extensions are shown in the following table:
289
290 =================================== =================================================
291 Extension Description
292 =================================== =================================================
293 len skb->len
294 proto skb->protocol
295 type skb->pkt_type
296 poff Payload start offset
297 ifidx skb->dev->ifindex
298 nla Netlink attribute of type X with offset A
299 nlan Nested Netlink attribute of type X with offset A
300 mark skb->mark
301 queue skb->queue_mapping
302 hatype skb->dev->type
303 rxhash skb->hash
304 cpu raw_smp_processor_id()
305 vlan_tci skb_vlan_tag_get(skb)
306 vlan_avail skb_vlan_tag_present(skb)
307 vlan_tpid skb->vlan_proto
308 rand get_random_u32()
309 =================================== =================================================
310
311These extensions can also be prefixed with '#'.
312Examples for low-level BPF:
313
314**ARP packets**::
315
316 ldh [12]
317 jne #0x806, drop
318 ret #-1
319 drop: ret #0
320
321**IPv4 TCP packets**::
322
323 ldh [12]
324 jne #0x800, drop
325 ldb [23]
326 jneq #6, drop
327 ret #-1
328 drop: ret #0
329
330**icmp random packet sampling, 1 in 4**::
331
332 ldh [12]
333 jne #0x800, drop
334 ldb [23]
335 jneq #1, drop
336 # get a random uint32 number
337 ld rand
338 mod #4
339 jneq #1, drop
340 ret #-1
341 drop: ret #0
342
343**SECCOMP filter example**::
344
345 ld [4] /* offsetof(struct seccomp_data, arch) */
346 jne #0xc000003e, bad /* AUDIT_ARCH_X86_64 */
347 ld [0] /* offsetof(struct seccomp_data, nr) */
348 jeq #15, good /* __NR_rt_sigreturn */
349 jeq #231, good /* __NR_exit_group */
350 jeq #60, good /* __NR_exit */
351 jeq #0, good /* __NR_read */
352 jeq #1, good /* __NR_write */
353 jeq #5, good /* __NR_fstat */
354 jeq #9, good /* __NR_mmap */
355 jeq #14, good /* __NR_rt_sigprocmask */
356 jeq #13, good /* __NR_rt_sigaction */
357 jeq #35, good /* __NR_nanosleep */
358 bad: ret #0 /* SECCOMP_RET_KILL_THREAD */
359 good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
360
361Examples for low-level BPF extension:
362
363**Packet for interface index 13**::
364
365 ld ifidx
366 jneq #13, drop
367 ret #-1
368 drop: ret #0
369
370**(Accelerated) VLAN w/ id 10**::
371
372 ld vlan_tci
373 jneq #10, drop
374 ret #-1
375 drop: ret #0
376
377The above example code can be placed into a file (here called "foo"), and
378then be passed to the bpf_asm tool for generating opcodes, output that xt_bpf
379and cls_bpf understands and can directly be loaded with. Example with above
380ARP code::
381
382 $ ./bpf_asm foo
383 4,40 0 0 12,21 0 1 2054,6 0 0 4294967295,6 0 0 0,
384
385In copy and paste C-like output::
386
387 $ ./bpf_asm -c foo
388 { 0x28, 0, 0, 0x0000000c },
389 { 0x15, 0, 1, 0x00000806 },
390 { 0x06, 0, 0, 0xffffffff },
391 { 0x06, 0, 0, 0000000000 },
392
393In particular, as usage with xt_bpf or cls_bpf can result in more complex BPF
394filters that might not be obvious at first, it's good to test filters before
395attaching to a live system. For that purpose, there's a small tool called
396bpf_dbg under tools/bpf/ in the kernel source directory. This debugger allows
397for testing BPF filters against given pcap files, single stepping through the
398BPF code on the pcap's packets and to do BPF machine register dumps.
399
400Starting bpf_dbg is trivial and just requires issuing::
401
402 # ./bpf_dbg
403
404In case input and output do not equal stdin/stdout, bpf_dbg takes an
405alternative stdin source as a first argument, and an alternative stdout
406sink as a second one, e.g. `./bpf_dbg test_in.txt test_out.txt`.
407
408Other than that, a particular libreadline configuration can be set via
409file "~/.bpf_dbg_init" and the command history is stored in the file
410"~/.bpf_dbg_history".
411
412Interaction in bpf_dbg happens through a shell that also has auto-completion
413support (follow-up example commands starting with '>' denote bpf_dbg shell).
414The usual workflow would be to ...
415
416* load bpf 6,40 0 0 12,21 0 3 2048,48 0 0 23,21 0 1 1,6 0 0 65535,6 0 0 0
417 Loads a BPF filter from standard output of bpf_asm, or transformed via
418 e.g. ``tcpdump -iem1 -ddd port 22 | tr '\n' ','``. Note that for JIT
419 debugging (next section), this command creates a temporary socket and
420 loads the BPF code into the kernel. Thus, this will also be useful for
421 JIT developers.
422
423* load pcap foo.pcap
424
425 Loads standard tcpdump pcap file.
426
427* run [<n>]
428
429bpf passes:1 fails:9
430 Runs through all packets from a pcap to account how many passes and fails
431 the filter will generate. A limit of packets to traverse can be given.
432
433* disassemble::
434
435 l0: ldh [12]
436 l1: jeq #0x800, l2, l5
437 l2: ldb [23]
438 l3: jeq #0x1, l4, l5
439 l4: ret #0xffff
440 l5: ret #0
441
442 Prints out BPF code disassembly.
443
444* dump::
445
446 /* { op, jt, jf, k }, */
447 { 0x28, 0, 0, 0x0000000c },
448 { 0x15, 0, 3, 0x00000800 },
449 { 0x30, 0, 0, 0x00000017 },
450 { 0x15, 0, 1, 0x00000001 },
451 { 0x06, 0, 0, 0x0000ffff },
452 { 0x06, 0, 0, 0000000000 },
453
454 Prints out C-style BPF code dump.
455
456* breakpoint 0::
457
458 breakpoint at: l0: ldh [12]
459
460* breakpoint 1::
461
462 breakpoint at: l1: jeq #0x800, l2, l5
463
464 ...
465
466 Sets breakpoints at particular BPF instructions. Issuing a `run` command
467 will walk through the pcap file continuing from the current packet and
468 break when a breakpoint is being hit (another `run` will continue from
469 the currently active breakpoint executing next instructions):
470
471 * run::
472
473 -- register dump --
474 pc: [0] <-- program counter
475 code: [40] jt[0] jf[0] k[12] <-- plain BPF code of current instruction
476 curr: l0: ldh [12] <-- disassembly of current instruction
477 A: [00000000][0] <-- content of A (hex, decimal)
478 X: [00000000][0] <-- content of X (hex, decimal)
479 M[0,15]: [00000000][0] <-- folded content of M (hex, decimal)
480 -- packet dump -- <-- Current packet from pcap (hex)
481 len: 42
482 0: 00 19 cb 55 55 a4 00 14 a4 43 78 69 08 06 00 01
483 16: 08 00 06 04 00 01 00 14 a4 43 78 69 0a 3b 01 26
484 32: 00 00 00 00 00 00 0a 3b 01 01
485 (breakpoint)
486 >
487
488 * breakpoint::
489
490 breakpoints: 0 1
491
492 Prints currently set breakpoints.
493
494* step [-<n>, +<n>]
495
496 Performs single stepping through the BPF program from the current pc
497 offset. Thus, on each step invocation, above register dump is issued.
498 This can go forwards and backwards in time, a plain `step` will break
499 on the next BPF instruction, thus +1. (No `run` needs to be issued here.)
500
501* select <n>
502
503 Selects a given packet from the pcap file to continue from. Thus, on
504 the next `run` or `step`, the BPF program is being evaluated against
505 the user pre-selected packet. Numbering starts just as in Wireshark
506 with index 1.
507
508* quit
509
510 Exits bpf_dbg.
511
512JIT compiler
513------------
514
515The Linux kernel has a built-in BPF JIT compiler for x86_64, SPARC,
516PowerPC, ARM, ARM64, MIPS, RISC-V, s390, and ARC and can be enabled through
517CONFIG_BPF_JIT. The JIT compiler is transparently invoked for each
518attached filter from user space or for internal kernel users if it has
519been previously enabled by root::
520
521 echo 1 > /proc/sys/net/core/bpf_jit_enable
522
523For JIT developers, doing audits etc, each compile run can output the generated
524opcode image into the kernel log via::
525
526 echo 2 > /proc/sys/net/core/bpf_jit_enable
527
528Example output from dmesg::
529
530 [ 3389.935842] flen=6 proglen=70 pass=3 image=ffffffffa0069c8f
531 [ 3389.935847] JIT code: 00000000: 55 48 89 e5 48 83 ec 60 48 89 5d f8 44 8b 4f 68
532 [ 3389.935849] JIT code: 00000010: 44 2b 4f 6c 4c 8b 87 d8 00 00 00 be 0c 00 00 00
533 [ 3389.935850] JIT code: 00000020: e8 1d 94 ff e0 3d 00 08 00 00 75 16 be 17 00 00
534 [ 3389.935851] JIT code: 00000030: 00 e8 28 94 ff e0 83 f8 01 75 07 b8 ff ff 00 00
535 [ 3389.935852] JIT code: 00000040: eb 02 31 c0 c9 c3
536
537When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is permanently set to 1 and
538setting any other value than that will return in failure. This is even the case for
539setting bpf_jit_enable to 2, since dumping the final JIT image into the kernel log
540is discouraged and introspection through bpftool (under tools/bpf/bpftool/) is the
541generally recommended approach instead.
542
543In the kernel source tree under tools/bpf/, there's bpf_jit_disasm for
544generating disassembly out of the kernel log's hexdump::
545
546 # ./bpf_jit_disasm
547 70 bytes emitted from JIT compiler (pass:3, flen:6)
548 ffffffffa0069c8f + <x>:
549 0: push %rbp
550 1: mov %rsp,%rbp
551 4: sub $0x60,%rsp
552 8: mov %rbx,-0x8(%rbp)
553 c: mov 0x68(%rdi),%r9d
554 10: sub 0x6c(%rdi),%r9d
555 14: mov 0xd8(%rdi),%r8
556 1b: mov $0xc,%esi
557 20: callq 0xffffffffe0ff9442
558 25: cmp $0x800,%eax
559 2a: jne 0x0000000000000042
560 2c: mov $0x17,%esi
561 31: callq 0xffffffffe0ff945e
562 36: cmp $0x1,%eax
563 39: jne 0x0000000000000042
564 3b: mov $0xffff,%eax
565 40: jmp 0x0000000000000044
566 42: xor %eax,%eax
567 44: leaveq
568 45: retq
569
570 Issuing option `-o` will "annotate" opcodes to resulting assembler
571 instructions, which can be very useful for JIT developers:
572
573 # ./bpf_jit_disasm -o
574 70 bytes emitted from JIT compiler (pass:3, flen:6)
575 ffffffffa0069c8f + <x>:
576 0: push %rbp
577 55
578 1: mov %rsp,%rbp
579 48 89 e5
580 4: sub $0x60,%rsp
581 48 83 ec 60
582 8: mov %rbx,-0x8(%rbp)
583 48 89 5d f8
584 c: mov 0x68(%rdi),%r9d
585 44 8b 4f 68
586 10: sub 0x6c(%rdi),%r9d
587 44 2b 4f 6c
588 14: mov 0xd8(%rdi),%r8
589 4c 8b 87 d8 00 00 00
590 1b: mov $0xc,%esi
591 be 0c 00 00 00
592 20: callq 0xffffffffe0ff9442
593 e8 1d 94 ff e0
594 25: cmp $0x800,%eax
595 3d 00 08 00 00
596 2a: jne 0x0000000000000042
597 75 16
598 2c: mov $0x17,%esi
599 be 17 00 00 00
600 31: callq 0xffffffffe0ff945e
601 e8 28 94 ff e0
602 36: cmp $0x1,%eax
603 83 f8 01
604 39: jne 0x0000000000000042
605 75 07
606 3b: mov $0xffff,%eax
607 b8 ff ff 00 00
608 40: jmp 0x0000000000000044
609 eb 02
610 42: xor %eax,%eax
611 31 c0
612 44: leaveq
613 c9
614 45: retq
615 c3
616
617For BPF JIT developers, bpf_jit_disasm, bpf_asm and bpf_dbg provides a useful
618toolchain for developing and testing the kernel's JIT compiler.
619
620BPF kernel internals
621--------------------
622Internally, for the kernel interpreter, a different instruction set
623format with similar underlying principles from BPF described in previous
624paragraphs is being used. However, the instruction set format is modelled
625closer to the underlying architecture to mimic native instruction sets, so
626that a better performance can be achieved (more details later). This new
627ISA is called eBPF. See the ../bpf/index.rst for details. (Note: eBPF which
628originates from [e]xtended BPF is not the same as BPF extensions! While
629eBPF is an ISA, BPF extensions date back to classic BPF's 'overloading'
630of BPF_LD | BPF_{B,H,W} | BPF_ABS instruction.)
631
632The new instruction set was originally designed with the possible goal in
633mind to write programs in "restricted C" and compile into eBPF with a optional
634GCC/LLVM backend, so that it can just-in-time map to modern 64-bit CPUs with
635minimal performance overhead over two steps, that is, C -> eBPF -> native code.
636
637Currently, the new format is being used for running user BPF programs, which
638includes seccomp BPF, classic socket filters, cls_bpf traffic classifier,
639team driver's classifier for its load-balancing mode, netfilter's xt_bpf
640extension, PTP dissector/classifier, and much more. They are all internally
641converted by the kernel into the new instruction set representation and run
642in the eBPF interpreter. For in-kernel handlers, this all works transparently
643by using bpf_prog_create() for setting up the filter, resp.
644bpf_prog_destroy() for destroying it. The function
645bpf_prog_run(filter, ctx) transparently invokes eBPF interpreter or JITed
646code to run the filter. 'filter' is a pointer to struct bpf_prog that we
647got from bpf_prog_create(), and 'ctx' the given context (e.g.
648skb pointer). All constraints and restrictions from bpf_check_classic() apply
649before a conversion to the new layout is being done behind the scenes!
650
651Currently, the classic BPF format is being used for JITing on most
65232-bit architectures, whereas x86-64, aarch64, s390x, powerpc64,
653sparc64, arm32, riscv64, riscv32, loongarch64, arc perform JIT compilation
654from eBPF instruction set.
655
656Testing
657-------
658
659Next to the BPF toolchain, the kernel also ships a test module that contains
660various test cases for classic and eBPF that can be executed against
661the BPF interpreter and JIT compiler. It can be found in lib/test_bpf.c and
662enabled via Kconfig::
663
664 CONFIG_TEST_BPF=m
665
666After the module has been built and installed, the test suite can be executed
667via insmod or modprobe against 'test_bpf' module. Results of the test cases
668including timings in nsec can be found in the kernel log (dmesg).
669
670Misc
671----
672
673Also trinity, the Linux syscall fuzzer, has built-in support for BPF and
674SECCOMP-BPF kernel fuzzing.
675
676Written by
677----------
678
679The document was written in the hope that it is found useful and in order
680to give potential BPF hackers or security auditors a better overview of
681the underlying architecture.
682
683- Jay Schulist <jschlst@samba.org>
684- Daniel Borkmann <daniel@iogearbox.net>
685- Alexei Starovoitov <ast@kernel.org>