From: David Ahern <dsa@cumulusnetworks.com>
To: Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Quentin Monnet <quentin.monnet@6wind.com>,
netdev@vger.kernel.org, roopa@cumulusnetworks.com
Subject: Re: [RFC PATCH net-next 1/2] bpf: Save original ebpf instructions
Date: Wed, 8 Feb 2017 18:28:51 -0700
Message-ID: <d6fe10c7-2275-43a3-715e-f76aafdec328@cumulusnetworks.com>
In-Reply-To: <c19a41f5-7737-d971-67e0-919276b47b95@cumulusnetworks.com>
On 2/8/17 12:40 PM, David Ahern wrote:
> On 2/8/17 3:52 AM, Daniel Borkmann wrote:
>> for cBPF dumps it looks like this in ss. Can you tell me what these
>> 11 insns do? Likely you can, but can a normal admin?
>>
>> # ss -0 -b
>> Netid Recv-Q Send-Q Local
>> Address:Port Peer
>> Address:Port
>> p_raw 0 0
>> *:em1 *
>> bpf filter (11): 0x28 0 0 12, 0x15 0 8 2048, 0x30 0 0 23, 0x15 0 6
>> 17, 0x28 0 0 20, 0x45 4 0 8191, 0xb1 0 0 14, 0x48 0 0 16, 0x15 0 1 68,
>> 0x06 0 0 4294967295, 0x06 0 0 0,
>
...
>
> It's not rocket science. We should be able to write tools that do the
> same for bpf as objdump does for assembly. It is a matter of someone
> having the need and taking the initiative. BTW, the bpf option was added
Just a couple of hours of hacking this afternoon and leveraging some of
the verifier code in the kernel, the above bpf filter in more human
friendly terms:
BPF_LD | BPF_ABS | BPF_H 0xc : val = *(u16 *)skb[12]
BPF_JMP | BPF_JEQ | BPF_K 0 8 0x800 : if !(val == 0x800) goto pc+8
BPF_LD | BPF_ABS | BPF_B 0x17 : val = *(u8 *)skb[23]
BPF_JMP | BPF_JEQ | BPF_K 0 6 0x11 : if !(val == 0x11) goto pc+6
BPF_LD | BPF_ABS | BPF_H 0x14 : val = *(u16 *)skb[20]
BPF_JMP | BPF_JSET | BPF_K 4 0 0x1fff : if ((val & 0x1fff) != 0) goto pc+4
BPF_LDX | BPF_MSH | BPF_B 0xe :
BPF_LD | BPF_IND | BPF_H 0x10 : val = *(u16 *)skb[16]
BPF_JMP | BPF_JEQ | BPF_K 0 1 0x44 : if !(val == 0x44) goto pc+1
BPF_RET ffffffff : ret ffffffff
BPF_RET 0 : ret 0
(long lines so I chopped the reprint of the hex on the left)
That said, verifying that the program attached to a cgroup is correct
for a VRF does not require it to be pretty printed or viewed by humans.
I can automate the checks on namespace id and device index.
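
The decoding described in the message above, as an added example (not code from the original post or from the kernel): a small Python disassembler for the "code jt jf k" tuples that ss prints. The mnemonic notation and the function names are choices of this example; only the LD, LDX, conditional-jump and RET classes are decoded, and jump targets are checked against the program length.

```python
# Filter string copied from the `ss -0 -b` output quoted in the message.
SS_FILTER = ("0x28 0 0 12, 0x15 0 8 2048, 0x30 0 0 23, 0x15 0 6 17, "
             "0x28 0 0 20, 0x45 4 0 8191, 0xb1 0 0 14, 0x48 0 0 16, "
             "0x15 0 1 68, 0x06 0 0 4294967295, 0x06 0 0 0,")

SIZE = {0x00: "", 0x08: "h", 0x10: "b"}                  # BPF_W, BPF_H, BPF_B
JOPS = {0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}


def parse(text):
    """Split 'code jt jf k, ...' into a list of (code, jt, jf, k) tuples."""
    insns = []
    for chunk in filter(None, (c.strip() for c in text.split(","))):
        code, jt, jf, k = (int(field, 0) for field in chunk.split())
        insns.append((code, jt, jf, k))
    return insns


def operand(mode, k):
    """Render the addressing mode (code & 0xe0) of an LD/LDX instruction."""
    return {0x00: f"#{k:#x}", 0x20: f"[{k}]", 0x40: f"[x + {k}]",
            0x60: f"M[{k}]", 0x80: "len", 0xa0: f"4*([{k}]&0xf)"}.get(mode, "?")


def disasm(insns):
    """Return one readable line per classic BPF instruction."""
    out = []
    for pc, (code, jt, jf, k) in enumerate(insns):
        cls = code & 0x07
        if cls in (0x00, 0x01):                          # BPF_LD / BPF_LDX
            name = ("ld", "ldx")[cls] + SIZE.get(code & 0x18, "?")
            text = f"{name} {operand(code & 0xe0, k)}"
        elif cls == 0x05 and (code & 0xf0) in JOPS:      # conditional BPF_JMP
            rhs = "x" if code & 0x08 else f"#{k:#x}"     # BPF_X or BPF_K
            t_pc, f_pc = pc + 1 + jt, pc + 1 + jf        # offsets count from pc+1
            if max(t_pc, f_pc) >= len(insns):
                raise ValueError(f"insn {pc}: jump past end of program")
            text = f"{JOPS[code & 0xf0]} {rhs} jt {t_pc} jf {f_pc}"
        elif cls == 0x06:                                # BPF_RET
            text = "ret a" if (code & 0x18) == 0x10 else f"ret #{k:#x}"
        else:                                            # class not decoded here
            text = f".insn {code:#x} {jt} {jf} {k}"
        out.append(f"({pc:03d}) {text}")
    return out


if __name__ == "__main__":
    print("\n".join(disasm(parse(SS_FILTER))))
```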