I have many questions :)
This compiles fine. My question is whether or not I'm jeq'ing
correctly to the "ldh [6]" line. I would think
that L1 would jump straight to the label at the end returning 1514
bytes but I can't figure out how else
to write it. Is my program executing the ldh and the last jeq?
I'm confused by the Lt and Lf mentions in the documentation. Replacing
them with a value doesn't work.
I'm counting lines here, starting with 0: e.g. jeq #0xccddeeff,2,5 ...
results in
Syntax error at line 4: 2! syntax error, unexpected number, expecting
label! I tried adding more labels
like L3, L4 etc. and that does work, though it seems with large
filters like 'port 80' you could have > L8.
If that is the case, how do you jump to specific instructions? I tried
prefixing instructions with a label to no avail.
e.g.
ld [8]
jeq #0xccddeeff,L2,L5
L2: ldh [6]
...
L5: ret #0
Is there a way to simply move onto the next instruction if the present
one is true?
$ cat ethernet.txt
; tcpdump equivalent
; 'ether src aa:bb:cc:dd:ee:ff'
ld [8] ; load 4 bytes from src MAC
jeq #0xccddeeff,L1,L2
ldh [6] ; load 2 bytes from src MAC
jeq #0xaabb,L1,L2
L1: ret #1514 ; true then return 1514 bytes of packet
L2: ret #0
$ bpfc -Li ethernet.bpfc
{ 0x20, 0, 0, 0x00000008 },
{ 0x15, 2, 3, 0xccddeeff },
{ 0x28, 0, 0, 0x00000006 },
{ 0x15, 0, 1, 0x0000aabb },
{ 0x6, 0, 0, 0x000005ea },
{ 0x6, 0, 0, 0x00000000 },
I'm confused about the terminology here too. I imagine that
"-L|--lla Compile low-level BPF" means compile to
low-level BPF rather than _output_ a low-level
filter. I think it's just the ambiguous wording because mnemonics like
ld, jeq look higher level than 0x20, 0x28.
I can't figure out how to pass a high-level filter, '-Hi'. Would
someone be able to give me an example?
One more, I'm really interested in the undocumented extensions like
#type Packet class1 , e.g. Broadcast, Multicast, Outgoing, ...
#ifidx Network device index the packet was received on
#mark Generic packet mark, i.e. for netfilter
#queue Queue mapping number for multiqueue devices
#hatype Network device type2 for ARP protocol hardware identifiers
#rxhash The packet hash computed on reception
#cpu CPU number the packet was received on
I'm trying to load #cpu, confused on what that really means, into the
accumulator and match CPU 0.
This is just a guess, I don't really have any good idea on how to proceed.
ld #cpu
jeq #0,L1,L2
L1: ret #1514
L2: ret #0
Does anyone have examples of compiling these with bpfc?
I suppose my biggest problem is that I find this bpfc documentation
complex and hard to understand.
Sorry for all the questions, had to offload them before bed ;)
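To make the jump semantics of the compiled output concrete, here is an added example (not from the post and not bpfc or netsniff-ng code): a small C interpreter for the four classic-BPF opcodes that appear in the bpfc -Li output (0x20 ld, 0x28 ldh, 0x15 jeq, 0x06 ret), run over constructed Ethernet frames. It executes the posted program exactly as compiled and, beside it, the same six instructions with the first jeq's true offset set to 0, which is the encoding a fall-through to the next instruction needs (a jump target label placed on the immediately following line resolves to that offset, since jt and jf count from the instruction after the jump). The interpreter, the frames and the names run_filter, posted and both_halves are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One classic-BPF instruction, the same four fields bpfc -Li prints
 * ({ code, jt, jf, k }, mirroring the kernel's struct sock_filter). */
struct insn {
    uint16_t code;
    uint8_t  jt, jf;
    uint32_t k;
};

/* The only opcodes the compiled filter above uses. */
#define LD_W_ABS 0x20 /* ld  [k] : A = 32-bit big-endian word at packet offset k   */
#define LD_H_ABS 0x28 /* ldh [k] : A = 16-bit big-endian half-word at offset k      */
#define JEQ_K    0x15 /* jeq #k  : skip jt insns if A == k, else jf (from the next) */
#define RET_K    0x06 /* ret #k  : accept k bytes of the packet, 0 means drop       */

/* Minimal interpreter for those four opcodes (an assumption of this example,
 * not the kernel's code). Returns the ret value, 0 for an out-of-bounds load
 * (the kernel also rejects the packet then), -1 for anything unsupported. */
static long run_filter(const struct insn *prog, size_t n,
                       const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    size_t pc = 0;

    while (pc < n) {
        const struct insn *i = &prog[pc++]; /* pc now points at the next instruction */
        switch (i->code) {
        case LD_W_ABS:
            if ((size_t)i->k + 4 > len) return 0;
            A = ((uint32_t)pkt[i->k] << 24) | ((uint32_t)pkt[i->k + 1] << 16) |
                ((uint32_t)pkt[i->k + 2] << 8) | pkt[i->k + 3];
            break;
        case LD_H_ABS:
            if ((size_t)i->k + 2 > len) return 0;
            A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case JEQ_K:
            /* jt/jf are offsets relative to the instruction after the jump */
            pc += (A == i->k) ? i->jt : i->jf;
            break;
        case RET_K:
            return (long)i->k;
        default:
            return -1;
        }
    }
    return -1; /* fell off the end: a real verifier rejects such a program */
}

#define COUNT(p) (sizeof(p) / sizeof((p)[0]))

/* The posted program exactly as bpfc compiled it: when the low four bytes
 * match, the first jeq skips 2 instructions and lands on ret #1514, so
 * ldh [6] and the second jeq never run. */
static const struct insn posted[] = {
    { 0x20, 0, 0, 0x00000008 },
    { 0x15, 2, 3, 0xccddeeff },
    { 0x28, 0, 0, 0x00000006 },
    { 0x15, 0, 1, 0x0000aabb },
    { 0x6,  0, 0, 0x000005ea },
    { 0x6,  0, 0, 0x00000000 },
};

/* Same checks with jt = 0 on the first jeq: a true result falls through to
 * ldh [6], so both halves of the source MAC must match before ret #1514. */
static const struct insn both_halves[] = {
    { 0x20, 0, 0, 0x00000008 },
    { 0x15, 0, 3, 0xccddeeff },
    { 0x28, 0, 0, 0x00000006 },
    { 0x15, 0, 1, 0x0000aabb },
    { 0x6,  0, 0, 0x000005ea },
    { 0x6,  0, 0, 0x00000000 },
};

/* Constructed 14-byte Ethernet headers (dst, src, type); src MAC sits at offset 6. */
static const uint8_t frame_full[14]    = { 0,0,0,0,0,0, 0xaa,0xbb,0xcc,0xdd,0xee,0xff, 0x08,0x00 };
static const uint8_t frame_partial[14] = { 0,0,0,0,0,0, 0x11,0x22,0xcc,0xdd,0xee,0xff, 0x08,0x00 };
static const uint8_t frame_other[14]   = { 0,0,0,0,0,0, 0x11,0x22,0x33,0x44,0x55,0x66, 0x08,0x00 };

long posted_result(const uint8_t *frame)      { return run_filter(posted, COUNT(posted), frame, 14); }
long both_halves_result(const uint8_t *frame) { return run_filter(both_halves, COUNT(both_halves), frame, 14); }

int main(void)
{
    printf("posted      full=%ld partial=%ld other=%ld\n",
           posted_result(frame_full), posted_result(frame_partial), posted_result(frame_other));
    printf("both_halves full=%ld partial=%ld other=%ld\n",
           both_halves_result(frame_full), both_halves_result(frame_partial), both_halves_result(frame_other));
    return 0;
}
```

Running it shows the difference the post is asking about: the posted encoding accepts frame_partial, whose source MAC only matches in its low four bytes, because the first jeq never reaches the ldh; the jt = 0 encoding accepts only the frame whose full six bytes match.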