Documentation
¶
Overview ¶
Provides an API for compiling and manipulating BPF filters. A filter can be either compiled from tcpdump-like expressions, or created from basic BPF instructions. Filters can then be either applied to packet sources (see the capture package) or directly run against binary data.
Index ¶
- Constants
- type Builder
- func (b *Builder) ADD(s Src, val uint32) *Builder
- func (b *Builder) AND(s Src, val uint32) *Builder
- func (b *Builder) AppendInstruction(code Code, jt, jf uint8, k uint32) *Builder
- func (b *Builder) Build() *Filter
- func (b *Builder) DIV(s Src, val uint32) *Builder
- func (b *Builder) JA(j string) *Builder
- func (b *Builder) JEQ(s Src, jt, jf string, cmp uint32) *Builder
- func (b *Builder) JGE(s Src, jt, jf string, cmp uint32) *Builder
- func (b *Builder) JGT(s Src, jt, jf string, cmp uint32) *Builder
- func (b *Builder) JSET(s Src, jt, jf string, cmp uint32) *Builder
- func (b *Builder) LD(s Size, m Mode, val uint32) *Builder
- func (b *Builder) LDX(s Size, m Mode, val uint32) *Builder
- func (b *Builder) LSH(s Src, val uint32) *Builder
- func (b *Builder) Label(name string) *Builder
- func (b *Builder) MOD(s Src, val uint32) *Builder
- func (b *Builder) MUL(s Src, val uint32) *Builder
- func (b *Builder) NEG() *Builder
- func (b *Builder) OR(s Src, val uint32) *Builder
- func (b *Builder) RET(s Src, bytes uint32) *Builder
- func (b *Builder) RSH(s Src, val uint32) *Builder
- func (b *Builder) ST(off uint32) *Builder
- func (b *Builder) STX(off uint32) *Builder
- func (b *Builder) SUB(s Src, val uint32) *Builder
- func (b *Builder) TAX() *Builder
- func (b *Builder) TXA() *Builder
- func (b *Builder) XOR(s Src, val uint32) *Builder
- type Code
- type Filter
- type Mode
- type Size
- type Src
Examples ¶
Constants ¶
const ( LD Code = syscall.BPF_LD LDX = syscall.BPF_LDX ST = syscall.BPF_ST STX = syscall.BPF_STX ALU = syscall.BPF_ALU JMP = syscall.BPF_JMP RET = syscall.BPF_RET MISC = syscall.BPF_MISC )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Builder ¶
type Builder struct {
// contains filtered or unexported fields
}
A Builder is used to compile a BPF filter from basic BPF instructions.
Example ¶
package main
import (
"log"
"github.com/ghedo/go.pkt/filter"
)
func main() {
// Build a filter to match ARP packets on top of Ethernet
flt := filter.NewBuilder().
LD(filter.Half, filter.ABS, 12).
JEQ(filter.Const, "", "fail", 0x806).
RET(filter.Const, 0x40000).
Label("fail").
RET(filter.Const, 0x0).
Build()
if flt.Match([]byte("random data")) {
log.Println("MATCH!!!")
}
}
Output:
func (*Builder) ADD ¶
Append an ADD instruction to the filter, which adds a value to the accumulator. s represents the source operand type and can be either Const (which adds the supplied value) or Index (which adds the index register value).
func (*Builder) AND ¶
Append an AND instruction to the filter, which performs the binary "and" between the accumulator and a value. s represents the source operand type and can be either Const (which uses the supplied value) or Index (which uses the index register value).
func (*Builder) AppendInstruction ¶
Append a raw BPF instruction
func (*Builder) DIV ¶
Append a DIV instruction to the filter, which divides the accumulator by a value. s represents the source operand type and can be either Const (which divides by the supplied value) or Index (which divides by the index register value).
func (*Builder) JA ¶
Append a JA instruction to the filter, which performs a jump to the given label.
func (*Builder) JEQ ¶
Append a JEQ instruction to the filter, which performs a jump to the jt label if the accumulator value equals cmp (if s is Const) or the index register (if s is Index), otherwise jumps to jf.
func (*Builder) JGE ¶
Append a JGE instruction to the filter, which performs a jump to the jt label if the accumulator value is greater than or equals cmp (if s is Const) or the index register (if s is Index), otherwise jumps to jf.
func (*Builder) JGT ¶
Append a JGT instruction to the filter, which performs a jump to the jt label if the accumulator value is greater than cmp (if s is Const) or the index register (if s is Index), otherwise jumps to jf.
func (*Builder) LD ¶
Append an LD instruction to the filter, which loads a value of size s into the accumulator. m represents the addressing mode of the source operand and can be IMM (load a constant value), ABS (load packet data at the given fixed offset), IND (load packet data at the given relative offset), LEN (load the packet length or MEM (load a value from memory at the given offset).
func (*Builder) LDX ¶
Append a LDX (load index) instruction to the filter, which loads a value of size s into the index register. m represents the addressing mode of the source operand and can be IMM (load a constant value), LEN (load the packet length, MEM (load a value from memory at the given offset) or MSH (load the length of the IP header).
func (*Builder) LSH ¶
Append an LSH instruction to the filter, which shifts to the left the accumulator register by a value. s represents the source operand type and can be either Const (which shifts by the supplied value) or Index (which shifts by the index register value).
func (*Builder) Label ¶
Define a new label at the next instruction position. Labels are used in jump instructions to identify the jump target.
func (*Builder) MOD ¶
Append a MOD instruction to the filter, which computes the accumulator modulo a value. s represents the source operand type and can be either Const (which divides by the supplied value) or Index (which divides by the index register value).
func (*Builder) MUL ¶
Append a MUL instruction to the filter, which multiplies a value to the accumulator. s represents the source operand type and can be either Const (which multiplies the supplied value) or Index (which multiplies the index register value).
func (*Builder) OR ¶
Append an OR instruction to the filter, which performs the binary "or" between the accumulator and a value. s represents the source operand type and can be either Const (which uses the supplied value) or Index (which uses the index register value).
func (*Builder) RET ¶
Append a RET instruction to the filter, which terminates the filter program and specifies the amount of the packet to accept. s represents the source operand type and can be either Const (which returns the supplied value) or Acc (which returns the accumulator value).
func (*Builder) RSH ¶
Append an RSH instruction to the filter, which shifts to the right the accumulator register by a value. s represents the source operand type and can be either Const (which shifts by the supplied value) or Index (which shifts by the index register value).
func (*Builder) ST ¶
Append a ST (store) instruction to the filter, which stores the value of the accumulator in memory at the given offset.
func (*Builder) STX ¶
Append a STX (store index) instruction to the filter, which stores the value of the index register in memory at the given offset.
func (*Builder) SUB ¶
Append a SUB instruction to the filter, which subtracts a value from the accumulator. s represents the source operand type and can be either Const (which subtracts the supplied value) or Index (which subtracts the index register value).
func (*Builder) TAX ¶
Append a TAX instruction to the filter. TAX transfers the accumulator value into the index register.
func (*Builder) TXA ¶
Append a TXA instruction to the filter. TXA transfers the index register value into the accumulator.
type Filter ¶
type Filter struct {
// contains filtered or unexported fields
}
Example ¶
package main
import (
"log"
"github.com/ghedo/go.pkt/filter"
"github.com/ghedo/go.pkt/packet"
)
func main() {
// Match UDP or TCP packets on top of Ethernet
flt, err := filter.Compile("udp or tcp", packet.Eth, false)
if err != nil {
log.Fatal(err)
}
if flt.Match([]byte("random data")) {
log.Println("MATCH!!!")
}
}
Output:
Source Files