An ALUOp is an arithmetic or logic operation.
type ALUOp uint16
ALU binary operation types.
const ( ALUOpAdd ALUOp = iota << 4 ALUOpSub ALUOpMul ALUOpDiv ALUOpOr ALUOpAnd ALUOpShiftLeft ALUOpShiftRight ALUOpMod ALUOpXor )
ALUOpConstant executes A = A <Op> Val.
type ALUOpConstant struct { Op ALUOp Val uint32 }
func (a ALUOpConstant) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a ALUOpConstant) String() string
String returns the instruction in assembler notation.
ALUOpX executes A = A <Op> X
type ALUOpX struct { Op ALUOp }
func (a ALUOpX) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a ALUOpX) String() string
String returns the instruction in assembler notation.
An Extension is a function call provided by the kernel that performs advanced operations that are expensive or impossible within the BPF virtual machine.
Extensions are only implemented by the Linux kernel.
TODO: should we prune this list? Some of these extensions seem either broken or near-impossible to use correctly, whereas other (len, random, ifindex) are quite useful.
type Extension int
Extension functions available in the Linux kernel.
const ( // ExtLen returns the length of the packet. ExtLen Extension = 1 // ExtProto returns the packet's L3 protocol type. ExtProto Extension = 0 // ExtType returns the packet's type (skb->pkt_type in the kernel) // // TODO: better documentation. How nice an API do we want to // provide for these esoteric extensions? ExtType Extension = 4 // ExtPayloadOffset returns the offset of the packet payload, or // the first protocol header that the kernel does not know how to // parse. ExtPayloadOffset Extension = 52 // ExtInterfaceIndex returns the index of the interface on which // the packet was received. ExtInterfaceIndex Extension = 8 // ExtNetlinkAttr returns the netlink attribute of type X at // offset A. ExtNetlinkAttr Extension = 12 // ExtNetlinkAttrNested returns the nested netlink attribute of // type X at offset A. ExtNetlinkAttrNested Extension = 16 // ExtMark returns the packet's mark value. ExtMark Extension = 20 // ExtQueue returns the packet's assigned hardware queue. ExtQueue Extension = 24 // ExtLinkLayerType returns the packet's hardware address type // (e.g. Ethernet, Infiniband). ExtLinkLayerType Extension = 28 // ExtRXHash returns the packets receive hash. // // TODO: figure out what this rxhash actually is. ExtRXHash Extension = 32 // ExtCPUID returns the ID of the CPU processing the current // packet. ExtCPUID Extension = 36 // ExtVLANTag returns the packet's VLAN tag. ExtVLANTag Extension = 44 // ExtVLANTagPresent returns non-zero if the packet has a VLAN // tag. // // TODO: I think this might be a lie: it reads bit 0x1000 of the // VLAN header, which changed meaning in recent revisions of the // spec - this extension may now return meaningless information. ExtVLANTagPresent Extension = 48 // ExtVLANProto returns 0x8100 if the frame has a VLAN header, // 0x88a8 if the frame has a "Q-in-Q" double VLAN header, or some // other value if no VLAN information is present. ExtVLANProto Extension = 60 // ExtRand returns a uniformly random uint32. ExtRand Extension = 56 )
An Instruction is one instruction executed by the BPF virtual machine.
type Instruction interface { // Assemble assembles the Instruction into a RawInstruction. Assemble() (RawInstruction, error) }
func Disassemble(raw []RawInstruction) (insts []Instruction, allDecoded bool)
Disassemble attempts to parse raw back into Instructions. Unrecognized RawInstructions are assumed to be an extension not implemented by this package, and are passed through unchanged to the output. The allDecoded value reports whether insts contains no RawInstructions.
Jump skips the following Skip instructions in the program.
type Jump struct { Skip uint32 }
func (a Jump) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a Jump) String() string
String returns the instruction in assembler notation.
JumpIf skips the following Skip instructions in the program if A <Cond> Val is true.
type JumpIf struct { Cond JumpTest Val uint32 SkipTrue uint8 SkipFalse uint8 }
func (a JumpIf) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a JumpIf) String() string
String returns the instruction in assembler notation.
JumpIfX skips the following Skip instructions in the program if A <Cond> X is true.
type JumpIfX struct { Cond JumpTest SkipTrue uint8 SkipFalse uint8 }
func (a JumpIfX) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a JumpIfX) String() string
String returns the instruction in assembler notation.
A JumpTest is a comparison operator used in conditional jumps.
type JumpTest uint16
Supported operators for conditional jumps. K can be RegX for JumpIfX
const ( // K == A JumpEqual JumpTest = iota // K != A JumpNotEqual // K > A JumpGreaterThan // K < A JumpLessThan // K >= A JumpGreaterOrEqual // K <= A JumpLessOrEqual // K & A != 0 JumpBitsSet // K & A == 0 JumpBitsNotSet )
LoadAbsolute loads packet[Off:Off+Size] as an integer value into register A.
type LoadAbsolute struct { Off uint32 Size int // 1, 2 or 4 }
func (a LoadAbsolute) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a LoadAbsolute) String() string
String returns the instruction in assembler notation.
LoadConstant loads Val into register Dst.
type LoadConstant struct { Dst Register Val uint32 }
func (a LoadConstant) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a LoadConstant) String() string
String returns the instruction in assembler notation.
LoadExtension invokes a linux-specific extension and stores the result in register A.
type LoadExtension struct { Num Extension }
func (a LoadExtension) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a LoadExtension) String() string
String returns the instruction in assembler notation.
LoadIndirect loads packet[X+Off:X+Off+Size] as an integer value into register A.
type LoadIndirect struct { Off uint32 Size int // 1, 2 or 4 }
func (a LoadIndirect) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a LoadIndirect) String() string
String returns the instruction in assembler notation.
LoadMemShift multiplies the first 4 bits of the byte at packet[Off] by 4 and stores the result in register X.
This instruction is mainly useful to load into X the length of an IPv4 packet header in a single instruction, rather than have to do the arithmetic on the header's first byte by hand.
type LoadMemShift struct { Off uint32 }
func (a LoadMemShift) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a LoadMemShift) String() string
String returns the instruction in assembler notation.
LoadScratch loads scratch[N] into register Dst.
type LoadScratch struct { Dst Register N int // 0-15 }
func (a LoadScratch) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a LoadScratch) String() string
String returns the instruction in assembler notation.
NegateA executes A = -A.
type NegateA struct{}
func (a NegateA) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a NegateA) String() string
String returns the instruction in assembler notation.
A RawInstruction is a raw BPF virtual machine instruction.
type RawInstruction struct { // Operation to execute. Op uint16 // For conditional jump instructions, the number of instructions // to skip if the condition is true/false. Jt uint8 Jf uint8 // Constant parameter. The meaning depends on the Op. K uint32 }
func Assemble(insts []Instruction) ([]RawInstruction, error)
Assemble converts insts into raw instructions suitable for loading into a BPF virtual machine.
Currently, no optimization is attempted, the assembled program flow is exactly as provided.
func (ri RawInstruction) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (ri RawInstruction) Disassemble() Instruction
Disassemble parses ri into an Instruction and returns it. If ri is not recognized by this package, ri itself is returned.
A Register is a register of the BPF virtual machine.
type Register uint16
const ( // RegA is the accumulator register. RegA is always the // destination register of ALU operations. RegA Register = iota // RegX is the indirection register, used by LoadIndirect // operations. RegX )
RetA exits the BPF program, returning the value of register A.
type RetA struct{}
func (a RetA) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a RetA) String() string
String returns the instruction in assembler notation.
RetConstant exits the BPF program, returning a constant value.
type RetConstant struct { Val uint32 }
func (a RetConstant) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a RetConstant) String() string
String returns the instruction in assembler notation.
A Setter is a type which can attach a compiled BPF filter to itself.
type Setter interface { SetBPF(filter []RawInstruction) error }
StoreScratch stores register Src into scratch[N].
type StoreScratch struct { Src Register N int // 0-15 }
func (a StoreScratch) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a StoreScratch) String() string
String returns the instruction in assembler notation.
TAX copies the value of register A to register X.
type TAX struct{}
func (a TAX) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a TAX) String() string
String returns the instruction in assembler notation.
TXA copies the value of register X to register A.
type TXA struct{}
func (a TXA) Assemble() (RawInstruction, error)
Assemble implements the Instruction Assemble method.
func (a TXA) String() string
String returns the instruction in assembler notation.
A VM is an emulated BPF virtual machine.
type VM struct {
// contains filtered or unexported fields
}
func NewVM(filter []Instruction) (*VM, error)
NewVM returns a new VM using the input BPF program.
▹ Example
func (v *VM) Run(in []byte) (int, error)
Run runs the VM's BPF program against the input bytes. Run returns the number of bytes accepted by the BPF program, and any errors which occurred while processing the program.