diff options
Diffstat (limited to 'share/man')
-rw-r--r-- | share/man/man4/bpf.4 | 1264 |
1 files changed, 726 insertions, 538 deletions
diff --git a/share/man/man4/bpf.4 b/share/man/man4/bpf.4 index 0ee78d2378e..3f21709f634 100644 --- a/share/man/man4/bpf.4 +++ b/share/man/man4/bpf.4 @@ -1,7 +1,5 @@ -.\" -*- nroff -*- -.\" -.\" $OpenBSD: bpf.4,v 1.6 2001/01/29 02:11:08 niklas Exp $ -.\" $NetBSD: bpf.4,v 1.7 1995/09/27 18:31:50 thorpej Exp $ +.\" $OpenBSD: bpf.4,v 1.7 2001/03/26 05:36:06 aaron Exp $ +.\" $NetBSD: bpf.4,v 1.7 1995/09/27 18:31:50 thorpej Exp $ .\" .\" Copyright (c) 1990 The Regents of the University of California. .\" All rights reserved. @@ -25,629 +23,806 @@ .\" This document is derived in part from the enet man page (enet.4) .\" distributed with 4.3BSD Unix. .\" -.TH BPF 4 "23 May 1991" -.SH NAME -bpf \- Berkeley Packet Filter -.SH SYNOPSIS -.B "pseudo-device bpfilter 16" -.SH DESCRIPTION -The Berkeley Packet Filter -provides a raw interface to data link layers in a protocol -independent fashion. -All packets on the network, even those destined for other hosts, -are accessible through this mechanism. -.PP +.Dd May 23, 1991 +.Dt BPF 4 +.Os +.Sh NAME +.Nm bpf +.Nd Berkeley Packet Filter +.Sh SYNOPSIS +.Cd pseudo-device bpfilter 8 +.Sh DESCRIPTION +The Berkeley Packet Filter provides a raw interface to data link layers in +a protocol-independent fashion. +All packets on the network, even those destined for other hosts, are +accessible through this mechanism. +.Pp The packet filter appears as a character special device, -.I /dev/bpf0, /dev/bpf1, +.Pa /dev/bpf0 , +.Pa /dev/bpf1 , etc. -After opening the device, the file descriptor must be bound to a -specific network interface with the BIOSETIF ioctl. -A given interface can be shared be multiple listeners, and the filter +After opening the device, the file descriptor must be bound to a specific +network interface with the +.Dv BIOSETIF +ioctl. +A given interface can be shared between multiple listeners and the filter underlying each descriptor will see an identical packet stream. -The total number of open -files is limited to the value given in the kernel configuration; the -example given in the SYNOPSIS above sets the limit to 16. -.PP +The total number of open files is limited to the value given in the kernel +configuration; the example given in the +.Sx SYNOPSIS +above sets the limit to 8. +.Pp A separate device file is required for each minor device. If a file is in use, the open will fail and -.I errno -will be set to EBUSY. -.PP +.Va errno +will be set to +.Er EBUSY . +.Pp Associated with each open instance of a -.I bpf -file is a user-settable packet filter. -Whenever a packet is received by an interface, -all file descriptors listening on that interface apply their filter. +.Nm +file is a user-settable +packet filter. +Whenever a packet is received by an interface, all file descriptors +listening on that interface apply their filter. Each descriptor that accepts the packet receives its own copy. -.PP -Reads from these files return the next group of packets -that have matched the filter. -To improve performance, the buffer passed to read must be -the same size as the buffers used internally by -.I bpf. -This size is returned by the BIOCGBLEN ioctl (see below), and under -BSD, can be set with BIOCSBLEN. -Note that an individual packet larger than this size is necessarily -truncated. -.PP +.Pp +Reads from these files return the next group of packets that have matched +the filter. +To improve performance, the buffer passed to read must be the same size as +the buffers used internally by +.Nm bpf . +This size is returned by the +.Dv BIOCGBLEN +ioctl (see below), and under BSD, can be set with +.Dv BIOCSBLEN . +Note that an individual packet larger than this size is necessarily truncated. +.Pp The packet filter will support any link level protocol that has fixed length -headers. Currently, only Ethernet, SLIP and PPP drivers have been -modified to interact with -.I bpf. -.PP +headers. +Currently, only Ethernet, SLIP, and PPP drivers have been modified to +interact with +.Nm bpf . +.Pp Since packet data is in network byte order, applications should use the -.I byteorder(3n) +.Xr byteorder 3 macros to extract multi-byte values. -.PP +.Pp A packet can be sent out on the network by writing to a -.I bpf -file descriptor. The writes are unbuffered, meaning only one -packet can be processed per write. +.Nm +file descriptor. +The writes are unbuffered, meaning only one packet can be processed per write. Currently, only writes to Ethernets and SLIP links are supported. -.SH IOCTLS -The -.I ioctl -command codes below are defined in <net/bpf.h>. All commands require -these includes: -.ft B -.nf - - #include <sys/types.h> - #include <sys/time.h> - #include <sys/ioctl.h> - #include <net/bpf.h> - -.fi -.ft R -Additionally, BIOCGETIF and BIOCSETIF require \fB<net/if.h>\fR. - +.Ss Ioctls +The ioctl command codes below are defined in +.Aq Pa net/bpf.h . +All commands require these includes: +.Pp +.Bd -offset indent +.Cd #include <sys/types.h> +.Cd #include <sys/time.h> +.Cd #include <sys/ioctl.h> +.Cd #include <net/bpf.h> +.Ed +.Pp +Additionally, +.Dv BIOCGETIF +and +.Dv BIOCSETIF +require +.Aq Pa net/if.h . +.Pp The (third) argument to the -.I ioctl -should be a pointer to the type indicated. -.TP 10 -.B BIOCGBLEN (u_int) +.Xr ioctl 2 +call should be a pointer to the type indicated. +.Bl -tag -width Ds +.It Dv BIOCGBLEN Pf ( Li int Ns No ) Returns the required buffer length for reads on -.I bpf +.Nm files. -.TP 10 -.B BIOCSBLEN (u_int) +.It Dv BIOCSBLEN Pf ( Li u_int Ns No ) Sets the buffer length for reads on -.I bpf -files. The buffer must be set before the file is attached to an interface -with BIOCSETIF. -If the requested buffer size cannot be accommodated, the closest -allowable size will be set and returned in the argument. -A read call will result in EIO if it is passed a buffer that is not this size. -.TP 10 -.B BIOCGDLT (u_int) +.Nm +files. +The buffer must be set before the file is attached to an interface with +.Dv BIOCSETIF . +If the requested buffer size cannot be accomodated, the closest allowable +size will be set and returned in the argument. +A read call will reseult in +.Er EIO +if it is passed a buffer that is not this size. +.It Dv BIOCGDLT Pf ( Li u_int Ns No ) Returns the type of the data link layer underlying the attached interface. -EINVAL is returned if no interface has been specified. -The device types, prefixed with ``DLT_'', are defined in <net/bpf.h>. -.TP 10 -.B BIOCPROMISC +.Er EINVAL +is returned if no interface has been specified. +The device types, prefixed with +.Dq DLT_ , +are defined in +.Aq Pa net/bpf.h . +.It Dv BIOCPROMISC Forces the interface into promiscuous mode. All packets, not just those destined for the local host, are processed. -Since more than one file can be listening on a given interface, -a listener that opened its interface non-promiscuously may receive -packets promiscuously. This problem can be remedied with an -appropriate filter. -.IP +Since more than one file can be listening on a given interface, a listener +that opened its interface non-promiscuously may receive packets promiscuously. +This problem can be remedied with an appropriate filter. +.Pp The interface remains in promiscuous mode until all files listening promiscuously are closed. -.TP 10 -.B BIOCFLUSH -Flushes the buffer of incoming packets, -and resets the statistics that are returned by BIOCGSTATS. -.TP 10 -.B BIOCGETIF (struct ifreq) +.It Dv BIOCFLUSH +Flushes the buffer of incoming packets and resets the statistics that are +returned by +.Dv BIOCGSTATS . +.It Dv BIOCGETIF Pf ( Li "struct ifreq" Ns No ) Returns the name of the hardware interface that the file is listening on. -The name is returned in the ifr_name field of -.I ifr. +The name is returned in the +.Fa ifr_name +field of the +.Li struct ifreq . All other fields are undefined. -.TP 10 -.B BIOCSETIF (struct ifreq) -Sets the hardware interface associated with the file. This -command must be performed before any packets can be read. +.It Dv BIOCSETIF Pf ( Li "struct ifreq" Ns No ) +Sets the hardware interface associated with the file. +This command must be performed before any packets can be read. The device is indicated by name using the -.I ifr_name +.Fa ifr_name field of the -.I ifreq. -Additionally, performs the actions of BIOCFLUSH. -.TP 10 -.B BIOCSRTIMEOUT, BIOCGRTIMEOUT (struct timeval) +.Li struct ifreq . +Additionally, performs the actions of +.Dv BIOCFLUSH . +.It Xo Dv BIOCSRTIMEOUT , Dv BIOCGRTIMEOUT ( +.Li struct timeval Ns No ) +.Xc Set or get the read timeout parameter. The -.I timeval -specifies the length of time to wait before timing -out on a read request. +.Ar timeval +specifies the length of time to wait before timing out on a read request. This parameter is initialized to zero by -.IR open(2), +.Xr open 2 , indicating no timeout. -.TP 10 -.B BIOCGSTATS (struct bpf_stat) +.It Dv BIOCGSTATS Pf ( Li "struct bpf_stat" Ns No ) Returns the following structure of packet statistics: -.ft B -.nf - +.Pp +.Bd -literal -offset indent struct bpf_stat { u_int bs_recv; u_int bs_drop; }; -.fi -.ft R -.IP +.Ed +.Pp The fields are: -.RS -.TP 15 -.I bs_recv -the number of packets received by the descriptor since opened or reset -(including any buffered since the last read call); -and -.TP -.I bs_drop -the number of packets which were accepted by the filter but dropped by the -kernel because of buffer overflows -(i.e., the application's reads aren't keeping up with the packet traffic). -.RE -.TP 10 -.B BIOCIMMEDIATE (u_int) -Enable or disable ``immediate mode'', based on the truth value of the argument. -When immediate mode is enabled, reads return immediately upon packet -reception. Otherwise, a read will block until either the kernel buffer -becomes full or a timeout occurs. +.Pp +.Bl -tag -width bs_recv +.It Fa bs_recv +Number of packets received by the descriptor since opened or reset (including +any buffered since the last read call). +.It Fa bs_drop +Number of packets which were accepted by the filter but dropped by the kernel +because of buffer overflows (i.e., the application's reads aren't keeping up +with the packet traffic). +.El +.It Dv BIOCIMMEDIATE Pf ( Li u_int Ns No ) +Enable or disable +.Dq immediate mode , +based on the truth value of the argument. +When immediate mode is enabled, reads return immediately upon packet reception. +Otherwise, a read will block until either the kernel buffer becomes full or a +timeout occurs. This is useful for programs like -.I rarpd(8c), +.Xr rarpd 8 , which must respond to messages in real time. The default for a new file is off. -.TP 10 -.B BIOCSETF (struct bpf_program) -Sets the filter program used by the kernel to discard uninteresting -packets. An array of instructions and its length is passed in using -the following structure: -.ft B -.nf - +.It Dv BIOCSETF Pf ( Li "struct bpf_program" Ns No ) +Sets the filter program used by the kernel to discard uninteresting packets. +An array of instructions and its length is passed in using the following +structure: +.Pp +.Bd -literal -offset indent struct bpf_program { int bf_len; struct bpf_insn *bf_insns; }; -.fi -.ft R -.IP +.Ed +.Pp The filter program is pointed to by the -.I bf_insns -field while its length in units of `struct bpf_insn' is given by the -.I bf_len +.Fa bf_insns +field while its length in units of +.Li struct bpf_insn +is given by the +.Fa bf_len field. -Also, the actions of BIOCFLUSH are performed. -.IP -See section \fBFILTER MACHINE\fP for an explanation of the filter language. -.TP 10 -.B BIOCVERSION (struct bpf_version) +Also, the actions of +.Dv BIOCFLUSH +are performed. +.Pp +See section +.Sx FILTER MACHINE +for an explanation of the filter language. +.It Dv BIOCVERSION Pf ( Li "struct bpf_version" Ns No ) Returns the major and minor version numbers of the filter language currently -recognized by the kernel. Before installing a filter, applications must check -that the current version is compatible with the running kernel. Version -numbers are compatible if the major numbers match and the application minor -is less than or equal to the kernel minor. The kernel version number is -returned in the following structure: -.ft B -.nf - +recognized by the kernel. +Before installating a filter, applications must check that the current version +is compatible with the running kernel. +Version numbers are compatible if the major numbers match and the application +minor is less than or equal to the kernel minor. +The kernel version number is returned in the following structure: +.Pp +.Bd -literal -offset indent struct bpf_version { u_short bv_major; u_short bv_minor; }; -.fi -.ft R -.IP +.Ed +.Pp The current version numbers are given by -.B BPF_MAJOR_VERSION +.Dv BPF_MAJOR_VERSION and -.B BPF_MINOR_VERSION -from <net/bpf.h>. -An incompatible filter -may result in undefined behavior (most likely, an error returned by -.I ioctl() -or haphazard packet matching). -.TP 10 -.B BIOCSRSIG BIOCGRSIG (u_int signal) -Set or get the receive signal. This signal will be sent to the process or process group -specified by FIOSETOWN. It defaults to SIGIO. -.SH STANDARD IOCTLS -.I bpf -now supports several standard -.I ioctls -which allow the user to do async and/or non-blocking I/O to an open -.I bpf +.Dv BPF_MINOR_VERSION +from +.Aq Pa net/bpf.h . +An incompatible filter may result in undefined behavior (most likely, an +error returned by +.Xr ioctl 2 +or haphazard packet mactching). +.It Xo Dv BIOCSRSIG , Dv BIOCGRSIG ( +.Li u_int Ns No ) +.Xc +Set or get the receive signal. +This signal will be sent to the process or process group specified by +.Dv FIOSETOWN . +It defaults to +.Dv SIGIO . +.El +.Ss Standard ioctls +.Nm +now supports several standard ioctls which allow the user to do asynchronous +and/or non-blocking I/O to an open +.Nm file descriptor. -.TP 10 -.B FIONREAD (int) +.Bl -tag -width Ds +.It Dv FIONREAD Pf ( Li int Ns No ) Returns the number of bytes that are immediately available for reading. -.TP 10 -.B SIOCGIFADDR (struct ifreq) +.It Dv SIOCGIFADDR Pf ( Li "struct ifreq" Ns No ) Returns the address associated with the interface. -.TP 10 -.B FIONBIO (int) -Set or clear non-blocking I/O. If arg is non-zero, then doing a -.I read -when no data is available will return -1 and -.I errno -will be set to EWOULDBLOCK. -If arg is zero, non-blocking I/O is disabled. Note: setting this -overrides the timeout set by BIOCSRTIMEOUT. -.TP 10 -.B FIOASYNC (int) -Enable or disable async I/O. When enabled (arg is non-zero), the process or -process group specified by FIOSETOWN will start receiving SIGIO's when packets -arrive. Note that you must do an FIOSETOWN in order for this to take effect, as -the system will not default this for you. -The signal may be changed via BIOCSRSIG. -.TP 10 -.B FIOSETOWN FIOGETOWN (int) -Set or get the process or process group (if negative) that should receive SIGIO -when packets are available. The signal may be changed using BIOCSRSIG (see above). -.SH BPF HEADER +.It Dv FIONBIO Pf ( Li int Ns No ) +Set or clear non-blocking I/O. +If the argument is non-zero, then doing a read when no data is available will +return \-1 and +.Va errno +will be set to +.Er EWOULDBLOCK . +If the argument is zero, non-blocking I/O is disabled. +Note: setting this overrides the timeout set by +.Dv BIOCSRTIMEOUT . +.It Dv FIOASYNC Pf ( Li int Ns No ) +Enable or disable asynchronous I/O. +When enabled (argument is non-zero), the process or process group specified +by +.Dv FIOSETOWN +will start receiving +.Dv SIGIO +signals when packets arrive. +Note that you must perform an +.Dv FIOSETOWN +command in order for this to take effect, as the system will not do it by +default. +The signal may be changed via +.Dv BIOCSRSIG . +.It Xo Dv FIOSETOWN , Dv FIOGETOWN ( +.Li int Ns No ) +.Xc +Set or get the process or process group (if negative) that should receive +.Dv SIGIO +when packets are available. +The signal may be changed using +.Dv BIOCSRSIG +(see above). +.El +.Ss BPF header The following structure is prepended to each packet returned by -.I read(2): -.in 15 -.ft B -.nf - +.Xr read 2 : +.Pp +.Bd -literal -offset indent struct bpf_hdr { struct timeval bh_tstamp; u_long bh_caplen; u_long bh_datalen; u_short bh_hdrlen; }; -.fi -.ft R -.in -15 -.PP -The fields, whose values are stored in host order, and are: -.TP 15 -.I bh_tstamp -The time at which the packet was processed by the packet filter. -.TP -.I bh_caplen -The length of the captured portion of the packet. This is the minimum of -the truncation amount specified by the filter and the length of the packet. -.TP -.I bh_datalen -The length of the packet off the wire. +.Ed +.Pp +The fields, stored in host order, are as follows: +.Bl -tag -width Ds +.It Fa bh_tstamp +Time at which the packet was processed by the packet filter. +.It Fa bh_caplen +Length of the captured portion of the packet. +This is the minimum of the truncation amount specified by the filter and the +length of the packet. +.It Fa bh_datalen +Length of the packet off the wire. This value is independent of the truncation amount specified by the filter. -.TP -.I bh_hdrlen -The length of the BPF header, which may not be equal to -.I sizeof(struct bpf_hdr). -.RE -.PP +.It Fa bh_hdrlen +Length of the BPF header, which may not be equal to +.Li sizeof(struct bpf_hdr) . +.El +.Pp The -.I bh_hdrlen -field exists to account for -padding between the header and the link level protocol. -The purpose here is to guarantee proper alignment of the packet -data structures, which is required on alignment sensitive -architectures and improves performance on many other architectures. -The packet filter insures that the -.I bpf_hdr -and the \fInetwork layer\fR header will be word aligned. Suitable precautions -must be taken when accessing the link layer protocol fields on alignment -restricted machines. (This isn't a problem on an Ethernet, since -the type field is a short falling on an even offset, -and the addresses are probably accessed in a bytewise fashion). -.PP -Additionally, individual packets are padded so that each starts -on a word boundary. This requires that an application -has some knowledge of how to get from packet to packet. -The macro BPF_WORDALIGN is defined in <net/bpf.h> to facilitate -this process. It rounds up its argument -to the nearest word aligned value (where a word is BPF_ALIGNMENT bytes wide). -.PP -For example, if `p' points to the start of a packet, this expression -will advance it to the next packet: -.sp -.RS -.ce 1 -.nf -p = (char *)p + BPF_WORDALIGN(p->bh_hdrlen + p->bh_caplen) -.fi -.RE -.PP -For the alignment mechanisms to work properly, the -buffer passed to -.I read(2) +.Fa bh_hdrlen +field exists to account for padding between the header and the link level +protocol. +The purpose here is to guarantee proper alignment of the packet data +structures, which is required on alignment-sensitive architectures and +improves performance on many other architectures. +The packet filter ensures that the +.Fa bpf_hdr +and the network layer header will be word aligned. +Suitable precuations must be taken when accessing the link layer protocol +fields on alignment restricted machines. +(This isn't a problem on an Ethernet, since the type field is a +.Li short +falling on an even offset, and the addresses are probably accessed in a +bytewise fashion). +.Pp +Additionally, individual packets are padded so that each starts on a +word boundary. +This requires that an application has some knowledge of how to get from packet +to packet. +The macro +.Dv BPF_WORDALIGN +is defined in +.Aq Pa net/bpf.h +to facilitate this process. +It rounds up its argument to the nearest word aligned value (where a word is +.Dv BPF_ALIGNMENT +bytes wide). +For example, if +.Va p +points to the start of a packet, this expression will advance it to the +next packet: +.Pp +.Dl p = (char *)p + BPF_WORDALIGN(p->bh_hdrlen + p->bh_caplen); +.Pp +For the alignment mechanisms to work properly, the buffer passed to +.Xr read 2 must itself be word aligned. -.I malloc(3) +.Xr malloc 3 will always return an aligned buffer. -.ft R -.SH FILTER MACHINE -A filter program is an array of instructions, with all branches forwardly -directed, terminated by a \fBreturn\fP instruction. -Each instruction performs some action on the pseudo-machine state, -which consists of an accumulator, index register, scratch memory store, -and implicit program counter. - +.Ss Filter machine +A filter program is an array of instructions with all branches forwardly +directed, terminated by a +.Dq return +instruction. +Each instruction performs some action on the pseudo-machine state, which +consists of an accumulator, index register, scratch memory store, and +implicit program counter. +.Pp The following structure defines the instruction format: -.RS -.ft B -.nf - +.Pp +.Bd -literal -offset indent struct bpf_insn { - u_short code; - u_char jt; - u_char jf; + u_short code; + u_char jt; + u_char jf; long k; }; -.fi -.ft R -.RE - -The \fIk\fP field is used in different ways by different instructions, -and the \fIjt\fP and \fIjf\fP fields are used as offsets -by the branch instructions. +.Ed +.Pp +The +.Fa k +field is used in different ways by different instructions, and the +.Fa jt +and +.Fa jf +fields are used as offsets by the branch instructions. The opcodes are encoded in a semi-hierarchical fashion. -There are eight classes of instructions: BPF_LD, BPF_LDX, BPF_ST, BPF_STX, -BPF_ALU, BPF_JMP, BPF_RET, and BPF_MISC. Various other mode and -operator bits are or'd into the class to give the actual instructions. -The classes and modes are defined in <net/bpf.h>. - -Below are the semantics for each defined BPF instruction. +There are eight classes of instructions: +.Dv BPF_LD , +.Dv BPF_LDX , +.Dv BPF_ST , +.Dv BPF_STX , +.Dv BPF_ALU , +.Dv BPF_JMP , +.Dv BPF_RET , +and +.Dv BPF_MISC . +Various other mode and operator bits are logically OR'd into the class to +given the actual instructions. +The classes and modes are defined in +.Aq Pa net/bpf.h . +Below are the semantics for each defined +.Nm +instruction. We use the convention that A is the accumulator, X is the index register, P[] packet data, and M[] scratch memory store. -P[i:n] gives the data at byte offset ``i'' in the packet, -interpreted as a word (n=4), -unsigned halfword (n=2), or unsigned byte (n=1). -M[i] gives the i'th word in the scratch memory store, which is only -addressed in word units. The memory store is indexed from 0 to BPF_MEMWORDS-1. -\fIk\fP, \fIjt\fP, and \fIjf\fP are the corresponding fields in the -instruction definition. ``len'' refers to the length of the packet. - -.TP 10 -.B BPF_LD -These instructions copy a value into the accumulator. The type of the -source operand is specified by an ``addressing mode'' and can be -a constant (\fBBPF_IMM\fP), packet data at a fixed offset (\fBBPF_ABS\fP), -packet data at a variable offset (\fBBPF_IND\fP), the packet length -(\fBBPF_LEN\fP), -or a word in the scratch memory store (\fBBPF_MEM\fP). -For \fBBPF_IND\fP and \fBBPF_ABS\fP, the data size must be specified as a word -(\fBBPF_W\fP), halfword (\fBBPF_H\fP), or byte (\fBBPF_B\fP). -The semantics of all the recognized BPF_LD instructions follow. - -.RS -.TP 30 -.B BPF_LD+BPF_W+BPF_ABS +P[i:n] gives the data at byte offset +.Dq i +in the packet, interpreted as a word (n=4), unsigned halfword (n=2), or +unsigned byte (n=1). +M[i] gives the i'th word in the scratch memory store, which is only addressed +in word units. +The memory store is indexed from 0 to +.Dv BPF_MEMWORDS Ns No \-1 . +.Fa k , +.Fa jt , +and +.Fa jf +are the corresponding fields in the instruction definition. +.Dq len +refers to the length of the packet. +.Pp +.Bl -tag -width Ds +.It Dv BPF_LD +These instructions copy a value into the accumulator. +The type of the source operand is specified by an +.Dq addressing mode +and can be a constant +.Pf ( Dv BPF_IMM ) , +packet data at a fixed offset +.Pf ( Dv BPF_ABS ) , +packet data at a variable offset +.Pf ( Dv BPF_IND ) , +the packet length +.Pf ( Dv BPF_LEN ) , +or a word in the scratch memory store +.Pf ( Dv BPF_MEM ) . +For +.Dv BPF_IND +and +.Dv BPF_ABS , +the data size must be specified as a word +.Pf ( Dv BPF_W ) , +halfword +.Pf ( Dv BPF_H ) , +or byte +.Pf ( Dv BPF_B ) . +The semantics of all recognized +.Dv BPF_LD +instructions follow. +.Pp +.Bl -tag -width 32n -compact +.Sm off +.It Xo Dv BPF_LD No + Dv BPF_W No + +.Dv BPF_ABS +.Xc +.Sm on A <- P[k:4] -.TP -.B BPF_LD+BPF_H+BPF_ABS +.Sm off +.It Xo Dv BPF_LD No + Dv BPF_H No + +.Dv BPF_ABS +.Xc +.Sm on A <- P[k:2] -.TP -.B BPF_LD+BPF_B+BPF_ABS +.Sm off +.It Xo Dv BPF_LD No + Dv BPF_B No + +.Dv BPF_ABS +.Xc +.Sm on A <- P[k:1] -.TP -.B BPF_LD+BPF_W+BPF_IND +.Sm off +.It Xo Dv BPF_LD No + Dv BPF_W No + +.Dv BPF_IND +.Xc +.Sm on A <- P[X+k:4] -.TP -.B BPF_LD+BPF_H+BPF_IND +.Sm off +.It Xo Dv BPF_LD No + Dv BPF_H No + +.Dv BPF_IND +.Xc +.Sm on A <- P[X+k:2] -.TP -.B BPF_LD+BPF_B+BPF_IND +.Sm off +.It Xo Dv BPF_LD No + Dv BPF_B No + +.Dv BPF_IND +.Xc +.Sm on A <- P[X+k:1] -.TP -.B BPF_LD+BPF_W+BPF_LEN +.Sm off +.It Xo Dv BPF_LD No + Dv BPF_W No + +.Dv BPF_LEN +.Xc +.Sm on A <- len -.TP -.B BPF_LD+BPF_IMM +.Sm off +.It Dv BPF_LD No + Dv BPF_IMM +.Sm on A <- k -.TP -.B BPF_LD+BPF_MEM +.It Dv BPF_LD No + Dv BPF_MEM +.Sm on A <- M[k] -.RE - -.TP 10 -.B BPF_LDX -These instructions load a value into the index register. Note that -the addressing modes are more restricted than those of the accumulator loads, -but they include -.B BPF_MSH, +.El +.It Dv BPF_LDX +These instructions load a value into the index register. +Note that the addressign modes are more restricted than those of the +accumulator loads, but they include +.Dv BPF_MSH , a hack for efficiently loading the IP header length. -.RS -.TP 30 -.B BPF_LDX+BPF_W+BPF_IMM +.Pp +.Bl -tag -width 32n -compact +.Sm off +.It Xo Dv BPF_LDX No + Dv BPF_W No + +.Dv BPF_IMM +.Xc +.Sm on X <- k -.TP -.B BPF_LDX+BPF_W+BPF_MEM +.Sm off +.It Xo Dv BPF_LDX No + Dv BPF_W No + +.Dv BPF_MEM +.Xc +.Sm on X <- M[k] -.TP -.B BPF_LDX+BPF_W+BPF_LEN +.Sm off +.It Xo Dv BPF_LDX No + Dv BPF_W No + +.Dv BPF_LEN +.Xc +.Sm on X <- len -.TP -.B BPF_LDX+BPF_B+BPF_MSH +.Sm off +.It Xo Dv BPF_LDX No + Dv BPF_B No + +.Dv BPF_MSH +.Xc +.Sm on X <- 4*(P[k:1]&0xf) -.RE - -.TP 10 -.B BPF_ST +.El +.It Dv BPF_ST This instruction stores the accumulator into the scratch memory. -We do not need an addressing mode since there is only one possibility -for the destination. -.RS -.TP 30 -.B BPF_ST +We do not need an addressing mode since there is only one possibility for +the destination. +.Pp +.Bl -tag -width 32n -compact +.It Dv BPF_ST M[k] <- A -.RE - -.TP 10 -.B BPF_STX +.El +.It Dv BPF_STX This instruction stores the index register in the scratch memory store. -.RS -.TP 30 -.B BPF_STX +.Pp +.Bl -tag -width 32n -compact +.It Dv BPF_STX M[k] <- X -.RE - -.TP 10 -.B BPF_ALU -The alu instructions perform operations between the accumulator and -index register or constant, and store the result back in the accumulator. -For binary operations, a source mode is required (\fBBPF_K\fP or -\fBBPF_X\fP). -.RS -.TP 30 -.B BPF_ALU+BPF_ADD+BPF_K +.El +.It Dv BPF_ALU +The ALU instructions perform operations between the accumulator and index +register or constant, and store the result back in the accumulator. +For binary operations, a source mode is required +.Pf ( Dv BPF_K +or +.Dv BPF_X ) . +.Pp +.Bl -tag -width 32n -compact +.Sm off +.It Xo Dv BPF_ALU No + BPF_ADD No + +.Dv BPF_K +.Xc +.Sm on A <- A + k -.TP -.B BPF_ALU+BPF_SUB+BPF_K +.Sm off +.It Xo Dv BPF_ALU No + BPF_SUB No + +.Dv BPF_K +.Xc +.Sm on A <- A - k -.TP -.B BPF_ALU+BPF_MUL+BPF_K +.Sm off +.It Xo Dv BPF_ALU No + BPF_MUL No + +.Dv BPF_K +.Xc +.Sm on A <- A * k -.TP -.B BPF_ALU+BPF_DIV+BPF_K +.Sm off +.It Xo Dv BPF_ALU No + BPF_DIV No + +.Dv BPF_K +.Xc +.Sm on A <- A / k -.TP -.B BPF_ALU+BPF_AND+BPF_K +.Sm off +.It Xo Dv BPF_ALU No + BPF_AND No + +.Dv BPF_K +.Xc +.Sm on A <- A & k -.TP -.B BPF_ALU+BPF_OR+BPF_K +.Sm off +.It Xo Dv BPF_ALU No + BPF_OR No + +.Dv BPF_K +.Xc +.Sm on A <- A | k -.TP -.B BPF_ALU+BPF_LSH+BPF_K +.Sm off +.It Xo Dv BPF_ALU No + BPF_LSH No + +.Dv BPF_K +.Xc +.Sm on A <- A << k -.TP -.B BPF_ALU+BPF_RSH+BPF_K +.Sm off +.It Xo Dv BPF_ALU No + BPF_RSH No + +.Dv BPF_K +.Xc +.Sm on A <- A >> k -.TP -.B BPF_ALU+BPF_ADD+BPF_X +.Sm off +.It Xo Dv BPF_ALU No + BPF_ADD No + +.Dv BPF_X +.Xc +.Sm on A <- A + X -.TP -.B BPF_ALU+BPF_SUB+BPF_X +.Sm off +.It Xo Dv BPF_ALU No + BPF_SUB No + +.Dv BPF_X +.Xc +.Sm on A <- A - X -.TP -.B BPF_ALU+BPF_MUL+BPF_X +.Sm off +.It Xo Dv BPF_ALU No + BPF_MUL No + +.Dv BPF_X +.Xc +.Sm on A <- A * X -.TP -.B BPF_ALU+BPF_DIV+BPF_X +.Sm off +.It Xo Dv BPF_ALU No + BPF_DIV No + +.Dv BPF_X +.Xc +.Sm on A <- A / X -.TP -.B BPF_ALU+BPF_AND+BPF_X +.Sm off +.It Xo Dv BPF_ALU No + BPF_AND No + +.Dv BPF_X +.Xc +.Sm on A <- A & X -.TP -.B BPF_ALU+BPF_OR+BPF_X +.Sm off +.It Xo Dv BPF_ALU No + BPF_OR No + +.Dv BPF_X +.Xc +.Sm on A <- A | X -.TP -.B BPF_ALU+BPF_LSH+BPF_X +.Sm off +.It Xo Dv BPF_ALU No + BPF_LSH No + +.Dv BPF_X +.Xc +.Sm on A <- A << X -.TP -.B BPF_ALU+BPF_RSH+BPF_X +.Sm off +.It Xo Dv BPF_ALU No + BPF_RSH No + +.Dv BPF_X +.Xc +.Sm on A <- A >> X -.TP -.B BPF_ALU+BPF_NEG +.Sm off +.It Dv BPF_ALU No + BPF_NEG +.Sm on A <- -A -.RE - -.TP 10 -.B BPF_JMP -The jump instructions alter flow of control. Conditional jumps -compare the accumulator against a constant (\fBBPF_K\fP) or -the index register (\fBBPF_X\fP). If the result is true (or non-zero), -the true branch is taken, otherwise the false branch is taken. +.El +.It Dv BPF_JMP +The jump instructions alter flow of control. +Conditional jumps compare the accumulator against a constant +.Pf ( Dv BPF_K ) +or the index register +.Pf ( Dv BPF_X ) . +If the result is true (or non-zero), the true branch is taken, otherwise the +false branch is taken. Jump offsets are encoded in 8 bits so the longest jump is 256 instructions. -However, the jump always (\fBBPF_JA\fP) opcode uses the 32 bit \fIk\fP +However, the jump always +.Pf ( Dv BPF_JA ) +opcode uses the 32-bit +.Fa k field as the offset, allowing arbitrarily distant destinations. All conditionals use unsigned comparison conventions. -.RS -.TP 30 -.B BPF_JMP+BPF_JA +.Pp +.Bl -tag -width 32n -compact +.Sm off +.It Dv BPF_JMP No + BPF_JA pc += k -.TP -.B BPF_JMP+BPF_JGT+BPF_K +.Sm on +.Sm off +.It Xo Dv BPF_JMP No + BPF_JGT No + +.Dv BPF_K +.Xc +.Sm on pc += (A > k) ? jt : jf -.TP -.B BPF_JMP+BPF_JGE+BPF_K +.Sm off +.It Xo Dv BPF_JMP No + BPF_JGE No + +.Dv BPF_K +.Xc +.Sm on pc += (A >= k) ? jt : jf -.TP -.B BPF_JMP+BPF_JEQ+BPF_K +.Sm off +.It Xo Dv BPF_JMP No + BPF_JEQ No + +.Dv BPF_K +.Xc +.Sm on pc += (A == k) ? jt : jf -.TP -.B BPF_JMP+BPF_JSET+BPF_K +.Sm off +.It Xo Dv BPF_JMP No + BPF_JSET No + +.Dv BPF_K +.Xc +.Sm on pc += (A & k) ? jt : jf -.TP -.B BPF_JMP+BPF_JGT+BPF_X +.Sm off +.It Xo Dv BPF_JMP No + BPF_JGT No + +.Dv BPF_X +.Xc +.Sm on pc += (A > X) ? jt : jf -.TP -.B BPF_JMP+BPF_JGE+BPF_X +.Sm off +.It Xo Dv BPF_JMP No + BPF_JGE No + +.Dv BPF_X +.Xc +.Sm on pc += (A >= X) ? jt : jf -.TP -.B BPF_JMP+BPF_JEQ+BPF_X +.Sm off +.It Xo Dv BPF_JMP No + BPF_JEQ No + +.Dv BPF_X +.Xc +.Sm on pc += (A == X) ? jt : jf -.TP -.B BPF_JMP+BPF_JSET+BPF_X +.Sm off +.It Xo Dv BPF_JMP No + BPF_JSET No + +.Dv BPF_X +.Xc +.Sm on pc += (A & X) ? jt : jf -.RE -.TP 10 -.B BPF_RET +.El +.It Dv BPF_RET The return instructions terminate the filter program and specify the amount -of packet to accept (i.e., they return the truncation amount). A return -value of zero indicates that the packet should be ignored. -The return value is either a constant (\fBBPF_K\fP) or the accumulator -(\fBBPF_A\fP). -.RS -.TP 30 -.B BPF_RET+BPF_A -accept A bytes -.TP -.B BPF_RET+BPF_K -accept k bytes -.RE -.TP 10 -.B BPF_MISC -The miscellaneous category was created for anything that doesn't -fit into the above classes, and for any new instructions that might need to -be added. Currently, these are the register transfer instructions -that copy the index register to the accumulator or vice versa. -.RS -.TP 30 -.B BPF_MISC+BPF_TAX +of packet to accept (i.e., they return the truncation amount). +A return value of zero indicates that the packet should be ignored. +The return value is either a constnat +.Pf ( Dv BPF_K ) +of the accumulator +.Pf ( Dv BPF_A ) . +.Pp +.Bl -tag -width 32n -compact +.It Dv BPF_RET No + Dv BPF_A +Accept A bytes. +.It Dv BPF_RET No + Dv BPF_K +Accept k bytes. +.El +.It Dv BPF_MISC +The miscellaneous category was created for anything that doesn't fit into +the above classes, and for any new instructions that might need to be added. +Currently, these are the register transfer instructions that copy the index +register to the accumulator or vice versa. +.Pp +.Bl -tag -width 32n -compact +.Sm off +.It Dv BPF_MISC No + Dv BPF_TAX +.Sm on X <- A -.TP -.B BPF_MISC+BPF_TXA +.Sm off +.It Dv BPF_MISC No + Dv BPF_TXA +.Sm on A <- X -.RE -.PP -The BPF interface provides the following macros to facilitate -array initializers: -.RS -\fBBPF_STMT\fI(opcode, operand)\fR -.br -and -.br -\fBBPF_JUMP\fI(opcode, operand, true_offset, false_offset)\fR -.RE -.PP -.SH EXAMPLES -The following filter is taken from the Reverse ARP Daemon. It accepts -only Reverse ARP requests. -.RS -.nf - +.El +.El +.Pp +The +.Nm +interface provides the following macros to facilitate array initializers: +.Pp +.Bd -offset indent +.Dv BPF_STMT Ns No ( Ns Ar opcode , +.Ar operand Ns No ) +.Pp +.Dv BPF_JUMP Ns No ( Ns Ar opcode , +.Ar operand , +.Ar true_offset , +.Ar false_offset Ns No ) +.Ed +.Sh EXAMPLES +The following filter is taken from the Reverse ARP daemon. +It accepts only Reverse ARP requests. +.Pp +.Bd -literal -offset indent struct bpf_insn insns[] = { BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3), BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1), BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) + - sizeof(struct ether_header)), + sizeof(struct ether_header)), BPF_STMT(BPF_RET+BPF_K, 0), }; -.fi -.RE -.PP +.Ed +.Pp This filter accepts only IP packets between host 128.3.112.15 and 128.3.112.35. -.RS -.nf - +.Pp +.Bd -literal -offset indent struct bpf_insn insns[] = { BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 8), @@ -661,16 +836,16 @@ struct bpf_insn insns[] = { BPF_STMT(BPF_RET+BPF_K, (u_int)-1), BPF_STMT(BPF_RET+BPF_K, 0), }; -.fi -.RE -.PP -Finally, this filter returns only TCP finger packets. We must parse -the IP header to reach the TCP header. The \fBBPF_JSET\fP instruction -checks that the IP fragment offset is 0 so we are sure -that we have a TCP header. -.RS -.nf - +.Ed +.Pp +Finally, this filter returns only TCP finger packets. +We must parse the IP header to reach the TCP header. +The +.Dv BPF_JSET +instruction checks that the IP fragment offset is 0 so we are sure that we +have a TCP header. +.Pp +.Bd -literal -offset indent struct bpf_insn insns[] = { BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 10), @@ -686,38 +861,51 @@ struct bpf_insn insns[] = { BPF_STMT(BPF_RET+BPF_K, (u_int)-1), BPF_STMT(BPF_RET+BPF_K, 0), }; -.fi -.RE -.SH SEE ALSO -tcpdump(8), signal(3), ioctl(2), read(2), select(2) -.LP -McCanne, S., Jacobson V., -.RI ` "An efficient, extensible, and portable network monitor" ' -.SH FILES -/dev/bpf0, /dev/bpf1, ... -.SH BUGS -The read buffer must be of a fixed size (returned by the BIOCGBLEN ioctl). -.PP +.Ed +.Sh SEE ALSO +.Xr ioctl 2 , +.Xr read 2 , +.Xr select 2 , +.Xr signal 3 , +.Xr tcpdump 8 +.Rs +.%A McCanne, S., Jacobson V. +.%J "An efficient, extensible, and portable network monitor" +.Re +.Sh FILES +.Bl -tag -width /dev/bpf[0-9] -compact +.It Pa /dev/bpf[0-9] +BPF devices +.El +.Sh AUTHORS +Steve McCanne of Lawrence Berkeley Laboratary implemented BPF in Summer 1990. +Much of the design is due to Van Jacobson. +.Sh HISTORY +The Enet packet filter was created in 1980 by Mike Accetta and Rick Rashid +at Carnegie-Mellon University. +Jeffrey Mogul, at Stanford, ported the code to BSD and continued its +development from 1983 on. +Since then, it has evolved into the Ultrix Packet Filter at DEC, a STREAMS +NIT module under SunOS 4.1, and BPF. +.Sh BUGS +The read buffer must be of a fixed size (returned by the +.Dv BIOCGBLEN +ioctl). +.Pp A file that does not request promiscuous mode may receive promiscuously -received packets as a side effect of another file requesting this -mode on the same hardware interface. This could be fixed in the kernel -with additional processing overhead. However, we favor the model where -all files must assume that the interface is promiscuous, and if -so desired, must utilize a filter to reject foreign packets. -.PP +received packets as a side effect of another file requesting this mode on +the same hardware interface. +This could be fixed in the kernel with additional processing overead. +However, we favor the model where all files must assume that the interface +is promiscuous, and if so desired, must utilize a filter to reject foreign +packets. +.Pp Data link protocols with variable length headers are not currently supported. -.PP -Under SunOS, if a BPF application reads more than 2^31 bytes of -data, read will fail in EINVAL. You can either fix the bug in SunOS, -or lseek to 0 when read fails for this reason. -.SH HISTORY -.PP -The Enet packet filter was created in 1980 by Mike Accetta and -Rick Rashid at Carnegie-Mellon University. Jeffrey Mogul, at -Stanford, ported the code to BSD and continued its development from -1983 on. Since then, it has evolved into the Ultrix Packet Filter -at DEC, a STREAMS NIT module under SunOS 4.1, and BPF. -.SH AUTHORS -.PP -Steven McCanne, of Lawrence Berkeley Laboratory, implemented BPF in -Summer 1990. Much of the design is due to Van Jacobson. +.Pp +Under SunOS, if a +.Nm +application reads more than 2^31 bytes of data, read will fail with +.Er EINVAL . +You can either fix the bug in SunOS, or lseek to 0 when read fails for this +reason. + |