1.\" Copyright (c) 2007 Seccuris Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed by Robert N. M. Watson under contract to 5.\" Seccuris Inc. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" Copyright (c) 1990 The Regents of the University of California. 29.\" All rights reserved. 30.\" 31.\" Redistribution and use in source and binary forms, with or without 32.\" modification, are permitted provided that: (1) source code distributions 33.\" retain the above copyright notice and this paragraph in its entirety, (2) 34.\" distributions including binary code include the above copyright notice and 35.\" this paragraph in its entirety in the documentation or other materials 36.\" provided with the distribution, and (3) all advertising materials mentioning 37.\" features or use of this software display the following acknowledgement: 38.\" ``This product includes software developed by the University of California, 39.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 40.\" the University nor the names of its contributors may be used to endorse 41.\" or promote products derived from this software without specific prior 42.\" written permission. 43.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 44.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 45.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 46.\" 47.\" This document is derived in part from the enet man page (enet.4) 48.\" distributed with 4.3BSD Unix. 49.\" 50.\" $FreeBSD$ 51.\" 52.Dd June 15, 2010 53.Dt BPF 4 54.Os 55.Sh NAME 56.Nm bpf 57.Nd Berkeley Packet Filter 58.Sh SYNOPSIS 59.Cd device bpf 60.Sh DESCRIPTION 61The Berkeley Packet Filter 62provides a raw interface to data link layers in a protocol 63independent fashion. 64All packets on the network, even those destined for other hosts, 65are accessible through this mechanism. 66.Pp 67The packet filter appears as a character special device, 68.Pa /dev/bpf . 69After opening the device, the file descriptor must be bound to a 70specific network interface with the 71.Dv BIOCSETIF 72ioctl. 73A given interface can be shared by multiple listeners, and the filter 74underlying each descriptor will see an identical packet stream. 75.Pp 76A separate device file is required for each minor device. 77If a file is in use, the open will fail and 78.Va errno 79will be set to 80.Er EBUSY . 81.Pp 82Associated with each open instance of a 83.Nm 84file is a user-settable packet filter. 85Whenever a packet is received by an interface, 86all file descriptors listening on that interface apply their filter. 87Each descriptor that accepts the packet receives its own copy. 88.Pp 89The packet filter will support any link level protocol that has fixed length 90headers. 91Currently, only Ethernet, 92.Tn SLIP , 93and 94.Tn PPP 95drivers have been modified to interact with 96.Nm . 97.Pp 98Since packet data is in network byte order, applications should use the 99.Xr byteorder 3 100macros to extract multi-byte values. 101.Pp 102A packet can be sent out on the network by writing to a 103.Nm 104file descriptor. 105The writes are unbuffered, meaning only one packet can be processed per write. 106Currently, only writes to Ethernets and 107.Tn SLIP 108links are supported. 109.Sh BUFFER MODES 110.Nm 111devices deliver packet data to the application via memory buffers provided by 112the application. 113The buffer mode is set using the 114.Dv BIOCSETBUFMODE 115ioctl, and read using the 116.Dv BIOCGETBUFMODE 117ioctl. 118.Ss Buffered read mode 119By default, 120.Nm 121devices operate in the 122.Dv BPF_BUFMODE_BUFFER 123mode, in which packet data is copied explicitly from kernel to user memory 124using the 125.Xr read 2 126system call. 127The user process will declare a fixed buffer size that will be used both for 128sizing internal buffers and for all 129.Xr read 2 130operations on the file. 131This size is queried using the 132.Dv BIOCGBLEN 133ioctl, and is set using the 134.Dv BIOCSBLEN 135ioctl. 136Note that an individual packet larger than the buffer size is necessarily 137truncated. 138.Ss Zero-copy buffer mode 139.Nm 140devices may also operate in the 141.Dv BPF_BUFMODE_ZEROCOPY 142mode, in which packet data is written directly into two user memory buffers 143by the kernel, avoiding both system call and copying overhead. 144Buffers are of fixed (and equal) size, page-aligned, and an even multiple of 145the page size. 146The maximum zero-copy buffer size is returned by the 147.Dv BIOCGETZMAX 148ioctl. 149Note that an individual packet larger than the buffer size is necessarily 150truncated. 151.Pp 152The user process registers two memory buffers using the 153.Dv BIOCSETZBUF 154ioctl, which accepts a 155.Vt struct bpf_zbuf 156pointer as an argument: 157.Bd -literal 158struct bpf_zbuf { 159 void *bz_bufa; 160 void *bz_bufb; 161 size_t bz_buflen; 162}; 163.Ed 164.Pp 165.Vt bz_bufa 166is a pointer to the userspace address of the first buffer that will be 167filled, and 168.Vt bz_bufb 169is a pointer to the second buffer. 170.Nm 171will then cycle between the two buffers as they fill and are acknowledged. 172.Pp 173Each buffer begins with a fixed-length header to hold synchronization and 174data length information for the buffer: 175.Bd -literal 176struct bpf_zbuf_header { 177 volatile u_int bzh_kernel_gen; /* Kernel generation number. */ 178 volatile u_int bzh_kernel_len; /* Length of data in the buffer. */ 179 volatile u_int bzh_user_gen; /* User generation number. */ 180 /* ...padding for future use... */ 181}; 182.Ed 183.Pp 184The header structure of each buffer, including all padding, should be zeroed 185before it is configured using 186.Dv BIOCSETZBUF . 187Remaining space in the buffer will be used by the kernel to store packet 188data, laid out in the same format as with buffered read mode. 189.Pp 190The kernel and the user process follow a simple acknowledgement protocol via 191the buffer header to synchronize access to the buffer: when the header 192generation numbers, 193.Vt bzh_kernel_gen 194and 195.Vt bzh_user_gen , 196hold the same value, the kernel owns the buffer, and when they differ, 197userspace owns the buffer. 198.Pp 199While the kernel owns the buffer, the contents are unstable and may change 200asynchronously; while the user process owns the buffer, its contents are 201stable and will not be changed until the buffer has been acknowledged. 202.Pp 203Initializing the buffer headers to all 0's before registering the buffer has 204the effect of assigning initial ownership of both buffers to the kernel. 205The kernel signals that a buffer has been assigned to userspace by modifying 206.Vt bzh_kernel_gen , 207and userspace acknowledges the buffer and returns it to the kernel by setting 208the value of 209.Vt bzh_user_gen 210to the value of 211.Vt bzh_kernel_gen . 212.Pp 213In order to avoid caching and memory re-ordering effects, the user process 214must use atomic operations and memory barriers when checking for and 215acknowledging buffers: 216.Bd -literal 217#include <machine/atomic.h> 218 219/* 220 * Return ownership of a buffer to the kernel for reuse. 221 */ 222static void 223buffer_acknowledge(struct bpf_zbuf_header *bzh) 224{ 225 226 atomic_store_rel_int(&bzh->bzh_user_gen, bzh->bzh_kernel_gen); 227} 228 229/* 230 * Check whether a buffer has been assigned to userspace by the kernel. 231 * Return true if userspace owns the buffer, and false otherwise. 232 */ 233static int 234buffer_check(struct bpf_zbuf_header *bzh) 235{ 236 237 return (bzh->bzh_user_gen != 238 atomic_load_acq_int(&bzh->bzh_kernel_gen)); 239} 240.Ed 241.Pp 242The user process may force the assignment of the next buffer, if any data 243is pending, to userspace using the 244.Dv BIOCROTZBUF 245ioctl. 246This allows the user process to retrieve data in a partially filled buffer 247before the buffer is full, such as following a timeout; the process must 248recheck for buffer ownership using the header generation numbers, as the 249buffer will not be assigned to userspace if no data was present. 250.Pp 251As in the buffered read mode, 252.Xr kqueue 2 , 253.Xr poll 2 , 254and 255.Xr select 2 256may be used to sleep awaiting the availability of a completed buffer. 257They will return a readable file descriptor when ownership of the next buffer 258is assigned to user space. 259.Pp 260In the current implementation, the kernel may assign zero, one, or both 261buffers to the user process; however, an earlier implementation maintained 262the invariant that at most one buffer could be assigned to the user process 263at a time. 264In order to both ensure progress and high performance, user processes should 265acknowledge a completely processed buffer as quickly as possible, returning 266it for reuse, and not block waiting on a second buffer while holding another 267buffer. 268.Sh IOCTLS 269The 270.Xr ioctl 2 271command codes below are defined in 272.In net/bpf.h . 273All commands require 274these includes: 275.Bd -literal 276 #include <sys/types.h> 277 #include <sys/time.h> 278 #include <sys/ioctl.h> 279 #include <net/bpf.h> 280.Ed 281.Pp 282Additionally, 283.Dv BIOCGETIF 284and 285.Dv BIOCSETIF 286require 287.In sys/socket.h 288and 289.In net/if.h . 290.Pp 291In addition to 292.Dv FIONREAD 293the following commands may be applied to any open 294.Nm 295file. 296The (third) argument to 297.Xr ioctl 2 298should be a pointer to the type indicated. 299.Bl -tag -width BIOCGETBUFMODE 300.It Dv BIOCGBLEN 301.Pq Li u_int 302Returns the required buffer length for reads on 303.Nm 304files. 305.It Dv BIOCSBLEN 306.Pq Li u_int 307Sets the buffer length for reads on 308.Nm 309files. 310The buffer must be set before the file is attached to an interface 311with 312.Dv BIOCSETIF . 313If the requested buffer size cannot be accommodated, the closest 314allowable size will be set and returned in the argument. 315A read call will result in 316.Er EIO 317if it is passed a buffer that is not this size. 318.It Dv BIOCGDLT 319.Pq Li u_int 320Returns the type of the data link layer underlying the attached interface. 321.Er EINVAL 322is returned if no interface has been specified. 323The device types, prefixed with 324.Dq Li DLT_ , 325are defined in 326.In net/bpf.h . 327.It Dv BIOCPROMISC 328Forces the interface into promiscuous mode. 329All packets, not just those destined for the local host, are processed. 330Since more than one file can be listening on a given interface, 331a listener that opened its interface non-promiscuously may receive 332packets promiscuously. 333This problem can be remedied with an appropriate filter. 334.It Dv BIOCFLUSH 335Flushes the buffer of incoming packets, 336and resets the statistics that are returned by BIOCGSTATS. 337.It Dv BIOCGETIF 338.Pq Li "struct ifreq" 339Returns the name of the hardware interface that the file is listening on. 340The name is returned in the ifr_name field of 341the 342.Li ifreq 343structure. 344All other fields are undefined. 345.It Dv BIOCSETIF 346.Pq Li "struct ifreq" 347Sets the hardware interface associate with the file. 348This 349command must be performed before any packets can be read. 350The device is indicated by name using the 351.Li ifr_name 352field of the 353.Li ifreq 354structure. 355Additionally, performs the actions of 356.Dv BIOCFLUSH . 357.It Dv BIOCSRTIMEOUT 358.It Dv BIOCGRTIMEOUT 359.Pq Li "struct timeval" 360Set or get the read timeout parameter. 361The argument 362specifies the length of time to wait before timing 363out on a read request. 364This parameter is initialized to zero by 365.Xr open 2 , 366indicating no timeout. 367.It Dv BIOCGSTATS 368.Pq Li "struct bpf_stat" 369Returns the following structure of packet statistics: 370.Bd -literal 371struct bpf_stat { 372 u_int bs_recv; /* number of packets received */ 373 u_int bs_drop; /* number of packets dropped */ 374}; 375.Ed 376.Pp 377The fields are: 378.Bl -hang -offset indent 379.It Li bs_recv 380the number of packets received by the descriptor since opened or reset 381(including any buffered since the last read call); 382and 383.It Li bs_drop 384the number of packets which were accepted by the filter but dropped by the 385kernel because of buffer overflows 386(i.e., the application's reads are not keeping up with the packet traffic). 387.El 388.It Dv BIOCIMMEDIATE 389.Pq Li u_int 390Enable or disable 391.Dq immediate mode , 392based on the truth value of the argument. 393When immediate mode is enabled, reads return immediately upon packet 394reception. 395Otherwise, a read will block until either the kernel buffer 396becomes full or a timeout occurs. 397This is useful for programs like 398.Xr rarpd 8 399which must respond to messages in real time. 400The default for a new file is off. 401.It Dv BIOCSETF 402.It Dv BIOCSETFNR 403.Pq Li "struct bpf_program" 404Sets the read filter program used by the kernel to discard uninteresting 405packets. 406An array of instructions and its length is passed in using 407the following structure: 408.Bd -literal 409struct bpf_program { 410 int bf_len; 411 struct bpf_insn *bf_insns; 412}; 413.Ed 414.Pp 415The filter program is pointed to by the 416.Li bf_insns 417field while its length in units of 418.Sq Li struct bpf_insn 419is given by the 420.Li bf_len 421field. 422See section 423.Sx "FILTER MACHINE" 424for an explanation of the filter language. 425The only difference between 426.Dv BIOCSETF 427and 428.Dv BIOCSETFNR 429is 430.Dv BIOCSETF 431performs the actions of 432.Dv BIOCFLUSH 433while 434.Dv BIOCSETFNR 435does not. 436.It Dv BIOCSETWF 437.Pq Li "struct bpf_program" 438Sets the write filter program used by the kernel to control what type of 439packets can be written to the interface. 440See the 441.Dv BIOCSETF 442command for more 443information on the 444.Nm 445filter program. 446.It Dv BIOCVERSION 447.Pq Li "struct bpf_version" 448Returns the major and minor version numbers of the filter language currently 449recognized by the kernel. 450Before installing a filter, applications must check 451that the current version is compatible with the running kernel. 452Version numbers are compatible if the major numbers match and the application minor 453is less than or equal to the kernel minor. 454The kernel version number is returned in the following structure: 455.Bd -literal 456struct bpf_version { 457 u_short bv_major; 458 u_short bv_minor; 459}; 460.Ed 461.Pp 462The current version numbers are given by 463.Dv BPF_MAJOR_VERSION 464and 465.Dv BPF_MINOR_VERSION 466from 467.In net/bpf.h . 468An incompatible filter 469may result in undefined behavior (most likely, an error returned by 470.Fn ioctl 471or haphazard packet matching). 472.It Dv BIOCSHDRCMPLT 473.It Dv BIOCGHDRCMPLT 474.Pq Li u_int 475Set or get the status of the 476.Dq header complete 477flag. 478Set to zero if the link level source address should be filled in automatically 479by the interface output routine. 480Set to one if the link level source 481address will be written, as provided, to the wire. 482This flag is initialized to zero by default. 483.It Dv BIOCSSEESENT 484.It Dv BIOCGSEESENT 485.Pq Li u_int 486These commands are obsolete but left for compatibility. 487Use 488.Dv BIOCSDIRECTION 489and 490.Dv BIOCGDIRECTION 491instead. 492Set or get the flag determining whether locally generated packets on the 493interface should be returned by BPF. 494Set to zero to see only incoming packets on the interface. 495Set to one to see packets originating locally and remotely on the interface. 496This flag is initialized to one by default. 497.It Dv BIOCSDIRECTION 498.It Dv BIOCGDIRECTION 499.Pq Li u_int 500Set or get the setting determining whether incoming, outgoing, or all packets 501on the interface should be returned by BPF. 502Set to 503.Dv BPF_D_IN 504to see only incoming packets on the interface. 505Set to 506.Dv BPF_D_INOUT 507to see packets originating locally and remotely on the interface. 508Set to 509.Dv BPF_D_OUT 510to see only outgoing packets on the interface. 511This setting is initialized to 512.Dv BPF_D_INOUT 513by default. 514.It Dv BIOCSTSTAMP 515.It Dv BIOCGTSTAMP 516.Pq Li u_int 517Set or get format and resolution of the time stamps returned by BPF. 518Set to 519.Dv BPF_T_MICROTIME , 520.Dv BPF_T_MICROTIME_FAST , 521.Dv BPF_T_MICROTIME_MONOTONIC , 522or 523.Dv BPF_T_MICROTIME_MONOTONIC_FAST 524to get time stamps in 64-bit 525.Vt struct timeval 526format. 527Set to 528.Dv BPF_T_NANOTIME , 529.Dv BPF_T_NANOTIME_FAST , 530.Dv BPF_T_NANOTIME_MONOTONIC , 531or 532.Dv BPF_T_NANOTIME_MONOTONIC_FAST 533to get time stamps in 64-bit 534.Vt struct timespec 535format. 536Set to 537.Dv BPF_T_BINTIME , 538.Dv BPF_T_BINTIME_FAST , 539.Dv BPF_T_NANOTIME_MONOTONIC , 540or 541.Dv BPF_T_BINTIME_MONOTONIC_FAST 542to get time stamps in 64-bit 543.Vt struct bintime 544format. 545Set to 546.Dv BPF_T_NONE 547to ignore time stamp. 548All 64-bit time stamp formats are wrapped in 549.Vt struct bpf_ts . 550The 551.Dv BPF_T_MICROTIME_FAST , 552.Dv BPF_T_NANOTIME_FAST , 553.Dv BPF_T_BINTIME_FAST , 554.Dv BPF_T_MICROTIME_MONOTONIC_FAST , 555.Dv BPF_T_NANOTIME_MONOTONIC_FAST , 556and 557.Dv BPF_T_BINTIME_MONOTONIC_FAST 558are analogs of corresponding formats without _FAST suffix but do not perform 559a full time counter query, so their accuracy is one timer tick. 560The 561.Dv BPF_T_MICROTIME_MONOTONIC , 562.Dv BPF_T_NANOTIME_MONOTONIC , 563.Dv BPF_T_BINTIME_MONOTONIC , 564.Dv BPF_T_MICROTIME_MONOTONIC_FAST , 565.Dv BPF_T_NANOTIME_MONOTONIC_FAST , 566and 567.Dv BPF_T_BINTIME_MONOTONIC_FAST 568store the time elapsed since kernel boot. 569This setting is initialized to 570.Dv BPF_T_MICROTIME 571by default. 572.It Dv BIOCFEEDBACK 573.Pq Li u_int 574Set packet feedback mode. 575This allows injected packets to be fed back as input to the interface when 576output via the interface is successful. 577When 578.Dv BPF_D_INOUT 579direction is set, injected outgoing packet is not returned by BPF to avoid 580duplication. 581This flag is initialized to zero by default. 582.It Dv BIOCLOCK 583Set the locked flag on the 584.Nm 585descriptor. 586This prevents the execution of 587ioctl commands which could change the underlying operating parameters of 588the device. 589.It Dv BIOCGETBUFMODE 590.It Dv BIOCSETBUFMODE 591.Pq Li u_int 592Get or set the current 593.Nm 594buffering mode; possible values are 595.Dv BPF_BUFMODE_BUFFER , 596buffered read mode, and 597.Dv BPF_BUFMODE_ZBUF , 598zero-copy buffer mode. 599.It Dv BIOCSETZBUF 600.Pq Li struct bpf_zbuf 601Set the current zero-copy buffer locations; buffer locations may be 602set only once zero-copy buffer mode has been selected, and prior to attaching 603to an interface. 604Buffers must be of identical size, page-aligned, and an integer multiple of 605pages in size. 606The three fields 607.Vt bz_bufa , 608.Vt bz_bufb , 609and 610.Vt bz_buflen 611must be filled out. 612If buffers have already been set for this device, the ioctl will fail. 613.It Dv BIOCGETZMAX 614.Pq Li size_t 615Get the largest individual zero-copy buffer size allowed. 616As two buffers are used in zero-copy buffer mode, the limit (in practice) is 617twice the returned size. 618As zero-copy buffers consume kernel address space, conservative selection of 619buffer size is suggested, especially when there are multiple 620.Nm 621descriptors in use on 32-bit systems. 622.It Dv BIOCROTZBUF 623Force ownership of the next buffer to be assigned to userspace, if any data 624present in the buffer. 625If no data is present, the buffer will remain owned by the kernel. 626This allows consumers of zero-copy buffering to implement timeouts and 627retrieve partially filled buffers. 628In order to handle the case where no data is present in the buffer and 629therefore ownership is not assigned, the user process must check 630.Vt bzh_kernel_gen 631against 632.Vt bzh_user_gen . 633.El 634.Sh BPF HEADER 635One of the following structures is prepended to each packet returned by 636.Xr read 2 637or via a zero-copy buffer: 638.Bd -literal 639struct bpf_xhdr { 640 struct bpf_ts bh_tstamp; /* time stamp */ 641 uint32_t bh_caplen; /* length of captured portion */ 642 uint32_t bh_datalen; /* original length of packet */ 643 u_short bh_hdrlen; /* length of bpf header (this struct 644 plus alignment padding) */ 645}; 646 647struct bpf_hdr { 648 struct timeval bh_tstamp; /* time stamp */ 649 uint32_t bh_caplen; /* length of captured portion */ 650 uint32_t bh_datalen; /* original length of packet */ 651 u_short bh_hdrlen; /* length of bpf header (this struct 652 plus alignment padding) */ 653}; 654.Ed 655.Pp 656The fields, whose values are stored in host order, and are: 657.Pp 658.Bl -tag -compact -width bh_datalen 659.It Li bh_tstamp 660The time at which the packet was processed by the packet filter. 661.It Li bh_caplen 662The length of the captured portion of the packet. 663This is the minimum of 664the truncation amount specified by the filter and the length of the packet. 665.It Li bh_datalen 666The length of the packet off the wire. 667This value is independent of the truncation amount specified by the filter. 668.It Li bh_hdrlen 669The length of the 670.Nm 671header, which may not be equal to 672.\" XXX - not really a function call 673.Fn sizeof "struct bpf_xhdr" 674or 675.Fn sizeof "struct bpf_hdr" . 676.El 677.Pp 678The 679.Li bh_hdrlen 680field exists to account for 681padding between the header and the link level protocol. 682The purpose here is to guarantee proper alignment of the packet 683data structures, which is required on alignment sensitive 684architectures and improves performance on many other architectures. 685The packet filter ensures that the 686.Vt bpf_xhdr , 687.Vt bpf_hdr 688and the network layer 689header will be word aligned. 690Currently, 691.Vt bpf_hdr 692is used when the time stamp is set to 693.Dv BPF_T_MICROTIME , 694.Dv BPF_T_MICROTIME_FAST , 695.Dv BPF_T_MICROTIME_MONOTONIC , 696.Dv BPF_T_MICROTIME_MONOTONIC_FAST , 697or 698.Dv BPF_T_NONE 699for backward compatibility reasons. 700Otherwise, 701.Vt bpf_xhdr 702is used. 703However, 704.Vt bpf_hdr 705may be deprecated in the near future. 706Suitable precautions 707must be taken when accessing the link layer protocol fields on alignment 708restricted machines. 709(This is not a problem on an Ethernet, since 710the type field is a short falling on an even offset, 711and the addresses are probably accessed in a bytewise fashion). 712.Pp 713Additionally, individual packets are padded so that each starts 714on a word boundary. 715This requires that an application 716has some knowledge of how to get from packet to packet. 717The macro 718.Dv BPF_WORDALIGN 719is defined in 720.In net/bpf.h 721to facilitate 722this process. 723It rounds up its argument to the nearest word aligned value (where a word is 724.Dv BPF_ALIGNMENT 725bytes wide). 726.Pp 727For example, if 728.Sq Li p 729points to the start of a packet, this expression 730will advance it to the next packet: 731.Dl p = (char *)p + BPF_WORDALIGN(p->bh_hdrlen + p->bh_caplen) 732.Pp 733For the alignment mechanisms to work properly, the 734buffer passed to 735.Xr read 2 736must itself be word aligned. 737The 738.Xr malloc 3 739function 740will always return an aligned buffer. 741.Sh FILTER MACHINE 742A filter program is an array of instructions, with all branches forwardly 743directed, terminated by a 744.Em return 745instruction. 746Each instruction performs some action on the pseudo-machine state, 747which consists of an accumulator, index register, scratch memory store, 748and implicit program counter. 749.Pp 750The following structure defines the instruction format: 751.Bd -literal 752struct bpf_insn { 753 u_short code; 754 u_char jt; 755 u_char jf; 756 u_long k; 757}; 758.Ed 759.Pp 760The 761.Li k 762field is used in different ways by different instructions, 763and the 764.Li jt 765and 766.Li jf 767fields are used as offsets 768by the branch instructions. 769The opcodes are encoded in a semi-hierarchical fashion. 770There are eight classes of instructions: 771.Dv BPF_LD , 772.Dv BPF_LDX , 773.Dv BPF_ST , 774.Dv BPF_STX , 775.Dv BPF_ALU , 776.Dv BPF_JMP , 777.Dv BPF_RET , 778and 779.Dv BPF_MISC . 780Various other mode and 781operator bits are or'd into the class to give the actual instructions. 782The classes and modes are defined in 783.In net/bpf.h . 784.Pp 785Below are the semantics for each defined 786.Nm 787instruction. 788We use the convention that A is the accumulator, X is the index register, 789P[] packet data, and M[] scratch memory store. 790P[i:n] gives the data at byte offset 791.Dq i 792in the packet, 793interpreted as a word (n=4), 794unsigned halfword (n=2), or unsigned byte (n=1). 795M[i] gives the i'th word in the scratch memory store, which is only 796addressed in word units. 797The memory store is indexed from 0 to 798.Dv BPF_MEMWORDS 799- 1. 800.Li k , 801.Li jt , 802and 803.Li jf 804are the corresponding fields in the 805instruction definition. 806.Dq len 807refers to the length of the packet. 808.Bl -tag -width BPF_STXx 809.It Dv BPF_LD 810These instructions copy a value into the accumulator. 811The type of the source operand is specified by an 812.Dq addressing mode 813and can be a constant 814.Pq Dv BPF_IMM , 815packet data at a fixed offset 816.Pq Dv BPF_ABS , 817packet data at a variable offset 818.Pq Dv BPF_IND , 819the packet length 820.Pq Dv BPF_LEN , 821or a word in the scratch memory store 822.Pq Dv BPF_MEM . 823For 824.Dv BPF_IND 825and 826.Dv BPF_ABS , 827the data size must be specified as a word 828.Pq Dv BPF_W , 829halfword 830.Pq Dv BPF_H , 831or byte 832.Pq Dv BPF_B . 833The semantics of all the recognized 834.Dv BPF_LD 835instructions follow. 836.Bd -literal 837BPF_LD+BPF_W+BPF_ABS A <- P[k:4] 838BPF_LD+BPF_H+BPF_ABS A <- P[k:2] 839BPF_LD+BPF_B+BPF_ABS A <- P[k:1] 840BPF_LD+BPF_W+BPF_IND A <- P[X+k:4] 841BPF_LD+BPF_H+BPF_IND A <- P[X+k:2] 842BPF_LD+BPF_B+BPF_IND A <- P[X+k:1] 843BPF_LD+BPF_W+BPF_LEN A <- len 844BPF_LD+BPF_IMM A <- k 845BPF_LD+BPF_MEM A <- M[k] 846.Ed 847.It Dv BPF_LDX 848These instructions load a value into the index register. 849Note that 850the addressing modes are more restrictive than those of the accumulator loads, 851but they include 852.Dv BPF_MSH , 853a hack for efficiently loading the IP header length. 854.Bd -literal 855BPF_LDX+BPF_W+BPF_IMM X <- k 856BPF_LDX+BPF_W+BPF_MEM X <- M[k] 857BPF_LDX+BPF_W+BPF_LEN X <- len 858BPF_LDX+BPF_B+BPF_MSH X <- 4*(P[k:1]&0xf) 859.Ed 860.It Dv BPF_ST 861This instruction stores the accumulator into the scratch memory. 862We do not need an addressing mode since there is only one possibility 863for the destination. 864.Bd -literal 865BPF_ST M[k] <- A 866.Ed 867.It Dv BPF_STX 868This instruction stores the index register in the scratch memory store. 869.Bd -literal 870BPF_STX M[k] <- X 871.Ed 872.It Dv BPF_ALU 873The alu instructions perform operations between the accumulator and 874index register or constant, and store the result back in the accumulator. 875For binary operations, a source mode is required 876.Dv ( BPF_K 877or 878.Dv BPF_X ) . 879.Bd -literal 880BPF_ALU+BPF_ADD+BPF_K A <- A + k 881BPF_ALU+BPF_SUB+BPF_K A <- A - k 882BPF_ALU+BPF_MUL+BPF_K A <- A * k 883BPF_ALU+BPF_DIV+BPF_K A <- A / k 884BPF_ALU+BPF_AND+BPF_K A <- A & k 885BPF_ALU+BPF_OR+BPF_K A <- A | k 886BPF_ALU+BPF_LSH+BPF_K A <- A << k 887BPF_ALU+BPF_RSH+BPF_K A <- A >> k 888BPF_ALU+BPF_ADD+BPF_X A <- A + X 889BPF_ALU+BPF_SUB+BPF_X A <- A - X 890BPF_ALU+BPF_MUL+BPF_X A <- A * X 891BPF_ALU+BPF_DIV+BPF_X A <- A / X 892BPF_ALU+BPF_AND+BPF_X A <- A & X 893BPF_ALU+BPF_OR+BPF_X A <- A | X 894BPF_ALU+BPF_LSH+BPF_X A <- A << X 895BPF_ALU+BPF_RSH+BPF_X A <- A >> X 896BPF_ALU+BPF_NEG A <- -A 897.Ed 898.It Dv BPF_JMP 899The jump instructions alter flow of control. 900Conditional jumps 901compare the accumulator against a constant 902.Pq Dv BPF_K 903or the index register 904.Pq Dv BPF_X . 905If the result is true (or non-zero), 906the true branch is taken, otherwise the false branch is taken. 907Jump offsets are encoded in 8 bits so the longest jump is 256 instructions. 908However, the jump always 909.Pq Dv BPF_JA 910opcode uses the 32 bit 911.Li k 912field as the offset, allowing arbitrarily distant destinations. 913All conditionals use unsigned comparison conventions. 914.Bd -literal 915BPF_JMP+BPF_JA pc += k 916BPF_JMP+BPF_JGT+BPF_K pc += (A > k) ? jt : jf 917BPF_JMP+BPF_JGE+BPF_K pc += (A >= k) ? jt : jf 918BPF_JMP+BPF_JEQ+BPF_K pc += (A == k) ? jt : jf 919BPF_JMP+BPF_JSET+BPF_K pc += (A & k) ? jt : jf 920BPF_JMP+BPF_JGT+BPF_X pc += (A > X) ? jt : jf 921BPF_JMP+BPF_JGE+BPF_X pc += (A >= X) ? jt : jf 922BPF_JMP+BPF_JEQ+BPF_X pc += (A == X) ? jt : jf 923BPF_JMP+BPF_JSET+BPF_X pc += (A & X) ? jt : jf 924.Ed 925.It Dv BPF_RET 926The return instructions terminate the filter program and specify the amount 927of packet to accept (i.e., they return the truncation amount). 928A return value of zero indicates that the packet should be ignored. 929The return value is either a constant 930.Pq Dv BPF_K 931or the accumulator 932.Pq Dv BPF_A . 933.Bd -literal 934BPF_RET+BPF_A accept A bytes 935BPF_RET+BPF_K accept k bytes 936.Ed 937.It Dv BPF_MISC 938The miscellaneous category was created for anything that does not 939fit into the above classes, and for any new instructions that might need to 940be added. 941Currently, these are the register transfer instructions 942that copy the index register to the accumulator or vice versa. 943.Bd -literal 944BPF_MISC+BPF_TAX X <- A 945BPF_MISC+BPF_TXA A <- X 946.Ed 947.El 948.Pp 949The 950.Nm 951interface provides the following macros to facilitate 952array initializers: 953.Fn BPF_STMT opcode operand 954and 955.Fn BPF_JUMP opcode operand true_offset false_offset . 956.Sh SYSCTL VARIABLES 957A set of 958.Xr sysctl 8 959variables controls the behaviour of the 960.Nm 961subsystem 962.Bl -tag -width indent 963.It Va net.bpf.optimize_writers: No 0 964Various programs use BPF to send (but not receive) raw packets 965(cdpd, lldpd, dhcpd, dhcp relays, etc. are good examples of such programs). 966They do not need incoming packets to be send to them. 967Turning this option on 968makes new BPF users to be attached to write-only interface list until program 969explicitly specifies read filter via 970.Fn pcap_set_filter . 971This removes any performance degradation for high-speed interfaces. 972.It Va net.bpf.stats: 973Binary interface for retrieving general statistics. 974.It Va net.bpf.zerocopy_enable: No 0 975Permits zero-copy to be used with net BPF readers. 976Use with caution. 977.It Va net.bpf.maxinsns: No 512 978Maximum number of instructions that BPF program can contain. 979Use 980.Xr tcpdump 1 981.Fl d 982option to determine approximate number of instruction for any filter. 983.It Va net.bpf.maxbufsize: No 524288 984Maximum buffer size to allocate for packets buffer. 985.It Va net.bpf.bufsize: No 4096 986Default buffer size to allocate for packets buffer. 987.El 988.Sh EXAMPLES 989The following filter is taken from the Reverse ARP Daemon. 990It accepts only Reverse ARP requests. 991.Bd -literal 992struct bpf_insn insns[] = { 993 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 994 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3), 995 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), 996 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1), 997 BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) + 998 sizeof(struct ether_header)), 999 BPF_STMT(BPF_RET+BPF_K, 0), 1000}; 1001.Ed 1002.Pp 1003This filter accepts only IP packets between host 128.3.112.15 and 1004128.3.112.35. 1005.Bd -literal 1006struct bpf_insn insns[] = { 1007 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 1008 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 8), 1009 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 26), 1010 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 2), 1011 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30), 1012 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 3, 4), 1013 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 0, 3), 1014 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30), 1015 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 1), 1016 BPF_STMT(BPF_RET+BPF_K, (u_int)-1), 1017 BPF_STMT(BPF_RET+BPF_K, 0), 1018}; 1019.Ed 1020.Pp 1021Finally, this filter returns only TCP finger packets. 1022We must parse the IP header to reach the TCP header. 1023The 1024.Dv BPF_JSET 1025instruction 1026checks that the IP fragment offset is 0 so we are sure 1027that we have a TCP header. 1028.Bd -literal 1029struct bpf_insn insns[] = { 1030 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 1031 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 10), 1032 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 23), 1033 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, 8), 1034 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), 1035 BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x1fff, 6, 0), 1036 BPF_STMT(BPF_LDX+BPF_B+BPF_MSH, 14), 1037 BPF_STMT(BPF_LD+BPF_H+BPF_IND, 14), 1038 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 2, 0), 1039 BPF_STMT(BPF_LD+BPF_H+BPF_IND, 16), 1040 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 0, 1), 1041 BPF_STMT(BPF_RET+BPF_K, (u_int)-1), 1042 BPF_STMT(BPF_RET+BPF_K, 0), 1043}; 1044.Ed 1045.Sh SEE ALSO 1046.Xr tcpdump 1 , 1047.Xr ioctl 2 , 1048.Xr kqueue 2 , 1049.Xr poll 2 , 1050.Xr select 2 , 1051.Xr byteorder 3 , 1052.Xr ng_bpf 4 , 1053.Xr bpf 9 1054.Rs 1055.%A McCanne, S. 1056.%A Jacobson V. 1057.%T "An efficient, extensible, and portable network monitor" 1058.Re 1059.Sh HISTORY 1060The Enet packet filter was created in 1980 by Mike Accetta and 1061Rick Rashid at Carnegie-Mellon University. 1062Jeffrey Mogul, at 1063Stanford, ported the code to 1064.Bx 1065and continued its development from 10661983 on. 1067Since then, it has evolved into the Ultrix Packet Filter at 1068.Tn DEC , 1069a 1070.Tn STREAMS 1071.Tn NIT 1072module under 1073.Tn SunOS 4.1 , 1074and 1075.Tn BPF . 1076.Sh AUTHORS 1077.An -nosplit 1078.An Steven McCanne , 1079of Lawrence Berkeley Laboratory, implemented BPF in 1080Summer 1990. 1081Much of the design is due to 1082.An Van Jacobson . 1083.Pp 1084Support for zero-copy buffers was added by 1085.An Robert N. M. Watson 1086under contract to Seccuris Inc. 1087.Sh BUGS 1088The read buffer must be of a fixed size (returned by the 1089.Dv BIOCGBLEN 1090ioctl). 1091.Pp 1092A file that does not request promiscuous mode may receive promiscuously 1093received packets as a side effect of another file requesting this 1094mode on the same hardware interface. 1095This could be fixed in the kernel with additional processing overhead. 1096However, we favor the model where 1097all files must assume that the interface is promiscuous, and if 1098so desired, must utilize a filter to reject foreign packets. 1099.Pp 1100Data link protocols with variable length headers are not currently supported. 1101.Pp 1102The 1103.Dv SEESENT , 1104.Dv DIRECTION , 1105and 1106.Dv FEEDBACK 1107settings have been observed to work incorrectly on some interface 1108types, including those with hardware loopback rather than software loopback, 1109and point-to-point interfaces. 1110They appear to function correctly on a 1111broad range of Ethernet-style interfaces. 1112