Linux 上的经典 BPF:过滤器不起作用

classic BPF on Linux: filter does not work

我正在尝试通过将经典 BPF 附加到原始套接字来测试用于数据包过滤的经典 BPF。我想捕获源端口第一个字节 == 8 的 TCP 数据包 (tcpdump 'tcp[1:1] = 0x50'),但我在套接字上看不到传入的数据包。没有过滤器我的代码工作正常。

代码示例如下:

#include<stdio.h> //for printf
#include<string.h> //memset
#include<sys/socket.h>    //for socket ofcourse
#include<stdlib.h> //for exit(0);
#include<errno.h> //For errno - the error number
#include<netinet/tcp.h>   //Provides declarations for tcp header
#include<netinet/ip.h>    //Provides declarations for ip header
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/filter.h>


#define ARRAY_SIZE(arr) (sizeof(arr)/sizeof((arr)[0])
/* 
   96 bit (12 bytes) pseudo header needed for tcp header checksum calculation 
*/
struct pseudo_header
{
    u_int32_t source_address;
    u_int32_t dest_address;
    u_int8_t placeholder;
    u_int8_t protocol;
    u_int16_t tcp_length;
};

/*
  Generic checksum calculation function
*/
unsigned short csum(unsigned short *ptr,int nbytes) 
{
    register long sum;
    unsigned short oddbyte;
    register short answer;

    sum=0;
    while(nbytes>1) {
        sum+=*ptr++;
        nbytes-=2;
    }
    if(nbytes==1) {
        oddbyte=0;
        *((u_char*)&oddbyte)=*(u_char*)ptr;
        sum+=oddbyte;
    }

    sum = (sum>>16)+(sum & 0xffff);
    sum = sum + (sum>>16);
    answer=(short)~sum;

    return(answer);
}

int main (void)
{
    struct sock_filter code[] = {

        { 0x28,  0,  0, 0x0000000c },
        { 0x15,  0,  9, 0x00000800 },
        { 0x30,  0,  0, 0x00000017 },
        { 0x15,  0,  7, 0x00000006 },
        { 0x28,  0,  0, 0x00000014 },
        { 0x45,  4,  0, 0x00001fff },
        { 0xb1,  0,  0, 0x0000000e },
        { 0x50,  0,  0, 0x0000000f },
        { 0x15,  0,  2, 0x00000050 },
        { 0x06,  0,  0, 0xffffffff },
        { 0x06,  0,  0, 0xffffffff },
        { 0x06,  0,  0, 0000000000 },
    };

    struct sock_fprog bpf;
//    bpf.len = ARRAY_SIZE(code);
    bpf.len = 12;
    bpf.filter = code;
//Create a raw socke
    int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP);
    if(s == -1)
    {
        //socket creation failed, may be because of non-root privileges
        perror("Failed to create socket");
        exit(1);
    }

    setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
    perror("setsockopt");
//Datagram to represent the packet
    char datagram[4096] , source_ip[32] , *data , *pseudogram;

//zero out the packet buffer
    memset (datagram, 0, 4096);

//IP header
    struct iphdr *iph = (struct iphdr *) datagram;

//TCP header
    struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
    struct sockaddr_in sin;
    struct pseudo_header psh;

//Data part
    data = datagram + sizeof(struct iphdr) + sizeof(struct tcphdr);
    strcpy(data , "ABCDEFGHIJKLMNOPQRSTUVWXYZ");

//some address resolution
    strcpy(source_ip , "127.0.0.1");
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    sin.sin_addr.s_addr = inet_addr ("127.0.0.1");

    bind(s, (struct sockaddr *)&sin, sizeof(sin));
    perror("bind");

//Fill in the IP Header
    iph->ihl = 5;
    iph->version = 4;
    iph->tos = 0;
    iph->tot_len = sizeof (struct iphdr) + sizeof (struct tcphdr) + strlen(data);
    iph->id = htonl (54321); //Id of this packet
    iph->frag_off = 0;
    iph->ttl = 255;
    iph->protocol = IPPROTO_TCP;
    iph->check = 0;      //Set to 0 before calculating checksum
    iph->saddr = inet_addr ( source_ip );    //Spoof the source ip address
    iph->daddr = sin.sin_addr.s_addr;

//Ip checksum
    iph->check = csum ((unsigned short *) datagram, iph->tot_len);

//TCP Header
    tcph->source = htons (1234);
    tcph->dest = htons (80);
    tcph->seq = 0;
    tcph->ack_seq = 0;
    tcph->doff = 5;  //tcp header size
    tcph->fin=0;
    tcph->syn=1;
    tcph->rst=0;
    tcph->psh=0;
    tcph->ack=0;
    tcph->urg=0;
    tcph->window = htons (5840); /* maximum allowed window size */
    tcph->check = 0; //leave checksum 0 now, filled later by pseudo header
    tcph->urg_ptr = 0;

//Now the TCP checksum
    psh.source_address = inet_addr( source_ip );
    psh.dest_address = sin.sin_addr.s_addr;
    psh.placeholder = 0;
    psh.protocol = IPPROTO_TCP;
    psh.tcp_length = htons(sizeof(struct tcphdr) + strlen(data) );

    int psize = sizeof(struct pseudo_header) + sizeof(struct tcphdr) + strlen(data);
    pseudogram = malloc(psize);

    memcpy(pseudogram , (char*) &psh , sizeof (struct pseudo_header));
    memcpy(pseudogram + sizeof(struct pseudo_header) , tcph , sizeof(struct tcphdr) + strlen(data));

    tcph->check = csum( (unsigned short*) pseudogram , psize);

//IP_HDRINCL to tell the kernel that headers are included in the packet
    int one = 1;
    const int *val = &one;

    if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
    {
        perror("Error setting IP_HDRINCL");
        exit(0);
    }

//loop if you want to flood :)
    while (1)
    {
        //Send the packet
        if (sendto (s, datagram, iph->tot_len ,  0, (struct sockaddr *) &sin, sizeof (sin)) < 0)
        {
            perror("sendto failed");
        }
        //Data send successfully
        else
        {
            char bbuf[500];
            int re = 0;
            printf ("Packet Send. Length : %d \n" , iph->tot_len);
            if (recvfrom(s, bbuf, 500, 0, (struct sockaddr *) &sin, &re) < 0)
                printf("Recv failed\n");
            else
            {
                printf("%x %x %x %x %x \n", bbuf[0], bbuf[1], bbuf[2], bbuf[3], bbuf[4] );
            }
            if (recvfrom(s, bbuf, 500, 0, (struct sockaddr *) &sin, &re) < 0)
                printf("Recv failed\n");
            else
            {
                printf("%x %x %x %x %x \n", bbuf[0], bbuf[1], bbuf[2], bbuf[3], bbuf[4] );
            }
        }
        break;
    }

    return 0;
}

过滤器代码由 bpf_asm -c 从以下生成:

ldh      [12]
jneq      #0x800, drop
ldb      [23]
jneq      #0x6, drop
ldh      [20]
jset     #0x1fff, good
ldxb     4*([14]&0xf)
ldb      [x + 15]
jneq      #0x50, drop
ret #-1
good: ret      #-1
drop: ret      #0

我还尝试了以下说明: 我还尝试了以下方法:

tcpdump 'ether[35:1] = 0x50'

ldb      [35]
jneq      #0x50, drop
ret      #-1
drop: ret      #0

它仅适用于 tcpdump =(

就您的程序而言,BPF 过滤器似乎直接应用于以太网负载(从 IP headers 开始)而不是整个以太网帧。

在这种情况下,您程序中的前两个检查没有被适配:

{ 0x28,  0,  0, 0x0000000c }, // Load ethertype byte
{ 0x15,  0,  9, 0x00000800 }, // Goto drop if it is not == 0x800 (IPv4)
{ 0x30,  0,  0, 0x00000017 }, // Load IP protocole number
{ 0x15,  0,  7, 0x00000006 }, // Goto drop if it is not == 0x6 (TCP)

相反,我们应该:

  • 跳过以太网类型检查(我们已经知道我们有 IP)。
  • 更改 IP 协议编号的偏移量。

过滤器的开头变为:

{ 0x30,  0,  0, 0x00000009 }, // …09 Instead of …17: we start from beginning of IP header
{ 0x15,  0,  7, 0x00000006 },

事实上,由于您创建了一个仅接收 TCP 数据包的套接字(int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP);,另请参阅 man 7 raw),我们也可以简单地取消此检查。

所以整个过滤器将是:

struct sock_filter code[] = {

    { 0x30,  0,  0, 0x00000009 },
    { 0x15,  0,  7, 0x00000006 },
    { 0x28,  0,  0, 0x00000014 },
    { 0x45,  4,  0, 0x00001fff },
    { 0xb1,  0,  0, 0x0000000e },
    { 0x50,  0,  0, 0x00000013 },
    { 0x15,  0,  2, 0x00000050 },
    { 0x06,  0,  0, 0xffffffff },
    { 0x06,  0,  0, 0xffffffff },
    { 0x06,  0,  0, 0000000000 },

};

或者更简单地说:

struct sock_filter code[] = {

    { 0x28,  0,  0, 0x00000014 },
    { 0x45,  4,  0, 0x00001fff },
    { 0xb1,  0,  0, 0x0000000e },
    { 0x50,  0,  0, 0x00000013 },
    { 0x15,  0,  2, 0x00000050 },
    { 0x06,  0,  0, 0xffffffff },
    { 0x06,  0,  0, 0xffffffff },
    { 0x06,  0,  0, 0000000000 },

};

旁注:

#define ARRAY_SIZE(arr) (sizeof(arr)/sizeof((arr)[0]))
                                                     ^ ending parenthesis missing