Documentation
Overview
Package bpfutils implements several helper functions for handling BPF filters from golang.org/x/net/bpf and github.com/golang/gopacket/pcap.
Index
- Constants
- func AsmString(a []bpf.Instruction) string
- func ChainFilter(a, b []bpf.Instruction, ct ChainType) []bpf.Instruction
- func ChainPcapFilter(a, b []pcap.BPFInstruction, ct ChainType) ([]pcap.BPFInstruction, error)
- func String(a []pcap.BPFInstruction) string
- func ToBpfInstruction(in pcap.BPFInstruction) bpf.Instruction
- func ToBpfInstructions(in []pcap.BPFInstruction) ([]bpf.Instruction, bool)
- func ToBpfRawInstruction(in pcap.BPFInstruction) bpf.RawInstruction
- func ToBpfRawInstructions(in []pcap.BPFInstruction) []bpf.RawInstruction
- func ToPcapBPFInstruction(in bpf.RawInstruction) pcap.BPFInstruction
- func ToPcapBPFInstructions(in []bpf.RawInstruction) []pcap.BPFInstruction
- type ChainType
Constants
const (
	UNDEFINED = iota
	AND
	OR
)
Possible ChainType values
Variables
This section is empty.
Functions
func AsmString
func AsmString(a []bpf.Instruction) string
AsmString returns []bpf.Instruction as bpf_asm instructions as defined in https://www.kernel.org/doc/Documentation/networking/filter.txt
func ChainFilter
func ChainFilter(a, b []bpf.Instruction, ct ChainType) []bpf.Instruction
ChainFilter combines two BPF filters into a single BPF filter by rewriting the `ret #k` and `ret a` instructions.
For `ret #k`: in the first BPF block, `ret #k` is replaced with `jmp` if the second block has to be evaluated as well:
- AND case: the second block is evaluated only if the packet would be returned after the first block (ret constant > 0)
- OR case: the second block is evaluated only if the packet would not be returned after the first block (ret constant == 0)
For `ret a`: in the first BPF block, `ret a` is replaced with a conditional jump (jeq/jneq) if the second block has to be evaluated as well:
- AND case: the second block is evaluated only if the packet would be returned after the first block (register a > 0)
- OR case: the second block is evaluated only if the packet would not be returned after the first block (register a == 0)
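The `ret #k` rewrite described above, as an added example that is not bpfutils code: it uses a constructed four-opcode model of classic BPF instead of golang.org/x/net/bpf so that it runs with the standard library alone, and it does not cover `ret a`. The names `Ins`, `chainRetK`, `run` and `match` are hypothetical.

```go
package main

import "fmt"

// Ins is a constructed mini model of classic BPF (not golang.org/x/net/bpf, not bpfutils code).
// Ops: "ldb" A = pkt[K]; "jeq" skip Skip if A != K; "ja" always skip Skip; "ret" return K.
type Ins struct{ Op string; K, Skip uint32 }

// chainRetK joins a and b: AND continues into b after `ret #k` with k > 0, OR after k == 0.
func chainRetK(a, b []Ins, and bool) []Ins {
	out := append(append([]Ins{}, a...), b...) // relative jumps let b be appended unchanged
	for i := range a {
		if out[i].Op == "ret" && (out[i].K > 0) == and {
			out[i] = Ins{Op: "ja", Skip: uint32(len(a) - 1 - i)} // lands on b's first instruction
		}
	}
	return out
}

// run interprets p over pkt and returns the verdict (0 means drop).
func run(p []Ins, pkt []byte) uint32 {
	var acc uint32
	for pc := 0; pc < len(p); pc++ {
		switch in := p[pc]; in.Op {
		case "ldb":
			if int(in.K) >= len(pkt) {
				return 0 // out-of-bounds load drops the packet
			}
			acc = uint32(pkt[in.K])
		case "jeq", "ja":
			if in.Op == "ja" || acc != in.K {
				pc += int(in.Skip) // offsets count from the next instruction
			}
		case "ret":
			return in.K
		}
	}
	return 0
}

// match accepts (ret #0xffff) when pkt[off] == val and drops (ret #0) otherwise.
func match(off, val uint32) []Ins {
	return []Ins{{"ldb", off, 0}, {"jeq", val, 1}, {"ret", 0xffff, 0}, {"ret", 0, 0}}
}

func main() {
	a, b, pkt := match(0, 0x45), match(9, 6), []byte{0x45, 0, 0, 0, 0, 0, 0, 0, 0, 17} // constructed
	fmt.Println(run(chainRetK(a, b, true), pkt), run(chainRetK(a, b, false), pkt)) // prints: 0 65535
}
```

Because every rewritten `ret` is replaced one-for-one, the jump offsets inside the first block stay valid; a rewrite that changes the instruction count would have to fix them up.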
func ChainPcapFilter
func ChainPcapFilter(a, b []pcap.BPFInstruction, ct ChainType) ([]pcap.BPFInstruction, error)
ChainPcapFilter combines two []pcap.BPFInstruction BPF filters. For details, see ChainFilter.
func String
func String(a []pcap.BPFInstruction) string
String disassembles a []pcap.BPFInstruction and returns it in the Go representation of bpf.Instruction
func ToBpfInstruction
func ToBpfInstruction(in pcap.BPFInstruction) bpf.Instruction
ToBpfInstruction converts a pcap.BPFInstruction into a bpf.Instruction
func ToBpfInstructions
func ToBpfInstructions(in []pcap.BPFInstruction) ([]bpf.Instruction, bool)
ToBpfInstructions converts a []pcap.BPFInstruction into a []bpf.Instruction
func ToBpfRawInstruction
func ToBpfRawInstruction(in pcap.BPFInstruction) bpf.RawInstruction
ToBpfRawInstruction converts a pcap.BPFInstruction into a bpf.RawInstruction #nosec
func ToBpfRawInstructions
func ToBpfRawInstructions(in []pcap.BPFInstruction) []bpf.RawInstruction
ToBpfRawInstructions converts a []pcap.BPFInstruction into a []bpf.RawInstruction #nosec
func ToPcapBPFInstruction
func ToPcapBPFInstruction(in bpf.RawInstruction) pcap.BPFInstruction
ToPcapBPFInstruction converts a bpf.RawInstruction into a pcap.BPFInstruction #nosec
func ToPcapBPFInstructions
func ToPcapBPFInstructions(in []bpf.RawInstruction) []pcap.BPFInstruction
ToPcapBPFInstructions converts a []bpf.RawInstruction into a []pcap.BPFInstruction #nosec