1.. SPDX-License-Identifier: GPL-2.0
2
3.. _networking-filter:
4
5=======================================================
6Linux Socket Filtering aka Berkeley Packet Filter (BPF)
7=======================================================
8
9Notice
10------
11
12This file used to document the eBPF format and mechanisms even when not
13related to socket filtering.  The ../bpf/index.rst has more details
14on eBPF.
15
16Introduction
17------------
18
19Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter.
20Though there are some distinct differences between the BSD and Linux
21Kernel filtering, but when we speak of BPF or LSF in Linux context, we
22mean the very same mechanism of filtering in the Linux kernel.
23
24BPF allows a user-space program to attach a filter onto any socket and
25allow or disallow certain types of data to come through the socket. LSF
26follows exactly the same filter code structure as BSD's BPF, so referring
27to the BSD bpf.4 manpage is very helpful in creating filters.
28
29On Linux, BPF is much simpler than on BSD. One does not have to worry
30about devices or anything like that. You simply create your filter code,
31send it to the kernel via the SO_ATTACH_FILTER option and if your filter
32code passes the kernel check on it, you then immediately begin filtering
33data on that socket.
34
35You can also detach filters from your socket via the SO_DETACH_FILTER
36option. This will probably not be used much since when you close a socket
37that has a filter on it the filter is automagically removed. The other
38less common case may be adding a different filter on the same socket where
39you had another filter that is still running: the kernel takes care of
40removing the old one and placing your new one in its place, assuming your
41filter has passed the checks, otherwise if it fails the old filter will
42remain on that socket.
43
44SO_LOCK_FILTER option allows to lock the filter attached to a socket. Once
45set, a filter cannot be removed or changed. This allows one process to
46setup a socket, attach a filter, lock it then drop privileges and be
47assured that the filter will be kept until the socket is closed.
48
49The biggest user of this construct might be libpcap. Issuing a high-level
50filter command like `tcpdump -i em1 port 22` passes through the libpcap
51internal compiler that generates a structure that can eventually be loaded
52via SO_ATTACH_FILTER to the kernel. `tcpdump -i em1 port 22 -ddd`
53displays what is being placed into this structure.
54
55Although we were only speaking about sockets here, BPF in Linux is used
56in many more places. There's xt_bpf for netfilter, cls_bpf in the kernel
57qdisc layer, SECCOMP-BPF (SECure COMPuting [1]_), and lots of other places
58such as team driver, PTP code, etc where BPF is being used.
59
60.. [1] Documentation/userspace-api/seccomp_filter.rst
61
62Original BPF paper:
63
64Steven McCanne and Van Jacobson. 1993. The BSD packet filter: a new
65architecture for user-level packet capture. In Proceedings of the
66USENIX Winter 1993 Conference Proceedings on USENIX Winter 1993
67Conference Proceedings (USENIX'93). USENIX Association, Berkeley,
68CA, USA, 2-2. [http://www.tcpdump.org/papers/bpf-usenix93.pdf]
69
70Structure
71---------
72
73User space applications include <linux/filter.h> which contains the
74following relevant structures::
75
76	struct sock_filter {	/* Filter block */
77		__u16	code;   /* Actual filter code */
78		__u8	jt;	/* Jump true */
79		__u8	jf;	/* Jump false */
80		__u32	k;      /* Generic multiuse field */
81	};
82
83Such a structure is assembled as an array of 4-tuples, that contains
84a code, jt, jf and k value. jt and jf are jump offsets and k a generic
85value to be used for a provided code::
86
87	struct sock_fprog {			/* Required for SO_ATTACH_FILTER. */
88		unsigned short		   len;	/* Number of filter blocks */
89		struct sock_filter __user *filter;
90	};
91
92For socket filtering, a pointer to this structure (as shown in
93follow-up example) is being passed to the kernel through setsockopt(2).
94
95Example
96-------
97
98::
99
100    #include <sys/socket.h>
101    #include <sys/types.h>
102    #include <arpa/inet.h>
103    #include <linux/if_ether.h>
104    /* ... */
105
106    /* From the example above: tcpdump -i em1 port 22 -dd */
107    struct sock_filter code[] = {
108	    { 0x28,  0,  0, 0x0000000c },
109	    { 0x15,  0,  8, 0x000086dd },
110	    { 0x30,  0,  0, 0x00000014 },
111	    { 0x15,  2,  0, 0x00000084 },
112	    { 0x15,  1,  0, 0x00000006 },
113	    { 0x15,  0, 17, 0x00000011 },
114	    { 0x28,  0,  0, 0x00000036 },
115	    { 0x15, 14,  0, 0x00000016 },
116	    { 0x28,  0,  0, 0x00000038 },
117	    { 0x15, 12, 13, 0x00000016 },
118	    { 0x15,  0, 12, 0x00000800 },
119	    { 0x30,  0,  0, 0x00000017 },
120	    { 0x15,  2,  0, 0x00000084 },
121	    { 0x15,  1,  0, 0x00000006 },
122	    { 0x15,  0,  8, 0x00000011 },
123	    { 0x28,  0,  0, 0x00000014 },
124	    { 0x45,  6,  0, 0x00001fff },
125	    { 0xb1,  0,  0, 0x0000000e },
126	    { 0x48,  0,  0, 0x0000000e },
127	    { 0x15,  2,  0, 0x00000016 },
128	    { 0x48,  0,  0, 0x00000010 },
129	    { 0x15,  0,  1, 0x00000016 },
130	    { 0x06,  0,  0, 0x0000ffff },
131	    { 0x06,  0,  0, 0x00000000 },
132    };
133
134    struct sock_fprog bpf = {
135	    .len = ARRAY_SIZE(code),
136	    .filter = code,
137    };
138
139    sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
140    if (sock < 0)
141	    /* ... bail out ... */
142
143    ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
144    if (ret < 0)
145	    /* ... bail out ... */
146
147    /* ... */
148    close(sock);
149
150The above example code attaches a socket filter for a PF_PACKET socket
151in order to let all IPv4/IPv6 packets with port 22 pass. The rest will
152be dropped for this socket.
153
154The setsockopt(2) call to SO_DETACH_FILTER doesn't need any arguments
155and SO_LOCK_FILTER for preventing the filter to be detached, takes an
156integer value with 0 or 1.
157
158Note that socket filters are not restricted to PF_PACKET sockets only,
159but can also be used on other socket families.
160
161Summary of system calls:
162
163 * setsockopt(sockfd, SOL_SOCKET, SO_ATTACH_FILTER, &val, sizeof(val));
164 * setsockopt(sockfd, SOL_SOCKET, SO_DETACH_FILTER, &val, sizeof(val));
165 * setsockopt(sockfd, SOL_SOCKET, SO_LOCK_FILTER,   &val, sizeof(val));
166
167Normally, most use cases for socket filtering on packet sockets will be
168covered by libpcap in high-level syntax, so as an application developer
169you should stick to that. libpcap wraps its own layer around all that.
170
171Unless i) using/linking to libpcap is not an option, ii) the required BPF
172filters use Linux extensions that are not supported by libpcap's compiler,
173iii) a filter might be more complex and not cleanly implementable with
174libpcap's compiler, or iv) particular filter codes should be optimized
175differently than libpcap's internal compiler does; then in such cases
176writing such a filter "by hand" can be of an alternative. For example,
177xt_bpf and cls_bpf users might have requirements that could result in
178more complex filter code, or one that cannot be expressed with libpcap
179(e.g. different return codes for various code paths). Moreover, BPF JIT
180implementors may wish to manually write test cases and thus need low-level
181access to BPF code as well.
182
183BPF engine and instruction set
184------------------------------
185
186Under tools/bpf/ there's a small helper tool called bpf_asm which can
187be used to write low-level filters for example scenarios mentioned in the
188previous section. Asm-like syntax mentioned here has been implemented in
189bpf_asm and will be used for further explanations (instead of dealing with
190less readable opcodes directly, principles are the same). The syntax is
191closely modelled after Steven McCanne's and Van Jacobson's BPF paper.
192
193The BPF architecture consists of the following basic elements:
194
195  =======          ====================================================
196  Element          Description
197  =======          ====================================================
198  A                32 bit wide accumulator
199  X                32 bit wide X register
200  M[]              16 x 32 bit wide misc registers aka "scratch memory
201		   store", addressable from 0 to 15
202  =======          ====================================================
203
204A program, that is translated by bpf_asm into "opcodes" is an array that
205consists of the following elements (as already mentioned)::
206
207  op:16, jt:8, jf:8, k:32
208
209The element op is a 16 bit wide opcode that has a particular instruction
210encoded. jt and jf are two 8 bit wide jump targets, one for condition
211"jump if true", the other one "jump if false". Eventually, element k
212contains a miscellaneous argument that can be interpreted in different
213ways depending on the given instruction in op.
214
215The instruction set consists of load, store, branch, alu, miscellaneous
216and return instructions that are also represented in bpf_asm syntax. This
217table lists all bpf_asm instructions available resp. what their underlying
218opcodes as defined in linux/filter.h stand for:
219
220  ===========      ===================  =====================
221  Instruction      Addressing mode      Description
222  ===========      ===================  =====================
223  ld               1, 2, 3, 4, 12       Load word into A
224  ldi              4                    Load word into A
225  ldh              1, 2                 Load half-word into A
226  ldb              1, 2                 Load byte into A
227  ldx              3, 4, 5, 12          Load word into X
228  ldxi             4                    Load word into X
229  ldxb             5                    Load byte into X
230
231  st               3                    Store A into M[]
232  stx              3                    Store X into M[]
233
234  jmp              6                    Jump to label
235  ja               6                    Jump to label
236  jeq              7, 8, 9, 10          Jump on A == <x>
237  jneq             9, 10                Jump on A != <x>
238  jne              9, 10                Jump on A != <x>
239  jlt              9, 10                Jump on A <  <x>
240  jle              9, 10                Jump on A <= <x>
241  jgt              7, 8, 9, 10          Jump on A >  <x>
242  jge              7, 8, 9, 10          Jump on A >= <x>
243  jset             7, 8, 9, 10          Jump on A &  <x>
244
245  add              0, 4                 A + <x>
246  sub              0, 4                 A - <x>
247  mul              0, 4                 A * <x>
248  div              0, 4                 A / <x>
249  mod              0, 4                 A % <x>
250  neg                                   !A
251  and              0, 4                 A & <x>
252  or               0, 4                 A | <x>
253  xor              0, 4                 A ^ <x>
254  lsh              0, 4                 A << <x>
255  rsh              0, 4                 A >> <x>
256
257  tax                                   Copy A into X
258  txa                                   Copy X into A
259
260  ret              4, 11                Return
261  ===========      ===================  =====================
262
263The next table shows addressing formats from the 2nd column:
264
265  ===============  ===================  ===============================================
266  Addressing mode  Syntax               Description
267  ===============  ===================  ===============================================
268   0               x/%x                 Register X
269   1               [k]                  BHW at byte offset k in the packet
270   2               [x + k]              BHW at the offset X + k in the packet
271   3               M[k]                 Word at offset k in M[]
272   4               #k                   Literal value stored in k
273   5               4*([k]&0xf)          Lower nibble * 4 at byte offset k in the packet
274   6               L                    Jump label L
275   7               #k,Lt,Lf             Jump to Lt if true, otherwise jump to Lf
276   8               x/%x,Lt,Lf           Jump to Lt if true, otherwise jump to Lf
277   9               #k,Lt                Jump to Lt if predicate is true
278  10               x/%x,Lt              Jump to Lt if predicate is true
279  11               a/%a                 Accumulator A
280  12               extension            BPF extension
281  ===============  ===================  ===============================================
282
283The Linux kernel also has a couple of BPF extensions that are used along
284with the class of load instructions by "overloading" the k argument with
285a negative offset + a particular extension offset. The result of such BPF
286extensions are loaded into A.
287
288Possible BPF extensions are shown in the following table:
289
290  ===================================   =================================================
291  Extension                             Description
292  ===================================   =================================================
293  len                                   skb->len
294  proto                                 skb->protocol
295  type                                  skb->pkt_type
296  poff                                  Payload start offset
297  ifidx                                 skb->dev->ifindex
298  nla                                   Netlink attribute of type X with offset A
299  nlan                                  Nested Netlink attribute of type X with offset A
300  mark                                  skb->mark
301  queue                                 skb->queue_mapping
302  hatype                                skb->dev->type
303  rxhash                                skb->hash
304  cpu                                   raw_smp_processor_id()
305  vlan_tci                              skb_vlan_tag_get(skb)
306  vlan_avail                            skb_vlan_tag_present(skb)
307  vlan_tpid                             skb->vlan_proto
308  rand                                  get_random_u32()
309  ===================================   =================================================
310
311These extensions can also be prefixed with '#'.
312Examples for low-level BPF:
313
314**ARP packets**::
315
316  ldh [12]
317  jne #0x806, drop
318  ret #-1
319  drop: ret #0
320
321**IPv4 TCP packets**::
322
323  ldh [12]
324  jne #0x800, drop
325  ldb [23]
326  jneq #6, drop
327  ret #-1
328  drop: ret #0
329
330**icmp random packet sampling, 1 in 4**::
331
332  ldh [12]
333  jne #0x800, drop
334  ldb [23]
335  jneq #1, drop
336  # get a random uint32 number
337  ld rand
338  mod #4
339  jneq #1, drop
340  ret #-1
341  drop: ret #0
342
343**SECCOMP filter example**::
344
345  ld [4]                  /* offsetof(struct seccomp_data, arch) */
346  jne #0xc000003e, bad    /* AUDIT_ARCH_X86_64 */
347  ld [0]                  /* offsetof(struct seccomp_data, nr) */
348  jeq #15, good           /* __NR_rt_sigreturn */
349  jeq #231, good          /* __NR_exit_group */
350  jeq #60, good           /* __NR_exit */
351  jeq #0, good            /* __NR_read */
352  jeq #1, good            /* __NR_write */
353  jeq #5, good            /* __NR_fstat */
354  jeq #9, good            /* __NR_mmap */
355  jeq #14, good           /* __NR_rt_sigprocmask */
356  jeq #13, good           /* __NR_rt_sigaction */
357  jeq #35, good           /* __NR_nanosleep */
358  bad: ret #0             /* SECCOMP_RET_KILL_THREAD */
359  good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */
360
361Examples for low-level BPF extension:
362
363**Packet for interface index 13**::
364
365  ld ifidx
366  jneq #13, drop
367  ret #-1
368  drop: ret #0
369
370**(Accelerated) VLAN w/ id 10**::
371
372  ld vlan_tci
373  jneq #10, drop
374  ret #-1
375  drop: ret #0
376
377The above example code can be placed into a file (here called "foo"), and
378then be passed to the bpf_asm tool for generating opcodes, output that xt_bpf
379and cls_bpf understands and can directly be loaded with. Example with above
380ARP code::
381
382    $ ./bpf_asm foo
383    4,40 0 0 12,21 0 1 2054,6 0 0 4294967295,6 0 0 0,
384
385In copy and paste C-like output::
386
387    $ ./bpf_asm -c foo
388    { 0x28,  0,  0, 0x0000000c },
389    { 0x15,  0,  1, 0x00000806 },
390    { 0x06,  0,  0, 0xffffffff },
391    { 0x06,  0,  0, 0000000000 },
392
393In particular, as usage with xt_bpf or cls_bpf can result in more complex BPF
394filters that might not be obvious at first, it's good to test filters before
395attaching to a live system. For that purpose, there's a small tool called
396bpf_dbg under tools/bpf/ in the kernel source directory. This debugger allows
397for testing BPF filters against given pcap files, single stepping through the
398BPF code on the pcap's packets and to do BPF machine register dumps.
399
400Starting bpf_dbg is trivial and just requires issuing::
401
402    # ./bpf_dbg
403
404In case input and output do not equal stdin/stdout, bpf_dbg takes an
405alternative stdin source as a first argument, and an alternative stdout
406sink as a second one, e.g. `./bpf_dbg test_in.txt test_out.txt`.
407
408Other than that, a particular libreadline configuration can be set via
409file "~/.bpf_dbg_init" and the command history is stored in the file
410"~/.bpf_dbg_history".
411
412Interaction in bpf_dbg happens through a shell that also has auto-completion
413support (follow-up example commands starting with '>' denote bpf_dbg shell).
414The usual workflow would be to ...
415
416* load bpf 6,40 0 0 12,21 0 3 2048,48 0 0 23,21 0 1 1,6 0 0 65535,6 0 0 0
417  Loads a BPF filter from standard output of bpf_asm, or transformed via
418  e.g. ``tcpdump -iem1 -ddd port 22 | tr '\n' ','``. Note that for JIT
419  debugging (next section), this command creates a temporary socket and
420  loads the BPF code into the kernel. Thus, this will also be useful for
421  JIT developers.
422
423* load pcap foo.pcap
424
425  Loads standard tcpdump pcap file.
426
427* run [<n>]
428
429bpf passes:1 fails:9
430  Runs through all packets from a pcap to account how many passes and fails
431  the filter will generate. A limit of packets to traverse can be given.
432
433* disassemble::
434
435	l0:	ldh [12]
436	l1:	jeq #0x800, l2, l5
437	l2:	ldb [23]
438	l3:	jeq #0x1, l4, l5
439	l4:	ret #0xffff
440	l5:	ret #0
441
442  Prints out BPF code disassembly.
443
444* dump::
445
446	/* { op, jt, jf, k }, */
447	{ 0x28,  0,  0, 0x0000000c },
448	{ 0x15,  0,  3, 0x00000800 },
449	{ 0x30,  0,  0, 0x00000017 },
450	{ 0x15,  0,  1, 0x00000001 },
451	{ 0x06,  0,  0, 0x0000ffff },
452	{ 0x06,  0,  0, 0000000000 },
453
454  Prints out C-style BPF code dump.
455
456* breakpoint 0::
457
458	breakpoint at: l0:	ldh [12]
459
460* breakpoint 1::
461
462	breakpoint at: l1:	jeq #0x800, l2, l5
463
464  ...
465
466  Sets breakpoints at particular BPF instructions. Issuing a `run` command
467  will walk through the pcap file continuing from the current packet and
468  break when a breakpoint is being hit (another `run` will continue from
469  the currently active breakpoint executing next instructions):
470
471  * run::
472
473	-- register dump --
474	pc:       [0]                       <-- program counter
475	code:     [40] jt[0] jf[0] k[12]    <-- plain BPF code of current instruction
476	curr:     l0:	ldh [12]              <-- disassembly of current instruction
477	A:        [00000000][0]             <-- content of A (hex, decimal)
478	X:        [00000000][0]             <-- content of X (hex, decimal)
479	M[0,15]:  [00000000][0]             <-- folded content of M (hex, decimal)
480	-- packet dump --                   <-- Current packet from pcap (hex)
481	len: 42
482	    0: 00 19 cb 55 55 a4 00 14 a4 43 78 69 08 06 00 01
483	16: 08 00 06 04 00 01 00 14 a4 43 78 69 0a 3b 01 26
484	32: 00 00 00 00 00 00 0a 3b 01 01
485	(breakpoint)
486	>
487
488  * breakpoint::
489
490	breakpoints: 0 1
491
492    Prints currently set breakpoints.
493
494* step [-<n>, +<n>]
495
496  Performs single stepping through the BPF program from the current pc
497  offset. Thus, on each step invocation, above register dump is issued.
498  This can go forwards and backwards in time, a plain `step` will break
499  on the next BPF instruction, thus +1. (No `run` needs to be issued here.)
500
501* select <n>
502
503  Selects a given packet from the pcap file to continue from. Thus, on
504  the next `run` or `step`, the BPF program is being evaluated against
505  the user pre-selected packet. Numbering starts just as in Wireshark
506  with index 1.
507
508* quit
509
510  Exits bpf_dbg.
511
512JIT compiler
513------------
514
515The Linux kernel has a built-in BPF JIT compiler for x86_64, SPARC,
516PowerPC, ARM, ARM64, MIPS, RISC-V and s390 and can be enabled through
517CONFIG_BPF_JIT. The JIT compiler is transparently invoked for each
518attached filter from user space or for internal kernel users if it has
519been previously enabled by root::
520
521  echo 1 > /proc/sys/net/core/bpf_jit_enable
522
523For JIT developers, doing audits etc, each compile run can output the generated
524opcode image into the kernel log via::
525
526  echo 2 > /proc/sys/net/core/bpf_jit_enable
527
528Example output from dmesg::
529
530    [ 3389.935842] flen=6 proglen=70 pass=3 image=ffffffffa0069c8f
531    [ 3389.935847] JIT code: 00000000: 55 48 89 e5 48 83 ec 60 48 89 5d f8 44 8b 4f 68
532    [ 3389.935849] JIT code: 00000010: 44 2b 4f 6c 4c 8b 87 d8 00 00 00 be 0c 00 00 00
533    [ 3389.935850] JIT code: 00000020: e8 1d 94 ff e0 3d 00 08 00 00 75 16 be 17 00 00
534    [ 3389.935851] JIT code: 00000030: 00 e8 28 94 ff e0 83 f8 01 75 07 b8 ff ff 00 00
535    [ 3389.935852] JIT code: 00000040: eb 02 31 c0 c9 c3
536
537When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is permanently set to 1 and
538setting any other value than that will return in failure. This is even the case for
539setting bpf_jit_enable to 2, since dumping the final JIT image into the kernel log
540is discouraged and introspection through bpftool (under tools/bpf/bpftool/) is the
541generally recommended approach instead.
542
543In the kernel source tree under tools/bpf/, there's bpf_jit_disasm for
544generating disassembly out of the kernel log's hexdump::
545
546	# ./bpf_jit_disasm
547	70 bytes emitted from JIT compiler (pass:3, flen:6)
548	ffffffffa0069c8f + <x>:
549	0:	push   %rbp
550	1:	mov    %rsp,%rbp
551	4:	sub    $0x60,%rsp
552	8:	mov    %rbx,-0x8(%rbp)
553	c:	mov    0x68(%rdi),%r9d
554	10:	sub    0x6c(%rdi),%r9d
555	14:	mov    0xd8(%rdi),%r8
556	1b:	mov    $0xc,%esi
557	20:	callq  0xffffffffe0ff9442
558	25:	cmp    $0x800,%eax
559	2a:	jne    0x0000000000000042
560	2c:	mov    $0x17,%esi
561	31:	callq  0xffffffffe0ff945e
562	36:	cmp    $0x1,%eax
563	39:	jne    0x0000000000000042
564	3b:	mov    $0xffff,%eax
565	40:	jmp    0x0000000000000044
566	42:	xor    %eax,%eax
567	44:	leaveq
568	45:	retq
569
570	Issuing option `-o` will "annotate" opcodes to resulting assembler
571	instructions, which can be very useful for JIT developers:
572
573	# ./bpf_jit_disasm -o
574	70 bytes emitted from JIT compiler (pass:3, flen:6)
575	ffffffffa0069c8f + <x>:
576	0:	push   %rbp
577		55
578	1:	mov    %rsp,%rbp
579		48 89 e5
580	4:	sub    $0x60,%rsp
581		48 83 ec 60
582	8:	mov    %rbx,-0x8(%rbp)
583		48 89 5d f8
584	c:	mov    0x68(%rdi),%r9d
585		44 8b 4f 68
586	10:	sub    0x6c(%rdi),%r9d
587		44 2b 4f 6c
588	14:	mov    0xd8(%rdi),%r8
589		4c 8b 87 d8 00 00 00
590	1b:	mov    $0xc,%esi
591		be 0c 00 00 00
592	20:	callq  0xffffffffe0ff9442
593		e8 1d 94 ff e0
594	25:	cmp    $0x800,%eax
595		3d 00 08 00 00
596	2a:	jne    0x0000000000000042
597		75 16
598	2c:	mov    $0x17,%esi
599		be 17 00 00 00
600	31:	callq  0xffffffffe0ff945e
601		e8 28 94 ff e0
602	36:	cmp    $0x1,%eax
603		83 f8 01
604	39:	jne    0x0000000000000042
605		75 07
606	3b:	mov    $0xffff,%eax
607		b8 ff ff 00 00
608	40:	jmp    0x0000000000000044
609		eb 02
610	42:	xor    %eax,%eax
611		31 c0
612	44:	leaveq
613		c9
614	45:	retq
615		c3
616
617For BPF JIT developers, bpf_jit_disasm, bpf_asm and bpf_dbg provides a useful
618toolchain for developing and testing the kernel's JIT compiler.
619
620BPF kernel internals
621--------------------
622Internally, for the kernel interpreter, a different instruction set
623format with similar underlying principles from BPF described in previous
624paragraphs is being used. However, the instruction set format is modelled
625closer to the underlying architecture to mimic native instruction sets, so
626that a better performance can be achieved (more details later). This new
627ISA is called eBPF.  See the ../bpf/index.rst for details.  (Note: eBPF which
628originates from [e]xtended BPF is not the same as BPF extensions! While
629eBPF is an ISA, BPF extensions date back to classic BPF's 'overloading'
630of BPF_LD | BPF_{B,H,W} | BPF_ABS instruction.)
631
632The new instruction set was originally designed with the possible goal in
633mind to write programs in "restricted C" and compile into eBPF with a optional
634GCC/LLVM backend, so that it can just-in-time map to modern 64-bit CPUs with
635minimal performance overhead over two steps, that is, C -> eBPF -> native code.
636
637Currently, the new format is being used for running user BPF programs, which
638includes seccomp BPF, classic socket filters, cls_bpf traffic classifier,
639team driver's classifier for its load-balancing mode, netfilter's xt_bpf
640extension, PTP dissector/classifier, and much more. They are all internally
641converted by the kernel into the new instruction set representation and run
642in the eBPF interpreter. For in-kernel handlers, this all works transparently
643by using bpf_prog_create() for setting up the filter, resp.
644bpf_prog_destroy() for destroying it. The function
645bpf_prog_run(filter, ctx) transparently invokes eBPF interpreter or JITed
646code to run the filter. 'filter' is a pointer to struct bpf_prog that we
647got from bpf_prog_create(), and 'ctx' the given context (e.g.
648skb pointer). All constraints and restrictions from bpf_check_classic() apply
649before a conversion to the new layout is being done behind the scenes!
650
651Currently, the classic BPF format is being used for JITing on most
65232-bit architectures, whereas x86-64, aarch64, s390x, powerpc64,
653sparc64, arm32, riscv64, riscv32, loongarch64 perform JIT compilation
654from eBPF instruction set.
655
656Testing
657-------
658
659Next to the BPF toolchain, the kernel also ships a test module that contains
660various test cases for classic and eBPF that can be executed against
661the BPF interpreter and JIT compiler. It can be found in lib/test_bpf.c and
662enabled via Kconfig::
663
664  CONFIG_TEST_BPF=m
665
666After the module has been built and installed, the test suite can be executed
667via insmod or modprobe against 'test_bpf' module. Results of the test cases
668including timings in nsec can be found in the kernel log (dmesg).
669
670Misc
671----
672
673Also trinity, the Linux syscall fuzzer, has built-in support for BPF and
674SECCOMP-BPF kernel fuzzing.
675
676Written by
677----------
678
679The document was written in the hope that it is found useful and in order
680to give potential BPF hackers or security auditors a better overview of
681the underlying architecture.
682
683- Jay Schulist <jschlst@samba.org>
684- Daniel Borkmann <daniel@iogearbox.net>
685- Alexei Starovoitov <ast@kernel.org>
686