support --filter-ip and --filter-port

Open borkmann opened this issue 3 years ago • 2 comments

Right now pwru only supports:

      --filter-dst-ip string        filter destination IP addr
      --filter-dst-port uint16      filter destination port
[...]
      --filter-src-ip string        filter source IP addr
      --filter-src-port uint16      filter source port

But when tracing packets through the stack, they can get DNAT'ed or SNAT'ed or both.

Maybe a libpcap-like expression could even be used here, and converted to eBPF insns (e.g. inline asm blob), at least basic primitives to define an expression with IPs & ports combined with logical and/or.

borkmann Aug 26 '22 07:08
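An added illustration of the request above, not pwru code and not written by anyone in this thread: a userspace C model of direction-bound versus direction-agnostic primitives combined with and/or, evaluated over one constructed request as it is DNAT'ed and then SNAT'ed. The `ANY_IP`/`ANY_PORT` semantics (match source or destination), all type and function names, and every address and port are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the filtered header fields; not pwru's own types. */
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };
struct prim { enum { DST_IP, ANY_IP, ANY_PORT } kind; uint32_t val; };
struct term { int n; struct prim p[2]; };  /* AND of up to two primitives */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define CLIENT  IP(10, 0, 0, 5)     /* all addresses here are constructed */
#define VIP     IP(10, 96, 0, 10)   /* destination before DNAT */
#define BACKEND IP(10, 244, 1, 7)   /* destination after DNAT */
/* One request seen at three points: as sent, after DNAT, after DNAT and SNAT. */
static const struct tuple trace[3] = {
    { CLIENT, VIP, 40000, 80 },
    { CLIENT, BACKEND, 40000, 8080 },
    { IP(10, 244, 0, 1), BACKEND, 51000, 8080 },
};
/* Today's --filter-dst-ip, a direction-agnostic IP, and an and/or expression. */
static const struct term dst_only[] = { { 1, { { DST_IP, VIP } } } };
static const struct term any_client[] = { { 1, { { ANY_IP, CLIENT } } } };
static const struct term vip_or_backend[] = {
    { 2, { { ANY_IP, VIP }, { ANY_PORT, 80 } } },
    { 2, { { ANY_IP, BACKEND }, { ANY_PORT, 8080 } } },
};

/* ANY_* matches either direction (assumed --filter-ip / --filter-port meaning). */
static bool prim_match(const struct prim *p, const struct tuple *t) {
    switch (p->kind) {
    case DST_IP:   return t->daddr == p->val;
    case ANY_IP:   return t->saddr == p->val || t->daddr == p->val;
    case ANY_PORT: return t->sport == p->val || t->dport == p->val;
    }
    return false;
}

/* An expression is an OR of terms; returns how many trace points it matches. */
static int count_hits(const struct term *terms, int nterms) {
    int hits = 0;
    for (int i = 0; i < 3; i++) {
        bool any = false;
        for (int j = 0; j < nterms && !any; j++) {
            any = true;  /* a term holds until one of its primitives fails */
            for (int k = 0; k < terms[j].n && any; k++)
                any = prim_match(&terms[j].p[k], &trace[i]);
        }
        hits += any;
    }
    return hits;
}
```

On this trace the destination-only filter sees the packet once, the direction-agnostic client filter loses it after SNAT, and only the or-combined expression follows it through all three points.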

It's interesting to compile a libpcap-like expression to JIT'ed eBPF insns, and make them work with pwru's existing eBPF insns.

How about bpf_tail_call()? Get the skb first, then bpf_tail_call() the JIT'ed filtering the skb insns, and then bpf_tail_call() the pwru filtering and outputting eBPF insns.

Asphaltt Aug 28 '22 07:08

> It's interesting to compile a libpcap-like expression to JIT'ed eBPF insns, and make them work with pwru's existing eBPF insns.

Yeah, in my spare time I am working on a small tcpdump-like syntax compiler to eBPF. Instead of bpf_tail_call() the plan is to use bpf2bpf calls.

brb Aug 29 '22 09:08

@brb How is it going?

> Instead of bpf_tail_call() the plan is to use bpf2bpf calls.

After some research, bpf2bpf + freplace is perfect for this case.

Asphaltt Feb 04 '23 15:02

@Asphaltt Hey, this is still WIP. ACK on bpf2bpf + freplace.

brb Feb 07 '23 07:02