Ask Your Question

Revision history [back]

BPF Byte filter for VLAN-IPv6-UDP stack

Hi Guys,

I'm struggling with BPF filter to match 2 Bytes inside UDP payload for the next stack: Ethernet-VLAN-IPv6-UDP.

So I make the next expression:

vlan and udp[8:2] = 0x1111    (1)

For some reason it does not work, no packet is matched. I make a step back and delete Byte matching part:

vlan and udp    (2)

This one works correctly matching all UDP inside IPv6.

I then try the first one (with Byte offset), but on Ethernet-VLAN-IPv4-UDP - and it works again.

So I checked compiled BPF and I see:

  • For vlan and udp:

image description

There is a check for v4 and v6.

  • For vlan and udp[8:2] = 0x1111

image description

There is no more check for v6.

Am I missing something? I'd like to avoid going down the stack and making Ethernet Byte filter with big offsets.

A good file to play with is in Johannes Weber blog:

https://weberblog.net/ipv6-upper-layer-protocol-samples/

Thanks,

Vlad

BPF Byte filter for VLAN-IPv6-UDP stack

Hi Guys,

I'm struggling with BPF filter to match 2 Bytes inside UDP payload for the next stack: Ethernet-VLAN-IPv6-UDP.

So I make the next expression:

vlan and udp[8:2] = 0x1111    (1)

For some reason it does not work, no packet is matched. I make a step back and delete Byte matching part:

vlan and udp    (2)

This one works correctly matching all UDP inside IPv6.

I then try the first one (with Byte offset), but on Ethernet-VLAN-IPv4-UDP - and it works again.

So I checked compiled BPF and I see:

  • For vlan and udp:

image description

There is a check for v4 and v6.

  • For vlan and udp[8:2] = 0x1111

image description

There is no more check for v6.

Am I missing something? I'd like to avoid going down the stack and making Ethernet Byte filter with big offsets.

A good file to play with is in Johannes Weber blog:

https://weberblog.net/ipv6-upper-layer-protocol-samples/

Thanks,

Vlad