
I am writing a bpf filter to prevent certain netlink messages. I am trying to debug the bpf code. Is there any debug tool that could help me?

I was initially thinking of using nlmon to capture netlink messages:

From https://jvns.ca/blog/2017/09/03/debugging-netlink-requests/

# create the network interface

sudo ip link add nlmon0 type nlmon
sudo ip link set dev nlmon0 up
sudo tcpdump -i nlmon0 -w netlink.pcap # capture your packets

Then use ./bpf_dbg (https://github.com/cloudflare/bpftools/blob/master/linux_tools/bpf_dbg.c):

1) ./bpf_dbg to enter the shell (shell cmds denoted with '>'):
2) > load bpf 6,40 0 0 12,21 0 3 20... (this is the bpf code I intend to debug)
3) > load pcap netlink.pcap
4) > run /disassemble/dump/quit (self-explanatory)
5) > breakpoint 2 (sets bp at loaded BPF insns 2, do run then; multiple bps can be set, of course, a call to breakpoint w/o args shows currently loaded bps, breakpoint reset for resetting all breakpoints)
6) > select 3 (run etc will start from the 3rd packet in the pcap)
7) > step [-, +] (performs single stepping through the BPF)

Did anyone try this before?

Also, I was not able to make the nlmon module load on my Linux kernel (is there a doc for this?).

I am running kernel version 4.10.0-40-generic. The nlmon module seems to be present in the kernel source:

https://elixir.free-electrons.com/linux/v4.10/source/drivers/net/nlmon.c#L41

But when I search inside /lib/modules/ for nlmon.ko, I don't find anything.

instance-1:/lib/modules$ find . | grep -i nlmon
instance-1:/lib/modules$
  • Is `6,40 0 0 12,21 0 3 20` (`port 22`) the BPF filter for netlink message you are trying to debug or am I misunderstanding? – pchaigno Dec 23 '17 at 06:03
  • Yes, that is the BPF filter code. Sorry for the confusion. I just copied those steps from the bpf_dbg.c file on GitHub. I haven't tried the steps myself, because I haven't got the nlmon device to load in my kernel in the first place. I have re-edited my question to make it more clear. – rickest rick c132 Dec 24 '17 at 07:15
  • Ok. What's the error message you're having with `nlmon`? – pchaigno Dec 24 '17 at 12:11
  • I am trying to load the nlmon kernel module, but I am not able to find the nlmon module in the first place. I have updated the question with the kernel version and steps I have undertaken till now. – rickest rick c132 Dec 25 '17 at 01:10
  • Have you checked your kernel config.? What does `cat /boot/config-$(uname -r) | grep NLMON` say? – pchaigno Dec 25 '17 at 18:56
  • `cat /boot/config-$(uname -r) | grep NLMON` gives `CONFIG_NLMON=m`. From what I understand this means the kernel will load this on demand? But I get this error when I try to create a nlmon device: `sudo ip link add nlmon0 type nlmon` answers `RTNETLINK answers: Operation not supported`. – rickest rick c132 Dec 25 '17 at 20:50
  • Have you checked `dmesg` for a more detailed error message? – pchaigno Dec 25 '17 at 22:58
  • dmesg shows no related messages. – rickest rick c132 Dec 26 '17 at 03:15
  • Just to be sure, did you try to load the module manually (with e.g. `sudo modprobe nlmon`)? If this does not work, does it give you any more info in dmesg? If you really don't have the module on your system, you could still download the Linux tree and compile nlmon. – Qeole Jan 12 '18 at 18:25
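While the nlmon capture is sorted out, the filter itself can be exercised offline. The following is an added example, not code from the question or from bpf_dbg: a small classic-BPF interpreter that reads the same "N,code jt jf k,..." text that `tcpdump -ddd` prints and bpf_dbg's `load bpf` accepts, run over a constructed bare nlmsghdr (as a filter attached directly to a netlink socket sees it; a pcap from nlmon carries a link-layer pseudo-header before the nlmsghdr, so offsets differ there). The opcode constants, the RTM_NEWLINK/RTM_GETLINK values and the sample filter are my own, and it shows the byte-order catch that bites netlink filters: nlmsghdr fields are host-order, but BPF_LD|BPF_H|BPF_ABS reads big-endian.

```python
import socket
import struct
# Classic-BPF opcodes (BPF_LD|BPF_ABS loads, BPF_JMP, BPF_ALU, BPF_RET).
# Semantics follow the kernel: big-endian loads, out-of-range load = drop.
LD_W_ABS, LD_H_ABS, LD_B_ABS = 0x20, 0x28, 0x30
JA, JEQ_K, JGT_K, JGE_K, JSET_K = 0x05, 0x15, 0x25, 0x35, 0x45
ADD_K, AND_K, RET_K, RET_A = 0x04, 0x54, 0x06, 0x16
def parse_bpf(text):
    """Parse "N,code jt jf k,..." into a list of (code, jt, jf, k) tuples."""
    count, *insns = text.split(",")
    prog = [tuple(int(f) for f in insn.split()) for insn in insns]
    if len(prog) != int(count):
        raise ValueError(f"header says {count} insns, got {len(prog)}")
    return prog

def run_bpf(prog, pkt):
    """Run prog over pkt and return the accept length (0 means drop)."""
    a = pc = 0
    try:
        while pc < len(prog):
            code, jt, jf, k = prog[pc]
            pc += 1
            if code == LD_W_ABS: a = struct.unpack_from(">I", pkt, k)[0]
            elif code == LD_H_ABS: a = struct.unpack_from(">H", pkt, k)[0]
            elif code == LD_B_ABS: a = pkt[k]
            elif code == ADD_K: a = (a + k) & 0xFFFFFFFF
            elif code == AND_K: a &= k
            elif code == JA: pc += k
            elif code in (JEQ_K, JGT_K, JGE_K, JSET_K):
                taken = {JEQ_K: a == k, JGT_K: a > k,
                         JGE_K: a >= k, JSET_K: (a & k) != 0}[code]
                pc += jt if taken else jf
            elif code == RET_K: return k
            elif code == RET_A: return a
            else: raise ValueError(f"unsupported opcode 0x{code:02x}")
    except (struct.error, IndexError):
        return 0  # load past the end of the packet: the kernel returns 0 (drop)
    raise ValueError("program ran off the end without a RET")

RTM_NEWLINK, RTM_GETLINK = 16, 18  # rtnetlink message types (assumed values)

def nl_msg(msg_type):
    """Constructed bare nlmsghdr (len, type, flags, seq, pid) in host order,
    as a filter attached directly to a netlink socket sees it."""
    return struct.pack("=IHHII", 16, msg_type, 0, 1, 0)

# ldh [4]; jeq #type, accept, drop; ret #65535; ret #0. nlmsg_type is stored
# in host order but ldh reads big-endian, so htons() the constant on LE hosts.
ACCEPT_NEWLINK = (f"4,40 0 0 4,21 0 1 {socket.htons(RTM_NEWLINK)},"
                  "6 0 0 65535,6 0 0 0")
```

Comparing nlmsg_type against a plain 16 instead of htons(16) is the classic mistake here: on x86 the filter silently drops everything.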
