Commit b1178f6f authored by 4ast's avatar 4ast

Merge pull request #401 from mbertrone/master

http_filter readme fixed
parents 79ad6dd2 34860ad5
......@@ -116,6 +116,7 @@ Tools:
Examples:
- examples/networking/[distributed_bridge/](examples/networking/distributed_bridge): Distributed bridge example.
- examples/networking/[http_filter/](examples/networking/http_filter): Simple HTTP filter example.
- examples/networking/[simple_tc.py](examples/networking/simple_tc.py): Simple traffic control example.
- examples/networking/[simulation.py](examples/networking/simulation.py): Simulation helper.
- examples/networking/neighbor_sharing/[tc_neighbor_sharing.py](examples/networking/neighbor_sharing/tc_neighbor_sharing.py) examples/networking/neighbor_sharing/[tc_neighbor_sharing.c](examples/networking/neighbor_sharing/tc_neighbor_sharing.c): Per-IP classification and rate limiting.
......
#Simple HTTP Filter: Project purpose
# HTTP Filter
Write an eBPF application that parses HTTP packets and extracts (and prints on screen) the URL contained in the GET/POST request.
eBPF application that parses HTTP packets and extracts (and prints on screen) the URL contained in the GET/POST request.
[eBPF HTTP Filter - Short Presentation](https://github.com/iovisor/bpf-docs/blob/master/ebpf_http_filter.pdf)
#Usage Example
## Usage Example
```Shell
$ sudo python http-parse-v2.py
GET /pipermail/iovisor-dev/ HTTP/1.1
HTTP/1.1 200 OK
GET /favicon.ico HTTP/1.1
HTTP/1.1 404 Not Found
GET /pipermail/iovisor-dev/2016-January/thread.html HTTP/1.1
HTTP/1.1 200 OK
GET /pipermail/iovisor-dev/2016-January/000046.html HTTP/1.1
HTTP/1.1 200 OK
```
#Implementation using BCC
$ sudo python http-parse-complete.py
GET /pipermail/iovisor-dev/ HTTP/1.1
HTTP/1.1 200 OK
GET /favicon.ico HTTP/1.1
HTTP/1.1 404 Not Found
GET /pipermail/iovisor-dev/2016-January/thread.html HTTP/1.1
HTTP/1.1 200 OK
GET /pipermail/iovisor-dev/2016-January/000046.html HTTP/1.1
HTTP/1.1 200 OK
eBPF socket filter.<br />
Filters IP and TCP packets, containing "HTTP", "GET", "POST" in payload and all subsequent packets belonging to the same session, having the same (ip_src,ip_dst,port_src,port_dst).<br />
Program is loaded as PROG_TYPE_SOCKET_FILTER and attached to a socket, bind to eth0. <br />
Matching packets are forwarded to user space, others dropped by the filter.<br />
<br />
Python script reads filtered raw packets from the socket, if necessary reassembles packets belonging to the same session, and prints on stdout the first line of the HTTP GET/POST request. <br />
#v1 vs v2
## Implementation overview
First version is the simple one: if the url is too long (splitted in more than one packet) is truncated. <br />
Second version is quite more complex: if necessary reassembles packets belonging to the same session and prints the complete url.
The implementation is split in two portions: the former that exploits eBPF code, the latter that performs some additional processing in user space (the python wrapper).
#To run:
### First part: eBPF filter
This component filters IP and TCP packets containing the "HTTP", "GET", "POST" strings in their payload and all subsequent packets belonging to the same session, having the same (ip.src,ip.dst,port.src,port.dst) tuple.
```Shell
$ sudo python http-parse.py
$ sudo python http-parse-v2.py
```
\ No newline at end of file
The program is loaded as PROG_TYPE_SOCKET_FILTER and attached to a socket, bind to eth0.
Matching packets are forwarded to user space, the others are dropped by the filter.
### Second part: python code in user space
The Python script reads filtered raw packets from the socket, if necessary reassembles packets belonging to the same session, and prints on stdout the first line of the HTTP GET/POST request.
## Simple vs. complete
Two versions of this code are available in this repository:
* simple version: it does not handle URLs that span across multiple packets. For instance, if the URL is too long it shows only the portion contained in the first packet.
* complete version: it is able to cope with URLs spanning across multiple packets; if such a situation is detected, the code reassembles packets belonging to the same session and prints the complete URL.
## How to execute this sample
This sample can be executed by typing either one the two commands below:
$ sudo python http-parse-simple.py
$ sudo python http-parse-complete.py
......@@ -76,8 +76,8 @@ def cleanup():
#-----FUNCTIONS-END-------------------------#
# initialize BPF - load source code from http-parse.c
bpf = BPF(src_file = "http-parse-v2.c",debug = 0)
# initialize BPF - load source code from http-parse-complete.c
bpf = BPF(src_file = "http-parse-complete.c",debug = 0)
#load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm
#more info about eBPF program types
......
......@@ -19,8 +19,8 @@ import sys
import socket
import os
# initialize BPF - load source code from http-parse.c
bpf = BPF(src_file = "http-parse.c",debug = 0)
# initialize BPF - load source code from http-parse-simple.c
bpf = BPF(src_file = "http-parse-simple.c",debug = 0)
#load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm
#more info about eBPF program types
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment