<p>From what I can tell, the problem seems to come from the logic of the first two conditional jumps. Specifically:</p>
<pre><code>bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 0, 5), # if false, skip 5 instructions
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 80, 0, 5),
</code></pre>
<p>The instruction <code>bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, &lt;val&gt;, &lt;jtrue&gt;, &lt;jfalse&gt;)</code> means</p>
^{pr2}$
<p>So these two lines mean:</p>
<pre><code>if port is 9000
  then if port is 80
    then go on with checks…
    else skip 5 instructions (i.e. reject)
  else
    skip 5 instructions (i.e. pass, as jump offset was not updated from 5 to 6)
</code></pre>
<p>You probably want something more like:</p>
<pre><code>if port is 9000
  then go on with checks…
  else
    if port is 80
      then go on with checks…
      else reject
</code></pre>
<p>I haven't tested it, but to get this logic, I'd say you need to adjust the jump offsets as follows:</p>
<pre><code>bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 1, 0), # if true skip 1 insn
                                                 # (i.e. port 80 check) else 0
                                                 # and check for port 80
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 80, 0, 5),   # if true skip 0 else skip 5
                                                 # (and land on “reject”)
</code></pre>
<p><strong>Edit 1:</strong> To filter on three ports, this would then become:</p>
<pre><code>bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 8084, 2, 0), # skip the next 2 checks if true
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 1, 0), # skip the next check if true
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 22, 0, 5), # if true go on else reject
</code></pre>
<p><strong>Edit 2:</strong> To also filter on the source port (in addition to the destination port), you could try something like this (not tested on my side):</p>
<pre><code># Load TCP src port into the accumulator (register A), and check port value
# For packets with IP header len == 20 bytes, TCP src port should be at offset 34
# We adapt the jump offsets to go to next check if no match (or to “reject” after
# the last check), or to skip all remaining checks on ports if a match is found.
bpf_stmt(BPF_LD | BPF_H | BPF_ABS, 34), # 34 == offset of src port
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 8084, 6, 0),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 5, 0),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 22, 4, 0),
# As before: if no match on src port, check on dst port
bpf_stmt(BPF_LD | BPF_H | BPF_ABS, 36),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 8084, 2, 0),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 1, 0),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 22, 0, 5),
…
</code></pre>
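<p>The jump chains above, run through a small classic-BPF interpreter so the effect of each pair of offsets can be checked offline. This is an added example, not part of the original answer: <code>bpf_stmt</code> and <code>bpf_jump</code> here are tuple-returning stand-ins, and the four no-op instructions, the accept/reject returns and the 54-byte packet are constructed assumptions.</p>

```python
import struct

# Classic BPF opcode fields (values from linux/bpf_common.h)
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06
BPF_H, BPF_ABS, BPF_JEQ, BPF_K = 0x08, 0x20, 0x10, 0x00
JEQ, LDH, RET = BPF_JMP | BPF_JEQ | BPF_K, BPF_LD | BPF_H | BPF_ABS, BPF_RET | BPF_K

def bpf_stmt(code, k):            # stand-in: same field order as struct sock_filter
    return (code, 0, 0, k)

def bpf_jump(code, k, jt, jf):
    return (code, jt, jf, k)

def run(prog, pkt):
    """Interpret the three cBPF opcodes used here; returns the RET value."""
    a, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1                   # jump offsets are relative to the next insn
        if code == LDH:
            a = struct.unpack_from("!H", pkt, k)[0]
        elif code == JEQ:
            pc += jt if a == k else jf
        elif code == RET:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")

# Constructed tail: 4 no-ops standing in for the remaining checks, accept, reject.
TAIL = [bpf_jump(JEQ, 0, 0, 0)] * 4 + [bpf_stmt(RET, 0xFFFF), bpf_stmt(RET, 0)]
DST = [bpf_stmt(LDH, 36)]         # 36 == offset of dst port, 20-byte IP header

BUGGY = DST + [bpf_jump(JEQ, 9000, 0, 5), bpf_jump(JEQ, 80, 0, 5)] + TAIL
FIXED = DST + [bpf_jump(JEQ, 9000, 1, 0), bpf_jump(JEQ, 80, 0, 5)] + TAIL
THREE = DST + [bpf_jump(JEQ, 8084, 2, 0), bpf_jump(JEQ, 9000, 1, 0),
               bpf_jump(JEQ, 22, 0, 5)] + TAIL
SRC_DST = [bpf_stmt(LDH, 34), bpf_jump(JEQ, 8084, 6, 0),
           bpf_jump(JEQ, 9000, 5, 0), bpf_jump(JEQ, 22, 4, 0)] + THREE

def accepts(prog, dst_port, src_port=40000):
    pkt = bytearray(54)           # constructed Ethernet + 20-byte IP + TCP header
    struct.pack_into("!HH", pkt, 34, src_port, dst_port)
    return run(prog, bytes(pkt)) != 0

if __name__ == "__main__":
    for name, prog in (("buggy", BUGGY), ("fixed", FIXED), ("three", THREE)):
        print(name, {p: accepts(prog, p) for p in (22, 80, 443, 8084, 9000)})
```

<p>With the original offsets the filter accepts every destination port except 9000, the inverse of what was intended; with the adjusted offsets only the listed ports reach the remaining checks.</p>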