2 * netsniff-ng - the packet sniffing beast
3 * Copyright 2009 - 2012 Daniel Borkmann.
4 * Copyright 2009, 2010 Emmanuel Roullit.
5 * Copyright 1990-1996 The Regents of the University of
6 * California. All rights reserved. (3-clause BSD license)
7 * Subject to the GPL, version 2.
12 #include <arpa/inet.h>
13 #include <sys/types.h>
23 #define EXTRACT_SHORT(packet) \
24 ((unsigned short) ntohs(*(unsigned short *) packet))
25 #define EXTRACT_LONG(packet) \
26 (ntohl(*(unsigned long *) packet))
29 # define BPF_MEMWORDS 16
32 #define BPF_LD_B (BPF_LD | BPF_B)
33 #define BPF_LD_H (BPF_LD | BPF_H)
34 #define BPF_LD_W (BPF_LD | BPF_W)
35 #define BPF_LDX_B (BPF_LDX | BPF_B)
36 #define BPF_LDX_W (BPF_LDX | BPF_W)
37 #define BPF_JMP_JA (BPF_JMP | BPF_JA)
38 #define BPF_JMP_JEQ (BPF_JMP | BPF_JEQ)
39 #define BPF_JMP_JGT (BPF_JMP | BPF_JGT)
40 #define BPF_JMP_JGE (BPF_JMP | BPF_JGE)
41 #define BPF_JMP_JSET (BPF_JMP | BPF_JSET)
42 #define BPF_ALU_ADD (BPF_ALU | BPF_ADD)
43 #define BPF_ALU_SUB (BPF_ALU | BPF_SUB)
44 #define BPF_ALU_MUL (BPF_ALU | BPF_MUL)
45 #define BPF_ALU_DIV (BPF_ALU | BPF_DIV)
46 #define BPF_ALU_MOD (BPF_ALU | BPF_MOD)
47 #define BPF_ALU_NEG (BPF_ALU | BPF_NEG)
48 #define BPF_ALU_AND (BPF_ALU | BPF_AND)
49 #define BPF_ALU_OR (BPF_ALU | BPF_OR)
50 #define BPF_ALU_XOR (BPF_ALU | BPF_XOR)
51 #define BPF_ALU_LSH (BPF_ALU | BPF_LSH)
52 #define BPF_ALU_RSH (BPF_ALU | BPF_RSH)
53 #define BPF_MISC_TAX (BPF_MISC | BPF_TAX)
54 #define BPF_MISC_TXA (BPF_MISC | BPF_TXA)
56 static const char *op_table
[] = {
65 [BPF_JMP_JEQ
] = "jeq",
66 [BPF_JMP_JGT
] = "jgt",
67 [BPF_JMP_JGE
] = "jge",
68 [BPF_JMP_JSET
] = "jset",
69 [BPF_ALU_ADD
] = "add",
70 [BPF_ALU_SUB
] = "sub",
71 [BPF_ALU_MUL
] = "mul",
72 [BPF_ALU_DIV
] = "div",
73 [BPF_ALU_MOD
] = "mod",
74 [BPF_ALU_NEG
] = "neg",
75 [BPF_ALU_AND
] = "and",
77 [BPF_ALU_XOR
] = "xor",
78 [BPF_ALU_LSH
] = "lsh",
79 [BPF_ALU_RSH
] = "rsh",
81 [BPF_MISC_TAX
] = "tax",
82 [BPF_MISC_TXA
] = "txa",
85 void bpf_dump_op_table(void)
88 for (i
= 0; i
< array_size(op_table
); ++i
) {
90 printf("%s\n", op_table
[i
]);
94 static const char *bpf_dump_linux_k(uint32_t k
)
99 case SKF_AD_OFF
+ SKF_AD_PROTOCOL
:
101 case SKF_AD_OFF
+ SKF_AD_PKTTYPE
:
103 case SKF_AD_OFF
+ SKF_AD_IFINDEX
:
105 case SKF_AD_OFF
+ SKF_AD_NLATTR
:
107 case SKF_AD_OFF
+ SKF_AD_NLATTR_NEST
:
109 case SKF_AD_OFF
+ SKF_AD_MARK
:
111 case SKF_AD_OFF
+ SKF_AD_QUEUE
:
113 case SKF_AD_OFF
+ SKF_AD_HATYPE
:
115 case SKF_AD_OFF
+ SKF_AD_RXHASH
:
117 case SKF_AD_OFF
+ SKF_AD_CPU
:
119 case SKF_AD_OFF
+ SKF_AD_VLAN_TAG
:
121 case SKF_AD_OFF
+ SKF_AD_VLAN_TAG_PRESENT
:
126 static char *__bpf_dump(const struct sock_filter bpf
, int n
)
129 const char *fmt
, *op
;
130 static char image
[256];
140 case BPF_RET
| BPF_K
:
141 op
= op_table
[BPF_RET
];
144 case BPF_RET
| BPF_A
:
145 op
= op_table
[BPF_RET
];
148 case BPF_RET
| BPF_X
:
149 op
= op_table
[BPF_RET
];
152 case BPF_LD_W
| BPF_ABS
:
153 op
= op_table
[BPF_LD_W
];
154 fmt
= bpf_dump_linux_k(bpf
.k
);
156 case BPF_LD_H
| BPF_ABS
:
157 op
= op_table
[BPF_LD_H
];
158 fmt
= bpf_dump_linux_k(bpf
.k
);
160 case BPF_LD_B
| BPF_ABS
:
161 op
= op_table
[BPF_LD_B
];
162 fmt
= bpf_dump_linux_k(bpf
.k
);
164 case BPF_LD_W
| BPF_LEN
:
165 op
= op_table
[BPF_LD_W
];
168 case BPF_LD_W
| BPF_IND
:
169 op
= op_table
[BPF_LD_W
];
172 case BPF_LD_H
| BPF_IND
:
173 op
= op_table
[BPF_LD_H
];
176 case BPF_LD_B
| BPF_IND
:
177 op
= op_table
[BPF_LD_B
];
180 case BPF_LD
| BPF_IMM
:
181 op
= op_table
[BPF_LD_W
];
184 case BPF_LDX
| BPF_IMM
:
185 op
= op_table
[BPF_LDX
];
188 case BPF_LDX_B
| BPF_MSH
:
189 op
= op_table
[BPF_LDX_B
];
190 fmt
= "4*([%d]&0xf)";
192 case BPF_LD
| BPF_MEM
:
193 op
= op_table
[BPF_LD_W
];
196 case BPF_LDX
| BPF_MEM
:
197 op
= op_table
[BPF_LDX
];
201 op
= op_table
[BPF_ST
];
205 op
= op_table
[BPF_STX
];
209 op
= op_table
[BPF_JMP_JA
];
213 case BPF_JMP_JGT
| BPF_K
:
214 op
= op_table
[BPF_JMP_JGT
];
217 case BPF_JMP_JGE
| BPF_K
:
218 op
= op_table
[BPF_JMP_JGE
];
221 case BPF_JMP_JEQ
| BPF_K
:
222 op
= op_table
[BPF_JMP_JEQ
];
225 case BPF_JMP_JSET
| BPF_K
:
226 op
= op_table
[BPF_JMP_JSET
];
229 case BPF_JMP_JGT
| BPF_X
:
230 op
= op_table
[BPF_JMP_JGT
];
233 case BPF_JMP_JGE
| BPF_X
:
234 op
= op_table
[BPF_JMP_JGE
];
237 case BPF_JMP_JEQ
| BPF_X
:
238 op
= op_table
[BPF_JMP_JEQ
];
241 case BPF_JMP_JSET
| BPF_X
:
242 op
= op_table
[BPF_JMP_JSET
];
245 case BPF_ALU_ADD
| BPF_X
:
246 op
= op_table
[BPF_ALU_ADD
];
249 case BPF_ALU_SUB
| BPF_X
:
250 op
= op_table
[BPF_ALU_SUB
];
253 case BPF_ALU_MUL
| BPF_X
:
254 op
= op_table
[BPF_ALU_MUL
];
257 case BPF_ALU_DIV
| BPF_X
:
258 op
= op_table
[BPF_ALU_DIV
];
261 case BPF_ALU_MOD
| BPF_X
:
262 op
= op_table
[BPF_ALU_MOD
];
265 case BPF_ALU_AND
| BPF_X
:
266 op
= op_table
[BPF_ALU_AND
];
269 case BPF_ALU_OR
| BPF_X
:
270 op
= op_table
[BPF_ALU_OR
];
273 case BPF_ALU_XOR
| BPF_X
:
274 op
= op_table
[BPF_ALU_XOR
];
277 case BPF_ALU_LSH
| BPF_X
:
278 op
= op_table
[BPF_ALU_LSH
];
281 case BPF_ALU_RSH
| BPF_X
:
282 op
= op_table
[BPF_ALU_RSH
];
285 case BPF_ALU_ADD
| BPF_K
:
286 op
= op_table
[BPF_ALU_ADD
];
289 case BPF_ALU_SUB
| BPF_K
:
290 op
= op_table
[BPF_ALU_SUB
];
293 case BPF_ALU_MUL
| BPF_K
:
294 op
= op_table
[BPF_ALU_MUL
];
297 case BPF_ALU_DIV
| BPF_K
:
298 op
= op_table
[BPF_ALU_DIV
];
301 case BPF_ALU_MOD
| BPF_K
:
302 op
= op_table
[BPF_ALU_MOD
];
305 case BPF_ALU_AND
| BPF_K
:
306 op
= op_table
[BPF_ALU_AND
];
309 case BPF_ALU_OR
| BPF_K
:
310 op
= op_table
[BPF_ALU_OR
];
313 case BPF_ALU_XOR
| BPF_K
:
314 op
= op_table
[BPF_ALU_XOR
];
317 case BPF_ALU_LSH
| BPF_K
:
318 op
= op_table
[BPF_ALU_LSH
];
321 case BPF_ALU_RSH
| BPF_K
:
322 op
= op_table
[BPF_ALU_RSH
];
326 op
= op_table
[BPF_ALU_NEG
];
330 op
= op_table
[BPF_MISC_TAX
];
334 op
= op_table
[BPF_MISC_TXA
];
339 slprintf_nocheck(operand
, sizeof(operand
), fmt
, v
);
340 slprintf_nocheck(image
, sizeof(image
),
341 (BPF_CLASS(bpf
.code
) == BPF_JMP
&&
342 BPF_OP(bpf
.code
) != BPF_JA
) ?
343 " L%d: %s %s, L%d, L%d" : " L%d: %s %s",
344 n
, op
, operand
, n
+ 1 + bpf
.jt
, n
+ 1 + bpf
.jf
);
348 void bpf_dump_all(struct sock_fprog
*bpf
)
351 for (i
= 0; i
< bpf
->len
; ++i
)
352 printf("%s\n", __bpf_dump(bpf
->filter
[i
], i
));
355 void bpf_attach_to_sock(int sock
, struct sock_fprog
*bpf
)
359 if (bpf
->filter
[0].code
== BPF_RET
&&
360 bpf
->filter
[0].k
== 0xFFFFFFFF)
363 ret
= setsockopt(sock
, SOL_SOCKET
, SO_ATTACH_FILTER
,
366 panic("Cannot attach filter to socket!\n");
369 void bpf_detach_from_sock(int sock
)
373 ret
= setsockopt(sock
, SOL_SOCKET
, SO_DETACH_FILTER
,
374 &empty
, sizeof(empty
));
376 panic("Cannot detach filter from socket!\n");
379 int enable_kernel_bpf_jit_compiler(void)
383 char *file
= "/proc/sys/net/core/bpf_jit_enable";
385 fd
= open(file
, O_WRONLY
);
389 ret
= write(fd
, "1", strlen("1"));
395 int __bpf_validate(const struct sock_fprog
*bpf
)
398 const struct sock_filter
*p
;
405 for (i
= 0; i
< bpf
->len
; ++i
) {
407 switch (BPF_CLASS(p
->code
)) {
408 /* Check that memory operations use valid addresses. */
411 switch (BPF_MODE(p
->code
)) {
417 /* There's no maximum packet data size
418 * in userland. The runtime packet length
423 if (p
->k
>= BPF_MEMWORDS
)
434 if (p
->k
>= BPF_MEMWORDS
)
438 switch (BPF_OP(p
->code
)) {
451 /* Check for constant division by 0 (undefined
454 if (BPF_RVAL(p
->code
) == BPF_K
&& p
->k
== 0)
462 /* Check that jumps are within the code block,
463 * and that unconditional branches don't go
464 * backwards as a result of an overflow.
465 * Unconditional branches have a 32-bit offset,
466 * so they could overflow; we check to make
467 * sure they don't. Conditional branches have
468 * an 8-bit offset, and the from address is <=
469 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
470 * is sufficiently small that adding 255 to it
473 * We know that len is <= BPF_MAXINSNS, and we
474 * assume that BPF_MAXINSNS is < the maximum size
475 * of a u_int, so that i + 1 doesn't overflow.
477 * For userland, we don't know that the from
478 * or len are <= BPF_MAXINSNS, but we know that
479 * from <= len, and, except on a 64-bit system,
480 * it's unlikely that len, if it truly reflects
481 * the size of the program we've been handed,
482 * will be anywhere near the maximum size of
483 * a u_int. We also don't check for backward
484 * branches, as we currently support them in
485 * userland for the protochain operation.
488 switch (BPF_OP(p
->code
)) {
490 if (from
+ p
->k
>= bpf
->len
)
497 if (from
+ p
->jt
>= bpf
->len
||
498 from
+ p
->jf
>= bpf
->len
)
512 return BPF_CLASS(bpf
->filter
[bpf
->len
- 1].code
) == BPF_RET
;
515 uint32_t bpf_run_filter(const struct sock_fprog
* fcode
, uint8_t * packet
,
518 /* XXX: caplen == len */
521 struct sock_filter
*bpf
;
522 int32_t mem
[BPF_MEMWORDS
] = { 0, };
524 if (fcode
== NULL
|| fcode
->filter
== NULL
|| fcode
->len
== 0)
537 case BPF_RET
| BPF_K
:
538 return (uint32_t) bpf
->k
;
539 case BPF_RET
| BPF_A
:
541 case BPF_LD_W
| BPF_ABS
:
542 /* No Linux extensions supported here! */
544 if (k
+ sizeof(int32_t) > plen
)
546 A
= EXTRACT_LONG(&packet
[k
]);
548 case BPF_LD_H
| BPF_ABS
:
549 /* No Linux extensions supported here! */
551 if (k
+ sizeof(short) > plen
)
553 A
= EXTRACT_SHORT(&packet
[k
]);
555 case BPF_LD_B
| BPF_ABS
:
556 /* No Linux extensions supported here! */
562 case BPF_LD_W
| BPF_LEN
:
565 case BPF_LDX_W
| BPF_LEN
:
568 case BPF_LD_W
| BPF_IND
:
570 if (k
+ sizeof(int32_t) > plen
)
572 A
= EXTRACT_LONG(&packet
[k
]);
574 case BPF_LD_H
| BPF_IND
:
576 if (k
+ sizeof(short) > plen
)
578 A
= EXTRACT_SHORT(&packet
[k
]);
580 case BPF_LD_B
| BPF_IND
:
586 case BPF_LDX_B
| BPF_MSH
:
590 X
= (packet
[bpf
->k
] & 0xf) << 2;
592 case BPF_LD
| BPF_IMM
:
595 case BPF_LDX
| BPF_IMM
:
598 case BPF_LD
| BPF_MEM
:
601 case BPF_LDX
| BPF_MEM
:
613 case BPF_JMP_JGT
| BPF_K
:
614 bpf
+= (A
> bpf
->k
) ? bpf
->jt
: bpf
->jf
;
616 case BPF_JMP_JGE
| BPF_K
:
617 bpf
+= (A
>= bpf
->k
) ? bpf
->jt
: bpf
->jf
;
619 case BPF_JMP_JEQ
| BPF_K
:
620 bpf
+= (A
== bpf
->k
) ? bpf
->jt
: bpf
->jf
;
622 case BPF_JMP_JSET
| BPF_K
:
623 bpf
+= (A
& bpf
->k
) ? bpf
->jt
: bpf
->jf
;
625 case BPF_JMP_JGT
| BPF_X
:
626 bpf
+= (A
> X
) ? bpf
->jt
: bpf
->jf
;
628 case BPF_JMP_JGE
| BPF_X
:
629 bpf
+= (A
>= X
) ? bpf
->jt
: bpf
->jf
;
631 case BPF_JMP_JEQ
| BPF_X
:
632 bpf
+= (A
== X
) ? bpf
->jt
: bpf
->jf
;
634 case BPF_JMP_JSET
| BPF_X
:
635 bpf
+= (A
& X
) ? bpf
->jt
: bpf
->jf
;
637 case BPF_ALU_ADD
| BPF_X
:
640 case BPF_ALU_SUB
| BPF_X
:
643 case BPF_ALU_MUL
| BPF_X
:
646 case BPF_ALU_DIV
| BPF_X
:
651 case BPF_ALU_MOD
| BPF_X
:
656 case BPF_ALU_AND
| BPF_X
:
659 case BPF_ALU_OR
| BPF_X
:
662 case BPF_ALU_XOR
| BPF_X
:
665 case BPF_ALU_LSH
| BPF_X
:
668 case BPF_ALU_RSH
| BPF_X
:
671 case BPF_ALU_ADD
| BPF_K
:
674 case BPF_ALU_SUB
| BPF_K
:
677 case BPF_ALU_MUL
| BPF_K
:
680 case BPF_ALU_DIV
| BPF_K
:
683 case BPF_ALU_MOD
| BPF_K
:
686 case BPF_ALU_AND
| BPF_K
:
689 case BPF_ALU_OR
| BPF_K
:
692 case BPF_ALU_XOR
| BPF_K
:
695 case BPF_ALU_LSH
| BPF_K
:
698 case BPF_ALU_RSH
| BPF_K
:
714 void bpf_parse_rules(char *rulefile
, struct sock_fprog
*bpf
, uint32_t link_type
)
718 struct sock_filter sf_single
= { 0x06, 0, 0, 0xFFFFFFFF };
721 if (rulefile
== NULL
) {
723 bpf
->filter
= xmalloc(sizeof(sf_single
));
724 fmemcpy(&bpf
->filter
[0], &sf_single
, sizeof(sf_single
));
728 fp
= fopen(rulefile
, "r");
730 bpf_try_compile(rulefile
, bpf
, link_type
);
734 fmemset(buff
, 0, sizeof(buff
));
735 while (fgets(buff
, sizeof(buff
), fp
) != NULL
) {
736 buff
[sizeof(buff
) - 1] = 0;
737 if (buff
[0] != '{') {
738 fmemset(buff
, 0, sizeof(buff
));
742 fmemset(&sf_single
, 0, sizeof(sf_single
));
743 ret
= sscanf(buff
, "{ 0x%x, %u, %u, 0x%08x },",
744 (unsigned int *) &sf_single
.code
,
745 (unsigned int *) &sf_single
.jt
,
746 (unsigned int *) &sf_single
.jf
,
747 (unsigned int *) &sf_single
.k
);
749 panic("BPF syntax error!\n");
752 bpf
->filter
= xrealloc(bpf
->filter
, 1,
753 bpf
->len
* sizeof(sf_single
));
755 fmemcpy(&bpf
->filter
[bpf
->len
- 1], &sf_single
,
757 fmemset(buff
, 0, sizeof(buff
));
762 if (__bpf_validate(bpf
) == 0)
763 panic("This is not a valid BPF program!\n");