2 * netsniff-ng - the packet sniffing beast
3 * Copyright 2009 - 2012 Daniel Borkmann.
4 * Copyright 2009, 2010 Emmanuel Roullit.
5 * Copyright 1990-1996 The Regents of the University of
6 * California. All rights reserved. (3-clause BSD license)
7 * Subject to the GPL, version 2.
13 #include <arpa/inet.h>
14 #include <sys/types.h>
24 #define EXTRACT_SHORT(packet) \
25 ((unsigned short) ntohs(*(unsigned short *) packet))
26 #define EXTRACT_LONG(packet) \
27 (ntohl(*(unsigned long *) packet))
30 # define BPF_MEMWORDS 16
33 #define BPF_LD_B (BPF_LD | BPF_B)
34 #define BPF_LD_H (BPF_LD | BPF_H)
35 #define BPF_LD_W (BPF_LD | BPF_W)
36 #define BPF_LDX_B (BPF_LDX | BPF_B)
37 #define BPF_LDX_W (BPF_LDX | BPF_W)
38 #define BPF_JMP_JA (BPF_JMP | BPF_JA)
39 #define BPF_JMP_JEQ (BPF_JMP | BPF_JEQ)
40 #define BPF_JMP_JGT (BPF_JMP | BPF_JGT)
41 #define BPF_JMP_JGE (BPF_JMP | BPF_JGE)
42 #define BPF_JMP_JSET (BPF_JMP | BPF_JSET)
43 #define BPF_ALU_ADD (BPF_ALU | BPF_ADD)
44 #define BPF_ALU_SUB (BPF_ALU | BPF_SUB)
45 #define BPF_ALU_MUL (BPF_ALU | BPF_MUL)
46 #define BPF_ALU_DIV (BPF_ALU | BPF_DIV)
47 #define BPF_ALU_MOD (BPF_ALU | BPF_MOD)
48 #define BPF_ALU_NEG (BPF_ALU | BPF_NEG)
49 #define BPF_ALU_AND (BPF_ALU | BPF_AND)
50 #define BPF_ALU_OR (BPF_ALU | BPF_OR)
51 #define BPF_ALU_XOR (BPF_ALU | BPF_XOR)
52 #define BPF_ALU_LSH (BPF_ALU | BPF_LSH)
53 #define BPF_ALU_RSH (BPF_ALU | BPF_RSH)
54 #define BPF_MISC_TAX (BPF_MISC | BPF_TAX)
55 #define BPF_MISC_TXA (BPF_MISC | BPF_TXA)
57 static const char *op_table
[] = {
66 [BPF_JMP_JEQ
] = "jeq",
67 [BPF_JMP_JGT
] = "jgt",
68 [BPF_JMP_JGE
] = "jge",
69 [BPF_JMP_JSET
] = "jset",
70 [BPF_ALU_ADD
] = "add",
71 [BPF_ALU_SUB
] = "sub",
72 [BPF_ALU_MUL
] = "mul",
73 [BPF_ALU_DIV
] = "div",
74 [BPF_ALU_MOD
] = "mod",
75 [BPF_ALU_NEG
] = "neg",
76 [BPF_ALU_AND
] = "and",
78 [BPF_ALU_XOR
] = "xor",
79 [BPF_ALU_LSH
] = "lsh",
80 [BPF_ALU_RSH
] = "rsh",
82 [BPF_MISC_TAX
] = "tax",
83 [BPF_MISC_TXA
] = "txa",
86 void bpf_dump_op_table(void)
89 for (i
= 0; i
< array_size(op_table
); ++i
) {
91 printf("%s\n", op_table
[i
]);
95 static const char *bpf_dump_linux_k(uint32_t k
)
100 case SKF_AD_OFF
+ SKF_AD_PROTOCOL
:
102 case SKF_AD_OFF
+ SKF_AD_PKTTYPE
:
104 case SKF_AD_OFF
+ SKF_AD_IFINDEX
:
106 case SKF_AD_OFF
+ SKF_AD_NLATTR
:
108 case SKF_AD_OFF
+ SKF_AD_NLATTR_NEST
:
110 case SKF_AD_OFF
+ SKF_AD_MARK
:
112 case SKF_AD_OFF
+ SKF_AD_QUEUE
:
114 case SKF_AD_OFF
+ SKF_AD_HATYPE
:
116 case SKF_AD_OFF
+ SKF_AD_RXHASH
:
118 case SKF_AD_OFF
+ SKF_AD_CPU
:
120 case SKF_AD_OFF
+ SKF_AD_VLAN_TAG
:
122 case SKF_AD_OFF
+ SKF_AD_VLAN_TAG_PRESENT
:
124 case SKF_AD_OFF
+ SKF_AD_PAY_OFFSET
:
129 static char *__bpf_dump(const struct sock_filter bpf
, int n
)
132 const char *fmt
, *op
;
133 static char image
[256];
143 case BPF_RET
| BPF_K
:
144 op
= op_table
[BPF_RET
];
147 case BPF_RET
| BPF_A
:
148 op
= op_table
[BPF_RET
];
151 case BPF_RET
| BPF_X
:
152 op
= op_table
[BPF_RET
];
155 case BPF_LD_W
| BPF_ABS
:
156 op
= op_table
[BPF_LD_W
];
157 fmt
= bpf_dump_linux_k(bpf
.k
);
159 case BPF_LD_H
| BPF_ABS
:
160 op
= op_table
[BPF_LD_H
];
161 fmt
= bpf_dump_linux_k(bpf
.k
);
163 case BPF_LD_B
| BPF_ABS
:
164 op
= op_table
[BPF_LD_B
];
165 fmt
= bpf_dump_linux_k(bpf
.k
);
167 case BPF_LD_W
| BPF_LEN
:
168 op
= op_table
[BPF_LD_W
];
171 case BPF_LD_W
| BPF_IND
:
172 op
= op_table
[BPF_LD_W
];
175 case BPF_LD_H
| BPF_IND
:
176 op
= op_table
[BPF_LD_H
];
179 case BPF_LD_B
| BPF_IND
:
180 op
= op_table
[BPF_LD_B
];
183 case BPF_LD
| BPF_IMM
:
184 op
= op_table
[BPF_LD_W
];
187 case BPF_LDX
| BPF_IMM
:
188 op
= op_table
[BPF_LDX
];
191 case BPF_LDX_B
| BPF_MSH
:
192 op
= op_table
[BPF_LDX_B
];
193 fmt
= "4*([%d]&0xf)";
195 case BPF_LD
| BPF_MEM
:
196 op
= op_table
[BPF_LD_W
];
199 case BPF_LDX
| BPF_MEM
:
200 op
= op_table
[BPF_LDX
];
204 op
= op_table
[BPF_ST
];
208 op
= op_table
[BPF_STX
];
212 op
= op_table
[BPF_JMP_JA
];
216 case BPF_JMP_JGT
| BPF_K
:
217 op
= op_table
[BPF_JMP_JGT
];
220 case BPF_JMP_JGE
| BPF_K
:
221 op
= op_table
[BPF_JMP_JGE
];
224 case BPF_JMP_JEQ
| BPF_K
:
225 op
= op_table
[BPF_JMP_JEQ
];
228 case BPF_JMP_JSET
| BPF_K
:
229 op
= op_table
[BPF_JMP_JSET
];
232 case BPF_JMP_JGT
| BPF_X
:
233 op
= op_table
[BPF_JMP_JGT
];
236 case BPF_JMP_JGE
| BPF_X
:
237 op
= op_table
[BPF_JMP_JGE
];
240 case BPF_JMP_JEQ
| BPF_X
:
241 op
= op_table
[BPF_JMP_JEQ
];
244 case BPF_JMP_JSET
| BPF_X
:
245 op
= op_table
[BPF_JMP_JSET
];
248 case BPF_ALU_ADD
| BPF_X
:
249 op
= op_table
[BPF_ALU_ADD
];
252 case BPF_ALU_SUB
| BPF_X
:
253 op
= op_table
[BPF_ALU_SUB
];
256 case BPF_ALU_MUL
| BPF_X
:
257 op
= op_table
[BPF_ALU_MUL
];
260 case BPF_ALU_DIV
| BPF_X
:
261 op
= op_table
[BPF_ALU_DIV
];
264 case BPF_ALU_MOD
| BPF_X
:
265 op
= op_table
[BPF_ALU_MOD
];
268 case BPF_ALU_AND
| BPF_X
:
269 op
= op_table
[BPF_ALU_AND
];
272 case BPF_ALU_OR
| BPF_X
:
273 op
= op_table
[BPF_ALU_OR
];
276 case BPF_ALU_XOR
| BPF_X
:
277 op
= op_table
[BPF_ALU_XOR
];
280 case BPF_ALU_LSH
| BPF_X
:
281 op
= op_table
[BPF_ALU_LSH
];
284 case BPF_ALU_RSH
| BPF_X
:
285 op
= op_table
[BPF_ALU_RSH
];
288 case BPF_ALU_ADD
| BPF_K
:
289 op
= op_table
[BPF_ALU_ADD
];
292 case BPF_ALU_SUB
| BPF_K
:
293 op
= op_table
[BPF_ALU_SUB
];
296 case BPF_ALU_MUL
| BPF_K
:
297 op
= op_table
[BPF_ALU_MUL
];
300 case BPF_ALU_DIV
| BPF_K
:
301 op
= op_table
[BPF_ALU_DIV
];
304 case BPF_ALU_MOD
| BPF_K
:
305 op
= op_table
[BPF_ALU_MOD
];
308 case BPF_ALU_AND
| BPF_K
:
309 op
= op_table
[BPF_ALU_AND
];
312 case BPF_ALU_OR
| BPF_K
:
313 op
= op_table
[BPF_ALU_OR
];
316 case BPF_ALU_XOR
| BPF_K
:
317 op
= op_table
[BPF_ALU_XOR
];
320 case BPF_ALU_LSH
| BPF_K
:
321 op
= op_table
[BPF_ALU_LSH
];
324 case BPF_ALU_RSH
| BPF_K
:
325 op
= op_table
[BPF_ALU_RSH
];
329 op
= op_table
[BPF_ALU_NEG
];
333 op
= op_table
[BPF_MISC_TAX
];
337 op
= op_table
[BPF_MISC_TXA
];
342 slprintf_nocheck(operand
, sizeof(operand
), fmt
, v
);
343 slprintf_nocheck(image
, sizeof(image
),
344 (BPF_CLASS(bpf
.code
) == BPF_JMP
&&
345 BPF_OP(bpf
.code
) != BPF_JA
) ?
346 " L%d: %s %s, L%d, L%d" : " L%d: %s %s",
347 n
, op
, operand
, n
+ 1 + bpf
.jt
, n
+ 1 + bpf
.jf
);
351 void bpf_dump_all(struct sock_fprog
*bpf
)
355 for (i
= 0; i
< bpf
->len
; ++i
)
356 printf("%s\n", __bpf_dump(bpf
->filter
[i
], i
));
359 void bpf_attach_to_sock(int sock
, struct sock_fprog
*bpf
)
363 if (bpf
->filter
[0].code
== BPF_RET
&&
364 bpf
->filter
[0].k
== 0xFFFFFFFF)
367 ret
= setsockopt(sock
, SOL_SOCKET
, SO_ATTACH_FILTER
,
369 if (unlikely(ret
< 0))
370 panic("Cannot attach filter to socket!\n");
373 void bpf_detach_from_sock(int sock
)
377 ret
= setsockopt(sock
, SOL_SOCKET
, SO_DETACH_FILTER
,
378 &empty
, sizeof(empty
));
379 if (unlikely(ret
< 0))
380 panic("Cannot detach filter from socket!\n");
383 int enable_kernel_bpf_jit_compiler(void)
385 return sysctl_set_int("net/core/bpf_jit_enable", 1);
388 int __bpf_validate(const struct sock_fprog
*bpf
)
391 const struct sock_filter
*p
;
398 for (i
= 0; i
< bpf
->len
; ++i
) {
400 switch (BPF_CLASS(p
->code
)) {
401 /* Check that memory operations use valid addresses. */
404 switch (BPF_MODE(p
->code
)) {
410 /* There's no maximum packet data size
411 * in userland. The runtime packet length
416 if (p
->k
>= BPF_MEMWORDS
)
427 if (p
->k
>= BPF_MEMWORDS
)
431 switch (BPF_OP(p
->code
)) {
444 /* Check for constant division by 0 (undefined
447 if (BPF_RVAL(p
->code
) == BPF_K
&& p
->k
== 0)
455 /* Check that jumps are within the code block,
456 * and that unconditional branches don't go
457 * backwards as a result of an overflow.
458 * Unconditional branches have a 32-bit offset,
459 * so they could overflow; we check to make
460 * sure they don't. Conditional branches have
461 * an 8-bit offset, and the from address is <=
462 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
463 * is sufficiently small that adding 255 to it
466 * We know that len is <= BPF_MAXINSNS, and we
467 * assume that BPF_MAXINSNS is < the maximum size
468 * of a u_int, so that i + 1 doesn't overflow.
470 * For userland, we don't know that the from
471 * or len are <= BPF_MAXINSNS, but we know that
472 * from <= len, and, except on a 64-bit system,
473 * it's unlikely that len, if it truly reflects
474 * the size of the program we've been handed,
475 * will be anywhere near the maximum size of
476 * a u_int. We also don't check for backward
477 * branches, as we currently support them in
478 * userland for the protochain operation.
481 switch (BPF_OP(p
->code
)) {
483 if (from
+ p
->k
>= bpf
->len
)
490 if (from
+ p
->jt
>= bpf
->len
||
491 from
+ p
->jf
>= bpf
->len
)
505 return BPF_CLASS(bpf
->filter
[bpf
->len
- 1].code
) == BPF_RET
;
508 uint32_t bpf_run_filter(const struct sock_fprog
* fcode
, uint8_t * packet
,
511 /* XXX: caplen == len */
514 struct sock_filter
*bpf
;
515 int32_t mem
[BPF_MEMWORDS
] = { 0, };
517 if (fcode
== NULL
|| fcode
->filter
== NULL
|| fcode
->len
== 0)
530 case BPF_RET
| BPF_K
:
531 return (uint32_t) bpf
->k
;
532 case BPF_RET
| BPF_A
:
534 case BPF_LD_W
| BPF_ABS
:
535 /* No Linux extensions supported here! */
537 if (k
+ sizeof(int32_t) > plen
)
539 A
= EXTRACT_LONG(&packet
[k
]);
541 case BPF_LD_H
| BPF_ABS
:
542 /* No Linux extensions supported here! */
544 if (k
+ sizeof(short) > plen
)
546 A
= EXTRACT_SHORT(&packet
[k
]);
548 case BPF_LD_B
| BPF_ABS
:
549 /* No Linux extensions supported here! */
555 case BPF_LD_W
| BPF_LEN
:
558 case BPF_LDX_W
| BPF_LEN
:
561 case BPF_LD_W
| BPF_IND
:
563 if (k
+ sizeof(int32_t) > plen
)
565 A
= EXTRACT_LONG(&packet
[k
]);
567 case BPF_LD_H
| BPF_IND
:
569 if (k
+ sizeof(short) > plen
)
571 A
= EXTRACT_SHORT(&packet
[k
]);
573 case BPF_LD_B
| BPF_IND
:
579 case BPF_LDX_B
| BPF_MSH
:
583 X
= (packet
[bpf
->k
] & 0xf) << 2;
585 case BPF_LD
| BPF_IMM
:
588 case BPF_LDX
| BPF_IMM
:
591 case BPF_LD
| BPF_MEM
:
594 case BPF_LDX
| BPF_MEM
:
606 case BPF_JMP_JGT
| BPF_K
:
607 bpf
+= (A
> bpf
->k
) ? bpf
->jt
: bpf
->jf
;
609 case BPF_JMP_JGE
| BPF_K
:
610 bpf
+= (A
>= bpf
->k
) ? bpf
->jt
: bpf
->jf
;
612 case BPF_JMP_JEQ
| BPF_K
:
613 bpf
+= (A
== bpf
->k
) ? bpf
->jt
: bpf
->jf
;
615 case BPF_JMP_JSET
| BPF_K
:
616 bpf
+= (A
& bpf
->k
) ? bpf
->jt
: bpf
->jf
;
618 case BPF_JMP_JGT
| BPF_X
:
619 bpf
+= (A
> X
) ? bpf
->jt
: bpf
->jf
;
621 case BPF_JMP_JGE
| BPF_X
:
622 bpf
+= (A
>= X
) ? bpf
->jt
: bpf
->jf
;
624 case BPF_JMP_JEQ
| BPF_X
:
625 bpf
+= (A
== X
) ? bpf
->jt
: bpf
->jf
;
627 case BPF_JMP_JSET
| BPF_X
:
628 bpf
+= (A
& X
) ? bpf
->jt
: bpf
->jf
;
630 case BPF_ALU_ADD
| BPF_X
:
633 case BPF_ALU_SUB
| BPF_X
:
636 case BPF_ALU_MUL
| BPF_X
:
639 case BPF_ALU_DIV
| BPF_X
:
644 case BPF_ALU_MOD
| BPF_X
:
649 case BPF_ALU_AND
| BPF_X
:
652 case BPF_ALU_OR
| BPF_X
:
655 case BPF_ALU_XOR
| BPF_X
:
658 case BPF_ALU_LSH
| BPF_X
:
661 case BPF_ALU_RSH
| BPF_X
:
664 case BPF_ALU_ADD
| BPF_K
:
667 case BPF_ALU_SUB
| BPF_K
:
670 case BPF_ALU_MUL
| BPF_K
:
673 case BPF_ALU_DIV
| BPF_K
:
676 case BPF_ALU_MOD
| BPF_K
:
679 case BPF_ALU_AND
| BPF_K
:
682 case BPF_ALU_OR
| BPF_K
:
685 case BPF_ALU_XOR
| BPF_K
:
688 case BPF_ALU_LSH
| BPF_K
:
691 case BPF_ALU_RSH
| BPF_K
:
707 void bpf_parse_rules(char *rulefile
, struct sock_fprog
*bpf
, uint32_t link_type
)
711 struct sock_filter sf_single
= { 0x06, 0, 0, 0xFFFFFFFF };
714 memset(bpf
, 0, sizeof(*bpf
));
716 if (rulefile
== NULL
) {
718 bpf
->filter
= xmalloc(sizeof(sf_single
));
720 memcpy(&bpf
->filter
[0], &sf_single
, sizeof(sf_single
));
724 if (!strcmp(rulefile
, "-"))
727 fp
= fopen(rulefile
, "r");
730 bpf_try_compile(rulefile
, bpf
, link_type
);
734 memset(buff
, 0, sizeof(buff
));
735 while (fgets(buff
, sizeof(buff
), fp
) != NULL
) {
736 buff
[sizeof(buff
) - 1] = 0;
738 if (buff
[0] != '{') {
739 memset(buff
, 0, sizeof(buff
));
743 memset(&sf_single
, 0, sizeof(sf_single
));
744 ret
= sscanf(buff
, "{ 0x%x, %u, %u, 0x%08x },",
745 (unsigned int *) &sf_single
.code
,
746 (unsigned int *) &sf_single
.jt
,
747 (unsigned int *) &sf_single
.jf
,
748 (unsigned int *) &sf_single
.k
);
749 if (unlikely(ret
!= 4))
750 panic("BPF syntax error!\n");
753 bpf
->filter
= xrealloc(bpf
->filter
,
754 bpf
->len
* sizeof(sf_single
));
756 memcpy(&bpf
->filter
[bpf
->len
- 1], &sf_single
,
758 memset(buff
, 0, sizeof(buff
));
764 if (unlikely(__bpf_validate(bpf
) == 0))
765 panic("This is not a valid BPF program!\n");