2 * netsniff-ng - the packet sniffing beast
3 * By Daniel Borkmann <daniel@netsniff-ng.org>
4 * Copyright 2009, 2010 Daniel Borkmann.
5 * Copyright 2009, 2010 Emmanuel Roullit.
6 * Copyright 1990-1996 The Regents of the University of
7 * California. All rights reserved. (3-clause BSD license)
8 * Subject to the GPL, version 2.
14 #include <arpa/inet.h>
21 /* This is a bug in libpcap, they actually use 'unsigned long' instead
23 #define EXTRACT_SHORT(packet) \
24 ((unsigned short) ntohs(*(unsigned short *) packet))
25 #define EXTRACT_LONG(packet) \
26 (ntohl(*(unsigned long *) packet))
28 # define BPF_MEMWORDS 16
31 static char *bpf_dump(const struct sock_filter bpf
, int n
)
35 static char image
[256];
53 case BPF_LD
| BPF_W
| BPF_ABS
:
57 case BPF_LD
| BPF_H
| BPF_ABS
:
61 case BPF_LD
| BPF_B
| BPF_ABS
:
65 case BPF_LD
| BPF_W
| BPF_LEN
:
69 case BPF_LD
| BPF_W
| BPF_IND
:
73 case BPF_LD
| BPF_H
| BPF_IND
:
77 case BPF_LD
| BPF_B
| BPF_IND
:
81 case BPF_LD
| BPF_IMM
:
85 case BPF_LDX
| BPF_IMM
:
89 case BPF_LDX
| BPF_MSH
| BPF_B
:
93 case BPF_LD
| BPF_MEM
:
97 case BPF_LDX
| BPF_MEM
:
109 case BPF_JMP
| BPF_JA
:
114 case BPF_JMP
| BPF_JGT
| BPF_K
:
118 case BPF_JMP
| BPF_JGE
| BPF_K
:
122 case BPF_JMP
| BPF_JEQ
| BPF_K
:
126 case BPF_JMP
| BPF_JSET
| BPF_K
:
130 case BPF_JMP
| BPF_JGT
| BPF_X
:
134 case BPF_JMP
| BPF_JGE
| BPF_X
:
138 case BPF_JMP
| BPF_JEQ
| BPF_X
:
142 case BPF_JMP
| BPF_JSET
| BPF_X
:
146 case BPF_ALU
| BPF_ADD
| BPF_X
:
150 case BPF_ALU
| BPF_SUB
| BPF_X
:
154 case BPF_ALU
| BPF_MUL
| BPF_X
:
158 case BPF_ALU
| BPF_DIV
| BPF_X
:
162 case BPF_ALU
| BPF_AND
| BPF_X
:
166 case BPF_ALU
| BPF_OR
| BPF_X
:
170 case BPF_ALU
| BPF_LSH
| BPF_X
:
174 case BPF_ALU
| BPF_RSH
| BPF_X
:
178 case BPF_ALU
| BPF_ADD
| BPF_K
:
182 case BPF_ALU
| BPF_SUB
| BPF_K
:
186 case BPF_ALU
| BPF_MUL
| BPF_K
:
190 case BPF_ALU
| BPF_DIV
| BPF_K
:
194 case BPF_ALU
| BPF_AND
| BPF_K
:
198 case BPF_ALU
| BPF_OR
| BPF_K
:
202 case BPF_ALU
| BPF_LSH
| BPF_K
:
206 case BPF_ALU
| BPF_RSH
| BPF_K
:
210 case BPF_ALU
| BPF_NEG
:
214 case BPF_MISC
| BPF_TAX
:
218 case BPF_MISC
| BPF_TXA
:
224 slprintf(operand
, sizeof(operand
), fmt
, v
);
225 slprintf(image
, sizeof(image
),
226 (BPF_CLASS(bpf
.code
) == BPF_JMP
&&
227 BPF_OP(bpf
.code
) != BPF_JA
) ?
228 "(%03d) %-8s %-16s jt %d\tjf %d" : "(%03d) %-8s %s",
229 n
, op
, operand
, n
+ 1 + bpf
.jt
, n
+ 1 + bpf
.jf
);
234 void bpf_dump_all(struct sock_fprog
*bpf
)
237 for (i
= 0; i
< bpf
->len
; ++i
)
238 printf("%s\n", bpf_dump(bpf
->filter
[i
], i
));
241 void bpf_attach_to_sock(int sock
, struct sock_fprog
*bpf
)
244 if (bpf
->filter
[0].code
== BPF_RET
&&
245 bpf
->filter
[0].k
== 0xFFFFFFFF)
248 int ret
= setsockopt(sock
, SOL_SOCKET
, SO_ATTACH_FILTER
, bpf
,
251 panic("Cannot attach filter to socket!\n");
254 void bpf_detach_from_sock(int sock
)
258 ret
= setsockopt(sock
, SOL_SOCKET
, SO_DETACH_FILTER
, &empty
,
261 panic("Cannot detach filter from socket!\n");
264 void enable_kernel_bpf_jit_compiler(void)
268 char *file
= "/proc/sys/net/core/bpf_jit_enable";
270 fd
= open(file
, O_WRONLY
);
274 ret
= write(fd
, "1", strlen("1"));
281 int bpf_validate(const struct sock_fprog
*bpf
)
284 const struct sock_filter
*p
;
291 for (i
= 0; i
< bpf
->len
; ++i
) {
293 switch (BPF_CLASS(p
->code
)) {
295 * Check that memory operations use valid addresses.
299 switch (BPF_MODE(p
->code
)) {
306 * There's no maximum packet data size
307 * in userland. The runtime packet length
312 if (p
->k
>= BPF_MEMWORDS
)
323 if (p
->k
>= BPF_MEMWORDS
)
327 switch (BPF_OP(p
->code
)) {
339 * Check for constant division by 0.
341 if (BPF_RVAL(p
->code
) == BPF_K
&& p
->k
== 0)
350 * Check that jumps are within the code block,
351 * and that unconditional branches don't go
352 * backwards as a result of an overflow.
353 * Unconditional branches have a 32-bit offset,
354 * so they could overflow; we check to make
355 * sure they don't. Conditional branches have
356 * an 8-bit offset, and the from address is <=
357 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
358 * is sufficiently small that adding 255 to it
361 * We know that len is <= BPF_MAXINSNS, and we
362 * assume that BPF_MAXINSNS is < the maximum size
363 * of a u_int, so that i + 1 doesn't overflow.
365 * For userland, we don't know that the from
366 * or len are <= BPF_MAXINSNS, but we know that
367 * from <= len, and, except on a 64-bit system,
368 * it's unlikely that len, if it truly reflects
369 * the size of the program we've been handed,
370 * will be anywhere near the maximum size of
371 * a u_int. We also don't check for backward
372 * branches, as we currently support them in
373 * userland for the protochain operation.
376 switch (BPF_OP(p
->code
)) {
378 if (from
+ p
->k
>= bpf
->len
)
385 if (from
+ p
->jt
>= bpf
->len
||
386 from
+ p
->jf
>= bpf
->len
)
402 return BPF_CLASS(bpf
->filter
[bpf
->len
- 1].code
) == BPF_RET
;
405 uint32_t bpf_run_filter(const struct sock_fprog
* fcode
, uint8_t * packet
,
408 /* XXX: caplen == len */
411 struct sock_filter
*bpf
;
412 int32_t mem
[BPF_MEMWORDS
];
414 if (fcode
== NULL
|| fcode
->filter
== NULL
|| fcode
->len
== 0)
429 case BPF_RET
| BPF_K
:
430 return (uint32_t) bpf
->k
;
431 case BPF_RET
| BPF_A
:
433 case BPF_LD
| BPF_W
| BPF_ABS
:
435 if (k
+ sizeof(int32_t) > plen
)
437 A
= EXTRACT_LONG(&packet
[k
]);
439 case BPF_LD
| BPF_H
| BPF_ABS
:
441 if (k
+ sizeof(short) > plen
)
443 A
= EXTRACT_SHORT(&packet
[k
]);
445 case BPF_LD
| BPF_B
| BPF_ABS
:
451 case BPF_LD
| BPF_W
| BPF_LEN
:
454 case BPF_LDX
| BPF_W
| BPF_LEN
:
457 case BPF_LD
| BPF_W
| BPF_IND
:
459 if (k
+ sizeof(int32_t) > plen
)
461 A
= EXTRACT_LONG(&packet
[k
]);
463 case BPF_LD
| BPF_H
| BPF_IND
:
465 if (k
+ sizeof(short) > plen
)
467 A
= EXTRACT_SHORT(&packet
[k
]);
469 case BPF_LD
| BPF_B
| BPF_IND
:
475 case BPF_LDX
| BPF_MSH
| BPF_B
:
479 X
= (packet
[bpf
->k
] & 0xf) << 2;
481 case BPF_LD
| BPF_IMM
:
484 case BPF_LDX
| BPF_IMM
:
487 case BPF_LD
| BPF_MEM
:
490 case BPF_LDX
| BPF_MEM
:
499 case BPF_JMP
| BPF_JA
:
502 case BPF_JMP
| BPF_JGT
| BPF_K
:
503 bpf
+= (A
> bpf
->k
) ? bpf
->jt
: bpf
->jf
;
505 case BPF_JMP
| BPF_JGE
| BPF_K
:
506 bpf
+= (A
>= bpf
->k
) ? bpf
->jt
: bpf
->jf
;
508 case BPF_JMP
| BPF_JEQ
| BPF_K
:
509 bpf
+= (A
== bpf
->k
) ? bpf
->jt
: bpf
->jf
;
511 case BPF_JMP
| BPF_JSET
| BPF_K
:
512 bpf
+= (A
& bpf
->k
) ? bpf
->jt
: bpf
->jf
;
514 case BPF_JMP
| BPF_JGT
| BPF_X
:
515 bpf
+= (A
> X
) ? bpf
->jt
: bpf
->jf
;
517 case BPF_JMP
| BPF_JGE
| BPF_X
:
518 bpf
+= (A
>= X
) ? bpf
->jt
: bpf
->jf
;
520 case BPF_JMP
| BPF_JEQ
| BPF_X
:
521 bpf
+= (A
== X
) ? bpf
->jt
: bpf
->jf
;
523 case BPF_JMP
| BPF_JSET
| BPF_X
:
524 bpf
+= (A
& X
) ? bpf
->jt
: bpf
->jf
;
526 case BPF_ALU
| BPF_ADD
| BPF_X
:
529 case BPF_ALU
| BPF_SUB
| BPF_X
:
532 case BPF_ALU
| BPF_MUL
| BPF_X
:
535 case BPF_ALU
| BPF_DIV
| BPF_X
:
540 case BPF_ALU
| BPF_AND
| BPF_X
:
543 case BPF_ALU
| BPF_OR
| BPF_X
:
546 case BPF_ALU
| BPF_LSH
| BPF_X
:
549 case BPF_ALU
| BPF_RSH
| BPF_X
:
552 case BPF_ALU
| BPF_ADD
| BPF_K
:
555 case BPF_ALU
| BPF_SUB
| BPF_K
:
558 case BPF_ALU
| BPF_MUL
| BPF_K
:
561 case BPF_ALU
| BPF_DIV
| BPF_K
:
564 case BPF_ALU
| BPF_AND
| BPF_K
:
567 case BPF_ALU
| BPF_OR
| BPF_K
:
570 case BPF_ALU
| BPF_LSH
| BPF_K
:
573 case BPF_ALU
| BPF_RSH
| BPF_K
:
576 case BPF_ALU
| BPF_NEG
:
579 case BPF_MISC
| BPF_TAX
:
582 case BPF_MISC
| BPF_TXA
:
589 void bpf_parse_rules(char *rulefile
, struct sock_fprog
*bpf
)
593 struct sock_filter sf_single
= { 0x06, 0, 0, 0xFFFFFFFF };
596 if (rulefile
== NULL
) {
598 bpf
->filter
= xmalloc(sizeof(sf_single
));
599 fmemcpy(&bpf
->filter
[0], &sf_single
, sizeof(sf_single
));
603 fp
= fopen(rulefile
, "r");
605 panic("Cannot read BPF rule file!\n");
607 fmemset(buff
, 0, sizeof(buff
));
608 while (fgets(buff
, sizeof(buff
), fp
) != NULL
) {
609 buff
[sizeof(buff
) - 1] = 0;
610 if (buff
[0] != '{') {
611 fmemset(buff
, 0, sizeof(buff
));
615 fmemset(&sf_single
, 0, sizeof(sf_single
));
616 ret
= sscanf(buff
, "{ 0x%x, %u, %u, 0x%08x },",
617 (unsigned int *) &sf_single
.code
,
618 (unsigned int *) &sf_single
.jt
,
619 (unsigned int *) &sf_single
.jf
,
620 (unsigned int *) &sf_single
.k
);
622 panic("BPF syntax error!\n");
624 bpf
->filter
= xrealloc(bpf
->filter
, 1,
625 bpf
->len
* sizeof(sf_single
));
626 fmemcpy(&bpf
->filter
[bpf
->len
- 1], &sf_single
,
629 fmemset(buff
, 0, sizeof(buff
));
633 if (bpf_validate(bpf
) == 0)
634 panic("This is not a valid BPF program!\n");