2 * netsniff-ng - the packet sniffing beast
3 * By Daniel Borkmann <daniel@netsniff-ng.org>
4 * Copyright 2009, 2010 Daniel Borkmann.
5 * Copyright 2009, 2010 Emmanuel Roullit.
6 * Subject to the GPL, version 2.
10 * Copyright (c) 1990, 1991, 1992, 1994, 1995, 1996
11 * The Regents of the University of California. All rights reserved.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that: (1) source code distributions
15 * retain the above copyright notice and this paragraph in its entirety, (2)
16 * distributions including binary code include the above copyright notice and
17 * this paragraph in its entirety in the documentation or other materials
18 * provided with the distribution, and (3) all advertising materials mentioning
19 * features or use of this software display the following acknowledgement:
20 * ``This product includes software developed by the University of California,
21 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
22 * the University nor the names of its contributors may be used to endorse
23 * or promote products derived from this software without specific prior
25 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
26 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
27 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
33 #include <arpa/inet.h>
40 /* This is a bug in libpcap, they actually use 'unsigned long' instead
42 #define EXTRACT_SHORT(packet) \
43 ((unsigned short) ntohs(*(unsigned short *) packet))
44 #define EXTRACT_LONG(packet) \
45 (ntohl(*(unsigned long *) packet))
48 * Number of scratch memory words for: BPF_ST and BPF_STX
51 # define BPF_MEMWORDS 16
52 #endif /* BPF_MEMWORDS */
54 static char *bpf_dump(const struct sock_filter bpf
, int n
)
58 static char image
[256];
80 case BPF_LD
| BPF_W
| BPF_ABS
:
85 case BPF_LD
| BPF_H
| BPF_ABS
:
90 case BPF_LD
| BPF_B
| BPF_ABS
:
95 case BPF_LD
| BPF_W
| BPF_LEN
:
100 case BPF_LD
| BPF_W
| BPF_IND
:
105 case BPF_LD
| BPF_H
| BPF_IND
:
110 case BPF_LD
| BPF_B
| BPF_IND
:
115 case BPF_LD
| BPF_IMM
:
120 case BPF_LDX
| BPF_IMM
:
125 case BPF_LDX
| BPF_MSH
| BPF_B
:
127 fmt
= "4*([%d]&0xf)";
130 case BPF_LD
| BPF_MEM
:
135 case BPF_LDX
| BPF_MEM
:
150 case BPF_JMP
| BPF_JA
:
156 case BPF_JMP
| BPF_JGT
| BPF_K
:
161 case BPF_JMP
| BPF_JGE
| BPF_K
:
166 case BPF_JMP
| BPF_JEQ
| BPF_K
:
171 case BPF_JMP
| BPF_JSET
| BPF_K
:
176 case BPF_JMP
| BPF_JGT
| BPF_X
:
181 case BPF_JMP
| BPF_JGE
| BPF_X
:
186 case BPF_JMP
| BPF_JEQ
| BPF_X
:
191 case BPF_JMP
| BPF_JSET
| BPF_X
:
196 case BPF_ALU
| BPF_ADD
| BPF_X
:
201 case BPF_ALU
| BPF_SUB
| BPF_X
:
206 case BPF_ALU
| BPF_MUL
| BPF_X
:
211 case BPF_ALU
| BPF_DIV
| BPF_X
:
216 case BPF_ALU
| BPF_AND
| BPF_X
:
221 case BPF_ALU
| BPF_OR
| BPF_X
:
226 case BPF_ALU
| BPF_LSH
| BPF_X
:
231 case BPF_ALU
| BPF_RSH
| BPF_X
:
236 case BPF_ALU
| BPF_ADD
| BPF_K
:
241 case BPF_ALU
| BPF_SUB
| BPF_K
:
246 case BPF_ALU
| BPF_MUL
| BPF_K
:
251 case BPF_ALU
| BPF_DIV
| BPF_K
:
256 case BPF_ALU
| BPF_AND
| BPF_K
:
261 case BPF_ALU
| BPF_OR
| BPF_K
:
266 case BPF_ALU
| BPF_LSH
| BPF_K
:
271 case BPF_ALU
| BPF_RSH
| BPF_K
:
276 case BPF_ALU
| BPF_NEG
:
281 case BPF_MISC
| BPF_TAX
:
286 case BPF_MISC
| BPF_TXA
:
292 /* XXX: Tell gcc that this here is okay for us */
293 slprintf(operand
, sizeof(operand
), fmt
, v
);
294 slprintf(image
, sizeof(image
),
295 (BPF_CLASS(bpf
.code
) == BPF_JMP
&&
296 BPF_OP(bpf
.code
) != BPF_JA
) ?
297 "(%03d) %-8s %-16s jt %d\tjf %d" : "(%03d) %-8s %s",
298 n
, op
, operand
, n
+ 1 + bpf
.jt
, n
+ 1 + bpf
.jf
);
302 void bpf_dump_all(struct sock_fprog
*bpf
)
305 for (i
= 0; i
< bpf
->len
; ++i
)
306 printf("%s\n", bpf_dump(bpf
->filter
[i
], i
));
309 void bpf_attach_to_sock(int sock
, struct sock_fprog
*bpf
)
311 int ret
= setsockopt(sock
, SOL_SOCKET
, SO_ATTACH_FILTER
, bpf
,
314 panic("Cannot attach filter to socket!\n");
317 void bpf_detach_from_sock(int sock
)
320 ret
= setsockopt(sock
, SOL_SOCKET
, SO_DETACH_FILTER
, &empty
,
323 panic("Cannot detach filter from socket!\n");
326 int bpf_validate(const struct sock_fprog
*bpf
)
329 const struct sock_filter
*p
;
336 for (i
= 0; i
< bpf
->len
; ++i
) {
338 switch (BPF_CLASS(p
->code
)) {
340 * Check that memory operations use valid addresses.
344 switch (BPF_MODE(p
->code
)) {
351 * There's no maximum packet data size
352 * in userland. The runtime packet length
357 if (p
->k
>= BPF_MEMWORDS
)
368 if (p
->k
>= BPF_MEMWORDS
)
372 switch (BPF_OP(p
->code
)) {
384 * Check for constant division by 0.
386 if (BPF_RVAL(p
->code
) == BPF_K
&& p
->k
== 0)
395 * Check that jumps are within the code block,
396 * and that unconditional branches don't go
397 * backwards as a result of an overflow.
398 * Unconditional branches have a 32-bit offset,
399 * so they could overflow; we check to make
400 * sure they don't. Conditional branches have
401 * an 8-bit offset, and the from address is <=
402 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
403 * is sufficiently small that adding 255 to it
406 * We know that len is <= BPF_MAXINSNS, and we
407 * assume that BPF_MAXINSNS is < the maximum size
408 * of a u_int, so that i + 1 doesn't overflow.
410 * For userland, we don't know that the from
411 * or len are <= BPF_MAXINSNS, but we know that
412 * from <= len, and, except on a 64-bit system,
413 * it's unlikely that len, if it truly reflects
414 * the size of the program we've been handed,
415 * will be anywhere near the maximum size of
416 * a u_int. We also don't check for backward
417 * branches, as we currently support them in
418 * userland for the protochain operation.
421 switch (BPF_OP(p
->code
)) {
423 if (from
+ p
->k
>= bpf
->len
)
430 if (from
+ p
->jt
>= bpf
->len
||
431 from
+ p
->jf
>= bpf
->len
)
447 return BPF_CLASS(bpf
->filter
[bpf
->len
- 1].code
) == BPF_RET
;
450 uint32_t bpf_run_filter(const struct sock_fprog
* fcode
, uint8_t * packet
,
453 /* XXX: caplen == len */
456 struct sock_filter
*bpf
;
457 int32_t mem
[BPF_MEMWORDS
];
459 if (fcode
== NULL
|| fcode
->filter
== NULL
|| fcode
->len
== 0)
475 case BPF_RET
| BPF_K
:
476 return (uint32_t) bpf
->k
;
478 case BPF_RET
| BPF_A
:
481 case BPF_LD
| BPF_W
| BPF_ABS
:
483 if (k
+ sizeof(int32_t) > plen
)
485 A
= EXTRACT_LONG(&packet
[k
]);
488 case BPF_LD
| BPF_H
| BPF_ABS
:
490 if (k
+ sizeof(short) > plen
)
492 A
= EXTRACT_SHORT(&packet
[k
]);
495 case BPF_LD
| BPF_B
| BPF_ABS
:
502 case BPF_LD
| BPF_W
| BPF_LEN
:
506 case BPF_LDX
| BPF_W
| BPF_LEN
:
510 case BPF_LD
| BPF_W
| BPF_IND
:
512 if (k
+ sizeof(int32_t) > plen
)
514 A
= EXTRACT_LONG(&packet
[k
]);
517 case BPF_LD
| BPF_H
| BPF_IND
:
519 if (k
+ sizeof(short) > plen
)
521 A
= EXTRACT_SHORT(&packet
[k
]);
524 case BPF_LD
| BPF_B
| BPF_IND
:
531 case BPF_LDX
| BPF_MSH
| BPF_B
:
535 X
= (packet
[bpf
->k
] & 0xf) << 2;
538 case BPF_LD
| BPF_IMM
:
542 case BPF_LDX
| BPF_IMM
:
546 case BPF_LD
| BPF_MEM
:
550 case BPF_LDX
| BPF_MEM
:
562 case BPF_JMP
| BPF_JA
:
566 case BPF_JMP
| BPF_JGT
| BPF_K
:
567 bpf
+= (A
> bpf
->k
) ? bpf
->jt
: bpf
->jf
;
570 case BPF_JMP
| BPF_JGE
| BPF_K
:
571 bpf
+= (A
>= bpf
->k
) ? bpf
->jt
: bpf
->jf
;
574 case BPF_JMP
| BPF_JEQ
| BPF_K
:
575 bpf
+= (A
== bpf
->k
) ? bpf
->jt
: bpf
->jf
;
578 case BPF_JMP
| BPF_JSET
| BPF_K
:
579 bpf
+= (A
& bpf
->k
) ? bpf
->jt
: bpf
->jf
;
582 case BPF_JMP
| BPF_JGT
| BPF_X
:
583 bpf
+= (A
> X
) ? bpf
->jt
: bpf
->jf
;
586 case BPF_JMP
| BPF_JGE
| BPF_X
:
587 bpf
+= (A
>= X
) ? bpf
->jt
: bpf
->jf
;
590 case BPF_JMP
| BPF_JEQ
| BPF_X
:
591 bpf
+= (A
== X
) ? bpf
->jt
: bpf
->jf
;
594 case BPF_JMP
| BPF_JSET
| BPF_X
:
595 bpf
+= (A
& X
) ? bpf
->jt
: bpf
->jf
;
598 case BPF_ALU
| BPF_ADD
| BPF_X
:
602 case BPF_ALU
| BPF_SUB
| BPF_X
:
606 case BPF_ALU
| BPF_MUL
| BPF_X
:
610 case BPF_ALU
| BPF_DIV
| BPF_X
:
616 case BPF_ALU
| BPF_AND
| BPF_X
:
620 case BPF_ALU
| BPF_OR
| BPF_X
:
624 case BPF_ALU
| BPF_LSH
| BPF_X
:
628 case BPF_ALU
| BPF_RSH
| BPF_X
:
632 case BPF_ALU
| BPF_ADD
| BPF_K
:
636 case BPF_ALU
| BPF_SUB
| BPF_K
:
640 case BPF_ALU
| BPF_MUL
| BPF_K
:
644 case BPF_ALU
| BPF_DIV
| BPF_K
:
648 case BPF_ALU
| BPF_AND
| BPF_K
:
652 case BPF_ALU
| BPF_OR
| BPF_K
:
656 case BPF_ALU
| BPF_LSH
| BPF_K
:
660 case BPF_ALU
| BPF_RSH
| BPF_K
:
664 case BPF_ALU
| BPF_NEG
:
668 case BPF_MISC
| BPF_TAX
:
672 case BPF_MISC
| BPF_TXA
:
679 void bpf_parse_rules(char *rulefile
, struct sock_fprog
*bpf
)
683 struct sock_filter sf_single
= { 0x06, 0, 0, 0xFFFFFFFF };
685 if (rulefile
== NULL
) {
687 bpf
->filter
= xmalloc(sizeof(sf_single
));
688 memcpy(&bpf
->filter
[0], &sf_single
, sizeof(sf_single
));
692 FILE *fp
= fopen(rulefile
, "r");
694 panic("Cannot read BPF rule file!\n");
696 memset(buff
, 0, sizeof(buff
));
698 while (fgets(buff
, sizeof(buff
), fp
) != NULL
) {
699 buff
[sizeof(buff
) - 1] = 0;
701 /* A comment. Skip this line */
702 if (buff
[0] != '{') {
703 memset(buff
, 0, sizeof(buff
));
707 memset(&sf_single
, 0, sizeof(sf_single
));
708 ret
= sscanf(buff
, "{ 0x%x, %u, %u, 0x%08x },",
709 (unsigned int *) &sf_single
.code
,
710 (unsigned int *) &sf_single
.jt
,
711 (unsigned int *) &sf_single
.jf
,
712 (unsigned int *) &sf_single
.k
);
714 /* No valid bpf opcode format or a syntax error */
715 panic("BPF syntax error!\n");
718 bpf
->filter
= xrealloc(bpf
->filter
, 1,
719 bpf
->len
* sizeof(sf_single
));
720 memcpy(&bpf
->filter
[bpf
->len
- 1], &sf_single
,
723 memset(buff
, 0, sizeof(buff
));
728 if (bpf_validate(bpf
) == 0)
729 panic("This is not a valid BPF program!\n");