2 * netsniff-ng - the packet sniffing beast
3 * By Daniel Borkmann <daniel@netsniff-ng.org>
4 * Copyright 2009, 2010 Daniel Borkmann.
5 * Copyright 2009, 2010 Emmanuel Roullit.
6 * Subject to the GPL, version 2.
10 * Copyright (c) 1990, 1991, 1992, 1994, 1995, 1996
11 * The Regents of the University of California. All rights reserved.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that: (1) source code distributions
15 * retain the above copyright notice and this paragraph in its entirety, (2)
16 * distributions including binary code include the above copyright notice and
17 * this paragraph in its entirety in the documentation or other materials
18 * provided with the distribution, and (3) all advertising materials mentioning
19 * features or use of this software display the following acknowledgement:
20 * ``This product includes software developed by the University of California,
21 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
22 * the University nor the names of its contributors may be used to endorse
23 * or promote products derived from this software without specific prior
25 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
26 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
27 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
33 #include <arpa/inet.h>
40 /* This is a bug in libpcap, they actually use 'unsigned long' instead
42 #define EXTRACT_SHORT(packet) \
43 ((unsigned short) ntohs(*(unsigned short *) packet))
44 #define EXTRACT_LONG(packet) \
45 (ntohl(*(unsigned long *) packet))
48 * Number of scratch memory words for: BPF_ST and BPF_STX
51 # define BPF_MEMWORDS 16
54 static char *bpf_dump(const struct sock_filter bpf
, int n
)
58 static char image
[256];
76 case BPF_LD
| BPF_W
| BPF_ABS
:
80 case BPF_LD
| BPF_H
| BPF_ABS
:
84 case BPF_LD
| BPF_B
| BPF_ABS
:
88 case BPF_LD
| BPF_W
| BPF_LEN
:
92 case BPF_LD
| BPF_W
| BPF_IND
:
96 case BPF_LD
| BPF_H
| BPF_IND
:
100 case BPF_LD
| BPF_B
| BPF_IND
:
104 case BPF_LD
| BPF_IMM
:
108 case BPF_LDX
| BPF_IMM
:
112 case BPF_LDX
| BPF_MSH
| BPF_B
:
114 fmt
= "4*([%d]&0xf)";
116 case BPF_LD
| BPF_MEM
:
120 case BPF_LDX
| BPF_MEM
:
132 case BPF_JMP
| BPF_JA
:
137 case BPF_JMP
| BPF_JGT
| BPF_K
:
141 case BPF_JMP
| BPF_JGE
| BPF_K
:
145 case BPF_JMP
| BPF_JEQ
| BPF_K
:
149 case BPF_JMP
| BPF_JSET
| BPF_K
:
153 case BPF_JMP
| BPF_JGT
| BPF_X
:
157 case BPF_JMP
| BPF_JGE
| BPF_X
:
161 case BPF_JMP
| BPF_JEQ
| BPF_X
:
165 case BPF_JMP
| BPF_JSET
| BPF_X
:
169 case BPF_ALU
| BPF_ADD
| BPF_X
:
173 case BPF_ALU
| BPF_SUB
| BPF_X
:
177 case BPF_ALU
| BPF_MUL
| BPF_X
:
181 case BPF_ALU
| BPF_DIV
| BPF_X
:
185 case BPF_ALU
| BPF_AND
| BPF_X
:
189 case BPF_ALU
| BPF_OR
| BPF_X
:
193 case BPF_ALU
| BPF_LSH
| BPF_X
:
197 case BPF_ALU
| BPF_RSH
| BPF_X
:
201 case BPF_ALU
| BPF_ADD
| BPF_K
:
205 case BPF_ALU
| BPF_SUB
| BPF_K
:
209 case BPF_ALU
| BPF_MUL
| BPF_K
:
213 case BPF_ALU
| BPF_DIV
| BPF_K
:
217 case BPF_ALU
| BPF_AND
| BPF_K
:
221 case BPF_ALU
| BPF_OR
| BPF_K
:
225 case BPF_ALU
| BPF_LSH
| BPF_K
:
229 case BPF_ALU
| BPF_RSH
| BPF_K
:
233 case BPF_ALU
| BPF_NEG
:
237 case BPF_MISC
| BPF_TAX
:
241 case BPF_MISC
| BPF_TXA
:
246 slprintf(operand
, sizeof(operand
), fmt
, v
);
247 slprintf(image
, sizeof(image
),
248 (BPF_CLASS(bpf
.code
) == BPF_JMP
&&
249 BPF_OP(bpf
.code
) != BPF_JA
) ?
250 "(%03d) %-8s %-16s jt %d\tjf %d" : "(%03d) %-8s %s",
251 n
, op
, operand
, n
+ 1 + bpf
.jt
, n
+ 1 + bpf
.jf
);
255 void bpf_dump_all(struct sock_fprog
*bpf
)
258 for (i
= 0; i
< bpf
->len
; ++i
)
259 printf("%s\n", bpf_dump(bpf
->filter
[i
], i
));
262 void bpf_attach_to_sock(int sock
, struct sock_fprog
*bpf
)
264 int ret
= setsockopt(sock
, SOL_SOCKET
, SO_ATTACH_FILTER
, bpf
,
267 panic("Cannot attach filter to socket!\n");
270 void bpf_detach_from_sock(int sock
)
273 ret
= setsockopt(sock
, SOL_SOCKET
, SO_DETACH_FILTER
, &empty
,
276 panic("Cannot detach filter from socket!\n");
279 int bpf_validate(const struct sock_fprog
*bpf
)
282 const struct sock_filter
*p
;
288 for (i
= 0; i
< bpf
->len
; ++i
) {
290 switch (BPF_CLASS(p
->code
)) {
292 * Check that memory operations use valid addresses.
296 switch (BPF_MODE(p
->code
)) {
303 * There's no maximum packet data size
304 * in userland. The runtime packet length
309 if (p
->k
>= BPF_MEMWORDS
)
320 if (p
->k
>= BPF_MEMWORDS
)
324 switch (BPF_OP(p
->code
)) {
336 * Check for constant division by 0.
338 if (BPF_RVAL(p
->code
) == BPF_K
&& p
->k
== 0)
347 * Check that jumps are within the code block,
348 * and that unconditional branches don't go
349 * backwards as a result of an overflow.
350 * Unconditional branches have a 32-bit offset,
351 * so they could overflow; we check to make
352 * sure they don't. Conditional branches have
353 * an 8-bit offset, and the from address is <=
354 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
355 * is sufficiently small that adding 255 to it
358 * We know that len is <= BPF_MAXINSNS, and we
359 * assume that BPF_MAXINSNS is < the maximum size
360 * of a u_int, so that i + 1 doesn't overflow.
362 * For userland, we don't know that the from
363 * or len are <= BPF_MAXINSNS, but we know that
364 * from <= len, and, except on a 64-bit system,
365 * it's unlikely that len, if it truly reflects
366 * the size of the program we've been handed,
367 * will be anywhere near the maximum size of
368 * a u_int. We also don't check for backward
369 * branches, as we currently support them in
370 * userland for the protochain operation.
373 switch (BPF_OP(p
->code
)) {
375 if (from
+ p
->k
>= bpf
->len
)
382 if (from
+ p
->jt
>= bpf
->len
||
383 from
+ p
->jf
>= bpf
->len
)
399 return BPF_CLASS(bpf
->filter
[bpf
->len
- 1].code
) == BPF_RET
;
402 uint32_t bpf_run_filter(const struct sock_fprog
* fcode
, uint8_t * packet
,
405 /* XXX: caplen == len */
408 struct sock_filter
*bpf
;
409 int32_t mem
[BPF_MEMWORDS
];
411 if (fcode
== NULL
|| fcode
->filter
== NULL
|| fcode
->len
== 0)
424 case BPF_RET
| BPF_K
:
425 return (uint32_t) bpf
->k
;
426 case BPF_RET
| BPF_A
:
428 case BPF_LD
| BPF_W
| BPF_ABS
:
430 if (k
+ sizeof(int32_t) > plen
)
432 A
= EXTRACT_LONG(&packet
[k
]);
434 case BPF_LD
| BPF_H
| BPF_ABS
:
436 if (k
+ sizeof(short) > plen
)
438 A
= EXTRACT_SHORT(&packet
[k
]);
440 case BPF_LD
| BPF_B
| BPF_ABS
:
446 case BPF_LD
| BPF_W
| BPF_LEN
:
449 case BPF_LDX
| BPF_W
| BPF_LEN
:
452 case BPF_LD
| BPF_W
| BPF_IND
:
454 if (k
+ sizeof(int32_t) > plen
)
456 A
= EXTRACT_LONG(&packet
[k
]);
458 case BPF_LD
| BPF_H
| BPF_IND
:
460 if (k
+ sizeof(short) > plen
)
462 A
= EXTRACT_SHORT(&packet
[k
]);
464 case BPF_LD
| BPF_B
| BPF_IND
:
470 case BPF_LDX
| BPF_MSH
| BPF_B
:
474 X
= (packet
[bpf
->k
] & 0xf) << 2;
476 case BPF_LD
| BPF_IMM
:
479 case BPF_LDX
| BPF_IMM
:
482 case BPF_LD
| BPF_MEM
:
485 case BPF_LDX
| BPF_MEM
:
494 case BPF_JMP
| BPF_JA
:
497 case BPF_JMP
| BPF_JGT
| BPF_K
:
498 bpf
+= (A
> bpf
->k
) ? bpf
->jt
: bpf
->jf
;
500 case BPF_JMP
| BPF_JGE
| BPF_K
:
501 bpf
+= (A
>= bpf
->k
) ? bpf
->jt
: bpf
->jf
;
503 case BPF_JMP
| BPF_JEQ
| BPF_K
:
504 bpf
+= (A
== bpf
->k
) ? bpf
->jt
: bpf
->jf
;
506 case BPF_JMP
| BPF_JSET
| BPF_K
:
507 bpf
+= (A
& bpf
->k
) ? bpf
->jt
: bpf
->jf
;
509 case BPF_JMP
| BPF_JGT
| BPF_X
:
510 bpf
+= (A
> X
) ? bpf
->jt
: bpf
->jf
;
512 case BPF_JMP
| BPF_JGE
| BPF_X
:
513 bpf
+= (A
>= X
) ? bpf
->jt
: bpf
->jf
;
515 case BPF_JMP
| BPF_JEQ
| BPF_X
:
516 bpf
+= (A
== X
) ? bpf
->jt
: bpf
->jf
;
518 case BPF_JMP
| BPF_JSET
| BPF_X
:
519 bpf
+= (A
& X
) ? bpf
->jt
: bpf
->jf
;
521 case BPF_ALU
| BPF_ADD
| BPF_X
:
524 case BPF_ALU
| BPF_SUB
| BPF_X
:
527 case BPF_ALU
| BPF_MUL
| BPF_X
:
530 case BPF_ALU
| BPF_DIV
| BPF_X
:
535 case BPF_ALU
| BPF_AND
| BPF_X
:
538 case BPF_ALU
| BPF_OR
| BPF_X
:
541 case BPF_ALU
| BPF_LSH
| BPF_X
:
544 case BPF_ALU
| BPF_RSH
| BPF_X
:
547 case BPF_ALU
| BPF_ADD
| BPF_K
:
550 case BPF_ALU
| BPF_SUB
| BPF_K
:
553 case BPF_ALU
| BPF_MUL
| BPF_K
:
556 case BPF_ALU
| BPF_DIV
| BPF_K
:
559 case BPF_ALU
| BPF_AND
| BPF_K
:
562 case BPF_ALU
| BPF_OR
| BPF_K
:
565 case BPF_ALU
| BPF_LSH
| BPF_K
:
568 case BPF_ALU
| BPF_RSH
| BPF_K
:
571 case BPF_ALU
| BPF_NEG
:
574 case BPF_MISC
| BPF_TAX
:
577 case BPF_MISC
| BPF_TXA
:
584 void bpf_parse_rules(char *rulefile
, struct sock_fprog
*bpf
)
588 struct sock_filter sf_single
= { 0x06, 0, 0, 0xFFFFFFFF };
590 if (rulefile
== NULL
) {
592 bpf
->filter
= xmalloc(sizeof(sf_single
));
593 memcpy(&bpf
->filter
[0], &sf_single
, sizeof(sf_single
));
597 FILE *fp
= fopen(rulefile
, "r");
599 panic("Cannot read BPF rule file!\n");
600 memset(buff
, 0, sizeof(buff
));
602 while (fgets(buff
, sizeof(buff
), fp
) != NULL
) {
603 buff
[sizeof(buff
) - 1] = 0;
604 /* A comment. Skip this line */
605 if (buff
[0] != '{') {
606 memset(buff
, 0, sizeof(buff
));
610 memset(&sf_single
, 0, sizeof(sf_single
));
611 ret
= sscanf(buff
, "{ 0x%x, %u, %u, 0x%08x },",
612 (unsigned int *) &sf_single
.code
,
613 (unsigned int *) &sf_single
.jt
,
614 (unsigned int *) &sf_single
.jf
,
615 (unsigned int *) &sf_single
.k
);
617 /* No valid bpf opcode format or a syntax error */
618 panic("BPF syntax error!\n");
620 bpf
->filter
= xrealloc(bpf
->filter
, 1,
621 bpf
->len
* sizeof(sf_single
));
622 memcpy(&bpf
->filter
[bpf
->len
- 1], &sf_single
,
625 memset(buff
, 0, sizeof(buff
));
629 if (bpf_validate(bpf
) == 0)
630 panic("This is not a valid BPF program!\n");