search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
man: bpf: also mention that bpfc can be used for seccomp-BPF
[netsniff-ng.git] / bpf.c
blob791f75390c0ca35833a58c90aa705bcc09048a96
1 /*
2 * netsniff-ng - the packet sniffing beast
3 * Copyright 2009 - 2012 Daniel Borkmann.
4 * Copyright 2009, 2010 Emmanuel Roullit.
5 * Copyright 1990-1996 The Regents of the University of
6 * California. All rights reserved. (3-clause BSD license)
7 * Subject to the GPL, version 2.
8 */
9
10 #include <stdint.h>
11 #include <stdio.h>
12 #include <arpa/inet.h>
13 #include <sys/types.h>
14 #include <sys/stat.h>
15 #include <fcntl.h>
16
17 #include "bpf.h"
18 #include "xmalloc.h"
19 #include "die.h"
20 #include "str.h"
21
22 #define EXTRACT_SHORT(packet) \
23 ((unsigned short) ntohs(*(unsigned short *) packet))
24 #define EXTRACT_LONG(packet) \
25 (ntohl(*(unsigned long *) packet))
26
27 #ifndef BPF_MEMWORDS
28 # define BPF_MEMWORDS 16
29 #endif
30
31 #define BPF_LD_B (BPF_LD | BPF_B)
32 #define BPF_LD_H (BPF_LD | BPF_H)
33 #define BPF_LD_W (BPF_LD | BPF_W)
34 #define BPF_LDX_B (BPF_LDX | BPF_B)
35 #define BPF_LDX_W (BPF_LDX | BPF_W)
36 #define BPF_JMP_JA (BPF_JMP | BPF_JA)
37 #define BPF_JMP_JEQ (BPF_JMP | BPF_JEQ)
38 #define BPF_JMP_JGT (BPF_JMP | BPF_JGT)
39 #define BPF_JMP_JGE (BPF_JMP | BPF_JGE)
40 #define BPF_JMP_JSET (BPF_JMP | BPF_JSET)
41 #define BPF_ALU_ADD (BPF_ALU | BPF_ADD)
42 #define BPF_ALU_SUB (BPF_ALU | BPF_SUB)
43 #define BPF_ALU_MUL (BPF_ALU | BPF_MUL)
44 #define BPF_ALU_DIV (BPF_ALU | BPF_DIV)
45 #define BPF_ALU_MOD (BPF_ALU | BPF_MOD)
46 #define BPF_ALU_NEG (BPF_ALU | BPF_NEG)
47 #define BPF_ALU_AND (BPF_ALU | BPF_AND)
48 #define BPF_ALU_OR (BPF_ALU | BPF_OR)
49 #define BPF_ALU_XOR (BPF_ALU | BPF_XOR)
50 #define BPF_ALU_LSH (BPF_ALU | BPF_LSH)
51 #define BPF_ALU_RSH (BPF_ALU | BPF_RSH)
52 #define BPF_MISC_TAX (BPF_MISC | BPF_TAX)
53 #define BPF_MISC_TXA (BPF_MISC | BPF_TXA)
54
55 static const char *op_table[] = {
56 [BPF_LD_B] = "ldb",
57 [BPF_LD_H] = "ldh",
58 [BPF_LD_W] = "ld",
59 [BPF_LDX] = "ldx",
60 [BPF_LDX_B] = "ldxb",
61 [BPF_ST] = "st",
62 [BPF_STX] = "stx",
63 [BPF_JMP_JA] = "ja",
64 [BPF_JMP_JEQ] = "jeq",
65 [BPF_JMP_JGT] = "jgt",
66 [BPF_JMP_JGE] = "jge",
67 [BPF_JMP_JSET] = "jset",
68 [BPF_ALU_ADD] = "add",
69 [BPF_ALU_SUB] = "sub",
70 [BPF_ALU_MUL] = "mul",
71 [BPF_ALU_DIV] = "div",
72 [BPF_ALU_MOD] = "mod",
73 [BPF_ALU_NEG] = "neg",
74 [BPF_ALU_AND] = "and",
75 [BPF_ALU_OR] = "or",
76 [BPF_ALU_XOR] = "xor",
77 [BPF_ALU_LSH] = "lsh",
78 [BPF_ALU_RSH] = "rsh",
79 [BPF_RET] = "ret",
80 [BPF_MISC_TAX] = "tax",
81 [BPF_MISC_TXA] = "txa",
82 };
83
84 void bpf_dump_op_table(void)
85 {
86 int i;
87 for (i = 0; i < array_size(op_table); ++i) {
88 if (op_table[i])
89 printf("%s\n", op_table[i]);
90 }
91 }
92
93 static const char *bpf_dump_linux_k(uint32_t k)
94 {
95 switch (k) {
96 default:
97 return "[%d]";
98 case SKF_AD_OFF + SKF_AD_PROTOCOL:
99 return "proto";
100 case SKF_AD_OFF + SKF_AD_PKTTYPE:
101 return "type";
102 case SKF_AD_OFF + SKF_AD_IFINDEX:
103 return "ifidx";
104 case SKF_AD_OFF + SKF_AD_NLATTR:
105 return "nla";
106 case SKF_AD_OFF + SKF_AD_NLATTR_NEST:
107 return "nlan";
108 case SKF_AD_OFF + SKF_AD_MARK:
109 return "mark";
110 case SKF_AD_OFF + SKF_AD_QUEUE:
111 return "queue";
112 case SKF_AD_OFF + SKF_AD_HATYPE:
113 return "hatype";
114 case SKF_AD_OFF + SKF_AD_RXHASH:
115 return "rxhash";
116 case SKF_AD_OFF + SKF_AD_CPU:
117 return "cpu";
118 case SKF_AD_OFF + SKF_AD_VLAN_TAG:
119 return "vlant";
120 case SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT:
121 return "vlanp";
122 case SKF_AD_OFF + SKF_AD_PAY_OFFSET:
123 return "poff";
124 }
125 }
126
127 static char *__bpf_dump(const struct sock_filter bpf, int n)
128 {
129 int v;
130 const char *fmt, *op;
131 static char image[256];
132 char operand[64];
133
134 v = bpf.k;
135 switch (bpf.code) {
136 default:
137 op = "unimp";
138 fmt = "0x%x";
139 v = bpf.code;
140 break;
141 case BPF_RET | BPF_K:
142 op = op_table[BPF_RET];
143 fmt = "#0x%x";
144 break;
145 case BPF_RET | BPF_A:
146 op = op_table[BPF_RET];
147 fmt = "a";
148 break;
149 case BPF_RET | BPF_X:
150 op = op_table[BPF_RET];
151 fmt = "x";
152 break;
153 case BPF_LD_W | BPF_ABS:
154 op = op_table[BPF_LD_W];
155 fmt = bpf_dump_linux_k(bpf.k);
156 break;
157 case BPF_LD_H | BPF_ABS:
158 op = op_table[BPF_LD_H];
159 fmt = bpf_dump_linux_k(bpf.k);
160 break;
161 case BPF_LD_B | BPF_ABS:
162 op = op_table[BPF_LD_B];
163 fmt = bpf_dump_linux_k(bpf.k);
164 break;
165 case BPF_LD_W | BPF_LEN:
166 op = op_table[BPF_LD_W];
167 fmt = "#len";
168 break;
169 case BPF_LD_W | BPF_IND:
170 op = op_table[BPF_LD_W];
171 fmt = "[x + %d]";
172 break;
173 case BPF_LD_H | BPF_IND:
174 op = op_table[BPF_LD_H];
175 fmt = "[x + %d]";
176 break;
177 case BPF_LD_B | BPF_IND:
178 op = op_table[BPF_LD_B];
179 fmt = "[x + %d]";
180 break;
181 case BPF_LD | BPF_IMM:
182 op = op_table[BPF_LD_W];
183 fmt = "#0x%x";
184 break;
185 case BPF_LDX | BPF_IMM:
186 op = op_table[BPF_LDX];
187 fmt = "#0x%x";
188 break;
189 case BPF_LDX_B | BPF_MSH:
190 op = op_table[BPF_LDX_B];
191 fmt = "4*([%d]&0xf)";
192 break;
193 case BPF_LD | BPF_MEM:
194 op = op_table[BPF_LD_W];
195 fmt = "M[%d]";
196 break;
197 case BPF_LDX | BPF_MEM:
198 op = op_table[BPF_LDX];
199 fmt = "M[%d]";
200 break;
201 case BPF_ST:
202 op = op_table[BPF_ST];
203 fmt = "M[%d]";
204 break;
205 case BPF_STX:
206 op = op_table[BPF_STX];
207 fmt = "M[%d]";
208 break;
209 case BPF_JMP_JA:
210 op = op_table[BPF_JMP_JA];
211 fmt = "%d";
212 v = n + 1 + bpf.k;
213 break;
214 case BPF_JMP_JGT | BPF_K:
215 op = op_table[BPF_JMP_JGT];
216 fmt = "#0x%x";
217 break;
218 case BPF_JMP_JGE | BPF_K:
219 op = op_table[BPF_JMP_JGE];
220 fmt = "#0x%x";
221 break;
222 case BPF_JMP_JEQ | BPF_K:
223 op = op_table[BPF_JMP_JEQ];
224 fmt = "#0x%x";
225 break;
226 case BPF_JMP_JSET | BPF_K:
227 op = op_table[BPF_JMP_JSET];
228 fmt = "#0x%x";
229 break;
230 case BPF_JMP_JGT | BPF_X:
231 op = op_table[BPF_JMP_JGT];
232 fmt = "x";
233 break;
234 case BPF_JMP_JGE | BPF_X:
235 op = op_table[BPF_JMP_JGE];
236 fmt = "x";
237 break;
238 case BPF_JMP_JEQ | BPF_X:
239 op = op_table[BPF_JMP_JEQ];
240 fmt = "x";
241 break;
242 case BPF_JMP_JSET | BPF_X:
243 op = op_table[BPF_JMP_JSET];
244 fmt = "x";
245 break;
246 case BPF_ALU_ADD | BPF_X:
247 op = op_table[BPF_ALU_ADD];
248 fmt = "x";
249 break;
250 case BPF_ALU_SUB | BPF_X:
251 op = op_table[BPF_ALU_SUB];
252 fmt = "x";
253 break;
254 case BPF_ALU_MUL | BPF_X:
255 op = op_table[BPF_ALU_MUL];
256 fmt = "x";
257 break;
258 case BPF_ALU_DIV | BPF_X:
259 op = op_table[BPF_ALU_DIV];
260 fmt = "x";
261 break;
262 case BPF_ALU_MOD | BPF_X:
263 op = op_table[BPF_ALU_MOD];
264 fmt = "x";
265 break;
266 case BPF_ALU_AND | BPF_X:
267 op = op_table[BPF_ALU_AND];
268 fmt = "x";
269 break;
270 case BPF_ALU_OR | BPF_X:
271 op = op_table[BPF_ALU_OR];
272 fmt = "x";
273 break;
274 case BPF_ALU_XOR | BPF_X:
275 op = op_table[BPF_ALU_XOR];
276 fmt = "x";
277 break;
278 case BPF_ALU_LSH | BPF_X:
279 op = op_table[BPF_ALU_LSH];
280 fmt = "x";
281 break;
282 case BPF_ALU_RSH | BPF_X:
283 op = op_table[BPF_ALU_RSH];
284 fmt = "x";
285 break;
286 case BPF_ALU_ADD | BPF_K:
287 op = op_table[BPF_ALU_ADD];
288 fmt = "#%d";
289 break;
290 case BPF_ALU_SUB | BPF_K:
291 op = op_table[BPF_ALU_SUB];
292 fmt = "#%d";
293 break;
294 case BPF_ALU_MUL | BPF_K:
295 op = op_table[BPF_ALU_MUL];
296 fmt = "#%d";
297 break;
298 case BPF_ALU_DIV | BPF_K:
299 op = op_table[BPF_ALU_DIV];
300 fmt = "#%d";
301 break;
302 case BPF_ALU_MOD | BPF_K:
303 op = op_table[BPF_ALU_MOD];
304 fmt = "#%d";
305 break;
306 case BPF_ALU_AND | BPF_K:
307 op = op_table[BPF_ALU_AND];
308 fmt = "#0x%x";
309 break;
310 case BPF_ALU_OR | BPF_K:
311 op = op_table[BPF_ALU_OR];
312 fmt = "#0x%x";
313 break;
314 case BPF_ALU_XOR | BPF_K:
315 op = op_table[BPF_ALU_XOR];
316 fmt = "#0x%x";
317 break;
318 case BPF_ALU_LSH | BPF_K:
319 op = op_table[BPF_ALU_LSH];
320 fmt = "#%d";
321 break;
322 case BPF_ALU_RSH | BPF_K:
323 op = op_table[BPF_ALU_RSH];
324 fmt = "#%d";
325 break;
326 case BPF_ALU_NEG:
327 op = op_table[BPF_ALU_NEG];
328 fmt = "";
329 break;
330 case BPF_MISC_TAX:
331 op = op_table[BPF_MISC_TAX];
332 fmt = "";
333 break;
334 case BPF_MISC_TXA:
335 op = op_table[BPF_MISC_TXA];
336 fmt = "";
337 break;
338 }
339
340 slprintf_nocheck(operand, sizeof(operand), fmt, v);
341 slprintf_nocheck(image, sizeof(image),
342 (BPF_CLASS(bpf.code) == BPF_JMP &&
343 BPF_OP(bpf.code) != BPF_JA) ?
344 " L%d: %s %s, L%d, L%d" : " L%d: %s %s",
345 n, op, operand, n + 1 + bpf.jt, n + 1 + bpf.jf);
346 return image;
347 }
348
349 void bpf_dump_all(struct sock_fprog *bpf)
350 {
351 int i;
352 for (i = 0; i < bpf->len; ++i)
353 printf("%s\n", __bpf_dump(bpf->filter[i], i));
354 }
355
356 void bpf_attach_to_sock(int sock, struct sock_fprog *bpf)
357 {
358 int ret;
359
360 if (bpf->filter[0].code == BPF_RET &&
361 bpf->filter[0].k == 0xFFFFFFFF)
362 return;
363
364 ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER,
365 bpf, sizeof(*bpf));
366 if (ret < 0)
367 panic("Cannot attach filter to socket!\n");
368 }
369
370 void bpf_detach_from_sock(int sock)
371 {
372 int ret, empty = 0;
373
374 ret = setsockopt(sock, SOL_SOCKET, SO_DETACH_FILTER,
375 &empty, sizeof(empty));
376 if (ret < 0)
377 panic("Cannot detach filter from socket!\n");
378 }
379
380 int enable_kernel_bpf_jit_compiler(void)
381 {
382 int fd;
383 ssize_t ret;
384 char *file = "/proc/sys/net/core/bpf_jit_enable";
385
386 fd = open(file, O_WRONLY);
387 if (fd < 0)
388 return -1;
389
390 ret = write(fd, "1", strlen("1"));
391
392 close(fd);
393 return ret;
394 }
395
396 int __bpf_validate(const struct sock_fprog *bpf)
397 {
398 uint32_t i, from;
399 const struct sock_filter *p;
400
401 if (!bpf)
402 return 0;
403 if (bpf->len < 1)
404 return 0;
405
406 for (i = 0; i < bpf->len; ++i) {
407 p = &bpf->filter[i];
408 switch (BPF_CLASS(p->code)) {
409 /* Check that memory operations use valid addresses. */
410 case BPF_LD:
411 case BPF_LDX:
412 switch (BPF_MODE(p->code)) {
413 case BPF_IMM:
414 break;
415 case BPF_ABS:
416 case BPF_IND:
417 case BPF_MSH:
418 /* There's no maximum packet data size
419 * in userland. The runtime packet length
420 * check suffices.
421 */
422 break;
423 case BPF_MEM:
424 if (p->k >= BPF_MEMWORDS)
425 return 0;
426 break;
427 case BPF_LEN:
428 break;
429 default:
430 return 0;
431 }
432 break;
433 case BPF_ST:
434 case BPF_STX:
435 if (p->k >= BPF_MEMWORDS)
436 return 0;
437 break;
438 case BPF_ALU:
439 switch (BPF_OP(p->code)) {
440 case BPF_ADD:
441 case BPF_SUB:
442 case BPF_MUL:
443 case BPF_OR:
444 case BPF_XOR:
445 case BPF_AND:
446 case BPF_LSH:
447 case BPF_RSH:
448 case BPF_NEG:
449 break;
450 case BPF_DIV:
451 case BPF_MOD:
452 /* Check for constant division by 0 (undefined
453 * for div and mod).
454 */
455 if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
456 return 0;
457 break;
458 default:
459 return 0;
460 }
461 break;
462 case BPF_JMP:
463 /* Check that jumps are within the code block,
464 * and that unconditional branches don't go
465 * backwards as a result of an overflow.
466 * Unconditional branches have a 32-bit offset,
467 * so they could overflow; we check to make
468 * sure they don't. Conditional branches have
469 * an 8-bit offset, and the from address is <=
470 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
471 * is sufficiently small that adding 255 to it
472 * won't overflow.
473 *
474 * We know that len is <= BPF_MAXINSNS, and we
475 * assume that BPF_MAXINSNS is < the maximum size
476 * of a u_int, so that i + 1 doesn't overflow.
477 *
478 * For userland, we don't know that the from
479 * or len are <= BPF_MAXINSNS, but we know that
480 * from <= len, and, except on a 64-bit system,
481 * it's unlikely that len, if it truly reflects
482 * the size of the program we've been handed,
483 * will be anywhere near the maximum size of
484 * a u_int. We also don't check for backward
485 * branches, as we currently support them in
486 * userland for the protochain operation.
487 */
488 from = i + 1;
489 switch (BPF_OP(p->code)) {
490 case BPF_JA:
491 if (from + p->k >= bpf->len)
492 return 0;
493 break;
494 case BPF_JEQ:
495 case BPF_JGT:
496 case BPF_JGE:
497 case BPF_JSET:
498 if (from + p->jt >= bpf->len ||
499 from + p->jf >= bpf->len)
500 return 0;
501 break;
502 default:
503 return 0;
504 }
505 break;
506 case BPF_RET:
507 break;
508 case BPF_MISC:
509 break;
510 }
511 }
512
513 return BPF_CLASS(bpf->filter[bpf->len - 1].code) == BPF_RET;
514 }
515
516 uint32_t bpf_run_filter(const struct sock_fprog * fcode, uint8_t * packet,
517 size_t plen)
518 {
519 /* XXX: caplen == len */
520 uint32_t A, X;
521 uint32_t k;
522 struct sock_filter *bpf;
523 int32_t mem[BPF_MEMWORDS] = { 0, };
524
525 if (fcode == NULL || fcode->filter == NULL || fcode->len == 0)
526 return 0xFFFFFFFF;
527
528 A = 0;
529 X = 0;
530
531 bpf = fcode->filter;
532 --bpf;
533 while (1) {
534 ++bpf;
535 switch (bpf->code) {
536 default:
537 return 0;
538 case BPF_RET | BPF_K:
539 return (uint32_t) bpf->k;
540 case BPF_RET | BPF_A:
541 return (uint32_t) A;
542 case BPF_LD_W | BPF_ABS:
543 /* No Linux extensions supported here! */
544 k = bpf->k;
545 if (k + sizeof(int32_t) > plen)
546 return 0;
547 A = EXTRACT_LONG(&packet[k]);
548 continue;
549 case BPF_LD_H | BPF_ABS:
550 /* No Linux extensions supported here! */
551 k = bpf->k;
552 if (k + sizeof(short) > plen)
553 return 0;
554 A = EXTRACT_SHORT(&packet[k]);
555 continue;
556 case BPF_LD_B | BPF_ABS:
557 /* No Linux extensions supported here! */
558 k = bpf->k;
559 if (k >= plen)
560 return 0;
561 A = packet[k];
562 continue;
563 case BPF_LD_W | BPF_LEN:
564 A = plen;
565 continue;
566 case BPF_LDX_W | BPF_LEN:
567 X = plen;
568 continue;
569 case BPF_LD_W | BPF_IND:
570 k = X + bpf->k;
571 if (k + sizeof(int32_t) > plen)
572 return 0;
573 A = EXTRACT_LONG(&packet[k]);
574 continue;
575 case BPF_LD_H | BPF_IND:
576 k = X + bpf->k;
577 if (k + sizeof(short) > plen)
578 return 0;
579 A = EXTRACT_SHORT(&packet[k]);
580 continue;
581 case BPF_LD_B | BPF_IND:
582 k = X + bpf->k;
583 if (k >= plen)
584 return 0;
585 A = packet[k];
586 continue;
587 case BPF_LDX_B | BPF_MSH:
588 k = bpf->k;
589 if (k >= plen)
590 return 0;
591 X = (packet[bpf->k] & 0xf) << 2;
592 continue;
593 case BPF_LD | BPF_IMM:
594 A = bpf->k;
595 continue;
596 case BPF_LDX | BPF_IMM:
597 X = bpf->k;
598 continue;
599 case BPF_LD | BPF_MEM:
600 A = mem[bpf->k];
601 continue;
602 case BPF_LDX | BPF_MEM:
603 X = mem[bpf->k];
604 continue;
605 case BPF_ST:
606 mem[bpf->k] = A;
607 continue;
608 case BPF_STX:
609 mem[bpf->k] = X;
610 continue;
611 case BPF_JMP_JA:
612 bpf += bpf->k;
613 continue;
614 case BPF_JMP_JGT | BPF_K:
615 bpf += (A > bpf->k) ? bpf->jt : bpf->jf;
616 continue;
617 case BPF_JMP_JGE | BPF_K:
618 bpf += (A >= bpf->k) ? bpf->jt : bpf->jf;
619 continue;
620 case BPF_JMP_JEQ | BPF_K:
621 bpf += (A == bpf->k) ? bpf->jt : bpf->jf;
622 continue;
623 case BPF_JMP_JSET | BPF_K:
624 bpf += (A & bpf->k) ? bpf->jt : bpf->jf;
625 continue;
626 case BPF_JMP_JGT | BPF_X:
627 bpf += (A > X) ? bpf->jt : bpf->jf;
628 continue;
629 case BPF_JMP_JGE | BPF_X:
630 bpf += (A >= X) ? bpf->jt : bpf->jf;
631 continue;
632 case BPF_JMP_JEQ | BPF_X:
633 bpf += (A == X) ? bpf->jt : bpf->jf;
634 continue;
635 case BPF_JMP_JSET | BPF_X:
636 bpf += (A & X) ? bpf->jt : bpf->jf;
637 continue;
638 case BPF_ALU_ADD | BPF_X:
639 A += X;
640 continue;
641 case BPF_ALU_SUB | BPF_X:
642 A -= X;
643 continue;
644 case BPF_ALU_MUL | BPF_X:
645 A *= X;
646 continue;
647 case BPF_ALU_DIV | BPF_X:
648 if (X == 0)
649 return 0;
650 A /= X;
651 continue;
652 case BPF_ALU_MOD | BPF_X:
653 if (X == 0)
654 return 0;
655 A %= X;
656 continue;
657 case BPF_ALU_AND | BPF_X:
658 A &= X;
659 continue;
660 case BPF_ALU_OR | BPF_X:
661 A |= X;
662 continue;
663 case BPF_ALU_XOR | BPF_X:
664 A ^= X;
665 continue;
666 case BPF_ALU_LSH | BPF_X:
667 A <<= X;
668 continue;
669 case BPF_ALU_RSH | BPF_X:
670 A >>= X;
671 continue;
672 case BPF_ALU_ADD | BPF_K:
673 A += bpf->k;
674 continue;
675 case BPF_ALU_SUB | BPF_K:
676 A -= bpf->k;
677 continue;
678 case BPF_ALU_MUL | BPF_K:
679 A *= bpf->k;
680 continue;
681 case BPF_ALU_DIV | BPF_K:
682 A /= bpf->k;
683 continue;
684 case BPF_ALU_MOD | BPF_K:
685 A %= bpf->k;
686 continue;
687 case BPF_ALU_AND | BPF_K:
688 A &= bpf->k;
689 continue;
690 case BPF_ALU_OR | BPF_K:
691 A |= bpf->k;
692 continue;
693 case BPF_ALU_XOR | BPF_K:
694 A ^= bpf->k;
695 continue;
696 case BPF_ALU_LSH | BPF_K:
697 A <<= bpf->k;
698 continue;
699 case BPF_ALU_RSH | BPF_K:
700 A >>= bpf->k;
701 continue;
702 case BPF_ALU_NEG:
703 A = -A;
704 continue;
705 case BPF_MISC_TAX:
706 X = A;
707 continue;
708 case BPF_MISC_TXA:
709 A = X;
710 continue;
711 }
712 }
713 }
714
715 void bpf_parse_rules(char *rulefile, struct sock_fprog *bpf, uint32_t link_type)
716 {
717 int ret;
718 char buff[256];
719 struct sock_filter sf_single = { 0x06, 0, 0, 0xFFFFFFFF };
720 FILE *fp;
721
722 if (rulefile == NULL) {
723 bpf->len = 1;
724 bpf->filter = xmalloc(sizeof(sf_single));
725 fmemcpy(&bpf->filter[0], &sf_single, sizeof(sf_single));
726 return;
727 }
728
729 fp = fopen(rulefile, "r");
730 if (!fp) {
731 bpf_try_compile(rulefile, bpf, link_type);
732 return;
733 }
734
735 fmemset(buff, 0, sizeof(buff));
736 while (fgets(buff, sizeof(buff), fp) != NULL) {
737 buff[sizeof(buff) - 1] = 0;
738 if (buff[0] != '{') {
739 fmemset(buff, 0, sizeof(buff));
740 continue;
741 }
742
743 fmemset(&sf_single, 0, sizeof(sf_single));
744 ret = sscanf(buff, "{ 0x%x, %u, %u, 0x%08x },",
745 (unsigned int *) &sf_single.code,
746 (unsigned int *) &sf_single.jt,
747 (unsigned int *) &sf_single.jf,
748 (unsigned int *) &sf_single.k);
749 if (ret != 4)
750 panic("BPF syntax error!\n");
751
752 bpf->len++;
753 bpf->filter = xrealloc(bpf->filter, 1,
754 bpf->len * sizeof(sf_single));
755
756 fmemcpy(&bpf->filter[bpf->len - 1], &sf_single,
757 sizeof(sf_single));
758 fmemset(buff, 0, sizeof(buff));
759 }
760
761 fclose(fp);
762
763 if (__bpf_validate(bpf) == 0)
764 panic("This is not a valid BPF program!\n");
765 }
netsniff-ng toolkit, the packet sniffing beast, staging tree