search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ifpps: remove unsupported noise display
[netsniff.git] / src / bpf.c
blob7fcb21756d67285af2a80ce8519bb82b8c1d0923
1 /*
2 * netsniff-ng - the packet sniffing beast
3 * By Daniel Borkmann <daniel@netsniff-ng.org>
4 * Copyright 2009 - 2012 Daniel Borkmann.
5 * Copyright 2009, 2010 Emmanuel Roullit.
6 * Copyright 1990-1996 The Regents of the University of
7 * California. All rights reserved. (3-clause BSD license)
8 * Subject to the GPL, version 2.
9 */
10
11 #include <stdint.h>
12 #include <stdio.h>
13 #include <arpa/inet.h>
14 #include <sys/types.h>
15 #include <sys/stat.h>
16 #include <fcntl.h>
17
18 #include "bpf.h"
19 #include "xmalloc.h"
20 #include "xutils.h"
21 #include "die.h"
22
23 /* This is a bug in libpcap, they actually use 'unsigned long' instead
24 * of short! */
25 #define EXTRACT_SHORT(packet) \
26 ((unsigned short) ntohs(*(unsigned short *) packet))
27 #define EXTRACT_LONG(packet) \
28 (ntohl(*(unsigned long *) packet))
29 #ifndef BPF_MEMWORDS
30 # define BPF_MEMWORDS 16
31 #endif
32
33 #define BPF_LD_B (BPF_LD | BPF_B)
34 #define BPF_LD_H (BPF_LD | BPF_H)
35 #define BPF_LD_W (BPF_LD | BPF_W)
36 #define BPF_LDX_B (BPF_LDX | BPF_B)
37 #define BPF_LDX_W (BPF_LDX | BPF_W)
38 #define BPF_JMP_JA (BPF_JMP | BPF_JA)
39 #define BPF_JMP_JEQ (BPF_JMP | BPF_JEQ)
40 #define BPF_JMP_JGT (BPF_JMP | BPF_JGT)
41 #define BPF_JMP_JGE (BPF_JMP | BPF_JGE)
42 #define BPF_JMP_JSET (BPF_JMP | BPF_JSET)
43 #define BPF_ALU_ADD (BPF_ALU | BPF_ADD)
44 #define BPF_ALU_SUB (BPF_ALU | BPF_SUB)
45 #define BPF_ALU_MUL (BPF_ALU | BPF_MUL)
46 #define BPF_ALU_DIV (BPF_ALU | BPF_DIV)
47 #define BPF_ALU_MOD (BPF_ALU | BPF_MOD)
48 #define BPF_ALU_NEG (BPF_ALU | BPF_NEG)
49 #define BPF_ALU_AND (BPF_ALU | BPF_AND)
50 #define BPF_ALU_OR (BPF_ALU | BPF_OR)
51 #define BPF_ALU_XOR (BPF_ALU | BPF_XOR)
52 #define BPF_ALU_LSH (BPF_ALU | BPF_LSH)
53 #define BPF_ALU_RSH (BPF_ALU | BPF_RSH)
54 #define BPF_MISC_TAX (BPF_MISC | BPF_TAX)
55 #define BPF_MISC_TXA (BPF_MISC | BPF_TXA)
56
57 static const char *op_table[] = {
58 [BPF_LD_B] = "ldb",
59 [BPF_LD_H] = "ldh",
60 [BPF_LD_W] = "ld",
61 [BPF_LDX] = "ldx",
62 [BPF_LDX_B] = "ldxb",
63 [BPF_ST] = "st",
64 [BPF_STX] = "stx",
65 [BPF_JMP_JA] = "ja",
66 [BPF_JMP_JEQ] = "jeq",
67 [BPF_JMP_JGT] = "jgt",
68 [BPF_JMP_JGE] = "jge",
69 [BPF_JMP_JSET] = "jset",
70 [BPF_ALU_ADD] = "add",
71 [BPF_ALU_SUB] = "sub",
72 [BPF_ALU_MUL] = "mul",
73 [BPF_ALU_DIV] = "div",
74 [BPF_ALU_MOD] = "mod",
75 [BPF_ALU_NEG] = "neg",
76 [BPF_ALU_AND] = "and",
77 [BPF_ALU_OR] = "or",
78 [BPF_ALU_XOR] = "xor",
79 [BPF_ALU_LSH] = "lsh",
80 [BPF_ALU_RSH] = "rsh",
81 [BPF_RET] = "ret",
82 [BPF_MISC_TAX] = "tax",
83 [BPF_MISC_TXA] = "txa",
84 };
85
86 void bpf_dump_op_table(void)
87 {
88 int i;
89 for (i = 0; i < array_size(op_table); ++i) {
90 if (op_table[i])
91 printf("%s\n", op_table[i]);
92 }
93 }
94
95 static const char *bpf_dump_linux_k(uint32_t k)
96 {
97 switch (k) {
98 default:
99 return "[%d]";
100 /* Linux specific arguments */
101 case (SKF_AD_OFF + SKF_AD_PROTOCOL):
102 return "#proto";
103 case (SKF_AD_OFF + SKF_AD_PKTTYPE):
104 return "#type";
105 case (SKF_AD_OFF + SKF_AD_IFINDEX):
106 return "#ifidx";
107 case (SKF_AD_OFF + SKF_AD_NLATTR):
108 return "#nla";
109 case (SKF_AD_OFF + SKF_AD_NLATTR_NEST):
110 return "#nlan";
111 case (SKF_AD_OFF + SKF_AD_MARK):
112 return "#mark";
113 case (SKF_AD_OFF + SKF_AD_QUEUE):
114 return "#queue";
115 case (SKF_AD_OFF + SKF_AD_HATYPE):
116 return "#hatype";
117 case (SKF_AD_OFF + SKF_AD_RXHASH):
118 return "#rxhash";
119 case (SKF_AD_OFF + SKF_AD_CPU):
120 return "#cpu";
121 case (SKF_AD_OFF + SKF_AD_VLAN_TAG):
122 return "#vlant";
123 case (SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT):
124 return "#vlanp";
125 }
126 }
127
128 static char *bpf_dump(const struct sock_filter bpf, int n)
129 {
130 int v;
131 const char *fmt, *op;
132 static char image[256];
133 char operand[64];
134
135 v = bpf.k;
136 switch (bpf.code) {
137 default:
138 op = "unimp";
139 fmt = "0x%x";
140 v = bpf.code;
141 break;
142 case BPF_RET | BPF_K:
143 op = op_table[BPF_RET];
144 fmt = "#0x%x";
145 break;
146 case BPF_RET | BPF_A:
147 op = op_table[BPF_RET];
148 fmt = "";
149 break;
150 case BPF_LD_W | BPF_ABS:
151 op = op_table[BPF_LD_W];
152 fmt = bpf_dump_linux_k(bpf.k);
153 break;
154 case BPF_LD_H | BPF_ABS:
155 op = op_table[BPF_LD_H];
156 fmt = bpf_dump_linux_k(bpf.k);
157 break;
158 case BPF_LD_B | BPF_ABS:
159 op = op_table[BPF_LD_B];
160 fmt = bpf_dump_linux_k(bpf.k);
161 break;
162 case BPF_LD_W | BPF_LEN:
163 op = op_table[BPF_LD_W];
164 fmt = "#len";
165 break;
166 case BPF_LD_W | BPF_IND:
167 op = op_table[BPF_LD_W];
168 fmt = "[x + %d]";
169 break;
170 case BPF_LD_H | BPF_IND:
171 op = op_table[BPF_LD_H];
172 fmt = "[x + %d]";
173 break;
174 case BPF_LD_B | BPF_IND:
175 op = op_table[BPF_LD_B];
176 fmt = "[x + %d]";
177 break;
178 case BPF_LD | BPF_IMM:
179 op = op_table[BPF_LD_W];
180 fmt = "#0x%x";
181 break;
182 case BPF_LDX | BPF_IMM:
183 op = op_table[BPF_LDX];
184 fmt = "#0x%x";
185 break;
186 case BPF_LDX_B | BPF_MSH:
187 op = op_table[BPF_LDX_B];
188 fmt = "4*([%d]&0xf)";
189 break;
190 case BPF_LD | BPF_MEM:
191 op = op_table[BPF_LD_W];
192 fmt = "M[%d]";
193 break;
194 case BPF_LDX | BPF_MEM:
195 op = op_table[BPF_LDX];
196 fmt = "M[%d]";
197 break;
198 case BPF_ST:
199 op = op_table[BPF_ST];
200 fmt = "M[%d]";
201 break;
202 case BPF_STX:
203 op = op_table[BPF_STX];
204 fmt = "M[%d]";
205 break;
206 case BPF_JMP_JA:
207 op = op_table[BPF_JMP_JA];
208 fmt = "%d";
209 v = n + 1 + bpf.k;
210 break;
211 case BPF_JMP_JGT | BPF_K:
212 op = op_table[BPF_JMP_JGT];
213 fmt = "#0x%x";
214 break;
215 case BPF_JMP_JGE | BPF_K:
216 op = op_table[BPF_JMP_JGE];
217 fmt = "#0x%x";
218 break;
219 case BPF_JMP_JEQ | BPF_K:
220 op = op_table[BPF_JMP_JEQ];
221 fmt = "#0x%x";
222 break;
223 case BPF_JMP_JSET | BPF_K:
224 op = op_table[BPF_JMP_JSET];
225 fmt = "#0x%x";
226 break;
227 case BPF_JMP_JGT | BPF_X:
228 op = op_table[BPF_JMP_JGT];
229 fmt = "x";
230 break;
231 case BPF_JMP_JGE | BPF_X:
232 op = op_table[BPF_JMP_JGE];
233 fmt = "x";
234 break;
235 case BPF_JMP_JEQ | BPF_X:
236 op = op_table[BPF_JMP_JEQ];
237 fmt = "x";
238 break;
239 case BPF_JMP_JSET | BPF_X:
240 op = op_table[BPF_JMP_JSET];
241 fmt = "x";
242 break;
243 case BPF_ALU_ADD | BPF_X:
244 op = op_table[BPF_ALU_ADD];
245 fmt = "x";
246 break;
247 case BPF_ALU_SUB | BPF_X:
248 op = op_table[BPF_ALU_SUB];
249 fmt = "x";
250 break;
251 case BPF_ALU_MUL | BPF_X:
252 op = op_table[BPF_ALU_MUL];
253 fmt = "x";
254 break;
255 case BPF_ALU_DIV | BPF_X:
256 op = op_table[BPF_ALU_DIV];
257 fmt = "x";
258 break;
259 case BPF_ALU_MOD | BPF_X:
260 op = op_table[BPF_ALU_MOD];
261 fmt = "x";
262 break;
263 case BPF_ALU_AND | BPF_X:
264 op = op_table[BPF_ALU_AND];
265 fmt = "x";
266 break;
267 case BPF_ALU_OR | BPF_X:
268 op = op_table[BPF_ALU_OR];
269 fmt = "x";
270 break;
271 case BPF_ALU_XOR | BPF_X:
272 op = op_table[BPF_ALU_XOR];
273 fmt = "x";
274 break;
275 case BPF_ALU_LSH | BPF_X:
276 op = op_table[BPF_ALU_LSH];
277 fmt = "x";
278 break;
279 case BPF_ALU_RSH | BPF_X:
280 op = op_table[BPF_ALU_RSH];
281 fmt = "x";
282 break;
283 case BPF_ALU_ADD | BPF_K:
284 op = op_table[BPF_ALU_ADD];
285 fmt = "#%d";
286 break;
287 case BPF_ALU_SUB | BPF_K:
288 op = op_table[BPF_ALU_SUB];
289 fmt = "#%d";
290 break;
291 case BPF_ALU_MUL | BPF_K:
292 op = op_table[BPF_ALU_MUL];
293 fmt = "#%d";
294 break;
295 case BPF_ALU_DIV | BPF_K:
296 op = op_table[BPF_ALU_DIV];
297 fmt = "#%d";
298 break;
299 case BPF_ALU_MOD | BPF_K:
300 op = op_table[BPF_ALU_MOD];
301 fmt = "#%d";
302 break;
303 case BPF_ALU_AND | BPF_K:
304 op = op_table[BPF_ALU_AND];
305 fmt = "#0x%x";
306 break;
307 case BPF_ALU_OR | BPF_K:
308 op = op_table[BPF_ALU_OR];
309 fmt = "#0x%x";
310 break;
311 case BPF_ALU_XOR | BPF_K:
312 op = op_table[BPF_ALU_XOR];
313 fmt = "#0x%x";
314 break;
315 case BPF_ALU_LSH | BPF_K:
316 op = op_table[BPF_ALU_LSH];
317 fmt = "#%d";
318 break;
319 case BPF_ALU_RSH | BPF_K:
320 op = op_table[BPF_ALU_RSH];
321 fmt = "#%d";
322 break;
323 case BPF_ALU_NEG:
324 op = op_table[BPF_ALU_NEG];
325 fmt = "";
326 break;
327 case BPF_MISC_TAX:
328 op = op_table[BPF_MISC_TAX];
329 fmt = "";
330 break;
331 case BPF_MISC_TXA:
332 op = op_table[BPF_MISC_TXA];
333 fmt = "";
334 break;
335 }
336
337 slprintf(operand, sizeof(operand), fmt, v);
338 slprintf(image, sizeof(image),
339 (BPF_CLASS(bpf.code) == BPF_JMP &&
340 BPF_OP(bpf.code) != BPF_JA) ?
341 " L%d: %s %s, L%d, L%d" : " L%d: %s %s",
342 n, op, operand, n + 1 + bpf.jt, n + 1 + bpf.jf);
343
344 return image;
345 }
346
347 void bpf_dump_all(struct sock_fprog *bpf)
348 {
349 int i;
350 for (i = 0; i < bpf->len; ++i)
351 printf("%s\n", bpf_dump(bpf->filter[i], i));
352 }
353
354 void bpf_attach_to_sock(int sock, struct sock_fprog *bpf)
355 {
356 int ret;
357
358 if (bpf->filter[0].code == BPF_RET &&
359 bpf->filter[0].k == 0xFFFFFFFF)
360 return;
361
362 ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER,
363 bpf, sizeof(*bpf));
364 if (ret < 0)
365 panic("Cannot attach filter to socket!\n");
366 }
367
368 void bpf_detach_from_sock(int sock)
369 {
370 int ret, empty = 0;
371
372 ret = setsockopt(sock, SOL_SOCKET, SO_DETACH_FILTER,
373 &empty, sizeof(empty));
374 if (ret < 0)
375 panic("Cannot detach filter from socket!\n");
376 }
377
378 void enable_kernel_bpf_jit_compiler(void)
379 {
380 int fd;
381 ssize_t ret;
382 char *file = "/proc/sys/net/core/bpf_jit_enable";
383
384 fd = open(file, O_WRONLY);
385 if (fd < 0)
386 return;
387
388 ret = write(fd, "1", strlen("1"));
389 if (ret > 0)
390 printf("BPF JIT\n");
391
392 close(fd);
393 }
394
395 int bpf_validate(const struct sock_fprog *bpf)
396 {
397 uint32_t i, from;
398 const struct sock_filter *p;
399
400 if (!bpf)
401 return 0;
402 if (bpf->len < 1)
403 return 0;
404
405 for (i = 0; i < bpf->len; ++i) {
406 p = &bpf->filter[i];
407 switch (BPF_CLASS(p->code)) {
408 /* Check that memory operations use valid addresses. */
409 case BPF_LD:
410 case BPF_LDX:
411 switch (BPF_MODE(p->code)) {
412 case BPF_IMM:
413 break;
414 case BPF_ABS:
415 case BPF_IND:
416 case BPF_MSH:
417 /* There's no maximum packet data size
418 * in userland. The runtime packet length
419 * check suffices.
420 */
421 break;
422 case BPF_MEM:
423 if (p->k >= BPF_MEMWORDS)
424 return 0;
425 break;
426 case BPF_LEN:
427 break;
428 default:
429 return 0;
430 }
431 break;
432 case BPF_ST:
433 case BPF_STX:
434 if (p->k >= BPF_MEMWORDS)
435 return 0;
436 break;
437 case BPF_ALU:
438 switch (BPF_OP(p->code)) {
439 case BPF_ADD:
440 case BPF_SUB:
441 case BPF_MUL:
442 case BPF_OR:
443 case BPF_XOR:
444 case BPF_AND:
445 case BPF_LSH:
446 case BPF_RSH:
447 case BPF_NEG:
448 break;
449 case BPF_DIV:
450 case BPF_MOD:
451 /* Check for constant division by 0 (undefined
452 * for div and mod).
453 */
454 if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
455 return 0;
456 break;
457 default:
458 return 0;
459 }
460 break;
461 case BPF_JMP:
462 /* Check that jumps are within the code block,
463 * and that unconditional branches don't go
464 * backwards as a result of an overflow.
465 * Unconditional branches have a 32-bit offset,
466 * so they could overflow; we check to make
467 * sure they don't. Conditional branches have
468 * an 8-bit offset, and the from address is <=
469 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
470 * is sufficiently small that adding 255 to it
471 * won't overflow.
472 *
473 * We know that len is <= BPF_MAXINSNS, and we
474 * assume that BPF_MAXINSNS is < the maximum size
475 * of a u_int, so that i + 1 doesn't overflow.
476 *
477 * For userland, we don't know that the from
478 * or len are <= BPF_MAXINSNS, but we know that
479 * from <= len, and, except on a 64-bit system,
480 * it's unlikely that len, if it truly reflects
481 * the size of the program we've been handed,
482 * will be anywhere near the maximum size of
483 * a u_int. We also don't check for backward
484 * branches, as we currently support them in
485 * userland for the protochain operation.
486 */
487 from = i + 1;
488 switch (BPF_OP(p->code)) {
489 case BPF_JA:
490 if (from + p->k >= bpf->len)
491 return 0;
492 break;
493 case BPF_JEQ:
494 case BPF_JGT:
495 case BPF_JGE:
496 case BPF_JSET:
497 if (from + p->jt >= bpf->len ||
498 from + p->jf >= bpf->len)
499 return 0;
500 break;
501 default:
502 return 0;
503 }
504 break;
505 case BPF_RET:
506 break;
507 case BPF_MISC:
508 break;
509 default:
510 return 0;
511 }
512 }
513
514 return BPF_CLASS(bpf->filter[bpf->len - 1].code) == BPF_RET;
515 }
516
517 uint32_t bpf_run_filter(const struct sock_fprog * fcode, uint8_t * packet,
518 size_t plen)
519 {
520 /* XXX: caplen == len */
521 uint32_t A, X;
522 uint32_t k;
523 struct sock_filter *bpf;
524 int32_t mem[BPF_MEMWORDS];
525
526 if (fcode == NULL || fcode->filter == NULL || fcode->len == 0)
527 return 0xFFFFFFFF;
528
529 A = 0;
530 X = 0;
531
532 bpf = fcode->filter;
533 --bpf;
534 while (1) {
535 ++bpf;
536 switch (bpf->code) {
537 default:
538 return 0;
539 case BPF_RET | BPF_K:
540 return (uint32_t) bpf->k;
541 case BPF_RET | BPF_A:
542 return (uint32_t) A;
543 case BPF_LD_W | BPF_ABS:
544 /* No Linux extensions supported here! */
545 k = bpf->k;
546 if (k + sizeof(int32_t) > plen)
547 return 0;
548 A = EXTRACT_LONG(&packet[k]);
549 continue;
550 case BPF_LD_H | BPF_ABS:
551 /* No Linux extensions supported here! */
552 k = bpf->k;
553 if (k + sizeof(short) > plen)
554 return 0;
555 A = EXTRACT_SHORT(&packet[k]);
556 continue;
557 case BPF_LD_B | BPF_ABS:
558 /* No Linux extensions supported here! */
559 k = bpf->k;
560 if (k >= plen)
561 return 0;
562 A = packet[k];
563 continue;
564 case BPF_LD_W | BPF_LEN:
565 A = plen;
566 continue;
567 case BPF_LDX_W | BPF_LEN:
568 X = plen;
569 continue;
570 case BPF_LD_W | BPF_IND:
571 k = X + bpf->k;
572 if (k + sizeof(int32_t) > plen)
573 return 0;
574 A = EXTRACT_LONG(&packet[k]);
575 continue;
576 case BPF_LD_H | BPF_IND:
577 k = X + bpf->k;
578 if (k + sizeof(short) > plen)
579 return 0;
580 A = EXTRACT_SHORT(&packet[k]);
581 continue;
582 case BPF_LD_B | BPF_IND:
583 k = X + bpf->k;
584 if (k >= plen)
585 return 0;
586 A = packet[k];
587 continue;
588 case BPF_LDX_B | BPF_MSH:
589 k = bpf->k;
590 if (k >= plen)
591 return 0;
592 X = (packet[bpf->k] & 0xf) << 2;
593 continue;
594 case BPF_LD | BPF_IMM:
595 A = bpf->k;
596 continue;
597 case BPF_LDX | BPF_IMM:
598 X = bpf->k;
599 continue;
600 case BPF_LD | BPF_MEM:
601 A = mem[bpf->k];
602 continue;
603 case BPF_LDX | BPF_MEM:
604 X = mem[bpf->k];
605 continue;
606 case BPF_ST:
607 mem[bpf->k] = A;
608 continue;
609 case BPF_STX:
610 mem[bpf->k] = X;
611 continue;
612 case BPF_JMP_JA:
613 bpf += bpf->k;
614 continue;
615 case BPF_JMP_JGT | BPF_K:
616 bpf += (A > bpf->k) ? bpf->jt : bpf->jf;
617 continue;
618 case BPF_JMP_JGE | BPF_K:
619 bpf += (A >= bpf->k) ? bpf->jt : bpf->jf;
620 continue;
621 case BPF_JMP_JEQ | BPF_K:
622 bpf += (A == bpf->k) ? bpf->jt : bpf->jf;
623 continue;
624 case BPF_JMP_JSET | BPF_K:
625 bpf += (A & bpf->k) ? bpf->jt : bpf->jf;
626 continue;
627 case BPF_JMP_JGT | BPF_X:
628 bpf += (A > X) ? bpf->jt : bpf->jf;
629 continue;
630 case BPF_JMP_JGE | BPF_X:
631 bpf += (A >= X) ? bpf->jt : bpf->jf;
632 continue;
633 case BPF_JMP_JEQ | BPF_X:
634 bpf += (A == X) ? bpf->jt : bpf->jf;
635 continue;
636 case BPF_JMP_JSET | BPF_X:
637 bpf += (A & X) ? bpf->jt : bpf->jf;
638 continue;
639 case BPF_ALU_ADD | BPF_X:
640 A += X;
641 continue;
642 case BPF_ALU_SUB | BPF_X:
643 A -= X;
644 continue;
645 case BPF_ALU_MUL | BPF_X:
646 A *= X;
647 continue;
648 case BPF_ALU_DIV | BPF_X:
649 if (X == 0)
650 return 0;
651 A /= X;
652 continue;
653 case BPF_ALU_MOD | BPF_X:
654 if (X == 0)
655 return 0;
656 A %= X;
657 continue;
658 case BPF_ALU_AND | BPF_X:
659 A &= X;
660 continue;
661 case BPF_ALU_OR | BPF_X:
662 A |= X;
663 continue;
664 case BPF_ALU_XOR | BPF_X:
665 A ^= X;
666 continue;
667 case BPF_ALU_LSH | BPF_X:
668 A <<= X;
669 continue;
670 case BPF_ALU_RSH | BPF_X:
671 A >>= X;
672 continue;
673 case BPF_ALU_ADD | BPF_K:
674 A += bpf->k;
675 continue;
676 case BPF_ALU_SUB | BPF_K:
677 A -= bpf->k;
678 continue;
679 case BPF_ALU_MUL | BPF_K:
680 A *= bpf->k;
681 continue;
682 case BPF_ALU_DIV | BPF_K:
683 A /= bpf->k;
684 continue;
685 case BPF_ALU_MOD | BPF_K:
686 A %= bpf->k;
687 continue;
688 case BPF_ALU_AND | BPF_K:
689 A &= bpf->k;
690 continue;
691 case BPF_ALU_OR | BPF_K:
692 A |= bpf->k;
693 continue;
694 case BPF_ALU_XOR | BPF_K:
695 A ^= bpf->k;
696 continue;
697 case BPF_ALU_LSH | BPF_K:
698 A <<= bpf->k;
699 continue;
700 case BPF_ALU_RSH | BPF_K:
701 A >>= bpf->k;
702 continue;
703 case BPF_ALU_NEG:
704 A = -A;
705 continue;
706 case BPF_MISC_TAX:
707 X = A;
708 continue;
709 case BPF_MISC_TXA:
710 A = X;
711 continue;
712 }
713 }
714 }
715
716 void bpf_parse_rules(char *rulefile, struct sock_fprog *bpf)
717 {
718 int ret;
719 char buff[256];
720 struct sock_filter sf_single = { 0x06, 0, 0, 0xFFFFFFFF };
721 FILE *fp;
722
723 if (rulefile == NULL) {
724 bpf->len = 1;
725 bpf->filter = xmalloc(sizeof(sf_single));
726 fmemcpy(&bpf->filter[0], &sf_single, sizeof(sf_single));
727 return;
728 }
729
730 fp = fopen(rulefile, "r");
731 if (!fp)
732 panic("Cannot read BPF rule file!\n");
733
734 fmemset(buff, 0, sizeof(buff));
735 while (fgets(buff, sizeof(buff), fp) != NULL) {
736 buff[sizeof(buff) - 1] = 0;
737 if (buff[0] != '{') {
738 fmemset(buff, 0, sizeof(buff));
739 continue;
740 }
741
742 fmemset(&sf_single, 0, sizeof(sf_single));
743 ret = sscanf(buff, "{ 0x%x, %u, %u, 0x%08x },",
744 (unsigned int *) &sf_single.code,
745 (unsigned int *) &sf_single.jt,
746 (unsigned int *) &sf_single.jf,
747 (unsigned int *) &sf_single.k);
748 if (ret != 4)
749 panic("BPF syntax error!\n");
750
751 bpf->len++;
752 bpf->filter = xrealloc(bpf->filter, 1,
753 bpf->len * sizeof(sf_single));
754
755 fmemcpy(&bpf->filter[bpf->len - 1], &sf_single,
756 sizeof(sf_single));
757 fmemset(buff, 0, sizeof(buff));
758 }
759
760 fclose(fp);
761
762 if (bpf_validate(bpf) == 0)
763 panic("This is not a valid BPF program!\n");
764 }
netsniff-ng, the packet sniffing beast