diff options
author | Daniel Borkmann <dborkman@redhat.com> | 2013-05-23 11:08:03 +0200 |
---|---|---|
committer | Daniel Borkmann <dborkman@redhat.com> | 2013-05-23 11:10:55 +0200 |
commit | 4584b955420cd8d2fcae767c86b853fde4bccc6e (patch) | |
tree | a0a00667b54fd4d3b4bda48185ce5df98ca24bc5 | |
parent | 4e497b9aa7e8635a9414021bd1bf31a9ff923566 (diff) |
bpfc: allow bpf programs to be passed to cpp
This patch allows bpf programs to be passed to the C preprocessor
before handing over to bpfc. Example:
#define ETH_P_IP 0x800
ldh [12]
jne #ETH_P_IP, drop
ldb [23]
jneq #6, drop
ldh [20]
jset #0x1fff, drop
ldxb 4 * ([14] & 0xf)
ldh [x + 14]
jeq #0x16, pass
ldh [x + 16]
jne #0x16, drop
pass: ret #-1
drop: ret #0
Compile with: bpfc -i foo -p
Suggested-by: John Lange <JLange@trendium.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-rw-r--r-- | bpf_lexer.l | 1 | ||||
-rw-r--r-- | bpf_parser.y | 30 | ||||
-rw-r--r-- | bpfc.8 | 11 | ||||
-rw-r--r-- | bpfc.c | 14 |
4 files changed, 48 insertions, 8 deletions
diff --git a/bpf_lexer.l b/bpf_lexer.l index a2ff90a..185faae 100644 --- a/bpf_lexer.l +++ b/bpf_lexer.l @@ -119,6 +119,7 @@ label [a-zA-Z_][a-zA-Z0-9_]+ "/*"([^\*]|\*[^/])*"*/" { /* NOP */ } ";"[^\n]* {/* NOP */} +^#.* {/* NOP */} "\n" { yylineno++; } [ \t]+ {/* NOP */ } . { printf("Unknown character '%s'", yytext); diff --git a/bpf_parser.y b/bpf_parser.y index 459ea99..7734fb3 100644 --- a/bpf_parser.y +++ b/bpf_parser.y @@ -16,16 +16,19 @@ #include <signal.h> #include <stdint.h> #include <errno.h> +#include <libgen.h> #include "bpf.h" #include "xmalloc.h" #include "bpf_parser.tab.h" #include "built_in.h" #include "die.h" +#include "xutils.h" #define MAX_INSTRUCTIONS 4096 -int compile_filter(char *file, int verbose, int bypass, int format); +int compile_filter(char *file, int verbose, int bypass, int format, + bool invoke_cpp); static int curr_instr = 0; @@ -659,10 +662,30 @@ static void pretty_printer(const struct sock_fprog *prog, int format) } } -int compile_filter(char *file, int verbose, int bypass, int format) +int compile_filter(char *file, int verbose, int bypass, int format, + bool invoke_cpp) { int i; struct sock_fprog res; + char tmp_file[128]; + + memset(tmp_file, 0, sizeof(tmp_file)); + + if (invoke_cpp) { + char cmd[256], *dir, *base, *a, *b; + + dir = dirname((a = xstrdup(file))); + base = basename((b = xstrdup(file))); + + slprintf(tmp_file, sizeof(tmp_file), "%s/.tmp-%u-%s", dir, rand(), base); + slprintf(cmd, sizeof(cmd), "cpp -I" PREFIX_STRING + "/etc/netsniff-ng/ %s > %s", file, tmp_file); + system(cmd); + + file = tmp_file; + xfree(a); + xfree(b); + } if (!strncmp("-", file, strlen("-"))) yyin = stdin; @@ -718,6 +741,9 @@ int compile_filter(char *file, int verbose, int bypass, int format) } fclose(yyin); + if (invoke_cpp) + unlink(tmp_file); + return 0; } @@ -57,6 +57,11 @@ source tree under: tools/net/bpf_jit_disasm.c .SS -i <source-file/->, --input <source-file/-> Read BPF assembly instruction from an input file or from stdin. .PP +.SS -p, --cpp +Pass the bpf program through the C preprocessor before reading it in +bpfc. This allows #define and #include directives (e.g. to include +definitions from system headers) to be used in the bpf program. +.PP .SS -f <format>, --format <format> Specify a different output format than the default that is netsniff-ng compatible. The <format> specifier can be: C, netsniff-ng, xt_bpf, tcpdump. @@ -284,9 +289,11 @@ words, some small example filter programs: Compile the source file ''fubar'' into BPF opcodes. Opcodes will be directed to stdout. .PP -.SS bpfc -f xt_bpf -b -i fubar, resp. iptables -A INPUT -m bpf --bytecode "`bpfc -f xt_bpf -i fubar`" -j LOG +.SS bpfc -f xt_bpf -b -p -i fubar, resp. iptables -A INPUT -m bpf --bytecode "`bpfc -f xt_bpf -i fubar`" -j LOG Compile the source file ''fubar'' into BPF opcodes, bypass basic filter -validation and emit opcodes in netfilter's xt_bpf readable format. +validation and emit opcodes in netfilter's xt_bpf readable format. Note +that the source file ''fubar'' is first passed to the C preprocessor for +textual replacments before handing over to the bpfc compiler. .PP .SS bpfc - Read bpfc instruction from stdin and emit opcodes to stdout. @@ -17,10 +17,11 @@ #include "die.h" #include "bpf.h" -static const char *short_options = "vhi:Vdbf:"; +static const char *short_options = "vhi:Vdbf:p"; static const struct option long_options[] = { {"input", required_argument, NULL, 'i'}, {"format", required_argument, NULL, 'f'}, + {"cpp", no_argument, NULL, 'p'}, {"verbose", no_argument, NULL, 'V'}, {"bypass", no_argument, NULL, 'b'}, {"dump", no_argument, NULL, 'd'}, @@ -29,7 +30,7 @@ static const struct option long_options[] = { {NULL, 0, NULL, 0} }; -extern int compile_filter(char *file, int verbose, int bypass, int format); +extern int compile_filter(char *file, int verbose, int bypass, int format, bool invoke_cpp); static void __noreturn help(void) { @@ -38,6 +39,7 @@ static void __noreturn help(void) "Usage: bpfc [options] || bpfc <program>\n" "Options:\n" " -i|--input <program/-> Berkeley Packet Filter file/stdin\n" + " -p|--cpp Run bpf program through C preprocessor\n" " -f|--format <format> Output format: C|netsniff-ng|xt_bpf|tcpdump\n" " -b|--bypass Bypass filter validation (e.g. for bug testing)\n" " -V|--verbose Be more verbose\n" @@ -48,7 +50,7 @@ static void __noreturn help(void) " bpfc fubar\n" " bpfc fubar > foo (bpfc -f C -i fubar > foo) --> netsniff-ng -f foo ...\n" " bpfc -f tcpdump -i fubar > foo --> tcpdump -ddd like ...\n" - " bpfc -f xt_bpf -b -i fubar\n" + " bpfc -f xt_bpf -b -p -i fubar\n" " iptables -A INPUT -m bpf --bytecode \"`./bpfc -f xt_bpf -i fubar`\" -j LOG\n" " bpfc - (read from stdin)\n\n" "Please report bugs to <bugs@netsniff-ng.org>\n" @@ -76,6 +78,7 @@ static void __noreturn version(void) int main(int argc, char **argv) { int ret, verbose = 0, c, opt_index, bypass = 0, format = 0; + bool invoke_cpp = false; char *file = NULL; setfsuid(getuid()); @@ -96,6 +99,9 @@ int main(int argc, char **argv) case 'V': verbose = 1; break; + case 'p': + invoke_cpp = true; + break; case 'f': if (!strncmp(optarg, "C", 1) || !strncmp(optarg, "netsniff-ng", 11)) @@ -137,7 +143,7 @@ int main(int argc, char **argv) if (!file) panic("No Berkeley Packet Filter program specified!\n"); - ret = compile_filter(file, verbose, bypass, format); + ret = compile_filter(file, verbose, bypass, format, invoke_cpp); xfree(file); return ret; |