summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Borkmann <dborkman@redhat.com>2013-05-23 11:08:03 +0200
committerDaniel Borkmann <dborkman@redhat.com>2013-05-23 11:10:55 +0200
commit4584b955420cd8d2fcae767c86b853fde4bccc6e (patch)
treea0a00667b54fd4d3b4bda48185ce5df98ca24bc5
parent4e497b9aa7e8635a9414021bd1bf31a9ff923566 (diff)
bpfc: allow bpf programs to be passed to cpp
This patch allows bpf programs to be passed to the C preprocessor before handing over to bpfc. Example: #define ETH_P_IP 0x800 ldh [12] jne #ETH_P_IP, drop ldb [23] jneq #6, drop ldh [20] jset #0x1fff, drop ldxb 4 * ([14] & 0xf) ldh [x + 14] jeq #0x16, pass ldh [x + 16] jne #0x16, drop pass: ret #-1 drop: ret #0 Compile with: bpfc -i foo -p Suggested-by: John Lange <JLange@trendium.com> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-rw-r--r--bpf_lexer.l1
-rw-r--r--bpf_parser.y30
-rw-r--r--bpfc.811
-rw-r--r--bpfc.c14
4 files changed, 48 insertions, 8 deletions
diff --git a/bpf_lexer.l b/bpf_lexer.l
index a2ff90a..185faae 100644
--- a/bpf_lexer.l
+++ b/bpf_lexer.l
@@ -119,6 +119,7 @@ label [a-zA-Z_][a-zA-Z0-9_]+
"/*"([^\*]|\*[^/])*"*/" { /* NOP */ }
";"[^\n]* {/* NOP */}
+^#.* {/* NOP */}
"\n" { yylineno++; }
[ \t]+ {/* NOP */ }
. { printf("Unknown character '%s'", yytext);
diff --git a/bpf_parser.y b/bpf_parser.y
index 459ea99..7734fb3 100644
--- a/bpf_parser.y
+++ b/bpf_parser.y
@@ -16,16 +16,19 @@
#include <signal.h>
#include <stdint.h>
#include <errno.h>
+#include <libgen.h>
#include "bpf.h"
#include "xmalloc.h"
#include "bpf_parser.tab.h"
#include "built_in.h"
#include "die.h"
+#include "xutils.h"
#define MAX_INSTRUCTIONS 4096
-int compile_filter(char *file, int verbose, int bypass, int format);
+int compile_filter(char *file, int verbose, int bypass, int format,
+ bool invoke_cpp);
static int curr_instr = 0;
@@ -659,10 +662,30 @@ static void pretty_printer(const struct sock_fprog *prog, int format)
}
}
-int compile_filter(char *file, int verbose, int bypass, int format)
+int compile_filter(char *file, int verbose, int bypass, int format,
+ bool invoke_cpp)
{
int i;
struct sock_fprog res;
+ char tmp_file[128];
+
+ memset(tmp_file, 0, sizeof(tmp_file));
+
+ if (invoke_cpp) {
+ char cmd[256], *dir, *base, *a, *b;
+
+ dir = dirname((a = xstrdup(file)));
+ base = basename((b = xstrdup(file)));
+
+ slprintf(tmp_file, sizeof(tmp_file), "%s/.tmp-%u-%s", dir, rand(), base);
+ slprintf(cmd, sizeof(cmd), "cpp -I" PREFIX_STRING
+ "/etc/netsniff-ng/ %s > %s", file, tmp_file);
+ system(cmd);
+
+ file = tmp_file;
+ xfree(a);
+ xfree(b);
+ }
if (!strncmp("-", file, strlen("-")))
yyin = stdin;
@@ -718,6 +741,9 @@ int compile_filter(char *file, int verbose, int bypass, int format)
}
fclose(yyin);
+ if (invoke_cpp)
+ unlink(tmp_file);
+
return 0;
}
diff --git a/bpfc.8 b/bpfc.8
index 6f9a504..41ee1e6 100644
--- a/bpfc.8
+++ b/bpfc.8
@@ -57,6 +57,11 @@ source tree under: tools/net/bpf_jit_disasm.c
.SS -i <source-file/->, --input <source-file/->
Read BPF assembly instruction from an input file or from stdin.
.PP
+.SS -p, --cpp
+Pass the bpf program through the C preprocessor before reading it in
+bpfc. This allows #define and #include directives (e.g. to include
+definitions from system headers) to be used in the bpf program.
+.PP
.SS -f <format>, --format <format>
Specify a different output format than the default that is netsniff-ng
compatible. The <format> specifier can be: C, netsniff-ng, xt_bpf, tcpdump.
@@ -284,9 +289,11 @@ words, some small example filter programs:
Compile the source file ''fubar'' into BPF opcodes. Opcodes will be
directed to stdout.
.PP
-.SS bpfc -f xt_bpf -b -i fubar, resp. iptables -A INPUT -m bpf --bytecode "`bpfc -f xt_bpf -i fubar`" -j LOG
+.SS bpfc -f xt_bpf -b -p -i fubar, resp. iptables -A INPUT -m bpf --bytecode "`bpfc -f xt_bpf -i fubar`" -j LOG
Compile the source file ''fubar'' into BPF opcodes, bypass basic filter
-validation and emit opcodes in netfilter's xt_bpf readable format.
+validation and emit opcodes in netfilter's xt_bpf readable format. Note
+that the source file ''fubar'' is first passed to the C preprocessor for
+textual replacments before handing over to the bpfc compiler.
.PP
.SS bpfc -
Read bpfc instruction from stdin and emit opcodes to stdout.
diff --git a/bpfc.c b/bpfc.c
index cd88d66..e8482fa 100644
--- a/bpfc.c
+++ b/bpfc.c
@@ -17,10 +17,11 @@
#include "die.h"
#include "bpf.h"
-static const char *short_options = "vhi:Vdbf:";
+static const char *short_options = "vhi:Vdbf:p";
static const struct option long_options[] = {
{"input", required_argument, NULL, 'i'},
{"format", required_argument, NULL, 'f'},
+ {"cpp", no_argument, NULL, 'p'},
{"verbose", no_argument, NULL, 'V'},
{"bypass", no_argument, NULL, 'b'},
{"dump", no_argument, NULL, 'd'},
@@ -29,7 +30,7 @@ static const struct option long_options[] = {
{NULL, 0, NULL, 0}
};
-extern int compile_filter(char *file, int verbose, int bypass, int format);
+extern int compile_filter(char *file, int verbose, int bypass, int format, bool invoke_cpp);
static void __noreturn help(void)
{
@@ -38,6 +39,7 @@ static void __noreturn help(void)
"Usage: bpfc [options] || bpfc <program>\n"
"Options:\n"
" -i|--input <program/-> Berkeley Packet Filter file/stdin\n"
+ " -p|--cpp Run bpf program through C preprocessor\n"
" -f|--format <format> Output format: C|netsniff-ng|xt_bpf|tcpdump\n"
" -b|--bypass Bypass filter validation (e.g. for bug testing)\n"
" -V|--verbose Be more verbose\n"
@@ -48,7 +50,7 @@ static void __noreturn help(void)
" bpfc fubar\n"
" bpfc fubar > foo (bpfc -f C -i fubar > foo) --> netsniff-ng -f foo ...\n"
" bpfc -f tcpdump -i fubar > foo --> tcpdump -ddd like ...\n"
- " bpfc -f xt_bpf -b -i fubar\n"
+ " bpfc -f xt_bpf -b -p -i fubar\n"
" iptables -A INPUT -m bpf --bytecode \"`./bpfc -f xt_bpf -i fubar`\" -j LOG\n"
" bpfc - (read from stdin)\n\n"
"Please report bugs to <bugs@netsniff-ng.org>\n"
@@ -76,6 +78,7 @@ static void __noreturn version(void)
int main(int argc, char **argv)
{
int ret, verbose = 0, c, opt_index, bypass = 0, format = 0;
+ bool invoke_cpp = false;
char *file = NULL;
setfsuid(getuid());
@@ -96,6 +99,9 @@ int main(int argc, char **argv)
case 'V':
verbose = 1;
break;
+ case 'p':
+ invoke_cpp = true;
+ break;
case 'f':
if (!strncmp(optarg, "C", 1) ||
!strncmp(optarg, "netsniff-ng", 11))
@@ -137,7 +143,7 @@ int main(int argc, char **argv)
if (!file)
panic("No Berkeley Packet Filter program specified!\n");
- ret = compile_filter(file, verbose, bypass, format);
+ ret = compile_filter(file, verbose, bypass, format, invoke_cpp);
xfree(file);
return ret;