      1  1.7.4.2  tls /*	$NetBSD: npf_bpf_comp.c,v 1.7.4.2 2014/08/20 00:05:11 tls Exp $	*/
      2  1.7.4.2  tls 
      3  1.7.4.2  tls /*-
      4  1.7.4.2  tls  * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
      5  1.7.4.2  tls  * All rights reserved.
      6  1.7.4.2  tls  *
      7  1.7.4.2  tls  * This material is based upon work partially supported by The
      8  1.7.4.2  tls  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
      9  1.7.4.2  tls  *
     10  1.7.4.2  tls  * Redistribution and use in source and binary forms, with or without
     11  1.7.4.2  tls  * modification, are permitted provided that the following conditions
     12  1.7.4.2  tls  * are met:
     13  1.7.4.2  tls  * 1. Redistributions of source code must retain the above copyright
     14  1.7.4.2  tls  *    notice, this list of conditions and the following disclaimer.
     15  1.7.4.2  tls  * 2. Redistributions in binary form must reproduce the above copyright
     16  1.7.4.2  tls  *    notice, this list of conditions and the following disclaimer in the
     17  1.7.4.2  tls  *    documentation and/or other materials provided with the distribution.
     18  1.7.4.2  tls  *
     19  1.7.4.2  tls  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     20  1.7.4.2  tls  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     21  1.7.4.2  tls  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     22  1.7.4.2  tls  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     23  1.7.4.2  tls  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     24  1.7.4.2  tls  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     25  1.7.4.2  tls  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     26  1.7.4.2  tls  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     27  1.7.4.2  tls  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     28  1.7.4.2  tls  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     29  1.7.4.2  tls  * POSSIBILITY OF SUCH DAMAGE.
     30  1.7.4.2  tls  */
     31  1.7.4.2  tls 
     32  1.7.4.2  tls /*
     33  1.7.4.2  tls  * BPF byte-code generation for NPF rules.
     34  1.7.4.2  tls  */
     35  1.7.4.2  tls 
     36  1.7.4.2  tls #include <sys/cdefs.h>
     37  1.7.4.2  tls __RCSID("$NetBSD: npf_bpf_comp.c,v 1.7.4.2 2014/08/20 00:05:11 tls Exp $");
     38  1.7.4.2  tls 
     39  1.7.4.2  tls #include <stdlib.h>
     40  1.7.4.2  tls #include <stdbool.h>
     41  1.7.4.2  tls #include <stddef.h>
     42  1.7.4.2  tls #include <string.h>
     43  1.7.4.2  tls #include <inttypes.h>
     44  1.7.4.2  tls #include <err.h>
     45  1.7.4.2  tls #include <assert.h>
     46  1.7.4.2  tls 
     47  1.7.4.2  tls #include <netinet/in.h>
     48  1.7.4.2  tls #include <netinet/in_systm.h>
     49  1.7.4.2  tls #include <netinet/ip.h>
     50  1.7.4.2  tls #include <netinet/ip6.h>
     51  1.7.4.2  tls #include <netinet/udp.h>
     52  1.7.4.2  tls #include <netinet/tcp.h>
     53  1.7.4.2  tls #include <netinet/ip_icmp.h>
     54  1.7.4.2  tls #include <netinet/icmp6.h>
     55  1.7.4.2  tls 
     56  1.7.4.2  tls #include <net/bpf.h>
     57  1.7.4.2  tls 
     58  1.7.4.2  tls #include "npfctl.h"
     59  1.7.4.2  tls 
     60  1.7.4.2  tls /*
     61  1.7.4.2  tls  * Note: clear X_EQ_L4OFF when register X is invalidated i.e. it stores
     62  1.7.4.2  tls  * something other than L4 header offset.  Generally, when BPF_LDX is used.
     63  1.7.4.2  tls  */
     64  1.7.4.2  tls #define	FETCHED_L3		0x01
     65  1.7.4.2  tls #define	CHECKED_L4		0x02
     66  1.7.4.2  tls #define	X_EQ_L4OFF		0x04
     67  1.7.4.2  tls 
struct npf_bpf {
	/*
	 * BPF program code (prog.bf_len counts instructions, not bytes),
	 * the allocated length of prog.bf_insns in bytes, the number of
	 * logical blocks recorded so far, the address family fixed by the
	 * first L3 check (0 until then) and the FETCHED_L3 / CHECKED_L4 /
	 * X_EQ_L4OFF state flags.
	 */
	struct bpf_program	prog;
	size_t			alen;
	u_int			nblocks;
	sa_family_t		af;
	uint32_t		flags;

	/*
	 * Group state: 'ingroup' is raised by npfctl_bpf_group(), 'goff'
	 * is the instruction offset at which the group started and
	 * 'gblock' is the value of 'nblocks' at that point.
	 */
	bool			ingroup;
	u_int			goff;
	u_int			gblock;

	/*
	 * BPF marks: raw uint32_t words appended by done_raw_block(),
	 * the allocated length and the used length (both in bytes).
	 */
	uint32_t *		marks;
	size_t			malen;
	size_t			mlen;
};
     89  1.7.4.2  tls 
     90  1.7.4.2  tls /*
     91  1.7.4.2  tls  * NPF success and failure values to be returned from BPF.
     92  1.7.4.2  tls  */
     93  1.7.4.2  tls #define	NPF_BPF_SUCCESS		((u_int)-1)
     94  1.7.4.2  tls #define	NPF_BPF_FAILURE		0
     95  1.7.4.2  tls 
     96  1.7.4.2  tls /*
     97  1.7.4.2  tls  * Magic value to indicate the failure path, which is fixed up on completion.
     98  1.7.4.2  tls  * Note: this is the longest jump offset in BPF, since the offset is one byte.
     99  1.7.4.2  tls  */
    100  1.7.4.2  tls #define	JUMP_MAGIC		0xff
    101  1.7.4.2  tls 
    102  1.7.4.2  tls /* Reduce re-allocations by expanding in 64 byte blocks. */
    103  1.7.4.2  tls #define	ALLOC_MASK		(64 - 1)
    104  1.7.4.2  tls #define	ALLOC_ROUND(x)		(((x) + ALLOC_MASK) & ~ALLOC_MASK)
    105  1.7.4.2  tls 
/*
 * npfctl_bpf_create: allocate a zero-initialised BPF generation context.
 *
 * The caller owns the context and releases it with npfctl_bpf_destroy().
 * ecalloc() does not return on allocation failure.
 */
npf_bpf_t *
npfctl_bpf_create(void)
{
	npf_bpf_t *ctx;

	ctx = ecalloc(1, sizeof(*ctx));
	return ctx;
}
    111  1.7.4.2  tls 
/*
 * fixup_jumps: resolve the JUMP_MAGIC placeholders of the jump
 * instructions in the range [start, end) so that they land on the
 * instruction at offset end + 1.  With 'swap', the true/false targets of
 * every jump in the range are exchanged first (this is how a group turns
 * its AND-chained blocks into an OR).
 *
 * BPF jump offsets are a single byte, so the distance to the target must
 * stay below JUMP_MAGIC; otherwise JUMP_MAGIC could be produced as a real
 * offset and be re-resolved by a later pass.  Violations are fatal.
 */
static void
fixup_jumps(npf_bpf_t *ctx, u_int start, u_int end, bool swap)
{
	struct bpf_insn *insns = ctx->prog.bf_insns;

	for (u_int pc = start; pc < end; pc++) {
		struct bpf_insn *insn = insns + pc;
		/* Targets are relative to pc + 1, so 'dist' reaches end + 1. */
		const u_int dist = end - pc;

		/* Checked for every instruction, i.e. the whole range length. */
		if (dist >= JUMP_MAGIC) {
			errx(EXIT_FAILURE, "BPF generation error: "
			    "the number of instructions is over the limit");
		}
		if (BPF_CLASS(insn->code) != BPF_JMP) {
			continue;
		}
		if (swap) {
			const uint8_t saved_jt = insn->jt;
			insn->jt = insn->jf;
			insn->jf = saved_jt;
		}
		if (insn->jt == JUMP_MAGIC) {
			insn->jt = dist;
		}
		if (insn->jf == JUMP_MAGIC) {
			insn->jf = dist;
		}
	}
}
    139  1.7.4.2  tls 
/*
 * add_insns: append 'count' instructions to the program, growing the
 * buffer in ALLOC_MASK + 1 byte steps to reduce re-allocations.
 *
 * => erealloc() does not return on failure.
 * => bf_len counts instructions; the byte offsets are derived from it.
 */
static void
add_insns(npf_bpf_t *ctx, struct bpf_insn *insns, size_t count)
{
	struct bpf_program *bp = &ctx->prog;
	const size_t used = bp->bf_len * sizeof(struct bpf_insn);
	const size_t added = count * sizeof(struct bpf_insn);
	const size_t want = ALLOC_ROUND(used + added);

	if (want > ctx->alen) {
		bp->bf_insns = erealloc(bp->bf_insns, want);
		ctx->alen = want;
	}

	/* Pointer arithmetic in instruction units == byte offset 'used'. */
	memcpy(bp->bf_insns + bp->bf_len, insns, added);
	bp->bf_len += count;
}
    161  1.7.4.2  tls 
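/*
 * done_raw_block: append a block description (the "marks") to the
 * context.  The description is 'len' bytes of uint32_t words laid out
 * as { mark, nargs, arg0 .. arg(nargs-1) }.
 *
 * => Validates the shape before dereferencing m[1]: 'len' must be a whole
 *    number of words and hold at least the two header words, and the
 *    word count after the header must equal nargs.  Any mismatch is fatal.
 * => erealloc() does not return on failure.
 */
static void
done_raw_block(npf_bpf_t *ctx, const uint32_t *m, size_t len)
{
	const size_t hdrlen = 2 * sizeof(uint32_t);
	size_t reqlen, nargs;

	/*
	 * Shape first: the original arithmetic would underflow for a
	 * short 'len' and silently accept a length that is not word-sized.
	 */
	if (len < hdrlen || (len % sizeof(uint32_t)) != 0) {
		errx(EXIT_FAILURE, "invalid BPF block description");
	}
	nargs = m[1];
	if ((len / sizeof(uint32_t) - 2) != nargs) {
		errx(EXIT_FAILURE, "invalid BPF block description");
	}

	reqlen = ALLOC_ROUND(ctx->mlen + len);
	if (reqlen > ctx->malen) {
		ctx->marks = erealloc(ctx->marks, reqlen);
		ctx->malen = reqlen;
	}
	memcpy((uint8_t *)ctx->marks + ctx->mlen, m, len);
	ctx->mlen += len;
}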
    178  1.7.4.2  tls 
/*
 * done_block: record the marks of a finished block and count it as one
 * logical block (groups and the L3 check use the block count).
 */
static void
done_block(npf_bpf_t *ctx, const uint32_t *m, size_t len)
{
	done_raw_block(ctx, m, len);
	ctx->nblocks += 1;
}
    185  1.7.4.2  tls 
/*
 * npfctl_bpf_complete: append the epilogue and resolve the failure path.
 *
 * Falling through every block reaches the success return at 'retoff';
 * each JUMP_MAGIC placeholder is resolved to retoff + 1, the failure
 * return.  The returned program lives inside the context and is freed by
 * npfctl_bpf_destroy().  Calling this again would append a second
 * epilogue, so it is meant to be called once, after the last block.
 */
struct bpf_program *
npfctl_bpf_complete(npf_bpf_t *ctx)
{
	struct bpf_program *bp = &ctx->prog;
	const u_int retoff = bp->bf_len;
	struct bpf_insn epilogue[] = {
		BPF_STMT(BPF_RET+BPF_K, NPF_BPF_SUCCESS),
		BPF_STMT(BPF_RET+BPF_K, NPF_BPF_FAILURE),
	};

	add_insns(ctx, epilogue, __arraycount(epilogue));

	/* Every unresolved jump in the body now targets the failure return. */
	fixup_jumps(ctx, 0, retoff, false);
	return bp;
}
    204  1.7.4.2  tls 
/*
 * npfctl_bpf_bmarks: return the recorded marks and store their byte
 * length in *len.  The pointer is owned by the context (NULL with a zero
 * length if no marks were recorded) and is released by
 * npfctl_bpf_destroy().
 */
const void *
npfctl_bpf_bmarks(npf_bpf_t *ctx, size_t *len)
{
	const size_t used = ctx->mlen;

	*len = used;
	return ctx->marks;
}
    211  1.7.4.2  tls 
/*
 * npfctl_bpf_destroy: release the context, its program and its marks.
 * Pointers previously obtained from npfctl_bpf_complete() or
 * npfctl_bpf_bmarks() are invalid afterwards.
 */
void
npfctl_bpf_destroy(npf_bpf_t *ctx)
{
	struct bpf_program *bp = &ctx->prog;

	free(bp->bf_insns);
	free(ctx->marks);
	free(ctx);
}
    219  1.7.4.2  tls 
/*
 * npfctl_bpf_group: begin a logical group.  It merely uses logical
 * disjunction (OR) for compares within the group.
 *
 * Records the current instruction offset and block count so that
 * npfctl_bpf_endgroup() can rewrite the jumps emitted in between.
 * Nesting is not supported: a group must be closed before another opens.
 */
void
npfctl_bpf_group(npf_bpf_t *ctx)
{
	const struct bpf_program *bp = &ctx->prog;

	/* No group may be open. */
	assert(ctx->goff == 0);
	assert(ctx->gblock == 0);

	ctx->ingroup = true;
	ctx->gblock = ctx->nblocks;
	ctx->goff = bp->bf_len;
}
    236  1.7.4.2  tls 
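/*
 * npfctl_bpf_endgroup: close the group opened by npfctl_bpf_group().
 *
 * With two or more blocks in the group, a failure return is appended as
 * the fall-through and the jumps of the group are rewritten: a match
 * jumps past that return (out of the group), a mismatch falls into the
 * next block.  With zero or one block there is nothing to rewrite; the
 * block's placeholder is resolved by npfctl_bpf_complete() instead.
 *
 * All group state, including 'ingroup', is cleared on every path.
 * Previously 'ingroup' was left set, so fetch_l3() (which re-enters the
 * group logic when it sees 'ingroup') could later call this function
 * with gblock == 0 and rewrite the jumps of the whole program.
 */
void
npfctl_bpf_endgroup(npf_bpf_t *ctx)
{
	struct bpf_program *bp = &ctx->prog;
	const u_int curoff = bp->bf_len;
	const u_int gblocks = ctx->nblocks - ctx->gblock;

	if (gblocks > 1) {
		/*
		 * Append a failure return as a fall-through i.e. if there is
		 * no match within the group.
		 */
		struct bpf_insn insns_ret[] = {
			BPF_STMT(BPF_RET+BPF_K, NPF_BPF_FAILURE),
		};
		add_insns(ctx, insns_ret, __arraycount(insns_ret));

		/*
		 * Swap jt/jf: on match jump to curoff + 1 (past the return
		 * above), otherwise continue with the next block, which
		 * leads to the fall-through return if none matches.
		 */
		fixup_jumps(ctx, ctx->goff, curoff, true);
	}

	ctx->goff = ctx->gblock = 0;
	ctx->ingroup = false;
}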
    266  1.7.4.2  tls 
/*
 * fetch_l3: emit the L3 (IP version) check and, if X_EQ_L4OFF is in
 * 'flags', load the L4 header offset into register X.
 *
 * => af is AF_INET, AF_INET6 or AF_UNSPEC; anything else aborts.
 * => The version check is emitted on the first call, and again when a
 *    concrete family follows an AF_UNSPEC one (ctx->af == 0); a concrete
 *    family that differs from the recorded one is a fatal error.
 * => The emitted jump uses JUMP_MAGIC; fixup_jumps() resolves it to the
 *    failure path.
 * => Register X is loaded only once per program (X_EQ_L4OFF flag).
 */
static void
fetch_l3(npf_bpf_t *ctx, sa_family_t af, u_int flags)
{
	u_int ver;

	switch (af) {
	case AF_INET:
		ver = IPVERSION;
		break;
	case AF_INET6:
		/* IPV6_VERSION carries the version in the high nibble. */
		ver = IPV6_VERSION >> 4;
		break;
	case AF_UNSPEC:
		/* Zero: any IP version is fine, but non-IP (IPVER == 0) is not. */
		ver = 0;
		break;
	default:
		abort();
	}

	/*
	 * The memory store is populated with:
	 * - BPF_MW_IPVER: IP version (4 or 6).
	 * - BPF_MW_L4OFF: L4 header offset.
	 * - BPF_MW_L4PROTO: L4 protocol.
	 */
	if ((ctx->flags & FETCHED_L3) == 0 || (af && ctx->af == 0)) {
		/*
		 * Concrete version: fall through on equality, fail otherwise.
		 * ver == 0: fail on equality (not IP), fall through otherwise.
		 */
		const uint8_t jt = ver ? 0 : JUMP_MAGIC;
		const uint8_t jf = ver ? JUMP_MAGIC : 0;
		bool ingroup = ctx->ingroup;

		/*
		 * L3 block cannot be inserted in the middle of a group.
		 * In fact, it never is.  Check and start the group after.
		 *
		 * NOTE(review): this relies on ctx->ingroup being accurate.
		 * npfctl_bpf_endgroup() resets goff/gblock but not ingroup,
		 * so after a closed group this branch would be taken again
		 * with gblock == 0 — confirm the flag is cleared by callers.
		 */
		if (ingroup) {
			assert(ctx->nblocks == ctx->gblock);
			npfctl_bpf_endgroup(ctx);
		}

		/*
		 * A <- IP version; A == expected-version?
		 * If no particular version specified, check for non-zero.
		 */
		struct bpf_insn insns_af[] = {
			BPF_STMT(BPF_LD+BPF_W+BPF_MEM, BPF_MW_IPVER),
			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ver, jt, jf),
		};
		add_insns(ctx, insns_af, __arraycount(insns_af));
		ctx->flags |= FETCHED_L3;
		ctx->af = af;

		/* Only a concrete family is recorded in the marks. */
		if (af) {
			uint32_t mwords[] = { BM_IPVER, 1, af };
			done_raw_block(ctx, mwords, sizeof(mwords));
		}
		if (ingroup) {
			npfctl_bpf_group(ctx);
		}

	} else if (af && af != ctx->af) {
		errx(EXIT_FAILURE, "address family mismatch");
	}

	if ((flags & X_EQ_L4OFF) != 0 && (ctx->flags & X_EQ_L4OFF) == 0) {
		/* X <- L4 header offset (the header length of the IP layer) */
		struct bpf_insn insns_hlen[] = {
			BPF_STMT(BPF_LDX+BPF_MEM, BPF_MW_L4OFF),
		};
		add_insns(ctx, insns_hlen, __arraycount(insns_hlen));
		ctx->flags |= X_EQ_L4OFF;
	}
}
    339  1.7.4.2  tls 
/*
 * npfctl_bpf_proto: code block to match IP version and L4 protocol.
 *
 * => af may be AF_UNSPEC and proto may be -1 (no protocol check), but
 *    not both at once.
 * => With a protocol, records a BM_PROTO mark and raises CHECKED_L4,
 *    which the port/flag/ICMP blocks require.
 */
void
npfctl_bpf_proto(npf_bpf_t *ctx, sa_family_t af, int proto)
{
	assert(af != AF_UNSPEC || proto != -1);

	/* Note: fails if IP version does not match. */
	fetch_l3(ctx, af, 0);

	if (proto != -1) {
		/* A <- L4 protocol; A == expected-protocol?  Otherwise fail. */
		struct bpf_insn insns_proto[] = {
			BPF_STMT(BPF_LD+BPF_W+BPF_MEM, BPF_MW_L4PROTO),
			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, proto, 0, JUMP_MAGIC),
		};
		uint32_t mwords[] = { BM_PROTO, 1, proto };

		add_insns(ctx, insns_proto, __arraycount(insns_proto));
		done_block(ctx, mwords, sizeof(mwords));
		ctx->flags |= CHECKED_L4;
	}
}
    365  1.7.4.2  tls 
/*
 * npfctl_bpf_cidr: code block to match IPv4 or IPv6 CIDR.
 *
 * => IP address shall be in the network byte order.
 * => opts selects exactly one of MATCH_SRC / MATCH_DST.
 * => mask is a prefix length (1..NPF_MAX_NETMASK) or NPF_NO_NETMASK,
 *    which stands for the full address length of the family.  A prefix
 *    longer than the family's address is not rejected here: the loop
 *    just runs out of words (IPv4 with mask > 32 matches as /32) while
 *    the marks record the given mask — presumably the parser validates
 *    this; TODO confirm.
 * => Per 32-bit word covered by the prefix: load the word, AND it with
 *    the prefix mask when partial, and compare; mismatch fails.
 */
void
npfctl_bpf_cidr(npf_bpf_t *ctx, u_int opts, sa_family_t af,
    const npf_addr_t *addr, const npf_netmask_t mask)
{
	/* Assumes npf_addr_t holds at least four words for either family — TODO confirm. */
	const uint32_t *awords = (const uint32_t *)addr;
	u_int nwords, length, maxmask, off;

	assert(((opts & MATCH_SRC) != 0) ^ ((opts & MATCH_DST) != 0));
	assert((mask && mask <= NPF_MAX_NETMASK) || mask == NPF_NO_NETMASK);

	switch (af) {
	case AF_INET:
		maxmask = 32;
		off = (opts & MATCH_SRC) ?
		    offsetof(struct ip, ip_src) :
		    offsetof(struct ip, ip_dst);
		nwords = sizeof(struct in_addr) / sizeof(uint32_t);
		break;
	case AF_INET6:
		maxmask = 128;
		off = (opts & MATCH_SRC) ?
		    offsetof(struct ip6_hdr, ip6_src) :
		    offsetof(struct ip6_hdr, ip6_dst);
		nwords = sizeof(struct in6_addr) / sizeof(uint32_t);
		break;
	default:
		abort();
	}

	/* Ensure address family. */
	fetch_l3(ctx, af, 0);

	/* Remaining prefix bits to cover, consumed word by word below. */
	length = (mask == NPF_NO_NETMASK) ? maxmask : mask;

	/* CAUTION: BPF operates in host byte-order. */
	for (u_int i = 0; i < nwords; i++) {
		const u_int woff = i * sizeof(uint32_t);
		uint32_t word = ntohl(awords[i]);
		uint32_t wordmask;

		if (length >= 32) {
			/* The mask is a full word - do not apply it. */
			wordmask = 0;
			length -= 32;
		} else if (length) {
			/* 1..31 bits: shift count stays within 1..31. */
			wordmask = 0xffffffff << (32 - length);
			length = 0;
		} else {
			/* The mask became zero - skip the rest. */
			break;
		}

		/* A <- IP address (or one word of it), absolute offset in the packet */
		struct bpf_insn insns_ip[] = {
			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, off + woff),
		};
		add_insns(ctx, insns_ip, __arraycount(insns_ip));

		/* A <- (A & MASK) */
		if (wordmask) {
			struct bpf_insn insns_mask[] = {
				BPF_STMT(BPF_ALU+BPF_AND+BPF_K, wordmask),
			};
			add_insns(ctx, insns_mask, __arraycount(insns_mask));
		}

		/* A == expected-IP-word ?  Otherwise jump to the failure path. */
		struct bpf_insn insns_cmp[] = {
			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, word, 0, JUMP_MAGIC),
		};
		add_insns(ctx, insns_cmp, __arraycount(insns_cmp));
	}

	/* Marks keep the address in network byte order, all four words. */
	uint32_t mwords[] = {
		(opts & MATCH_SRC) ? BM_SRC_CIDR: BM_DST_CIDR, 6,
		af, mask, awords[0], awords[1], awords[2], awords[3],
	};
	done_block(ctx, mwords, sizeof(mwords));
}
    450  1.7.4.2  tls 
/*
 * npfctl_bpf_ports: code block to match TCP/UDP port range.
 *
 * => Port numbers shall be in the network byte order.
 * => Requires a prior protocol check (CHECKED_L4); the port is read
 *    relative to register X, the L4 header offset.
 * => from == to matches a single port; otherwise the packet must
 *    satisfy from <= port <= to.  from > to is not rejected and yields
 *    an unsatisfiable range — presumably the parser prevents it; TODO
 *    confirm.
 * => The marks record the ports in host byte order, after conversion.
 */
void
npfctl_bpf_ports(npf_bpf_t *ctx, u_int opts, in_port_t from, in_port_t to)
{
	const u_int sport_off = offsetof(struct udphdr, uh_sport);
	const u_int dport_off = offsetof(struct udphdr, uh_dport);
	const bool matchsrc = (opts & MATCH_SRC) != 0;
	const u_int port_off = matchsrc ? sport_off : dport_off;

	/* TCP and UDP port offsets are the same. */
	assert(sport_off == offsetof(struct tcphdr, th_sport));
	assert(dport_off == offsetof(struct tcphdr, th_dport));
	assert(ctx->flags & CHECKED_L4);
	assert(matchsrc ^ ((opts & MATCH_DST) != 0));

	/* X <- L4 header offset */
	fetch_l3(ctx, AF_UNSPEC, X_EQ_L4OFF);

	/* A <- 16-bit port at X + port_off */
	struct bpf_insn insns_fetch[] = {
		BPF_STMT(BPF_LD+BPF_H+BPF_IND, port_off),
	};
	add_insns(ctx, insns_fetch, __arraycount(insns_fetch));

	/* CAUTION: BPF operates in host byte-order. */
	const in_port_t lo = ntohs(from);
	const in_port_t hi = ntohs(to);

	if (lo == hi) {
		/* Single port: A == lo, otherwise fail. */
		struct bpf_insn insns_port[] = {
			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, lo, 0, JUMP_MAGIC),
		};
		add_insns(ctx, insns_port, __arraycount(insns_port));
	} else {
		/* Range: fail if A < lo, fail if A > hi. */
		struct bpf_insn insns_range[] = {
			BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, lo, 0, JUMP_MAGIC),
			BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, hi, JUMP_MAGIC, 0),
		};
		add_insns(ctx, insns_range, __arraycount(insns_range));
	}

	uint32_t mwords[] = {
		matchsrc ? BM_SRC_PORTS : BM_DST_PORTS, 2, lo, hi
	};
	done_block(ctx, mwords, sizeof(mwords));
}
    504  1.7.4.2  tls 
/*
 * npfctl_bpf_tcpfl: code block to match TCP flags.
 *
 * => tf are the expected flag bits, tf_mask the bits to look at; when
 *    tf_mask == tf no AND is emitted and the whole byte is compared.
 * => checktcp: emit an inline protocol check first.  A non-TCP packet
 *    then skips the flag comparison (it is not failed), and no marks are
 *    recorded.  Because that jump uses a concrete offset rather than
 *    JUMP_MAGIC, the block must not be inside a group: the group fixup
 *    swaps jt/jf of every jump in its range.
 * => !checktcp: a prior protocol check (CHECKED_L4) is required and a
 *    BM_TCPFL mark is recorded.
 */
void
npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t tf, uint8_t tf_mask, bool checktcp)
{
	const u_int tcpfl_off = offsetof(struct tcphdr, th_flags);
	const bool usingmask = tf_mask != tf;

	/* X <- L4 header offset */
	fetch_l3(ctx, AF_UNSPEC, X_EQ_L4OFF);
	if (checktcp) {
		/*
		 * Skip count of the instructions emitted below: the flags
		 * load, the optional AND and the compare.  Keep in sync.
		 */
		const u_int jf = usingmask ? 3 : 2;
		assert(ctx->ingroup == false);

		/* A <- L4 protocol; A == TCP?  If not, jump out. */
		struct bpf_insn insns_tcp[] = {
			BPF_STMT(BPF_LD+BPF_W+BPF_MEM, BPF_MW_L4PROTO),
			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, jf),
		};
		add_insns(ctx, insns_tcp, __arraycount(insns_tcp));
	} else {
		assert(ctx->flags & CHECKED_L4);
	}

	struct bpf_insn insns_tf[] = {
		/* A <- TCP flags (byte at X + tcpfl_off) */
		BPF_STMT(BPF_LD+BPF_B+BPF_IND, tcpfl_off),
	};
	add_insns(ctx, insns_tf, __arraycount(insns_tf));

	if (usingmask) {
		/* A <- (A & mask) */
		struct bpf_insn insns_mask[] = {
			BPF_STMT(BPF_ALU+BPF_AND+BPF_K, tf_mask),
		};
		add_insns(ctx, insns_mask, __arraycount(insns_mask));
	}

	struct bpf_insn insns_cmp[] = {
		/* A == expected-TCP-flags?  Otherwise jump to the failure path. */
		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, tf, 0, JUMP_MAGIC),
	};
	add_insns(ctx, insns_cmp, __arraycount(insns_cmp));

	/* Marks are only recorded when this block stands on its own. */
	if (!checktcp) {
		uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};
		done_block(ctx, mwords, sizeof(mwords));
	}
}
    555  1.7.4.2  tls 
/*
 * npfctl_bpf_icmp: code block to match ICMP type and/or code.
 * Note: suitable both for the ICMPv4 and ICMPv6.
 *
 * => type and code are byte values, or -1 to skip that field; at least
 *    one of them must be given.
 * => Requires a prior protocol check (CHECKED_L4); both fields are read
 *    relative to register X, the L4 header offset.
 * => Each field present becomes its own block with its own mark
 *    (BM_ICMP_TYPE / BM_ICMP_CODE).
 */
void
npfctl_bpf_icmp(npf_bpf_t *ctx, int type, int code)
{
	const u_int type_off = offsetof(struct icmp, icmp_type);
	const u_int code_off = offsetof(struct icmp, icmp_code);
	const bool have_type = type != -1;
	const bool have_code = code != -1;

	assert(ctx->flags & CHECKED_L4);
	/* ICMPv6 lays out type and code at the same offsets. */
	assert(offsetof(struct icmp6_hdr, icmp6_type) == type_off);
	assert(offsetof(struct icmp6_hdr, icmp6_code) == code_off);
	assert(have_type || have_code);

	/* X <- L4 header offset */
	fetch_l3(ctx, AF_UNSPEC, X_EQ_L4OFF);

	if (have_type) {
		/* A <- ICMP type; A == type?  Otherwise fail. */
		struct bpf_insn insns_type[] = {
			BPF_STMT(BPF_LD+BPF_B+BPF_IND, type_off),
			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, type, 0, JUMP_MAGIC),
		};
		uint32_t type_marks[] = { BM_ICMP_TYPE, 1, type };

		add_insns(ctx, insns_type, __arraycount(insns_type));
		done_block(ctx, type_marks, sizeof(type_marks));
	}

	if (have_code) {
		/* A <- ICMP code; A == code?  Otherwise fail. */
		struct bpf_insn insns_code[] = {
			BPF_STMT(BPF_LD+BPF_B+BPF_IND, code_off),
			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, code, 0, JUMP_MAGIC),
		};
		uint32_t code_marks[] = { BM_ICMP_CODE, 1, code };

		add_insns(ctx, insns_code, __arraycount(insns_code));
		done_block(ctx, code_marks, sizeof(code_marks));
	}
}
    596  1.7.4.2  tls 
    597  1.7.4.2  tls #define	SRC_FLAG_BIT	(1U << 31)
    598  1.7.4.2  tls 
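/*
 * npfctl_bpf_table: code block to match source/destination IP address
 * against NPF table specified by ID.
 *
 * => The table ID and the direction are packed into one word for the
 *    NPF_COP_TABLE coprocessor call: bit 31 (SRC_FLAG_BIT) selects the
 *    source address, the remaining bits carry the ID.  An ID with that
 *    bit set would silently be taken as a source lookup, so it is
 *    rejected up front.
 * => The coprocessor result is compared against zero: zero (no match)
 *    jumps to the failure path, anything else falls through.
 */
void
npfctl_bpf_table(npf_bpf_t *ctx, u_int opts, u_int tid)
{
	const bool src = (opts & MATCH_SRC) != 0;

	/* The ID must not overlap the direction flag. */
	assert((tid & SRC_FLAG_BIT) == 0);

	struct bpf_insn insns_table[] = {
		/* A <- (src-flag | table-id); A <- table lookup; A == 0 ? fail */
		BPF_STMT(BPF_LD+BPF_IMM, (src ? SRC_FLAG_BIT : 0) | tid),
		BPF_STMT(BPF_MISC+BPF_COP, NPF_COP_TABLE),
		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, JUMP_MAGIC, 0),
	};
	add_insns(ctx, insns_table, __arraycount(insns_table));

	uint32_t mwords[] = { src ? BM_SRC_TABLE: BM_DST_TABLE, 1, tid };
	done_block(ctx, mwords, sizeof(mwords));
}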
    618