# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Packet layouts consumed by the syz_emit_ethernet pseudo-syscall.
# Fields declared with len/bytesize/csum are computed by syzkaller from the
# generated data; const fields are fixed; everything else is fuzzer-controlled.

include <linux/types.h>
include <linux/byteorder/generic.h>

# Takes one Ethernet frame (eth_packet) as input.
# len is derived from packet. frags is optional (opt) and, when present,
# carries the fragmentation parameters described by vnet_fragmentation.
# NOTE(review): the pseudo-syscall body lives in the executor, not in this file;
# how the frame is delivered is not visible here.
syz_emit_ethernet(len len[packet], packet ptr[in, eth_packet], frags ptr[in, vnet_fragmentation, opt])

# Fragmentation parameters for syz_emit_ethernet.
vnet_fragmentation {
# If set and we have remaining data after fragmentation, it is written in an additional fragment.
# If not set, data remaining after fragmentation is discarded.
	full	int32[0:1]
# Restricted to 1..4; presumably the number of entries of frags that are used - confirm against the executor.
	count	int32[1:4]
# Always four entries, each in 0..4096; presumably fragment sizes in bytes - confirm against the executor.
	frags	array[int32[0:4096], 4]
}

# Candidate hop-limit values; used by the hop_limit field of ipv6_packet_t.
hop_limits = 0, 1, 255

# TCP sequence/acknowledgement number resource (base type int32).
# 0x41424344 is the special value used when no produced resource is available.
resource tcp_seq_num[int32]: 0x41424344

# Output structure of syz_extract_tcp_res: one sequence and one acknowledgement number.
tcp_resources {
	seq	tcp_seq_num
	ack	tcp_seq_num
}

# These pseudo syscalls read a packet from /dev/net/tun and extract tcp sequence and acknowledgement numbers from it.
# They also add the inc arguments to the returned values, this way sequence numbers get incremented.
# res is an output pointer that receives a tcp_resources pair.
# The $synack variant pins seq_inc to 1 and ack_inc to 0.
syz_extract_tcp_res(res ptr[out, tcp_resources], seq_inc int32, ack_inc int32)
syz_extract_tcp_res$synack(res ptr[out, tcp_resources], seq_inc const[1], ack_inc const[0])

################################################################################
################################### Ethernet ###################################
################################################################################

# https://en.wikipedia.org/wiki/Ethernet_frame#Structure
# https://en.wikipedia.org/wiki/IEEE_802.1Q

include <uapi/linux/if.h>
include <uapi/linux/if_ether.h>

# MAC address template: five 0xaa octets followed by a caller-chosen last octet.
type mac_addr_t[LAST] {
	a0	array[const[0xaa, int8], 5]
	a1	LAST
} [packed]

# 01:80:c2:00:00:XX with XX taken from mac_addr_link_local_values.
mac_addr_link_local {
	a0	const[0x1, int8]
	a1	const[0x80, int8]
	a2	const[0xc2, int8]
	a3	const[0x0, int8]
	a4	const[0x0, int8]
	a5	flags[mac_addr_link_local_values, int8]
} [packed]

mac_addr_link_local_values = 0x0, 0x1, 0x2, 0x3, 0xe

# This corresponds to the last digit in DEV_MAC/DEV_IPV4/DEV_IPV6 in executor/common_linux.h
type netdev_addr_id int8[10:68]

# All MAC address shapes the fuzzer may pick; every option is 6 octets.
mac_addr [
	empty	array[const[0x0, int8], 6]
# These correspond to LOCAL_MAC/REMOTE_MAC/DEV_MAC in executor/common_linux.h
	local	mac_addr_t[const[0xaa, int8]]
	remote	mac_addr_t[const[0xbb, int8]]
	dev	mac_addr_t[netdev_addr_id]
	broadcast	array[const[0xff, int8], 6]
# bb:bb:bb:bb:bb:bb; the low bit of the first octet is set, i.e. a group address.
	multicast	array[const[0xbb, int8], 6]
	link_local	mac_addr_link_local
# Fully fuzzer-controlled address.
	random	array[int8, 6]
]

# Per-octet mask: each octet is either 0 or 0xff.
type mac_addr_mask array[flags[mac_addr_mask_vals, int8], 6]
mac_addr_mask_vals = 0, 0xff

# 802.1ad (outer) VLAN tag. vid is a 12-bit field limited to the values 0..4.
vlan_tag_ad {
	tpid	const[ETH_P_8021AD, int16be]
	pcp	int16:3
	dei	int16:1
	vid	int16:12[0:4]
} [packed]

# 802.1Q VLAN tag. vid is a 12-bit field limited to the values 0..4.
vlan_tag_q {
	tpid	const[ETH_P_8021Q, int16be]
	pcp	int16:3
	dei	int16:1
	vid	int16:12[0:4]
} [packed]

# VLAN tagging: an optional 802.1ad tag followed by a mandatory 802.1Q tag.
vlan_tag {
	tag_ad	optional[vlan_tag_ad]
	tag_q	vlan_tag_q
} [packed]

# Top-level Ethernet frame passed to syz_emit_ethernet.
# The VLAN tag block is optional as a whole.
eth_packet {
	dst_mac	mac_addr
	src_mac	mac_addr
	vtag	optional[vlan_tag]
	payload	eth_payload
} [packed]

# Single-member wrapper: only Ethernet II payloads are described.
eth_payload {
	eth2	eth2_packet
} [packed]

################################################################################
################################## Ethernet 2 ##################################
################################################################################

# https://en.wikipedia.org/wiki/Ethernet_frame#Ethernet_II

# EtherType values used by eth2_packet_generic, the generic ARP ptype and the SNAP protocol_id.
ether_types = ETH_P_LOOP, ETH_P_PUP, ETH_P_PUPAT, ETH_P_TSN, ETH_P_IP, ETH_P_X25, ETH_P_ARP, ETH_P_IEEEPUP, ETH_P_IEEEPUPAT, ETH_P_BATMAN, ETH_P_DEC, ETH_P_DNA_DL, ETH_P_DNA_RC, ETH_P_DNA_RT, ETH_P_LAT, ETH_P_DIAG, ETH_P_CUST, ETH_P_SCA, ETH_P_TEB, ETH_P_RARP, ETH_P_ATALK, ETH_P_AARP, ETH_P_8021Q, ETH_P_ERSPAN, ETH_P_ERSPAN2, ETH_P_IPV6, ETH_P_PAUSE, ETH_P_SLOW, ETH_P_WCCP, ETH_P_MPLS_UC, ETH_P_MPLS_MC, ETH_P_ATMMPOA, ETH_P_PPP_DISC, ETH_P_PPP_SES, ETH_P_LINK_CTL, ETH_P_ATMFATE, ETH_P_PAE, ETH_P_AOE, ETH_P_8021AD, ETH_P_802_EX1, ETH_P_TIPC, ETH_P_MACSEC, ETH_P_8021AH, ETH_P_MVRP, ETH_P_1588, ETH_P_NCSI, ETH_P_PRP, ETH_P_FCOE, ETH_P_TDLS, ETH_P_FIP, ETH_P_80221, ETH_P_HSR, ETH_P_LOOPBACK, ETH_P_QINQ1, ETH_P_QINQ2, ETH_P_QINQ3, ETH_P_EDSA, ETH_P_AF_IUCV, ETH_P_802_3_MIN, ETH_P_802_3, ETH_P_AX25, ETH_P_ALL, ETH_P_802_2, ETH_P_SNAP, ETH_P_DDCMP, ETH_P_WAN_PPP, ETH_P_PPP_MP, ETH_P_LOCALTALK, ETH_P_CAN, ETH_P_CANFD, ETH_P_PPPTALK, ETH_P_TR_802_2, ETH_P_MOBITEX, ETH_P_CONTROL, ETH_P_IRDA, ETH_P_ECONET, ETH_P_HDLC, ETH_P_ARCNET, ETH_P_DSA, ETH_P_TRAILER, ETH_P_PHONET, ETH_P_IEEE802154, ETH_P_CAIF, ETH_P_XDSA, ETH_P_MAP

# Ethernet II payload: either a generic (EtherType + opaque bytes) packet or a
# structured packet whose EtherType is fixed to match its payload type.
# mpls_packet, can_frame and canfd_frame are not defined in this part of the file.
eth2_packet [
	generic	eth2_packet_generic
	arp	eth2_packet_t[ETH_P_ARP, arp_packet]
	ipv4	eth2_packet_t[ETH_P_IP, ipv4_packet]
	ipv6	eth2_packet_t[ETH_P_IPV6, ipv6_packet]
	llc	eth2_packet_t[ETH_P_802_2, llc_packet]
	llc_tr	eth2_packet_t[ETH_P_TR_802_2, llc_packet]
	x25	eth2_packet_t[ETH_P_X25, x25_packet]
	mpls_uc	eth2_packet_t[ETH_P_MPLS_UC, mpls_packet]
	mpls_mc	eth2_packet_t[ETH_P_MPLS_MC, mpls_packet]
	can	eth2_packet_t[ETH_P_CAN, can_frame]
	canfd	eth2_packet_t[ETH_P_CANFD, canfd_frame]
] [varlen]

# Any EtherType from ether_types followed by unstructured bytes.
eth2_packet_generic {
	etype	flags[ether_types, int16be]
	payload	array[int8]
} [packed]

# Template: constant EtherType followed by the matching structured payload.
type eth2_packet_t[TYPE, PAYLOAD] {
	etype	const[TYPE, int16be]
	payload	PAYLOAD
} [packed]

################################################################################
###################################### ARP #####################################
################################################################################

# https://en.wikipedia.org/wiki/Address_Resolution_Protocol#Packet_structure

include <uapi/linux/if_arp.h>

arp_htypes = ARPHRD_NETROM, ARPHRD_ETHER, ARPHRD_EETHER, ARPHRD_AX25, ARPHRD_PRONET, ARPHRD_CHAOS, ARPHRD_IEEE802, ARPHRD_ARCNET, ARPHRD_APPLETLK, ARPHRD_DLCI, ARPHRD_ATM, ARPHRD_METRICOM, ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP, ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD, ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25, ARPHRD_CAN, ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_HDLC, ARPHRD_LAPB, ARPHRD_DDCMP, ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD, ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI, ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE, ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET, ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL, ARPHRD_FCFABRIC, ARPHRD_IEEE802_TR, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM, ARPHRD_IEEE80211_RADIOTAP, ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR, ARPHRD_PHONET, ARPHRD_PHONET_PIPE, ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN, ARPHRD_VOID, ARPHRD_NONE

arp_ops = ARPOP_REQUEST, ARPOP_REPLY, ARPOP_RREQUEST, ARPOP_RREPLY, ARPOP_InREQUEST, ARPOP_InREPLY, ARPOP_NAK

# ARP packet variants: arbitrary hardware/protocol types with 0..16 byte protocol
# addresses, or Ethernet hardware type with IPv4 or IPv6 protocol addresses.
arp_packet [
	generic	arp_packet_t[flags[arp_htypes, int16be], flags[ether_types, int16be], array[int8, 0:16]]
	ether_ipv4	arp_packet_t[const[ARPHRD_ETHER, int16be], const[ETH_P_IP, int16be], ipv4_addr]
	ether_ipv6	arp_packet_t[const[ARPHRD_ETHER, int16be], const[ETH_P_IPV6, int16be], ipv6_addr]
] [varlen]

# ARP packet template.
# hlen is always 6 and sha/tha are always 6-octet mac_addr values, also in the
# generic variant where htype is not Ethernet.
# plen is computed from spa only; tpa is generated independently, so in the
# generic variant its size need not match plen.
type arp_packet_t[HTYPE, PTYPE, ADDR] {
	htype	HTYPE
	ptype	PTYPE
	hlen	const[6, int8]
	plen	len[spa, int8]
	op	flags[arp_ops, int16be]
	sha	mac_addr
	spa	ADDR
	tha	mac_addr
	tpa	ADDR
} [packed]

################################################################################
################################## 802.2 (LLC) #################################
################################################################################

# https://en.wikipedia.org/wiki/IEEE_802.2
# https://en.wikipedia.org/wiki/Subnetwork_Access_Protocol

include <uapi/linux/llc.h>

# Adding '1' as a SAP value since the lower bit in SAP has a special meaning.
sap_values = 1, LLC_SAP_NULL, LLC_SAP_LLC, LLC_SAP_SNA, LLC_SAP_PNM, LLC_SAP_IP, LLC_SAP_BSPAN, LLC_SAP_MMS, LLC_SAP_8208, LLC_SAP_3COM, LLC_SAP_PRO, LLC_SAP_SNAP, LLC_SAP_BANYAN, LLC_SAP_NETBEUI, LLC_SAP_LANMGR, LLC_SAP_IMPL, LLC_SAP_DISC, LLC_SAP_OSI, LLC_SAP_LAR, LLC_SAP_RM, LLC_SAP_GLOBAL

# Plain LLC PDU: DSAP, SSAP, a 1- or 2-octet control field and opaque data.
llc_generic_packet {
	dsap	flags[sap_values, int8]
	ssap	flags[sap_values, int8]
	ctrl	array[int8, 1:2]
	payload	array[int8]
} [packed]

sap_snap_values = 1, LLC_SAP_SNAP

# LLC PDU with SNAP extension: 3-octet OUI and a protocol id drawn from ether_types.
llc_snap_packet {
	dsap	flags[sap_snap_values, int8]
	ssap	flags[sap_snap_values, int8]
	control	array[int8, 1:2]
	oui	array[int8, 3]
	protocol_id	flags[ether_types, int16be]
	payload	array[int8]
} [packed]

llc_payload [
	llc	llc_generic_packet
	snap	llc_snap_packet
] [varlen]

# Wrapper around llc_payload; no length prefix is emitted (see TODO).
llc_packet {
# TODO: is there length or not? I don't see it in packet format...
#	length	len[payload, int16be]
	payload	llc_payload
} [packed]

################################################################################
###################################### x25 #####################################
################################################################################

# Documentation/networking/x25.txt
# Documentation/networking/x25-iface.txt
# http://www.dafuer.com/kleinehelferlein/x25layer.htm

include <uapi/linux/if_x25.h>
include <net/x25.h>

x25_iface_types = X25_IFACE_DATA, X25_IFACE_CONNECT, X25_IFACE_DISCONNECT, X25_IFACE_PARAMS

x25_frame_types = X25_CALL_REQUEST, X25_CALL_ACCEPTED, X25_CLEAR_REQUEST, X25_CLEAR_CONFIRMATION, X25_DATA, X25_INTERRUPT, X25_INTERRUPT_CONFIRMATION, X25_RR, X25_RNR, X25_REJ, X25_RESET_REQUEST, X25_RESET_CONFIRMATION, X25_REGISTRATION_REQUEST, X25_REGISTRATION_CONFIRMATION, X25_RESTART_REQUEST, X25_RESTART_CONFIRMATION, X25_DIAGNOSTIC, X25_ILLEGAL

# X.25 packet: interface pseudo-header octet, one unconstrained octet, frame type, opaque data.
# NOTE(review): the meaning of the second octet ("wtf") is not documented here.
x25_packet {
	iface	flags[x25_iface_types, int8]
	wtf	int8
	frame	flags[x25_frame_types, int8]
	payload	array[int8]
} [packed]

################################################################################
##################################### IPv4 #####################################
################################################################################

# https://tools.ietf.org/html/rfc791#section-3.1
# https://en.wikipedia.org/wiki/IPv4#Header

# TODO: https://en.wikipedia.org/wiki/IPsec#Authentication_Header
# TODO: https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload

include <uapi/linux/in.h>
include <uapi/linux/ip.h>
include <uapi/linux/l2tp.h>
include <net/cipso_ipv4.h>
include <security/smack/smack.h>

# 172.20.20.X with a caller-chosen last octet.
type ipv4_addr_t[LAST] {
	a0	const[0xac, int8]
	a1	const[0x14, int8]
	a2	const[0x14, int8]
	a3	LAST
} [packed]

# 172.30.{0,1}.N where N is a per-process value starting at 1.
ipv4_addr_initdev {
	a0	const[0xac, int8]
	a1	const[0x1e, int8]
	a2	int8[0:1]
	a3	proc[1, 1, int8]
}

# All IPv4 address shapes the fuzzer may pick; the union is fixed at 4 bytes.
# There is no fully random option: every address comes from a small fixed set.
ipv4_addr [
# Few public random addresses 100.1.1.[0-2]
	rand_addr	int32be[0x64010100:0x64010102]
# 0.0.0.0
	empty	const[0x0, int32be]
# These correspond to LOCAL_IPV4/REMOTE_IPV4/DEV_IPV4 in executor/common_linux.h
	local	ipv4_addr_t[const[170, int8]]
	remote	ipv4_addr_t[const[187, int8]]
	dev	ipv4_addr_t[netdev_addr_id]
	initdev	ipv4_addr_initdev
# 127.0.0.1
	loopback	const[0x7f000001, int32be]
# 224.0.0.1
	multicast1	const[0xe0000001, int32be]
# 224.0.0.2
	multicast2	const[0xe0000002, int32be]
# 255.255.255.255
	broadcast	const[0xffffffff, int32be]
# 10.1.1.[0-2] can be used for custom things within the image
	private	int32be[0xa010100:0xa010102]
] [size[4]]

type ipv4_addr_mask flags[ipv4_addr_mask_vals, int32be]
ipv4_addr_mask_vals = 0, 0xff000000, 0xffffff00, 0xffffffff, 0xff

# http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml#ip-parameters-1
# One IPv4 header option. The three timestamp variants differ in the flag value
# and in whether each entry carries an address next to the timestamp.
ipv4_option [
	generic	ipv4_option_generic
	end	ipv4_option_end
	noop	ipv4_option_noop
	lsrr	ipv4_option_route[IPOPT_LSRR]
	ssrr	ipv4_option_route[IPOPT_SSRR]
	rr	ipv4_option_route[IPOPT_RR]
	timestamp	ipv4_option_timestamp[IPOPT_TS_TSONLY, int32be]
	timestamp_addr	ipv4_option_timestamp[IPOPT_TS_TSANDADDR, ipv4_option_timestamp_timestamp]
	timestamp_prespec	ipv4_option_timestamp[IPOPT_TS_PRESPEC, ipv4_option_timestamp_timestamp]
	cipso	ipv4_option_cipso
	ra	ipv4_option_ra
# IPOPT_SEC and IPOPT_SID are not supported by Linux kernel
] [varlen]

# Option types for ipv4_option_generic; includes IPOPT_SEC and IPOPT_SID, which
# have no structured description above.
ipv4_option_types = IPOPT_SEC, IPOPT_LSRR, IPOPT_TIMESTAMP, IPOPT_CIPSO, IPOPT_RR, IPOPT_SID, IPOPT_SSRR, IPOPT_RA

# Known option type with a correct length (size of the whole option) and 0..16 opaque bytes.
ipv4_option_generic {
	type	flags[ipv4_option_types, int8]
	length	len[parent, int8]
	data	array[int8, 0:16]
} [packed]

# https://tools.ietf.org/html/rfc791#section-3.1
# Single-octet option, no length field.
ipv4_option_end {
	type	const[IPOPT_END, int8]
} [packed]

# https://tools.ietf.org/html/rfc791#section-3.1
# Single-octet option, no length field.
ipv4_option_noop {
	type	const[IPOPT_NOOP, int8]
} [packed]

# https://tools.ietf.org/html/rfc791#section-3.1
# Source-route / record-route option. length is computed; pointer is
# fuzzer-chosen in 4..255 and is not tied to the amount of data present.
type ipv4_option_route[OPT] {
	type	const[OPT, int8]
	length	len[parent, int8]
	pointer	int8[4:255]
	data	array[ipv4_addr]
} [packed]

# https://tools.ietf.org/html/rfc791#section-3.1
# http://www.networksorcery.com/enp/protocol/ip/option004.htm
# Timestamp option. length is computed; pointer is fuzzer-chosen in 5..255 and
# is not tied to the number of timestamp entries. flg and oflw share one octet.
type ipv4_option_timestamp[TYP, TSTAMP] {
	type	const[IPOPT_TIMESTAMP, int8]
	length	len[parent, int8]
	pointer	int8[5:255]
	flg	const[TYP, int8:4]
	oflw	int8:4
	timestamps	array[TSTAMP]
} [packed]

# Timestamp entry that carries an address next to the timestamp.
ipv4_option_timestamp_timestamp {
	addr	ipv4_addr
	timestamp	int32be
} [packed]

ipv4_option_cipso_tag_types = CIPSO_V4_TAG_INVALID, CIPSO_V4_TAG_RBITMAP, CIPSO_V4_TAG_ENUM, CIPSO_V4_TAG_RANGE, CIPSO_V4_TAG_PBITMAP, CIPSO_V4_TAG_FREEFORM

# TODO: describe particular tag types
# CIPSO tag: known tag type, correct length, 0..16 unstructured bytes.
ipv4_option_cipso_tag {
	type	flags[ipv4_option_cipso_tag_types, int8]
	length	len[parent, int8]
	data	array[int8, 0:16]
} [packed]

# https://www.ietf.org/archive/id/draft-ietf-cipso-ipsecurity-01.txt
# CIPSO labelling option: domain of interpretation followed by a list of tags.
ipv4_option_cipso {
	type	const[IPOPT_CIPSO, int8]
	length	len[parent, int8]
	doi	flags[cipso_doi, int32be]
	tags	array[ipv4_option_cipso_tag]
} [packed]

cipso_doi = CIPSO_V4_DOI_UNKNOWN, SMACK_CIPSO_DOI_DEFAULT, SMACK_CIPSO_DOI_INVALID, 1, 2, 3

# https://tools.ietf.org/html/rfc2113
# Router alert option; value is a 16-bit boolean.
ipv4_option_ra {
	type	const[IPOPT_RA, int8]
	length	len[parent, int8]
	value	bool16
} [packed]

# Option list, aligned to 4 bytes so that the header length stays a multiple of 4.
ipv4_options {
	options	array[ipv4_option]
} [packed, align[4]]

# Protocol numbers used by the generic IPv4 packet and by icmp_ipv4_header.
ipv4_types = IPPROTO_IP, IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_EGP, IPPROTO_PUP, IPPROTO_UDP, IPPROTO_IDP, IPPROTO_TP, IPPROTO_DCCP, IPPROTO_IPV6, IPPROTO_RSVP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH, IPPROTO_MTP, IPPROTO_BEETPH, IPPROTO_ENCAP, IPPROTO_PIM, IPPROTO_COMP, IPPROTO_SCTP, IPPROTO_UDPLITE, IPPROTO_MPLS, IPPROTO_RAW, IPPROTO_L2TP

# IPv4 header template.
# Computed fields: ihl (header size in 4-byte units), total_len (size of the
# enclosing ipv4_packet_t) and csum (Internet checksum over the header).
# Constrained fields: version is always 4, id is limited to 100..104 and
# frag_off is pinned to 0, so fragment flags/offsets are never set here.
type ipv4_header[PROTO] {
	ihl	bytesize4[parent, int8:4]
	version	const[4, int8:4]
	ecn	int8:2
	dscp	int8:6
# TODO: if s/ipv4_packet_t/ipv4_packet/, (1) this crashes, (2) only at runtime with:
# panic: len field "total_len" references non existent field "ipv4_packet", pos="len"/"total_len"
	total_len	len[ipv4_packet_t, int16be]
	id	int16be[100:104]
# TODO: frag_off is actually 13 bits, 3 bits are flags
	frag_off	int16be[0:0]
	ttl	int8
	protocol	PROTO
	csum	csum[parent, inet, int16be]
	src_ip	ipv4_addr
	dst_ip	ipv4_addr
	options	ipv4_options
} [packed]

# IPv4 packet template: header with the given protocol field plus payload.
type ipv4_packet_t[PROTO, PAYLOAD] {
	header	ipv4_header[PROTO]
	payload	PAYLOAD
} [packed]

# IPv4 packet variants. In every structured variant the protocol field is a
# constant matching the payload, except tipc which is carried as IPPROTO_TCP (see TODO).
# dccp_packet, igmp_packet and tipc_packet are not defined in this part of the file.
ipv4_packet [
	generic	ipv4_packet_t[flags[ipv4_types, int8], array[int8]]
	tcp	ipv4_packet_t[const[IPPROTO_TCP, int8], tcp_packet]
	udp	ipv4_packet_t[const[IPPROTO_UDP, int8], udp_packet]
	icmp	ipv4_packet_t[const[IPPROTO_ICMP, int8], icmp_packet]
	dccp	ipv4_packet_t[const[IPPROTO_DCCP, int8], dccp_packet]
	igmp	ipv4_packet_t[const[IPPROTO_IGMP, int8], igmp_packet]
	gre	ipv4_packet_t[const[IPPROTO_GRE, int8], gre_packet]
# TODO: what proto do we need for tipc (there is no IPPROTO_TIPC)?
	tipc	ipv4_packet_t[const[IPPROTO_TCP, int8], tipc_packet]
] [varlen]

################################################################################
##################################### IPv6 #####################################
################################################################################

# https://tools.ietf.org/html/rfc2460#section-3
# https://en.wikipedia.org/wiki/IPv6_packet#Fixed_header

include <uapi/linux/in6.h>
include <uapi/linux/ipv6.h>
include <uapi/linux/seg6.h>
include <uapi/linux/ip6_tunnel.h>
include <net/ipv6.h>

# Next-header values used by the generic IPv6 packet and by the extension headers.
ipv6_types = IPPROTO_IP, IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_EGP, IPPROTO_PUP, IPPROTO_UDP, IPPROTO_IDP, IPPROTO_TP, IPPROTO_DCCP, IPPROTO_IPV6, IPPROTO_RSVP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH, IPPROTO_MTP, IPPROTO_BEETPH, IPPROTO_ENCAP, IPPROTO_PIM, IPPROTO_COMP, IPPROTO_SCTP, IPPROTO_UDPLITE, IPPROTO_MPLS, IPPROTO_RAW, IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_ICMPV6, IPPROTO_NONE, IPPROTO_DSTOPTS, IPPROTO_MH, NEXTHDR_HOP, NEXTHDR_ROUTING, NEXTHDR_FRAGMENT, NEXTHDR_GRE, NEXTHDR_ESP, NEXTHDR_AUTH, NEXTHDR_ICMP, NEXTHDR_NONE, NEXTHDR_DEST, NEXTHDR_MOBILITY, IPPROTO_L2TP

# :: (all zero).
ipv6_addr_empty {
	a0	array[const[0x0, int8], 16]
} [packed, align[4]]

# fe80::X with a caller-chosen last octet.
type ipv6_addr_t[LAST] {
	a0	const[0xfe, int8]
	a1	const[0x80, int8]
	a2	array[const[0x0, int8], 13]
	a3	LAST
} [packed, align[4]]

# fe88:: prefix; the last two octets are {0,1} and a per-process value starting at 1.
ipv6_addr_initdev {
	a0	const[0xfe, int8]
	a1	const[0x88, int8]
	a2	array[const[0x0, int8], 12]
	a3	int8[0:1]
	a4	proc[1, 1, int8]
} [packed, align[4]]

# ::1
ipv6_addr_loopback {
	a0	const[0, int64be]
	a1	const[1, int64be]
} [packed, align[4]]

# IPv4-mapped address ::ffff:a.b.c.d built from an ipv4_addr.
ipv6_addr_ipv4 {
	a0	array[const[0x0, int8], 10]
	a1	array[const[0xff, int8], 2]
	a3	ipv4_addr
} [packed, align[4]]

# ff01::1
ipv6_addr_multicast1 {
	a0	const[0xff, int8]
	a1	const[0x1, int8]
	a2	array[const[0x0, int8], 13]
	a3	const[0x1, int8]
} [packed, align[4]]

# ff02::1
ipv6_addr_multicast2 {
	a0	const[0xff, int8]
	a1	const[0x2, int8]
	a2	array[const[0x0, int8], 13]
	a3	const[0x1, int8]
} [packed, align[4]]

# fcXX::{0,1} where XX is the template argument.
type ipv6_addr_private[BYTE2] {
	a0	const[0xfc, int8]
	a1	const[BYTE2, int8]
	a2	array[const[0x0, int8], 13]
	a3	int8[0:1]
} [packed, align[4]]

# Hex-encoded 16-byte addresses: 2001::, 2001::1 and 2001::2.
ipv6_addr_random = `20010000000000000000000000000000`, `20010000000000000000000000000001`, `20010000000000000000000000000002`

# All IPv6 address shapes the fuzzer may pick; the union is fixed at 16 bytes.
# As with ipv4_addr there is no fully random option.
ipv6_addr [
# Few public random addresses
	rand_addr	stringnoz[ipv6_addr_random]
	empty	ipv6_addr_empty
# These correspond to LOCAL_IPV6/REMOTE_IPV6/DEV_IPV6 in executor/common_linux.h
	local	ipv6_addr_t[const[0xaa, int8]]
	remote	ipv6_addr_t[const[0xbb, int8]]
	dev	ipv6_addr_t[netdev_addr_id]
	initdev	ipv6_addr_initdev
# Some special addresses:
	loopback	ipv6_addr_loopback
	ipv4	ipv6_addr_ipv4
	mcast1	ipv6_addr_multicast1
	mcast2	ipv6_addr_multicast2
# Several custom private ranges with 2 addresses each: fc0X::/127.
# Can be used for custom things within the tested image.
	private0	ipv6_addr_private[0]
	private1	ipv6_addr_private[1]
	private2	ipv6_addr_private[2]
] [size[16]]

# Four 32-bit words, each drawn from the IPv4 mask value set.
type ipv6_addr_mask array[flags[ipv4_addr_mask_vals, int32be], 4]

# TODO: Describe more types of headers
# NEXTHDR_HOP, NEXTHDR_TCP, NEXTHDR_UDP, NEXTHDR_IPV6, NEXTHDR_FRAGMENT, NEXTHDR_GRE, NEXTHDR_ESP, NEXTHDR_AUTH, NEXTHDR_ICMP, NEXTHDR_NONE, NEXTHDR_DEST, NEXTHDR_SCTP, NEXTHDR_MOBILITY
# https://tools.ietf.org/html/rfc2402
# https://tools.ietf.org/html/rfc2406
# https://tools.ietf.org/html/rfc3775

# https://tools.ietf.org/html/rfc2460#section-4
# The length field in each of the extension headers specifies the
# length of the header in 8-octet units not including the first 8 octets.
# One IPv6 extension header. Only these five kinds are described; ipv6_packet_payload
# places an array of them in front of the upper-layer payload.
ipv6_ext_header [
	hopopts	ipv6_hopopts_ext_header
	routing	ipv6_rt_hdr
	srh	ipv6_sr_hdr
	fragment	ipv6_fragment_ext_header
	dstopts	ipv6_dstopts_ext_header
] [varlen]

# Hop-by-hop options header.
# next_header + length + pad occupy exactly the first 8 octets, so
# bytesize8[options] equals the header length excluding the first 8 octets.
ipv6_hopopts_ext_header {
	next_header	flags[ipv6_types, int8]
	length	bytesize8[options, int8]
	pad	array[const[0, int8], 6]
	options	array[ipv6_tlv_option]
} [packed, align[8]]

ipv6_routing_types = IPV6_SRCRT_STRICT, IPV6_SRCRT_TYPE_0, IPV6_SRCRT_TYPE_2

# Routing header. length is computed from the address list; segments_left is
# fuzzer-chosen and is not tied to the number of addresses in data.
ipv6_rt_hdr {
	next_header	flags[ipv6_types, int8]
	length	bytesize8[data, int8]
	routing_type	flags[ipv6_routing_types, int8]
	segments_left	int8
	reserved	const[0, int32]
	data	array[ipv6_addr]
} [packed, align[8]]

# Segment routing header (routing type IPV6_SRCRT_TYPE_4).
# hdrlen and segments_left are both computed from segments (size in 8-octet
# units and element count respectively); first_segment and tag are fuzzer-chosen.
# No HMAC TLV is ever appended, even when SR6_FLAG1_HMAC is selected (see TODO).
ipv6_sr_hdr {
	nexthdr	flags[ipv6_types, int8]
	hdrlen	bytesize8[segments, int8]
	type	const[IPV6_SRCRT_TYPE_4, int8]
	segments_left	len[segments, int8]
	first_segment	int8
	flags	flags[ipv6_sr_flags, int8]
	tag	int16
	segments	array[ipv6_addr]
# TODO: this may be followed by sr6_tlv_hmac if SR6_FLAG1_HMAC is set.
# However, if we place it here, we won't be able to calculate hdrlen (len of 2 fields),
# and if we move segments and sr6_tlv_hmac into a separate struct,
# we won't be able to calculate segments_left because it will need to
# refer to a field of a subobject. What may help is allowing specifying
# subfields as len/bytesize targets, e.g. "len[payload.segments]", or "bytesize[parent_struct.foo]".
} [packed, align[8]]

ipv6_sr_flags = SR6_FLAG1_PROTECTED, SR6_FLAG1_OAM, SR6_FLAG1_ALERT, SR6_FLAG1_HMAC

# Fragment header. The fragment offset is split into a high octet and a 5-bit
# low part; identification is limited to 100..104.
# NOTE(review): identification is int32 rather than int32be - confirm the byte order is intended.
ipv6_fragment_ext_header {
	next_header	flags[ipv6_types, int8]
	reserved1	const[0, int8]
	fragment_off_hi	int8
	m_flag	int8:1
	reserved2	const[0, int8:2]
	fragment_off_lo	int8:5
	identification	int32[100:104]
} [packed, align[8]]

# Destination options header; same layout as the hop-by-hop options header.
ipv6_dstopts_ext_header {
	next_header	flags[ipv6_types, int8]
	length	bytesize8[options, int8]
	pad	array[const[0, int8], 6]
	options	array[ipv6_tlv_option]
} [packed, align[8]]

# One TLV option carried in a hop-by-hop or destination options header.
ipv6_tlv_option [
	generic	ipv6_tlv_generic
	pad1	ipv6_tlv_pad1
	padn	ipv6_tlv_padn
	ra	ipv6_tlv_ra
	jumbo	ipv6_tlv_jumbo
	calipso	ipv6_tlv_calipso
	hao	ipv6_tlv_hao
	enc_lim	ipv6_tlv_enc_lim
] [varlen]

# Arbitrary option type with a correct length and unstructured data.
ipv6_tlv_generic {
	type	int8
	length	len[data, int8]
	data	array[int8]
} [packed]

# NOTE(review): RFC 2460 section 4.2 defines Pad1 as a single octet with no
# length or data; this layout emits three octets - confirm this is intended.
ipv6_tlv_pad1 {
	type	const[IPV6_TLV_PAD1, int8]
	len	const[1, int8]
	pad	const[0, int8]
} [packed]

# PadN: length is computed from a variable number of zero octets.
ipv6_tlv_padn {
	type	const[IPV6_TLV_PADN, int8]
	len	len[pad, int8]
	pad	array[const[0, int8]]
} [packed]

# Router alert option with a fuzzer-chosen 16-bit value.
ipv6_tlv_ra {
	type	const[IPV6_TLV_ROUTERALERT, int8]
	len	const[2, int8]
	ra	int16be
} [packed]

# Jumbo payload option; pkt_len is fuzzer-chosen and not tied to the real packet size.
ipv6_tlv_jumbo {
	type	const[IPV6_TLV_JUMBO, int8]
	len	const[4, int8]
	pkt_len	int32be
} [packed]

# https://tools.ietf.org/html/rfc5570#section-5.1
# CALIPSO labelling option; len is the byte size of the payload.
ipv6_tlv_calipso {
	type	const[IPV6_TLV_CALIPSO, int8]
	len	bytesize[payload, int8]
	payload	ipv6_tlv_calipso_payload
} [packed]

# TODO: checksum is generally incorrect.
# CALIPSO option body. compartment_length is computed in 4-byte units from the
# bitmap; checksum is a plain fuzzer-chosen int16, not a computed value.
ipv6_tlv_calipso_payload {
	domain	flags[calipso_doi, int32be]
	compartment_length	bytesize4[compartment_bitmap, int8]
	sensitivity_level	int8
	checksum	int16
	compartment_bitmap	array[int64]
} [packed]

calipso_doi = 0, 1, 2, 3

# Home address option; len is the byte size of addr.
ipv6_tlv_hao {
	type	const[IPV6_TLV_HAO, int8]
	len	bytesize[addr, int8]
	addr	ipv6_addr
} [packed]

# Tunnel encapsulation limit option.
ipv6_tlv_enc_lim {
	type	const[IPV6_TLV_TNL_ENCAP_LIMIT, int8]
	len	const[1, int8]
	encap_limit	int8
} [packed]

# IPv6 packet variants. In every structured variant next_header is a constant
# matching the payload, except tipc_packet which is carried as IPPROTO_TCP (see TODO).
# icmpv6_packet, dccp_packet and tipc_packet are not defined in this part of the file.
ipv6_packet [
	generic	ipv6_packet_t[flags[ipv6_types, int8], array[int8]]
	tcp	ipv6_packet_t[const[IPPROTO_TCP, int8], tcp_packet]
	udp	ipv6_packet_t[const[IPPROTO_UDP, int8], udp_packet]
	icmpv6	ipv6_packet_t[const[IPPROTO_ICMPV6, int8], icmpv6_packet]
	dccp_packet	ipv6_packet_t[const[IPPROTO_DCCP, int8], dccp_packet]
	gre_packet	ipv6_packet_t[const[IPPROTO_GRE, int8], gre_packet]
# TODO: what proto do we need for tipc (there is no IPPROTO_TIPC)?
	tipc_packet	ipv6_packet_t[const[IPPROTO_TCP, int8], tipc_packet]
] [varlen]

# IPv6 fixed header plus payload.
# length is computed from payload (extension headers included); version is
# always 6; hop_limit comes from hop_limits.
# The fixed header's next_header is always PROTO, even when extension headers
# are present in the payload.
type ipv6_packet_t[PROTO, PAYLOAD] {
	priority	int8:4
	version	const[6, int8:4]
# TODO: flow_label is actually 20 bits, 4 bits are part of priority
	flow_label	array[int8, 3]
	length	len[payload, int16be]
	next_header	PROTO
	hop_limit	flags[hop_limits, int8]
	src_ip	ipv6_addr
	dst_ip	ipv6_addr
	payload	ipv6_packet_payload[PAYLOAD]
} [packed]

# Zero or more extension headers followed by the upper-layer payload.
type ipv6_packet_payload[PAYLOAD] {
	ext_headers	array[ipv6_ext_header]
	payload	PAYLOAD
} [packed]

################################################################################
###################################### TCP #####################################
################################################################################

# https://tools.ietf.org/html/rfc793#section-3.1
# https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
# http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml

include <net/tcp.h>
include <uapi/linux/tcp.h>

# One TCP option. tcp_mptcp_option is not defined in this part of the file.
tcp_option [
	generic	tcp_generic_option
	nop	tcp_nop_option
	eol	tcp_eol_option
	mss	tcp_mss_option
	window	tcp_window_option
	sack_perm	tcp_sack_perm_option
	sack	tcp_sack_option
	timestamp	tcp_timestamp_option
	md5sig	tcp_md5sig_option
	fastopen	tcp_fastopen_option
	exp_fastopen	tcp_exp_fastopen_option
	exp_smc	tcp_exp_smc_option
	mptcp	tcp_mptcp_option
] [varlen]

tcp_option_types = TCPOPT_NOP, TCPOPT_EOL, TCPOPT_MSS, TCPOPT_WINDOW, TCPOPT_SACK_PERM, TCPOPT_SACK, TCPOPT_TIMESTAMP, TCPOPT_MD5SIG, TCPOPT_FASTOPEN, TCPOPT_EXP

# Known option kind with a correct length (size of the whole option) and 0..16 opaque bytes.
tcp_generic_option {
	type	flags[tcp_option_types, int8]
	length	len[parent, int8]
	data	array[int8, 0:16]
} [packed]

# https://tools.ietf.org/html/rfc793#section-3.1
# Single-octet option, no length field.
tcp_nop_option {
	type	const[TCPOPT_NOP, int8]
} [packed]

# https://tools.ietf.org/html/rfc793#section-3.1
# Single-octet option, no length field.
tcp_eol_option {
	type	const[TCPOPT_EOL, int8]
} [packed]

# https://tools.ietf.org/html/rfc793#section-3.1
# NOTE(review): seg_size is int16 rather than int16be - confirm the byte order is intended.
tcp_mss_option {
	type	const[TCPOPT_MSS, int8]
	length	len[parent, int8]
	seg_size	int16
} [packed]

# https://tools.ietf.org/html/rfc7323#section-2
# Window scale option; shift is unconstrained.
tcp_window_option {
	type	const[TCPOPT_WINDOW, int8]
	length	len[parent, int8]
	shift	int8
} [packed]

# https://tools.ietf.org/html/rfc2018#section-2
tcp_sack_perm_option {
	type	const[TCPOPT_SACK_PERM, int8]
	length	len[parent, int8]
} [packed]

# https://tools.ietf.org/html/rfc2018#section-3
# SACK blocks as a flat list of 32-bit values; the count is not forced to be even.
tcp_sack_option {
	type	const[TCPOPT_SACK, int8]
	length	len[parent, int8]
	data	array[int32be]
} [packed]

# https://tools.ietf.org/html/rfc7323#section-3
tcp_timestamp_option {
	type	const[TCPOPT_TIMESTAMP, int8]
	length	len[parent, int8]
	tsval	int32be
	tsecr	int32be
} [packed]

# https://tools.ietf.org/html/rfc2385#section-3.0
# md5 is 16 fuzzer-chosen bytes, not a digest computed over the segment.
tcp_md5sig_option {
	type	const[TCPOPT_MD5SIG, int8]
	length	len[parent, int8]
	md5	array[int8, 16]
} [packed]

# https://tools.ietf.org/html/rfc7413#section-4.1.1
# Fast Open option with a 0..16 byte cookie.
tcp_fastopen_option {
	type	const[TCPOPT_FASTOPEN, int8]
	length	len[parent, int8]
	data	array[int8, 0:16]
} [packed]

# Experimental-kind option carrying the Fast Open magic as subtype.
tcp_exp_fastopen_option {
	type	const[TCPOPT_EXP, int8]
	length	len[parent, int8]
	subtype	const[TCPOPT_FASTOPEN_MAGIC, int16be]
	data	array[int8, 0:16]
} [packed]

# Experimental-kind option carrying the SMC magic as subtype.
tcp_exp_smc_option {
	type	const[TCPOPT_EXP, int8]
	length	len[parent, int8]
	subtype	const[TCPOPT_SMC_MAGIC, int32be]
} [packed]

# Option list, aligned to 4 bytes so that the header length stays a multiple of 4.
tcp_options {
	options	array[tcp_option]
} [packed, align[4]]

tcp_flags = TCPHDR_FIN, TCPHDR_SYN, TCPHDR_RST, TCPHDR_PSH, TCPHDR_ACK, TCPHDR_URG, TCPHDR_ECE, TCPHDR_CWR, TCPHDR_SYN_ECN

# TCP header.
# seq_num/ack_num are tcp_seq_num resources, so they can reuse values returned
# by syz_extract_tcp_res. data_off is the header size in 4-byte units; csum is a
# pseudo-header checksum over the whole tcp_packet.
# sock_port is not defined in this part of the file.
tcp_header {
	src_port	sock_port
	dst_port	sock_port
	seq_num	tcp_seq_num
	ack_num	tcp_seq_num
	ns	int8:1
	reserved	const[0, int8:3]
	data_off	bytesize4[parent, int8:4]
	flags	flags[tcp_flags, int8]
	window_size	int16be
	csum	csum[tcp_packet, pseudo, IPPROTO_TCP, int16be]
	urg_ptr	int16be
	options	tcp_options
} [packed]

tcp_packet {
	header	tcp_header
	payload	tcp_payload
} [packed]

# Unstructured TCP payload bytes.
tcp_payload {
	payload	array[int8]
} [packed]

################################################################################
###################################### UDP #####################################
################################################################################

# https://tools.ietf.org/html/rfc768
# https://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure

include <net/gue.h>

# UDP datagram. length is the size of the whole datagram; csum is a
# pseudo-header checksum over the datagram.
udp_packet {
	src_port	sock_port
	dst_port	sock_port
	length	len[parent, int16be]
	csum	csum[parent, pseudo, IPPROTO_UDP, int16be]
	payload	udp_payload
} [packed]

# UDP payload: opaque bytes, a GUE packet or a wg_packet
# (wg_packet is not defined in this part of the file).
udp_payload [
	opaque	array[int8]
	gue	gue_packet
	wg	wg_packet
] [varlen]

# GUE header followed by opaque data.
gue_packet {
	hdr	guehdr
	opaque	array[int8]
} [packed]

# GUE header. hlen is computed as the size of this struct in 4-byte units.
# The private-flags word is optional and is generated independently of
# whether GUE_FLAG_PRIV is set in flags.
guehdr {
	hlen	bytesize4[parent, int8:5]
	control	int8:1
	version	int8:2
	proto_ctype	int8
	flags	flags[guehdr_flags, int16]
	priv	optional[flags[guehdr_prov_flags, int32]]
} [packed]

guehdr_flags = GUE_FLAG_PRIV
guehdr_prov_flags = GUE_PFLAG_REMCSUM

################################################################################
###################################### GRE #####################################
################################################################################

# https://en.wikipedia.org/wiki/Generic_Routing_Encapsulation

include <net/gre.h>

# NOTE(review): this is declared with braces, i.e. as a struct, so all six
# members are emitted back to back; a union choosing one of them would use
# [ ... ] [varlen] like the other packet types in this file - confirm intent.
gre_packet {
	pptp	gre_packet_pptp
# TODO: add more packets
# TODO: the payload should be ipv4_packet/ipv6_packet, but this creates recursion
# ipv4 -> gre -> ipv4 -> ...
	cisco_ipv4	gre_packet_cisco[ETH_P_IP, array[int8]]
	cisco_ipv6	gre_packet_cisco[ETH_P_IPV6, array[int8]]
	erspan1	gre_packet_erspan[ETH_P_ERSPAN, erspan_md1_msg]
	erspan2	gre_packet_erspan[ETH_P_ERSPAN2, erspan_md2_msg]
	teb	gre_packet_erspan[ETH_P_TEB, array[int8]]
} [packed]

# GRE header with version 0. The C/K/S flag bits are fuzzer-chosen while the
# number of optional 16-bit words in add (0..3) is chosen independently, so the
# flags need not match the optional fields actually present.
type gre_packet_cisco[PROTO, PAYLOAD] {
	C	int16:1
	R	const[0, int16:1]
	K	int16:1
	S	int16:1
	reserved	const[0, int16:9]
	version	const[0, int16:3]
	protocol	const[PROTO, int16be]
# checksum, key, sequence number
	add	array[int16be, 0:3]
	payload	PAYLOAD
} [packed]

# GRE header as used by PPTP: version 1, K always set, C and R always clear,
# protocol fixed to 0x880b. payload_len is the byte size of the PPP payload.
# pptp_call_id is not defined in this part of the file.
gre_packet_pptp {
	C	const[0, int16:1]
	R	const[0, int16:1]
	K	const[1, int16:1]
	S	int16:1
	reserved	const[0, int16:4]
	A	int16:1
	flags	const[0, int16:4]
	version	const[1, int16:3]
	protocol	const[0x880b, int16be]
	payload_len	bytesize[payload, int16be]
	key_call_id	pptp_call_id
# sequence/ack number
	add	array[int16be, 0:2]
	payload	ppp_packet
} [packed]

# PPP payload is unstructured bytes.
type ppp_packet array[int8]

# GRE header used for ERSPAN/TEB payloads: first 16-bit word fixed to 8
# (declared int16, not int16be), constant protocol, seq limited to 0..4.
type gre_packet_erspan[PROTO, PAYLOAD] {
	H	const[8, int16]
	protocol	const[PROTO, int16be]
	seq	int32be[0:4]
	payload	PAYLOAD
} [packed]

################################################################################
##################################### ERSPAN ###################################
################################################################################

include <net/erspan.h>
include <uapi/linux/erspan.h>

# ERSPAN base header (4 octets of bitfields) with a constant version nibble.
type erspan_base_hdr[VER] {
	vlan_upper	int8:4
	ver	const[VER, int8:4]
	vlan	int8:8
	session_id_upper	int8:2
	t	int8:1
	en	int8:2
	cos	int8:3
	session_id	int8:8
} [packed]

# ERSPAN version 1 metadata.
erspan_md1 {
	index	int32be
} [packed]

# NOTE(review): unlike most structs in this file this one is not [packed];
# version is int32 rather than int32be - confirm both are intended.
erspan_md1_msg {
	base	erspan_base_hdr[1]
	version	const[1, int32]
	payload	erspan_md1
}

# ERSPAN version 2 metadata.
# NOTE(review): the last four bitfields (o, gra, dir, hwid) add up to 5 bits
# rather than a full octet - verify the hwid width against struct erspan_md2
# in the included headers.
erspan_md2 {
	timestamp	int32be
	sgt	int16be
	hwid_upper	int8:2
	ft	int8:5
	p	int8:1
	o	int8:1
	gra	int8:2
	dir	int8:1
	hwid	int8:1
} [packed]

# Same shape as erspan_md1_msg, for version 2 (also not [packed]).
erspan_md2_msg {
	base	erspan_base_hdr[2]
	version	const[2, int32]
	payload	erspan_md2
}

################################################################################
###################################### ICMP ####################################
################################################################################

# https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#ICMP_datagram_structure
# https://tools.ietf.org/html/rfc792
# https://tools.ietf.org/html/rfc4884#section-4.1
# http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

include <uapi/linux/icmp.h>

# IPv4 header embedded in ICMP error messages (the "offending" packet header).
# Unlike ipv4_header, total_len, frag_off and csum are plain fuzzer-chosen
# values here; only ihl is computed.
icmp_ipv4_header {
	ihl	bytesize4[parent, int8:4]
	version	const[4, int8:4]
	ecn	int8:2
	dscp	int8:6
	total_len	int16be
	id	icmp_id
	frag_off	int16be
	ttl	int8
	protocol	flags[ipv4_types, int8]
	csum	int16be
	src_ip	ipv4_addr
	dst_ip	ipv4_addr
	options	ipv4_options
} [packed]

# In all ICMP messages below, csum is the Internet checksum over the message.
icmp_echo_reply_packet {
	type	const[ICMP_ECHOREPLY, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	icmp_id
	seq_num	int16be
	data	array[int8]
} [packed]

# Same 100..104 range as the id field of ipv4_header.
type icmp_id int16be[100:104]

icmp_dest_unreach_codes = ICMP_NET_UNREACH, ICMP_HOST_UNREACH, ICMP_PROT_UNREACH, ICMP_PORT_UNREACH, ICMP_FRAG_NEEDED, ICMP_SR_FAILED, ICMP_NET_UNKNOWN, ICMP_HOST_UNKNOWN, ICMP_HOST_ISOLATED, ICMP_NET_ANO, ICMP_HOST_ANO, ICMP_NET_UNR_TOS, ICMP_HOST_UNR_TOS, ICMP_PKT_FILTERED, ICMP_PREC_VIOLATION, ICMP_PREC_CUTOFF

# Destination unreachable: embedded IPv4 header plus 0..8 bytes of the original
# datagram. length and mtu are fuzzer-chosen.
icmp_dest_unreach_packet {
	type	const[ICMP_DEST_UNREACH, int8]
	code	flags[icmp_dest_unreach_codes, int8]
	csum	csum[parent, inet, int16be]
	unused	const[0, int8]
	length	int8
	mtu	int16be
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

icmp_source_quench_packet {
	type	const[ICMP_SOURCE_QUENCH, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	unused	const[0, int32]
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

icmp_redirect_codes = ICMP_REDIR_NET, ICMP_REDIR_HOST, ICMP_REDIR_NETTOS, ICMP_REDIR_HOSTTOS

# Redirect: ip is an address drawn from ipv4_addr.
icmp_redirect_packet {
	type	const[ICMP_REDIRECT, int8]
	code	flags[icmp_redirect_codes, int8]
	csum	csum[parent, inet, int16be]
	ip	ipv4_addr
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

# Echo request; unlike the echo reply, id is an unconstrained int16be.
icmp_echo_packet {
	type	const[ICMP_ECHO, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	int16be
	seq_num	int16be
	data	array[int8]
} [packed]

icmp_time_exceeded_codes = ICMP_EXC_TTL, ICMP_EXC_FRAGTIME

icmp_time_exceeded_packet {
	type	const[ICMP_TIME_EXCEEDED, int8]
	code	flags[icmp_time_exceeded_codes, int8]
	csum	csum[parent, inet, int16be]
	unused1	const[0, int8]
	length	int8
	unused2	const[0, int16]
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

# Parameter problem; pointer and length are fuzzer-chosen.
icmp_parameter_prob_packet {
	type	const[ICMP_PARAMETERPROB, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	pointer	int8
	length	int8
	unused	const[0, int16]
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

icmp_timestamp_packet {
	type	const[ICMP_TIMESTAMP, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	int16be
	seq_num	int16be
	orig_ts	int32be
	recv_ts	int32be
	trans_ts	int32be
} [packed]

icmp_timestamp_reply_packet {
	type	const[ICMP_TIMESTAMPREPLY, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	int16be
	seq_num	int16be
	orig_ts	int32be
	recv_ts	int32be
	trans_ts	int32be
} [packed]

icmp_info_request_packet {
	type	const[ICMP_INFO_REQUEST, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	int16be
	seq_num	int16be
} [packed]

icmp_info_reply_packet {
	type	const[ICMP_INFO_REPLY, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	int16be
	seq_num	int16be
} [packed]

icmp_address_request_packet {
	type	const[ICMP_ADDRESS, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	mask	int32be
} [packed]

icmp_address_reply_packet {
	type	const[ICMP_ADDRESSREPLY, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	mask	int32be
} [packed]

icmp_types = ICMP_ECHOREPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_REDIRECT, ICMP_ECHO, ICMP_TIME_EXCEEDED, ICMP_PARAMETERPROB, ICMP_TIMESTAMP, ICMP_TIMESTAMPREPLY, ICMP_INFO_REQUEST, ICMP_INFO_REPLY, ICMP_ADDRESS, ICMP_ADDRESSREPLY

# One structured variant per ICMP message type; there is no generic variant
# with an arbitrary type value.
icmp_packet [
	echo_reply	icmp_echo_reply_packet
	dest_unreach	icmp_dest_unreach_packet
	source_quench	icmp_source_quench_packet
	redirect	icmp_redirect_packet
	echo	icmp_echo_packet
	time_exceeded	icmp_time_exceeded_packet
	parameter_prob	icmp_parameter_prob_packet
	timestamp	icmp_timestamp_packet
	timestamp_reply	icmp_timestamp_reply_packet
	info_request	icmp_info_request_packet
	info_reply	icmp_info_reply_packet
	address_request	icmp_address_request_packet
	address_reply	icmp_address_reply_packet
] [varlen]

################################################################################
##################################### ICMPv6 ###################################
################################################################################

# https://tools.ietf.org/html/rfc4443
# http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml

include <uapi/linux/icmpv6.h>

icmpv6_ipv6_packet {
	priority	int8:4
	version	const[6, int8:4]
flow_label array[int8, 3] 1142 length int16be 1143 next_header flags[ipv6_types, int8] 1144 hop_limit flags[hop_limits, int8] 1145 src_ip ipv6_addr 1146 dst_ip ipv6_addr 1147 ext_headers array[ipv6_ext_header] 1148 data array[int8] 1149 } [packed] 1150 1151 icmpv6_dest_unreach_codes = ICMPV6_NOROUTE, ICMPV6_ADM_PROHIBITED, ICMPV6_NOT_NEIGHBOUR, ICMPV6_ADDR_UNREACH, ICMPV6_PORT_UNREACH, ICMPV6_POLICY_FAIL, ICMPV6_REJECT_ROUTE 1152 1153 icmpv6_dest_unreach_packet { 1154 type const[ICMPV6_DEST_UNREACH, int8] 1155 code flags[icmpv6_dest_unreach_codes, int8] 1156 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1157 length int8 1158 unused array[const[0, int8], 3] 1159 packet icmpv6_ipv6_packet 1160 } [packed] 1161 1162 icmpv6_pkt_toobig_packet { 1163 type const[ICMPV6_PKT_TOOBIG, int8] 1164 code const[0, int8] 1165 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1166 mtu int32be 1167 packet icmpv6_ipv6_packet 1168 } [packed] 1169 1170 icmpv6_time_exceed_codes = ICMPV6_EXC_HOPLIMIT, ICMPV6_EXC_FRAGTIME 1171 1172 icmpv6_time_exceed_packet { 1173 type const[ICMPV6_TIME_EXCEED, int8] 1174 code flags[icmpv6_time_exceed_codes, int8] 1175 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1176 length int8 1177 unused array[const[0, int8], 3] 1178 packet icmpv6_ipv6_packet 1179 } [packed] 1180 1181 icmpv6_param_prob_codes = ICMPV6_HDR_FIELD, ICMPV6_UNK_NEXTHDR, ICMPV6_UNK_OPTION 1182 1183 icmpv6_param_prob_packet { 1184 type const[ICMPV6_PARAMPROB, int8] 1185 code flags[icmpv6_param_prob_codes, int8] 1186 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1187 pointer int32be 1188 packet icmpv6_ipv6_packet 1189 } [packed] 1190 1191 icmpv6_echo_request_packet { 1192 type const[ICMPV6_ECHO_REQUEST, int8] 1193 code const[0, int8] 1194 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1195 id int16be 1196 seq_num int16be 1197 data array[int8] 1198 } [packed] 1199 1200 icmpv6_echo_reply_packet { 1201 type const[ICMPV6_ECHO_REPLY, int8] 1202 code const[0, int8] 1203 csum 
csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1204 id int16be 1205 seq_num int16be 1206 data array[int8] 1207 } [packed] 1208 1209 icmpv6_mld_types = ICMPV6_MGM_QUERY, ICMPV6_MGM_REPORT, ICMPV6_MGM_REDUCTION 1210 1211 # https://tools.ietf.org/html/rfc2710#section-3 1212 icmpv6_mld_packet { 1213 type flags[icmpv6_mld_types, int8] 1214 code const[0, int8] 1215 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1216 mrd int16be 1217 unused int16 1218 addr ipv6_addr 1219 } [packed] 1220 1221 # https://tools.ietf.org/html/rfc3810#section-5.1 1222 icmpv6_mldv2_listener_query_packet { 1223 type const[ICMPV6_MGM_QUERY, int8] 1224 code const[0, int8] 1225 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1226 mrd int16be 1227 unused int16 1228 mca ipv6_addr 1229 qrv int8:3 1230 suppress int8:1 1231 resv2 int8:4 1232 qqic int8 1233 nsrcs len[srcs, int16be] 1234 srcs array[ipv6_addr] 1235 } [packed] 1236 1237 icmpv6_mldv2_grec { 1238 type int8 1239 auxwords len[aux, int8] 1240 nsrcs len[srcs, int16be] 1241 mca ipv6_addr 1242 srcs array[ipv6_addr] 1243 aux array[int32] 1244 } [packed] 1245 1246 # https://tools.ietf.org/html/rfc3810#section-5.2 1247 icmpv6_mldv2_listener_report_packet { 1248 type const[ICMPV6_MLD2_REPORT, int8] 1249 code const[0, int8] 1250 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1251 unused int16 1252 ngrec len[grec, int16be] 1253 grec array[icmpv6_mldv2_grec] 1254 } [packed] 1255 1256 icmpv6_ni_types = ICMPV6_NI_QUERY, ICMPV6_NI_REPLY 1257 1258 # https://tools.ietf.org/html/rfc4620#section-4 1259 icmpv6_ni_packet { 1260 type flags[icmpv6_ni_types, int8] 1261 code const[0, int8] 1262 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1263 qtype int16be 1264 flags int16be 1265 nonce int64be 1266 data array[int8] 1267 } [packed] 1268 1269 icmpv6_ndisc_option_types = ND_OPT_SOURCE_LL_ADDR, ND_OPT_TARGET_LL_ADDR, ND_OPT_PREFIX_INFO, ND_OPT_REDIRECT_HDR, ND_OPT_MTU, ND_OPT_NONCE, ND_OPT_ROUTE_INFO, ND_OPT_RDNSS, ND_OPT_DNSSL, ND_OPT_6CO 1270 1271 # 
https://tools.ietf.org/html/rfc4861#section-4.6 1272 icmpv6_ndisc_option { 1273 option_type flags[icmpv6_ndisc_option_types, int8] 1274 length bytesize8[parent, int8] 1275 # TODO: define the option formats 1276 data array[int8] 1277 } [packed] 1278 1279 # https://tools.ietf.org/html/rfc4861#section-4.1 1280 icmpv6_ndisc_router_solicit_packet { 1281 type const[NDISC_ROUTER_SOLICITATION, int8] 1282 code const[0, int8] 1283 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1284 unused array[const[0, int8], 4] 1285 options array[icmpv6_ndisc_option] 1286 } [packed] 1287 1288 # https://tools.ietf.org/html/rfc4861#section-4.2 1289 icmpv6_ndisc_router_advert_packet { 1290 type const[NDISC_ROUTER_ADVERTISEMENT, int8] 1291 code const[0, int8] 1292 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1293 cur_hop_limit flags[hop_limits, int8] 1294 # TODO: Implement bitflags for the router advert flags 1295 router_flags int8 1296 router_lifetime int16 1297 reachable_time int32 1298 retrans_time int32 1299 options array[icmpv6_ndisc_option] 1300 } [packed] 1301 1302 # https://tools.ietf.org/html/rfc4861#section-4.3 1303 icmpv6_ndisc_neigh_solicit_packet { 1304 type const[NDISC_NEIGHBOUR_SOLICITATION, int8] 1305 code const[0, int8] 1306 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1307 target_addr ipv6_addr 1308 options array[icmpv6_ndisc_option] 1309 } [packed] 1310 1311 # https://tools.ietf.org/html/rfc4861#section-4.4 1312 icmpv6_ndisc_neigh_advert_packet { 1313 type const[NDISC_NEIGHBOUR_ADVERTISEMENT, int8] 1314 code const[0, int8] 1315 csum csum[parent, pseudo, IPPROTO_ICMPV6, int16be] 1316 # TODO: Implement bitflags for the neighbor advert flags 1317 neighbor_flags int8 1318 unused array[const[0, int8], 3] 1319 target_addr ipv6_addr 1320 options array[icmpv6_ndisc_option] 1321 } [packed] 1322 1323 # https://tools.ietf.org/html/rfc4861#section-4.5 1324 icmpv6_ndisc_redir_packet { 1325 type const[NDISC_REDIRECT, int8] 1326 code const[0, int8] 1327 csum csum[parent, 
pseudo, IPPROTO_ICMPV6, int16be] 1328 unused array[const[0, int8], 4] 1329 target_addr ipv6_addr 1330 dst_addr ipv6_addr 1331 options array[icmpv6_ndisc_option] 1332 } [packed] 1333 1334 icmpv6_packet [ 1335 dest_unreach icmpv6_dest_unreach_packet 1336 pkt_toobig icmpv6_pkt_toobig_packet 1337 time_exceed icmpv6_time_exceed_packet 1338 param_prob icmpv6_param_prob_packet 1339 echo_request icmpv6_echo_request_packet 1340 echo_reply icmpv6_echo_reply_packet 1341 mld icmpv6_mld_packet 1342 mlv2_query icmpv6_mldv2_listener_query_packet 1343 mlv2_report icmpv6_mldv2_listener_report_packet 1344 ni icmpv6_ni_packet 1345 ndisc_rs icmpv6_ndisc_router_solicit_packet 1346 ndisc_ra icmpv6_ndisc_router_advert_packet 1347 ndisc_na icmpv6_ndisc_neigh_advert_packet 1348 ndisc_ns icmpv6_ndisc_neigh_solicit_packet 1349 ndisc_redir icmpv6_ndisc_redir_packet 1350 # TODO: ICMPV6_DHAAD_REQUEST, ICMPV6_DHAAD_REPLY, ICMPV6_MOBILE_PREFIX_SOL, ICMPV6_MOBILE_PREFIX_ADV (with ipv6 ext headers) 1351 ] [varlen] 1352 1353 ################################################################################ 1354 ###################################### DCCP #################################### 1355 ################################################################################ 1356 1357 # https://tools.ietf.org/html/rfc4340#section-5 1358 1359 include <uapi/linux/dccp.h> 1360 1361 # TODO: describe each type 1362 dccp_types = DCCP_PKT_REQUEST, DCCP_PKT_RESPONSE, DCCP_PKT_DATA, DCCP_PKT_ACK, DCCP_PKT_DATAACK, DCCP_PKT_CLOSEREQ, DCCP_PKT_CLOSE, DCCP_PKT_RESET, DCCP_PKT_SYNC, DCCP_PKT_SYNCACK, DCCP_PKT_INVALID 1363 1364 dccp_header { 1365 src_port sock_port 1366 dst_port sock_port 1367 offset bytesize4[parent, int8] 1368 cscov const[1, int8:4] 1369 # TODO: cscov might have other values, affects checksummed data 1370 ccval int8:4 1371 csum csum[parent, pseudo, IPPROTO_DCCP, int16be] 1372 x const[0, int8:1] 1373 type flags[dccp_types, int8:4] 1374 reserved1 int8:3 1375 seq_num array[int8, 3] 1376 reserved2 
int8 1377 ack_num array[int8, 3] 1378 # TODO: seq_num and ack_num might have different size depending on x 1379 # TODO: options 1380 } [packed] 1381 1382 dccp_packet { 1383 header dccp_header 1384 payload array[int8] 1385 } [packed] 1386 1387 ################################################################################ 1388 ###################################### IGMP #################################### 1389 ################################################################################ 1390 1391 # https://tools.ietf.org/html/rfc2236 1392 # https://tools.ietf.org/html/rfc3376#section-4 1393 1394 include <uapi/linux/igmp.h> 1395 1396 igmp_types = IGMP_HOST_MEMBERSHIP_QUERY, IGMP_HOST_MEMBERSHIP_REPORT, IGMP_DVMRP, IGMP_PIM, IGMP_TRACE, IGMPV2_HOST_MEMBERSHIP_REPORT, IGMP_HOST_LEAVE_MESSAGE, IGMPV3_HOST_MEMBERSHIP_REPORT, IGMP_MTRACE_RESP, IGMP_MTRACE 1397 1398 igmp_packet { 1399 type flags[igmp_types, int8] 1400 mrtime int8 1401 csum csum[parent, inet, int16be] 1402 addr ipv4_addr 1403 data array[int8] 1404 } [packed] 1405 1406 # TODO: describe particular IGMP packets 1407 # TODO: open IGMP sockets from userspace 1408 1409 ################################################################################ 1410 ###################################### MPLS #################################### 1411 ################################################################################ 1412 1413 # https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching 1414 1415 mpls_packet { 1416 labels array[mpls_label] 1417 payload mpls_payload 1418 } [packed] 1419 1420 mpls_label { 1421 label int32be:20 1422 tc const[0, int32be:3] 1423 s int32be:1 1424 ttl const[0, int32be:8] 1425 } 1426 1427 mpls_payload [ 1428 generic array[int8] 1429 ipv4 ipv4_packet 1430 ipv6 ipv6_packet 1431 llc llc_packet 1432 ] [varlen] 1433 1434 ################################################################################ 1435 ###################################### TIPC #################################### 
1436 ################################################################################ 1437 1438 # http://tipc.sourceforge.net/protocol.html 1439 # http://tipc.sourceforge.net/protocol.html#anchor50 1440 1441 # TODO: describe more TIPC packets, the current description is far from being complete. 1442 # But first we need to ensure that syzkaller manages to enable TIPC receiving, 1443 # because currently it always crashes kernel earlier. 1444 # Also, do we need to nest TIPC packets in UDP for UDP media? 1445 1446 include <uapi/linux/tipc.h> 1447 include <net/tipc/msg.h> 1448 1449 tipc_packet [ 1450 payload_conn tipc_payload_msg[tipc_payload_hdr6[TIPC_CONN_MSG]] 1451 payload_mcast tipc_payload_msg[tipc_payload_hdr11[TIPC_MCAST_MSG]] 1452 payload_named tipc_payload_msg[tipc_payload_hdr10[TIPC_NAMED_MSG]] 1453 payload_direct tipc_payload_msg[tipc_payload_hdr8[TIPC_DIRECT_MSG]] 1454 name_distributor tipc_name_distributor_msg 1455 ] [varlen] 1456 1457 type tipc_payload_msg[HDR] { 1458 hdr tipc_payload_hdr[HDR] 1459 data array[const[0, int8]] 1460 } 1461 1462 type tipc_payload_hdr[HDR] { 1463 hdr HDR 1464 } 1465 1466 type tipc_payload_hdr6[TYP] { 1467 # w0 1468 message_size bytesize[tipc_payload_msg, int32be:17] 1469 y const[0, int32be:1] 1470 s int32be:1 1471 d int32be:1 1472 n int32be:1 1473 hsize bytesize4[tipc_payload_hdr, int32be:4] 1474 user flags[tipc_importance, int32be:4] 1475 ver const[TIPC_VERSION, int32be:3] 1476 # w1 1477 broadcast_acknowledge int32be:16 1478 res const[0, int32be:3] 1479 lcs flags[tipc_scope, int32be:2] 1480 reroute int32be:4 1481 error flags[tipc_error, int32be:4] 1482 mtype const[TYP, int32be:3] 1483 # w2 1484 link_sequence int32be:16 1485 link_acknowledge int32be:16 1486 # w3 1487 previous_node int32be[0:4] 1488 # w4 1489 originating_port int32be[20000:20004] 1490 # w5 1491 destination_port int32be[20000:20004] 1492 } [size[24]] 1493 1494 type tipc_payload_hdr8[TYP] { 1495 hdr6 tipc_payload_hdr6[TYP] 1496 # w6 1497 originating_node 
int32be[0:4] 1498 # w7 1499 destination_node int32be[0:4] 1500 } [size[32]] 1501 1502 type tipc_payload_hdr10[TYP] { 1503 hdr8 tipc_payload_hdr8[TYP] 1504 # w8 1505 name_type int32be[0:4] 1506 # w9 1507 name_instance int32be[0:4] 1508 } [size[40]] 1509 1510 type tipc_payload_hdr11[TYP] { 1511 hdr10 tipc_payload_hdr10[TYP] 1512 # w10 1513 name_sequence_upper int32be[0:4] 1514 } [size[44]] 1515 1516 tipc_name_distributor_msg { 1517 hdr tipc_name_distributor_hdr 1518 data array[tipc_name_publication] 1519 } 1520 1521 tipc_name_distributor_hdr { 1522 # w0 1523 message_size bytesize[tipc_name_distributor_msg, int32be:17] 1524 y const[0, int32be:1] 1525 s const[0, int32be:1] 1526 d const[0, int32be:1] 1527 n int32be:1 1528 hsize bytesize4[parent, int32be:4] 1529 user const[NAME_DISTRIBUTOR, int32be:4] 1530 ver const[TIPC_VERSION, int32be:3] 1531 # w1 1532 broadcast_acknowledge int32be:16 1533 res const[0, int32be:13] 1534 mtype int32be:3[0:1] 1535 # w2 1536 link_sequence int32be:16 1537 link_acknowledge int32be:16 1538 # w3 1539 previous_node int32be[0:4] 1540 # w4 1541 originating_port int32be[20000:20004] 1542 # w5 1543 destination_port int32be[20000:20004] 1544 # w6 1545 originating_node int32be[0:4] 1546 # w7 1547 destination_node int32be[0:4] 1548 # w8 1549 res1 const[0, int32be] 1550 # w9 1551 res2 const[0, int32be:23] 1552 m int32be:1 1553 item_size const[7, int32be:8] 1554 } 1555 1556 tipc_name_publication { 1557 type int32be 1558 lower_bound int32be 1559 upper_bound int32be 1560 reference int32be 1561 key int32be 1562 node int32be 1563 scope int32be:4 1564 res int32be:28 1565 } [size[28]] 1566 1567 tipc_importance = TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE, TIPC_HIGH_IMPORTANCE, TIPC_CRITICAL_IMPORTANCE 1568 tipc_error = TIPC_OK, TIPC_ERR_NO_NAME, TIPC_ERR_NO_PORT, TIPC_ERR_NO_NODE, TIPC_ERR_OVERLOAD, TIPC_CONN_SHUTDOWN 1569 tipc_scope = TIPC_CFG_SRV, TIPC_ZONE_SCOPE, TIPC_CLUSTER_SCOPE, TIPC_NODE_SCOPE