Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Use better data structure for storing BPF filters.

Browse source
This commit is contained in:
Robin Sommer 2015-11-23 19:55:02 -08:00
parent 17bc615467
commit c22a6f67d2
3 changed files with 22 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/iosource/PktSrc.cc
View file

@ -36,9 +36,7 @@ PktSrc::PktSrc()
PktSrc::~PktSrc() PktSrc::~PktSrc()
{ {
BPF_Program* code; for ( auto code : filters )
IterCookie* cookie = filters.InitForIteration();
while ( (code = filters.NextEntry(cookie)) )
delete code; delete code;
} }
@ -335,16 +333,16 @@ bool PktSrc::PrecompileBPFFilter(int index, const std::string& filter)
return 0; return 0;
} }
// Store it in hash. // Store it in vector.
HashKey* hash = new HashKey(HashKey(bro_int_t(index))); if ( index >= static_cast<int>(filters.size()) )
BPF_Program* oldcode = filters.Lookup(hash); filters.resize(index + 1);
if ( oldcode )
delete oldcode;
filters.Insert(hash, code); if ( auto old = filters[index] )
delete hash; delete old;
return 1; filters[index] = code;
return true;
} }
BPF_Program* PktSrc::GetBPFFilter(int index) BPF_Program* PktSrc::GetBPFFilter(int index)
@ -352,10 +350,7 @@ BPF_Program* PktSrc::GetBPFFilter(int index)
if ( index < 0 ) if ( index < 0 )
return 0; return 0;
HashKey* hash = new HashKey(HashKey(bro_int_t(index))); return (static_cast<int>(filters.size()) > index ? filters[index] : 0);
BPF_Program* code = filters.Lookup(hash);
delete hash;
return code;
} }
bool PktSrc::ApplyBPFFilter(int index, const struct pcap_pkthdr *hdr, const u_char *pkt) bool PktSrc::ApplyBPFFilter(int index, const struct pcap_pkthdr *hdr, const u_char *pkt)

4
src/iosource/PktSrc.h
View file

@ -3,6 +3,8 @@
#ifndef IOSOURCE_PKTSRC_PKTSRC_H #ifndef IOSOURCE_PKTSRC_PKTSRC_H
#define IOSOURCE_PKTSRC_PKTSRC_H #define IOSOURCE_PKTSRC_PKTSRC_H
#include <vector>
#include "IOSource.h" #include "IOSource.h"
#include "BPF_Program.h" #include "BPF_Program.h"
#include "Dict.h" #include "Dict.h"
@ -362,7 +364,7 @@ private:
Packet current_packet; Packet current_packet;
// For BPF filtering support. // For BPF filtering support.
PDict(BPF_Program) filters; std::vector<BPF_Program *> filters;
// Only set in pseudo-realtime mode. // Only set in pseudo-realtime mode.
double first_timestamp; double first_timestamp;

9
src/iosource/pcap/functions.bif
View file

@ -21,6 +21,15 @@ module Pcap;
## pcap_error ## pcap_error
function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool
%{ %{
if ( id->AsEnum() >= 100 )
{
// We use a vector as underlying data structure for fast
// lookups and limit the ID space so that that doesn't grow too
// large.
builtin_error(fmt("PCAP filter ids must remain below 100 (is %ld)", id->AsInt()));
return new Val(false, TYPE_BOOL);
}
bool success = true; bool success = true;
const iosource::Manager::PktSrcList& pkt_srcs(iosource_mgr->GetPktSrcs()); const iosource::Manager::PktSrcList& pkt_srcs(iosource_mgr->GetPktSrcs());