Moving some of the BPF filtering code into base class.

This will allow packet sources that don't support BPF natively to emulate the filtering via libpcap.
2025-10-02 14:48:21 +00:00 · 2014-08-22 17:27:20 -07:00 · 2014-08-22 17:27:20 -07:00 · ce9f16490c
commit ce9f16490c
parent 0186061aa8
8 changed files with 110 additions and 85 deletions
--- a/src/iosource/pcap/BPF_Program.cc
+++ b/src/iosource/pcap/BPF_Program.cc
--- a/src/iosource/pcap/BPF_Program.h
+++ b/src/iosource/pcap/BPF_Program.h
--- a/src/iosource/CMakeLists.txt
+++ b/src/iosource/CMakeLists.txt
@ -7,6 +7,7 @@ include_directories(BEFORE
 )

 set(iosource_SRCS
+    BPF_Program.cc
    Component.cc
    Manager.cc
    PktDumper.cc
--- a/src/iosource/PktSrc.cc
+++ b/src/iosource/PktSrc.cc
@ -25,6 +25,10 @@ PktSrc::PktSrc()

 PktSrc::~PktSrc()
 	{
+	BPF_Program* code;
+	IterCookie* cookie = filters.InitForIteration();
+	while ( (code = filters.NextEntry(cookie)) )
+		delete code;
 	}

 const std::string& PktSrc::Path() const
@ -43,6 +47,11 @@ int PktSrc::LinkType() const
 	return IsOpen() ? props.link_type : -1;
 	}

+uint32 PktSrc::Netmask() const
+	{
+	return IsOpen() ? props.netmask : PCAP_NETMASK_UNKNOWN;
+	}
+
 int PktSrc::HdrSize() const
 	{
 	return IsOpen() ? props.hdr_size : -1;
@ -77,6 +86,12 @@ void PktSrc::Opened(const Properties& arg_props)
 	props = arg_props;
 	SetClosed(false);

+	if ( ! PrecompileFilter(0, props.filter) || ! SetFilter(0) )
+		{
+		Close();
+		return;
+		}
+
 	DBG_LOG(DBG_PKTIO, "Opened source %s", props.path.c_str());
 	}

@ -409,12 +424,50 @@ int PktSrc::ExtractNextPacketInternal()
 	return 0;
 	}

-int PktSrc::PrecompileFilter(int index, const std::string& filter)
+int PktSrc::PrecompileBPFFilter(int index, const std::string& filter)
 	{
+	char errbuf[PCAP_ERRBUF_SIZE];
+
+	// Compile filter.
+	BPF_Program* code = new BPF_Program();
+
+	if ( ! code->Compile(SnapLen(), LinkType(), filter.c_str(), Netmask(), errbuf, sizeof(errbuf)) )
+		{
+		Error(fmt("cannot compile BPF filter \"%s\": %s", filter.c_str(), errbuf));
+		Close();
+		delete code;
+		return 0;
+		}
+
+	// Store it in hash.
+	HashKey* hash = new HashKey(HashKey(bro_int_t(index)));
+	BPF_Program* oldcode = filters.Lookup(hash);
+	if ( oldcode )
+		delete oldcode;
+
+	filters.Insert(hash, code);
+	delete hash;
+
 	return 1;
 	}

-int PktSrc::SetFilter(int index)
+BPF_Program* PktSrc::GetBPFFilter(int index)
 	{
-	return 1;
+	HashKey* hash = new HashKey(HashKey(bro_int_t(index)));
+	BPF_Program* code = filters.Lookup(hash);
+	delete hash;
+	return code;
+	}
+
+int PktSrc::ApplyBPFFilter(int index, const struct pcap_pkthdr *hdr, const u_char *pkt)
+	{
+	BPF_Program* code = GetBPFFilter(index);
+
+	if ( ! code )
+		{
+		Error(fmt("BPF filter %d not compiled", index));
+		Close();
+		}
+
+	return pcap_offline_filter(code->GetProgram(), hdr, pkt);
 	}
--- a/src/iosource/PktSrc.h
+++ b/src/iosource/PktSrc.h
@ -8,6 +8,10 @@ extern "C" {
 }

 #include "IOSource.h"
+#include "BPF_Program.h"
+#include "Dict.h"
+
+declare(PDict,BPF_Program);

 namespace iosource {

@ -29,6 +33,7 @@ public:
 	const std::string& Filter() const;
 	bool IsLive() const;
 	int LinkType() const;
+	uint32 Netmask() const;
 	const char* ErrorMsg() const;
 	int HdrSize() const;
 	int SnapLen() const;
@ -41,7 +46,22 @@ public:
 	// going to be continued.
 	void ContinueAfterSuspend();

-	virtual void Statistics(Stats* stats) = 0;
+	// Precompiles a BPF filter and associates the given index with it.
+	// Returns true on success, 0 if a problem occurred. The compiled
+	// filter will be then available via GetBPFFilter*(.
+	int PrecompileBPFFilter(int index, const std::string& filter);
+
+	// Returns the BPF filter with the given index, as compiled by
+	// PrecompileBPFFilter(), or null if none has been (successfully)
+	// compiled.
+	BPF_Program* GetBPFFilter(int index);
+
+	// Applies a precompiled BPF filter to a packet, returning true if it
+	// maches. This will close the source with an error message if no
+	// filter with that index has been compiled.
+	int ApplyBPFFilter(int index, const struct pcap_pkthdr *hdr, const u_char *pkt);
+
+	// PacketSource interace for derived classes to override.

 	// Returns the packet last processed; false if there is no
 	// current packet available.
@ -50,12 +70,15 @@ public:
 	// Precompiles a filter and associates the given index with it.
 	// Returns true on success, 0 if a problem occurred or filtering is
 	// not supported.
-	virtual int PrecompileFilter(int index, const std::string& filter);
+	virtual int PrecompileFilter(int index, const std::string& filter) = 0;

 	// Activates the filter with the given index. Returns true on
 	// success, 0 if a problem occurred or the filtering is not
 	// supported.
-	virtual int SetFilter(int index);
+	virtual int SetFilter(int index) = 0;
+
+	// Returns current statistics about the source.
+	virtual void Statistics(Stats* stats) = 0;

 	static int GetLinkHeaderSize(int link_type);

@ -68,7 +91,13 @@ protected:
 		int selectable_fd;
 		int link_type;
 		int hdr_size;
+		uint32 netmask;
 		bool is_live;
+
+		Properties()
+			{
+			netmask = PCAP_NETMASK_UNKNOWN;
+			}
 	};

 	struct Packet {
@ -113,6 +142,9 @@ private:
 	bool have_packet;
 	Packet current_packet;

+	// For BPF filtering support.
+	PDict(BPF_Program) filters;
+
 	// Only set in pseudo-realtime mode.
 	double first_timestamp;
 	double first_wallclock;
--- a/src/iosource/pcap/CMakeLists.txt
+++ b/src/iosource/pcap/CMakeLists.txt
@ -4,5 +4,5 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})

 bro_plugin_begin(Bro Pcap)
-bro_plugin_cc(Source.cc Dumper.cc BPF_Program.cc Plugin.cc)
+bro_plugin_cc(Source.cc Dumper.cc Plugin.cc)
 bro_plugin_end()
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
@ -37,13 +37,6 @@ void PcapSource::Close()
 	if ( ! pd )
 		return;

-	BPF_Program* code;
-	IterCookie* cookie = filters.InitForIteration();
-	while ( (code = filters.NextEntry(cookie)) )
-		delete code;
-
-	filters.Clear();
-
 	pcap_close(pd);
 	pd = 0;
 	last_data = 0;
@ -56,10 +49,6 @@ void PcapSource::OpenLive()
 	char errbuf[PCAP_ERRBUF_SIZE];
 	char tmp_errbuf[PCAP_ERRBUF_SIZE];

-#if 0
-	filter_type = ft;
-#endif
-
 	// Determine interface if not specified.
 	if ( props.path.empty() )
 		props.path = pcap_lookupdev(tmp_errbuf);
@ -74,7 +63,7 @@ void PcapSource::OpenLive()

 	// Determine network and netmask.
 	uint32 net;
-	if ( pcap_lookupnet(props.path.c_str(), &net, &netmask, tmp_errbuf) < 0 )
+	if ( pcap_lookupnet(props.path.c_str(), &net, &props.netmask, tmp_errbuf) < 0 )
 		{
 		// ### The lookup can fail if no address is assigned to
 		// the interface; and libpcap doesn't have any useful notion
@ -82,7 +71,7 @@ void PcapSource::OpenLive()
 		// just kludge around the error :-(.
 		// sprintf(errbuf, "pcap_lookupnet %s", tmp_errbuf);
 		// return;
-		netmask = 0xffffff00;
+		props.netmask = 0xffffff00;
 		}

 	// We use the smallest time-out possible to return almost immediately if
@ -113,31 +102,22 @@ void PcapSource::OpenLive()

 	props.selectable_fd = pcap_fileno(pd);

-	if ( PrecompileFilter(0, props.filter) && SetFilter(0) )
-		{
 	SetHdrSize();

 	if ( ! pd )
 		// Was closed, couldn't get header size.
 		return;

-		Info(fmt("listening on %s, capture length %d bytes\n", props.path.c_str(), SnapLen()));
-		}
-	else
-		Close();
-
 	props.is_live = true;
 	Opened(props);
+
+	Info(fmt("listening on %s, capture length %d bytes\n", props.path.c_str(), SnapLen()));
 	}

 void PcapSource::OpenOffline()
 	{
 	char errbuf[PCAP_ERRBUF_SIZE];

-#if 0
-	filter_type = ft;
-#endif
-
 	pd = pcap_open_offline(props.path.c_str(), errbuf);

 	if ( ! pd )
@ -146,25 +126,16 @@ void PcapSource::OpenOffline()
 		return;
 		}

-	if ( PrecompileFilter(0, props.filter) && SetFilter(0) )
-		{
 	SetHdrSize();

 	if ( ! pd )
 		// Was closed, unknown link layer type.
 		return;

-		// We don't put file sources into non-blocking mode as
-		// otherwise we would not be able to identify the EOF.
-
 	props.selectable_fd = fileno(pcap_file(pd));

 	if ( props.selectable_fd < 0 )
 		InternalError("OS does not support selectable pcap fd");
-		}
-
-	else
-		Close();

 	props.is_live = false;
 	Opened(props);
@ -211,31 +182,7 @@ void PcapSource::DoneWithPacket(Packet* pkt)

 int PcapSource::PrecompileFilter(int index, const std::string& filter)
 	{
-	if ( ! pd )
-		return 1; // Prevent error message.
-
-	char errbuf[PCAP_ERRBUF_SIZE];
-
-	// Compile filter.
-	BPF_Program* code = new BPF_Program();
-
-	if ( ! code->Compile(pd, filter.c_str(), netmask, errbuf, sizeof(errbuf)) )
-		{
-		PcapError();
-		delete code;
-		return 0;
-		}
-
-	// Store it in hash.
-	HashKey* hash = new HashKey(HashKey(bro_int_t(index)));
-	BPF_Program* oldcode = filters.Lookup(hash);
-	if ( oldcode )
-		delete oldcode;
-
-	filters.Insert(hash, code);
-	delete hash;
-
-	return 1;
+	return PktSrc::PrecompileBPFFilter(index, filter).
 	}

 int PcapSource::SetFilter(int index)
@ -245,9 +192,7 @@ int PcapSource::SetFilter(int index)

 	char errbuf[PCAP_ERRBUF_SIZE];

-	HashKey* hash = new HashKey(HashKey(bro_int_t(index)));
-	BPF_Program* code = filters.Lookup(hash);
-	delete hash;
+	BPF_Program* code = GetFilter(index);

 	if ( ! code )
 		{
--- a/src/iosource/pcap/Source.h
+++ b/src/iosource/pcap/Source.h
@ -4,10 +4,6 @@
 #define IOSOURCE_PKTSRC_PCAP_SOURCE_H

 #include "../PktSrc.h"
-#include "BPF_Program.h"
-#include "Dict.h"
-
-declare(PDict,BPF_Program);

 namespace iosource {
 namespace pktsrc {
@ -42,8 +38,6 @@ private:
 	Stats stats;

 	pcap_t *pd;
-	uint32 netmask;
-	PDict(BPF_Program) filters;

 	struct pcap_pkthdr current_hdr;
 	struct pcap_pkthdr last_hdr;