module Pcap;

const snaplen: count;
const bufsize: count;

%%{
#include "iosource/Manager.h"
%%}

## Precompiles a PCAP filter and binds it to a given identifier.
##
## id: The PCAP identifier to reference the filter *s* later on.
##
## s: The PCAP filter. See ``man tcpdump`` for valid expressions.
##
## Returns: True if *s* is valid and precompiles successfully.
##
## .. zeek:see:: Pcap::install_pcap_filter
##          install_src_addr_filter
##          install_src_net_filter
##          uninstall_src_addr_filter
##          uninstall_src_net_filter
##          install_dst_addr_filter
##          install_dst_net_filter
##          uninstall_dst_addr_filter
##          uninstall_dst_net_filter
##          Pcap::error
function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool
	%{
	if ( id->AsEnum() >= 100 )
		{
		// We use a vector as underlying data structure for fast
		// lookups and limit the ID space so that that doesn't grow too
		// large.
		zeek::emit_builtin_error(
			zeek::util::fmt("PCAP filter ids must remain below 100 (is %" PRId64 ")", id->AsInt()));
		return zeek::val_mgr->False();
		}

	bool success = true;

	zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
	if ( ps && ! ps->PrecompileFilter(id->ForceAsInt(), s->CheckString()) )
		success = false;

	return zeek::val_mgr->Bool(success);
	%}

## Installs a PCAP filter that has been precompiled with
## :zeek:id:`Pcap::precompile_pcap_filter`.
##
## id: The PCAP filter id of a precompiled filter.
##
## Returns: True if the filter associated with *id* has been installed
##          successfully.
##
## .. zeek:see:: Pcap::precompile_pcap_filter
##              install_src_addr_filter
##              install_src_net_filter
##              uninstall_src_addr_filter
##              uninstall_src_net_filter
##              install_dst_addr_filter
##              install_dst_net_filter
##              uninstall_dst_addr_filter
##              uninstall_dst_net_filter
##              Pcap::error
function Pcap::install_pcap_filter%(id: PcapFilterID%): bool
	%{
	bool success = true;

	zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
	if ( ps && ! ps->SetFilter(id->ForceAsInt()) )
		success = false;

	return zeek::val_mgr->Bool(success);
	%}

## Returns a string representation of the last PCAP error.
##
## Returns: A descriptive error message of the PCAP function that failed.
##
## .. zeek:see:: Pcap::precompile_pcap_filter
##              Pcap::install_pcap_filter
##              install_src_addr_filter
##              install_src_net_filter
##              uninstall_src_addr_filter
##              uninstall_src_net_filter
##              install_dst_addr_filter
##              install_dst_net_filter
##              uninstall_dst_addr_filter
##              uninstall_dst_net_filter
function error%(%): string
	%{
	zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
	if ( ps )
		{
		const char* err = ps->ErrorMsg();
		if ( *err )
			return zeek::make_intrusive<zeek::StringVal>(err);
		}

	return zeek::make_intrusive<zeek::StringVal>("no error");
	%}