mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
47 lines
1.4 KiB
C++
47 lines
1.4 KiB
C++
// Provides some very limited but fast packet filter mechanisms
|
|
|
|
#pragma once
|
|
|
|
#include "IPAddr.h"
|
|
#include "PrefixTable.h"
|
|
|
|
ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
|
|
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
|
|
|
|
class PacketFilter {
|
|
public:
|
|
explicit PacketFilter(bool arg_default);
|
|
~PacketFilter() {}
|
|
|
|
// Drops all packets from a particular source (which may be given
|
|
// as an AddrVal or a SubnetVal) which hasn't any of TCP flags set
|
|
// (TH_*) with the given probability (from 0..MAX_PROB).
|
|
void AddSrc(const zeek::IPAddr& src, uint32_t tcp_flags, double probability);
|
|
void AddSrc(zeek::Val* src, uint32_t tcp_flags, double probability);
|
|
void AddDst(const zeek::IPAddr& src, uint32_t tcp_flags, double probability);
|
|
void AddDst(zeek::Val* src, uint32_t tcp_flags, double probability);
|
|
|
|
// Removes the filter entry for the given src/dst
|
|
// Returns false if filter doesn not exist.
|
|
bool RemoveSrc(const zeek::IPAddr& src);
|
|
bool RemoveSrc(zeek::Val* dst);
|
|
bool RemoveDst(const zeek::IPAddr& dst);
|
|
bool RemoveDst(zeek::Val* dst);
|
|
|
|
// Returns true if packet matches a drop filter
|
|
bool Match(const zeek::IP_Hdr* ip, int len, int caplen);
|
|
|
|
private:
|
|
struct Filter {
|
|
uint32_t tcp_flags;
|
|
double probability;
|
|
};
|
|
|
|
static void DeleteFilter(void* data);
|
|
|
|
bool MatchFilter(const Filter& f, const zeek::IP_Hdr& ip, int len, int caplen);
|
|
|
|
bool default_match;
|
|
PrefixTable src_filter;
|
|
PrefixTable dst_filter;
|
|
};
|