int pfring_mod_set_bpf_filter(pfring *ring, char *filter_buffer){
int rc = 0;
#ifdef ENABLE_BPF
struct bpf_program filter;
struct sock_fprog fcode;
if (!filter_buffer)
return -1;
if(pcap_compile_nopcap(ring->caplen, /* snaplen_arg */
DLT_EN10MB, /* linktype_arg */
&filter, /* program */
filter_buffer, /* const char *buf */
0, /* optimize */
0 /* mask */
) == -1)
return -1;
if (filter.bf_insns == NULL)
return (-1);
fcode.len = filter.bf_len;
fcode.filter = filter.bf_insns;
rc = setsockopt(ring->fd, 0, SO_ATTACH_FILTER, &fcode, sizeof(fcode));
if (rc == -1) {
int dummy = 0;
setsockopt(ring->fd, SOL_SOCKET, SO_DETACH_FILTER, &dummy, sizeof(dummy));
}
#endif
return rc;
}
void
parse_bpf(ipfw_insn **cmd, int *ac, char **av[])
{
struct bpf_program program;
ipfw_insn_bpf *bpf;
int avlen;
NEXT_ARG1;
(*cmd)->opcode = O_LAYER4_BPF;
(*cmd)->module = MODULE_LAYER4_ID;
avlen = strlen(**av);
if (avlen > 256)
errx(EX_DATAERR, "bpf \"%s\" too long (max 256)", **av);
bpf = (ipfw_insn_bpf *)(*cmd);
strcpy(bpf->bf_str, **av);
if (pcap_compile_nopcap(65535, DLT_RAW, &program, **av, 1,
PCAP_NETMASK_UNKNOWN))
errx(EX_DATAERR, "bpf \"%s\" compilation error", **av);
bpf->bf_len = program.bf_len;
memcpy(&bpf->bf_insn, program.bf_insns,
sizeof(struct bpf_insn) * program.bf_len);
(*cmd)->len |= (sizeof(ipfw_insn_bpf) +
sizeof(struct bpf_insn) * (bpf->bf_len - 1)) /
sizeof(uint32_t);
pcap_freecode(&program);
NEXT_ARG1;
}
void bpf_try_compile(const char *rulefile, struct sock_fprog *bpf, uint32_t link_type)
{
int i, ret;
const struct bpf_insn *ins;
struct sock_filter *out;
struct bpf_program _bpf;
ret = pcap_compile_nopcap(65535, link_type, &_bpf, rulefile, 1, 0xffffffff);
if (ret < 0)
panic("Cannot compile filter %s\n", rulefile);
bpf->len = _bpf.bf_len;
bpf->filter = xrealloc(bpf->filter, 1, bpf->len * sizeof(*out));
for (i = 0, ins = _bpf.bf_insns, out = bpf->filter; i < bpf->len; ++i, ++ins, ++out) {
out->code = ins->code;
out->jt = ins->jt;
out->jf = ins->jf;
out->k = ins->k;
if (out->code == 0x06 && out->k > 0)
out->k = 0xFFFFFFFF;
}
pcap_freecode(&_bpf);
if (__bpf_validate(bpf) == 0)
panic("This is not a valid BPF program!\n");
}
static int pfring_zc_daq_set_filter(void *handle, const char *filter) {
Pfring_Context_t *context = (Pfring_Context_t *) handle;
#ifdef ENABLE_BPF
if (pcap_compile_nopcap(context->snaplen, /* snaplen_arg */
DLT_EN10MB, /* linktype_arg */
&context->filter, /* program */
filter, /* const char *buf */
0, /* optimize */
0 /* mask */
) == -1) {
goto bpf_error;
}
if (context->filter.bf_insns == NULL)
goto bpf_error;
context->bpf_filter = 1;
return DAQ_SUCCESS;
bpf_error:
DPE(context->errbuf, "%s: BPF state machine compilation failed!", __FUNCTION__);
#else
DPE(context->errbuf, "%s: BPF filters not supported!", __FUNCTION__);
#endif
return DAQ_ERROR;
}
int set_raw_filter(unsigned int loc_idx, char *filter) {
struct bpf_program raw_filter;
//uint16_t snaplen = 65535;
int linktype;
//struct pcap_t *aa;
int fd = -1;
LERR("APPLY FILTER [%d]\n", loc_idx);
if(loc_idx >= MAX_SOCKETS || sniffer_proto[loc_idx] == NULL) return 0;
fd = pcap_get_selectable_fd(sniffer_proto[loc_idx]);
linktype = profile_socket[loc_idx].link_type ? profile_socket[loc_idx].link_type : DLT_EN10MB;
if (pcap_compile_nopcap(profile_socket[loc_idx].snap_len ? profile_socket[loc_idx].snap_len : 0xffff, linktype, &raw_filter, filter, 1, 0) == -1) {
LERR("Failed to compile filter '%s'", filter);
return -1;
}
#if ( defined (OS_LINUX) || defined (OS_SOLARIS) )
if(setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &raw_filter, sizeof(raw_filter)) < 0 ) {
LERR(" setsockopt filter: [%s] [%d]", strerror(errno), errno);
return -1;
}
#endif
//free(BPF_code);
pcap_freecode( (struct bpf_program *) &raw_filter);
return 1;
}
void CProtoEngBase::SetCombinedFilter() {
#if UCFG_SNIF_FILTER
try {
for (size_t i=m_filters.size(); i--;) {
CAdapterFilter& f = *m_filters[i];
String s;
if (f.m_medium == PROTO_ETHERNET) //!!!? or NdisMedium802_5
s = m_sIPFilter;
if (!m_sUserFilter.IsEmpty()) {
if (!s.IsEmpty())
s += " and ";
s += "("+m_sUserFilter+")";
}
bpf_program bpf;
char *buf = (char*)alloca(s.Length+1);
strcpy(buf, s);
if (pcap_compile_nopcap(0xFFFF, MediumToDlt(f.m_medium), &bpf, buf, 0, 0)<0)
Throw(1);
f.SetFilter(bpf);
}
} catch (RCExc) {
m_sUserFilter = "";
throw;
}
#endif
}
int
main(int argc, char *argv[])
{
struct bpf_program prog;
parse_args(argc, argv);
if (pcap_compile_nopcap(snaplen, dlt, &prog, expr, 1, 0))
{
fprintf(stderr, "Syntax error in expression\n");
exit(EX_USAGE);
}
switch(format)
{
case RAW:
print_raw(&prog);
break;
case HEXSTRING:
print_hexstring(&prog);
break;
case NG_BPF:
print_ng_bpf(&prog);
break;
}
return EX_OK;
}
int pcap_ex_compile_nopcap(int snaplen, int dlt, struct bpf_program *fp,
char *str, int optimize, unsigned int netmask)
{
#ifdef HAVE_PCAP_COMPILE_NOPCAP
#ifdef __NetBSD__
/* We love consistent interfaces */
char errbuf[PCAP_ERRBUF_SIZE];
return (pcap_compile_nopcap(snaplen, dlt, fp, str, optimize, netmask,
errbuf));
#else
return (pcap_compile_nopcap(snaplen, dlt, fp, str, optimize, netmask));
#endif
#else
FILE *f;
struct pcap_file_header hdr;
pcap_t *pc;
char path[] = "/tmp/.pypcapXXXXXX.pcap";
char ebuf[PCAP_ERRBUF_SIZE];
int ret = -1;
mktemp(path);
if ((f = fopen(path, "w")) != NULL )
{
hdr.magic = 0xa1b2c3d4;
hdr.version_major = PCAP_VERSION_MAJOR;
hdr.version_minor = PCAP_VERSION_MINOR;
hdr.thiszone = 0;
hdr.snaplen = snaplen;
hdr.sigfigs = 0;
hdr.linktype = dlt;
fwrite(&hdr, sizeof(hdr), 1, f);
fclose(f);
if ((pc = pcap_open_offline(path, ebuf)) != NULL )
{
ret = pcap_compile(pc, fp, str, optimize, netmask);
pcap_close(pc);
}
unlink(path);
}
return (ret);
#endif
}
int parse_bpf_filter(char *filter_buffer, u_int caplen) {
if(pcap_compile_nopcap(caplen, /* snaplen_arg */
DLT_EN10MB, /* linktype_arg */
&filter, /* program */
filter_buffer, /* const char *buf */
0, /* optimize */
0 /* mask */
) == -1) {
return -1;
}
if(filter.bf_insns == NULL)
return -1;
return 0;
}
int pfring_mod_set_bpf_filter(pfring *ring, char *filter_buffer){
int rc = -1;
#ifdef ENABLE_BPF
struct bpf_program filter;
struct sock_fprog fcode;
if(!filter_buffer)
return -1;
if(unlikely(ring->reentrant))
pthread_rwlock_wrlock(&ring->rx_lock);
if(pcap_compile_nopcap(ring->caplen, /* snaplen_arg */
DLT_EN10MB, /* linktype_arg */
&filter, /* program */
filter_buffer, /* const char *buf */
0, /* optimize */
0 /* mask */
) == -1) {
rc = -1;
goto pfring_mod_set_bpf_filter_exit;
}
if(filter.bf_insns == NULL) {
rc = -1;
goto pfring_mod_set_bpf_filter_exit;
}
fcode.len = filter.bf_len;
fcode.filter = (struct sock_filter*)filter.bf_insns;
rc = setsockopt(ring->fd, 0, SO_ATTACH_FILTER, &fcode, sizeof(fcode));
if(rc == -1)
pfring_mod_remove_bpf_filter(ring);
pfring_mod_set_bpf_filter_exit:
if(unlikely(ring->reentrant))
pthread_rwlock_unlock(&ring->rx_lock);
#endif
return rc;
}
