ftfil.c

netflow,抓包

 * Also note that in the above example if the first two matches pass
 * the the next two will not be evaluated at all - short circuit.
 */

/*
 *************************************************************************
                                eval_*
 *************************************************************************
 */

/*
 * function: eval_match_src_as
 *
 * Evalute src_as
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_src_as(struct ftfil_lookup_as *lookup, char *rec,
  struct fts3rec_offsets *fo)
{
  u_int16 *src_as;
  int val;

  src_as = ((u_int16*)(rec+fo->src_as));

  val = lookup->mode[*src_as];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_src_as */

/*
 * function: eval_match_dst_as
 *
 * Evalute dst_as
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_dst_as(struct ftfil_lookup_as *lookup, char *rec,
  struct fts3rec_offsets *fo)
{
  u_int16 *dst_as;
  int val;

  dst_as = ((u_int16*)(rec+fo->dst_as));

  val = lookup->mode[*dst_as];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_dst_as */


/*
 * function: eval_match_ip_prot
 *
 * Evalute ip_prot
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_ip_prot(struct ftfil_lookup_ip_prot *lookup, char *rec,
  struct fts3rec_offsets *fo)
{
  u_int8 *ip_prot;
  int val;

  ip_prot = ((u_int8*)(rec+fo->prot));

  val = lookup->mode[*ip_prot];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_ip_prot */


/*
 * function: eval_match_ip_src_prefix_len
 *
 * Evalute ip_src_prefix_len
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_ip_src_prefix_len(struct ftfil_lookup_ip_prefix_len *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int8 *src_mask;
  int val;

  src_mask = ((u_int8*)(rec+fo->src_mask));

  val = lookup->mode[*src_mask];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_ip_src_prefix_len */


/*
 * function: eval_match_ip_dst_prefix_len
 *
 * Evalute ip_dst_prefix_len
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_ip_dst_prefix_len(struct ftfil_lookup_ip_prefix_len *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int8 *dst_mask;
  int val;

  dst_mask = ((u_int8*)(rec+fo->dst_mask));

  val = lookup->mode[*dst_mask];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_ip_dst_prefix_len */


/*
 * function: eval_match_ip_tos
 *
 * Evalute ip_tos
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_ip_tos(struct ftfil_lookup_ip_tos *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int8 tos;
  int val;

  tos = *((u_int8*)(rec+fo->tos));
  tos &= lookup->mask;

  val = lookup->mode[tos];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_ip_tos */

/*
 * function: eval_match_marked_ip_tos
 *
 * Evalute marked_ip_tos
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_ip_marked_tos(struct ftfil_lookup_ip_tos *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int8 marked_tos;
  int val;

  marked_tos = *((u_int8*)(rec+fo->marked_tos));
  marked_tos &= lookup->mask;

  val = lookup->mode[marked_tos];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_ip_marked_tos */


/*
 * function: eval_match_ip_tcp_flags
 *
 * Evalute ip_tcp_flags
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_ip_tcp_flags(struct ftfil_lookup_ip_tcp_flags *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int8 tcp_flags;
  int val;

  tcp_flags = *((u_int8*)(rec+fo->tcp_flags));
  tcp_flags &= lookup->mask;

  val = lookup->mode[tcp_flags];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_ip_tcp_flags */


/*
 * function: eval_match_ip_src_port
 *
 * Evalute ip_src_port
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_ip_src_port(struct ftfil_lookup_ip_port *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int16 *src_port;
  int val;

  src_port = ((u_int16*)(rec+fo->srcport));

  val = lookup->mode[*src_port];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_ip_src_port */

/*
 * function: eval_match_ip_dst_port
 *
 * Evalute ip_dst_port
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_ip_dst_port(struct ftfil_lookup_ip_port *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int16 *dst_port;
  int val;

  dst_port = ((u_int16*)(rec+fo->dstport));

  val = lookup->mode[*dst_port];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_ip_dst_port */


/*
 * function: eval_match_src_if_index
 *
 * Evalute src_if_index
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_src_if_index(struct ftfil_lookup_if_index *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int16 *src_if_index;
  int val;

  src_if_index = ((u_int16*)(rec+fo->input));

  val = lookup->mode[*src_if_index];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_src_if_index */

/*
 * function: eval_match_dst_if_index
 *
 * Evalute dst_if_index
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_dst_if_index(struct ftfil_lookup_if_index *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int16 *dst_if_index;
  int val;

  dst_if_index = ((u_int16*)(rec+fo->output));

  val = lookup->mode[*dst_if_index];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_dst_if_index */


/*
 * function: eval_match_engine_id
 *
 * Evalute engine_id
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_engine_id(struct ftfil_lookup_engine *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int8 *engine_id;
  int val;

  engine_id = ((u_int8*)(rec+fo->engine_id));

  val = lookup->mode[*engine_id];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_engine_id */


/*
 * function: eval_match_engine_type
 *
 * Evalute engine_type
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_engine_type(struct ftfil_lookup_engine *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  u_int8 *engine_type;
  int val;

  engine_type = ((u_int8*)(rec+fo->engine_type));

  val = lookup->mode[*engine_type];

  if (val == FT_FIL_MODE_PERMIT)
    return FT_FIL_MODE_PERMIT;
  else if (val == FT_FIL_MODE_DENY)
    return FT_FIL_MODE_DENY;
  else
    return lookup->default_mode;

} /* eval_match_engine_type */

/*
 * function: eval_match_flows
 *
 * Evalute flows
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_flows(struct ftfil_lookup_counter *lookup, char *rec,
  struct fts3rec_offsets *fo)
{
  struct ftfil_lookup_counter_rec *ftflcr;
  u_int32 *flows;
  int t, match;

  flows = ((u_int32*)(rec+fo->dFlows));

  match = 0;

  FT_STAILQ_FOREACH(ftflcr, &lookup->list, chain) {

    switch (ftflcr->op) {

      case FT_FIL_OP_LT:
        t = (*flows < ftflcr->val);
        break;
      case FT_FIL_OP_GT:
        t = (*flows > ftflcr->val);
        break;
      case FT_FIL_OP_EQ:
        t = (*flows == ftflcr->val);
        break;
      case FT_FIL_OP_NE:
        t = (*flows != ftflcr->val);
        break;
      case FT_FIL_OP_GE:
        t = (*flows >= ftflcr->val);
        break;
      case FT_FIL_OP_LE:
        t = (*flows <= ftflcr->val);
        break;
      default:
        fterr_warnx("eval_match_flows: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftflcr */

  /* if there was a match, then return that mode */
  if (match)
    return ftflcr->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_flows */

/*
 * function: eval_match_octets
 *
 * Evalute octets
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_octets(struct ftfil_lookup_counter *lookup, char *rec,
  struct fts3rec_offsets *fo)
{
  struct ftfil_lookup_counter_rec *ftflcr;
  u_int32 *octets;
  int t, match;

  octets = ((u_int32*)(rec+fo->dOctets));

  match = 0;

  FT_STAILQ_FOREACH(ftflcr, &lookup->list, chain) {

    switch (ftflcr->op) {

      case FT_FIL_OP_LT:
        t = (*octets < ftflcr->val);
        break;
      case FT_FIL_OP_GT:
        t = (*octets > ftflcr->val);
        break;
      case FT_FIL_OP_EQ:
        t = (*octets == ftflcr->val);
        break;
      case FT_FIL_OP_NE:
        t = (*octets != ftflcr->val);
        break;
      case FT_FIL_OP_GE:
        t = (*octets >= ftflcr->val);
        break;
      case FT_FIL_OP_LE:
        t = (*octets <= ftflcr->val);
        break;
      default:
        fterr_warnx("eval_match_octets: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftflcr */

  /* if there was a match, then return that mode */
  if (match)
    return ftflcr->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_octets */

/*