ftfil.c

netflow,抓包

 * function: eval_match_packets
 *
 * Evalute packets
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_packets(struct ftfil_lookup_counter *lookup, char *rec,
  struct fts3rec_offsets *fo)
{
  struct ftfil_lookup_counter_rec *ftflcr;
  u_int32 *packets;
  int t, match;

  packets = ((u_int32*)(rec+fo->dPkts));

  match = 0;

  FT_STAILQ_FOREACH(ftflcr, &lookup->list, chain) {

    switch (ftflcr->op) {

      case FT_FIL_OP_LT:
        t = (*packets < ftflcr->val);
        break;
      case FT_FIL_OP_GT:
        t = (*packets > ftflcr->val);
        break;
      case FT_FIL_OP_EQ:
        t = (*packets == ftflcr->val);
        break;
      case FT_FIL_OP_NE:
        t = (*packets != ftflcr->val);
        break;
      case FT_FIL_OP_GE:
        t = (*packets >= ftflcr->val);
        break;
      case FT_FIL_OP_LE:
        t = (*packets <= ftflcr->val);
        break;
      default:
        fterr_warnx("eval_match_packets: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftflcr */

  /* if there was a match, then return that mode */
  if (match)
    return ftflcr->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_packets */

/*
 * function: eval_match_xtra_packets
 *
 * Evalute xtra_packets
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_xtra_packets(struct ftfil_lookup_counter *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  struct ftfil_lookup_counter_rec *ftflcr;
  u_int32 *xtra_packets;
  int t, match;

  xtra_packets = ((u_int32*)(rec+fo->extra_pkts));

  match = 0;

  FT_STAILQ_FOREACH(ftflcr, &lookup->list, chain) {

    switch (ftflcr->op) {

      case FT_FIL_OP_LT:
        t = (*xtra_packets < ftflcr->val);
        break;
      case FT_FIL_OP_GT:
        t = (*xtra_packets > ftflcr->val);
        break;
      case FT_FIL_OP_EQ:
        t = (*xtra_packets == ftflcr->val);
        break;
      case FT_FIL_OP_NE:
        t = (*xtra_packets != ftflcr->val);
        break;
      case FT_FIL_OP_GE:
        t = (*xtra_packets >= ftflcr->val);
        break;
      case FT_FIL_OP_LE:
        t = (*xtra_packets <= ftflcr->val);
        break;
      default:
        fterr_warnx("eval_match_xtra_packets: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftflcr */

  /* if there was a match, then return that mode */
  if (match)
    return ftflcr->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_xtra_packets */

/*
 * function: eval_match_duration
 *
 * Evalute duration
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_duration(struct ftfil_lookup_counter *lookup, char *rec,
  struct fts3rec_offsets *fo)
{
  struct ftfil_lookup_counter_rec *ftflcr;
  u_int32 duration, *first, *last;
  int t, match;

  first = ((u_int32*)(rec+fo->First));
  last = ((u_int32*)(rec+fo->Last));
  duration = *last - *first;

  match = 0;

  FT_STAILQ_FOREACH(ftflcr, &lookup->list, chain) {

    switch (ftflcr->op) {

      case FT_FIL_OP_LT:
        t = (duration < ftflcr->val);
        break;
      case FT_FIL_OP_GT:
        t = (duration > ftflcr->val);
        break;
      case FT_FIL_OP_EQ:
        t = (duration == ftflcr->val);
        break;
      case FT_FIL_OP_NE:
        t = (duration != ftflcr->val);
        break;
      case FT_FIL_OP_GE:
        t = (duration >= ftflcr->val);
        break;
      case FT_FIL_OP_LE:
        t = (duration <= ftflcr->val);
        break;
      default:
        fterr_warnx("eval_match_duration: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftflcr */

  /* if there was a match, then return that mode */
  if (match)
    return ftflcr->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_duration */

/*
 * function: eval_match_start_time_date
 *
 * Evalute start_time_date
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_start_time_date(struct ftfil_lookup_counter *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  struct ftfil_lookup_counter_rec *ftflcr;
  struct fttime ftt;
  u_int32 *sysUpTime, *unix_secs, *unix_nsecs, *First;
  int t, match;

  sysUpTime = ((u_int32*)(rec+fo->sysUpTime));
  unix_secs = ((u_int32*)(rec+fo->unix_secs));
  unix_nsecs = ((u_int32*)(rec+fo->unix_nsecs));
  First = ((u_int32*)(rec+fo->First));

  ftt = ftltime(*sysUpTime, *unix_secs, *unix_nsecs, *First);

  match = 0;

  FT_STAILQ_FOREACH(ftflcr, &lookup->list, chain) {

    switch (ftflcr->op) {

      case FT_FIL_OP_LT:
        t = (ftt.secs < ftflcr->val);
        break;
      case FT_FIL_OP_GT:
        t = (ftt.secs > ftflcr->val);
        break;
      case FT_FIL_OP_EQ:
        t = (ftt.secs == ftflcr->val);
        break;
      case FT_FIL_OP_NE:
        t = (ftt.secs != ftflcr->val);
        break;
      case FT_FIL_OP_GE:
        t = (ftt.secs >= ftflcr->val);
        break;
      case FT_FIL_OP_LE:
        t = (ftt.secs <= ftflcr->val);
        break;
      default:
        fterr_warnx("eval_match_start_time_date: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftflcr */

  /* if there was a match, then return that mode */
  if (match)
    return ftflcr->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_start_time_date */

/*
 * function: eval_match_end_time_date
 *
 * Evalute end_time_date
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_end_time_date(struct ftfil_lookup_counter *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  struct ftfil_lookup_counter_rec *ftflcr;
  struct fttime ftt;
  u_int32 *sysUpTime, *unix_secs, *unix_nsecs, *Last;
  int t, match;

  sysUpTime = ((u_int32*)(rec+fo->sysUpTime));
  unix_secs = ((u_int32*)(rec+fo->unix_secs));
  unix_nsecs = ((u_int32*)(rec+fo->unix_nsecs));
  Last = ((u_int32*)(rec+fo->Last));

  ftt = ftltime(*sysUpTime, *unix_secs, *unix_nsecs, *Last);

  match = 0;

  FT_STAILQ_FOREACH(ftflcr, &lookup->list, chain) {

    switch (ftflcr->op) {

      case FT_FIL_OP_LT:
        t = (ftt.secs < ftflcr->val);
        break;
      case FT_FIL_OP_GT:
        t = (ftt.secs > ftflcr->val);
        break;
      case FT_FIL_OP_EQ:
        t = (ftt.secs == ftflcr->val);
        break;
      case FT_FIL_OP_NE:
        t = (ftt.secs != ftflcr->val);
        break;
      case FT_FIL_OP_GE:
        t = (ftt.secs >= ftflcr->val);
        break;
      case FT_FIL_OP_LE:
        t = (ftt.secs <= ftflcr->val);
        break;
      default:
        fterr_warnx("eval_match_end_time_date: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftflcr */

  /* if there was a match, then return that mode */
  if (match)
    return ftflcr->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_end_time_date */

/*
 * function: eval_match_start_time
 *
 * Evalute start_time
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_start_time(struct ftfil_lookup_time *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  time_t t1, t2;
  struct tm *tm;
  struct ftfil_lookup_time_rec *ftfltmer;
  struct fttime ftt;
  u_int32 *sysUpTime, *unix_secs, *unix_nsecs, *First;
  int t, match;

  sysUpTime = ((u_int32*)(rec+fo->sysUpTime));
  unix_secs = ((u_int32*)(rec+fo->unix_secs));
  unix_nsecs = ((u_int32*)(rec+fo->unix_nsecs));
  First = ((u_int32*)(rec+fo->First));

  ftt = ftltime(*sysUpTime, *unix_secs, *unix_nsecs, *First);

  t1 = ftt.secs;

  /* first find the start of the day, store to t1 */
  tm = localtime(&t1);
  tm->tm_hour = 0;
  tm->tm_min = 0;
  tm->tm_sec = 0;

  match = 0;

  FT_STAILQ_FOREACH(ftfltmer, &lookup->list, chain) {

    /*
     * find where the hh:mm:ss for this filter falls relative to day start,
     * store as t2
     */
    tm->tm_hour = ftfltmer->hour;
    tm->tm_min = ftfltmer->min;
    tm->tm_sec = ftfltmer->sec;
    t2 = mktime(tm);

    switch (ftfltmer->op) {

      case FT_FIL_OP_LT:
        t = (t1 < t2);
        break;
      case FT_FIL_OP_GT:
        t = (t1 > t2);
        break;
      case FT_FIL_OP_EQ:
        t = (t1 == t2);
        break;
      case FT_FIL_OP_NE:
        t = (t1 != t2);
        break;
      case FT_FIL_OP_GE:
        t = (t1 >= t2);
        break;
      case FT_FIL_OP_LE:
        t = (t1 <= t2);
        break;
      default:
        fterr_warnx("eval_match_start_time: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftfltmer */

  /* if there was a match, then return that mode */
  if (match)
    return ftfltmer->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_start_time */

/*
 * function: eval_match_end_time
 *
 * Evalute end_time
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_end_time(struct ftfil_lookup_time *lookup,
  char *rec, struct fts3rec_offsets *fo)
{
  time_t t1, t2;
  struct tm *tm;
  struct ftfil_lookup_time_rec *ftfltmer;
  struct fttime ftt;
  u_int32 *sysUpTime, *unix_secs, *unix_nsecs, *Last;
  int t, match;

  sysUpTime = ((u_int32*)(rec+fo->sysUpTime));
  unix_secs = ((u_int32*)(rec+fo->unix_secs));
  unix_nsecs = ((u_int32*)(rec+fo->unix_nsecs));
  Last = ((u_int32*)(rec+fo->Last));

  ftt = ftltime(*sysUpTime, *unix_secs, *unix_nsecs, *Last);

  t1 = ftt.secs;

  /* first find the start of the day, store to t1 */
  tm = localtime(&t1);
  tm->tm_hour = 0;
  tm->tm_min = 0;
  tm->tm_sec = 0;
  t1 = mktime(tm);


  match = 0;

  FT_STAILQ_FOREACH(ftfltmer, &lookup->list, chain) {

    /*
     * find where the hh:mm:ss for this filter falls relative to day start,
     * store as t2
     */
    tm->tm_hour = ftfltmer->hour;
    tm->tm_min = ftfltmer->min;
    tm->tm_sec = ftfltmer->sec;
    t2 = mktime(tm);

    switch (ftfltmer->op) {

      case FT_FIL_OP_LT:
        t = (t1 < t2);
        break;
      case FT_FIL_OP_GT:
        t = (t1 > t2);
        break;
      case FT_FIL_OP_EQ:
        t = (t1 == t2);
        break;
      case FT_FIL_OP_NE:
        t = (t1 != t2);
        break;
      case FT_FIL_OP_GE:
        t = (t1 >= t2);
        break;
      case FT_FIL_OP_LE:
        t = (t1 <= t2);
        break;
      default:
        fterr_warnx("eval_match_end_time: internal error");
        return -1;
        break;

    } /* switch */

    /* did this line match? */
    if (t) {
      match = 1;
      break;
    }

  } /* ftfltmer */

  /* if there was a match, then return that mode */
  if (match)
    return ftfltmer->mode;

  /* else return the default */
  return lookup->default_mode;

} /* eval_match_end_time */

/*
 * function: eval_match_src_tag_l
 *
 * Evalute src_tag as list
 *
 * returns: FT_FIL_MODE_PERMIT
 *          FT_FIL_MODE_DENY
 */
inline int eval_match_src_tag_l(struct ftfil_lookup_tag_mask *lookup,
  char *rec, struct fts3rec_offsets *fo)
{