added bpf_filter

adubovikov · adubovikov · commit 059aaf5862f1 · 2021-04-06T10:54:27.000+02:00
diff --git a/stenotype/Makefile b/stenotype/Makefile
@@ -26,7 +26,7 @@ ifneq (,$(wildcard /usr/bin/c++))
 CXX=/usr/bin/c++
 endif
 SHARED_CFLAGS=-std=c++0x -Wall -fno-strict-aliasing $(DEFINES)
-SHARED_LDFLAGS=-lleveldb -lrt -laio -lpthread -lsnappy -lseccomp
+SHARED_LDFLAGS=-lleveldb -lrt -laio -lpthread -lsnappy -lseccomp -lpcap
 ifneq (,$(wildcard /usr/include/testimony.h))
 SHARED_LDFLAGS += -ltestimony
 endif
@@ -56,12 +56,12 @@ FUZZ_FILES=util index index_bin
 SANITIZE=
 ifndef SANITIZE
 	OBJECTS=$(foreach file,$(FILES),$(file)_opt.o)
-	CFLAGS:=$(CFLAGS) $(SHARED_CFLAGS) $(OPT_CFLAGS)
-	LDFLAGS:=$(LDFLAGS) $(SHARED_LDFLAGS) $(OPT_LDFLAGS)
+	CFLAGS=$(SHARED_CFLAGS) $(OPT_CFLAGS)
+	LDFLAGS=$(SHARED_LDFLAGS) $(OPT_LDFLAGS)
 else
 	OBJECTS=$(foreach file,$(FILES),$(file)_$(SANITIZE)_dbg.o)
-	CFLAGS:=$(CFLAGS) $(SHARED_CFLAGS) $(DBG_CFLAGS) -fsanitize=$(SANITIZE)
-	LDFLAGS:=$(LDFLAGS) $(SHARED_LDFLAGS) $(DBG_LDFLAGS)
+	CFLAGS=$(SHARED_CFLAGS) $(DBG_CFLAGS) -fsanitize=$(SANITIZE)
+	LDFLAGS=$(SHARED_LDFLAGS) $(DBG_LDFLAGS)
 	CXX=clang++ # Force clang if we're sanitizing
 endif
 ifeq "$(SANITIZE)" "memory"
@@ -78,15 +78,15 @@ clean:
 
 # Generate g++ object files.
 %_opt.o: %.cc $(DEPS)
-	$(CXX) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
+	$(CXX) $(CFLAGS) -c -o $@ $<
 
 # Generate clang object files.
 %_$(SANITIZE)_dbg.o: %.cc $(DEPS)
-	$(CXX) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
+	$(CXX) $(CFLAGS) -c -o $@ $<
 
 # Generate the stenotype binary itself.  You mostly want this :)
 stenotype: $(OBJECTS)
-	$(CXX) $(CFLAGS) $(CPPFLAGS) -o $@ $^ $(LDFLAGS)
+	$(CXX) $(CFLAGS) -o $@ $^ $(LDFLAGS)
 
 
 
@@ -103,4 +103,3 @@ index_fuzz: $(foreach file,$(FUZZ_FILES),$(file)_afl.o)
 # Run afl-fuzz to fuzz the index_fuzz binary.
 fuzz: index_fuzz
 	afl-fuzz -i afl_tests -o afl_findings ./index_fuzz @@
-
diff --git a/stenotype/packets.cc b/stenotype/packets.cc
@@ -28,6 +28,9 @@
 #include <unistd.h>           // close(), getpid()
 #include <sys/ioctl.h>        // ioctl()
 
+#include <pcap.h>             // pcap_compile
+
+
 #include <memory>
 #include <string>
 #include <sstream>
@@ -301,6 +304,36 @@ Error PacketsV3::Builder::SetFilter(const std::string& filter) {
   return SUCCESS;
 }
 
+Error PacketsV3::Builder::SetBPFFilter(const std::string& filter) {
+  RETURN_IF_ERROR(BadState(), "Builder");
+
+  struct bpf_program raw_filter;
+  int linktype = DLT_EN10MB;
+
+ if (pcap_compile_nopcap(0xffff, linktype, &raw_filter, filter.data(), 1, 0) == -1) {
+         return ERROR("invalid filter: too long");
+
+
+  RETURN_IF_ERROR(Errno(setsockopt(state_.fd, SOL_SOCKET, SO_ATTACH_FILTER, &raw_filter, sizeof(raw_filter))),
+                  "so_attach_filter"); }
+
+
+#ifdef SO_LOCK_FILTER
+  int v = 1;
+  // SO_LOCK_FILTER is available only on kernels >= 3.9, so ignore the
+  // ENOPROTOOPT
+  // error here. We use it to make sure that no one can mess with our socket's
+  // filter, so not having it is not really a big concern.
+  RETURN_IF_ERROR(
+      Errno(setsockopt(state_.fd, SOL_SOCKET, SO_LOCK_FILTER, &v, sizeof(v)) ||
+            errno == ENOPROTOOPT),
+      "so_lock_filter");
+  errno = 0;
+#endif
+  pcap_freecode( (struct bpf_program *) &raw_filter);
+  return SUCCESS;
+}
+
 Error PacketsV3::Builder::BadState() {
   if (state_.fd < 0) {
     return ERROR(
diff --git a/stenotype/packets.h b/stenotype/packets.h
@@ -200,6 +200,9 @@ class PacketsV3 : public Packets {
     // SetFilter sets a BPF filter on the socket.
     Error SetFilter(const std::string& filter);
 
+     // SetBPFFilter sets a BPF filter on the socket.
+    Error SetBPFFilter(const std::string& filter);
+
     // Determines whether Bind will set the interface into promiscuous sniffing
     // mode.
     Error SetPromisc(bool promisc);
diff --git a/stenotype/stenotype.cc b/stenotype/stenotype.cc
@@ -86,6 +86,7 @@ namespace {
 
 std::string flag_iface = "eth0";
 std::string flag_filter = "";
+std::string flag_bpf_filter = "";
 std::string flag_dir = "";
 int64_t flag_count = -1;
 int32_t flag_blocks = 2048;
@@ -199,6 +200,9 @@ int ParseOptions(int key, char* arg, struct argp_state* state) {
     case 323:
       flag_stats_sec = atoi(arg);
       break;
+    case 324:
+      flag_bpf_filter = arg;
+      break;
   }
   return 0;
 }
@@ -243,6 +247,7 @@ void ParseOptions(int argc, char** argv) {
       {"no_promisc", 321, 0, 0, "Don't set promiscuous mode"},
       {"stats_blocks", 322, n, 0, "Size block stats will be displayed, requires verbose, default 100, 0 disables"},
       {"stats_sec", 323, n, 0, "Seconds stats will be displayed, requires verbose, default 60, 0 disables"},
+      {"bpf_filter", 324, s, 0,"string filer"},
       {0},
   };
   struct argp argp = {options, &ParseOptions};
@@ -614,7 +619,10 @@ int Main(int argc, char** argv) {
       }
       if (!flag_filter.empty()) {
         CHECK_SUCCESS(builder.SetFilter(flag_filter));
+      } else if (!flag_bpf_filter.empty()) {
+        CHECK_SUCCESS(builder.SetBPFFilter(flag_bpf_filter));
       }
+
       Packets* v3;
       CHECK_SUCCESS(builder.Bind(flag_iface, &v3));
       sockets.push_back(v3);
