Igalia / pflua

Packet filtering in Lua

Keyword elision not implemented with packet access: igmp, pim, igrp, vrrp #138

Closed kbara closed 9 years ago

kbara commented 9 years ago

A filter of "igmp" compiles with pflua, but not a filter of "igmp[8] < 7" or anything else using the [] syntax, unlike tcpdump.

% ./pflua-match ../tests/data/wingolog.pcap "igmp"   
Matched 0/19589 packets in 7934 iterations: ../tests/data/wingolog.pcap (155.411511 MPPS).
% ./pflua-match ../tests/data/wingolog.pcap "igmp[8] < 7"
luajit: ../src/pf/parse.lua:290: 
Error: In expression "igmp[8] < 7"
                           ^
keyword elision not implemented [

stack traceback:
        [C]: in function 'primitive_error'
        ../src/pf/parse.lua:290: in function 'error'
        ../src/pf/parse.lua:838: in function 'parse_primitive_or_arithmetic'
        ../src/pf/parse.lua:859: in function 'parse_logical_or_arithmetic'
        ../src/pf/parse.lua:891: in function 'parse_logical'
        ../src/pf/parse.lua:884: in function 'parse_logical_or_arithmetic'
        ../src/pf/parse.lua:891: in function 'parse_logical'
        ../src/pf/parse.lua:899: in function 'parse'
        ../src/pf.lua:32: in function 'get_predicate'
        ./pflua-match:58: in function 'main'
        ./pflua-match:84: in main chunk
        [C]: at 0x00404bc0
% tcpdump -d "igmp[8] <7" 
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x2             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 22]
(008) jge      #0x7             jt 10   jf 9
(009) ret      #65535
(010) ret      #0

kbara commented 9 years ago

While the above example uses igmp, essentially the same comments hold for pim, igrp, and vrrp.

kbara commented 9 years ago

LGTM. I ran the property-based tester against this patch, specialized to only test packet accesses (on every meaningful protocol), and everything passed.

dpino commented 9 years ago

I had some concerns about the minimum payload for each protocol, so I went through http://www.networksorcery.com/enp/protocol/sctp.htm and similar pages to verify the payloads were correct (in some cases they were not).

I also added a parsing test for each protocol.

@kbara Could you run the property-based tester again? Apparently, the new payloads didn't have any effect on the output code for the examples.

kbara commented 9 years ago

LGTM. A manual sanity check looked good, as did tens/hundreds of thousands of random test cases.

% ./pflua-match ../tests/data/wingolog.pcap "igmp[1] < 200" 
Matched 0/19589 packets in 7360 iterations: ../tests/data/wingolog.pcap (144.158173 MPPS).
% ./pflua-match ../tests/data/wingolog.pcap "pim[1] < 200" 
Matched 0/19589 packets in 7576 iterations: ../tests/data/wingolog.pcap (148.405374 MPPS).
% ./pflua-match ../tests/data/wingolog.pcap "igrp[1] < 200" 
Matched 0/19589 packets in 7279 iterations: ../tests/data/wingolog.pcap (142.581487 MPPS).
% ./pflua-match ../tests/data/wingolog.pcap "vrrp[1] < 200" 
Matched 0/19589 packets in 7602 iterations: ../tests/data/wingolog.pcap (148.886247 MPPS).
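
Added example (not part of the issue thread and not pflua's code): a Python rendering of the `tcpdump -d "igmp[8] <7"` program from the opening comment, generalized to the four keywords in the issue title, showing the checks a protocol-qualified packet access implies before the byte is read. The protocol numbers are the IANA assignments; `proto_byte`, `matches_lt` and `build_frame` are hypothetical names, and the frames are constructed sample input.

```python
import struct

# IANA IP protocol numbers for the four keywords named in the issue.
IP_PROTO = {"igmp": 2, "igrp": 9, "pim": 103, "vrrp": 112}
ETH_HLEN = 14


def proto_byte(pkt, proto, offset):
    """Return byte proto[offset] of an Ethernet/IPv4 frame, or None when the
    frame does not carry that protocol or the access falls outside it."""
    if len(pkt) < ETH_HLEN + 20:               # too short for an IPv4 header
        return None
    (ethertype,) = struct.unpack_from("!H", pkt, 12)   # (000) ldh [12]
    if ethertype != 0x0800:                            # (001) IPv4 only
        return None
    if pkt[23] != IP_PROTO[proto]:                     # (002)-(003) IP protocol
        return None
    (frag,) = struct.unpack_from("!H", pkt, 20)        # (004) ldh [20]
    if frag & 0x1FFF:                                  # (005) non-first fragment
        return None
    ihl = 4 * (pkt[14] & 0x0F)                         # (006) ldxb 4*([14]&0xf)
    idx = ETH_HLEN + ihl + offset                      # (007) [x + 22] when offset is 8
    return pkt[idx] if idx < len(pkt) else None        # out of bounds: no match


def matches_lt(pkt, proto, offset, limit):
    """Evaluate the filter `proto[offset] < limit` (hypothetical helper)."""
    value = proto_byte(pkt, proto, offset)
    return value is not None and value < limit


def build_frame(proto, payload, ihl_words=5, frag_off=0):
    """Constructed sample input: a minimal Ethernet + IPv4 frame."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     4 * ihl_words + len(payload), 0, frag_off, 1,
                     IP_PROTO[proto], 0, bytes(4), bytes(4))
    return eth + ip + bytes(4 * ihl_words - 20) + payload


if __name__ == "__main__":
    igmp = bytes([0x11, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0])  # constructed; byte 8 is 3
    print(matches_lt(build_frame("igmp", igmp), "igmp", 8, 7))               # plain header
    print(matches_lt(build_frame("igmp", igmp, ihl_words=6), "igmp", 8, 7))  # IP options
    print(matches_lt(build_frame("igmp", igmp[:8]), "igmp", 8, 7))           # truncated
```

The IP-options and truncated cases are the ones a fixed-offset read would get wrong: the index depends on the header length field, and an access past the end of the frame must reject rather than read.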