Pflang extension: Address-of (&)

Igalia / pflua

Packet filtering in Lua

Other

313 stars 39 forks source link

Pflang extension: Address-of (&) #228

Closed wingo closed 9 years ago

wingo commented 9 years ago

& would be a useful pflang extension. For example:

len - &ip6[0] > 1200 tcp[&tcp[0]] == 42

The grammar would go:

AddressExpression := '&' Addressable
Addressable := PayloadAccessor '[' ArithmeticExpression [ ':' (1|2|4) ] ']'
PayloadAccessor := 'ip' | 'ip6' | 'tcp' | 'udp' | whatever

If the packet is not of the correct payload kind (e.g. you ask for &udp[0] but the packet isn't udp) then the relop in which the AddressExpression is embedded fails to match. Likewise if the address isn't within the packet (e.g. &udp[0:4] but the payload is only 1 byte); note that this differs from udp[0:4] in the same conditions, which causes the whole filter to abort.

A future extension could add other addressables:

Addressable := 'ip src' | 'ip6 src' | ...

kbara commented 9 years ago

I like the concept. A further extension would be to make ICMPv6 addressable. Right now:

%  tcpdump -d "icmp6[3] >= 0"
tcpdump: IPv6 upper-layer protocol is not supported by proto[x]

wingo commented 9 years ago

I guess tcp[&tcp[0]] isn't so sensible; the original proposal doesn't define what &foo means actually. I propose that it result in the number of bytes from the start of the packet at which foo may be found. So for ether encapsulation, ether[&tcp[0]] is the same as tcp[0].

kbara commented 9 years ago

That sounds problematic. Look at cases like nested ipv6 encapsulated packets; how do you know which you're referring to?

wingo commented 9 years ago

If we can calculate tcp[0], we can calculate &tcp[0]. No problems.

See #229 for a use case. When you write (handle_tcp) => handle_tcp(&tcp[0]) you want your function handle_tcp(pkt, len, offset) to be called with an offset relative to the start of P, not relative to something squirrely in the packet.

kbara commented 9 years ago

Yes; that 'if' is the crucial thing. I suppose in both cases we could just refer to the first match (I think that's what libpcap does), but that makes dealing with anything inside tunnels annoying. It's not a problem introduced by &, admittedly.

wingo commented 9 years ago

Heh, ok :) For me there are zero problems associated with &tcp[0]. I realize it's worth talking through but I don't want the last word here to be a question if there is a clear answer to that question :)

wingo commented 9 years ago

Fixed in #231, with basic support for only payload accessors.