Closed wingo closed 9 years ago
I like the concept. A further extension would be to make ICMPv6 addressable. Right now:
% tcpdump -d "icmp6[3] >= 0"
tcpdump: IPv6 upper-layer protocol is not supported by proto[x]
I guess tcp[&tcp[0]] isn't so sensible; the original proposal doesn't define what &foo means actually. I propose that it result in the number of bytes from the start of the packet at which foo may be found. So for ether encapsulation, ether[&tcp[0]] is the same as tcp[0].
That sounds problematic. Look at cases like nested ipv6 encapsulated packets; how do you know which you're referring to?
If we can calculate tcp[0], we can calculate &tcp[0]. No problems.
See #229 for a use case. When you write (handle_tcp) => handle_tcp(&tcp[0])
you want your function handle_tcp(pkt, len, offset)
to be called with an offset relative to the start of P, not relative to something squirrely in the packet.
Yes; that 'if' is the crucial thing. I suppose in both cases we could just refer to the first match (I think that's what libpcap does), but that makes dealing with anything inside tunnels annoying. It's not a problem introduced by &, admittedly.
Heh, ok :) For me there are zero problems associated with &tcp[0]
. I realize it's worth talking through but I don't want the last word here to be a question if there is a clear answer to that question :)
Fixed in #231, with basic support for only payload accessors.
& would be a useful pflang extension. For example:
len - &ip6[0] > 1200
tcp[&tcp[0]] == 42
The grammar would go:
If the packet is not of the correct payload kind (e.g. you ask for
&udp[0]
but the packet isn't udp) then the relop in which the AddressExpression is embedded fails to match. Likewise if the address isn't within the packet (e.g.&udp[0:4]
but the payload is only 1 byte); note that this differs fromudp[0:4]
in the same conditions, which causes the whole filter to abort.A future extension could add other addressables: