
Merge pull request #444 from lukego/integrate-pflua-filter
Integrate Pflua
lukego committed Apr 28, 2015
2 parents da23c70 + d2503a4 commit 5056a55
Showing 24 changed files with 379 additions and 1,108 deletions.
3 changes: 3 additions & 0 deletions .gitmodules
Expand Up @@ -5,3 +5,6 @@
[submodule "deps/ljsyscall"]
path = deps/ljsyscall
url = /~https://github.com/justincormack/ljsyscall.git
[submodule "deps/pflua"]
path = deps/pflua
url = /~https://github.com/SnabbCo/pflua.git
20 changes: 16 additions & 4 deletions Makefile
Expand Up @@ -3,12 +3,13 @@ LUAOBJ = $(LUASRC:.lua=.o)
CSRC = $(wildcard src/c/*.c)
COBJ = $(CSRC:.c=.o)

LUAJIT_O := deps/luajit/src/libluajit.a
SYSCALL := src/syscall.lua
LUAJIT := deps/luajit.vsn
SYSCALL := deps/syscall.vsn
PFLUA := deps/pflua.vsn

LUAJIT_CFLAGS := -include $(CURDIR)/gcc-preinclude.h

all: $(LUAJIT_O) $(SYSCALL)
all: $(LUAJIT) $(SYSCALL) $(PFLUA)
@echo "Building snabbswitch"
cd src && $(MAKE)

Expand All @@ -23,7 +24,7 @@ install_compute_node: install
install -D src/scripts/sysv/init.d/snabb-nfv-sync-agent ${PREFIX}/etc/init.d/snabb-nfv-sync-agent
install -D src/scripts/sysv/default/snabb-nfv-sync-agent ${PREFIX}/etc/default/snabb-nfv-sync-agent

$(LUAJIT_O): check_luajit deps/luajit/Makefile
$(LUAJIT): check_luajit deps/luajit/Makefile
@echo 'Building LuaJIT'
@(cd deps/luajit && \
$(MAKE) PREFIX=`pwd`/usr/local \
Expand All @@ -38,6 +39,17 @@ check_luajit:
git submodule update --init deps/luajit; \
fi

$(PFLUA): check_pflua
# pflua has no tags at time of writing, so use raw commit id
@(cd deps/pflua && git rev-parse HEAD > ../pflua.vsn)

check_pflua:
@if [ ! -f deps/pflua/src/pf.lua ]; then \
echo "Initializing pflua submodule.."; \
git submodule update --init deps/pflua; \
fi


$(SYSCALL): check_syscall
@echo 'Copying ljsyscall components'
@mkdir -p src/syscall/linux
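Review bot: The recipe under `$(PFLUA): check_pflua` opens the `> ../pflua.vsn` redirect before `git rev-parse HEAD` runs, so a failing git command leaves an empty `deps/pflua.vsn` behind, and with no `.DELETE_ON_ERROR` visible in the hunk the failed recipe does not remove it. An empty version file then satisfies the `grep -vqF` submodule check in src/Makefile on this page, because `grep -v` selects no lines from an empty file. Writing the value atomically closes that gap: `@(cd deps/pflua && git rev-parse HEAD > ../pflua.vsn.tmp && mv -f ../pflua.vsn.tmp ../pflua.vsn)`. Also, `check_pflua` is a command target rather than a file; unless it appears in a `.PHONY` list elsewhere in the Makefile, a stray file of that name would silently skip the submodule initialization.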
1 change: 1 addition & 0 deletions deps/pflua
Submodule pflua added at af132e
24 changes: 20 additions & 4 deletions src/Makefile
Expand Up @@ -8,13 +8,16 @@ E= @echo
# Defined here to detect version mismatches at build time.
LUAJIT_VSN := "v2.0.3-328-g04dc64b"
LJSYSCALL_VSN := "v0.10-65-g7081d97"
PFLUA_VSN := "af132e77feede98dce0f2efcdc8dd9206a28c2e3"

TEST_SKIPPED="43"

SRCDIR = $(shell find . -type d -not -regex './obj.*' -printf '%P ')
OBJDIR = $(patsubst %,obj/%,$(SRCDIR))

LUASRC = $(shell find . -regex '[^\#]*\.lua' -printf '%P ')
PFLUASRC = $(shell cd ../deps/pflua/src && \
find . -regex '[^\#]*\.lua' -printf '%P ')
CSRC = $(shell find . -regex '[^\#]*\.c' -printf '%P ')
CHDR = $(shell find . -regex '[^\#]*\.h' -printf '%P ')
ASM = $(shell find . -regex '[^\#]*\.dasc' -printf '%P ')
Expand All @@ -24,6 +27,7 @@ PROGRAM = $(shell find program -regex '^[^/]+/[^/]+' -type d -printf '%P ')
INCSRC = $(shell find . -regex '[^\#]*\.inc' -printf '%P ')

LUAOBJ := $(patsubst %.lua,obj/%_lua.o,$(LUASRC))
PFLUAOBJ := $(patsubst %.lua,obj/%_lua.o,$(PFLUASRC))
COBJ := $(patsubst %.c,obj/%_c.o, $(CSRC))
HOBJ := $(patsubst %.h,obj/%_h.o, $(CHDR))
ASMOBJ := $(patsubst %.dasc,obj/%_dasc.o, $(ASM))
Expand All @@ -47,17 +51,24 @@ TESTSCRIPTS = $(shell find . -name "selftest.sh" -executable | xargs)

PATH := ../deps/luajit/usr/local/bin:$(PATH)

snabb: $(LUAOBJ) $(HOBJ) $(COBJ) $(ASMOBJ) $(INCOBJ) $(LUAJIT_A)
snabb: $(LUAOBJ) $(PFLUAOBJ) $(HOBJ) $(COBJ) $(ASMOBJ) $(INCOBJ) $(LUAJIT_A)
$(E) "SUBMODULES"
@if grep -vqF $(LUAJIT_VSN) ../deps/luajit.vsn || \
grep -vqF $(LJSYSCALL_VSN) ../deps/ljsyscall.vsn; then \
@if test ! -f ../deps/luajit.vsn || \
test ! -f ../deps/ljsyscall.vsn || \
test ! -f ../deps/pflua.vsn || \
grep -vqF $(LJSYSCALL_VSN) ../deps/ljsyscall.vsn || \
grep -vqF $(LUAJIT_VSN) ../deps/luajit.vsn || \
grep -vqF $(PFLUA_VSN) ../deps/pflua.vsn; then \
echo "Error: Submodule version mismatch" >&2; \
echo "luajit:" >&2; \
echo " require: $(LUAJIT_VSN)" >&2; \
echo " found: $(shell cat ../deps/luajit.vsn)" >&2; \
echo "ljsyscall:" >&2; \
echo " require: $(LJSYSCALL_VSN)" >&2; \
echo " found: $(shell cat ../deps/ljsyscall.vsn) " >&2; \
echo "pflua:" >&2; \
echo " require: $(PFLUA_VSN)" >&2; \
echo " found: $(shell cat ../deps/pflua.vsn) " >&2; \
echo "Please update and rebuild submodules." >&2; \
echo "" >&2; \
echo "Cheat sheet:" >&2; \
Expand Down Expand Up @@ -131,6 +142,11 @@ $(LUAOBJ): obj/%_lua.o: %.lua Makefile | $(OBJDIR)
$(E) "LUA $@"
$(Q) luajit -bg -n $(subst /,.,$*) $< $@

$(PFLUAOBJ): obj/%_lua.o: ../deps/pflua/src/%.lua Makefile
$(E) "LUA $@"
$(Q) mkdir -p $(dir $@)
$(Q) luajit -bg -n $(subst /,.,$*) $< $@

$(COBJ): obj/%_c.o: %.c $(CHDR) Makefile | $(OBJDIR)
$(E) "C $@"
$(Q) gcc $(DEBUG) -Wl,-E -I ../deps/luajit/src -I . -include $(CURDIR)/../gcc-preinclude.h -c -Wall -Werror -o $@ $<
Expand Down Expand Up @@ -197,7 +213,7 @@ doc/snabbswitch.epub: doc/snabbswitch.md
$(E) "PANDOC $@"
$(Q) (cd doc; pandoc --self-contained --css="style.css" -S -s --toc --chapters -o snabbswitch.epub snabbswitch.md)

CLEAN = snabb snabbswitch obj bin doc/snabbswitch.* doc/.images/* testlog
CLEAN = snabb snabbswitch obj bin doc/snabbswitch.* doc/.images/* testlog deps/*.vsn

clean:
$(E) "RM $(CLEAN)"
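Review bot: The new pin check at `grep -vqF $(PFLUA_VSN) ../deps/pflua.vsn` only verifies that every line contains the pinned id as a substring, so an empty `.vsn` file (which `grep -v` never flags) is accepted as matching; since this line is the build's supply-chain pin for the newly added dependency, an exact whole-line test is safer: `! grep -qxF $(PFLUA_VSN) ../deps/pflua.vsn`, and the same form fits the luajit and ljsyscall lines above it if those files hold a single bare version string. Separately, `CLEAN = ... deps/*.vsn` is relative to `src/`, while every other reference in this file uses `../deps/`; unless the clean recipe, which continues outside the hunk, changes directory first, the generated version files are never removed and `../deps/*.vsn` is probably what was intended. The `$(PFLUAOBJ)` static pattern rule also maps pflua modules into the same `obj/%_lua.o` target namespace as `$(LUAOBJ)`, so a module path present in both source trees would yield two rules for one target; worth confirming there is no overlap.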
Binary file added src/apps/packet_filter/.images/PcapFilter.png
92 changes: 19 additions & 73 deletions src/apps/packet_filter/README.md
@@ -1,84 +1,30 @@
# PacketFilter App (apps.packet_filter.packet_filter)
# PcapFilter App (apps.packet_filter.pcap_filter)

The `PacketFilter` app receives packets on the `input` port and transmits
The `PcapFilter` app receives packets on the `input` port and transmits
conforming packets to the `output` port. In order to conform, a packet
must match at least one of the *filter rules* of the `PacketFilter`
instance and/or belong to a *sanctioned connection*. For a connection to
be sanctioned it must be tracked in a *connection table* by a
`PacketFilter` app using the `state_track` operators. All `PacketFilter`
apps share a global namespace of *connection table identifiers*. Multiple
`PacketFilter` apps—e.g. for inbound and outbound traffic—can refer to
the same connection by sharing a connection table identifer.
must match the *[pcap-filter](http://www.tcpdump.org/manpages/pcap-filter.7.html)
expression* of the `PcapFilter` instance and/or belong to a *sanctioned
connection*. For a connection to be sanctioned it must be tracked in a
*state table* by a `PcapFilter` app using the same state table. All
`PcapFilter` apps share a global namespace of *state table identifiers*.
Multiple `PcapFilter` apps—e.g. for inbound and outbound traffic—can
refer to the same connection by sharing a state table identifer.

![PacketFilter](.images/PacketFilter.png)
![PcapFilter](.images/PcapFilter.png)

## Configuration

The `PacketFilter` app accepts a table as its configuration argument. The
The `PcapFilter` app accepts a table as its configuration argument. The
following keys are available:

— Key **rules**
— Key **filter**

*Required*. An array of filter rules as described in the *Filter Rules*
section below.
*Required*. A string containing a [pcap-filter](http://www.tcpdump.org/manpages/pcap-filter.7.html)
expression.

— Key **state_track**
— Key **state_table**

*Optional*. A string naming a connection table. If set, packets passing
*any* rule will be tracked in the specified connection table.

— Key **state_check**

*Optional*. A string denoting a connection table. If set, any packet that
belongs to a tracked connection in the specified connection table will
be let pass.

### Filter Rules

A filter rule is a table in which each key/value pair specifies a pattern
to match or track incoming packets against. The following keys are
defined:

— Key **ethertype**

*Required*. The ethernet type in use (IPv4 or IPv6). A string identifier,
either "ipv4" or "ipv6".

— Key **protocol**

*Optional*. The protocol is use (ICMP, UDP or TCP). A string identifier,
may be one of "icmp", "udp" or "tcp".

— Key **source_cidr**

— Key **dest_cidr**

*Optional*. Source and destination addresses. IP ranges in CIDR notation
as strings.

— Key **source_port_min**

— Key **source_port_max**

*Optional*. The source port range. Integers denoting the minimum and
maximum source port numbers. If only one is set then only that port is
allowed.

— Key **dest_port_min**

— Key **dest_port_max**

*Optional*. The destination port range. Integers denoting the minimum and
maximum destination port numbers. If only one is set then only that port
is allowed.

— Key **state_track**

*Optional*. A string naming a connection table. If set, packets passing
the rule are tracked in the specified connection table.

— Key **state_check**

*Optional*. A string denoting a connection table. If set, packets must
belong to a tracked connection in the specified connection table in
addition to any other condition in the rule to pass.
*Optional*. A string naming a state table. If set, packets passing any*
*rule will be tracked in the specified state table and any packet that
*belongs to a tracked connection in the specified state table will be let
*pass.
104 changes: 25 additions & 79 deletions src/apps/packet_filter/README.md.src
@@ -1,89 +1,35 @@
# PacketFilter App (apps.packet_filter.packet_filter)
# PcapFilter App (apps.packet_filter.pcap_filter)

The `PacketFilter` app receives packets on the `input` port and transmits
The `PcapFilter` app receives packets on the `input` port and transmits
conforming packets to the `output` port. In order to conform, a packet
must match at least one of the *filter rules* of the `PacketFilter`
instance and/or belong to a *sanctioned connection*. For a connection to
be sanctioned it must be tracked in a *connection table* by a
`PacketFilter` app using the `state_track` operators. All `PacketFilter`
apps share a global namespace of *connection table identifiers*. Multiple
`PacketFilter` apps—e.g. for inbound and outbound traffic—can refer to
the same connection by sharing a connection table identifer.

DIAGRAM: PacketFilter
+--------------+
| |
input ---->* PacketFilter *----> output
| |
+--------------+
must match the *[pcap-filter](http://www.tcpdump.org/manpages/pcap-filter.7.html)
expression* of the `PcapFilter` instance and/or belong to a *sanctioned
connection*. For a connection to be sanctioned it must be tracked in a
*state table* by a `PcapFilter` app using the same state table. All
`PcapFilter` apps share a global namespace of *state table identifiers*.
Multiple `PcapFilter` apps—e.g. for inbound and outbound traffic—can
refer to the same connection by sharing a state table identifer.

DIAGRAM: PcapFilter
+------------+
| |
input ---->* PcapFilter *----> output
| |
+------------+

## Configuration

The `PacketFilter` app accepts a table as its configuration argument. The
The `PcapFilter` app accepts a table as its configuration argument. The
following keys are available:

— Key **rules**

*Required*. An array of filter rules as described in the *Filter Rules*
section below.

— Key **state_track**

*Optional*. A string naming a connection table. If set, packets passing
*any* rule will be tracked in the specified connection table.

— Key **state_check**

*Optional*. A string denoting a connection table. If set, any packet that
belongs to a tracked connection in the specified connection table will
be let pass.

### Filter Rules

A filter rule is a table in which each key/value pair specifies a pattern
to match or track incoming packets against. The following keys are
defined:

— Key **ethertype**

*Required*. The ethernet type in use (IPv4 or IPv6). A string identifier,
either "ipv4" or "ipv6".

— Key **protocol**

*Optional*. The protocol is use (ICMP, UDP or TCP). A string identifier,
may be one of "icmp", "udp" or "tcp".

— Key **source_cidr**

— Key **dest_cidr**

*Optional*. Source and destination addresses. IP ranges in CIDR notation
as strings.

— Key **source_port_min**

— Key **source_port_max**

*Optional*. The source port range. Integers denoting the minimum and
maximum source port numbers. If only one is set then only that port is
allowed.

— Key **dest_port_min**

— Key **dest_port_max**

*Optional*. The destination port range. Integers denoting the minimum and
maximum destination port numbers. If only one is set then only that port
is allowed.

— Key **state_track**
— Key **filter**

*Optional*. A string naming a connection table. If set, packets passing
the rule are tracked in the specified connection table.
*Required*. A string containing a [pcap-filter](http://www.tcpdump.org/manpages/pcap-filter.7.html)
expression.

— Key **state_check**
— Key **state_table**

*Optional*. A string denoting a connection table. If set, packets must
belong to a tracked connection in the specified connection table in
addition to any other condition in the rule to pass.
*Optional*. A string naming a state table. If set, packets passing any*
*rule will be tracked in the specified state table and any packet that
*belongs to a tracked connection in the specified state table will be let
*pass.

0 comments on commit 5056a55