Merge pull request #19 from CESNET/sedlak-filter

Sedlak filter

Author: Lukas955

.gitignore

@@ -10,6 +10,10 @@ cmake-build-release/
 # JetBrains files
 .idea/
 
+# VS Code files
+.vscode/
+
+
 # Prerequisites
 *.d
 

config/system/aliases.xml

@@ -23,11 +23,13 @@
 	<!-- Source IP address (IPv4 or IPv6) -->
 	<element>
 		<name>SRC IP</name>
+		<alias>src ip</alias>
 		<alias>srcip</alias>
+		<alias>src host</alias>
 		<alias>srchost</alias>
 
 		<!-- possible data types: ipv4Address/ipv6Address -->
-		<source mode="anyOf">
+		<source mode="firstOf">
 			<id>iana:sourceIPv4Address</id>
 			<id>iana:sourceIPv6Address</id>
 		</source>
@@ -36,11 +38,13 @@
 	<!-- Destination IP address (IPv4 or IPv6) -->
 	<element>
 		<name>DST IP</name>
+		<alias>dst ip</alias>
 		<alias>dstip</alias>
+		<alias>dst host</alias>
 		<alias>dsthost</alias>
 
 		<!-- possible data types: ipv4Address/ipv6Address -->
-		<source mode="anyOf">
+		<source mode="firstOf">
 			<id>iana:destinationIPv4Address</id>
 			<id>iana:destinationIPv6Address</id>
 		</source>
@@ -54,8 +58,10 @@
 
 		<!-- possible data types: ipv4Address/ipv6Address -->
 		<source mode="anyOf">
-			<id>@srcip</id>
-			<id>@dstip</id>
+			<id>iana:sourceIPv4Address</id>
+			<id>iana:sourceIPv6Address</id>
+            <id>iana:destinationIPv4Address</id>
+			<id>iana:destinationIPv6Address</id>
 		</source>
 	</element>
 
@@ -64,7 +70,6 @@
 		<name>Flow Start</name>
 		<alias>flowstart</alias>
 
-		<dataType>dateTimeMilliseconds</dataType>
 		<aggregation>
 			<method>min</method>
 			<order>ascendent</order>
@@ -83,7 +88,6 @@
 		<name>Flow End</name>
 		<alias>flowend</alias>
 
-		<dataType>dateTimeMilliseconds</dataType>
 		<aggregation>
 			<method>max</method>
 			<order>ascendent</order>
@@ -97,47 +101,91 @@
 		</source>
 	</element>
 
-	<!-- Flow duration (calculation example) -->
 	<element>
-		<name>Duration</name>
-		<alias>duration</alias>
+		<name>Protocol</name>
 
-		<dataType>dateTimeMilliseconds</dataType>
-		<aggregation>
-			<method>sum</method>
-			<order>descendent</order>
-		</aggregation>
+		<alias>protocol</alias>
+		<alias>proto</alias>
 
-		<source mode="firstOf">
-			<!-- First, try to calculate the duration -->
-			<calculated expr="$1 - $2">
-				<arg id="1">@flowEnd</arg>
-				<arg id="2">@flowStart</arg>
-			</calculated>
-			<!-- If calculation failed, try to find other elements -->
-			<id>iana:flowDurationMilliseconds</id>
-			<id>iana:flowDurationMicroseconds</id>
+		<source>
+			<id>iana:protocolIdentifier</id>
 		</source>
 	</element>
 
-	<!-- Bytes per second (another calculated value) -->
 	<element>
-		<name>Bytes per second</name>
-		<alias>bps</alias>
+		<name>IPv4 Address</name>
 
-		<dataType>float64</dataType>
-		<aggregation>
-			<method>sum</method>
-			<order>descendent</order>
-		</aggregation>
+		<alias>ip4</alias>
+		<alias>ipv4</alias>
+		<alias>ipv4addr</alias>
+		<alias>ipv4address</alias>
+
+		<source>
+			<id>iana:sourceIPv4Address</id>
+			<id>iana:destinationIPv4Address</id>
+		</source>
+	</element>
+
+	<element>
+		<name>IPv6 Address</name>
+
+		<alias>ip6</alias>
+		<alias>ipv6</alias>
+		<alias>ipv6addr</alias>
+		<alias>ipv6address</alias>
 
 		<source>
-			<calculated expr="($1 * 1000) / $2">
-				<arg id="1">iana:octetDeltaCount</arg>
-				<arg id="2">@duration</arg>
-			</calculated>
+			<id>iana:sourceIPv6Address</id>
+			<id>iana:destinationIPv6Address</id>
 		</source>
 	</element>
+
+	<element>
+		<name>Port</name>
+
+		<alias>port</alias>
+
+		<source>
+			<id>iana:sourceTransportPort</id>
+			<id>iana:destinationTransportPort</id>
+		</source>
+	</element>
+
+	<element>
+		<name>Source Port</name>
+
+		<alias>srcport</alias>
+		<alias>sourceport</alias>
+		<alias>src port</alias>
+
+		<source>
+			<id>iana:sourceTransportPort</id>
+		</source>
+	</element>
+
+	<element>
+		<name>Destination Port</name>
+
+		<alias>dstport</alias>
+		<alias>destport</alias>
+		<alias>destinationport</alias>
+		<alias>dst port</alias>
+
+		<source>
+			<id>iana:destinationTransportPort</id>
+		</source>
+	</element>
+
+	<element>
+		<name>TCP Flags</name>
+
+		<alias>tcpflags</alias>
+
+		<source>
+			<id>iana:tcpControlBits</id>
+		</source>
+	</element>
+
 </ipfix-aliases>
 
 <!-- TODO: How to express "net a.b.c.d/XX"? -->

config/system/mappings.xml

@@ -0,0 +1,65 @@
+<ipfix-mapping>
+    <group>
+        <name>Protocol</name>
+        
+        <!-- Alias or Element name -->
+        <match>Protocol</match>
+
+        <item-list mode="caseInsensitive">
+            <item>
+                <key>TCP</key>
+                <value>6</value>
+            </item>
+            <item>
+                <key>UDP</key>
+                <value>17</value>
+            </item>
+        </item-list>
+    </group>
+
+    <group>
+        <name>TCP Flags</name>
+
+        <match>TCP Flags</match>
+
+        <item-list mode="caseInsensitive">
+            <item>
+                <key>FIN</key>
+                <value>1</value>
+            </item>
+            <item>
+                <key>SYN</key>
+                <value>2</value>
+            </item>
+            <item>
+                <key>RST</key>
+                <value>4</value>
+            </item>
+            <item>
+                <key>PSH</key>
+                <value>8</value>
+            </item>
+            <item>
+                <key>ACK</key>
+                <value>16</value>
+            </item>
+            <item>
+                <key>URG</key>
+                <value>32</value>
+            </item>
+            <item>
+                <key>ECE</key>
+                <value>64</value>
+            </item>
+            <item>
+                <key>CWR</key>
+                <value>128</value>
+            </item>
+            <item>
+                <key>NS</key>
+                <value>256</value>
+            </item>
+        </item-list>
+    </group>
+
+</ipfix-mapping>

examples/custom_trie.c

@@ -0,0 +1,88 @@
+#include <stdio.h>
+#include <libfds.h>
+#include <assert.h>
+
+
+int
+ip_list_to_trie(fds_filter_value_u *val, fds_filter_value_u *res)
+{
+    printf("hello from trie constructor\n");
+
+    struct fds_trie *trie = fds_trie_create();
+    if (!trie) {
+        return FDS_ERR_NOMEM;
+    }
+    for (int i = 0; i < val->list.len; i++) {
+        int ret = fds_trie_add(trie, val->list.items[i].ip.version, val->list.items[i].ip.addr, val->list.items[i].ip.prefix);
+        if (!ret) {
+            return FDS_ERR_NOMEM;
+        }
+    }
+    // free(val->list.items);
+    res->p = trie;
+    return FDS_OK;
+}
+
+void
+destroy_trie(fds_filter_value_u *val)
+{
+    fds_trie_destroy(val->p);
+}
+
+void
+ip_in_trie(fds_filter_value_u *left, fds_filter_value_u *right, fds_filter_value_u *result)
+{
+    result->b = fds_trie_find(right->p, left->ip.version, left->ip.addr, left->ip.prefix);
+}
+
+#define FDS_FDT_TRIE (FDS_FDT_CUSTOM | 1) // const int doesn't work here?
+
+const fds_filter_op_s trie_ops[] = {
+    FDS_FILTER_DEF_CONSTRUCTOR(FDS_FDT_IP | FDS_FDT_LIST, ip_list_to_trie, FDS_FDT_TRIE),
+    FDS_FILTER_DEF_DESTRUCTOR(FDS_FDT_TRIE, destroy_trie),
+    FDS_FILTER_DEF_BINARY_OP(FDS_FDT_IP, "in", FDS_FDT_TRIE, ip_in_trie, FDS_FDT_BOOL),
+    FDS_FILTER_END_OP_LIST
+};
+
+int
+main(int argc, char *argv[])
+{
+    int exit_code = EXIT_SUCCESS;
+    int res;
+    fds_filter_opts_t *opts = NULL;
+    fds_filter_t *filter = NULL;
+    
+    opts = fds_filter_create_default_opts();
+    if (!opts) {
+        printf("error: create default opts failed\n");
+        exit_code = EXIT_FAILURE;
+        goto cleanup;
+    }
+
+    if (!fds_filter_opts_extend_ops(opts, trie_ops)) {
+        printf("error: extend ops failed\n");
+        exit_code = EXIT_FAILURE;
+        goto cleanup;
+    }
+
+    const char *expr = "127.0.0.1 in [127.0.0.1, 127.0.0.2, 192.168.1.21, 1.1.1.1, 8.8.8.8, 4.4.4.4]";
+    res = fds_filter_create(&filter, expr, opts);
+    if (res != FDS_OK) {
+        fds_filter_error_s *err = fds_filter_get_error(filter);
+        printf("error creating filter: %d: %s\n", err->code, err->msg);
+        exit_code = EXIT_FAILURE;
+        goto cleanup;
+    }
+
+    res = fds_filter_eval(filter, NULL);
+    if (res) {
+        printf("filter passed\n");
+    } else {
+        printf("filter didn't pass\n");
+    }
+
+cleanup:
+    fds_filter_destroy(filter);
+    fds_filter_destroy_opts(opts);
+    return exit_code;
+}

examples/filter.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#include <libfds.h>
+
+int main(int argc, char *argv[]) {
+    if (argc < 0) {
+        fprintf(stderr, "Usage: filter <expr>\n");
+        return 1;
+    }
+
+    fds_filter_opts_t *opts = fds_filter_create_default_opts();
+    assert(opts);
+
+    fds_filter_t *filter;
+    int ret = fds_filter_create(&filter, argv[1], opts);
+    if (ret != FDS_OK) {
+        fds_filter_error_s *err = fds_filter_get_error(filter);
+        printf("(%d) %s\n", err->code, err->msg);
+        printf("%s\n", argv[1]);
+        const char *p = argv[1];
+        while (p < err->cursor_begin) { printf(" "); p++; }
+        while (p < err->cursor_end) { printf("^"); p++; }
+        printf("\n");
+        fds_filter_destroy(filter);
+        fds_filter_destroy_opts(opts);
+        return 1;
+    }
+    fds_filter_eval(filter, NULL);
+    fds_filter_destroy(filter);
+    fds_filter_destroy_opts(opts);
+    return 0;
+}

include/CMakeLists.txt

@@ -15,10 +15,13 @@ set(SUB_HEADERS
 	libfds/iemgr.h
 	libfds/drec.h
 	libfds/file.h
+	libfds/filter.h
 	libfds/ipfix_parsers.h
 	libfds/ipfix_structs.h
+	libfds/ipfix_filter.h
 	libfds/template.h
 	libfds/template_mgr.h
+	libfds/trie.h
 	libfds/xml_parser.h
 )