
feat: Support pcap-filter expression for pcap mode #478

Merged: 7 commits into gojue:master from tls/pcap-filter, Feb 22, 2024

Conversation

Asphaltt (Contributor) commented Feb 3, 2024

Fix #474

It's better to use a pcap-filter expression to filter packets, like tcpdump does, instead of --port-like options.

e.g. ./bin/ecapture tls -m pcap -i ens33 --pcapfile test.pcapng host 142.251.10.100

So, in this PR:

  1. Add libpcap as a Git submodule.
  2. make in the Makefile will build and install libpcap.
  3. Remove target_port in the bpf code.
  4. Add filter_pcap_ebpf_l2() as a stub to inject the pcap-filter into.
  5. Use ebpfmanager@v0.4.5 to inject the pcap-filter into the bpf program spec with the elibpcap library.
  6. Remove the --port option.
  7. Add the remaining command-line args as the pcap filter expression.
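What that stub ends up running, as an added example that is not ecapture's or elibpcap's code: libpcap compiles the expression from the command line above into a classic-BPF program over the raw L2 frame, and the Go below is a minimal interpreter for that program, run against frames constructed inline (no capture file involved). The instruction listing is the one `tcpdump -d 'host 142.251.10.100'` prints for an Ethernet link; that, and the frame offsets, are assumptions about the environment rather than anything the PR shows, so confirm them against your own libpcap.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Classic-BPF opcodes a `host` filter needs (added example, not ecapture code).
const (
	opLDH = iota // A = be16(pkt[k:])
	opLD         // A = be32(pkt[k:])
	opJEQ        // pc += (A == k ? jt : jf), relative to pc+1
	opRET        // return k; non-zero means accept
)

type insn struct {
	code   int
	k      uint32
	jt, jf int
}

// hostFilter is the program libpcap emits for `host <ip>` on an Ethernet link, as
// `tcpdump -d` shows it (assumed, not from the PR): IPv4 src/dst, then ARP/RARP.
func hostFilter(ip net.IP) []insn {
	a := binary.BigEndian.Uint32(ip.To4())
	return []insn{
		{opLDH, 12, 0, 0},     // (000) ldh [12]             ethertype
		{opJEQ, 0x800, 0, 4},  // (001) jeq #0x800  jt 2  jf 6
		{opLD, 26, 0, 0},      // (002) ld  [26]             IPv4 src
		{opJEQ, a, 8, 0},      // (003) jeq #ip     jt 12 jf 4
		{opLD, 30, 0, 0},      // (004) ld  [30]             IPv4 dst
		{opJEQ, a, 6, 7},      // (005) jeq #ip     jt 12 jf 13
		{opJEQ, 0x806, 1, 0},  // (006) jeq #0x806  jt 8  jf 7
		{opJEQ, 0x8035, 0, 5}, // (007) jeq #0x8035 jt 8  jf 13
		{opLD, 28, 0, 0},      // (008) ld  [28]             ARP sender IP
		{opJEQ, a, 2, 0},      // (009) jeq #ip     jt 12 jf 10
		{opLD, 38, 0, 0},      // (010) ld  [38]             ARP target IP
		{opJEQ, a, 0, 1},      // (011) jeq #ip     jt 12 jf 13
		{opRET, 262144, 0, 0}, // (012) ret #262144          accept
		{opRET, 0, 0, 0},      // (013) ret #0               drop
	}
}

// matches runs prog over one L2 frame. A load past the end of the frame
// rejects it, which is also what the kernel's cBPF interpreter does.
func matches(prog []insn, pkt []byte) bool {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		in := prog[pc]
		switch in.code {
		case opLDH:
			if int(in.k)+2 > len(pkt) {
				return false
			}
			acc = uint32(binary.BigEndian.Uint16(pkt[in.k:]))
		case opLD:
			if int(in.k)+4 > len(pkt) {
				return false
			}
			acc = binary.BigEndian.Uint32(pkt[in.k:])
		case opJEQ:
			if acc == in.k {
				pc += in.jt
			} else {
				pc += in.jf
			}
		case opRET:
			return in.k != 0
		}
	}
	return false
}

// frame builds a constructed Ethernet frame of n bytes with the given ethertype
// and IPv4 addresses at the given offsets; only fields the filter reads are set.
func frame(n int, ethertype uint16, addrs map[int]net.IP) []byte {
	f := make([]byte, n)
	binary.BigEndian.PutUint16(f[12:], ethertype)
	for off, ip := range addrs {
		copy(f[off:], ip.To4())
	}
	return f
}

// Ethernet+IPv4 (src at 26, dst at 30) and Ethernet+ARP (sender IP 28, target IP 38).
func ipv4Frame(src, dst net.IP) []byte { return frame(34, 0x0800, map[int]net.IP{26: src, 30: dst}) }
func arpFrame(sender, target net.IP) []byte {
	return frame(42, 0x0806, map[int]net.IP{28: sender, 38: target})
}

func main() {
	host, other := net.ParseIP("142.251.10.100"), net.ParseIP("10.0.0.5")
	prog := hostFilter(host)
	fmt.Println("ipv4 to host  ", matches(prog, ipv4Frame(other, host)))
	fmt.Println("ipv4 from host", matches(prog, ipv4Frame(host, other)))
	fmt.Println("ipv4 unrelated", matches(prog, ipv4Frame(other, net.ParseIP("1.1.1.1"))))
	fmt.Println("arp for host  ", matches(prog, arpFrame(other, host)))
	fmt.Println("truncated     ", matches(prog, []byte{0xff, 0xff, 0xff}))
}
```

Two properties of `host` worth knowing before filtering TLS traffic with it: it matches either direction and also ARP/RARP frames carrying the address, so `src host`, `dst host` or a leading `ip and` narrows it when that is not wanted; and a load beyond the end of a short frame rejects the frame rather than matching, the same outcome the kernel gives. `262144` is just tcpdump's default snaplen; any non-zero return accepts.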

@Asphaltt force-pushed the tls/pcap-filter branch 2 times, most recently from 9de6fbd to 1987e97, on February 3, 2024 07:00
@cfc4n added the labels enhancement (New feature or request) and good first issue (Good for newcomers) on Feb 3, 2024
cfc4n (Member) commented Feb 4, 2024

./bin/ecapture tls -m pcap -i ens33 --pcapfile test.pcapng host 142.251.10.100

It seems that Option 2 is more in line with the usual conventions of pcap-filter, just like tcpdump, tshark, etc.

Option 2 looks more consistent with the conventions for using pcap-filter, the same as tcpdump and similar tools.

@Asphaltt force-pushed the tls/pcap-filter branch 4 times, most recently from f3efccc to 96f3571, on February 19, 2024 14:11
Review comment on Makefile (outdated, resolved)
@Asphaltt force-pushed the tls/pcap-filter branch 2 times, most recently from 074a4d9 to 9a0a416, on February 19, 2024 14:52
cfc4n (Member) left a comment

PTAL

Review comments on kern/bpf/bpf_helpers.h and Makefile (resolved)
cfc4n (Member) commented Feb 21, 2024

It runs normally on x86_64/aarch64 Linux.
However, it has no effect when running on aarch64 Android (kernel 5.15).

But you can skip Android for now.

It's better to use a pcap-filter expression to filter packets, like tcpdump does, instead of `--port`-like options.

e.g. `./bin/ecapture tls -m pcap -i ens33 --pcapfile test.pcapng host 142.251.10.100`

So, in this commit:

1. Add libpcap as a Git submodule.
2. `make` in the Makefile will build and install libpcap.
3. Remove `target_port` in the bpf code.
4. Add `filter_pcap_ebpf_l2()` as a stub to inject the pcap-filter into.
5. Use `ebpfmanager@v0.4.5` to inject the pcap-filter into the bpf program spec with the `elibpcap` library.
6. Remove the `--port` option.
7. Add the remaining command-line args as the pcap filter expression.

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
As the previous commit adds the libpcap submodule, we have to check out the repo with it.

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
When running `make nocore`, there is a compile error:

```bash
In file included from kern/boringssl_a_13_kern.c:72:
In file included from ./kern/openssl.h:16:
./kern/tc.h:116:8: error: use of undeclared identifier '__noinline__'
static __noinline bool filter_pcap_ebpf_l2(void *_skb, void *__skb,
       ^
./kern/bpf/bpf_helpers.h:47:35: note: expanded from macro '__noinline'
                                  ^
/lib/modules/6.5.0-15-generic/build/include/linux/compiler_attributes.h:244:56: note: expanded from macro 'noinline'
                                                       ^
1 error generated.
```

This is because the definition of `noinline` in `compiler_attributes.h` is
incorrect for us, which makes `__noinline` expand to the clang-unrecognised
`__attribute__((__attribute__((__noinline__))))`.

So, we have to `undef noinline` when compiling with clang for `make nocore`.

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
cfc4n (Member) left a comment

LGTM

@cfc4n cfc4n merged commit f50b9de into gojue:master Feb 22, 2024
6 checks passed
Linked issue closed by this pull request: "Can the tls subcommand support IP filtering?" (tls子命令可否支持ip过滤)