From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
To: Eric Leblond <eric@regit.org>
Cc: Netfilter Devel <netfilter-devel@vger.kernel.org>
Subject: [PATCH ulogd 4/7] filter: add new filter for Netflow ICMP_TYPE
Date: Wed, 10 Feb 2016 11:01:56 +0900
Message-ID: <20160210020156.GE17470@gmail.com>
In-Reply-To: <20160210015358.GA17470@gmail.com>
This filter creates ICMP_TYPE Netflow v9 from IPFIX icmpTypeIPv4
and icmpCodeIPv4.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
filter/Makefile.am | 6 ++-
filter/ulogd_filter_PACKICMP.c | 101 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 106 insertions(+), 1 deletion(-)
create mode 100644 filter/ulogd_filter_PACKICMP.c
diff --git a/filter/Makefile.am b/filter/Makefile.am
index 875850b..70a2bcc 100644
--- a/filter/Makefile.am
+++ b/filter/Makefile.am
@@ -7,7 +7,8 @@ pkglib_LTLIBRARIES = ulogd_filter_IFINDEX.la ulogd_filter_PWSNIFF.la \
ulogd_filter_PRINTPKT.la ulogd_filter_PRINTFLOW.la \
ulogd_filter_IP2STR.la ulogd_filter_IP2BIN.la \
ulogd_filter_HWHDR.la ulogd_filter_MARK.la \
- ulogd_filter_IP2HBIN.la
+ ulogd_filter_IP2HBIN.la \
+ ulogd_filter_PACKICMP.la
ulogd_filter_IFINDEX_la_SOURCES = ulogd_filter_IFINDEX.c
ulogd_filter_IFINDEX_la_LDFLAGS = -avoid-version -module
@@ -36,3 +37,6 @@ ulogd_filter_PRINTPKT_la_LDFLAGS = -avoid-version -module
ulogd_filter_PRINTFLOW_la_SOURCES = ulogd_filter_PRINTFLOW.c ../util/printflow.c
ulogd_filter_PRINTFLOW_la_LDFLAGS = -avoid-version -module
+
+ulogd_filter_PACKICMP_la_SOURCES = ulogd_filter_PACKICMP.c
+ulogd_filter_PACKICMP_la_LDFLAGS = -avoid-version -module
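Review bot: Missing documentation: the build rules added here make PACKICMP an installed plugin, but the diffstat shows only Makefile.am and the new source file, so nothing tells a user that the filter exists or where it belongs in a stack. Please add a sample configuration entry and a short note that it consumes icmp.type and icmp.code and produces icmp.typecode4, so the stack ordering relative to the plugin that supplies those keys is clear.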
diff --git a/filter/ulogd_filter_PACKICMP.c b/filter/ulogd_filter_PACKICMP.c
new file mode 100644
index 0000000..802b5ef
--- /dev/null
+++ b/filter/ulogd_filter_PACKICMP.c
@@ -0,0 +1,101 @@
+/* ulogd_filter_PACKICMP.c
+ *
+ * ulogd interpreter plugin for IPFIX / Netflow v9 to create
+ * icmpTypeCodeIPv4
+ *
+ * (C) 2014 by Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+#include <arpa/inet.h>
+
+#include <ulogd/ulogd.h>
+#include <ulogd/ipfix_protocol.h>
+
+enum input_key_index {
+ IKEY_ICMP_CODE,
+ IKEY_ICMP_TYPE,
+ IKEY_MAX,
+};
+
+static struct ulogd_key input_keys[] = {
+ [IKEY_ICMP_CODE] = {
+ .type = ULOGD_RET_UINT8,
+ .flags = ULOGD_RETF_NONE,
+ .name = "icmp.code",
+ },
+ [IKEY_ICMP_TYPE] = {
+ .type = ULOGD_RET_UINT8,
+ .flags = ULOGD_RETF_NONE,
+ .name = "icmp.type",
+ },
+};
+
+enum output_key_index {
+ OKEY_V4,
+ OKEY_MAX,
+};
+
+static struct ulogd_key output_keys[] = {
+ [OKEY_V4] = {
+ .type = ULOGD_RET_UINT16,
+ .flags = ULOGD_RETF_NONE,
+ .name = "icmp.typecode4",
+ .ipfix = {
+ .vendor = IPFIX_VENDOR_IETF,
+ .field_id = IPFIX_icmpTypeCodeIPv4,
+ },
+ },
+};
+
+static int interp_packicmp(struct ulogd_pluginstance *pi)
+{
+ struct ulogd_key *ret = pi->output.keys;
+ struct ulogd_key *inp = pi->input.keys;
+
+ if (!pp_is_valid(inp, IKEY_ICMP_TYPE)
+ || !pp_is_valid(inp, IKEY_ICMP_CODE))
+ return ULOGD_IRET_OK;
+
+ okey_set_u16(&ret[OKEY_V4],
+ ikey_get_u8(&inp[IKEY_ICMP_TYPE]) << 8
+ | ikey_get_u8(&inp[IKEY_ICMP_CODE]));
+
+ return ULOGD_IRET_OK;
+}
+
+static struct ulogd_plugin packicmp_plugin = {
+ .name = "PACKICMP",
+ .input = {
+ .keys = input_keys,
+ .num_keys = IKEY_MAX,
+ .type = ULOGD_DTYPE_PACKET | ULOGD_DTYPE_FLOW,
+ },
+ .output = {
+ .keys = output_keys,
+ .num_keys = OKEY_MAX,
+ .type = ULOGD_DTYPE_PACKET | ULOGD_DTYPE_FLOW,
+ },
+ .interp = &interp_packicmp,
+ .version = VERSION,
+};
+
+void __attribute__ ((constructor)) init(void);
+
+void init(void)
+{
+ ulogd_register_plugin(&packicmp_plugin);
+}
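Review bot: <arpa/inet.h> is included at the top of the new file, but nothing in it calls htons() or any other function from that header. Either drop the include, or, if icmp.typecode4 is meant to be stored in network byte order, the conversion is missing in interp_packicmp(); a one-line comment on the output key stating the byte order would settle it for the output plugin that consumes the value. In the same function the expression "ikey_get_u8(&inp[IKEY_ICMP_TYPE]) << 8 | ikey_get_u8(&inp[IKEY_ICMP_CODE])" is correct as written because << binds tighter than |, but parenthesising the shift makes that obvious to the reader. The early return when either input is not valid leaves the output key unset and still returns ULOGD_IRET_OK; that looks intended for non-ICMP traffic, and a short comment saying so would help.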
--
2.1.4