backend/binsrc/nfqueue.cpp

#include "classes/regex_rules.cpp"
#include "classes/netfilter.cpp"
#include "utils.hpp"
#include <iostream>

using namespace std;

shared_ptr<RegexRules> regex_config;

void config_updater (){
	string line;
	while (true){
		getline(cin, line);
		if (cin.eof()){
			cerr << "[fatal] [updater] cin.eof()" << endl;
			exit(EXIT_FAILURE);
		}
		if (cin.bad()){
			cerr << "[fatal] [updater] cin.bad()" << endl;
			exit(EXIT_FAILURE);
		}
		cerr << "[info] [updater] Updating configuration with line " << line << endl;
		istringstream config_stream(line);
		vector<string> raw_rules;
		
		while(!config_stream.eof()){
			string data;
			config_stream >> data;
			if (data != "" && data != "\n"){
				raw_rules.push_back(data);
			}
		}
		try{
			regex_config.reset(new RegexRules(raw_rules, regex_config->stream_mode()));
			cerr << "[info] [updater] Config update done to ver "<< regex_config->ver() << endl;
		}catch(...){
			cerr << "[error] [updater] Failed to build new configuration!" << endl;
			// TODO send a row on stdout for this error
		}
	}
	
}

void inline scratch_setup(regex_ruleset &conf, hs_scratch_t* & scratch){
	if (scratch == nullptr && conf.hs_db != nullptr){
		if (hs_alloc_scratch(conf.hs_db, &scratch) != HS_SUCCESS) {
			throw invalid_argument("Cannot alloc scratch");
		}
	}
}

struct matched_data{
	unsigned int matched = 0;
	bool has_matched = false;
};


bool filter_callback(packet_info& info){
	shared_ptr<RegexRules> conf = regex_config;
	auto current_version = conf->ver();
	if (current_version != info.sctx->latest_config_ver){
		#ifdef DEBUG
		cerr << "[DEBUG] [filter_callback] Configuration has changed (" << current_version << "!=" << info.sctx->latest_config_ver << "), cleaning scratch spaces" << endl;
		#endif
		info.sctx->clean();
		info.sctx->latest_config_ver = current_version;
	}
	scratch_setup(conf->input_ruleset, info.sctx->in_scratch);
	scratch_setup(conf->output_ruleset, info.sctx->out_scratch);

	hs_database_t* regex_matcher = info.is_input ? conf->input_ruleset.hs_db : conf->output_ruleset.hs_db;
	if (regex_matcher == nullptr){
		return true;
	}
	
	#ifdef DEBUG
	cerr << "[DEBUG] [filter_callback] Matching packet with " << (info.is_input ? "input" : "output") << " ruleset" << endl;
	if (info.payload.size() <= 30){
		cerr << "[DEBUG] [filter_callback] Packet: " << info.payload << endl;
	}
	#endif
	
	matched_data match_res;
	hs_error_t err;
	hs_scratch_t* scratch_space = info.is_input ? info.sctx->in_scratch: info.sctx->out_scratch;
	auto match_func = [](unsigned int id, auto from, auto to, auto flags, auto ctx){
		auto res = (matched_data*)ctx;
		res->has_matched = true;
		res->matched = id;
		return -1; // Stop matching
	};
	hs_stream_t* stream_match;
	if (conf->stream_mode()){
		matching_map* match_map = info.is_input ? &info.sctx->in_hs_streams : &info.sctx->out_hs_streams;
		#ifdef DEBUG
		cerr << "[DEBUG] [filter_callback] Dumping match_map " << match_map << endl;
		for (auto ele: *match_map){
			cerr << "[DEBUG] [filter_callback] " << ele.first << " -> " << ele.second << endl;
		}
		cerr << "[DEBUG] [filter_callback] End of match_map" << endl;
		#endif
		auto stream_search = match_map->find(info.sid);
		
		if (stream_search == match_map->end()){
			
			#ifdef DEBUG
			cerr << "[DEBUG] [filter_callback] Creating new stream matcher for " << info.sid << endl;
			#endif
            if (hs_open_stream(regex_matcher, 0, &stream_match) != HS_SUCCESS) {
                cerr << "[error] [filter_callback] Error opening the stream matcher (hs)" << endl;
                throw invalid_argument("Cannot open stream match on hyperscan");
            }
			match_map->insert_or_assign(info.sid, stream_match);
		}else{
			stream_match = stream_search->second;
		}
		#ifdef DEBUG
		cerr << "[DEBUG] [filter_callback] Matching as a stream" << endl;
		#endif
		err = hs_scan_stream(
			stream_match,info.payload.c_str(), info.payload.length(),
			0, scratch_space, match_func, &match_res
		);
	}else{
		#ifdef DEBUG
		cerr << "[DEBUG] [filter_callback] Matching as a block" << endl;
		#endif
		err = hs_scan(
			regex_matcher,info.payload.c_str(), info.payload.length(),
			0, scratch_space, match_func, &match_res
		);
	}
	if (err != HS_SUCCESS && err != HS_SCAN_TERMINATED) {
		cerr << "[error] [filter_callback] Error while matching the stream (hs)" << endl;
		throw invalid_argument("Error while matching the stream with hyperscan");
	}
	if (match_res.has_matched){
		auto rules_vector = info.is_input ? conf->input_ruleset.regexes : conf->output_ruleset.regexes;
		stringstream msg;
		msg << "BLOCKED " << rules_vector[match_res.matched] << "\n";
		cout << msg.str() << flush;
		return false;
	}
	return true;
}

int main(int argc, char *argv[]){
	int n_of_threads = 1;
   	char * n_threads_str = getenv("NTHREADS");
   	if (n_threads_str != nullptr) n_of_threads = ::atoi(n_threads_str);
	if(n_of_threads <= 0) n_of_threads = 1;

	char * matchmode = getenv("MATCH_MODE");
	bool stream_mode = true;
	if (matchmode != nullptr && strcmp(matchmode, "block") == 0){
		stream_mode = false;
	}

	regex_config.reset(new RegexRules(stream_mode));
	
	NFQueueSequence<filter_callback> queues(n_of_threads);
	queues.start();

	cout << "QUEUES " << queues.init() << " " << queues.end() << endl;
	cerr << "[info] [main] Queues: " << queues.init() << ":" << queues.end() << " threads assigned: " << n_of_threads << " stream mode: " << stream_mode << endl;

	config_updater();
}
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`#include "classes/regex_rules.cpp"`
			`#include "classes/netfilter.cpp"`
Python integration with c++ binary (not totally working yet) 2022-07-18 18:52:14 +02:00			`#include "utils.hpp"`
Go -> C++ 2022-07-15 10:08:54 +02:00			`#include <iostream>`
Finished but not working 2022-07-16 14:22:33 +02:00
Go -> C++ 2022-07-15 10:08:54 +02:00			`using namespace std;`
C++ file developping 2022-07-15 17:26:40 +02:00
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`shared_ptr<RegexRules> regex_config;`
C++ file developping 2022-07-15 17:26:40 +02:00
c++ filter done 2022-07-16 15:24:05 +02:00			`void config_updater (){`
Fixes and small changes 2022-07-18 23:01:24 +02:00			`string line;`
c++ filter done 2022-07-16 15:24:05 +02:00			`while (true){`
			`getline(cin, line);`
Python integration with c++ binary (not totally working yet) 2022-07-18 18:52:14 +02:00			`if (cin.eof()){`
Iptables -> NFtables 2022-07-19 15:17:34 +02:00			`cerr << "[fatal] [updater] cin.eof()" << endl;`
Python integration with c++ binary (not totally working yet) 2022-07-18 18:52:14 +02:00			`exit(EXIT_FAILURE);`
			`}`
c++ filter done 2022-07-16 15:24:05 +02:00			`if (cin.bad()){`
Iptables -> NFtables 2022-07-19 15:17:34 +02:00			`cerr << "[fatal] [updater] cin.bad()" << endl;`
c++ filter done 2022-07-16 15:24:05 +02:00			`exit(EXIT_FAILURE);`
			`}`
			`cerr << "[info] [updater] Updating configuration with line " << line << endl;`
			`istringstream config_stream(line);`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`vector<string> raw_rules;`

c++ filter done 2022-07-16 15:24:05 +02:00			`while(!config_stream.eof()){`
Fixes and small changes 2022-07-18 23:01:24 +02:00			`string data;`
c++ filter done 2022-07-16 15:24:05 +02:00			`config_stream >> data;`
Python integration with c++ binary (not totally working yet) 2022-07-18 18:52:14 +02:00			`if (data != "" && data != "\n"){`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`raw_rules.push_back(data);`
Python integration with c++ binary (not totally working yet) 2022-07-18 18:52:14 +02:00			`}`
c++ filter done 2022-07-16 15:24:05 +02:00			`}`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`try{`
			`regex_config.reset(new RegexRules(raw_rules, regex_config->stream_mode()));`
improves on the nfregex binary 2025-02-03 02:04:10 +01:00			`cerr << "[info] [updater] Config update done to ver "<< regex_config->ver() << endl;`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`}catch(...){`
			`cerr << "[error] [updater] Failed to build new configuration!" << endl;`
			`// TODO send a row on stdout for this error`
			`}`
c++ filter done 2022-07-16 15:24:05 +02:00			`}`

			`}`

nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`void inline scratch_setup(regex_ruleset &conf, hs_scratch_t* & scratch){`
improves on the nfregex binary 2025-02-03 02:04:10 +01:00			`if (scratch == nullptr && conf.hs_db != nullptr){`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`if (hs_alloc_scratch(conf.hs_db, &scratch) != HS_SUCCESS) {`
			`throw invalid_argument("Cannot alloc scratch");`
			`}`
			`}`
c++ netfilter developping... 2022-07-16 01:04:55 +02:00			`}`

nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`struct matched_data{`
			`unsigned int matched = 0;`
			`bool has_matched = false;`
			`};`

improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00
			`bool filter_callback(packet_info& info){`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`shared_ptr<RegexRules> conf = regex_config;`
improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00			`auto current_version = conf->ver();`
			`if (current_version != info.sctx->latest_config_ver){`
			`#ifdef DEBUG`
			`cerr << "[DEBUG] [filter_callback] Configuration has changed (" << current_version << "!=" << info.sctx->latest_config_ver << "), cleaning scratch spaces" << endl;`
			`#endif`
			`info.sctx->clean();`
			`info.sctx->latest_config_ver = current_version;`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`}`
			`scratch_setup(conf->input_ruleset, info.sctx->in_scratch);`
			`scratch_setup(conf->output_ruleset, info.sctx->out_scratch);`

			`hs_database_t* regex_matcher = info.is_input ? conf->input_ruleset.hs_db : conf->output_ruleset.hs_db;`
			`if (regex_matcher == nullptr){`
			`return true;`
			`}`
improves on the nfregex binary x5 2025-02-04 22:51:30 +01:00
improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00			`#ifdef DEBUG`
			`cerr << "[DEBUG] [filter_callback] Matching packet with " << (info.is_input ? "input" : "output") << " ruleset" << endl;`
improves on the nfregex binary x5 2025-02-04 22:51:30 +01:00			`if (info.payload.size() <= 30){`
			`cerr << "[DEBUG] [filter_callback] Packet: " << info.payload << endl;`
			`}`
improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00			`#endif`

nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`matched_data match_res;`
			`hs_error_t err;`
			`hs_scratch_t* scratch_space = info.is_input ? info.sctx->in_scratch: info.sctx->out_scratch;`
			`auto match_func = [](unsigned int id, auto from, auto to, auto flags, auto ctx){`
			`auto res = (matched_data*)ctx;`
			`res->has_matched = true;`
			`res->matched = id;`
improves on the nfregex binary 2025-02-03 02:04:10 +01:00			`return -1; // Stop matching`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`};`
improves on the nfregex binary 2025-02-03 02:04:10 +01:00			`hs_stream_t* stream_match;`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`if (conf->stream_mode()){`
improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00			`matching_map* match_map = info.is_input ? &info.sctx->in_hs_streams : &info.sctx->out_hs_streams;`
			`#ifdef DEBUG`
			`cerr << "[DEBUG] [filter_callback] Dumping match_map " << match_map << endl;`
			`for (auto ele: *match_map){`
			`cerr << "[DEBUG] [filter_callback] " << ele.first << " -> " << ele.second << endl;`
			`}`
			`cerr << "[DEBUG] [filter_callback] End of match_map" << endl;`
			`#endif`
			`auto stream_search = match_map->find(info.sid);`
improves on the nfregex binary 2025-02-03 02:04:10 +01:00
improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00			`if (stream_search == match_map->end()){`

			`#ifdef DEBUG`
			`cerr << "[DEBUG] [filter_callback] Creating new stream matcher for " << info.sid << endl;`
			`#endif`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`if (hs_open_stream(regex_matcher, 0, &stream_match) != HS_SUCCESS) {`
			`cerr << "[error] [filter_callback] Error opening the stream matcher (hs)" << endl;`
			`throw invalid_argument("Cannot open stream match on hyperscan");`
			`}`
improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00			`match_map->insert_or_assign(info.sid, stream_match);`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`}else{`
			`stream_match = stream_search->second;`
			`}`
improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00			`#ifdef DEBUG`
			`cerr << "[DEBUG] [filter_callback] Matching as a stream" << endl;`
			`#endif`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`err = hs_scan_stream(`
			`stream_match,info.payload.c_str(), info.payload.length(),`
			`0, scratch_space, match_func, &match_res`
			`);`
			`}else{`
improves on the nfregex binary x3 2025-02-04 21:09:03 +01:00			`#ifdef DEBUG`
			`cerr << "[DEBUG] [filter_callback] Matching as a block" << endl;`
			`#endif`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`err = hs_scan(`
			`regex_matcher,info.payload.c_str(), info.payload.length(),`
			`0, scratch_space, match_func, &match_res`
			`);`
			`}`
improves on the nfregex binary 2025-02-03 02:04:10 +01:00			`if (err != HS_SUCCESS && err != HS_SCAN_TERMINATED) {`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`cerr << "[error] [filter_callback] Error while matching the stream (hs)" << endl;`
			`throw invalid_argument("Error while matching the stream with hyperscan");`
			`}`
			`if (match_res.has_matched){`
			`auto rules_vector = info.is_input ? conf->input_ruleset.regexes : conf->output_ruleset.regexes;`
			`stringstream msg;`
			`msg << "BLOCKED " << rules_vector[match_res.matched] << "\n";`
			`cout << msg.str() << flush;`
			`return false;`
			`}`
			`return true;`
			`}`

			`int main(int argc, char *argv[]){`
Fixes 2022-07-22 00:34:57 +02:00			`int n_of_threads = 1;`
Fixes and improvements in thread managment 2022-08-02 19:45:28 +00:00			`char * n_threads_str = getenv("NTHREADS");`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`if (n_threads_str != nullptr) n_of_threads = ::atoi(n_threads_str);`
Fixes 2022-07-22 00:34:57 +02:00			`if(n_of_threads <= 0) n_of_threads = 1;`
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00
			`char * matchmode = getenv("MATCH_MODE");`
			`bool stream_mode = true;`
			`if (matchmode != nullptr && strcmp(matchmode, "block") == 0){`
			`stream_mode = false;`
			`}`
improves on the nfregex binary x5 2025-02-04 22:51:30 +01:00
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`regex_config.reset(new RegexRules(stream_mode));`

			`NFQueueSequence<filter_callback> queues(n_of_threads);`
			`queues.start();`
C++ file developping 2022-07-15 17:26:40 +02:00
nfqueue to hyperscan and stream match, removed proxyregex 2025-02-02 19:54:42 +01:00			`cout << "QUEUES " << queues.init() << " " << queues.end() << endl;`
improves on the nfregex binary x5 2025-02-04 22:51:30 +01:00			`cerr << "[info] [main] Queues: " << queues.init() << ":" << queues.end() << " threads assigned: " << n_of_threads << " stream mode: " << stream_mode << endl;`
C++ file developping 2022-07-15 17:26:40 +02:00
			`config_updater();`
Go -> C++ 2022-07-15 10:08:54 +02:00			`}`