[flow-tools] Filter flows
Mark Fullmer
maf@eng.oar.net
Thu, 23 Jan 2003 23:35:18 -0500
This sounds like it would be useful. The patch below adds an invert
option to a filter-definition. Might be useful as a command line option
to flow-nfilter too.
filter-definition
invert
match ip-source-address custa
Index: ftlib.h
===================================================================
RCS file: /usr/home/djnz-cvsroot/flow-tools/lib/ftlib.h,v
retrieving revision 1.80
diff -c -r1.80 ftlib.h
*** ftlib.h 24 Jan 2003 01:12:20 -0000 1.80
--- ftlib.h 24 Jan 2003 04:26:37 -0000
***************
*** 2047,2052 ****
--- 2047,2053 ----
FT_STAILQ_HEAD(filmathead, ftfil_match) matches;
char *name; /* name of the def */
u_int64 xfields; /* required flow fields - FT_XFIELD_* */
+ int invert; /* invert the PERMIT/DENY? */
};
struct ftfil_primitive {
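Review bot: The new `invert` member is only ever assigned in parse_definition_invert, so a definition without an `invert` line depends on the struct being zeroed where it is allocated. That allocation is not part of this patch; if it does not clear the struct, ftfil_def_eval would read an indeterminate value and could swap PERMIT and DENY unpredictably. It is worth confirming that the allocation site zeroes the definition, or setting `invert = 0` there explicitly. The field comment would also read better as a statement than a question, e.g. `int invert; /* non-zero: swap PERMIT and DENY in ftfil_def_eval */`.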
Index: ftfil.c
===================================================================
RCS file: /usr/home/djnz-cvsroot/flow-tools/lib/ftfil.c,v
retrieving revision 1.15
diff -c -r1.15 ftfil.c
*** ftfil.c 10 Dec 2002 17:11:51 -0000 1.15
--- ftfil.c 24 Jan 2003 04:29:19 -0000
***************
*** 296,301 ****
--- 296,303 ----
struct ftfil *ftfil);
static int parse_definition_or(struct line_parser *lp,
struct ftfil *ftfil);
+ static int parse_definition_invert(struct line_parser *lp,
+ struct ftfil *ftfil);
static int parse_primitive(struct line_parser *lp, struct ftfil *ftfil);
static int parse_primitive_type(struct line_parser *lp, struct ftfil *ftfil);
***************
*** 465,470 ****
--- 467,473 ----
{"filter-definition", 0, parse_definition},
{"match", PARSE_STATE_DEFINITION, parse_definition_match},
{"or", PARSE_STATE_DEFINITION, parse_definition_or},
+ {"invert", PARSE_STATE_DEFINITION, parse_definition_invert},
{0, 0, 0},
};
/*
***************
*** 2760,2770 ****
} /* matchi */
if (done)
! return FT_FIL_MODE_PERMIT;
} /* match */
! return FT_FIL_MODE_DENY;
} /* ftfil_def_eval */
--- 2763,2773 ----
} /* matchi */
if (done)
! return active_def->invert ? FT_FIL_MODE_DENY : FT_FIL_MODE_PERMIT;
} /* match */
! return active_def->invert ? FT_FIL_MODE_PERMIT : FT_FIL_MODE_DENY;
} /* ftfil_def_eval */
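Review bot: The final `return active_def->invert ? FT_FIL_MODE_PERMIT : FT_FIL_MODE_DENY;` turns the default-deny fall-through into a default-permit, so an inverted definition with no `match` lines passes every flow, where the same definition without `invert` passed none. If filter output feeds export or reporting decisions, that is a fail-open edge case and deserves a sentence in the function's header comment, e.g. `/* invert swaps both results, including the default returned when no match fires */`. A parse-time warning for an inverted definition with an empty match list would also help. ftfil_def_eval begins outside this hunk, so any return path not shown here would need the same handling.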
***************
*** 2932,2937 ****
--- 2935,2963 ----
return 0;
} /* parse_definition_match */
+
+ /*
+ * function: parse_definition_invert
+ *
+ * process the definition invert
+ *
+ * returns: 0 ok
+ * <0 fail
+ */
+ static int parse_definition_invert(struct line_parser *lp, struct ftfil *ftfil)
+ {
+
+ if (!lp->cur_def) {
+ fterr_warnx("%s line %d: Not in filter-definition mode.", lp->fname,
+ lp->lineno);
+ return -1;
+ }
+
+ lp->cur_def->invert = 1;
+
+ return 0;
+
+ } /* parse_definition_invert */
/*
* function: resolve_primitives
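Review bot: The header comment `process the definition invert` does not say what the keyword does or that its position is irrelevant. The function sets a flag on `lp->cur_def`, so an `invert` line anywhere in the definition, before or after the `match` lines, inverts the whole definition, and repeating it has no further effect. I would replace the comment with `set the invert flag on the current definition; the definition's PERMIT/DENY result is swapped regardless of where the keyword appears`. The `ftfil` parameter is unused here, presumably because the keyword table requires this handler signature, and a short comment could say so.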
On Fri, Jan 10, 2003 at 01:55:04PM -0600, Mike Hyde wrote:
> Is there a way to show flows that do not match a filter list? I am
> missing some networks from my filter list and was hoping to make a list
> of everything not found with the filter list.
>
>
> Mike
>
> --
> Mike Hyde <mhyde@escape.ca>
>
>
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools