line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
3
|
|
|
3
|
|
2383
|
use strict; |
|
3
|
|
|
|
|
5
|
|
|
3
|
|
|
|
|
83
|
|
2
|
3
|
|
|
3
|
|
10
|
use warnings; |
|
3
|
|
|
|
|
3
|
|
|
3
|
|
|
|
|
90
|
|
3
|
3
|
|
|
3
|
|
452
|
no if $] >= 5.017011, warnings => 'experimental::smartmatch'; |
|
3
|
|
|
|
|
9
|
|
|
3
|
|
|
|
|
16
|
|
4
|
|
|
|
|
|
|
|
5
|
|
|
|
|
|
|
package Net::IMP::ProtocolPinning; |
6
|
3
|
|
|
3
|
|
176
|
use base 'Net::IMP::Base'; |
|
3
|
|
|
|
|
2
|
|
|
3
|
|
|
|
|
588
|
|
7
|
|
|
|
|
|
|
use fields ( |
8
|
3
|
|
|
|
|
13
|
'buf', # buffered data for each direction |
9
|
|
|
|
|
|
|
'off_buf', # start of buf[dir] relativ to input stream |
10
|
|
|
|
|
|
|
'off_passed', # offset up to which already passed |
11
|
|
|
|
|
|
|
'ruleset', # active rules per dir |
12
|
|
|
|
|
|
|
'paused', # if there is active IMP_PAUSE for dir |
13
|
|
|
|
|
|
|
# if allow_dup already matched packets are put with key md5(seed+packet) |
14
|
|
|
|
|
|
|
# and rule number as value into matched[dir]{...} |
15
|
|
|
|
|
|
|
'matched', # hash of already matched packets |
16
|
|
|
|
|
|
|
'matched_seed', # random seed for matched hash (new for each analyzer) |
17
|
3
|
|
|
3
|
|
12
|
); |
|
3
|
|
|
|
|
4
|
|
18
|
|
|
|
|
|
|
|
19
|
3
|
|
|
3
|
|
159
|
use Net::IMP; # import IMP_ constants |
|
3
|
|
|
|
|
4
|
|
|
3
|
|
|
|
|
222
|
|
20
|
3
|
|
|
3
|
|
12
|
use Net::IMP::Debug; |
|
3
|
|
|
|
|
3
|
|
|
3
|
|
|
|
|
12
|
|
21
|
3
|
|
|
3
|
|
1556
|
use Storable 'dclone'; |
|
3
|
|
|
|
|
6517
|
|
|
3
|
|
|
|
|
206
|
|
22
|
3
|
|
|
3
|
|
997
|
use Data::Dumper; |
|
3
|
|
|
|
|
10628
|
|
|
3
|
|
|
|
|
125
|
|
23
|
3
|
|
|
3
|
|
12
|
use Carp 'croak'; |
|
3
|
|
|
|
|
4
|
|
|
3
|
|
|
|
|
99
|
|
24
|
3
|
|
|
3
|
|
10
|
use Digest::MD5 'md5'; |
|
3
|
|
|
|
|
3
|
|
|
3
|
|
|
|
|
8051
|
|
25
|
|
|
|
|
|
|
|
26
|
|
|
|
|
|
|
sub INTERFACE { return ([ |
27
|
|
|
|
|
|
|
undef, # we can stream and packets, although they behave differently |
28
|
|
|
|
|
|
|
[ |
29
|
0
|
|
|
0
|
0
|
0
|
IMP_PASS, # pass data unchanged |
30
|
|
|
|
|
|
|
IMP_DENY, # deny if rule is not matched |
31
|
|
|
|
|
|
|
# send pause/continue if last rule of dir is reached and |
32
|
|
|
|
|
|
|
# max_unbound is undef |
33
|
|
|
|
|
|
|
IMP_PAUSE, |
34
|
|
|
|
|
|
|
IMP_CONTINUE, |
35
|
|
|
|
|
|
|
] |
36
|
|
|
|
|
|
|
])} |
37
|
|
|
|
|
|
|
|
38
|
|
|
|
|
|
|
sub _compile_cfg { |
39
|
60
|
|
|
60
|
|
90
|
my %args = @_; |
40
|
|
|
|
|
|
|
|
41
|
60
|
|
|
|
|
63
|
my $ignore_order = delete $args{ignore_order}; |
42
|
60
|
|
|
|
|
57
|
my $allow_reorder = delete $args{allow_reorder}; |
43
|
60
|
50
|
|
|
|
92
|
my $r = delete $args{rules} or die "rules need to be given\n"; |
44
|
60
|
|
|
|
|
46
|
my $max_unbound = delete $args{max_unbound}; |
45
|
|
|
|
|
|
|
|
46
|
60
|
100
|
|
|
|
83
|
if ($max_unbound) { |
47
|
50
|
50
|
|
|
|
72
|
die "max_unbound should be [max0,max1]\n" if @$max_unbound>2; |
48
|
50
|
|
|
|
|
58
|
for (0,1) { |
49
|
100
|
100
|
|
|
|
142
|
defined $max_unbound->[$_] or next; |
50
|
68
|
50
|
|
|
|
199
|
die "max_unbound[$_] should be number >=0\n" |
51
|
|
|
|
|
|
|
if $max_unbound->[$_] !~m{^\d+$}; |
52
|
|
|
|
|
|
|
} |
53
|
|
|
|
|
|
|
} |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
# compile $args{rules} into list of rulesets per dir |
56
|
|
|
|
|
|
|
# $ruleset[$dir][$i] -> [r1,r2,.] | undef |
57
|
|
|
|
|
|
|
# - [ r1,r2.. ] - these rules can match, multiple rules at a time are only |
58
|
|
|
|
|
|
|
# possible if reorder. The rules will be tried in the given order until |
59
|
|
|
|
|
|
|
# one matches. |
60
|
|
|
|
|
|
|
# - undef - no data for this dir allowed at this stage. If ignore_order |
61
|
|
|
|
|
|
|
# there can be rules for each dir at the same time, else not. |
62
|
|
|
|
|
|
|
# When processing data it will remove completely matched rules, but |
63
|
|
|
|
|
|
|
# put rules which might match more (e.g. data
|
64
|
|
|
|
|
|
|
# If no more rules are open inside a ruleset it will remove the ruleset |
65
|
|
|
|
|
|
|
# and then |
66
|
|
|
|
|
|
|
# - if there is a next ruleset for the same dir continue with it |
67
|
|
|
|
|
|
|
# (e.g no change after removing the done ruleset) |
68
|
|
|
|
|
|
|
# - if there is no next ruleset (e.g. all rules done or next is undef) |
69
|
|
|
|
|
|
|
# remove any undef set from the other dir |
70
|
|
|
|
|
|
|
# It will remove the ruleset of no more open rules are inside. |
71
|
|
|
|
|
|
|
|
72
|
60
|
|
|
|
|
93
|
my @ruleset = ([],[]); |
73
|
60
|
|
|
|
|
43
|
my $lastdir; |
74
|
60
|
|
|
|
|
97
|
for (my $i=0;$i<@$r;$i++) { |
75
|
132
|
|
|
|
|
109
|
my $dir = $r->[$i]{dir}; |
76
|
132
|
50
|
50
|
|
|
310
|
die "rule$i.dir must be 0|1\n" unless ($dir//-1 ) ~~ [0,1]; |
77
|
132
|
50
|
50
|
|
|
255
|
die "rule$i.rxlen must be >0\n" unless ($r->[$i]{rxlen}||0)>0; |
78
|
132
|
|
|
|
|
91
|
my $rx = $r->[$i]{rx}; |
79
|
132
|
50
|
|
|
|
183
|
die "rule$i.rx should be regex\n" if ref($rx) ne 'Regexp'; |
80
|
132
|
50
|
|
|
|
200
|
die "rule$i.rx should not match empty string\n" if '' ~~ $rx; |
81
|
|
|
|
|
|
|
|
82
|
132
|
100
|
|
|
|
135
|
if ( ! $ignore_order ) { |
|
|
100
|
|
|
|
|
|
83
|
|
|
|
|
|
|
# initial rule or direction change |
84
|
76
|
100
|
100
|
|
|
148
|
$lastdir //= $dir ? 0:1; |
85
|
76
|
100
|
|
|
|
91
|
if ( $lastdir != $dir ) { |
86
|
58
|
|
|
|
|
40
|
push @{ $ruleset[$dir] }, []; # new ruleset |
|
58
|
|
|
|
|
66
|
|
87
|
58
|
|
|
|
|
36
|
push @{ $ruleset[$lastdir] },undef; # no more allowd |
|
58
|
|
|
|
|
44
|
|
88
|
58
|
|
|
|
|
51
|
$lastdir = $dir; |
89
|
|
|
|
|
|
|
} |
90
|
56
|
|
|
|
|
82
|
} elsif ( not @{ $ruleset[$dir] } ) { |
91
|
|
|
|
|
|
|
# initialize when ignore_order |
92
|
48
|
|
|
|
|
33
|
push @{ $ruleset[$dir] },[]; |
|
48
|
|
|
|
|
52
|
|
93
|
|
|
|
|
|
|
} |
94
|
|
|
|
|
|
|
|
95
|
|
|
|
|
|
|
# set ruleset to this rule |
96
|
|
|
|
|
|
|
# if allow_reorder try to add it to existing ruleset |
97
|
132
|
100
|
100
|
|
|
172
|
if ( $allow_reorder |
98
|
94
|
|
|
|
|
187
|
or ! @{ $ruleset[$dir][-1] } ) { |
99
|
120
|
|
|
|
|
77
|
push @{ $ruleset[$dir][-1] },$i; |
|
120
|
|
|
|
|
262
|
|
100
|
|
|
|
|
|
|
} else { |
101
|
12
|
|
|
|
|
10
|
push @{ $ruleset[$dir] },[ $i ]; |
|
12
|
|
|
|
|
24
|
|
102
|
|
|
|
|
|
|
} |
103
|
|
|
|
|
|
|
} |
104
|
|
|
|
|
|
|
|
105
|
|
|
|
|
|
|
return ( |
106
|
|
|
|
|
|
|
rules => $r, |
107
|
|
|
|
|
|
|
ruleset => \@ruleset, |
108
|
|
|
|
|
|
|
allow_dup => $args{allow_dup}, |
109
|
60
|
|
|
|
|
280
|
max_unbound => $max_unbound, |
110
|
|
|
|
|
|
|
%args, |
111
|
|
|
|
|
|
|
); |
112
|
|
|
|
|
|
|
} |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
sub new_factory { |
115
|
30
|
|
|
30
|
1
|
93
|
my $class = shift; |
116
|
30
|
|
|
|
|
35
|
return $class->SUPER::new_factory( _compile_cfg(@_)); |
117
|
|
|
|
|
|
|
} |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
sub validate_cfg { |
120
|
30
|
|
|
30
|
1
|
12272
|
my ($class,%args) = @_; |
121
|
30
|
|
|
|
|
27
|
my @err; |
122
|
30
|
50
|
|
|
|
30
|
push @err,$@ if ! eval { my @x = _compile_cfg(%args) }; |
|
30
|
|
|
|
|
54
|
|
123
|
30
|
|
|
|
|
86
|
delete @args{qw/rules max_unbound ignore_order allow_dup allow_reorder/}; |
124
|
30
|
|
|
|
|
89
|
push @err,$class->SUPER::validate_cfg(%args); |
125
|
30
|
|
|
|
|
54
|
return @err; |
126
|
|
|
|
|
|
|
} |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
# create new analyzer object |
129
|
|
|
|
|
|
|
sub new_analyzer { |
130
|
41
|
|
|
41
|
1
|
4488
|
my ($factory,%args) = @_; |
131
|
|
|
|
|
|
|
|
132
|
41
|
|
|
|
|
37
|
my $fargs = $factory->{factory_args}; |
133
|
|
|
|
|
|
|
my Net::IMP::ProtocolPinning $self = $factory->SUPER::new_analyzer( |
134
|
|
|
|
|
|
|
%args, |
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
# buffer per direction |
137
|
|
|
|
|
|
|
buf => [ '','' ], |
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
# offset for buffer per direction |
140
|
|
|
|
|
|
|
off_buf => [0,0], |
141
|
|
|
|
|
|
|
|
142
|
|
|
|
|
|
|
# amount of data already passed |
143
|
|
|
|
|
|
|
off_passed => [0,0], |
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
# clone ruleset because we will modify it |
146
|
|
|
|
|
|
|
ruleset => dclone($fargs->{ruleset}), |
147
|
|
|
|
|
|
|
|
148
|
|
|
|
|
|
|
# hash of already matched packets (per dir) if allow_dup |
149
|
41
|
100
|
|
|
|
927
|
matched => $fargs->{allow_dup} ? [] : undef, |
150
|
|
|
|
|
|
|
# seed for hashing matched packets, gets initialized on first use |
151
|
|
|
|
|
|
|
matched_seed => undef, |
152
|
|
|
|
|
|
|
); |
153
|
|
|
|
|
|
|
|
154
|
41
|
|
|
|
|
68
|
return $self; |
155
|
|
|
|
|
|
|
} |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
|
158
|
|
|
|
|
|
|
# matches buffer against rule |
159
|
|
|
|
|
|
|
# if match impossible returns () |
160
|
|
|
|
|
|
|
# if no match, but might by possible if more data are added returns (0,0) |
161
|
|
|
|
|
|
|
# if matched and data got removed because bufsize >=rxlen returns (size,size) |
162
|
|
|
|
|
|
|
# if matched and data are still in buffer (match may be longer) returns (size,0) |
163
|
|
|
|
|
|
|
sub _match_stream { |
164
|
63
|
|
|
63
|
|
56
|
my ($r,$rbuf) = @_; |
165
|
63
|
50
|
|
|
|
95
|
if ( $DEBUG ) { |
166
|
0
|
|
|
|
|
0
|
my ($pkg,undef,$line) = caller; |
167
|
|
|
|
|
|
|
debug("try match from=%s[%d] rxlen=%d rx=%s buf=%d/'%s'", |
168
|
0
|
|
|
|
|
0
|
$pkg,$line, $r->{rxlen},$r->{rx},length($$rbuf),$$rbuf); |
169
|
|
|
|
|
|
|
} |
170
|
63
|
|
|
|
|
56
|
my $lbuf = length($$rbuf); |
171
|
63
|
100
|
|
|
|
68
|
if ($r->{rxlen} <= $lbuf ) { |
172
|
32
|
100
|
|
|
|
440
|
if ( substr($$rbuf,0,$r->{rxlen}) =~s{\A$r->{rx}}{} ) { |
173
|
30
|
|
|
|
|
29
|
my $lm = $lbuf - length($$rbuf); |
174
|
30
|
50
|
|
|
|
38
|
$DEBUG && debug("final match of $lm in $r->{rxlen} bytes"); |
175
|
30
|
|
|
|
|
48
|
return ($lm,$lm) # (matched,removed=matched) |
176
|
|
|
|
|
|
|
} |
177
|
2
|
50
|
|
|
|
6
|
$DEBUG && debug("final failed match in $r->{rxlen} bytes"); |
178
|
2
|
|
|
|
|
2
|
return; # could never match because rxlen reached |
179
|
|
|
|
|
|
|
} else { |
180
|
31
|
100
|
|
|
|
332
|
if ( $$rbuf =~m{\A$r->{rx}}g ) { |
181
|
|
|
|
|
|
|
# might match later again and more |
182
|
19
|
|
|
|
|
23
|
my $lm = pos($$rbuf); |
183
|
19
|
50
|
|
|
|
26
|
$DEBUG && debug("preliminary match of $lm in $lbuf bytes"); |
184
|
19
|
|
|
|
|
33
|
return ($lm,0); # (matched,removed=0) |
185
|
|
|
|
|
|
|
} |
186
|
12
|
50
|
|
|
|
21
|
$DEBUG && debug("preliminary failed match in $lbuf bytes"); |
187
|
12
|
|
|
|
|
20
|
return (0,0); # could match if more data |
188
|
|
|
|
|
|
|
} |
189
|
|
|
|
|
|
|
} |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
# like _match_stream but matches rx against whole packet. |
192
|
|
|
|
|
|
|
# result can either be final (size,size) or never () |
193
|
|
|
|
|
|
|
sub _match_packet { |
194
|
30
|
|
|
30
|
|
26
|
my ($r,$rbuf) = @_; |
195
|
|
|
|
|
|
|
# try to match full packet |
196
|
30
|
|
|
|
|
20
|
my $len = length($$rbuf); |
197
|
30
|
50
|
|
|
|
44
|
return if $r->{rxlen} < $len; # could not match full packet |
198
|
30
|
100
|
|
|
|
346
|
return $$rbuf =~m{\A$r->{rx}\Z} ? ($len,$len) : (); |
199
|
|
|
|
|
|
|
} |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
sub data { |
202
|
114
|
|
|
114
|
1
|
294
|
my Net::IMP::ProtocolPinning $self = shift; |
203
|
114
|
|
|
|
|
121
|
my ($dir,$data,$offset,$type) = @_; |
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
# buf gets removed at final reply |
206
|
114
|
100
|
|
|
|
165
|
if ( ! $self->{buf} ) { |
207
|
|
|
|
|
|
|
# we gave already the final reply |
208
|
8
|
50
|
|
|
|
11
|
$DEBUG && debug("data[$dir] after final reply"); |
209
|
8
|
|
|
|
|
10
|
return; |
210
|
|
|
|
|
|
|
} |
211
|
|
|
|
|
|
|
|
212
|
|
|
|
|
|
|
# never did IMP_PASS into future, so no offset allowed |
213
|
106
|
50
|
|
|
|
142
|
$offset and die "no offset allowed"; |
214
|
|
|
|
|
|
|
|
215
|
106
|
|
|
|
|
95
|
my $rs = $self->{ruleset}[$dir]; # [r]ule[s]et |
216
|
106
|
|
|
|
|
86
|
my $rules = $self->{factory_args}{rules}; |
217
|
106
|
100
|
|
|
|
147
|
my $match = $type>0 ? \&_match_packet:\&_match_stream; |
218
|
|
|
|
|
|
|
|
219
|
106
|
100
|
|
|
|
143
|
if ($data eq '' ) { |
220
|
|
|
|
|
|
|
# eof - remove leading rule with extendable match and then |
221
|
|
|
|
|
|
|
# check if all rules are done |
222
|
|
|
|
|
|
|
$DEBUG && debug("eof dir=%d rules=%s", $dir, |
223
|
7
|
50
|
|
|
|
10
|
Data::Dumper->new([$self->{ruleset}])->Indent(0)->Terse(1)->Dump); |
224
|
|
|
|
|
|
|
|
225
|
7
|
100
|
66
|
|
|
28
|
if ( @$rs and my $match_in_progress = |
226
|
|
|
|
|
|
|
$self->{off_passed}[$dir] - $self->{off_buf}[$dir] ) { |
227
|
|
|
|
|
|
|
# rule done |
228
|
2
|
|
|
|
|
2
|
$self->{off_buf}[$dir] = $self->{off_passed}[$dir]; |
229
|
2
|
|
|
|
|
4
|
$self->{buf}[$dir] = ''; |
230
|
|
|
|
|
|
|
# remove matched rule |
231
|
|
|
|
|
|
|
# don't care for duplicates, they won't come anymore |
232
|
2
|
|
|
|
|
1
|
shift(@{$rs->[0]}); |
|
2
|
|
|
|
|
3
|
|
233
|
|
|
|
|
|
|
# remove ruleset if empty |
234
|
2
|
50
|
|
|
|
3
|
if (! @{$rs->[0]}) { |
|
2
|
|
|
|
|
4
|
|
235
|
2
|
|
|
|
|
2
|
shift(@$rs); |
236
|
|
|
|
|
|
|
# switch to other dir if this dir is done for now |
237
|
2
|
50
|
33
|
|
|
6
|
if ( ! @$rs || ! $rs->[0] ) { |
238
|
2
|
50
|
|
|
|
7
|
my $ors = $self->{ruleset}[$dir?0:1]; |
239
|
2
|
50
|
33
|
|
|
10
|
shift @$ors if @$ors && ! $ors->[0]; |
240
|
|
|
|
|
|
|
} |
241
|
2
|
50
|
|
|
|
3
|
goto CHECK_DONE if ! @$rs; |
242
|
|
|
|
|
|
|
} |
243
|
|
|
|
|
|
|
} |
244
|
|
|
|
|
|
|
# still unmatched rules but we have eof, thus no more rules |
245
|
|
|
|
|
|
|
# can match on this dir |
246
|
7
|
100
|
|
|
|
7
|
if ( my ($r) = grep { $_ } @$rs ) { |
|
9
|
|
|
|
|
17
|
|
247
|
5
|
|
|
|
|
5
|
$self->{buf} = undef; |
248
|
5
|
|
|
|
|
10
|
$self->run_callback([ |
249
|
|
|
|
|
|
|
IMP_DENY, |
250
|
|
|
|
|
|
|
$dir, |
251
|
5
|
|
|
|
|
18
|
"eof on $dir but unmatched rule#@{$r}" |
252
|
|
|
|
|
|
|
]); |
253
|
|
|
|
|
|
|
} else { |
254
|
|
|
|
|
|
|
# no more rules on eof side |
255
|
|
|
|
|
|
|
# as long as further rules on other side gets matched everything |
256
|
|
|
|
|
|
|
# is fine |
257
|
|
|
|
|
|
|
} |
258
|
7
|
|
|
|
|
39
|
return; |
259
|
|
|
|
|
|
|
} |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
# collect maximal offset to pass, will pass in PASS_AND_RETURN |
262
|
99
|
|
|
|
|
68
|
my $pass_until; |
263
|
|
|
|
|
|
|
|
264
|
|
|
|
|
|
|
NEXT_RULE: |
265
|
|
|
|
|
|
|
$DEBUG && debug("next rule dir=%d rules=%s |data=%d/'%s'", |
266
|
115
|
50
|
|
|
|
140
|
$dir,Data::Dumper->new([$self->{ruleset}])->Indent(0)->Terse(1)->Dump, |
267
|
|
|
|
|
|
|
length($data),substr($data,0,100)); |
268
|
|
|
|
|
|
|
|
269
|
115
|
100
|
|
|
|
141
|
if ( ! @$rs ) { |
270
|
|
|
|
|
|
|
# no (more) rules for $dir, accumulate data until all rules for other |
271
|
|
|
|
|
|
|
# direction are completed |
272
|
15
|
50
|
|
|
|
26
|
$self->{buf}[$dir] eq '' or die "buffer should be empty"; |
273
|
|
|
|
|
|
|
|
274
|
|
|
|
|
|
|
# check if other side has matched already with last rule |
275
|
15
|
100
|
|
|
|
21
|
my $odir = $dir ? 0:1; |
276
|
15
|
|
|
|
|
10
|
my $ors = $self->{ruleset}[$odir]; |
277
|
15
|
100
|
66
|
|
|
25
|
if ( @$ors == 1 and @{$ors->[0]} == 1 |
|
15
|
|
100
|
|
|
69
|
|
278
|
|
|
|
|
|
|
and $self->{off_passed}[$odir] - $self->{off_buf}[$odir] >0 ) { |
279
|
1
|
|
|
|
|
2
|
shift(@$ors); |
280
|
1
|
|
|
|
|
7
|
goto CHECK_DONE; |
281
|
|
|
|
|
|
|
} |
282
|
|
|
|
|
|
|
|
283
|
14
|
|
|
|
|
17
|
$self->{off_buf}[$dir] += length($data); |
284
|
|
|
|
|
|
|
|
285
|
14
|
|
|
|
|
14
|
my $max_unbound = $self->{factory_args}{max_unbound}; |
286
|
14
|
|
66
|
|
|
26
|
$max_unbound = $max_unbound && $max_unbound->[$dir]; |
287
|
14
|
100
|
|
|
|
18
|
if ( ! defined $max_unbound ) { |
288
|
7
|
50
|
|
|
|
10
|
$DEBUG && debug( |
289
|
|
|
|
|
|
|
"buffer data for dir $dir because buffering not bound"); |
290
|
7
|
100
|
|
|
|
13
|
if ( ! $self->{paused}[$dir] ) { |
291
|
|
|
|
|
|
|
# ask data provider to stop sending data |
292
|
5
|
|
|
|
|
6
|
$self->{paused}[$dir] = 1; |
293
|
5
|
|
|
|
|
14
|
$self->run_callback([ IMP_PAUSE, $dir ]); |
294
|
|
|
|
|
|
|
} |
295
|
|
|
|
|
|
|
# if pass_until>0 we had something to pass |
296
|
7
|
|
|
|
|
86
|
goto PASS_AND_RETURN; |
297
|
|
|
|
|
|
|
} |
298
|
|
|
|
|
|
|
|
299
|
7
|
|
|
|
|
8
|
my $unbound = $self->{off_buf}[$dir] - $self->{off_passed}[$dir]; |
300
|
|
|
|
|
|
|
$DEBUG && debug("dir=%d off=%d passed=%d -> unbound=%d", |
301
|
7
|
50
|
|
|
|
10
|
$dir,$self->{off_buf}[$dir],$self->{off_passed}[$dir],$unbound); |
302
|
7
|
100
|
|
|
|
10
|
if ( $unbound <= $max_unbound ) { |
303
|
4
|
50
|
|
|
|
5
|
$DEBUG && debug("buffer data for dir $dir because ". |
304
|
|
|
|
|
|
|
"unbound($unbound)<=max_unbound($max_unbound)"); |
305
|
4
|
|
|
|
|
30
|
goto PASS_AND_RETURN; |
306
|
|
|
|
|
|
|
} |
307
|
|
|
|
|
|
|
|
308
|
3
|
|
|
|
|
3
|
$self->{buf} = undef; |
309
|
3
|
|
|
|
|
13
|
$self->run_callback([ |
310
|
|
|
|
|
|
|
IMP_DENY, |
311
|
|
|
|
|
|
|
$dir, |
312
|
|
|
|
|
|
|
"unbound buffer size=$unbound > max_unbound($max_unbound)" |
313
|
|
|
|
|
|
|
]); |
314
|
3
|
|
|
|
|
23
|
return; |
315
|
|
|
|
|
|
|
} |
316
|
|
|
|
|
|
|
|
317
|
|
|
|
|
|
|
# append new data to buf, for packet data we work directly with $data |
318
|
100
|
100
|
|
|
|
126
|
unless ( $type > 0 ) { |
319
|
70
|
|
|
|
|
114
|
$self->{buf}[$dir] .= $data; |
320
|
70
|
|
|
|
|
55
|
$data = ''; |
321
|
|
|
|
|
|
|
} |
322
|
|
|
|
|
|
|
|
323
|
100
|
|
|
|
|
82
|
my $crs = $rs->[0]; # crs - [c]urrent [r]ule[s]et |
324
|
100
|
100
|
|
|
|
113
|
if ( ! $crs ) { |
325
|
|
|
|
|
|
|
# data from $dir are not allowed at this stage |
326
|
|
|
|
|
|
|
|
327
|
|
|
|
|
|
|
# finish a preliminary match on the other side and then try again |
328
|
9
|
100
|
|
|
|
11
|
my $odir = $dir ? 0:1; |
329
|
9
|
|
|
|
|
10
|
my $ors = $self->{ruleset}[$odir]; |
330
|
9
|
100
|
33
|
|
|
47
|
if ( @$ors and $ors->[0] and my $omatch_in_progress |
|
|
|
66
|
|
|
|
|
331
|
|
|
|
|
|
|
= $self->{off_passed}[$odir] - $self->{off_buf}[$odir] ) { |
332
|
5
|
50
|
|
|
|
8
|
$DEBUG && debug("finish preliminary match on $odir"); |
333
|
5
|
|
|
|
|
5
|
$self->{off_buf}[$odir] = $self->{off_passed}[$odir]; |
334
|
5
|
|
|
|
|
9
|
substr($self->{buf}[$odir],0,$omatch_in_progress,''); |
335
|
5
|
|
|
|
|
4
|
shift(@{$ors->[0]}); |
|
5
|
|
|
|
|
6
|
|
336
|
5
|
50
|
|
|
|
3
|
if ( ! @{$ors->[0]} ) { |
|
5
|
|
|
|
|
9
|
|
337
|
5
|
|
|
|
|
3
|
shift(@$ors); # ruleset done |
338
|
5
|
50
|
33
|
|
|
15
|
shift(@$rs) if ! @$ors or ! $ors->[0]; # switch dir |
339
|
5
|
0
|
33
|
|
|
8
|
goto CHECK_DONE if ! @$ors && ! @$rs; |
340
|
5
|
|
|
|
|
40
|
goto NEXT_RULE; # and try again |
341
|
|
|
|
|
|
|
} |
342
|
|
|
|
|
|
|
} |
343
|
|
|
|
|
|
|
|
344
|
|
|
|
|
|
|
# ignore if it is a duplicate packet |
345
|
|
|
|
|
|
|
# duplicate checking is only done for packet types |
346
|
4
|
0
|
66
|
|
|
9
|
if ( $type>0 and $self->{matched} and $self->{buf}[$dir] eq '' |
|
|
|
33
|
|
|
|
|
|
|
|
33
|
|
|
|
|
347
|
|
|
|
|
|
|
and my $matched = $self->{matched}[$dir] ) { |
348
|
0
|
|
|
|
|
0
|
my $hpkt = md5($self->{matched_seed} . $data); |
349
|
0
|
0
|
|
|
|
0
|
if ( defined( my $r = $matched->{$hpkt} )) { |
350
|
0
|
0
|
|
|
|
0
|
$DEBUG && debug("ignored DUP[$dir] for rule $r"); |
351
|
|
|
|
|
|
|
$pass_until = $self->{off_passed}[$dir] |
352
|
0
|
|
|
|
|
0
|
= $self->{off_buf}[$dir] += length($data); |
353
|
0
|
|
|
|
|
0
|
goto PASS_AND_RETURN; |
354
|
|
|
|
|
|
|
} |
355
|
|
|
|
|
|
|
} |
356
|
4
|
50
|
|
|
|
6
|
$DEBUG && debug("data[$dir] but rule -> DENY"); |
357
|
4
|
|
|
|
|
4
|
$self->{buf} = undef; |
358
|
|
|
|
|
|
|
$self->run_callback([ IMP_DENY, $dir, "rule#" |
359
|
4
|
100
|
|
|
|
23
|
.( $self->{ruleset}[$dir?0:1][0][0] )." data from wrong dir $dir" |
360
|
|
|
|
|
|
|
]); |
361
|
4
|
|
|
|
|
29
|
return; |
362
|
|
|
|
|
|
|
} |
363
|
|
|
|
|
|
|
|
364
|
|
|
|
|
|
|
# if there was a last match try to extend it or to mark rule as done |
365
|
91
|
100
|
|
|
|
161
|
if ( my $match_in_progress = |
366
|
|
|
|
|
|
|
$self->{off_passed}[$dir] - $self->{off_buf}[$dir] ) { |
367
|
|
|
|
|
|
|
# last rule matched already |
368
|
5
|
50
|
|
|
|
7
|
unless ( $type>0 ) { |
369
|
|
|
|
|
|
|
# try to extend match for streams |
370
|
|
|
|
|
|
|
my ($matched,$removed) = |
371
|
5
|
|
|
|
|
11
|
$match->($rules->[$crs->[0]],\$self->{buf}[$dir]); |
372
|
5
|
50
|
|
|
|
10
|
die "expected $crs->[0] to match" if ! $matched; |
373
|
5
|
100
|
|
|
|
8
|
if ( $removed ) { |
|
|
50
|
|
|
|
|
|
374
|
|
|
|
|
|
|
# rule finished, probably because rxlen reached |
375
|
4
|
50
|
|
|
|
5
|
$DEBUG && debug("completed preliminary match rule $crs->[0]"); |
376
|
4
|
|
|
|
|
5
|
$self->{off_buf}[$dir] += $removed; |
377
|
4
|
100
|
|
|
|
8
|
if ( $removed > $match_in_progress ) { |
378
|
|
|
|
|
|
|
$pass_until = $self->{off_passed}[$dir] |
379
|
3
|
|
|
|
|
5
|
= $self->{off_buf}[$dir]; |
380
|
|
|
|
|
|
|
} |
381
|
|
|
|
|
|
|
# no return, might match more |
382
|
|
|
|
|
|
|
|
383
|
|
|
|
|
|
|
} elsif ( $matched > $match_in_progress ) { |
384
|
|
|
|
|
|
|
# keep rule open but issue extended IMP_PASS |
385
|
1
|
50
|
|
|
|
2
|
$DEBUG && debug("extended preliminary match rule $crs->[0]"); |
386
|
|
|
|
|
|
|
$pass_until = $self->{off_passed}[$dir] |
387
|
1
|
|
|
|
|
3
|
= $self->{off_buf}[$dir]+$matched; |
388
|
1
|
|
|
|
|
15
|
goto PASS_AND_RETURN; # need more data |
389
|
|
|
|
|
|
|
} else { |
390
|
|
|
|
|
|
|
# keep rule open waiting for more data |
391
|
0
|
0
|
|
|
|
0
|
$DEBUG && debug("still preliminary(?) match rule $crs->[0]"); |
392
|
0
|
|
|
|
|
0
|
goto PASS_AND_RETURN; # need more data |
393
|
|
|
|
|
|
|
} |
394
|
|
|
|
|
|
|
|
395
|
|
|
|
|
|
|
} else { |
396
|
|
|
|
|
|
|
# stream followed by packet, so rule cannot be extended |
397
|
|
|
|
|
|
|
# remove from buf until end of last match |
398
|
0
|
0
|
|
|
|
0
|
$DEBUG && debug("finished match rule $crs->[0] on packet $type"); |
399
|
0
|
|
|
|
|
0
|
substr($self->{buf}[$dir],0,$match_in_progress,''); |
400
|
0
|
|
|
|
|
0
|
$self->{off_buf}[$dir] = $self->{off_passed}[$dir]; |
401
|
|
|
|
|
|
|
} |
402
|
|
|
|
|
|
|
|
403
|
|
|
|
|
|
|
# match of previously matching rule done |
404
|
|
|
|
|
|
|
# remove it and continue with next rule if there are more data |
405
|
4
|
|
|
|
|
4
|
shift(@$crs); |
406
|
4
|
50
|
|
|
|
6
|
if (! @$crs) { |
407
|
4
|
|
|
|
|
3
|
shift(@$rs); |
408
|
|
|
|
|
|
|
# switch to other dir if this dir is done for now |
409
|
4
|
100
|
66
|
|
|
11
|
if ( ! @$rs || ! $rs->[0] ) { |
410
|
2
|
50
|
|
|
|
3
|
my $ors = $self->{ruleset}[$dir ? 0:1]; |
411
|
2
|
50
|
33
|
|
|
8
|
shift @$ors if @$ors && ! $ors->[0]; |
412
|
2
|
0
|
33
|
|
|
4
|
goto CHECK_DONE if ! @$ors && ! @$rs; |
413
|
|
|
|
|
|
|
} |
414
|
|
|
|
|
|
|
} |
415
|
4
|
100
|
66
|
|
|
15
|
if ( $type>0 or $self->{buf}[$dir] ne '' ) { |
416
|
|
|
|
|
|
|
# unmatched data exist in data/buf |
417
|
3
|
100
|
|
|
|
10
|
if ( ! @$rs ) { |
418
|
|
|
|
|
|
|
# all rules done from this direction, put back all |
419
|
|
|
|
|
|
|
# from buf to $data before calling NEXT_RULE |
420
|
1
|
|
|
|
|
1
|
$data = $self->{buf}[$dir]; |
421
|
1
|
|
|
|
|
2
|
$self->{buf}[$dir] = ''; |
422
|
|
|
|
|
|
|
} |
423
|
3
|
|
|
|
|
22
|
goto NEXT_RULE; |
424
|
|
|
|
|
|
|
} |
425
|
1
|
|
|
|
|
11
|
goto PASS_AND_RETURN; # wait for more data |
426
|
|
|
|
|
|
|
} |
427
|
|
|
|
|
|
|
|
428
|
|
|
|
|
|
|
# check against current set |
429
|
86
|
100
|
|
|
|
83
|
if ( $type>0 ) { |
430
|
|
|
|
|
|
|
# packet data |
431
|
28
|
50
|
|
|
|
44
|
if ( $self->{buf}[$dir] ne '' ) { |
432
|
0
|
|
|
|
|
0
|
$self->run_callback([ |
433
|
|
|
|
|
|
|
IMP_DENY, |
434
|
|
|
|
|
|
|
$dir, |
435
|
|
|
|
|
|
|
"packet data after unmatched streaming data" |
436
|
|
|
|
|
|
|
]); |
437
|
|
|
|
|
|
|
} |
438
|
28
|
|
|
|
|
44
|
for( my $i=0;$i<@$crs;$i++ ) { |
439
|
30
|
100
|
|
|
|
44
|
if ( my ($len) = $match->($rules->[$crs->[$i]],\$data)) { |
440
|
|
|
|
|
|
|
# match |
441
|
|
|
|
|
|
|
$pass_until = $self->{off_passed}[$dir] = |
442
|
22
|
|
|
|
|
28
|
$self->{off_buf}[$dir] += $len; |
443
|
22
|
100
|
|
|
|
30
|
if ( $self->{matched} ) { |
444
|
|
|
|
|
|
|
# preserve hash of matched packet so that duplicates are |
445
|
|
|
|
|
|
|
# detected later |
446
|
|
|
|
|
|
|
$self->{matched}[$dir]{ md5( |
447
|
9
|
|
66
|
|
|
93
|
( $self->{matched_seed} //= pack("N",rand(2**32)) ). |
448
|
|
|
|
|
|
|
$data |
449
|
|
|
|
|
|
|
)} = $crs->[$i] |
450
|
|
|
|
|
|
|
} |
451
|
|
|
|
|
|
|
|
452
|
22
|
100
|
|
|
|
31
|
if (@$crs>1) { |
453
|
|
|
|
|
|
|
# remove rule, keep rest in ruleset |
454
|
4
|
50
|
|
|
|
7
|
$DEBUG && debug( |
455
|
|
|
|
|
|
|
"full match rule $crs->[$i] - remove from ruleset"); |
456
|
4
|
|
|
|
|
5
|
splice(@$crs,$i,1); |
457
|
|
|
|
|
|
|
} else { |
458
|
|
|
|
|
|
|
# remove ruleset with last rule in it |
459
|
18
|
50
|
|
|
|
22
|
$DEBUG && debug( |
460
|
|
|
|
|
|
|
"full match rule $crs->[$i] - remove ruleset"); |
461
|
18
|
|
|
|
|
15
|
shift(@$rs); |
462
|
|
|
|
|
|
|
# switch to other dir if this dir is done for now |
463
|
18
|
100
|
66
|
|
|
37
|
if ( ! @$rs || ! $rs->[0] ) { |
464
|
14
|
100
|
|
|
|
18
|
my $ors = $self->{ruleset}[$dir ? 0:1]; |
465
|
14
|
100
|
100
|
|
|
48
|
shift @$ors if @$ors && ! $ors->[0]; |
466
|
|
|
|
|
|
|
} |
467
|
|
|
|
|
|
|
} |
468
|
|
|
|
|
|
|
|
469
|
|
|
|
|
|
|
# pass data |
470
|
22
|
100
|
|
|
|
234
|
goto CHECK_DONE if ! @$rs; |
471
|
12
|
|
|
|
|
269
|
goto PASS_AND_RETURN; # wait for more data |
472
|
|
|
|
|
|
|
} |
473
|
|
|
|
|
|
|
} |
474
|
|
|
|
|
|
|
|
475
|
|
|
|
|
|
|
# no rule from ruleset matched, check for duplicates |
476
|
6
|
100
|
66
|
|
|
52
|
if ( $self->{matched} and my $dup = $self->{matched}[$dir] ) { |
477
|
5
|
|
|
|
|
17
|
my $r = $dup->{ md5($self->{matched_seed} . $data ) }; |
478
|
5
|
50
|
|
|
|
7
|
if ( defined $r ) { |
479
|
|
|
|
|
|
|
# matched again - pass data |
480
|
|
|
|
|
|
|
$pass_until = $self->{off_passed}[$dir] |
481
|
5
|
|
|
|
|
7
|
= $self->{off_buf}[$dir] += length($data); |
482
|
5
|
50
|
|
|
|
8
|
$DEBUG && debug("ignore DUP[$dir] for rule $r"); |
483
|
5
|
|
|
|
|
78
|
goto PASS_AND_RETURN; # wait for more data |
484
|
|
|
|
|
|
|
} |
485
|
|
|
|
|
|
|
} |
486
|
|
|
|
|
|
|
|
487
|
|
|
|
|
|
|
# no rule and no duplicates matched, must be bad data |
488
|
1
|
50
|
|
|
|
2
|
$DEBUG && debug("no matching rule for ${type}[$dir] - deny"); |
489
|
1
|
|
|
|
|
1
|
$self->{buf} = undef; |
490
|
1
|
|
|
|
|
5
|
$self->run_callback([ |
491
|
|
|
|
|
|
|
IMP_DENY, |
492
|
|
|
|
|
|
|
$dir, |
493
|
|
|
|
|
|
|
"rule#@$crs did not match" |
494
|
|
|
|
|
|
|
]); |
495
|
1
|
|
|
|
|
7
|
return; |
496
|
|
|
|
|
|
|
|
497
|
|
|
|
|
|
|
} else { |
498
|
|
|
|
|
|
|
# streaming data |
499
|
58
|
|
|
|
|
39
|
my $temp_fail; |
500
|
|
|
|
|
|
|
my $final_match; |
501
|
58
|
|
|
|
|
103
|
for( my $i=0;$i<@$crs;$i++ ) { |
502
|
|
|
|
|
|
|
my ($len,$removed) |
503
|
58
|
|
|
|
|
97
|
= $match->($rules->[$crs->[$i]],\$self->{buf}[$dir]); |
504
|
58
|
100
|
|
|
|
122
|
if ( ! defined $len ) { |
|
|
100
|
|
|
|
|
|
505
|
|
|
|
|
|
|
# will never match against rule |
506
|
2
|
|
|
|
|
5
|
next; |
507
|
|
|
|
|
|
|
} elsif ( ! $len ) { |
508
|
|
|
|
|
|
|
# note that it might match if buf gets longer but check other |
509
|
|
|
|
|
|
|
# rules in ruleset if they match better |
510
|
12
|
|
|
|
|
10
|
$temp_fail = 1; |
511
|
12
|
|
|
|
|
24
|
next; |
512
|
|
|
|
|
|
|
} |
513
|
|
|
|
|
|
|
|
514
|
44
|
100
|
66
|
|
|
121
|
if ( ! $removed and @$crs == 1 and @$rs == 1 ) { |
|
|
|
100
|
|
|
|
|
515
|
|
|
|
|
|
|
# last rule for dir - no need to extend preliminary matches |
516
|
|
|
|
|
|
|
# as long as max_unbound is not restrictive |
517
|
9
|
|
|
|
|
9
|
my $ma = $self->{factory_args}{max_unbound}; |
518
|
9
|
100
|
33
|
|
|
24
|
if ( ! defined( $ma && $ma->[$dir] )) { |
519
|
2
|
|
|
|
|
1
|
$removed = $len; |
520
|
2
|
|
|
|
|
4
|
substr($self->{buf}[$dir],0,$removed,''); |
521
|
|
|
|
|
|
|
} |
522
|
|
|
|
|
|
|
} |
523
|
|
|
|
|
|
|
|
524
|
|
|
|
|
|
|
# rule matched |
525
|
44
|
100
|
|
|
|
49
|
if ( ! $removed ) { |
526
|
|
|
|
|
|
|
# match might not be final, wait for more data but put rule |
527
|
|
|
|
|
|
|
# at the beginning of ruleset if it's not already there |
528
|
16
|
50
|
|
|
|
22
|
unshift @$crs,splice(@$crs,$i,1) if $i>0; |
529
|
|
|
|
|
|
|
|
530
|
|
|
|
|
|
|
# advance off_passed, but keep off_buf |
531
|
|
|
|
|
|
|
$pass_until = $self->{off_passed}[$dir] |
532
|
16
|
|
|
|
|
20
|
= $self->{off_buf}[$dir] + $len; |
533
|
|
|
|
|
|
|
|
534
|
|
|
|
|
|
|
# if this is was the last completely open rule we don't need |
535
|
|
|
|
|
|
|
# to check if the matched could be extended |
536
|
16
|
100
|
66
|
|
|
48
|
if (@$crs == 1 and @$rs == 1 ) { |
537
|
|
|
|
|
|
|
# last rule on this side |
538
|
7
|
100
|
|
|
|
10
|
my $ors = $self->{ruleset}[$dir?0:1]; |
539
|
7
|
100
|
66
|
|
|
34
|
if ( |
|
|
100
|
33
|
|
|
|
|
|
|
100
|
66
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
66
|
|
|
|
|
540
|
|
|
|
|
|
|
# other side has no rules |
541
|
|
|
|
|
|
|
! @$ors |
542
|
|
|
|
|
|
|
# other side has empty rule |
543
|
|
|
|
|
|
|
or @$ors == 1 and ! $ors->[0] |
544
|
|
|
|
|
|
|
# other side has single rule which matched already |
545
|
5
|
|
|
|
|
24
|
or @$ors == 1 and @{ $ors->[0] } == 1 and |
546
|
|
|
|
|
|
|
$self->{off_passed}[$dir?0:1] |
547
|
|
|
|
|
|
|
- $self->{off_buf}[$dir?0:1] > 0 ) { |
548
|
|
|
|
|
|
|
|
549
|
|
|
|
|
|
|
# we are done and there is no need to extend the match |
550
|
3
|
|
|
|
|
6
|
@$ors = @$rs = (); |
551
|
3
|
|
|
|
|
80
|
goto CHECK_DONE; |
552
|
|
|
|
|
|
|
} |
553
|
|
|
|
|
|
|
} |
554
|
|
|
|
|
|
|
|
555
|
|
|
|
|
|
|
} else { |
556
|
|
|
|
|
|
|
# final match of rule |
557
|
|
|
|
|
|
|
$pass_until = $self->{off_passed}[$dir] |
558
|
28
|
|
|
|
|
35
|
= $self->{off_buf}[$dir] += $len; |
559
|
28
|
100
|
|
|
|
38
|
if (@$crs>1) { |
560
|
|
|
|
|
|
|
# remove rule, keep rest in ruleset |
561
|
3
|
50
|
|
|
|
5
|
$DEBUG && debug( |
562
|
|
|
|
|
|
|
"full match rule $crs->[$i] - remove from ruleset"); |
563
|
3
|
|
|
|
|
3
|
splice(@$crs,$i,1); |
564
|
|
|
|
|
|
|
} else { |
565
|
|
|
|
|
|
|
# remove ruleset with last rule in it |
566
|
25
|
50
|
|
|
|
29
|
$DEBUG && debug( |
567
|
|
|
|
|
|
|
"full match rule $crs->[$i] - remove ruleset"); |
568
|
25
|
|
|
|
|
19
|
shift(@$rs); |
569
|
|
|
|
|
|
|
# switch to other dir if this dir is done for now |
570
|
25
|
100
|
66
|
|
|
47
|
if ( ! @$rs || ! $rs->[0] ) { |
571
|
23
|
100
|
|
|
|
31
|
my $ors = $self->{ruleset}[$dir ? 0:1]; |
572
|
23
|
100
|
100
|
|
|
59
|
shift @$ors if @$ors && ! $ors->[0]; |
573
|
23
|
50
|
66
|
|
|
392
|
goto CHECK_DONE if ! @$ors && ! @$rs; |
574
|
|
|
|
|
|
|
} |
575
|
|
|
|
|
|
|
} |
576
|
15
|
|
|
|
|
11
|
$final_match = 1; |
577
|
|
|
|
|
|
|
# no allow_dup for streaming |
578
|
|
|
|
|
|
|
} |
579
|
|
|
|
|
|
|
|
580
|
|
|
|
|
|
|
# pass data |
581
|
28
|
100
|
100
|
|
|
67
|
if ( $final_match and $self->{buf}[$dir] ne '' ) { |
582
|
|
|
|
|
|
|
# try to match more |
583
|
8
|
|
|
|
|
9
|
$data = $self->{buf}[$dir]; |
584
|
8
|
|
|
|
|
6
|
$self->{buf}[$dir] = ''; |
585
|
8
|
|
|
|
|
226
|
goto NEXT_RULE; |
586
|
|
|
|
|
|
|
} |
587
|
20
|
100
|
|
|
|
60
|
goto CHECK_DONE if ! @$rs; |
588
|
19
|
|
|
|
|
567
|
goto PASS_AND_RETURN; |
589
|
|
|
|
|
|
|
} |
590
|
|
|
|
|
|
|
|
591
|
14
|
100
|
|
|
|
18
|
if ( ! $temp_fail ) { |
592
|
|
|
|
|
|
|
# no rule and no duplicates matched, must be bad data |
593
|
2
|
50
|
|
|
|
3
|
$DEBUG && debug("no matching rule for ${type}[$dir] - deny"); |
594
|
2
|
|
|
|
|
2
|
$self->{buf} = undef; |
595
|
2
|
|
|
|
|
10
|
$self->run_callback([ |
596
|
|
|
|
|
|
|
IMP_DENY, |
597
|
|
|
|
|
|
|
$dir, |
598
|
|
|
|
|
|
|
"rule#@$crs did not match" |
599
|
|
|
|
|
|
|
]); |
600
|
|
|
|
|
|
|
} |
601
|
14
|
|
|
|
|
257
|
goto PASS_AND_RETURN; |
602
|
|
|
|
|
|
|
} |
603
|
|
|
|
|
|
|
|
604
|
28
|
50
|
|
|
|
44
|
CHECK_DONE: |
605
|
|
|
|
|
|
|
return if @$rs; # still unmatched rules |
606
|
|
|
|
|
|
|
|
607
|
|
|
|
|
|
|
# pass only current data |
608
|
28
|
100
|
|
|
|
16
|
goto PASS_AND_RETURN if @{$self->{ruleset}[ $dir ? 0:1 ] }; |
|
28
|
100
|
|
|
|
63
|
|
609
|
|
|
|
|
|
|
|
610
|
|
|
|
|
|
|
# rulesets for both dirs are done, pass all data |
611
|
26
|
50
|
|
|
|
32
|
$DEBUG && debug("all rules done - pass rest"); |
612
|
26
|
|
|
|
|
26
|
$self->{buf} = undef; |
613
|
26
|
|
|
|
|
72
|
my @rv = ( |
614
|
|
|
|
|
|
|
[ IMP_PASS,0,IMP_MAXOFFSET ], |
615
|
|
|
|
|
|
|
[ IMP_PASS,1,IMP_MAXOFFSET ] |
616
|
|
|
|
|
|
|
); |
617
|
26
|
|
|
|
|
30
|
for(0,1) { |
618
|
52
|
100
|
|
|
|
111
|
$self->{paused}[$_] or next; |
619
|
5
|
|
|
|
|
5
|
$self->{paused}[$_] = 0; |
620
|
5
|
|
|
|
|
9
|
unshift @rv, [ IMP_CONTINUE,$_ ]; |
621
|
|
|
|
|
|
|
} |
622
|
26
|
|
|
|
|
60
|
$self->run_callback(@rv); |
623
|
26
|
|
|
|
|
209
|
return; |
624
|
|
|
|
|
|
|
|
625
|
65
|
100
|
|
|
|
105
|
PASS_AND_RETURN: |
626
|
|
|
|
|
|
|
return if ! $pass_until; |
627
|
46
|
|
|
|
|
140
|
$self->run_callback([ IMP_PASS, $dir, $pass_until ]); |
628
|
46
|
|
|
|
|
320
|
return; |
629
|
|
|
|
|
|
|
} |
630
|
|
|
|
|
|
|
|
631
|
|
|
|
|
|
|
# cfg2str and str2cfg are redefined because our config hash is deeper |
632
|
|
|
|
|
|
|
# nested due to rules and max_unbound |
633
|
|
|
|
|
|
|
sub cfg2str { |
634
|
2
|
|
|
2
|
1
|
510
|
my Net::IMP::ProtocolPinning $self = shift; |
635
|
2
|
|
|
|
|
5
|
my %cfg = @_; |
636
|
|
|
|
|
|
|
|
637
|
2
|
50
|
|
|
|
5
|
my $rules = delete $cfg{rules} or croak("no rules defined"); |
638
|
|
|
|
|
|
|
# re-insert [[dir,rxlen,rx],... ] as dir0,rxlen0,rx0,dir1,... |
639
|
2
|
|
|
|
|
6
|
for (my $i=0;$i<@$rules;$i++) { |
640
|
3
|
|
|
|
|
3
|
@cfg{ "dir$i","rxlen$i","rx$i" } = @{ $rules->[$i] }{qw( dir rxlen rx)}; |
|
3
|
|
|
|
|
15
|
|
641
|
|
|
|
|
|
|
} |
642
|
2
|
50
|
|
|
|
5
|
if ( my $max_unbound = delete $cfg{max_unbound} ) { |
643
|
|
|
|
|
|
|
# re-insert [mo0,mo1] as max_unbound0,max_unbound1 |
644
|
2
|
|
|
|
|
4
|
@cfg{ 'max_unbound0', 'max_unbound1' } = @$max_unbound; |
645
|
|
|
|
|
|
|
} |
646
|
2
|
|
|
|
|
13
|
return $self->SUPER::cfg2str(%cfg); |
647
|
|
|
|
|
|
|
} |
648
|
|
|
|
|
|
|
|
649
|
|
|
|
|
|
|
sub str2cfg { |
650
|
6
|
|
|
6
|
1
|
1222
|
my Net::IMP::ProtocolPinning $self = shift; |
651
|
6
|
|
|
|
|
18
|
my %cfg = $self->SUPER::str2cfg(@_); |
652
|
6
|
|
|
|
|
12
|
my $rules = $cfg{rules} = []; |
653
|
6
|
|
|
|
|
8
|
for ( my $i=0;1;$i++ ) { |
654
|
15
|
100
|
|
|
|
36
|
defined( my $dir = delete $cfg{"dir$i"} ) or last; |
655
|
9
|
50
|
|
|
|
16
|
defined( my $rxlen = delete $cfg{"rxlen$i"} ) |
656
|
|
|
|
|
|
|
or croak("no rxlen$i defined but dir$i"); |
657
|
9
|
50
|
|
|
|
14
|
defined( my $rx = delete $cfg{"rx$i"} ) |
658
|
|
|
|
|
|
|
or croak("no rx$i defined but dir$i"); |
659
|
9
|
50
|
|
|
|
9
|
$rx = eval { qr/$rx/ } or croak("invalid regex rx$i"); |
|
9
|
|
|
|
|
84
|
|
660
|
9
|
|
|
|
|
23
|
push @$rules, { dir => $dir, rxlen => $rxlen, rx => $rx }; |
661
|
|
|
|
|
|
|
|
662
|
|
|
|
|
|
|
|
663
|
|
|
|
|
|
|
} |
664
|
6
|
50
|
|
|
|
11
|
@$rules or croak("no rules defined"); |
665
|
6
|
|
|
|
|
7
|
my $max_unbound = $cfg{max_unbound} = []; |
666
|
6
|
|
|
|
|
8
|
for (0,1) { |
667
|
|
|
|
|
|
|
$max_unbound->[$_] = delete $cfg{"max_unbound$_"} |
668
|
12
|
50
|
|
|
|
30
|
if exists $cfg{"max_unbound$_"}; |
669
|
|
|
|
|
|
|
} |
670
|
|
|
|
|
|
|
|
671
|
|
|
|
|
|
|
# sanity check |
672
|
6
|
|
|
|
|
14
|
my %scfg = %cfg; |
673
|
6
|
|
|
|
|
12
|
delete @scfg{qw(rules max_unbound ignore_order allow_dup allow_reorder)}; |
674
|
6
|
50
|
|
|
|
9
|
%scfg and croak("unhandled config keys: ".join(' ',sort keys %scfg)); |
675
|
|
|
|
|
|
|
|
676
|
6
|
|
|
|
|
21
|
return %cfg; |
677
|
|
|
|
|
|
|
} |
678
|
|
|
|
|
|
|
|
679
|
|
|
|
|
|
|
|
680
|
|
|
|
|
|
|
1; |
681
|
|
|
|
|
|
|
|
682
|
|
|
|
|
|
|
__END__ |