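/* packet-falco-bridge.h
 *
 * Shared declarations for the Falco bridge dissector: plugin API version,
 * scap-style return codes, proto_data keys, per-field flags and the state
 * structs the bridge keeps per registered event source.
 *
 * By Loris Degioanni
 * Copyright (C) 2021 Sysdig, Inc.
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */

#ifndef __PACKET_FALCO_BRIDGE_H__
#define __PACKET_FALCO_BRIDGE_H__

/* uint32_t is used by the live structs below; include it here so the header
 * is self-contained regardless of include order in the .c file. */
#include <stdint.h>

/* NOTE(review): hf_register_info (Wireshark, epan/proto.h) and
 * sinsp_source_info_t (libsinsp) are referenced below but not declared here;
 * the including translation unit is expected to provide them. */

/*
 * API versions of this plugin engine
 */
#define PLUGIN_API_VERSION_MAJOR 0
#define PLUGIN_API_VERSION_MINOR 2
#define PLUGIN_API_VERSION_PATCH 0

/*
 * Return types
 *
 * Caveat for callers: these are not uniformly signed. SCAP_TIMEOUT is
 * negative while every other failure code is positive, so a test such as
 * `rc < 0` misses most errors. Compare against SCAP_SUCCESS explicitly
 * (`if (rc != SCAP_SUCCESS)`) and treat SCAP_TIMEOUT as its own case.
 */
#define SCAP_SUCCESS 0
#define SCAP_FAILURE 1
#define SCAP_TIMEOUT (-1)
#define SCAP_ILLEGAL_INPUT 3
#define SCAP_NOTFOUND 4
#define SCAP_INPUT_TOO_SMALL 5
#define SCAP_EOF 6
#define SCAP_UNEXPECTED_BLOCK 7
#define SCAP_VERSION_MISMATCH 8
#define SCAP_NOT_SUPPORTED 9

/*
 * proto_data keys.
 *
 * PROTO_DATA_CONVINFO_USER_0..15 are sixteen consecutive slots starting at
 * PROTO_DATA_CONVINFO_USER_BASE. Code that derives a key as
 * `PROTO_DATA_CONVINFO_USER_BASE + i` must check `i < PROTO_DATA_CONVINFO_USER_COUNT`
 * first; keys outside that range are not reserved here.
 */
#define PROTO_DATA_BRIDGE_HANDLE 0x00
#define PROTO_DATA_CONVINFO_USER_0 10000
#define PROTO_DATA_CONVINFO_USER_1 10001
#define PROTO_DATA_CONVINFO_USER_2 10002
#define PROTO_DATA_CONVINFO_USER_3 10003
#define PROTO_DATA_CONVINFO_USER_4 10004
#define PROTO_DATA_CONVINFO_USER_5 10005
#define PROTO_DATA_CONVINFO_USER_6 10006
#define PROTO_DATA_CONVINFO_USER_7 10007
#define PROTO_DATA_CONVINFO_USER_8 10008
#define PROTO_DATA_CONVINFO_USER_9 10009
#define PROTO_DATA_CONVINFO_USER_10 10010
#define PROTO_DATA_CONVINFO_USER_11 10011
#define PROTO_DATA_CONVINFO_USER_12 10012
#define PROTO_DATA_CONVINFO_USER_13 10013
#define PROTO_DATA_CONVINFO_USER_14 10014
#define PROTO_DATA_CONVINFO_USER_15 10015
#define PROTO_DATA_CONVINFO_USER_BASE PROTO_DATA_CONVINFO_USER_0
/* Number of PROTO_DATA_CONVINFO_USER_* slots defined above. */
#define PROTO_DATA_CONVINFO_USER_COUNT 16

//#define PLG_PARAM_TYPE_UINT64 8
//#define PLG_PARAM_TYPE_CHARBUF 9
//#define FLD_FLAG_USE_IN_INFO 1
//#define FLD_FLAG_USE_IN_CONVERSATIONS (1 << 1)

/*
 * The two `#if 0` regions below are compiled out. They appear to be kept as a
 * reference copy of an earlier plugin ABI (ss_plugin_*); nothing in the live
 * declarations of this header depends on them.
 */
#if 0
/*
 * Plugin types
 */
typedef enum ss_plugin_type
{
    TYPE_SOURCE_PLUGIN = 1,
    TYPE_EXTRACTOR_PLUGIN = 2
} ss_plugin_type;

typedef enum async_extractor_lock_state
{
    LS_INIT = 0,
    LS_INPUT_READY = 1,
    LS_PROCESSING = 2,
    LS_DONE = 3,
    LS_SHUTDOWN_REQ = 4,
    LS_SHUTDOWN_DONE = 5,
} async_extractor_lock_state;

typedef gboolean (*cb_wait_t)(void* wait_ctx);

/*
 * This is the opaque pointer to the state of a source plugin.
 * It points to any data that might be needed plugin-wise. It is
 * allocated by init() and must be destroyed by destroy().
 * It is defined as void because the engine doesn't care what it is
 * and it treats is as opaque.
 */
typedef void ss_plugin_t;

/*
 * This is the opaque pointer to the state of an open instance of the source
 * plugin.
 * It points to any data that is needed while a capture is running. It is
 * allocated by open() and must be destroyed by close().
 * It is defined as void because the engine doesn't care what it is
 * and it treats is as opaque.
 */
typedef void ss_instance_t;
#endif

// This struct represents an event returned by the plugin, and is used
// below in next()/next_batch().
// - evtnum: incremented for each event returned. Might not be contiguous.
// - data: pointer to a memory buffer pointer. The plugin will set it
//   to point to the memory containing the next event. Once returned,
//   the memory is owned by the plugin framework and will be freed via
//   a call to free().
// - datalen: pointer to a 32bit integer. The plugin will set it the size of the
//   buffer pointed by data.
// - ts: the event timestamp. Can be (uint64_t)-1, in which case the engine will
//   automatically fill the event time with the current time.
//typedef struct ss_plugin_event
//{
//    uint64_t evtnum;
//    uint8_t *data;
//    uint32_t datalen;
//    uint64_t ts;
//} ss_plugin_event;

#if 0
// Used in extract_fields functions below to receive a field/arg
// pair and return an extracted value.
// field: the field name.
// arg: the field argument, if an argument has been specified
//      for the field, otherwise it's NULL.
//      For example:
//      * if the field specified by the user is foo.bar[pippo], arg will be the
//        string "pippo"
//      * if the field specified by the user is foo.bar, arg will be NULL
// ftype: the type of the field. Could be derived from the field name alone,
//        but including here can prevent a second lookup of field names.
// The following should be filled in by the extraction function:
// - field_present: set to true if the event has a meaningful
//   extracted value for the provided field, false otherwise
// - res_str: if the corresponding field was type==string, this should be
//   filled in with the string value. The string should be allocated by
//   the plugin using malloc() and will be free()d by the plugin framework.
// - res_u64: if the corresponding field was type==uint64, this should be
//   filled in with the uint64 value.
typedef struct ss_plugin_extract_field
{
    uint32_t field_id;
    const char *field;
    const char *arg;
    uint32_t ftype;
    bool field_present;
    char *res_str;
    uint64_t res_u64;
} ss_plugin_extract_field;

typedef struct async_extractor_info
{
    // Pointer as this allows swapping out events from other
    // structs.
    const ss_plugin_event *evt;
    ss_plugin_extract_field *field;
    gint32 rc;
    cb_wait_t cb_wait;
    void* wait_ctx;
} async_extractor_info;

/*
 * Interface of a sinsp/scap plugin
 */
typedef struct
{
    ss_plugin_t* (*init)(char* config, gint32* rc);
    void (*destroy)(ss_plugin_t* s);
    char* (*get_last_error)(ss_plugin_t* s);
    guint64 (*get_type)(void);
    guint64 (*get_id)(void);
    char* (*get_name)(void);
    char* (*get_filter_name)(void);
    char* (*get_description)(void);
    char* (*get_required_api_version)(void);
    char* (*get_fields)(void);
    ss_instance_t* (*open)(ss_plugin_t* s, char* params, gint32* rc);
    void (*close)(ss_plugin_t* s, ss_instance_t* h);
    gint32 (*next)(ss_plugin_t* s, ss_instance_t* h, ss_plugin_event **evt);
    char* (*get_progress)(ss_plugin_t* s, ss_instance_t* h, guint64* progress_pct);
    char *(*event_to_string)(ss_plugin_t *s, guint8 *data, guint64 datalen);
    int32_t (*extract_fields)(ss_plugin_t *s, const ss_plugin_event *evt, uint32_t num_fields, ss_plugin_extract_field *fields);
    gint32 (*next_batch)(ss_plugin_t* s, ss_instance_t* h, uint32_t *nevts, ss_plugin_event **evts);
    gint32 (*register_async_extractor)(ss_plugin_t *s, async_extractor_info *info);

    //
    // The following members are PRIVATE for the engine and should not be touched.
    //
    ss_plugin_t* state;
    ss_instance_t* handle;
    guint32 id;
    char* name;
    async_extractor_info async_extractor_info;
    gboolean is_async_extractor_configured;
    gboolean is_async_extractor_present;
    volatile int lock;
} ss_plugin_info;
#endif

/*
 * Per-field flags. These are single-bit values meant to be OR-ed together
 * (they occupy distinct bits 1..3; bit 0 is intentionally unassigned).
 * BFF_HIDDEN is declared but, per its own comment, not used.
 */
typedef enum bridge_field_flags_e {
    BFF_NONE = 0,
    BFF_HIDDEN = 1 << 1, // Unused
    BFF_INFO = 1 << 2,
    BFF_CONVERSATION = 1 << 3
} bridge_field_flags_e;

/*
 * State the bridge keeps for one registered event source.
 *
 * hf, hf_ids, field_flags and field_ids look like parallel per-field arrays
 * (one entry per field of the source) and field_flags like a bitmask of
 * bridge_field_flags_e per field; the arrays carry no length of their own, so
 * whichever code allocates them must also be the code that bounds iteration
 * over them. TODO(review): confirm the array lengths against packet-falco-bridge.c.
 */
typedef struct bridge_info {
    // ss_plugin_info si;
    sinsp_source_info_t *ssi;   /* libsinsp source-plugin handle */
    uint32_t source_id;         /* identifier of this event source */
    int proto;                  /* presumably the registered Wireshark protocol handle */
    hf_register_info* hf;       /* header-field registrations for this source's fields */
    int* hf_ids;                /* header-field ids matching hf */
    uint32_t visible_fields;    /* count of fields exposed to the dissector */
    uint32_t* field_flags;      /* per-field bridge_field_flags_e bitmask */
    int* field_ids;             /* per-field ids (semantics defined by the .c file) */
} bridge_info;

/* Size of conv_fld_info.field_val, including the terminating NUL. */
#define CONV_FLD_VAL_LEN 4096

/*
 * A conversation field captured from an event: which protocol/field it
 * belongs to plus its value rendered into a fixed-size buffer.
 *
 * Security note: field_val is a fixed CONV_FLD_VAL_LEN-byte buffer and the
 * value written into it comes from event data. Any writer must bound its copy
 * to sizeof(field_val) and NUL-terminate (e.g. snprintf/g_strlcpy), truncating
 * values of CONV_FLD_VAL_LEN-1 bytes or more rather than overrunning.
 */
typedef struct conv_fld_info {
    const char* proto_name;
    hf_register_info* field_info;
    char field_val[CONV_FLD_VAL_LEN];
} conv_fld_info;

#endif // __PACKET_FALCO_BRIDGE_H__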