release: version 1.1.6 - Add local IP filtering and SLL support

Features: - Add local_ips configuration option for filtering traffic to local machine - Auto-detection of local IP addresses (excludes loopback 127.x.x.x, ::1) - Support interface 'any' for capturing on all network interfaces - Add Linux SLL (cooked capture) support for interface 'any' - Generate BPF filter with 'dst host' for local IP filtering - Add LinkType field to RawPacket for proper packet parsing Testing: - Add unit tests for local IP detection (detectLocalIPs, extractIP) - Add unit tests for SLL packet parsing (IPv4 and IPv6) - Update capture tests for new packetToRawPacket method Configuration: - Update config.yml.example with local_ips documentation - Update RPM spec to version 1.1.6 with changelog Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-03-04 11:02:53 +01:00
parent 96372e6181
commit 027730b360
8 changed files with 714 additions and 67 deletions
--- a/internal/capture/capture.go
+++ b/internal/capture/capture.go
@ -3,7 +3,9 @@ package capture

 import (
 	"fmt"
+	"net"
 	"regexp"
+	"strings"
 	"sync"

 	"github.com/google/gopacket"
@ -29,11 +31,13 @@ var validBPFPattern = regexp.MustCompile(`^[a-zA-Z0-9\s\(\)\-\_\.\*\+\?\:\=\!\&\

 // CaptureImpl implements the capture.Capture interface for packet capture
 type CaptureImpl struct {
-	handle   *pcap.Handle
-	mu       sync.Mutex
-	snapLen  int
-	promisc  bool
-	isClosed bool
+	handle      *pcap.Handle
+	mu          sync.Mutex
+	snapLen     int
+	promisc     bool
+	isClosed    bool
+	localIPs    []string // Local IPs to filter (dst host)
+	linkType    int      // Link type from pcap handle
 }

 // New creates a new capture instance
@ -68,11 +72,14 @@ func (c *CaptureImpl) Run(cfg api.Config, out chan<- api.RawPacket) error {
 		return fmt.Errorf("failed to list network interfaces: %w", err)
 	}

-	interfaceFound := false
-	for _, iface := range ifaces {
-		if iface.Name == cfg.Interface {
-			interfaceFound = true
-			break
+	// Special handling for "any" interface
+	interfaceFound := cfg.Interface == "any"
+	if !interfaceFound {
+		for _, iface := range ifaces {
+			if iface.Name == cfg.Interface {
+				interfaceFound = true
+				break
+			}
 		}
 	}
 	if !interfaceFound {
@ -86,6 +93,7 @@ func (c *CaptureImpl) Run(cfg api.Config, out chan<- api.RawPacket) error {

 	c.mu.Lock()
 	c.handle = handle
+	c.linkType = int(handle.LinkType())
 	c.mu.Unlock()

 	defer func() {
@ -97,10 +105,23 @@ func (c *CaptureImpl) Run(cfg api.Config, out chan<- api.RawPacket) error {
 		c.mu.Unlock()
 	}()

+	// Resolve local IPs for filtering (if not manually specified)
+	localIPs := cfg.LocalIPs
+	if len(localIPs) == 0 {
+		localIPs, err = c.detectLocalIPs(cfg.Interface)
+		if err != nil {
+			return fmt.Errorf("failed to detect local IPs: %w", err)
+		}
+		if len(localIPs) == 0 {
+			return fmt.Errorf("no local IPs found on interface %s", cfg.Interface)
+		}
+	}
+	c.localIPs = localIPs
+
 	// Build and apply BPF filter
 	bpfFilter := cfg.BPFFilter
 	if bpfFilter == "" {
-		bpfFilter = buildBPFForPorts(cfg.ListenPorts)
+		bpfFilter = c.buildBPFFilter(cfg.ListenPorts, localIPs)
 	}

 	// Validate BPF filter before applying
@ -117,7 +138,7 @@ func (c *CaptureImpl) Run(cfg api.Config, out chan<- api.RawPacket) error {

 	for packet := range packetSource.Packets() {
 		// Convert packet to RawPacket
-		rawPkt := packetToRawPacket(packet)
+		rawPkt := c.packetToRawPacket(packet)
 		if rawPkt != nil {
 			select {
 			case out <- *rawPkt:
@ -174,20 +195,116 @@ func getInterfaceNames(ifaces []pcap.Interface) []string {
 	return names
 }

-// buildBPFForPorts builds a BPF filter for the specified TCP ports
-func buildBPFForPorts(ports []uint16) string {
+// detectLocalIPs detects local IP addresses on the specified interface
+// Excludes loopback addresses (127.0.0.0/8, ::1)
+func (c *CaptureImpl) detectLocalIPs(interfaceName string) ([]string, error) {
+	var localIPs []string
+
+	// Special case: "any" interface - get all non-loopback IPs
+	if interfaceName == "any" {
+		ifaces, err := net.Interfaces()
+		if err != nil {
+			return nil, fmt.Errorf("failed to list interfaces: %w", err)
+		}
+
+		for _, iface := range ifaces {
+			// Skip loopback interfaces
+			if iface.Flags&net.FlagLoopback != 0 {
+				continue
+			}
+
+			addrs, err := iface.Addrs()
+			if err != nil {
+				continue // Skip this interface, try others
+			}
+
+			for _, addr := range addrs {
+				ip := extractIP(addr)
+				if ip != nil && !ip.IsLoopback() {
+					localIPs = append(localIPs, ip.String())
+				}
+			}
+		}
+
+		return localIPs, nil
+	}
+
+	// Specific interface - get IPs from that interface only
+	iface, err := net.InterfaceByName(interfaceName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get interface %s: %w", interfaceName, err)
+	}
+
+	addrs, err := iface.Addrs()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get addresses for %s: %w", interfaceName, err)
+	}
+
+	for _, addr := range addrs {
+		ip := extractIP(addr)
+		if ip != nil && !ip.IsLoopback() {
+			localIPs = append(localIPs, ip.String())
+		}
+	}
+
+	return localIPs, nil
+}
+
+// extractIP extracts the IP address from a net.Addr
+func extractIP(addr net.Addr) net.IP {
+	switch v := addr.(type) {
+	case *net.IPNet:
+		ip := v.IP
+		// Return IPv4 as 4-byte, IPv6 as 16-byte
+		if ip4 := ip.To4(); ip4 != nil {
+			return ip4
+		}
+		return ip
+	case *net.IPAddr:
+		ip := v.IP
+		if ip4 := ip.To4(); ip4 != nil {
+			return ip4
+		}
+		return ip
+	}
+	return nil
+}
+
+// buildBPFFilter builds a BPF filter for the specified ports and local IPs
+// Filter: (tcp port 443 or tcp port 8443) and (dst host 192.168.1.10 or dst host 10.0.0.5)
+func (c *CaptureImpl) buildBPFFilter(ports []uint16, localIPs []string) string {
 	if len(ports) == 0 {
 		return "tcp"
 	}

-	filterParts := make([]string, len(ports))
+	// Build port filter
+	portParts := make([]string, len(ports))
 	for i, port := range ports {
-		filterParts[i] = fmt.Sprintf("tcp port %d", port)
+		portParts[i] = fmt.Sprintf("tcp port %d", port)
 	}
-	return "(" + joinString(filterParts, ") or (") + ")"
+	portFilter := "(" + strings.Join(portParts, ") or (") + ")"
+
+	// Build destination host filter
+	if len(localIPs) == 0 {
+		return portFilter
+	}
+
+	hostParts := make([]string, len(localIPs))
+	for i, ip := range localIPs {
+		// Handle IPv6 addresses
+		if strings.Contains(ip, ":") {
+			hostParts[i] = fmt.Sprintf("dst host %s", ip)
+		} else {
+			hostParts[i] = fmt.Sprintf("dst host %s", ip)
+		}
+	}
+	hostFilter := "(" + strings.Join(hostParts, ") or (") + ")"
+
+	// Combine port and host filters
+	return portFilter + " and " + hostFilter
 }

-// joinString joins strings with a separator
+// joinString joins strings with a separator (kept for backward compatibility)
 func joinString(parts []string, sep string) string {
 	if len(parts) == 0 {
 		return ""
@ -200,8 +317,21 @@ func joinString(parts []string, sep string) string {
 }

 // packetToRawPacket converts a gopacket packet to RawPacket
-func packetToRawPacket(packet gopacket.Packet) *api.RawPacket {
-	data := packet.Data()
+// Uses the raw packet bytes from the link layer
+func (c *CaptureImpl) packetToRawPacket(packet gopacket.Packet) *api.RawPacket {
+	// Try to get link layer contents + payload for full packet
+	var data []byte
+	
+	linkLayer := packet.LinkLayer()
+	if linkLayer != nil {
+		// Combine link layer contents with payload to get full packet
+		data = append(data, linkLayer.LayerContents()...)
+		data = append(data, linkLayer.LayerPayload()...)
+	} else {
+		// Fallback to packet.Data()
+		data = packet.Data()
+	}
+	
 	if len(data) == 0 {
 		return nil
 	}
@ -209,6 +339,7 @@ func packetToRawPacket(packet gopacket.Packet) *api.RawPacket {
 	return &api.RawPacket{
 		Data:      data,
 		Timestamp: packet.Metadata().Timestamp.UnixNano(),
+		LinkType:  c.linkType,
 	}
 }

--- a/internal/capture/capture_test.go
+++ b/internal/capture/capture_test.go
@ -1,6 +1,8 @@
 package capture

 import (
+	"net"
+	"strings"
 	"testing"
 	"time"

@ -128,7 +130,10 @@ func TestPacketToRawPacket(t *testing.T) {
 		gopacket.SerializeLayers(buf, opts, &eth, &ip, &tcp)

 		packet := gopacket.NewPacket(buf.Bytes(), layers.LinkTypeEthernet, gopacket.Default)
-		rawPkt := packetToRawPacket(packet)
+		
+		// Create capture instance for method call
+		c := New()
+		rawPkt := c.packetToRawPacket(packet)

 		if rawPkt == nil {
 			t.Fatal("packetToRawPacket() returned nil for valid packet")
@ -144,7 +149,9 @@ func TestPacketToRawPacket(t *testing.T) {
 	t.Run("empty_packet", func(t *testing.T) {
 		// Create packet with no data
 		packet := gopacket.NewPacket([]byte{}, layers.LinkTypeEthernet, gopacket.Default)
-		rawPkt := packetToRawPacket(packet)
+		
+		c := New()
+		rawPkt := c.packetToRawPacket(packet)

 		if rawPkt != nil {
 			t.Error("packetToRawPacket() should return nil for empty packet")
@ -159,8 +166,9 @@ func TestPacketToRawPacket(t *testing.T) {
 				t.Error("packetToRawPacket() with nil packet should panic")
 			}
 		}()
+		c := New()
 		var packet gopacket.Packet
-		_ = packetToRawPacket(packet)
+		_ = c.packetToRawPacket(packet)
 	})
 }

@ -269,39 +277,6 @@ func TestValidateBPFFilter(t *testing.T) {
 	}
 }

-func TestBuildBPFForPorts(t *testing.T) {
-	tests := []struct {
-		name  string
-		ports []uint16
-		want  string
-	}{
-		{
-			name:  "no ports",
-			ports: []uint16{},
-			want:  "tcp",
-		},
-		{
-			name:  "single port",
-			ports: []uint16{443},
-			want:  "(tcp port 443)",
-		},
-		{
-			name:  "multiple ports",
-			ports: []uint16{443, 8443, 9443},
-			want:  "(tcp port 443) or (tcp port 8443) or (tcp port 9443)",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := buildBPFForPorts(tt.ports)
-			if got != tt.want {
-				t.Errorf("buildBPFForPorts() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 func TestJoinString(t *testing.T) {
 	tests := []struct {
 		name  string
@ -428,3 +403,209 @@ func TestValidateBPFFilter_BalancedParentheses(t *testing.T) {
 		})
 	}
 }
+
+func TestCaptureImpl_detectLocalIPs(t *testing.T) {
+	c := New()
+	if c == nil {
+		t.Fatal("New() returned nil")
+	}
+
+	t.Run("any_interface", func(t *testing.T) {
+		ips, err := c.detectLocalIPs("any")
+		if err != nil {
+			t.Errorf("detectLocalIPs(any) error = %v", err)
+		}
+		// Should return at least one non-loopback IP or empty if none available
+		for _, ip := range ips {
+			if ip == "127.0.0.1" || ip == "::1" {
+				t.Errorf("detectLocalIPs(any) should exclude loopback, got %s", ip)
+			}
+		}
+	})
+
+	t.Run("loopback_excluded", func(t *testing.T) {
+		ips, err := c.detectLocalIPs("any")
+		if err != nil {
+			t.Skipf("Skipping loopback test: %v", err)
+		}
+		// Verify no loopback addresses are included
+		for _, ip := range ips {
+			if ip == "127.0.0.1" {
+				t.Error("detectLocalIPs should exclude 127.0.0.1")
+			}
+		}
+	})
+}
+
+func TestCaptureImpl_detectLocalIPs_SpecificInterface(t *testing.T) {
+	c := New()
+	if c == nil {
+		t.Fatal("New() returned nil")
+	}
+
+	// Test with a non-existent interface
+	_, err := c.detectLocalIPs("nonexistent_interface_xyz")
+	if err == nil {
+		t.Error("detectLocalIPs with non-existent interface should return error")
+	}
+}
+
+func TestCaptureImpl_extractIP(t *testing.T) {
+	tests := []struct {
+		name     string
+		addr     net.Addr
+		wantIPv4 bool
+		wantIPv6 bool
+	}{
+		{
+			name: "IPv4",
+			addr: &net.IPNet{
+				IP:   net.ParseIP("192.168.1.10"),
+				Mask: net.CIDRMask(24, 32),
+			},
+			wantIPv4: true,
+		},
+		{
+			name: "IPv6",
+			addr: &net.IPNet{
+				IP:   net.ParseIP("2001:db8::1"),
+				Mask: net.CIDRMask(64, 128),
+			},
+			wantIPv6: true,
+		},
+		{
+			name:     "nil",
+			addr:     nil,
+			wantIPv4: false,
+			wantIPv6: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := extractIP(tt.addr)
+			if tt.wantIPv4 {
+				if got == nil || got.To4() == nil {
+					t.Error("extractIP() should return IPv4 address")
+				}
+			}
+			if tt.wantIPv6 {
+				if got == nil || got.To4() != nil {
+					t.Error("extractIP() should return IPv6 address")
+				}
+			}
+			if !tt.wantIPv4 && !tt.wantIPv6 {
+				if got != nil {
+					t.Error("extractIP() should return nil for nil address")
+				}
+			}
+		})
+	}
+}
+
+func TestCaptureImpl_buildBPFFilter(t *testing.T) {
+	c := New()
+	if c == nil {
+		t.Fatal("New() returned nil")
+	}
+
+	tests := []struct {
+		name      string
+		ports     []uint16
+		localIPs  []string
+		wantParts []string // Parts that should be in the filter
+	}{
+		{
+			name:      "no ports",
+			ports:     []uint16{},
+			localIPs:  []string{},
+			wantParts: []string{"tcp"},
+		},
+		{
+			name:      "single port no IPs",
+			ports:     []uint16{443},
+			localIPs:  []string{},
+			wantParts: []string{"tcp port 443"},
+		},
+		{
+			name:      "single port with single IP",
+			ports:     []uint16{443},
+			localIPs:  []string{"192.168.1.10"},
+			wantParts: []string{"tcp port 443", "dst host 192.168.1.10"},
+		},
+		{
+			name:      "multiple ports with multiple IPs",
+			ports:     []uint16{443, 8443},
+			localIPs:  []string{"192.168.1.10", "10.0.0.5"},
+			wantParts: []string{"tcp port 443", "tcp port 8443", "dst host 192.168.1.10", "dst host 10.0.0.5"},
+		},
+		{
+			name:      "IPv6 address",
+			ports:     []uint16{443},
+			localIPs:  []string{"2001:db8::1"},
+			wantParts: []string{"tcp port 443", "dst host 2001:db8::1"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := c.buildBPFFilter(tt.ports, tt.localIPs)
+			for _, part := range tt.wantParts {
+				if !strings.Contains(got, part) {
+					t.Errorf("buildBPFFilter() = %q, should contain %q", got, part)
+				}
+			}
+		})
+	}
+}
+
+func TestCaptureImpl_Run_AnyInterface(t *testing.T) {
+	c := New()
+	if c == nil {
+		t.Fatal("New() returned nil")
+	}
+
+	// Test that "any" interface is accepted (validation only, won't actually run)
+	cfg := api.Config{
+		Interface:   "any",
+		ListenPorts: []uint16{443},
+		LocalIPs:    []string{"192.168.1.10"}, // Provide manual IPs to avoid detection
+	}
+
+	// We can't actually run capture without root permissions, but we can test validation
+	// This test will fail at the pcap.OpenLive stage without root, which is expected
+	out := make(chan api.RawPacket, 10)
+	err := c.Run(cfg, out)
+	
+	// If we get "operation not permitted" or similar, that's expected without root
+	// If we get "interface not found", that's a bug
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			t.Errorf("Run() with 'any' interface should be valid, got: %v", err)
+		}
+		// Permission errors are expected in non-root environments
+		t.Logf("Run() error (expected without root): %v", err)
+	}
+}
+
+func TestCaptureImpl_Run_WithManualLocalIPs(t *testing.T) {
+	c := New()
+	if c == nil {
+		t.Fatal("New() returned nil")
+	}
+
+	// Test with manually specified local IPs
+	cfg := api.Config{
+		Interface:   "any",
+		ListenPorts: []uint16{443},
+		LocalIPs:    []string{"192.168.1.10", "10.0.0.5"},
+	}
+
+	out := make(chan api.RawPacket, 10)
+	err := c.Run(cfg, out)
+	
+	// Same as above - permission errors are expected
+	if err != nil && strings.Contains(err.Error(), "not found") {
+		t.Errorf("Run() with manual LocalIPs should be valid, got: %v", err)
+	}
+}