release: version 1.1.6 - Add local IP filtering and SLL support

Features:
- Add local_ips configuration option for filtering traffic to local machine
- Auto-detection of local IP addresses (excludes loopback 127.x.x.x, ::1)
- Support interface 'any' for capturing on all network interfaces
- Add Linux SLL (cooked capture) support for interface 'any'
- Generate BPF filter with 'dst host' for local IP filtering
- Add LinkType field to RawPacket for proper packet parsing

Testing:
- Add unit tests for local IP detection (detectLocalIPs, extractIP)
- Add unit tests for SLL packet parsing (IPv4 and IPv6)
- Update capture tests for new packetToRawPacket method

Configuration:
- Update config.yml.example with local_ips documentation
- Update RPM spec to version 1.1.6 with changelog

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

internal/capture/capture.go

@@ -3,7 +3,9 @@ package capture
 
 import (
 	"fmt"
+	"net"
 	"regexp"
+	"strings"
 	"sync"
 
 	"github.com/google/gopacket"
@@ -29,11 +31,13 @@ var validBPFPattern = regexp.MustCompile(`^[a-zA-Z0-9\s\(\)\-\_\.\*\+\?\:\=\!\&\
 
 // CaptureImpl implements the capture.Capture interface for packet capture
 type CaptureImpl struct {
-	handle   *pcap.Handle
-	mu       sync.Mutex
-	snapLen  int
-	promisc  bool
-	isClosed bool
+	handle      *pcap.Handle
+	mu          sync.Mutex
+	snapLen     int
+	promisc     bool
+	isClosed    bool
+	localIPs    []string // Local IPs to filter (dst host)
+	linkType    int      // Link type from pcap handle
 }
 
 // New creates a new capture instance
@@ -68,11 +72,14 @@ func (c *CaptureImpl) Run(cfg api.Config, out chan<- api.RawPacket) error {
 		return fmt.Errorf("failed to list network interfaces: %w", err)
 	}
 
-	interfaceFound := false
-	for _, iface := range ifaces {
-		if iface.Name == cfg.Interface {
-			interfaceFound = true
-			break
+	// Special handling for "any" interface
+	interfaceFound := cfg.Interface == "any"
+	if !interfaceFound {
+		for _, iface := range ifaces {
+			if iface.Name == cfg.Interface {
+				interfaceFound = true
+				break
+			}
 		}
 	}
 	if !interfaceFound {
@@ -86,6 +93,7 @@ func (c *CaptureImpl) Run(cfg api.Config, out chan<- api.RawPacket) error {
 
 	c.mu.Lock()
 	c.handle = handle
+	c.linkType = int(handle.LinkType())
 	c.mu.Unlock()
 
 	defer func() {
@@ -97,10 +105,23 @@ func (c *CaptureImpl) Run(cfg api.Config, out chan<- api.RawPacket) error {
 		c.mu.Unlock()
 	}()
 
+	// Resolve local IPs for filtering (if not manually specified)
+	localIPs := cfg.LocalIPs
+	if len(localIPs) == 0 {
+		localIPs, err = c.detectLocalIPs(cfg.Interface)
+		if err != nil {
+			return fmt.Errorf("failed to detect local IPs: %w", err)
+		}
+		if len(localIPs) == 0 {
+			return fmt.Errorf("no local IPs found on interface %s", cfg.Interface)
+		}
+	}
+	c.localIPs = localIPs
+
 	// Build and apply BPF filter
 	bpfFilter := cfg.BPFFilter
 	if bpfFilter == "" {
-		bpfFilter = buildBPFForPorts(cfg.ListenPorts)
+		bpfFilter = c.buildBPFFilter(cfg.ListenPorts, localIPs)
 	}
 
 	// Validate BPF filter before applying
@@ -117,7 +138,7 @@ func (c *CaptureImpl) Run(cfg api.Config, out chan<- api.RawPacket) error {
 
 	for packet := range packetSource.Packets() {
 		// Convert packet to RawPacket
-		rawPkt := packetToRawPacket(packet)
+		rawPkt := c.packetToRawPacket(packet)
 		if rawPkt != nil {
 			select {
 			case out <- *rawPkt:
@@ -174,20 +195,116 @@ func getInterfaceNames(ifaces []pcap.Interface) []string {
 	return names
 }
 
-// buildBPFForPorts builds a BPF filter for the specified TCP ports
-func buildBPFForPorts(ports []uint16) string {
+// detectLocalIPs detects local IP addresses on the specified interface
+// Excludes loopback addresses (127.0.0.0/8, ::1)
+func (c *CaptureImpl) detectLocalIPs(interfaceName string) ([]string, error) {
+	var localIPs []string
+
+	// Special case: "any" interface - get all non-loopback IPs
+	if interfaceName == "any" {
+		ifaces, err := net.Interfaces()
+		if err != nil {
+			return nil, fmt.Errorf("failed to list interfaces: %w", err)
+		}
+
+		for _, iface := range ifaces {
+			// Skip loopback interfaces
+			if iface.Flags&net.FlagLoopback != 0 {
+				continue
+			}
+
+			addrs, err := iface.Addrs()
+			if err != nil {
+				continue // Skip this interface, try others
+			}
+
+			for _, addr := range addrs {
+				ip := extractIP(addr)
+				if ip != nil && !ip.IsLoopback() {
+					localIPs = append(localIPs, ip.String())
+				}
+			}
+		}
+
+		return localIPs, nil
+	}
+
+	// Specific interface - get IPs from that interface only
+	iface, err := net.InterfaceByName(interfaceName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get interface %s: %w", interfaceName, err)
+	}
+
+	addrs, err := iface.Addrs()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get addresses for %s: %w", interfaceName, err)
+	}
+
+	for _, addr := range addrs {
+		ip := extractIP(addr)
+		if ip != nil && !ip.IsLoopback() {
+			localIPs = append(localIPs, ip.String())
+		}
+	}
+
+	return localIPs, nil
+}
+
+// extractIP extracts the IP address from a net.Addr
+func extractIP(addr net.Addr) net.IP {
+	switch v := addr.(type) {
+	case *net.IPNet:
+		ip := v.IP
+		// Return IPv4 as 4-byte, IPv6 as 16-byte
+		if ip4 := ip.To4(); ip4 != nil {
+			return ip4
+		}
+		return ip
+	case *net.IPAddr:
+		ip := v.IP
+		if ip4 := ip.To4(); ip4 != nil {
+			return ip4
+		}
+		return ip
+	}
+	return nil
+}
+
+// buildBPFFilter builds a BPF filter for the specified ports and local IPs
+// Filter: (tcp port 443 or tcp port 8443) and (dst host 192.168.1.10 or dst host 10.0.0.5)
+func (c *CaptureImpl) buildBPFFilter(ports []uint16, localIPs []string) string {
 	if len(ports) == 0 {
 		return "tcp"
 	}
 
-	filterParts := make([]string, len(ports))
+	// Build port filter
+	portParts := make([]string, len(ports))
 	for i, port := range ports {
-		filterParts[i] = fmt.Sprintf("tcp port %d", port)
+		portParts[i] = fmt.Sprintf("tcp port %d", port)
 	}
-	return "(" + joinString(filterParts, ") or (") + ")"
+	portFilter := "(" + strings.Join(portParts, ") or (") + ")"
+
+	// Build destination host filter
+	if len(localIPs) == 0 {
+		return portFilter
+	}
+
+	hostParts := make([]string, len(localIPs))
+	for i, ip := range localIPs {
+		// Handle IPv6 addresses
+		if strings.Contains(ip, ":") {
+			hostParts[i] = fmt.Sprintf("dst host %s", ip)
+		} else {
+			hostParts[i] = fmt.Sprintf("dst host %s", ip)
+		}
+	}
+	hostFilter := "(" + strings.Join(hostParts, ") or (") + ")"
+
+	// Combine port and host filters
+	return portFilter + " and " + hostFilter
 }
 
-// joinString joins strings with a separator
+// joinString joins strings with a separator (kept for backward compatibility)
 func joinString(parts []string, sep string) string {
 	if len(parts) == 0 {
 		return ""
@@ -200,8 +317,21 @@ func joinString(parts []string, sep string) string {
 }
 
 // packetToRawPacket converts a gopacket packet to RawPacket
-func packetToRawPacket(packet gopacket.Packet) *api.RawPacket {
-	data := packet.Data()
+// Uses the raw packet bytes from the link layer
+func (c *CaptureImpl) packetToRawPacket(packet gopacket.Packet) *api.RawPacket {
+	// Try to get link layer contents + payload for full packet
+	var data []byte
+	
+	linkLayer := packet.LinkLayer()
+	if linkLayer != nil {
+		// Combine link layer contents with payload to get full packet
+		data = append(data, linkLayer.LayerContents()...)
+		data = append(data, linkLayer.LayerPayload()...)
+	} else {
+		// Fallback to packet.Data()
+		data = packet.Data()
+	}
+	
 	if len(data) == 0 {
 		return nil
 	}
@@ -209,6 +339,7 @@ func packetToRawPacket(packet gopacket.Packet) *api.RawPacket {
 	return &api.RawPacket{
 		Data:      data,
 		Timestamp: packet.Metadata().Timestamp.UnixNano(),
+		LinkType:  c.linkType,
 	}
 }