[PATCH] db-parser(): implement a MAC address parser
While talking about netfilter logs recently, we found, that a MAC address parser may come in handy when parsing these messages, so here it comes. I hope others might find it useful as well. Balint
From: Balint Kovacs <blint@blint.hu>
The MACADDR parser matches the standard format for printing MAC-48 addresses in human-friendly form, whis consists of is six groups of two hexadecimal digits, separated colons (:)
Signed-off-by: Balint Kovacs <blint@balabit.hu>
---
 modules/dbparser/radix.c | 33 +++++++++++++++++++++++++++++++++
 modules/dbparser/radix.h | 5 ++++-
 modules/dbparser/tests/test_radix.c | 4 ++++
 3 files changed, 41 insertions(+), 1 deletions(-)
diff --git a/modules/dbparser/radix.c b/modules/dbparser/radix.c
index 2f2034b..fb74c20 100644
--- a/modules/dbparser/radix.c
+++ b/modules/dbparser/radix.c
@@ -254,6 +254,34 @@ r_parser_ip(guint8 *str, gint *len, const gchar *param, gpointer state, RParserM
 }
 gboolean
+r_parser_macaddr(guint8 *str, gint *len, const gchar *param, gpointer state, RParserMatch *match)
+{
+ gint i;
+ *len = 0;
+
+ for (i = 1; i <= 6; i++)
+ {
+ if (!g_ascii_isxdigit(str[*len]) && !g_ascii_isxdigit(str[*len+1]))
+ {
+ return FALSE;
+ }
+ if (i<6)
+ {
+ if (str[*len+2] != ':')
+ return FALSE;
+ (*len)+=3;
+ }
+ else
+ (*len)+=2;
+ }
+
+ if (G_UNLIKELY(*len == 16))
+ return FALSE;
+
+ return TRUE;
+}
+
+gboolean
 r_parser_float(guint8 *str, gint *len, const gchar *param, gpointer state, RParserMatch *match)
 {
 gboolean dot = FALSE;
@@ -349,6 +377,11 @@ r_new_pnode(guint8 *key)
 parser_node->parse = r_parser_ip;
 parser_node->type = RPT_IP;
 }
+ else if (strcmp(params[0], "MACADDR") == 0)
+ {
+ parser_node->parse = r_parser_macaddr;
+ parser_node->type = RPT_MACADDR;
+ }
 else if (strcmp(params[0], "NUMBER") == 0)
 {
 parser_node->parse = r_parser_number;
diff --git a/modules/dbparser/radix.h b/modules/dbparser/radix.h
index 9756dfe..c36fb63 100644
--- a/modules/dbparser/radix.h
+++ b/modules/dbparser/radix.h
@@ -41,7 +41,8 @@ enum
 RPT_IPV6,
 RPT_IP,
 RPT_FLOAT,
- RPT_SET
+ RPT_SET,
+ RPT_MACADDR
 };
 typedef struct _RParserMatch
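Review bot: The hex-digit test in r_parser_macaddr joins its two checks with `&&`, so a group is rejected only when both of its characters are non-hex, and text such as `8z` passes as a valid octet. The parser runs on log message text, and assuming `str` is NUL-terminated (the signature carries no input length), a message that ends right after a single hex digit also gets past this check, after which `str[*len+2]` is read one byte beyond the terminator. The condition should be `if (!g_ascii_isxdigit(str[*len]) || !g_ascii_isxdigit(str[*len+1]))`, which stops at the NUL before any further index is touched. Separately, `*len` can only be 17 once the loop completes, so the `*len == 16` guard never fires and should be removed or replaced by the check it was meant to express.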
@@ -127,6 +128,8 @@ r_parser_type_name(guint8 type)
 return "FLOAT";
 case RPT_SET:
 return "SET";
+ case RPT_MACADDR:
+ return "MACADDR";
 default:
 return "UNKNOWN";
 }
diff --git a/modules/dbparser/tests/test_radix.c b/modules/dbparser/tests/test_radix.c
index b6c9736..aafa698 100644
--- a/modules/dbparser/tests/test_radix.c
+++ b/modules/dbparser/tests/test_radix.c
@@ -302,6 +302,7 @@ test_parsers(void)
 insert_node(root, "AAA@SET@AAA");
 printf("We excpect an error message\n");
 insert_node(root, "AAA@SET:set@AAA");
+ insert_node(root, "AAA@MACADDR@AAA");
 test_search_value(root, "a@", NULL);
 test_search_value(root, "a@NUMBER@aa@@", "a@@NUMBER@@aa@@@@");
@@ -343,6 +344,7 @@ test_matches(void)
 insert_node(root, "fff @FLOAT:float@");
 insert_node(root, "zzz @ESTRING:test:gép@");
 insert_node(root, "ggg @SET:set: @");
+ insert_node(root, "iii @MACADDR:macaddr@");
 test_search_matches(root, "aaa 12345 hihihi", "number", "12345",
@@ -613,6 +615,8 @@ test_matches(void)
 test_search_matches(root, "ggg aaa", "set", " ", NULL);
 test_search_matches(root, "ggg aaa", "set", " ", NULL);
 test_search_matches(root, "ggg aaa", "set", " ", NULL);
+ test_search_matches(root, "iii 82:63:25:93:eb:51.iii", "macaddr", "82:63:25:93:eb:51", NULL);
+ test_search_matches(root, "iii 82:63:25:93:EB:51.iii", "macaddr", "82:63:25:93:EB:51", NULL);
 test_search_matches(root, "zzz árvíztűrőtükörfúrógép", "test", "árvíztűrőtükörfúró", NULL);
 r_free_node(root, NULL);
--
1.7.0.4
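Review bot: Both `test_search_matches` cases added in the last test_matches hunk feed well-formed addresses, so nothing pins what the MACADDR parser must reject. Negative cases are worth adding next to them: a group with one non-hex character (constructed sample `iii 82:63:25:93:eb:5z.iii`) and an address cut short (constructed sample `iii 82:63:25:93:eb`), each asserting that `macaddr` is not captured. The first of these would fail against the new r_parser_macaddr as posted, since its digit check lets a group through when only one of its two characters is hex. The no-match assertion form should follow whatever test_radix.c already uses; test_matches starts and ends outside these hunks, so that form is not visible here.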
Hi Balint, Committed on syslog-ng 3.4 master. Thanks. On Wed, 2012-08-15 at 19:28 +0200, Balint Kovacs wrote:
From: Balint Kovacs <blint@blint.hu>
The MACADDR parser matches the standard format for printing MAC-48 addresses in human-friendly form, which consists of six groups of two hexadecimal digits, separated by colons (:)
Signed-off-by: Balint Kovacs <blint@balabit.hu>