ÿØÿà JFIF    ÿÛ „  ( %"1!%)+...383,7(-.+  -+++--++++---+-+-----+---------------+---+-++7-----ÿÀ  ß â" ÿÄ     ÿÄ H    !1AQaq"‘¡2B±ÁÑð#R“Ò Tbr‚²á3csƒ’ÂñDS¢³$CÿÄ   ÿÄ %  !1AQa"23‘ÿÚ   ? ôÿ ¨pŸªáÿ —åYõõ\?àÒü©ŠÄï¨pŸªáÿ —åYõõ\?àÓü©ŠÄá 0Ÿªáÿ Ÿå[úƒ ú®ði~TÁbqÐ8OÕpÿ ƒOò¤Oè`–RÂáœá™êi€ßÉ< FtŸI“öÌ8úDf´°å}“¾œ6  öFá°y¥jñÇh†ˆ¢ã/ÃÐ:ªcÈ "Y¡ðÑl>ÿ ”ÏËte:qž\oäŠe÷󲍷˜HT4&ÿ ÓÐü6ö®¿øþßèô Ÿ•7Ñi’•j|“ñì>b…þS?*Óôÿ ÓÐü*h¥£ír¶ü UãSç‚Ÿ[AÐaè[ûª•õ&õj?†Éö+EzP—WeÒírJFt ‘BŒ†Ï‡%#tE Øz ¥OÛ«!1›üä±Í™%ºÍãö]°î(–:@<‹ŒÊö×òÆt¦ãº+‡¦%ÌÁ²h´OƒJŒtMÜ>ÀÜÊw3Y´•牋4ǍýʏTì>œú=Íwhyë,¾Ôò×õ¿ßÊa»«þˆѪQ|%6ž™A õ%:øj<>É—ÿ Å_ˆCbõ¥š±ý¯Ýƒï…¶|RëócÍf溪“t.СøTÿ *Ä¿-{†çàczůŽ_–^XþŒ±miB[X±d 1,é”zEù»& î9gœf™9Ð'.;—™i}!ôšåîqêÛ٤ёý£½ÆA–àôe"A$˝Úsäÿ ÷Û #°xŸëí(l »ý3—¥5m! rt`†0~'j2(]S¦¦kv,ÚÇ l¦øJA£Šƒ J3E8ÙiŽ:cÉžúeZ°€¯\®kÖ(79«Ž:¯X”¾³Š&¡* ….‰Ž(ÜíŸ2¥ª‡×Hi²TF¤ò[¨íÈRëÉ䢍mgÑ.Ÿ<öäS0í„ǹÁU´f#Vß;Õ–…P@3ío<ä-±»Ž.L|kªÀê›fÂ6@»eu‚|ÓaÞÆŸ…¨ááå>åŠ?cKü6ùTÍÆ”†sĤÚ;H2RÚ†õ\Ö·Ÿn'¾ ñ#ºI¤Å´%çÁ­‚â7›‹qT3Iï¨ÖÚ5I7Ë!ÅOóŸ¶øÝñØôת¦$Tcö‘[«Ö³šÒ';Aþ ¸èíg A2Z"i¸vdÄ÷.iõ®§)¿]¤À†–‡É&ä{V¶iŽ”.Ó×Õÿ û?h¬Mt–íª[ÿ Ñÿ ÌV(í}=ibÔ¡›¥¢±b Lô¥‡piη_Z<‡z§èŒ)iÖwiÇ 2hÙ3·=’d÷8éŽ1¦¸c¤µ€7›7Ø ð\á)} ¹fËí›pAÃL%âc2 í§æQz¿;T8sæ°qø)QFMð‰XŒÂ±N¢aF¨…8¯!U  Z©RÊ ÖPVÄÀÍin™Ì-GˆªÅËŠ›•zË}º±ŽÍFò¹}Uw×#ä5B¤{î}Ð<ÙD é©¤&‡ïDbàÁôMÁ." ¤‡ú*õ'VŽ|¼´Úgllº¼klz[Æüï÷Aób‡Eÿ dÑ»Xx9ÃÜ£ÁT/`¼¸vI±Ýµ·Ë‚“G³þ*Ÿû´r|*}<¨îºœ @¦mÄ’M¹”.œ«Y–|6ÏU¤jç¥ÕÞqO ˜kDÆÁ¨5ÿ š;Њ¦¦€GÙk \ –Þ=â¼=SͧµªS°ÚÍpÜãQűÀõ¬?ÃÁ1Ñ•õZà?hóœ€ L¦l{Y*K˜Ù›zc˜–ˆâ ø+¾ ­-Ök¥%ùEÜA'}ˆ><ÊIè“bpÍ/qÞâvoX€w,\úªò6Z[XdÒæ­@Ö—€$òJí#é>'°Ú ôª˜<)4ryÙ£|óAÅn5žêŸyÒäMÝ2{"}‰–¤l÷ûWX\l¾Á¸góÉOÔ /óñB¤f¸çñ[.P˜ZsÊË*ßT܈§QN¢’¡¨§V¼(Üù*eÕ“”5T¨‹Âê¥FŒã½Dü[8'Ò¥a…Ú¶k7a *•›¼'Ò·\8¨ª\@\õ¢¦íq+DÙrmÎ…_ªæ»ŠÓœ¡¯’Ré9MÅ×D™lælffc+ŒÑ,ý™ÿ ¯þǤ=Å’Á7µ÷ÚÛ/“Ü€ñýã¼àí¾ÕÑ+ƒ,uµMâÀÄbm:ÒÎPæ{˜Gz[ƒ¯«® KHà`ßØŠéí¯P8Aq.C‰ à€kòpj´kN¶qô€…Õ,ÜNŠª-­{Zö’æû44‰sŽè‰îVíRœÕm" 6?³D9¡ÇTíÅꋇ`4«¸ÝÁô ï’ýorqКÇZ«x4Žâéþuïf¹µö[P ,Q£éaX±`PÉÍZ ¸äYúg üAx ’6Lê‚xÝÓ*äQ  Ï’¨hÍ =²,6ï#rÃ<¯–£»ƒ‹,–ê•€ aÛsñ'%Æ"®ÛüìBᝠHÚ3ß°©$“XnœÖ’î2ËTeûìxîß ¦å¿çÉ ðK§þ{‘t‚Ϋ¬jéîZ[ ”š7L¥4VÚCE×]m¤Øy”ä4-dz£œ§¸x.*ãÊÊ b÷•h:©‡¦s`BTÁRû¾g⻩‹jø sF¢àJøFl‘È•Xᓁà~*j¯ +(ÚÕ6-£¯÷GŠØy‚<Ç’.F‹Hœw(+)ÜÜâÈzÄäT§FߘãÏ;DmVœ3Àu@mÚüXÝü•3B¨òÌÁÛ<·ÃÜ z,Ì@õÅ·d2]ü8s÷IôÞ¯^Ç9¢u„~ëAŸï4«M? K]­ÅàPl@s_ p:°¬ZR”´›JC[CS.h‹ƒïËœ«Æ]–÷ó‚wR×k7X‰k›‘´ù¦=¡«‰¨¨Â')—71ó’c‡Ðúµ `é.{§p¹ój\Ž{1h{o±Ý=áUÊïGÖŒõ–-BÄm+AZX¶¡ ïHðæ¥JmÙ;…ä¡Ÿˆ¦ ° äšiÉg«$üMk5¤L“’çÊvïâï ,=f“"íἊ5ô¬x6{ɏžID0e¸vçmi'︧ºð9$ò¹÷*£’9ÿ ²TÔ…×>JV¥}Œ}$p[bÔ®*[jzS*8 ”·T›Í–ñUîƒwo$áè=LT™ç—~ô·¤ÈÚ$榍q‰„+´kFm)ž‹©i–ËqÞŠ‰à¶ü( ‚•§ •°ò·‡#5ª•µÊ﯅¡X¨šÁ*F#TXJÊ ušJVÍ&=iÄs1‚3•'fý§5Ñ<=[íÞ­ PÚ;ѱÌ_~Ä££8rÞ ²w;’hDT°>ÈG¬8Á²ÚzŽ®ò®qZcqJêäÞ-ö[ܘbň±çb“Š¶31²n×iƒðÕ;1¶þÉ ªX‰,ßqÏ$>•î íZ¥Z 1{ç൵+ƒÕµ¥°T$§K]á»Ûï*·¤tMI’ÂZbŽÕiÒ˜}bÓ0£ª5›¨ [5Ž^ÝœWøÂÝh° ¢OWun£¤5 a2Z.G2³YL]jåtì”ä ÁÓ‘%"©<ÔúÊ°sº UZvä‡ÄiÆÒM .÷V·™ø#kèýiíÌ–ª)µT[)BˆõÑ xB¾B€ÖT¨.¥~ð@VĶr#¸ü*åZNDŽH;âi ],©£öØpù(šºãö¼T.uCê•4@ÿ GÕÛ)Cx›®0ø#:ÏðFÒbR\(€€Ä®fã4Þ‰Fä¯HXƒÅ,†öEÑÔÜ]Öv²?tLÃvBY£ú6Êu5ÅAQ³1‘’¬x–HŒÐ‡ ^ ¸KwJôÖŽ5×CÚ¨vÜ«/B0$×k°=ðbÇ(Ï)w±A†Á† 11Í=èQšµ626ŒÜ/`G«µ<}—-Ö7KEHÈÉðóȤmݱû±·ø«Snmá=“ä«šmݱŸ¡¶~ó·“äUóJæúòB|E LêŽy´jDÔ$G¢þÐñ7óR8ýÒ…Ç› WVe#·Ÿ p·Fx~•ݤF÷0Èÿ K¯æS<6’¡WШ; ´ÿ ¥Êø\Òuî†åÝ–VNœkÒ7oòX¨Á­Ø÷FÎÑä±g÷ÿ M~Çî=p,X´ ÝÌÚÅ‹’ÃjÖ.ØöÏñ qïQ¤ÓZE†° =6·]܈ s¸>v•Ž^Ý\wq9r‰Î\¸¡kURÒ$­*‹Nq?Þª*!sŠÆ:TU_u±T+øX¡ ®¹¡,ÄâÃBTsÜ$Ø›4m椴zÜK]’’›Pƒ @€#â˜`é¹=I‡fiV•Ôî“nRm+µFPOhÍ0B£ €+¬5c v•:P'ÒyÎ ‰V~‚Ó†ÖuókDoh$å\*ö%Ю=£«…aȼ½÷Û.-½VŒŠ¼'lyî±1¬3ó#ÞE¿ÔS¤gV£m›=§\û"—WU¤ÚǼÿ ÂnÁGŒÃ ‚õN D³õNÚíŒÕ;HôyÄÈ©P¹Ä{:?R‘Ô¨âF÷ø£bÅó® JS|‚R÷ivýáâ€Æé¡è³´IئÑT!§˜•Øª‚¬â@q€wnïCWÄ@JU€ê¯m6]Ï:£âx'+ÒðXvÓ¦Úm=–´7œ $ì“B£~p%ÕŸUþ« N@¼üï~w˜ñø5®—'Ôe»¤5ã//€ž~‰Tþ›Å7•#¤× Íö pÄ$ùeåì*«ÓŠEØWEÈsßg ¦ûvžSsLpºÊW–âµEWöˬH; ™!CYõZ ÃÄf æ#1W. \uWâ\,\Çf j’<qTbên›Î[vxx£ë 'ö¨1›˜ÀM¼Pÿ H)ƒêêŒA7s,|F“ 꺸k³9Ìö*ç®;Ö!Ö$Eiž•¹ÒÚ†ýóéÝû¾ÕS®ó$’NÝäŸz¤5r¦ãÄÃD÷Üø!°ø‡Ô&@m™Ì^Ãä­d q5Lnÿ N;.6½·N|#ä"1Nƒx“ã<3('&ñßt  ~ªu”1Tb㫨9ê–›–bìd$ߣ=#ÕãÒmU¯eí$EFù5ýYô櫨æ왍Ǘ±ssM]·á¿0ÕåJRÓªîiƒ+O58ÖñªŠÒx" \µâá¨i’¤i —Ö ” M+M¤ë9‚‰A¦°Qõ¾ßøK~¼Ã‘g…Ö´~÷Ï[3GUœÒ½#…kàÔ®Ò”‰³·dWV‰IP‰Ú8u¹”E ÖqLj¾êÕCBš{A^Âß;–¨`¯¬ìö ˼ ×tìø.tƐm*n¨y4o&Àx¥n¦×î‡aupáÛj8¿m›è¶ã!o½;ß0y^ý×^EÑ¿ÒjzŒ­)vÚÑnÄL …^ªô× ‡—‚3k Îý­hï]içå–îÏ*÷ñþ»Ô CÒjøjÍznˆ´ ¹#b'Fô‹ ‰v¥'’à'T´ƒHýÍ%M‰ ƒ&ÆÇŒï1 ‘ –Þ ‰i¬s žR-Ÿ kŠ¬á¬7:þ 0ŒÅÒÕ/aÙ¬ÃÝ#Úøœ ©aiVc‰. ¹¦ãµ” ›Yg¦›ÆÎýº°f³7ƒhá·¸­}&D9¡ÂsÉÙÞèŠõØàC™¨ñbFC|´Ü(ŸƒÚÒ-%»'a Ì¿)ËÇn¿úÿ ÞŽX…4ÊÅH^ôΑí@ù¹Eh¶“L8Çjù ¼ÎåVªóR©Ï5uà V4lZß®=€xÖŸ–ÑÈ ÷”¨°¾__yM1tÉ?uÆþIkÄgæ@þ[¢†°XÃJ£j·:nkÅ¢u ‘}âGzö­/IµèŠ¬¼48q¦F°ŽR¼=ûì{´¯RýicS ÕÛ íNtÍÙï£,w4rêì®»~x(©Uñ§#Ñ&œÕ¤>ÎåÍÓ9’Ö{9eV­[Öjâ²ãu]˜å2›qÑšÕJç0€sÄ|Êëè0튔bÁ>“{×_F`Ø©ºê:µä,v¤ðfc1±"«ÔÍän1#=· Âøv~H½ÐßA¾¿Ü€Óš]Õ; I¾÷ç‚Qi†î¹9ywÔKG˜áñ zQY—§ÃÕZ07§X‚ Áh;ÁM)iÌCH-¯T‘ë|A0{Ò½LÚ–TâÖkÜ’dÀ“rmm»”جPF³ÖcbE§T€ÒxKºû’Ó®7±²(\4ŽÃ¸Uu@j™yĵ;³µ!Á¢b.W¤=mõ´êµK k ¸K^ÜÛ#p*Ü14qkZç5ïë †°5Ï%ÍÛ<Õ¤×Ô¥ê†C Õ´¼ú$ƒÖ“”]Ù¬qÞÚ[4©ý!ûÏ—Áb쳐XµA¬â~`›Çr¸8ìùÝ䫦<>ä÷«?xs´ÇÑ /á;¹øüÊÈÙà{"@Žïzâ¬[âß‚ U_<ÇŸ½4èN˜ú61®qŠu ¦þF£»äJ_ˆÙÎ~ ÞAã–Ý„Ï—rŠD;xTž‘ô`É«…suãO`?³à™ô Lý#Íc5öoæØ‚y´´÷«ZR§<&JÇ+éâô´€i!Àˆ0æAoàðLèÖ-2ŸõW.’t^–(KÁmHµV@xÜÇy®Ñø­â^:Ú3w· 7½¹°ñ¸â¹®:',«Mœ—n­Á+Ãbš LÈ‘ÄnRÓÅœ%¦²‰¨ùQ:¤f‚ "PÕtô¸…cæl…&˜Ú˜Ôkv‹ž+vŠ,=¢v­6—Xy*¥t£«<™:“aîϲ=¦6rO]XI¿Œ÷¤zÚ­›¶ 6÷”w\d ü~v®ˆÌk«^m<ÿ ¢‰Õ\)ùºŽ;… lîÙÅEŠ®cѾ@vnMÏ,¼“ñ•ŽBxðÃzãÇç%3ˆ"}Ù•Åî> BÉú;Ò]V+P˜F_´ßé> Øše|ï‡ÄOmFæÇ ãqÞ$/xÐx­z`ï9"œÜij‚!7.\Td…9M‡•iŽ‹¾‘50ÞŽn¥ß4ÉôO ¹*í^QêËÜÇÌ8=Ž§s‰'ÂëÙ«á%Pú[O †ÅP¯VsŽ°.‰,kc¶ ¬A9n˜XÎ-ÞšN["¹QÕ‰ƒMýÁߺXJæÍaLj¾×Ãmã¾ãÚ uñÒþåQô¦¥ /ÄUx:‚ÍÜ’ Đ©ØÝ3V¨‰ÕnÐ6ó*óúK­«…c ¯U òhsý­jóÔj#,ímŒRµ«lbïUTŒÑ8†Ä0œÏr`ð¡¬É Ї ë"À² ™ 6¥ f¶ ¢ÚoܱԷ-<Àî)†a¶ž'Ú»¨TXqØæ¶÷YÄHy˜9ÈIW­YÀuMFë ºÏ’AqÌ4·/Ú †ô'i$øä­=Ä Ý|öK×40è|È6p‘0§)o¥ctî§H+CA-“ xØ|ÐXŠç l8íºð3Ø:³¤¬KX¯UÿÙ """Defines helpful decoders that can be used to decode information from the flows. A decoder is generally a callable that accepts a string and returns the value object. """ import json import netaddr import re class Decoder(object): """Base class for all decoder classes.""" def to_json(self): raise NotImplementedError() def decode_default(value): """Default decoder. It tries to convert into an integer value and, if it fails, just returns the string. """ try: return int(value, 0) except ValueError: return value def decode_flag(value): """Decode a flag. It's existence is just flagged by returning True.""" return True def decode_int(value): """Integer decoder. Both base10 and base16 integers are supported. Used for fields such as: n_bytes=34 metadata=0x4 """ return int(value, 0) def decode_time(value): """Time decoder. Used for fields such as: duration=1234.123s """ if value == "never": return value time_str = value.rstrip("s") return float(time_str) class IntMask(Decoder): """Base class for Integer Mask decoder classes. It supports decoding a value/mask pair. The class has to be derived, and the size attribute must be set. """ size = None # Size in bits. def __init__(self, string): if not self.size: raise NotImplementedError( "IntMask should be derived and size should be fixed" ) parts = string.split("/") if len(parts) > 1: self._value = int(parts[0], 0) self._mask = int(parts[1], 0) if self._mask.bit_length() > self.size: raise ValueError( "Integer mask {} is bigger than size {}".format( self._mask, self.size ) ) else: self._value = int(parts[0], 0) self._mask = self.max_mask() if self._value.bit_length() > self.size: raise ValueError( "Integer value {} is bigger than size {}".format( self._value, self.size ) ) @property def value(self): return self._value @property def mask(self): return self._mask def max_mask(self): return 2 ** self.size - 1 def fully(self): """Returns True if it's fully masked.""" return self._mask == self.max_mask() def __str__(self): if self.fully(): return str(self._value) else: return "{}/{}".format(hex(self._value), hex(self._mask)) def __repr__(self): return "%s('%s')" % (self.__class__.__name__, self) def __eq__(self, other): """Equality operator. Both value and mask must be the same for the comparison to result True. This can be used to implement filters that expect a specific mask, e.g: ct.state = 0x1/0xff. Args: other (IntMask): Another IntMask to compare against. Returns: True if the other IntMask is the same as this one. """ if isinstance(other, IntMask): return self.value == other.value and self.mask == other.mask elif isinstance(other, int): return self.value == other and self.mask == self.max_mask() else: raise ValueError("Cannot compare against ", other) def __contains__(self, other): """Contains operator. Args: other (int or IntMask): Another integer or fully-masked IntMask to compare against. Returns: True if the other integer or fully-masked IntMask is contained in this IntMask. Example: 0x1 in IntMask("0xf1/0xff"): True 0x1 in IntMask("0xf1/0x0f"): True 0x1 in IntMask("0xf1/0xf0"): False """ if isinstance(other, IntMask): if other.fully(): return other.value in self else: raise ValueError( "Comparing non fully-masked IntMasks is not supported" ) else: return other & self._mask == self._value & self._mask def dict(self): return {"value": self._value, "mask": self._mask} def to_json(self): return self.dict() class Mask8(IntMask): size = 8 class Mask16(IntMask): size = 16 class Mask32(IntMask): size = 32 class Mask64(IntMask): size = 64 class Mask128(IntMask): size = 128 class Mask992(IntMask): size = 992 def decode_mask(mask_size): """Value/Mask decoder for values of specific size (bits). Used for fields such as: reg0=0x248/0xff """ class Mask(IntMask): size = mask_size __name__ = "Mask{}".format(size) return Mask class EthMask(Decoder): """EthMask represents an Ethernet address with optional mask. It uses netaddr.EUI. Attributes: eth (netaddr.EUI): The Ethernet address. mask (netaddr.EUI): Optional, the Ethernet address mask. Args: string (str): A string representing the masked Ethernet address e.g: 00.11:22:33:44:55 or 01:00:22:00:33:00/01:00:00:00:00:00 """ def __init__(self, string): mask_parts = string.split("/") self._eth = netaddr.EUI(mask_parts[0]) if len(mask_parts) == 2: self._mask = netaddr.EUI(mask_parts[1]) else: self._mask = None @property def eth(self): """The Ethernet address.""" return self._eth @property def mask(self): """The Ethernet address mask.""" return self._mask def __eq__(self, other): """Equality operator. Both the Ethernet address and the mask are compared. This can be used to implement filters where we expect a specific mask to be present, e.g: dl_dst=01:00:00:00:00:00/01:00:00:00:00:00. Args: other (EthMask): Another EthMask to compare against. Returns: True if this EthMask is the same as the other. """ return self._mask == other._mask and self._eth == other._eth def __contains__(self, other): """Contains operator. Args: other (netaddr.EUI or EthMask): An Ethernet address. Returns: True if the other netaddr.EUI or fully-masked EthMask is contained in this EthMask's address range. """ if isinstance(other, EthMask): if other._mask: raise ValueError( "Comparing non fully-masked EthMask is not supported" ) return other._eth in self if self._mask: return (other.value & self._mask.value) == ( self._eth.value & self._mask.value ) else: return other == self._eth def __str__(self): if self._mask: return "/".join( [ self._eth.format(netaddr.mac_unix), self._mask.format(netaddr.mac_unix), ] ) else: return self._eth.format(netaddr.mac_unix) def __repr__(self): return "%s('%s')" % (self.__class__.__name__, self) def to_json(self): return str(self) class IPMask(Decoder): """IPMask stores an IPv6 or IPv4 and a mask. It uses netaddr.IPAddress. IPMasks can represent valid CIDRs or randomly masked IP Addresses. Args: string (str): A string representing the ip/mask. """ def __init__(self, string): self._ipnet = None self._ip = None self._mask = None try: self._ipnet = netaddr.IPNetwork(string) except netaddr.AddrFormatError: pass if not self._ipnet: # It's not a valid CIDR. Store ip and mask independently. parts = string.split("/") if len(parts) != 2: raise ValueError( "value {}: is not an ipv4 or ipv6 address".format(string) ) try: self._ip = netaddr.IPAddress(parts[0]) self._mask = netaddr.IPAddress(parts[1]) except netaddr.AddrFormatError as exc: raise ValueError( "value {}: is not an ipv4 or ipv6 address".format(string) ) from exc def __eq__(self, other): """Equality operator. Both the IPAddress and the mask are compared. This can be used to implement filters where a specific mask is expected, e.g: nw_src=192.168.1.0/24. Args: other (IPMask or netaddr.IPNetwork or netaddr.IPAddress): Another IPAddress or IPNetwork to compare against. Returns: True if this IPMask is the same as the other. """ if isinstance(other, netaddr.IPNetwork): return self._ipnet and self._ipnet == other if isinstance(other, netaddr.IPAddress): return self._ipnet and self._ipnet.ip == other elif isinstance(other, IPMask): if self._ipnet: return self._ipnet == other._ipnet return self._ip == other._ip and self._mask == other._mask else: return False def __contains__(self, other): """Contains operator. Only comparing valid CIDRs is supported. Args: other (netaddr.IPAddress or IPMask): An IP address. Returns: True if the other IPAddress is contained in this IPMask's address range. """ if isinstance(other, IPMask): if not other._ipnet: raise ValueError("Only comparing valid CIDRs is supported") return ( netaddr.IPAddress(other._ipnet.first) in self and netaddr.IPAddress(other._ipnet.last) in self ) elif isinstance(other, netaddr.IPAddress): if self._ipnet: return other in self._ipnet return (other & self._mask) == (self._ip & self._mask) def cidr(self): """ Returns True if the IPMask is a valid CIDR. """ return self._ipnet is not None @property def ip(self): """The IP address.""" if self._ipnet: return self._ipnet.ip return self._ip @property def mask(self): """The IP mask.""" if self._ipnet: return self._ipnet.netmask return self._mask def __str__(self): if self._ipnet: return str(self._ipnet) return "/".join([str(self._ip), str(self._mask)]) def __repr__(self): return "%s('%s')" % (self.__class__.__name__, self) def to_json(self): return str(self) def decode_free_output(value): """The value of the output action can be found free, i.e: without the 'output' keyword. This decoder decodes its value when found this way.""" try: return "output", {"port": int(value)} except ValueError: return "output", {"port": value.strip('"')} ipv4 = r"(?:\d{1,3}.?){3}\d{1,3}" ipv4_capture = r"({ipv4})".format(ipv4=ipv4) ipv6 = r"[\w:\.]+" ipv6_capture = r"(?:\[*)?({ipv6})(?:\]*)?".format(ipv6=ipv6) port_range = r":(\d+)(?:-(\d+))?" ip_range_regexp = r"{ip_cap}(?:-{ip_cap})?(?:{port_range})?" ipv4_port_regex = re.compile( ip_range_regexp.format(ip_cap=ipv4_capture, port_range=port_range) ) ipv6_port_regex = re.compile( ip_range_regexp.format(ip_cap=ipv6_capture, port_range=port_range) ) def decode_ip_port_range(value): """ Decodes an IP and port range: {ip_start}-{ip-end}:{port_start}-{port_end} IPv6 addresses are surrounded by "[" and "]" if port ranges are also present Returns the following dictionary: { "addrs": { "start": {ip_start} "end": {ip_end} } "ports": { "start": {port_start}, "end": {port_end} } (the "ports" key might be omitted) """ if value.count(":") > 1: match = ipv6_port_regex.match(value) else: match = ipv4_port_regex.match(value) ip_start = match.group(1) ip_end = match.group(2) port_start = match.group(3) port_end = match.group(4) result = { "addrs": { "start": netaddr.IPAddress(ip_start), "end": netaddr.IPAddress(ip_end or ip_start), } } if port_start: result["ports"] = { "start": int(port_start), "end": int(port_end or port_start), } return result def decode_nat(value): """Decodes the 'nat' keyword of the ct action. The format is: nat Flag format. nat(type=addrs[:ports][,flag]...) Full format where the address-port range has the same format as the one described in decode_ip_port_range. Examples: nat(src=0.0.0.0) nat(src=0.0.0.0,persistent) nat(dst=192.168.1.0-192.168.1.253:4000-5000) nat(dst=192.168.1.0-192.168.1.253,hash) nat(dst=[fe80::f150]-[fe80::f15f]:255-300) """ if not value: return True # If flag format, the value is True. result = dict() type_parts = value.split("=") result["type"] = type_parts[0] if len(type_parts) > 1: value_parts = type_parts[1].split(",") if len(type_parts) != 2: raise ValueError("Malformed nat action: %s" % value) ip_port_range = decode_ip_port_range(value_parts[0]) result = {"type": type_parts[0], **ip_port_range} for flag in value_parts[1:]: result[flag] = True return result class FlowEncoder(json.JSONEncoder): """FlowEncoder is a json.JSONEncoder instance that can be used to serialize flow fields.""" def default(self, obj): if isinstance(obj, Decoder): return obj.to_json() elif isinstance(obj, netaddr.IPAddress): return str(obj) return json.JSONEncoder.default(self, obj)