yafhooks.h
Go to the documentation of this file.
1/*
2 * Copyright 2007-2026 Carnegie Mellon University
3 * See license information in LICENSE.txt.
4 */
5/*
6 * yafhooks.h
7 * YAF Active Flow Table Plugin Interface
8 *
9 * ------------------------------------------------------------------------
10 * Authors: Brian Trammell
11 * ------------------------------------------------------------------------
12 * @DISTRIBUTION_STATEMENT_BEGIN@
13 * YAF 2.19
14 *
15 * Copyright 2026 Carnegie Mellon University.
16 *
17 * NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
18 * INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
19 * UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
20 * AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
21 * PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
22 * THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
23 * ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
24 * INFRINGEMENT.
25 *
26 * Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
27 * contact permission@sei.cmu.edu for full terms.
28 *
29 * [DISTRIBUTION STATEMENT A] This material has been approved for public
30 * release and unlimited distribution. Please see Copyright notice for
31 * non-US Government use and distribution.
32 *
33 * This Software includes and/or makes use of Third-Party Software each
34 * subject to its own license.
35 *
36 * DM26-0194
37 * @DISTRIBUTION_STATEMENT_END@
38 * ------------------------------------------------------------------------
39 */
40
114
115/*
116 *
117 * Design notes:
118 *
119 * 1. For now, it is okay for the yfhook facility to only support a single
120 * hook.
121 *
122 * 5. Each hook needs to know when a flow is flushed, so that it can make the
123 * per-flow export fields available.
124 *
125 * Changes in Version 7:
126 *
127 * ypGetTemplate() takes the hook's context as an argument.
128 *
129 * Changes in Version 6:
130 *
131 * Added ability for ypSetPluginConf() to create a hook-specific context, and
132 * added that context as an argument to ypSetPluginOpt() and ypFlowAlloc().
133 *
134 * Changes in Version 5: ???
135 *
136 * Changes in Version 4:
137 *
138 * Added a function to pass a config file to the plugin from the command line.
139 *
140 * Changes in Version 3:
141 *
142 * Hooks export entire templates that will be added to Yaf's
143 * subTemplateMultiList.
144 * yfWriteFlow in yafcore.c will call ypGetTemplateCount (a function as of v.
145 * 3),
146 * which will return the number of templates Yaf should alloc in the STML.
147 * When
148 * yfHookWriteFlow is called the STML entry can be added. The hook should not
149 * add NULL entries, if no template is to be added, ypGetTemplateCount should
150 * return
151 * 0. If the STML entry contains list fields (BL's, STL's, STML's), it must
152 * free
153 * these in the call to ypFreeLists. This means that the hook must maintain
154 * access to the record so that it can free it.
155 * ypFreeList does NOT free Yaf's STML, yaf will free this after all the hook's
156 * lists have been freed.
157 *
158 * As of Version 3, ypGetTemplate will call fbTemplateAppendSpecArray and
159 * fbSessionAddTemplate. It does not need to internal templates, only
160 * external.
161 *
162 * ypGetInfoModel should no longer be used. ypGetTemplate should allocate the
163 * info model and add the elements to the info model & the template.
164 *
165 * Versions 2 or Below:
166 *
167 * Each hook needs to be able to hand YAF an export template for its fields.
168 * These fields will appear in every exported record; a facility for NULLs MUST
169 * be provided by the hook's representation.
170 *
171 */
172
173#ifndef _YAF_HOOKS_H_
174#define _YAF_HOOKS_H_
175
176#include <yaf/autoinc.h>
177#include <yaf/decode.h>
178#include <yaf/yafcore.h>
179#include <yaf/yaftab.h>
180#if YAF_ENABLE_APPLABEL
181#define PCRE2_CODE_UNIT_WIDTH 8
182#include <pcre2.h>
183#endif
184
186#define YAF_HOOK_INTERFACE_VERSION 7
187
190struct yfHookMetaData {
192 uint8_t version;
194 uint32_t exportDataSize;
196 uint8_t requireAppLabel;
197};
198
199
212gboolean
213yfHookPacket(
214 yfFlowKey_t *key,
215 const uint8_t *pkt,
216 size_t caplen,
217 uint32_t iplen,
218 yfTCPInfo_t *tcpinfo,
219 yfL2Info_t *l2info);
220
233void
234yfHookFlowPacket(
235 yfFlow_t *flow,
236 yfFlowVal_t *val,
237 const uint8_t *pkt,
238 size_t caplen,
239 uint32_t iplen,
240 yfTCPInfo_t *tcpinfo,
241 yfL2Info_t *l2info);
242
259void
260yfHookValidateFlowTab(
261 void **yfHookCtxArray,
262 uint32_t max_payload,
263 gboolean uniflow,
264 gboolean silkmode,
265 gboolean applabelmode,
266 gboolean entropymode,
267 gboolean fingerprintmode,
268 gboolean fpExportMode,
269 gboolean udp_multipkt_payload,
270 uint16_t udp_uniflow_port);
271
279gboolean
280yfHookFlowClose(
281 yfFlow_t *flow);
282
293void
294yfHookFlowAlloc(
295 yfFlow_t *flow,
296 void **yfHookCtxArray);
297
305void
306yfHookFlowFree(
307 yfFlow_t *flow);
308
315fbInfoElement_t *
316yfHookGetInfoModel(
317 void);
318
329gboolean
330yfHookGetTemplate(
331 fbSession_t *session,
332 void **yfHookCtxArray);
333
343gboolean
344yfHookFlowWrite(
345 fbSubTemplateMultiList_t *rec,
346 fbSubTemplateMultiListEntry_t *stml,
347 yfFlow_t *flow,
348 GError **err);
349
362gboolean
363yfHookAddNewHook(
364 const char *hookName,
365 const char *hookOpts,
366 const char *hookConf,
367 void **yfHookCtxArray,
368 GError **err);
369
370#if YAF_ENABLE_APPLABEL
383void
384yfHookScanPayload(
385 yfFlow_t *flow,
386 const uint8_t *pkt,
387 size_t caplen,
388 pcre2_code *expression,
389 uint32_t offset,
390 uint16_t elementID,
391 uint16_t applabel);
392
393#endif /* if YAF_ENABLE_APPLABEL */
394
402uint8_t
403yfHookGetTemplateCount(
404 yfFlow_t *flow);
405
412void
413yfHookFreeLists(
414 yfFlow_t *flow);
415
416
417/*
418 * --------------------------------------------------------------------------
419 *
420 * The following are the prototypes of the functions that must be defined for
421 * a hook to be loaded into YAF. They are declared here to help ensure the
422 * hook uses the correct function signature.
423 */
424
429const struct yfHookMetaData *
430ypGetMetaData(
431 void);
432
446gboolean
447ypHookPacket(
448 yfFlowKey_t *key,
449 const uint8_t *pkt,
450 size_t caplen,
451 uint32_t iplen,
452 yfTCPInfo_t *tcpinfo,
453 yfL2Info_t *l2info);
454
476void
477ypFlowPacket(
478 void *yfHookFlowContext,
479 yfFlow_t *flow,
480 yfFlowVal_t *val,
481 const uint8_t *pkt,
482 size_t caplen,
483 uint32_t iplen,
484 yfTCPInfo_t *tcpinfo,
485 yfL2Info_t *l2info);
486
494gboolean
495ypFlowClose(
496 void *yfHookFlowContext,
497 yfFlow_t *flow);
498
507void
508ypFlowAlloc(
509 void **yfHookFlowContext,
510 yfFlow_t *flow,
511 void *yfHookCtx);
512
520void
521ypFlowFree(
522 void *yfHookFlowContext,
523 yfFlow_t *flow);
524
536gboolean
537ypFlowWrite(
538 void *yfHookFlowContext,
539 fbSubTemplateMultiList_t *rec,
540 fbSubTemplateMultiListEntry_t *stml,
541 yfFlow_t *flow,
542 GError **err);
543
549fbInfoElement_t *
550ypGetInfoModel(
551 void);
552
560gboolean
561ypGetTemplate(
562 fbSession_t *session,
563 void *yfHookCtx);
564
572void
573ypSetPluginOpt(
574 const char *pluginOpt,
575 void *yfHookCtx);
576
585void
586ypSetPluginConf(
587 const char *pluginConf,
588 void **yfHookCtx);
589
590#if YAF_ENABLE_APPLABEL
604void
605ypScanPayload(
606 void *yfHookFlowContext,
607 yfFlow_t *flow,
608 const uint8_t *pkt,
609 size_t caplen,
610 pcre2_code *expression,
611 uint32_t offset,
612 uint16_t elementID,
613 uint16_t applabel);
614
615#endif /* YAF_ENABLE_APPLABEL */
616
633gboolean
634ypValidateFlowTab(
635 void *yfHookCtx,
636 uint32_t max_payload,
637 gboolean uniflow,
638 gboolean silkmode,
639 gboolean applabelmode,
640 gboolean entropymode,
641 gboolean fingerprintmode,
642 gboolean fpExportMode,
643 gboolean udp_multipkt_payload,
644 uint16_t udp_uniflow_port,
645 GError **err);
646
654uint8_t
655ypGetTemplateCount(
656 void *yfHookFlowContext,
657 yfFlow_t *flow);
658
666void
667ypFreeLists(
668 void *yfHookFlowContext,
669 yfFlow_t *flow);
670
671#endif /* _YAF_HOOKS_H_ */
yfHookMetaData
Exported from the plugin to tell YAF about its export data & interface version.
Definition yafhooks.h:190
yfHookMetaData::version
uint8_t version
version of plugin interface
Definition yafhooks.h:192
yfHookMetaData::requireAppLabel
uint8_t requireAppLabel
turn on application labeling related functions
Definition yafhooks.h:196
yfHookMetaData::exportDataSize
uint32_t exportDataSize
size of data plugin will export
Definition yafhooks.h:194
yafcore.h
YAF Core Library.
yfFlowKey_t
struct yfFlowKey_st yfFlowKey_t
A YAF flow key.
yfFlowVal_t
struct yfFlowVal_st yfFlowVal_t
A YAF uniflow value.
yfFlow_t
struct yfFlow_st yfFlow_t
A YAF flow.
ypFlowPacket
void ypFlowPacket(void *yfHookFlowContext, yfFlow_t *flow, yfFlowVal_t *val, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info)
Callback invoked by yfHookFlowPacket() to allow the plugin to process each packet as it is read.
yfHookFlowFree
void yfHookFlowFree(yfFlow_t *flow)
Frees all memory associated with the flow state in all of the attached plugins.
ypHookPacket
gboolean ypHookPacket(yfFlowKey_t *key, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info)
Callback invoked by yfHookPacket() to allow the plugin to prevent the packet from becoming a part of ...
yfHookValidateFlowTab
void yfHookValidateFlowTab(void **yfHookCtxArray, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_multipkt_payload, uint16_t udp_uniflow_port)
Validation function to make sure the plugin can and should operate based on the flowtable options.
yfHookFlowPacket
void yfHookFlowPacket(yfFlow_t *flow, yfFlowVal_t *val, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info)
Similar to yfHookPacket but also given yfFlowVal_t struct for processing per flow direction.
yfHookFlowWrite
gboolean yfHookFlowWrite(fbSubTemplateMultiList_t *rec, fbSubTemplateMultiListEntry_t *stml, yfFlow_t *flow, GError **err)
called by yfWriteFlow to add the data from all registered plugins to the outgoing IPFIX record
ypGetMetaData
const struct yfHookMetaData * ypGetMetaData(void)
Callback invoked by yfHookAddNewHook() to get the version, max export bytes, and whether the plugin r...
ypFreeLists
void ypFreeLists(void *yfHookFlowContext, yfFlow_t *flow)
Callback invoked by yfHookFreeLists() after the IPFIX record has been written to allow the plugin to ...
yfHookAddNewHook
gboolean yfHookAddNewHook(const char *hookName, const char *hookOpts, const char *hookConf, void **yfHookCtxArray, GError **err)
Adds another hook (plugin) into yaf.
ypFlowFree
void ypFlowFree(void *yfHookFlowContext, yfFlow_t *flow)
Callback invoked by yfHookFlowFree() when a flow is destroyed to allow the plugin to free the flow-sp...
ypGetTemplateCount
uint8_t ypGetTemplateCount(void *yfHookFlowContext, yfFlow_t *flow)
Callback invoked by yfHookGetTemplateCount() when sizing the STML to allow the plugin to reserve spac...
ypFlowWrite
gboolean ypFlowWrite(void *yfHookFlowContext, fbSubTemplateMultiList_t *rec, fbSubTemplateMultiListEntry_t *stml, yfFlow_t *flow, GError **err)
Callback invoked by yfHookFlowWrite() when the data is copied into an IPFIX record immediately prior ...
yfHookGetInfoModel
fbInfoElement_t * yfHookGetInfoModel(void)
Returns the IPFIX info model aggregated for all plugins.
yfHookGetTemplateCount
uint8_t yfHookGetTemplateCount(yfFlow_t *flow)
Returns the amount of templates to add to the SubtemplateMultiList from all plugins hooked.
yfHookPacket
gboolean yfHookPacket(yfFlowKey_t *key, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info)
Function called to do processing on each packet as it comes in.
yfHookFreeLists
void yfHookFreeLists(yfFlow_t *flow)
Sends control back to the plugin to free any BasicLists, SubTemplateLists, or SubTemplateMultiLists t...
yfHookFlowAlloc
void yfHookFlowAlloc(yfFlow_t *flow, void **yfHookCtxArray)
Allow plugins to allocate flow state information for each flow captured by yaf at the time of flow cr...
yfHookFlowClose
gboolean yfHookFlowClose(yfFlow_t *flow)
Called upon flow close to do any necessary plugin processing upon flow close.
ypGetInfoModel
fbInfoElement_t * ypGetInfoModel(void)
Callback invoked by yfHookGetInfoModel() to allow the plugin to add elements to the InfoModel.
ypSetPluginOpt
void ypSetPluginOpt(const char *pluginOpt, void *yfHookCtx)
Callback invoked by yfHookAddNewHook() to provide the plugin with command line options other than the...
ypFlowAlloc
void ypFlowAlloc(void **yfHookFlowContext, yfFlow_t *flow, void *yfHookCtx)
Callback invoked by yfHookFlowAlloc() when a new flow is opened to allow the plugin to create a per-f...
ypSetPluginConf
void ypSetPluginConf(const char *pluginConf, void **yfHookCtx)
Callback invoked by yfHookAddNewHook() to provide the plugin with the name of the configuration file ...
ypFlowClose
gboolean ypFlowClose(void *yfHookFlowContext, yfFlow_t *flow)
Callback invoked by yfHookFlowClose() when a flow is closed to allow the plugin to examine the comple...
ypValidateFlowTab
gboolean ypValidateFlowTab(void *yfHookCtx, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_multipkt_payload, uint16_t udp_uniflow_port, GError **err)
Callback invoked by yfFlowTabAlloc() to allow the plugin to confirm it can be used given the flow-tab...
ypGetTemplate
gboolean ypGetTemplate(fbSession_t *session, void *yfHookCtx)
Callback invoked by yfHookGetTemplate() to allow the plugin to add its templates to the export sessio...
yfHookGetTemplate
gboolean yfHookGetTemplate(fbSession_t *session, void **yfHookCtxArray)
Gets the IPFIX info model template for the export data from all the plugins and turns it into a singl...
yaftab.h
Flow generation interface for YAF.