implement poll() for startCaptureBlockingMode

[tigercosmos]

please refer to #1220

new in PR:

• timeout of startCaptureBlockingMode keeps the unit as second but changes to use double type to allow millisecond precision.
• add usePoll option
• main behavior difference: originally, if there are no packets coming, then the timeout will never be triggered due to blocking of pcap_dispatch. Use poll() to frequently check if it is already timeout.

[tigercosmos]

@seladb please take a look.

[seladb]

@tigercosmos I updated the base branch to dev. We always merge PRs to dev first before merging them to master.

Please also note CI fails on many platforms. Can you please check?

[tigercosmos]

@tigercosmos I updated the base branch to dev. We always merge PRs to dev first before merging them to master.

Please also note CI fails on many platforms. Can you please check?

@seladb Sure, I will fix the CI. I would like to ask your opinion about this PR. Does the current implementation make sense to you?

[seladb]

Please see a few initial comments. I will do a more thorough review once CI passes

[tigercosmos]

@seladb I think it's ready for review

[tigercosmos]

it's weird, it seems that iptables does not work by default, but it succeeded before: 1a50a03

[tigercosmos]

@seladb I try to use sudo in the std::system and also try to use sudo to start the test. Neither of them work:

iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

Moreover, currently CI containers complain there is no iptables, so we also need to install it.
However, before a couple of commits merged into dev, I already used iptables, and CI was totally fine.

I also check the changes on dev, it seems it should not affect this "cannot use iptables".

[seladb]

@seladb I try to use sudo in the std::system and also try to use sudo to start the test. Neither of them work:

iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

Moreover, currently CI containers complain there is no iptables, so we also need to install it. However, before a couple of commits merged into dev, I already used iptables, and CI was totally fine.

I also check the changes on dev, it seems it should not affect this "cannot use iptables".

Maybe it's not possible to run iptables inside a docker container: https://forums.docker.com/t/iptables-permission-denied/81211/3 😕

[tigercosmos]

@seladb I try to use sudo in the std::system and also try to use sudo to start the test. Neither of them work:

iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

Moreover, currently CI containers complain there is no iptables, so we also need to install it. However, before a couple of commits merged into dev, I already used iptables, and CI was totally fine.
I also check the changes on dev, it seems it should not affect this "cannot use iptables".

Maybe it's not possible to run iptables inside a docker container: https://forums.docker.com/t/iptables-permission-denied/81211/3 😕

True... after survey, seems that Github action has some limitations.
seems a possible solution is to run a docker inside Github action with --cap-add=NET_ADMIN

Or, probably we should think of some other ways to test the function.

[tigercosmos]

@seladb Maybe we should not make it very complicated... as long as the poll version can work the same as the original version, maybe we don't need to prove that poll can timeout with no packets coming (we should believe that poll is always correct)

[seladb]

@seladb Maybe we should not make it very complicated... as long as the poll version can work the same as the original version, maybe we don't need to prove that poll can timeout with no packets coming (we should believe that poll is always correct)

@tigercosmos I tend to agree... I can't think of a good way to test the poll timeout so let's just keep the existing tests. It's not ideal but we currently don't have a CI infra that is robust enough to test this scenario.

Can you clean up the PR and I'll review it again?

[tigercosmos]

@seladb I added some comments here to mention that manual tests are required here

[tigercosmos]

this ensures the behaviour is as same as before.

[tigercosmos]

although this test cannot run on CI, we can manually run it locally.
I think it is worth keeping it, so I added a MANUAL_TEST flag for it.

[tigercosmos]

I found that it's really difficult to use iptables to block all packets. No matter how I set up rules, I still can see packets on Wireshark. Maybe the easiest way is to use a clean interface to test... since we can ensure no packets on it ...

[tigercosmos]

@seladb please let me know your opinion

[seladb]

Yes, I also encountered problems with iptables. I think we should just remove these tests. There is no point in MANUAL_TEST which we don't run anywhere...

[tigercosmos]

same for this test. use MANUAL_TEST here.

[seladb]

I think we can remove this test also...

[seladb]

I don't think we can return 0 directly because in lines 597-600 we reset a few private members.
Instead we should set m_StopThread = true and maybe add a new local variable pollError and I think we can return 0 in this case (poll error)

[tigercosmos]

fixed.

[seladb]

ditto: we cannot return 0 here. We should probably add a new local variable pollError and set it to true

[tigercosmos]

fixed.

[seladb]

An error in pcap_dispatch is -1 and not other values:

https://linux.die.net/man/3/pcap_dispatch

It returns -1 if an error occurs or -2 if the loop terminated due to a call to pcap_breakloop() before any packets were processed. If your application uses pcap_breakloop(), make sure that you explicitly check for -1 and -2, rather than just checking for a return value < 0.

[tigercosmos]

sorry, fixed.

[seladb]

Yes, I also encountered problems with iptables. I think we should just remove these tests. There is no point in MANUAL_TEST which we don't run anywhere...

[seladb]

I think we can remove this test also...

[tigercosmos]

@seladb all addressed

[tigercosmos]

finally 🎉
thanks @seladb

[seladb]

finally 🎉 thanks @seladb

Thank you @tigercosmos for your hard work and patience in solving all the issues, very much appreciated! 🙏