author | 2003-05-14 08:50:37 +0000 | |
---|---|---|
committer | 2003-05-14 08:50:37 +0000 | |
commit | 263bcd0c602ea893a1f099ba03ddac034dd01ab4 (patch) | |
tree | 2e94a399f77634e8e155c5ceff2bd8d306bb329b | |
parent | Minor format string correctness. (diff) | |
libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.
ok henning@ dhartmei@ frantzen@
-rw-r--r-- | lib/libpcap/gencode.c | 119 | ||||
-rw-r--r-- | lib/libpcap/gencode.h | 6 | ||||
-rw-r--r-- | lib/libpcap/grammar.y | 8 | ||||
-rw-r--r-- | lib/libpcap/scanner.l | 6 | ||||
-rw-r--r-- | usr.sbin/tcpdump/interface.h | 6 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-pflog.c | 123 | ||||
-rw-r--r-- | usr.sbin/tcpdump/tcpdump.8 | 20 | ||||
-rw-r--r-- | usr.sbin/tcpdump/tcpdump.c | 5 |
8 files changed, 252 insertions, 41 deletions
diff --git a/lib/libpcap/gencode.c b/lib/libpcap/gencode.c index c91561ebbc8..473f3a10f47 100644 --- a/lib/libpcap/gencode.c +++ b/lib/libpcap/gencode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gencode.c,v 1.18 2002/11/29 18:27:54 mickey Exp $ */ +/* $OpenBSD: gencode.c,v 1.19 2003/05/14 08:50:37 canacar Exp $ */ /* * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 @@ -22,7 +22,7 @@ */ #ifndef lint static const char rcsid[] = - "@(#) $Header: /home/cvs/src/lib/libpcap/gencode.c,v 1.18 2002/11/29 18:27:54 mickey Exp $ (LBL)"; + "@(#) $Header: /home/cvs/src/lib/libpcap/gencode.c,v 1.19 2003/05/14 08:50:37 canacar Exp $ (LBL)"; #endif #include <sys/types.h> @@ -620,11 +620,17 @@ init_linktype(type) off_nl = 12; return; - case DLT_PFLOG: + case DLT_OLD_PFLOG: off_linktype = 0; off_nl = 28; return; + case DLT_PFLOG: + off_linktype = 0; + /* XXX read from header? */ + off_nl = PFLOG_HDRLEN; + return; + case DLT_PFSYNC: off_linktype = -1; off_nl = 4; @@ -740,7 +746,7 @@ gen_linktype(proto) else return gen_false(); break; - case DLT_PFLOG: + case DLT_OLD_PFLOG: if (proto == ETHERTYPE_IP) return (gen_cmp(0, BPF_W, (bpf_int32)AF_INET)); #ifdef INET6 @@ -750,6 +756,20 @@ gen_linktype(proto) else return gen_false(); break; + + case DLT_PFLOG: + if (proto == ETHERTYPE_IP) + return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B, + (bpf_int32)AF_INET)); +#ifdef INET6 + else if (proto == ETHERTYPE_IPV6) + return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B, + (bpf_int32)AF_INET6)); +#endif /* INET6 */ + else + return gen_false(); + break; + case DLT_ARCNET: /* * XXX should we check for first fragment if the protocol @@ -2903,7 +2923,12 @@ gen_inbound(dir) break; case DLT_PFLOG: - b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_H, + b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B, + (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); + break; + + case DLT_OLD_PFLOG: + b0 = gen_cmp(offsetof(struct old_pfloghdr, dir), BPF_H, (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); break; 
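Review bot: In the init_linktype hunk, `off_nl = PFLOG_HDRLEN;` fixes the network-layer offset at filter-compile time, while the printer added to print-pflog.c in this same commit takes the header length per record from `hdr->length`. If a record's header length ever differs from PFLOG_HDRLEN, every filter primitive that looks into the IP header would test the wrong bytes, and a capture filter would match or miss traffic without any error. The `/* XXX read from header? */` marker should state that consequence, for example `/* XXX fixed offset: IP-level filters are wrong if pfloghdr.length != PFLOG_HDRLEN */`. init_linktype's body continues outside the hunk.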
@@ -2922,19 +2947,45 @@ struct block * gen_pf_ifname(char *ifname) { struct block *b0; - - if (linktype != DLT_PFLOG) { + u_int len, off; + + if (linktype == DLT_PFLOG) { + len = sizeof(((struct pfloghdr *)0)->ifname); + off = offsetof(struct pfloghdr, ifname); + } else if (linktype == DLT_OLD_PFLOG) { + len = sizeof(((struct old_pfloghdr *)0)->ifname); + off = offsetof(struct old_pfloghdr, ifname); + } else { bpf_error("ifname not supported on linktype 0x%x\n", linktype); /* NOTREACHED */ } - if (strlen(ifname) >= sizeof(((struct pfloghdr *)0)->ifname)) { + if (strlen(ifname) >= len) { bpf_error("ifname interface names can only be %d characters\n", - sizeof(((struct pfloghdr *)0)->ifname) - 1); + len - 1); + /* NOTREACHED */ + } + b0 = gen_bcmp(off, strlen(ifname), ifname); + return (b0); +} + +/* PF firewall log matched interface */ +struct block * +gen_pf_ruleset(char *ruleset) +{ + struct block *b0; + + if (linktype != DLT_PFLOG) { + bpf_error("ruleset not supported on linktype 0x%x\n", linktype); /* NOTREACHED */ } - b0 = gen_bcmp(offsetof(struct pfloghdr, ifname), strlen(ifname), - ifname); + if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { + bpf_error("ruleset names can only be %d characters\n", + sizeof(((struct pfloghdr *)0)->ruleset) - 1); + /* NOTREACHED */ + } + b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset), + strlen(ruleset), ruleset); return (b0); } 
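Review bot: In the new gen_pf_ruleset, the second bpf_error call passes `sizeof(((struct pfloghdr *)0)->ruleset) - 1`, which is a size_t, to a `%d` conversion; gen_pf_ifname in this same hunk avoids that by going through a `u_int len`. Either mirror that local or cast the argument, `(int)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)`. The comment above the function, `/* PF firewall log matched interface */`, was copied from gen_pf_ifname and should read something like `/* PF firewall log ruleset name */`. Both functions hand only `strlen()` bytes to gen_bcmp, so the terminating NUL is not part of the comparison and a name appears to match any logged name it is a prefix of; if that is intended it deserves a one-line comment.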
@@ -2945,12 +2996,34 @@ gen_pf_rnr(int rnr) { struct block *b0; - if (linktype != DLT_PFLOG) { + if (linktype == DLT_PFLOG) { + b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W, + (bpf_int32)rnr); + } else if (linktype == DLT_OLD_PFLOG) { + b0 = gen_cmp(offsetof(struct old_pfloghdr, rnr), BPF_H, + (bpf_int32)rnr); + } else { bpf_error("rnr not supported on linktype 0x%x\n", linktype); /* NOTREACHED */ } - b0 = gen_cmp(offsetof(struct pfloghdr, rnr), BPF_H, (bpf_int32)rnr); + return (b0); +} + + +/* PF firewall log sub-rule number */ +struct block * +gen_pf_srnr(int srnr) +{ + struct block *b0; + + if (linktype != DLT_PFLOG) { + bpf_error("srnr not supported on linktype 0x%x\n", linktype); + /* NOTREACHED */ + } + + b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W, + (bpf_int32)srnr); return (b0); } @@ -2960,13 +3033,17 @@ gen_pf_reason(int reason) { struct block *b0; - if (linktype != DLT_PFLOG) { + if (linktype == DLT_PFLOG) { + b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B, + (bpf_int32)reason); + } else if (linktype == DLT_OLD_PFLOG) { + b0 = gen_cmp(offsetof(struct old_pfloghdr, reason), BPF_H, + (bpf_int32)reason); + } else { bpf_error("reason not supported on linktype 0x%x\n", linktype); /* NOTREACHED */ } - b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_H, - (bpf_int32)reason); return (b0); } @@ -2976,13 +3053,17 @@ gen_pf_action(int action) { struct block *b0; - if (linktype != DLT_PFLOG) { + if (linktype == DLT_PFLOG) { + b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B, + (bpf_int32)action); + } else if (linktype == DLT_OLD_PFLOG) { + b0 = gen_cmp(offsetof(struct old_pfloghdr, action), BPF_H, + (bpf_int32)action); + } else { bpf_error("action not supported on linktype 0x%x\n", linktype); /* NOTREACHED */ } - b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_H, - (bpf_int32)action); return (b0); } diff --git a/lib/libpcap/gencode.h b/lib/libpcap/gencode.h index c6d408cc9fc..433032c859e 100644 --- a/lib/libpcap/gencode.h 
+++ b/lib/libpcap/gencode.h @@ -1,4 +1,4 @@ -/* $OpenBSD: gencode.h,v 1.10 2002/03/23 01:33:16 frantzen Exp $ */ +/* $OpenBSD: gencode.h,v 1.11 2003/05/14 08:50:37 canacar Exp $ */ /* * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996 @@ -20,7 +20,7 @@ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * @(#) $Header: /home/cvs/src/lib/libpcap/gencode.h,v 1.10 2002/03/23 01:33:16 frantzen Exp $ (LBL) + * @(#) $Header: /home/cvs/src/lib/libpcap/gencode.h,v 1.11 2003/05/14 08:50:37 canacar Exp $ (LBL) */ /* Address qualifiers. */ @@ -178,6 +178,8 @@ struct block *gen_inbound(int); struct block *gen_pf_ifname(char *); struct block *gen_pf_rnr(int); +struct block *gen_pf_srnr(int); +struct block *gen_pf_ruleset(char *); struct block *gen_pf_reason(int); struct block *gen_pf_action(int); struct block *gen_pf_dir(int); diff --git a/lib/libpcap/grammar.y b/lib/libpcap/grammar.y index 4b4cbb6317c..7ac78380cf1 100644 --- a/lib/libpcap/grammar.y +++ b/lib/libpcap/grammar.y @@ -1,5 +1,5 @@ %{ -/* $OpenBSD: grammar.y,v 1.10 2002/03/23 01:33:16 frantzen Exp $ */ +/* $OpenBSD: grammar.y,v 1.11 2003/05/14 08:50:37 canacar Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 @@ -24,7 +24,7 @@ */ #ifndef lint static const char rcsid[] = - "@(#) $Header: /home/cvs/src/lib/libpcap/grammar.y,v 1.10 2002/03/23 01:33:16 frantzen Exp $ (LBL)"; + "@(#) $Header: /home/cvs/src/lib/libpcap/grammar.y,v 1.11 2003/05/14 08:50:37 canacar Exp $ (LBL)"; #endif #include <sys/types.h> @@ -108,7 +108,7 @@ pcap_parse() %token ATALK DECNET LAT SCA MOPRC MOPDL %token TK_BROADCAST TK_MULTICAST %token NUM INBOUND OUTBOUND -%token PF_IFNAME PF_RNR PF_REASON PF_ACTION +%token PF_IFNAME PF_RSET PF_RNR PF_SRNR PF_REASON PF_ACTION %token LINK %token GEQ LEQ NEQ %token ID EID HID HID6 
@@ -274,7 +274,9 @@ other: pqual TK_BROADCAST { $$ = gen_broadcast($1); } ; pfvar: PF_IFNAME ID { $$ = gen_pf_ifname($2); } + | PF_RSET ID { $$ = gen_pf_ruleset($2); } | PF_RNR NUM { $$ = gen_pf_rnr($2); } + | PF_SRNR NUM { $$ = gen_pf_srnr($2); } | PF_REASON reason { $$ = gen_pf_reason($2); } | PF_ACTION action { $$ = gen_pf_action($2); } ; diff --git a/lib/libpcap/scanner.l b/lib/libpcap/scanner.l index 4d214ad4752..011e662da24 100644 --- a/lib/libpcap/scanner.l +++ b/lib/libpcap/scanner.l @@ -1,5 +1,5 @@ %{ -/* $OpenBSD: scanner.l,v 1.13 2002/08/26 22:43:53 deraadt Exp $ */ +/* $OpenBSD: scanner.l,v 1.14 2003/05/14 08:50:37 canacar Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 @@ -24,7 +24,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /home/cvs/src/lib/libpcap/scanner.l,v 1.13 2002/08/26 22:43:53 deraadt Exp $ (LBL)"; + "@(#) $Header: /home/cvs/src/lib/libpcap/scanner.l,v 1.14 2003/05/14 08:50:37 canacar Exp $ (LBL)"; #endif #include <sys/types.h> @@ -227,7 +227,9 @@ inbound return INBOUND; outbound return OUTBOUND; on|ifname return PF_IFNAME; +rset|ruleset return PF_RSET; rnr|rulenum return PF_RNR; +srnr|subrulenum return PF_SRNR; reason return PF_REASON; action return PF_ACTION; diff --git a/usr.sbin/tcpdump/interface.h b/usr.sbin/tcpdump/interface.h index 3a2a8629467..bfcc957cc00 100644 --- a/usr.sbin/tcpdump/interface.h +++ b/usr.sbin/tcpdump/interface.h @@ -1,4 +1,4 @@ -/* $OpenBSD: interface.h,v 1.36 2003/02/20 23:39:20 jason Exp $ */ +/* $OpenBSD: interface.h,v 1.37 2003/05/14 08:50:37 canacar Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 
@@ -20,7 +20,7 @@ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * @(#) $Header: /home/cvs/src/usr.sbin/tcpdump/interface.h,v 1.36 2003/02/20 23:39:20 jason Exp $ (LBL) + * @(#) $Header: /home/cvs/src/usr.sbin/tcpdump/interface.h,v 1.37 2003/05/14 08:50:37 canacar Exp $ (LBL) */ #ifndef tcpdump_interface_h @@ -195,6 +195,8 @@ extern void egp_print(const u_char *, u_int, const u_char *); extern void enc_if_print(u_char *, const struct pcap_pkthdr *, const u_char *); extern void pflog_if_print(u_char *, const struct pcap_pkthdr *, const u_char *); +extern void pflog_old_if_print(u_char *, const struct pcap_pkthdr *, + const u_char *); extern void pfsync_if_print(u_char *, const struct pcap_pkthdr *, const u_char *); extern void ether_if_print(u_char *, const struct pcap_pkthdr *, diff --git a/usr.sbin/tcpdump/print-pflog.c b/usr.sbin/tcpdump/print-pflog.c index b0ca03b8e30..f714631882c 100644 --- a/usr.sbin/tcpdump/print-pflog.c +++ b/usr.sbin/tcpdump/print-pflog.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print-pflog.c,v 1.12 2003/01/28 22:45:19 henning Exp $ */ +/* $OpenBSD: print-pflog.c,v 1.13 2003/05/14 08:50:37 canacar Exp $ */ /* * Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996 @@ -23,7 +23,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /home/cvs/src/usr.sbin/tcpdump/print-pflog.c,v 1.12 2003/01/28 22:45:19 henning Exp $ (LBL)"; + "@(#) $Header: /home/cvs/src/usr.sbin/tcpdump/print-pflog.c,v 1.13 2003/05/14 08:50:37 canacar Exp $ (LBL)"; #endif #include <sys/param.h> 
@@ -59,17 +59,32 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h, register const u_char *p) { u_int length = h->len; + u_int hdrlen; u_int caplen = h->caplen; const struct ip *ip; const struct ip6_hdr *ip6; const struct pfloghdr *hdr; - u_short res; + u_int32_t res; char reason[128], *why; u_int8_t af; ts_print(&h->ts); - if (caplen < PFLOG_HDRLEN) { + // check length + if (caplen < sizeof(u_int8_t)) { + printf("[|pflog]"); + goto out; + } + +#define MIN_PFLOG_HDRLEN 45 + hdr = (struct pfloghdr *)p; + if (hdr->length < MIN_PFLOG_HDRLEN) { + printf("[pflog: invalid header length!]"); + goto out; + } + hdrlen = BPF_WORDALIGN(hdr->length); + + if (caplen < hdrlen) { printf("[|pflog]"); goto out; } 
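Review bot: The accepted minimum, `#define MIN_PFLOG_HDRLEN 45`, is an unexplained number defined in the middle of pflog_if_print, and the only bound enforced after it is `caplen < hdrlen`. The rest of the function (next hunk) reads `rulenr`, `subrulenr`, `ruleset`, `ifname` and `af` from the header, so the check is sufficient only if all of those fields lie within the first 45 bytes; that cannot be confirmed from this hunk, and the input is a capture record that may be truncated or crafted. Deriving the constant from the struct layout, or at least documenting it with `/* smallest header that still contains every field printed below */`, would make the invariant checkable. The `// check length` comment also departs from the `/* */` style used elsewhere in the file; the function body starts and ends outside this hunk.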
@@ -84,6 +99,96 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h, hdr = (struct pfloghdr *)p; if (eflag) { + res = hdr->reason; + why = (res < PFRES_MAX) ? pf_reasons[res] : "unkn"; + + snprintf(reason, sizeof(reason), "%d(%s)", res, why); + + if (ntohl(hdr->subrulenr) == (u_int32_t) -1) + printf("rule %u/%s: ", + ntohl(hdr->rulenr), reason); + else + printf("rule %u.%s.%u/%s: ", ntohl(hdr->rulenr), + hdr->ruleset, ntohl(hdr->subrulenr), reason); + + switch (hdr->action) { + case PF_SCRUB: + printf("scrub"); + break; + case PF_PASS: + printf("pass"); + break; + case PF_DROP: + printf("block"); + break; + case PF_NAT: + case PF_NONAT: + printf("nat"); + break; + case PF_BINAT: + case PF_NOBINAT: + printf("binat"); + break; + case PF_RDR: + case PF_NORDR: + printf("rdr"); + break; + } + printf(" %s on %s: ", + hdr->dir == PF_OUT ? "out" : "in", + hdr->ifname); + } + af = hdr->af; + length -= hdrlen; + if (af == AF_INET) { + ip = (struct ip *)(p + hdrlen); + ip_print((const u_char *)ip, length); + if (xflag) + default_print((const u_char *)ip, + caplen - hdrlen); + } else { + ip6 = (struct ip6_hdr *)(p + hdrlen); + ip6_print((const u_char *)ip6, length); + if (xflag) + default_print((const u_char *)ip6, + caplen - hdrlen); + } + +out: + putchar('\n'); +} + + +void +pflog_old_if_print(u_char *user, const struct pcap_pkthdr *h, + register const u_char *p) +{ + u_int length = h->len; + u_int caplen = h->caplen; + const struct ip *ip; + const struct ip6_hdr *ip6; + const struct old_pfloghdr *hdr; + u_short res; + char reason[128], *why; + u_int8_t af; + + ts_print(&h->ts); + + if (caplen < OLD_PFLOG_HDRLEN) { + printf("[|pflog]"); + goto out; + } + + /* + * Some printers want to get back at the link level addresses, + * and/or check that they're not walking off the end of the packet. + * Rather than pass them all the way down, we set these globals. 
+ */ + packetp = p; + snapend = p + caplen; + + hdr = (struct old_pfloghdr *)p; + if (eflag) { res = ntohs(hdr->reason); why = (res < PFRES_MAX) ? pf_reasons[res] : "unkn"; @@ -119,19 +224,19 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h, hdr->ifname); } af = ntohl(hdr->af); - length -= PFLOG_HDRLEN; + length -= OLD_PFLOG_HDRLEN; if (af == AF_INET) { - ip = (struct ip *)(p + PFLOG_HDRLEN); + ip = (struct ip *)(p + OLD_PFLOG_HDRLEN); ip_print((const u_char *)ip, length); if (xflag) default_print((const u_char *)ip, - caplen - PFLOG_HDRLEN); + caplen - OLD_PFLOG_HDRLEN); } else { - ip6 = (struct ip6_hdr *)(p + PFLOG_HDRLEN); + ip6 = (struct ip6_hdr *)(p + OLD_PFLOG_HDRLEN); ip6_print((const u_char *)ip6, length); if (xflag) default_print((const u_char *)ip6, - caplen - PFLOG_HDRLEN); + caplen - OLD_PFLOG_HDRLEN); } out: diff --git a/usr.sbin/tcpdump/tcpdump.8 b/usr.sbin/tcpdump/tcpdump.8 index 25e80a3d94c..3a4606384cc 100644 --- a/usr.sbin/tcpdump/tcpdump.8 +++ b/usr.sbin/tcpdump/tcpdump.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tcpdump.8,v 1.33 2003/04/08 01:21:11 david Exp $ +.\" $OpenBSD: tcpdump.8,v 1.34 2003/05/14 08:50:37 canacar Exp $ .\" .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996 .\" The Regents of the University of California. All rights reserved. @@ -663,7 +663,7 @@ Synonymous with the modifier. .It Cm rnr Ar num True if the packet was logged as matching the specified PF rule number -(applies only to packets logged by +in the main ruleset (applies only to packets logged by .Xr pf 4 ). .It Cm rulenum Ar num Synonomous with the 
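Review bot: In the `eflag` branch added to pflog_if_print, `hdr->ruleset` and `hdr->ifname` are printed with a plain `%s`, but both are fixed-size fields taken straight from the captured record and nothing visible guarantees they are NUL-terminated. An unterminated field would make printf read on past the field, possibly past `snapend`. Bounding the conversion keeps the read inside the field: `printf(" %s on %.*s: ", hdr->dir == PF_OUT ? "out" : "in", (int)sizeof(hdr->ifname), hdr->ifname);` and likewise `%.*s` with `(int)sizeof(hdr->ruleset)` in the `rule %u.%s.%u/%s` format. Separately, `res` is now `u_int32_t` but is still formatted with `%d` in the snprintf call, where `%u` would match. The function starts before this hunk.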
@@ -681,6 +681,22 @@ and .Ar memory . (applies only to packets logged by .Xr pf 4 ). +.It Cm rset Ar name +True if the packet was logged as matching the specified PF ruleset +name of an anchored ruleset (applies only to packets logged by +.Xr pf 4 ). +.It Cm ruleset Ar name +Synonomous with the +.Ar rset +modifier. +.It Cm srnr Ar num +True if the packet was logged as matching the specified PF rule number +of an anchored ruleset (applies only to packets logged by +.Xr pf 4 ). +.It Cm subrulenum Ar num +Synonomous with the +.Ar srnr +modifier. .It Cm action Ar act True if PF took the specified action when the packet was logged. Known actions are: diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c index dea85777191..929a089784b 100644 --- a/usr.sbin/tcpdump/tcpdump.c +++ b/usr.sbin/tcpdump/tcpdump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcpdump.c,v 1.30 2002/11/30 13:56:23 mickey Exp $ */ +/* $OpenBSD: tcpdump.c,v 1.31 2003/05/14 08:50:37 canacar Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 @@ -26,7 +26,7 @@ static const char copyright[] = "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997\n\ The Regents of the University of California. All rights reserved.\n"; static const char rcsid[] = - "@(#) $Header: /home/cvs/src/usr.sbin/tcpdump/tcpdump.c,v 1.30 2002/11/30 13:56:23 mickey Exp $ (LBL)"; + "@(#) $Header: /home/cvs/src/usr.sbin/tcpdump/tcpdump.c,v 1.31 2003/05/14 08:50:37 canacar Exp $ (LBL)"; #endif /* @@ -111,6 +111,7 @@ static struct printer printers[] = { { loop_if_print, DLT_LOOP }, { enc_if_print, DLT_ENC }, { pflog_if_print, DLT_PFLOG }, + { pflog_old_if_print, DLT_OLD_PFLOG }, { pfsync_if_print, DLT_PFSYNC }, { NULL, 0 }, }; |