author | 2001-06-25 23:02:17 +0000 | |
committer | 2001-06-25 23:02:17 +0000 | |
commit | b9d38aaec7cb7a5f94d408fcef2db7d53f3be5f2 (patch) | |
tree | e3a1a9f96048845be9693026a47009641a3819ab | |
parent | Enable interrupts during PCIIDE detect (diff) | |
extend the logging via a new link header type. export interface, direction,
action and rule nr.
-rw-r--r-- | sys/net/bpf.h | 3 | ||||
-rw-r--r-- | sys/net/if_pflog.c | 10 | ||||
-rw-r--r-- | sys/net/if_pflog.h | 10 | ||||
-rw-r--r-- | sys/net/if_types.h | 5 | ||||
-rw-r--r-- | sys/net/pf.c | 47 |
5 files changed, 42 insertions, 33 deletions
diff --git a/sys/net/bpf.h b/sys/net/bpf.h
index 6cfd2337b27..61df4a03483 100644
--- a/sys/net/bpf.h
+++ b/sys/net/bpf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.h,v 1.15 2001/06/09 06:16:37 angelos Exp $ */
+/* $OpenBSD: bpf.h,v 1.16 2001/06/25 23:02:17 provos Exp $ */
 /* $NetBSD: bpf.h,v 1.15 1996/12/13 07:57:33 mikel Exp $ */
 
 /*
@@ -164,6 +164,7 @@ struct bpf_hdr {
 #define DLT_RAW 14 /* raw IP */
 #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
 #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
+#define DLT_PFLOG 17 /* Packet filter logging */
 
 /*
  * The instruction encodings.
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c
index 37fa1ffcc82..e3fa20367be 100644
--- a/sys/net/if_pflog.c
+++ b/sys/net/if_pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.c,v 1.2 2001/06/25 21:07:44 art Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.3 2001/06/25 23:02:18 provos Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -69,10 +69,6 @@
 #define DPRINTF(x)
 #endif
 
-#if NPFLOG != 2
-#error "if_plog needs exactly two interfaces, fix sys/conf/GENERIC"
-#endif
-
 struct pflog_softc pflogif[NPFLOG];
 
 void pflogattach(int);
@@ -100,13 +96,13 @@ pflogattach(int npflog)
 ifp->if_ioctl = pflogioctl;
 ifp->if_output = pflogoutput;
 ifp->if_start = pflogstart;
-ifp->if_type = IFT_LOOP;
+ifp->if_type = IFT_PFLOG;
 ifp->if_snd.ifq_maxlen = ifqmaxlen;
 ifp->if_hdrlen = PFLOG_HDRLEN;
 if_attach(ifp);
 
 #if NBPFILTER > 0
-bpfattach(&pflogif[i].sc_if.if_bpf, ifp, DLT_LOOP,
+bpfattach(&pflogif[i].sc_if.if_bpf, ifp, DLT_PFLOG,
 PFLOG_HDRLEN);
 #endif
 #ifdef INET6
diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 48cfd11a678..577ee1c340d 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
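Review bot: `DLT_PFLOG 17` in the bpf.h hunk is taken from the low numeric range that libpcap and the other BSDs allocate independently, so a capture file written with this link type may be misread by a tool that assigns 17 a different meaning; the value should be coordinated with libpcap, or the caveat recorded next to the define, before userland starts depending on it. A comment such as `/* Packet filter logging; OpenBSD-local DLT value, check libpcap before relying on it elsewhere */` would at least document the risk. The same number is what if_pflog.c now passes to bpfattach(), so both sites share the concern.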
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.h,v 1.1 2001/06/25 20:48:17 provos Exp $ */
+/* $OpenBSD: if_pflog.h,v 1.2 2001/06/25 23:02:19 provos Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -36,15 +36,19 @@
 #ifndef _NET_IF_PFLOG_H_
 #define _NET_IF_PFLOG_H_
 
-#define PFLOG_HDRLEN 4
-
 struct pflog_softc {
 struct ifnet sc_if; /* the interface */
 };
 
 struct pfloghdr {
 u_int32_t af;
+char ifname[IFNAMSIZ];
+int rnr;
+short dir;
+short action;
 };
+#define PFLOG_HDRLEN sizeof(struct pfloghdr)
+
 extern struct pflog_softc pflogif[];
 
 #endif /* _NET_IF_ENC_H_ */
diff --git a/sys/net/if_types.h b/sys/net/if_types.h
index beeafa12294..3abfde46851 100644
--- a/sys/net/if_types.h
+++ b/sys/net/if_types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_types.h,v 1.9 2001/06/09 06:16:38 angelos Exp $ */
+/* $OpenBSD: if_types.h,v 1.10 2001/06/25 23:02:20 provos Exp $ */
 /* $NetBSD: if_types.h,v 1.7 1995/02/27 09:10:24 glass Exp $ */
 
 /*
@@ -99,7 +99,8 @@
 #define IFT_SMDSICIP 0x34 /* SMDS InterCarrier Interface */
 #define IFT_PROPVIRTUAL 0x35 /* Proprietary Virtual/internal */
 #define IFT_PROPMUX 0x36 /* Proprietary Multiplexing */
-#define IFT_ENC 0x37 /* Encapsulation */
+#define IFT_ENC 0x37 /* Encapsulation */
+#define IFT_PFLOG 0x38 /* Packet filter logging */
 
 /* private usage... how should we define these? */
 #define IFT_BRIDGE 0xe8 /* bridge interfaces */
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8d0817e402c..a992f29f3e1 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.38 2001/06/25 22:53:39 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.39 2001/06/25 23:02:20 provos Exp $ */
 
 /*
  * Copyright (c) 2001, Daniel Hartmeier
@@ -57,6 +57,7 @@
 #include <netinet/ip_icmp.h>
 
 #include "bpfilter.h"
+#include "pflog.h"
 
 /*
  * Tree data structure
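Review bot: `struct pfloghdr` in the if_pflog.h hunk now doubles as the bpf link-layer record that userland parses, but its new `int rnr`, `short dir` and `short action` fields have host-dependent width and alignment, so `PFLOG_HDRLEN sizeof(struct pfloghdr)` and the field offsets can differ between the kernel writing the log and a tool reading a saved capture on another platform. Fixed-width types pin the layout, `u_int32_t rnr; u_int16_t dir; u_int16_t action;`, matching the `u_int32_t af` the struct already uses, and a comment on the struct should state that the fields are stored in network byte order (pf.c fills them with htonl/htons) and that the layout is the DLT_PFLOG record format. The unchanged `#endif /* _NET_IF_ENC_H_ */` at the end of the hunk still names the header this file was copied from and should read `_NET_IF_PFLOG_H_`.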
@@ -161,16 +162,21 @@ struct pf_state *pf_test_state_icmp(int, struct ifnet *, struct mbuf **, int,
 void *pull_hdr(struct ifnet *, struct mbuf **, int, int, int, struct ip *, int *);
 int pf_test(int, struct ifnet *, struct mbuf **);
-int pflog_packet(struct mbuf *, int, int);
+int pflog_packet(struct mbuf *, int, short,int,
+ struct pf_rule *);
 
-#define PFLOG_PACKET(x,a,b,c) \
+#if NPFLOG > 0
+#define PFLOG_PACKET(x,a,b,c,d,e) \
 do { \
 HTONS((x)->ip_len); \
 HTONS((x)->ip_off); \
- pflog_packet(a,b,c); \
+ pflog_packet(a,b,c,d,e); \
 NTOHS((x)->ip_len); \
 NTOHS((x)->ip_off); \
 } while (0)
+#else
+#define PFLOG_PACKET
+#endif
 
 int
 tree_key_compare(struct pf_tree_key *a, struct pf_tree_key *b)
@@ -349,30 +355,31 @@ tree_remove(struct pf_tree_node **p, struct pf_tree_key *key)
 }
 
 int
-pflog_packet(struct mbuf *m, int af, int action)
+pflog_packet(struct mbuf *m, int af, short dir, int nr, struct pf_rule *rm)
 {
 #if NBPFILTER > 0
- struct ifnet *ifn;
+ struct ifnet *ifn, *ifp = rm->ifp;
 struct pfloghdr hdr;
 struct mbuf m1;
 
 hdr.af = htonl(af);
+ /* Set the right interface name */
+ if (m->m_pkthdr.rcvif != NULL)
+ ifp = m->m_pkthdr.rcvif;
+ if (ifp != NULL)
+ memcpy(hdr.ifname, ifp->if_xname, sizeof(hdr.ifname));
+ else
+ strcpy(hdr.ifname, "unkn");
+
+ hdr.dir = htons(dir);
+ hdr.action = htons(rm->action);
+ hdr.rnr = htonl(nr);
 
 m1.m_next = m;
 m1.m_len = PFLOG_HDRLEN;
 m1.m_data = (char *) &hdr;
 
- switch (action) {
- case PF_DROP_RST:
- case PF_DROP:
- ifn = &(pflogif[0].sc_if);
- break;
- case PF_PASS:
- ifn = &(pflogif[1].sc_if);
- break;
- default:
- return (-1);
- }
+ ifn = &(pflogif[0].sc_if);
 
 if (ifn->if_bpf)
 bpf_mtap(ifn->if_bpf, &m1);
@@ -1254,7 +1261,7 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf **m, int off,
 }
 
 if ((rm != NULL) && rm->log)
-PFLOG_PACKET(h, *m, AF_INET, rm->action);
+PFLOG_PACKET(h, *m, AF_INET, direction, mnr, rm);
 
 if ((rm != NULL) && (rm->action == PF_DROP_RST)) {
 /* undo NAT/RST changes, if they have taken place */
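Review bot: The `#else` fallback `#define PFLOG_PACKET` in the pf.c prototype hunk is an object-like macro with no parameter list, so a call such as `PFLOG_PACKET(h, *m, AF_INET, direction, mnr, rm);` does not vanish when NPFLOG is 0; it expands to the comma expression `(h, *m, AF_INET, direction, mnr, rm);`, which still evaluates `*m` and draws unused-value warnings. A function-like no-op keeps every call site well-formed: `#define PFLOG_PACKET(x,a,b,c,d,e) do { } while (0)`. The new prototype's `short,int` is also missing the space after the comma that the rest of the parameter list uses.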
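Review bot: `hdr` in the rewritten pflog_packet is a stack variable that is only partially filled before bpf_mtap() copies it to every bpf listener on pflog0: when no interface is known, `strcpy(hdr.ifname, "unkn")` writes 5 of the IFNAMSIZ bytes and the rest of `ifname`, plus any padding the compiler places inside `struct pfloghdr` (PFLOG_HDRLEN is now the full sizeof), goes out as uninitialized kernel stack. Clearing the record first, `bzero(&hdr, sizeof(hdr));` immediately before `hdr.af = htonl(af);`, closes that leak, and a bounded copy for the literal, `strlcpy(hdr.ifname, "unkn", sizeof(hdr.ifname));`, keeps the fill explicit. The initializer `*ifp = rm->ifp` dereferences `rm` before anything in the function checks it; the three call sites in this commit all test `rm != NULL` first, so a comment on the function stating that `rm` must be non-NULL would pin that contract. The function's return path lies outside the hunk.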
@@ -1380,7 +1387,7 @@ pf_test_udp(int direction, struct ifnet *ifp, struct mbuf **m, int off,
 }
 
 if (rm != NULL && rm->log)
-PFLOG_PACKET(h, *m, AF_INET, rm->action);
+PFLOG_PACKET(h, *m, AF_INET, direction, mnr, rm);
 
 if (rm != NULL && rm->action != PF_PASS)
 return (PF_DROP);
@@ -1479,7 +1486,7 @@ pf_test_icmp(int direction, struct ifnet *ifp, struct mbuf **m, int off,
 }
 
 if (rm != NULL && rm->log)
-PFLOG_PACKET(h, *m, AF_INET, rm->action);
+PFLOG_PACKET(h, *m, AF_INET, direction, mnr, rm);
 
 if (rm != NULL && rm->action != PF_PASS)
 return (PF_DROP);