1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 /*
30 * Logging support for ipfw
31 */
32
33 #include "opt_ipfw.h"
34 #include "opt_inet.h"
35 #ifndef INET
36 #error IPFIREWALL requires INET.
37 #endif /* INET */
38 #include "opt_inet6.h"
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/kernel.h>
43 #include <sys/mbuf.h>
44 #include <sys/socket.h>
45 #include <sys/sysctl.h>
46 #include <sys/syslog.h>
47 #include <net/ethernet.h> /* for ETHERTYPE_IP */
48 #include <net/if.h>
49 #include <net/if_dl.h>
50 #include <net/if_var.h>
51 #include <net/if_private.h>
52 #include <net/vnet.h>
53 #include <net/route.h>
54 #include <net/route/route_var.h>
55
56 #include <netinet/in.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_icmp.h>
59 #include <netinet/ip_var.h>
60 #include <netinet/ip_fw.h>
61 #include <netinet/udp.h>
62 #include <netinet/tcp.h>
63
64 #include <netinet/ip6.h>
65 #include <netinet/icmp6.h>
66 #ifdef INET6
67 #include <netinet6/in6_var.h> /* ip6_sprintf() */
68 #endif
69
70 #include <netpfil/ipfw/ip_fw_private.h>
71
72 #ifdef MAC
73 #include <security/mac/mac_framework.h>
74 #endif
75
76 /*
77 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
78 * Other macros just cast void * into the appropriate type
79 */
80 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
81 #define TCP(p) ((struct tcphdr *)(p))
82 #define SCTP(p) ((struct sctphdr *)(p))
83 #define UDP(p) ((struct udphdr *)(p))
84 #define ICMP(p) ((struct icmphdr *)(p))
85 #define ICMP6(p) ((struct icmp6_hdr *)(p))
86
87 #ifdef __APPLE__
88 #undef snprintf
89 #define snprintf sprintf
90 #define SNPARGS(buf, len) buf + len
91 #define SNP(buf) buf
92 #else /* !__APPLE__ */
93 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
94 #define SNP(buf) buf, sizeof(buf)
95 #endif /* !__APPLE__ */
96
97 #define TARG(k, f) IP_FW_ARG_TABLEARG(chain, k, f)
98
99 /*
100 * XXX this function alone takes about 2Kbytes of code!
101 */
102 static void
ipfw_log_syslog(struct ip_fw_chain * chain,struct ip_fw * f,u_int hlen,struct ip_fw_args * args,u_short offset,uint32_t tablearg,struct ip * ip)103 ipfw_log_syslog(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
104 struct ip_fw_args *args, u_short offset, uint32_t tablearg, struct ip *ip)
105 {
106 char *action;
107 int limit_reached = 0;
108 char action2[92], proto[128], fragment[32], mark_str[24];
109
110 fragment[0] = '\0';
111 proto[0] = '\0';
112
113 if (f == NULL) { /* bogus pkt */
114 if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit)
115 return;
116 V_norule_counter++;
117 if (V_norule_counter == V_verbose_limit)
118 limit_reached = V_verbose_limit;
119 action = "Refuse";
120 } else { /* O_LOG is the first action, find the real one */
121 ipfw_insn *cmd = ACTION_PTR(f);
122 ipfw_insn_log *l = (ipfw_insn_log *)cmd;
123
124 if (l->max_log != 0 && l->log_left == 0)
125 return;
126 l->log_left--;
127 if (l->log_left == 0)
128 limit_reached = l->max_log;
129 cmd += F_LEN(cmd); /* point to first action */
130 if (cmd->opcode == O_ALTQ) {
131 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
132
133 snprintf(SNPARGS(action2, 0), "Altq %d",
134 altq->qid);
135 cmd += F_LEN(cmd);
136 }
137 if (cmd->opcode == O_PROB || cmd->opcode == O_TAG)
138 cmd += F_LEN(cmd);
139
140 action = action2;
141 switch (cmd->opcode) {
142 case O_DENY:
143 action = "Deny";
144 break;
145
146 case O_REJECT:
147 if (cmd->arg1==ICMP_REJECT_RST)
148 action = "Reset";
149 else if (cmd->arg1==ICMP_REJECT_ABORT)
150 action = "Abort";
151 else if (cmd->arg1==ICMP_UNREACH_HOST)
152 action = "Reject";
153 else
154 snprintf(SNPARGS(action2, 0), "Unreach %d",
155 cmd->arg1);
156 break;
157
158 case O_UNREACH6:
159 if (cmd->arg1==ICMP6_UNREACH_RST)
160 action = "Reset";
161 else if (cmd->arg1==ICMP6_UNREACH_ABORT)
162 action = "Abort";
163 else
164 snprintf(SNPARGS(action2, 0), "Unreach %d",
165 cmd->arg1);
166 break;
167
168 case O_ACCEPT:
169 action = "Accept";
170 break;
171 case O_COUNT:
172 action = "Count";
173 break;
174 case O_DIVERT:
175 snprintf(SNPARGS(action2, 0), "Divert %d",
176 TARG(cmd->arg1, divert));
177 break;
178 case O_TEE:
179 snprintf(SNPARGS(action2, 0), "Tee %d",
180 TARG(cmd->arg1, divert));
181 break;
182 case O_SETDSCP:
183 snprintf(SNPARGS(action2, 0), "SetDscp %d",
184 TARG(cmd->arg1, dscp) & 0x3F);
185 break;
186 case O_SETFIB:
187 snprintf(SNPARGS(action2, 0), "SetFib %d",
188 TARG(cmd->arg1, fib) & 0x7FFF);
189 break;
190 case O_SKIPTO:
191 snprintf(SNPARGS(action2, 0), "SkipTo %d",
192 TARG(insntod(cmd, u32)->d[0], skipto));
193 break;
194 case O_PIPE:
195 snprintf(SNPARGS(action2, 0), "Pipe %d",
196 TARG(cmd->arg1, pipe));
197 break;
198 case O_QUEUE:
199 snprintf(SNPARGS(action2, 0), "Queue %d",
200 TARG(cmd->arg1, pipe));
201 break;
202 case O_FORWARD_IP:
203 if (IS_IP4_FLOW_ID(&args->f_id)) {
204 char buf[INET_ADDRSTRLEN];
205 const struct sockaddr_in *sin = &insntod(cmd, sa)->sa;
206 int len;
207
208 /* handle fwd tablearg */
209 if (sin->sin_addr.s_addr == INADDR_ANY) {
210 struct in_addr tmp;
211
212 tmp.s_addr = htonl(
213 TARG_VAL(chain, tablearg, nh4));
214 inet_ntoa_r(tmp, buf);
215 } else
216 inet_ntoa_r(sin->sin_addr, buf);
217 len = snprintf(SNPARGS(action2, 0),
218 "Forward to %s", buf);
219 if (sin->sin_port != 0)
220 snprintf(SNPARGS(action2, len), ":%d",
221 sin->sin_port);
222 }
223 /* FALLTHROUGH */
224 #ifdef INET6
225 case O_FORWARD_IP6:
226 if (IS_IP6_FLOW_ID(&args->f_id)) {
227 char buf[INET6_ADDRSTRLEN];
228 struct sockaddr_in6 tmp;
229 const struct sockaddr_in *sin = &insntod(cmd, sa)->sa;
230 struct sockaddr_in6 *sin6 = &insntod(cmd, sa6)->sa;
231 int len;
232
233 if (cmd->opcode == O_FORWARD_IP &&
234 sin->sin_addr.s_addr == INADDR_ANY) {
235 sin6 = &tmp;
236 sin6->sin6_addr =
237 TARG_VAL(chain, tablearg, nh6);
238 sin6->sin6_scope_id =
239 TARG_VAL(chain, tablearg, zoneid);
240 sin6->sin6_port = sin->sin_port;
241 }
242
243 ip6_sprintf(buf, &sin6->sin6_addr);
244 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) &&
245 sin6->sin6_scope_id != 0)
246 len = snprintf(SNPARGS(action2, 0),
247 "Forward to [%s%%%u]",
248 buf, sin6->sin6_scope_id);
249 else
250 len = snprintf(SNPARGS(action2, 0),
251 "Forward to [%s]", buf);
252 if (sin6->sin6_port != 0)
253 snprintf(SNPARGS(action2, len), ":%u",
254 sin6->sin6_port);
255 }
256 #endif
257 break;
258 case O_NETGRAPH:
259 snprintf(SNPARGS(action2, 0), "Netgraph %d",
260 cmd->arg1);
261 break;
262 case O_NGTEE:
263 snprintf(SNPARGS(action2, 0), "Ngtee %d",
264 cmd->arg1);
265 break;
266 case O_NAT:
267 action = "Nat";
268 break;
269 case O_REASS:
270 action = "Reass";
271 break;
272 case O_CALLRETURN:
273 if (cmd->len & F_NOT)
274 snprintf(SNPARGS(action2, 0), "Return %s",
275 cmd->arg1 == RETURN_NEXT_RULENUM ?
276 "next-rulenum": "next-rule");
277 else
278 snprintf(SNPARGS(action2, 0), "Call %d",
279 TARG(insntod(cmd, u32)->d[0], skipto));
280 break;
281 case O_SETMARK:
282 if (cmd->arg1 == IP_FW_TARG)
283 snprintf(SNPARGS(action2, 0), "SetMark %#010x",
284 TARG(cmd->arg1, mark));
285 else
286 snprintf(SNPARGS(action2, 0), "SetMark %#010x",
287 insntoc(cmd, u32)->d[0]);
288 break;
289 case O_EXTERNAL_ACTION:
290 snprintf(SNPARGS(action2, 0), "Eaction %s",
291 ((struct named_object *)SRV_OBJECT(chain,
292 insntod(cmd, kidx)->kidx))->name);
293 break;
294 default:
295 action = "UNKNOWN";
296 break;
297 }
298 }
299
300 if (hlen == 0) { /* non-ip */
301 snprintf(SNPARGS(proto, 0), "MAC");
302
303 } else {
304 int len;
305 #ifdef INET6
306 char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2];
307 #else
308 char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
309 #endif
310 struct icmphdr *icmp;
311 struct tcphdr *tcp;
312 struct udphdr *udp;
313 #ifdef INET6
314 struct ip6_hdr *ip6 = NULL;
315 struct icmp6_hdr *icmp6;
316 u_short ip6f_mf;
317 #endif
318 src[0] = '\0';
319 dst[0] = '\0';
320 #ifdef INET6
321 ip6f_mf = offset & IP6F_MORE_FRAG;
322 offset &= IP6F_OFF_MASK;
323
324 if (IS_IP6_FLOW_ID(&(args->f_id))) {
325 char ip6buf[INET6_ADDRSTRLEN];
326 snprintf(src, sizeof(src), "[%s]",
327 ip6_sprintf(ip6buf, &args->f_id.src_ip6));
328 snprintf(dst, sizeof(dst), "[%s]",
329 ip6_sprintf(ip6buf, &args->f_id.dst_ip6));
330
331 ip6 = (struct ip6_hdr *)ip;
332 tcp = (struct tcphdr *)(((char *)ip) + hlen);
333 udp = (struct udphdr *)(((char *)ip) + hlen);
334 } else
335 #endif
336 {
337 tcp = L3HDR(struct tcphdr, ip);
338 udp = L3HDR(struct udphdr, ip);
339
340 inet_ntop(AF_INET, &ip->ip_src, src, sizeof(src));
341 inet_ntop(AF_INET, &ip->ip_dst, dst, sizeof(dst));
342 }
343
344 switch (args->f_id.proto) {
345 case IPPROTO_TCP:
346 len = snprintf(SNPARGS(proto, 0), "TCP %s", src);
347 if (offset == 0)
348 snprintf(SNPARGS(proto, len), ":%d %s:%d",
349 ntohs(tcp->th_sport),
350 dst,
351 ntohs(tcp->th_dport));
352 else
353 snprintf(SNPARGS(proto, len), " %s", dst);
354 break;
355
356 case IPPROTO_UDP:
357 case IPPROTO_UDPLITE:
358 len = snprintf(SNPARGS(proto, 0), "UDP%s%s",
359 args->f_id.proto == IPPROTO_UDP ? " ": "Lite ",
360 src);
361 if (offset == 0)
362 snprintf(SNPARGS(proto, len), ":%d %s:%d",
363 ntohs(udp->uh_sport),
364 dst,
365 ntohs(udp->uh_dport));
366 else
367 snprintf(SNPARGS(proto, len), " %s", dst);
368 break;
369
370 case IPPROTO_ICMP:
371 icmp = L3HDR(struct icmphdr, ip);
372 if (offset == 0)
373 len = snprintf(SNPARGS(proto, 0),
374 "ICMP:%u.%u ",
375 icmp->icmp_type, icmp->icmp_code);
376 else
377 len = snprintf(SNPARGS(proto, 0), "ICMP ");
378 len += snprintf(SNPARGS(proto, len), "%s", src);
379 snprintf(SNPARGS(proto, len), " %s", dst);
380 break;
381 #ifdef INET6
382 case IPPROTO_ICMPV6:
383 icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen);
384 if (offset == 0)
385 len = snprintf(SNPARGS(proto, 0),
386 "ICMPv6:%u.%u ",
387 icmp6->icmp6_type, icmp6->icmp6_code);
388 else
389 len = snprintf(SNPARGS(proto, 0), "ICMPv6 ");
390 len += snprintf(SNPARGS(proto, len), "%s", src);
391 snprintf(SNPARGS(proto, len), " %s", dst);
392 break;
393 #endif
394 default:
395 len = snprintf(SNPARGS(proto, 0), "P:%d %s",
396 args->f_id.proto, src);
397 snprintf(SNPARGS(proto, len), " %s", dst);
398 break;
399 }
400
401 #ifdef INET6
402 if (IS_IP6_FLOW_ID(&(args->f_id))) {
403 if (offset || ip6f_mf)
404 snprintf(SNPARGS(fragment, 0),
405 " (frag %08x:%d@%d%s)",
406 args->f_id.extra,
407 ntohs(ip6->ip6_plen) - hlen,
408 ntohs(offset) << 3, ip6f_mf ? "+" : "");
409 } else
410 #endif
411 {
412 int ipoff, iplen;
413 ipoff = ntohs(ip->ip_off);
414 iplen = ntohs(ip->ip_len);
415 if (ipoff & (IP_MF | IP_OFFMASK))
416 snprintf(SNPARGS(fragment, 0),
417 " (frag %d:%d@%d%s)",
418 ntohs(ip->ip_id), iplen - (ip->ip_hl << 2),
419 offset << 3,
420 (ipoff & IP_MF) ? "+" : "");
421 }
422 }
423
424 /* [fw]mark */
425 if (args->rule.pkt_mark)
426 snprintf(SNPARGS(mark_str, 0), " mark:%#x",
427 args->rule.pkt_mark);
428 else
429 mark_str[0] = '\0';
430
431 #ifdef __FreeBSD__
432 log(LOG_SECURITY | LOG_INFO, "ipfw: %d %s %s%s %s via %s%s\n",
433 f ? f->rulenum : -1, action, proto, mark_str,
434 args->flags & IPFW_ARGS_OUT ? "out" : "in", args->ifp->if_xname,
435 fragment);
436 #else
437 log(LOG_SECURITY | LOG_INFO, "ipfw: %d %s %s%s [no if info]%s\n",
438 f ? f->rulenum : -1, action, proto, mark_str, fragment);
439 #endif
440 if (limit_reached)
441 log(LOG_SECURITY | LOG_NOTICE,
442 "ipfw: limit %d reached on entry %d\n",
443 limit_reached, f ? f->rulenum : -1);
444 }
445
446 static void
ipfw_rtsocklog_fill_l3(struct ip_fw_args * args,char ** buf,struct sockaddr ** src,struct sockaddr ** dst)447 ipfw_rtsocklog_fill_l3(struct ip_fw_args *args,
448 char **buf, struct sockaddr **src, struct sockaddr **dst)
449 {
450 struct sockaddr_in *v4src, *v4dst;
451 #ifdef INET6
452 struct sockaddr_in6 *v6src, *v6dst;
453
454 if (IS_IP6_FLOW_ID(&(args->f_id))) {
455 v6src = (struct sockaddr_in6 *)*buf;
456 *buf += sizeof(*v6src);
457 v6dst = (struct sockaddr_in6 *)*buf;
458 *buf += sizeof(*v6dst);
459 v6src->sin6_len = v6dst->sin6_len = sizeof(*v6src);
460 v6src->sin6_family = v6dst->sin6_family = AF_INET6;
461 v6src->sin6_addr = args->f_id.src_ip6;
462 v6dst->sin6_addr = args->f_id.dst_ip6;
463
464 *src = (struct sockaddr *)v6src;
465 *dst = (struct sockaddr *)v6dst;
466 } else
467 #endif
468 {
469 v4src = (struct sockaddr_in *)*buf;
470 *buf += sizeof(*v4src);
471 v4dst = (struct sockaddr_in *)*buf;
472 *buf += sizeof(*v4dst);
473 v4src->sin_len = v4dst->sin_len = sizeof(*v4src);
474 v4src->sin_family = v4dst->sin_family = AF_INET;
475 v4src->sin_addr.s_addr = htonl(args->f_id.src_ip);
476 v4dst->sin_addr.s_addr = htonl(args->f_id.dst_ip);
477
478 *src = (struct sockaddr *)v4src;
479 *dst = (struct sockaddr *)v4dst;
480 }
481 }
482
483 static struct sockaddr *
ipfw_rtsocklog_handle_tablearg(struct ip_fw_chain * chain,struct ip_fw_args * args,ipfw_insn * cmd,uint32_t tablearg,uint32_t * targ_value,char ** buf)484 ipfw_rtsocklog_handle_tablearg(struct ip_fw_chain *chain,
485 struct ip_fw_args *args, ipfw_insn *cmd, uint32_t tablearg,
486 uint32_t *targ_value, char **buf)
487 {
488 /* handle tablearg now */
489 switch (cmd->opcode) {
490 case O_DIVERT:
491 case O_TEE:
492 *targ_value = TARG(cmd->arg1, divert);
493 break;
494 case O_NETGRAPH:
495 case O_NGTEE:
496 *targ_value = TARG(cmd->arg1, netgraph);
497 break;
498 case O_SETDSCP:
499 *targ_value = (TARG(cmd->arg1, dscp) & 0x3F);
500 break;
501 case O_SETFIB:
502 *targ_value = (TARG(cmd->arg1, fib) & 0x7FFF);
503 break;
504 case O_SKIPTO:
505 case O_CALLRETURN:
506 if (cmd->opcode == O_CALLRETURN && (cmd->len & F_NOT))
507 break;
508 *targ_value = TARG(insntod(cmd, u32)->d[0], skipto);
509 break;
510 case O_PIPE:
511 case O_QUEUE:
512 *targ_value = TARG(cmd->arg1, pipe);
513 break;
514 case O_SETMARK:
515 if (cmd->arg1 == IP_FW_TARG)
516 *targ_value = TARG_VAL(chain, tablearg, mark);
517 break;
518 case O_FORWARD_IP:
519 if (IS_IP4_FLOW_ID(&args->f_id)) {
520 struct sockaddr_in *nh = (struct sockaddr_in *)*buf;
521
522 *buf += sizeof(*nh);
523 memcpy(nh, &insntod(cmd, sa)->sa, sizeof(*nh));
524 if (nh->sin_addr.s_addr == INADDR_ANY)
525 nh->sin_addr.s_addr = htonl(
526 TARG_VAL(chain, tablearg, nh4));
527 return ((struct sockaddr *)nh);
528 }
529 /* FALLTHROUGH */
530 #ifdef INET6
531 case O_FORWARD_IP6:
532 if (IS_IP6_FLOW_ID(&args->f_id)) {
533 const struct sockaddr_in *sin = &insntod(cmd, sa)->sa;
534 struct sockaddr_in6 *nh = (struct sockaddr_in6 *)*buf;
535
536 *buf += sizeof(*nh);
537 if (cmd->opcode == O_FORWARD_IP &&
538 sin->sin_addr.s_addr == INADDR_ANY) {
539 nh->sin6_family = AF_INET6;
540 nh->sin6_len = sizeof(*nh);
541 nh->sin6_addr = TARG_VAL(chain, tablearg, nh6);
542 nh->sin6_port = sin->sin_port;
543 nh->sin6_scope_id =
544 TARG_VAL(chain, tablearg, zoneid);
545 } else
546 memcpy(nh, &insntod(cmd, sa6)->sa, sizeof(*nh));
547 return ((struct sockaddr *)nh);
548 }
549 #endif
550 default:
551 break;
552 }
553
554 return (NULL);
555 }
556
557 #define MAX_COMMENT_LEN 80
558
559 static size_t
ipfw_copy_rule_comment(struct ip_fw * f,char * dst)560 ipfw_copy_rule_comment(struct ip_fw *f, char *dst)
561 {
562 ipfw_insn *cmd;
563 size_t rcomment_len = 0;
564 int l, cmdlen;
565
566 for (l = f->cmd_len, cmd = f->cmd; l > 0; l -= cmdlen, cmd += cmdlen) {
567 cmdlen = F_LEN(cmd);
568 if (cmd->opcode != O_NOP) {
569 continue;
570 } else if (cmd->len == 1) {
571 return (0);
572 }
573 break;
574 }
575 if (l <= 0) {
576 return (0);
577 }
578 rcomment_len = strnlen((char *)(cmd + 1), MAX_COMMENT_LEN - 1) + 1;
579 strlcpy(dst, (char *)(cmd + 1), rcomment_len);
580 return (rcomment_len);
581 }
582
583 /*
584 * Logs a packet matched by a rule as a route(4) socket message.
585 *
586 * While ipfw0 pseudo interface provides a way to observe full packet body,
587 * no metadata (rule number, action, mark, etc) is available.
588 * pflog(4) is not an option either as it's header is hardcoded and does not
589 * provide sufficient space for ipfw meta information.
590 *
591 * To be able to get a machine-readable event with all meta information needed
592 * for user-space daemons we construct a route(4) message and pack as much meta
593 * information as we can into it.
594 *
595 * RTAX_DST(0): (struct sockaddr_dl) carrying ipfwlog_rtsock_hdr_v2 in sdl_data
596 * with general rule information (rule number, set, action, mark,
597 * cmd, comment) and source/destination MAC addresses in case we're
598 * logging in layer2 pass.
599 *
600 * RTAX_GATEWAY(1): (struct sockaddr) IP source address
601 *
602 * RTAX_NETMASK(2): (struct sockaddr) IP destination address
603 *
604 * RTAX_GENMASK(3): (struct sockaddr) IP address and port used in fwd action
605 *
606 * One SHOULD set an explicit logamount for any rule using rtsock as flooding
607 * route socket with such events could lead to various system-wide side effects.
608 * RTF_PROTO1 flag in (struct rt_addrinfo).rti_flags is set in all messages
609 * once half of logamount limit is crossed. This could be used by the software
610 * processing these logs to issue `ipfw resetlog` command to keep the event
611 * flow.
612 *
613 * TODO: convert ipfwlog_rtsock_hdr_v2 data into TLV to ease expansion.
614 */
615
616 static void
ipfw_log_rtsock(struct ip_fw_chain * chain,struct ip_fw * f,u_int hlen,struct ip_fw_args * args,u_short offset,uint32_t tablearg,void * _eh)617 ipfw_log_rtsock(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
618 struct ip_fw_args *args, u_short offset, uint32_t tablearg, void *_eh)
619 {
620 struct sockaddr_dl *sdl_ipfwcmd;
621 struct ether_header *eh = _eh;
622 struct rt_addrinfo *info;
623 uint32_t *targ_value;
624 ipfwlog_rtsock_hdr_v2 *hdr;
625 ipfw_insn *cmd;
626 ipfw_insn_log *l;
627 char *buf, *orig_buf;
628 /* at least 4 x sizeof(struct sockaddr_dl) + rule comment (80) */
629 size_t buflen = 512;
630
631 /* Should we log? O_LOG is the first one */
632 cmd = ACTION_PTR(f);
633 l = (ipfw_insn_log *)cmd;
634
635 if (l->max_log != 0 && l->log_left == 0)
636 return;
637
638 if (hlen == 0) /* non-ip */
639 return;
640
641 l->log_left--;
642 if (V_fw_verbose != 0 && l->log_left == 0) {
643 log(LOG_SECURITY | LOG_NOTICE,
644 "ipfw: limit %d reached on entry %d\n",
645 l->max_log, f ? f->rulenum : -1);
646 }
647
648 buf = orig_buf = malloc(buflen, M_TEMP, M_NOWAIT | M_ZERO);
649 if (buf == NULL)
650 return;
651
652 info = (struct rt_addrinfo *)buf;
653 buf += sizeof (*info);
654
655 cmd = ipfw_get_action(f);
656 sdl_ipfwcmd = (struct sockaddr_dl *)buf;
657 sdl_ipfwcmd->sdl_family = AF_IPFWLOG;
658 sdl_ipfwcmd->sdl_index = f->set;
659 sdl_ipfwcmd->sdl_type = 2; /* version */
660 sdl_ipfwcmd->sdl_alen = sizeof(*hdr);
661 hdr = (ipfwlog_rtsock_hdr_v2 *)(sdl_ipfwcmd->sdl_data);
662 /* fill rule comment in if any */
663 sdl_ipfwcmd->sdl_nlen = ipfw_copy_rule_comment(f, hdr->comment);
664 targ_value = &hdr->tablearg;
665 hdr->rulenum = f->rulenum;
666 hdr->mark = args->rule.pkt_mark;
667 hdr->cmd = *cmd;
668
669 sdl_ipfwcmd->sdl_len = sizeof(*sdl_ipfwcmd);
670 if (sizeof(*hdr) + sdl_ipfwcmd->sdl_nlen > sizeof(sdl_ipfwcmd->sdl_data)) {
671 sdl_ipfwcmd->sdl_len += sizeof(*hdr) + sdl_ipfwcmd->sdl_nlen -
672 sizeof(sdl_ipfwcmd->sdl_data);
673 }
674 buf += sdl_ipfwcmd->sdl_len;
675
676 /* fill L2 in if present */
677 if (args->flags & IPFW_ARGS_ETHER && eh != NULL) {
678 sdl_ipfwcmd->sdl_slen = sizeof(eh->ether_shost);
679 memcpy(hdr->ether_shost, eh->ether_shost,
680 sdl_ipfwcmd->sdl_slen);
681 memcpy(hdr->ether_dhost, eh->ether_dhost,
682 sdl_ipfwcmd->sdl_slen);
683 }
684
685 info->rti_info[RTAX_DST] = (struct sockaddr *)sdl_ipfwcmd;
686
687 /* Warn if we're about to stop sending messages */
688 if (l->max_log != 0 && l->log_left < (l->max_log >> 1)) {
689 info->rti_flags |= RTF_PROTO1;
690 }
691
692 /* handle tablearg */
693 info->rti_info[RTAX_GENMASK] = ipfw_rtsocklog_handle_tablearg(
694 chain, args, cmd, tablearg, targ_value, &buf);
695
696 /* L3 */
697 ipfw_rtsocklog_fill_l3(args, &buf,
698 &info->rti_info[RTAX_GATEWAY],
699 &info->rti_info[RTAX_NETMASK]);
700
701 KASSERT(buf <= (orig_buf + buflen),
702 ("ipfw: buffer for logdst rtsock is not big enough"));
703
704 info->rti_ifp = args->ifp;
705 rtsock_routemsg_info(RTM_IPFWLOG, info, RT_ALL_FIBS);
706
707 free(orig_buf, M_TEMP);
708 }
709
710 /*
711 * We enter here when we have a rule with O_LOG.
712 */
713 void
ipfw_log(struct ip_fw_chain * chain,struct ip_fw * f,u_int hlen,struct ip_fw_args * args,u_short offset,uint32_t tablearg,struct ip * ip,void * eh)714 ipfw_log(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
715 struct ip_fw_args *args, u_short offset, uint32_t tablearg,
716 struct ip *ip, void *eh)
717 {
718 ipfw_insn *cmd;
719
720 /* Fallback to default logging if we're missing rule pointer */
721 if (f == NULL ||
722 /* O_LOG is the first action */
723 ((cmd = ACTION_PTR(f)) && cmd->arg1 == IPFW_LOG_DEFAULT)) {
724 if (V_fw_verbose == 0) {
725 ipfw_bpf_tap(args, ip,
726 f != NULL ? f->rulenum : IPFW_DEFAULT_RULE);
727 return;
728 }
729 ipfw_log_syslog(chain, f, hlen, args, offset, tablearg, ip);
730 return;
731 }
732
733 if (cmd->arg1 & IPFW_LOG_SYSLOG)
734 ipfw_log_syslog(chain, f, hlen, args, offset, tablearg, ip);
735
736 if (cmd->arg1 & IPFW_LOG_RTSOCK)
737 ipfw_log_rtsock(chain, f, hlen, args, offset, tablearg, eh);
738
739 if (cmd->arg1 & IPFW_LOG_IPFW0)
740 ipfw_bpf_tap(args, ip, f->rulenum);
741 }
742 /* end of file */
743