1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 /*
30 * Logging support for ipfw
31 */
32
33 #include "opt_ipfw.h"
34 #include "opt_inet.h"
35 #ifndef INET
36 #error IPFIREWALL requires INET.
37 #endif /* INET */
38 #include "opt_inet6.h"
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/kernel.h>
43 #include <sys/mbuf.h>
44 #include <sys/socket.h>
45 #include <sys/sysctl.h>
46 #include <sys/syslog.h>
47 #include <net/ethernet.h> /* for ETHERTYPE_IP */
48 #include <net/if.h>
49 #include <net/if_dl.h>
50 #include <net/if_var.h>
51 #include <net/if_private.h>
52 #include <net/vnet.h>
53 #include <net/route.h>
54 #include <net/route/route_var.h>
55
56 #include <netinet/in.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_icmp.h>
59 #include <netinet/ip_var.h>
60 #include <netinet/ip_fw.h>
61 #include <netinet/udp.h>
62 #include <netinet/tcp.h>
63
64 #include <netinet/ip6.h>
65 #include <netinet/icmp6.h>
66 #ifdef INET6
67 #include <netinet6/in6_var.h> /* ip6_sprintf() */
68 #endif
69
70 #include <netpfil/ipfw/ip_fw_private.h>
71
72 #ifdef MAC
73 #include <security/mac/mac_framework.h>
74 #endif
75
76 /*
77 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
78 * Other macros just cast void * into the appropriate type
79 */
80 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
81 #define TCP(p) ((struct tcphdr *)(p))
82 #define SCTP(p) ((struct sctphdr *)(p))
83 #define UDP(p) ((struct udphdr *)(p))
84 #define ICMP(p) ((struct icmphdr *)(p))
85 #define ICMP6(p) ((struct icmp6_hdr *)(p))
86
87 #ifdef __APPLE__
88 #undef snprintf
89 #define snprintf sprintf
90 #define SNPARGS(buf, len) buf + len
91 #define SNP(buf) buf
92 #else /* !__APPLE__ */
93 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
94 #define SNP(buf) buf, sizeof(buf)
95 #endif /* !__APPLE__ */
96
97 #define TARG(k, f) IP_FW_ARG_TABLEARG(chain, k, f)
98
99 static void
ipfw_log_ipfw0(struct ip_fw_args * args,struct ip * ip)100 ipfw_log_ipfw0(struct ip_fw_args *args, struct ip *ip)
101 {
102 if (args->flags & IPFW_ARGS_LENMASK)
103 ipfw_bpf_tap(args->mem, IPFW_ARGS_LENGTH(args->flags));
104 else if (args->flags & IPFW_ARGS_ETHER)
105 /* layer2, use orig hdr */
106 ipfw_bpf_mtap(args->m);
107 else {
108 /* Add fake header. Later we will store
109 * more info in the header.
110 */
111 if (ip->ip_v == 4)
112 ipfw_bpf_mtap2("DDDDDDSSSSSS\x08\x00",
113 ETHER_HDR_LEN, args->m);
114 else if (ip->ip_v == 6)
115 ipfw_bpf_mtap2("DDDDDDSSSSSS\x86\xdd",
116 ETHER_HDR_LEN, args->m);
117 else
118 /* Obviously bogus EtherType. */
119 ipfw_bpf_mtap2("DDDDDDSSSSSS\xff\xff",
120 ETHER_HDR_LEN, args->m);
121 }
122 }
123
124 /*
125 * XXX this function alone takes about 2Kbytes of code!
126 */
127 static void
ipfw_log_syslog(struct ip_fw_chain * chain,struct ip_fw * f,u_int hlen,struct ip_fw_args * args,u_short offset,uint32_t tablearg,struct ip * ip)128 ipfw_log_syslog(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
129 struct ip_fw_args *args, u_short offset, uint32_t tablearg, struct ip *ip)
130 {
131 char *action;
132 int limit_reached = 0;
133 char action2[92], proto[128], fragment[32], mark_str[24];
134
135 fragment[0] = '\0';
136 proto[0] = '\0';
137
138 if (f == NULL) { /* bogus pkt */
139 if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit)
140 return;
141 V_norule_counter++;
142 if (V_norule_counter == V_verbose_limit)
143 limit_reached = V_verbose_limit;
144 action = "Refuse";
145 } else { /* O_LOG is the first action, find the real one */
146 ipfw_insn *cmd = ACTION_PTR(f);
147 ipfw_insn_log *l = (ipfw_insn_log *)cmd;
148
149 if (l->max_log != 0 && l->log_left == 0)
150 return;
151 l->log_left--;
152 if (l->log_left == 0)
153 limit_reached = l->max_log;
154 cmd += F_LEN(cmd); /* point to first action */
155 if (cmd->opcode == O_ALTQ) {
156 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
157
158 snprintf(SNPARGS(action2, 0), "Altq %d",
159 altq->qid);
160 cmd += F_LEN(cmd);
161 }
162 if (cmd->opcode == O_PROB || cmd->opcode == O_TAG)
163 cmd += F_LEN(cmd);
164
165 action = action2;
166 switch (cmd->opcode) {
167 case O_DENY:
168 action = "Deny";
169 break;
170
171 case O_REJECT:
172 if (cmd->arg1==ICMP_REJECT_RST)
173 action = "Reset";
174 else if (cmd->arg1==ICMP_REJECT_ABORT)
175 action = "Abort";
176 else if (cmd->arg1==ICMP_UNREACH_HOST)
177 action = "Reject";
178 else
179 snprintf(SNPARGS(action2, 0), "Unreach %d",
180 cmd->arg1);
181 break;
182
183 case O_UNREACH6:
184 if (cmd->arg1==ICMP6_UNREACH_RST)
185 action = "Reset";
186 else if (cmd->arg1==ICMP6_UNREACH_ABORT)
187 action = "Abort";
188 else
189 snprintf(SNPARGS(action2, 0), "Unreach %d",
190 cmd->arg1);
191 break;
192
193 case O_ACCEPT:
194 action = "Accept";
195 break;
196 case O_COUNT:
197 action = "Count";
198 break;
199 case O_DIVERT:
200 snprintf(SNPARGS(action2, 0), "Divert %d",
201 TARG(cmd->arg1, divert));
202 break;
203 case O_TEE:
204 snprintf(SNPARGS(action2, 0), "Tee %d",
205 TARG(cmd->arg1, divert));
206 break;
207 case O_SETDSCP:
208 snprintf(SNPARGS(action2, 0), "SetDscp %d",
209 TARG(cmd->arg1, dscp) & 0x3F);
210 break;
211 case O_SETFIB:
212 snprintf(SNPARGS(action2, 0), "SetFib %d",
213 TARG(cmd->arg1, fib) & 0x7FFF);
214 break;
215 case O_SKIPTO:
216 snprintf(SNPARGS(action2, 0), "SkipTo %d",
217 TARG(insntod(cmd, u32)->d[0], skipto));
218 break;
219 case O_PIPE:
220 snprintf(SNPARGS(action2, 0), "Pipe %d",
221 TARG(cmd->arg1, pipe));
222 break;
223 case O_QUEUE:
224 snprintf(SNPARGS(action2, 0), "Queue %d",
225 TARG(cmd->arg1, pipe));
226 break;
227 case O_FORWARD_IP: {
228 char buf[INET_ADDRSTRLEN];
229 ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd;
230 int len;
231 struct in_addr dummyaddr;
232 if (sa->sa.sin_addr.s_addr == INADDR_ANY)
233 dummyaddr.s_addr = htonl(tablearg);
234 else
235 dummyaddr.s_addr = sa->sa.sin_addr.s_addr;
236
237 len = snprintf(SNPARGS(action2, 0), "Forward to %s",
238 inet_ntoa_r(dummyaddr, buf));
239
240 if (sa->sa.sin_port)
241 snprintf(SNPARGS(action2, len), ":%d",
242 sa->sa.sin_port);
243 }
244 break;
245 #ifdef INET6
246 case O_FORWARD_IP6: {
247 char buf[INET6_ADDRSTRLEN];
248 ipfw_insn_sa6 *sa = (ipfw_insn_sa6 *)cmd;
249 int len;
250
251 len = snprintf(SNPARGS(action2, 0), "Forward to [%s]",
252 ip6_sprintf(buf, &sa->sa.sin6_addr));
253
254 if (sa->sa.sin6_port)
255 snprintf(SNPARGS(action2, len), ":%u",
256 sa->sa.sin6_port);
257 }
258 break;
259 #endif
260 case O_NETGRAPH:
261 snprintf(SNPARGS(action2, 0), "Netgraph %d",
262 cmd->arg1);
263 break;
264 case O_NGTEE:
265 snprintf(SNPARGS(action2, 0), "Ngtee %d",
266 cmd->arg1);
267 break;
268 case O_NAT:
269 action = "Nat";
270 break;
271 case O_REASS:
272 action = "Reass";
273 break;
274 case O_CALLRETURN:
275 if (cmd->len & F_NOT)
276 snprintf(SNPARGS(action2, 0), "Return %s",
277 cmd->arg1 == RETURN_NEXT_RULENUM ?
278 "next-rulenum": "next-rule");
279 else
280 snprintf(SNPARGS(action2, 0), "Call %d",
281 TARG(insntod(cmd, u32)->d[0], skipto));
282 break;
283 case O_SETMARK:
284 if (cmd->arg1 == IP_FW_TARG)
285 snprintf(SNPARGS(action2, 0), "SetMark %#010x",
286 TARG(cmd->arg1, mark));
287 else
288 snprintf(SNPARGS(action2, 0), "SetMark %#010x",
289 insntoc(cmd, u32)->d[0]);
290 break;
291 case O_EXTERNAL_ACTION:
292 snprintf(SNPARGS(action2, 0), "Eaction %s",
293 ((struct named_object *)SRV_OBJECT(chain,
294 insntod(cmd, kidx)->kidx))->name);
295 break;
296 default:
297 action = "UNKNOWN";
298 break;
299 }
300 }
301
302 if (hlen == 0) { /* non-ip */
303 snprintf(SNPARGS(proto, 0), "MAC");
304
305 } else {
306 int len;
307 #ifdef INET6
308 char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2];
309 #else
310 char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
311 #endif
312 struct icmphdr *icmp;
313 struct tcphdr *tcp;
314 struct udphdr *udp;
315 #ifdef INET6
316 struct ip6_hdr *ip6 = NULL;
317 struct icmp6_hdr *icmp6;
318 u_short ip6f_mf;
319 #endif
320 src[0] = '\0';
321 dst[0] = '\0';
322 #ifdef INET6
323 ip6f_mf = offset & IP6F_MORE_FRAG;
324 offset &= IP6F_OFF_MASK;
325
326 if (IS_IP6_FLOW_ID(&(args->f_id))) {
327 char ip6buf[INET6_ADDRSTRLEN];
328 snprintf(src, sizeof(src), "[%s]",
329 ip6_sprintf(ip6buf, &args->f_id.src_ip6));
330 snprintf(dst, sizeof(dst), "[%s]",
331 ip6_sprintf(ip6buf, &args->f_id.dst_ip6));
332
333 ip6 = (struct ip6_hdr *)ip;
334 tcp = (struct tcphdr *)(((char *)ip) + hlen);
335 udp = (struct udphdr *)(((char *)ip) + hlen);
336 } else
337 #endif
338 {
339 tcp = L3HDR(struct tcphdr, ip);
340 udp = L3HDR(struct udphdr, ip);
341
342 inet_ntop(AF_INET, &ip->ip_src, src, sizeof(src));
343 inet_ntop(AF_INET, &ip->ip_dst, dst, sizeof(dst));
344 }
345
346 switch (args->f_id.proto) {
347 case IPPROTO_TCP:
348 len = snprintf(SNPARGS(proto, 0), "TCP %s", src);
349 if (offset == 0)
350 snprintf(SNPARGS(proto, len), ":%d %s:%d",
351 ntohs(tcp->th_sport),
352 dst,
353 ntohs(tcp->th_dport));
354 else
355 snprintf(SNPARGS(proto, len), " %s", dst);
356 break;
357
358 case IPPROTO_UDP:
359 case IPPROTO_UDPLITE:
360 len = snprintf(SNPARGS(proto, 0), "UDP%s%s",
361 args->f_id.proto == IPPROTO_UDP ? " ": "Lite ",
362 src);
363 if (offset == 0)
364 snprintf(SNPARGS(proto, len), ":%d %s:%d",
365 ntohs(udp->uh_sport),
366 dst,
367 ntohs(udp->uh_dport));
368 else
369 snprintf(SNPARGS(proto, len), " %s", dst);
370 break;
371
372 case IPPROTO_ICMP:
373 icmp = L3HDR(struct icmphdr, ip);
374 if (offset == 0)
375 len = snprintf(SNPARGS(proto, 0),
376 "ICMP:%u.%u ",
377 icmp->icmp_type, icmp->icmp_code);
378 else
379 len = snprintf(SNPARGS(proto, 0), "ICMP ");
380 len += snprintf(SNPARGS(proto, len), "%s", src);
381 snprintf(SNPARGS(proto, len), " %s", dst);
382 break;
383 #ifdef INET6
384 case IPPROTO_ICMPV6:
385 icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen);
386 if (offset == 0)
387 len = snprintf(SNPARGS(proto, 0),
388 "ICMPv6:%u.%u ",
389 icmp6->icmp6_type, icmp6->icmp6_code);
390 else
391 len = snprintf(SNPARGS(proto, 0), "ICMPv6 ");
392 len += snprintf(SNPARGS(proto, len), "%s", src);
393 snprintf(SNPARGS(proto, len), " %s", dst);
394 break;
395 #endif
396 default:
397 len = snprintf(SNPARGS(proto, 0), "P:%d %s",
398 args->f_id.proto, src);
399 snprintf(SNPARGS(proto, len), " %s", dst);
400 break;
401 }
402
403 #ifdef INET6
404 if (IS_IP6_FLOW_ID(&(args->f_id))) {
405 if (offset || ip6f_mf)
406 snprintf(SNPARGS(fragment, 0),
407 " (frag %08x:%d@%d%s)",
408 args->f_id.extra,
409 ntohs(ip6->ip6_plen) - hlen,
410 ntohs(offset) << 3, ip6f_mf ? "+" : "");
411 } else
412 #endif
413 {
414 int ipoff, iplen;
415 ipoff = ntohs(ip->ip_off);
416 iplen = ntohs(ip->ip_len);
417 if (ipoff & (IP_MF | IP_OFFMASK))
418 snprintf(SNPARGS(fragment, 0),
419 " (frag %d:%d@%d%s)",
420 ntohs(ip->ip_id), iplen - (ip->ip_hl << 2),
421 offset << 3,
422 (ipoff & IP_MF) ? "+" : "");
423 }
424 }
425
426 /* [fw]mark */
427 if (args->rule.pkt_mark)
428 snprintf(SNPARGS(mark_str, 0), " mark:%#x",
429 args->rule.pkt_mark);
430 else
431 mark_str[0] = '\0';
432
433 #ifdef __FreeBSD__
434 log(LOG_SECURITY | LOG_INFO, "ipfw: %d %s %s%s %s via %s%s\n",
435 f ? f->rulenum : -1, action, proto, mark_str,
436 args->flags & IPFW_ARGS_OUT ? "out" : "in", args->ifp->if_xname,
437 fragment);
438 #else
439 log(LOG_SECURITY | LOG_INFO, "ipfw: %d %s %s%s [no if info]%s\n",
440 f ? f->rulenum : -1, action, proto, mark_str, fragment);
441 #endif
442 if (limit_reached)
443 log(LOG_SECURITY | LOG_NOTICE,
444 "ipfw: limit %d reached on entry %d\n",
445 limit_reached, f ? f->rulenum : -1);
446 }
447
448 static void
ipfw_rtsocklog_fill_l3(struct ip_fw_args * args,char ** buf,struct sockaddr ** src,struct sockaddr ** dst)449 ipfw_rtsocklog_fill_l3(struct ip_fw_args *args,
450 char **buf, struct sockaddr **src, struct sockaddr **dst)
451 {
452 struct sockaddr_in *v4src, *v4dst;
453 #ifdef INET6
454 struct sockaddr_in6 *v6src, *v6dst;
455
456 if (IS_IP6_FLOW_ID(&(args->f_id))) {
457 v6src = (struct sockaddr_in6 *)*buf;
458 *buf += sizeof(*v6src);
459 v6dst = (struct sockaddr_in6 *)*buf;
460 *buf += sizeof(*v6dst);
461 v6src->sin6_len = v6dst->sin6_len = sizeof(*v6src);
462 v6src->sin6_family = v6dst->sin6_family = AF_INET6;
463 v6src->sin6_addr = args->f_id.src_ip6;
464 v6dst->sin6_addr = args->f_id.dst_ip6;
465
466 *src = (struct sockaddr *)v6src;
467 *dst = (struct sockaddr *)v6dst;
468 } else
469 #endif
470 {
471 v4src = (struct sockaddr_in *)*buf;
472 *buf += sizeof(*v4src);
473 v4dst = (struct sockaddr_in *)*buf;
474 *buf += sizeof(*v4dst);
475 v4src->sin_len = v4dst->sin_len = sizeof(*v4src);
476 v4src->sin_family = v4dst->sin_family = AF_INET;
477 v4src->sin_addr.s_addr = htonl(args->f_id.src_ip);
478 v4dst->sin_addr.s_addr = htonl(args->f_id.dst_ip);
479
480 *src = (struct sockaddr *)v4src;
481 *dst = (struct sockaddr *)v4dst;
482 }
483 }
484
485 static struct sockaddr *
ipfw_rtsocklog_handle_tablearg(struct ip_fw_chain * chain,ipfw_insn * cmd,uint32_t tablearg,uint32_t * targ_value,char ** buf)486 ipfw_rtsocklog_handle_tablearg(struct ip_fw_chain *chain, ipfw_insn *cmd,
487 uint32_t tablearg, uint32_t *targ_value, char **buf)
488 {
489 struct sockaddr_in *v4nh = NULL;
490
491 /* handle tablearg now */
492 switch (cmd->opcode) {
493 case O_DIVERT:
494 case O_TEE:
495 *targ_value = TARG(cmd->arg1, divert);
496 break;
497 case O_NETGRAPH:
498 case O_NGTEE:
499 *targ_value = TARG(cmd->arg1, netgraph);
500 break;
501 case O_SETDSCP:
502 *targ_value = (TARG(cmd->arg1, dscp) & 0x3F);
503 break;
504 case O_SETFIB:
505 *targ_value = (TARG(cmd->arg1, fib) & 0x7FFF);
506 break;
507 case O_SKIPTO:
508 case O_CALLRETURN:
509 if (cmd->opcode == O_CALLRETURN && (cmd->len & F_NOT))
510 break;
511 *targ_value = (TARG(insntod(cmd, u32)->d[0], skipto));
512 break;
513 case O_PIPE:
514 case O_QUEUE:
515 *targ_value = TARG(cmd->arg1, pipe);
516 break;
517 case O_MARK:
518 *targ_value = TARG(cmd->arg1, mark);
519 break;
520 case O_FORWARD_IP:
521 v4nh = (struct sockaddr_in *)buf;
522 buf += sizeof(*v4nh);
523 *v4nh = ((ipfw_insn_sa *)cmd)->sa;
524 if (v4nh->sin_addr.s_addr == INADDR_ANY)
525 v4nh->sin_addr.s_addr = htonl(tablearg);
526
527 return (struct sockaddr *)v4nh;
528 #ifdef INET6
529 case O_FORWARD_IP6:
530 return (struct sockaddr *)&(((ipfw_insn_sa6 *)cmd)->sa);
531 #endif
532 default:
533 break;
534 }
535
536 return (NULL);
537 }
538
539 #define MAX_COMMENT_LEN 80
540
541 static size_t
ipfw_copy_rule_comment(struct ip_fw * f,char * dst)542 ipfw_copy_rule_comment(struct ip_fw *f, char *dst)
543 {
544 ipfw_insn *cmd;
545 size_t rcomment_len = 0;
546 int l, cmdlen;
547
548 for (l = f->cmd_len, cmd = f->cmd; l > 0; l -= cmdlen, cmd += cmdlen) {
549 cmdlen = F_LEN(cmd);
550 if (cmd->opcode != O_NOP) {
551 continue;
552 } else if (cmd->len == 1) {
553 return (0);
554 }
555 break;
556 }
557 if (l <= 0) {
558 return (0);
559 }
560 rcomment_len = strnlen((char *)(cmd + 1), MAX_COMMENT_LEN - 1) + 1;
561 strlcpy(dst, (char *)(cmd + 1), rcomment_len);
562 return (rcomment_len);
563 }
564
565 static void
ipfw_log_rtsock(struct ip_fw_chain * chain,struct ip_fw * f,u_int hlen,struct ip_fw_args * args,u_short offset,uint32_t tablearg,void * _eh)566 ipfw_log_rtsock(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
567 struct ip_fw_args *args, u_short offset, uint32_t tablearg,
568 void *_eh)
569 {
570 struct sockaddr_dl *sdl_ipfwcmd;
571 struct ether_header *eh = _eh;
572 struct rt_addrinfo *info;
573 uint32_t *targ_value;
574 ipfwlog_rtsock_hdr_v2 *hdr;
575 ipfw_insn *cmd;
576 ipfw_insn_log *l;
577 char *buf, *orig_buf;
578 /* at least 4 x sizeof(struct sockaddr_dl) + rule comment (80) */
579 size_t buflen = 512;
580
581 /* Should we log? O_LOG is the first one */
582 cmd = ACTION_PTR(f);
583 l = (ipfw_insn_log *)cmd;
584
585 if (l->max_log != 0 && l->log_left == 0)
586 return;
587
588 l->log_left--;
589 if (V_fw_verbose != 0 && l->log_left == 0) {
590 log(LOG_SECURITY | LOG_NOTICE,
591 "ipfw: limit %d reached on entry %d\n",
592 l->max_log, f ? f->rulenum : -1);
593 }
594
595 buf = orig_buf = malloc(buflen, M_TEMP, M_NOWAIT | M_ZERO);
596 if (buf == NULL)
597 return;
598
599 info = (struct rt_addrinfo *)buf;
600 buf += sizeof (*info);
601
602 cmd = ipfw_get_action(f);
603 sdl_ipfwcmd = (struct sockaddr_dl *)buf;
604 sdl_ipfwcmd->sdl_family = AF_IPFWLOG;
605 sdl_ipfwcmd->sdl_index = f->set;
606 sdl_ipfwcmd->sdl_type = 2; /* version */
607 sdl_ipfwcmd->sdl_alen = sizeof(*hdr);
608 hdr = (ipfwlog_rtsock_hdr_v2 *)(sdl_ipfwcmd->sdl_data);
609 /* fill rule comment in if any */
610 sdl_ipfwcmd->sdl_nlen = ipfw_copy_rule_comment(f, hdr->comment);
611 targ_value = &hdr->tablearg;
612 hdr->rulenum = f->rulenum;
613 hdr->mark = args->rule.pkt_mark;
614 hdr->cmd = *cmd;
615
616 sdl_ipfwcmd->sdl_len = sizeof(*sdl_ipfwcmd);
617 if (sizeof(*hdr) + sdl_ipfwcmd->sdl_nlen > sizeof(sdl_ipfwcmd->sdl_data)) {
618 sdl_ipfwcmd->sdl_len += sizeof(*hdr) + sdl_ipfwcmd->sdl_nlen -
619 sizeof(sdl_ipfwcmd->sdl_data);
620 }
621 buf += sdl_ipfwcmd->sdl_len;
622
623 /* fill L2 in if present */
624 if (args->flags & IPFW_ARGS_ETHER && eh != NULL) {
625 sdl_ipfwcmd->sdl_slen = sizeof(eh->ether_shost);
626 memcpy(hdr->ether_shost, eh->ether_shost,
627 sdl_ipfwcmd->sdl_slen);
628 memcpy(hdr->ether_dhost, eh->ether_dhost,
629 sdl_ipfwcmd->sdl_slen);
630 }
631
632 info->rti_info[RTAX_DST] = (struct sockaddr *)sdl_ipfwcmd;
633
634 /* Warn if we're about to stop sending messages */
635 if (l->max_log != 0 && l->log_left < (l->max_log >> 1)) {
636 info->rti_flags |= RTF_PROTO1;
637 }
638
639 /* handle tablearg */
640 info->rti_info[RTAX_GENMASK] = ipfw_rtsocklog_handle_tablearg(
641 chain, cmd, tablearg, targ_value, &buf);
642
643 /* L3 */
644 ipfw_rtsocklog_fill_l3(args, &buf,
645 &info->rti_info[RTAX_GATEWAY],
646 &info->rti_info[RTAX_NETMASK]);
647
648 info->rti_ifp = args->ifp;
649 rtsock_routemsg_info(RTM_IPFWLOG, info, RT_ALL_FIBS);
650
651 free(orig_buf, M_TEMP);
652 }
653
654 /*
655 * We enter here when we have a rule with O_LOG.
656 */
657 void
ipfw_log(struct ip_fw_chain * chain,struct ip_fw * f,u_int hlen,struct ip_fw_args * args,u_short offset,uint32_t tablearg,struct ip * ip,void * eh)658 ipfw_log(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
659 struct ip_fw_args *args, u_short offset, uint32_t tablearg,
660 struct ip *ip, void *eh)
661 {
662 ipfw_insn *cmd;
663
664 if (f == NULL || hlen == 0)
665 return;
666
667 /* O_LOG is the first action */
668 cmd = ACTION_PTR(f);
669
670 if (cmd->arg1 == IPFW_LOG_DEFAULT) {
671 if (V_fw_verbose == 0) {
672 ipfw_log_ipfw0(args, ip);
673 return;
674 }
675 ipfw_log_syslog(chain, f, hlen, args, offset, tablearg, ip);
676 return;
677 }
678
679 if (cmd->arg1 & IPFW_LOG_SYSLOG)
680 ipfw_log_syslog(chain, f, hlen, args, offset, tablearg, ip);
681
682 if (cmd->arg1 & IPFW_LOG_RTSOCK)
683 ipfw_log_rtsock(chain, f, hlen, args, offset, tablearg, eh);
684
685 if (cmd->arg1 & IPFW_LOG_IPFW0)
686 ipfw_log_ipfw0(args, ip);
687 }
688 /* end of file */
689