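/*
 * Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that: (1) source code distributions
 * retain the above copyright notice and this paragraph in its entirety, (2)
 * distributions including binary code include the above copyright notice and
 * this paragraph in its entirety in the documentation or other materials
 * provided with the distribution, and (3) all advertising materials mentioning
 * features or use of this software display the following acknowledgement:
 * ``This product includes software developed by the University of California,
 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
 * the University nor the names of its contributors may be used to endorse
 * or promote products derived from this software without specific prior
 * written permission.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

/* \summary: OpenBSD packet filter log file printer */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#ifndef HAVE_NET_PFVAR_H
#error "No pf headers available"
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/pfvar.h>
#include <net/if_pflog.h>

#include <netdissect-stdinc.h>

#include "netdissect.h"
#include "extract.h"

/* Marker printed whenever the pflog header is cut short by the capture. */
static const char tstr[] = "[|pflog]";

/* Display strings for the pflog header's `reason' byte. */
static const struct tok pf_reasons[] = {
	{ 0,	"0(match)" },
	{ 1,	"1(bad-offset)" },
	{ 2,	"2(fragment)" },
	{ 3,	"3(short)" },
	{ 4,	"4(normalize)" },
	{ 5,	"5(memory)" },
	{ 6,	"6(bad-timestamp)" },
	{ 7,	"7(congestion)" },
	{ 8,	"8(ip-option)" },
	{ 9,	"9(proto-cksum)" },
	{ 10,	"10(state-mismatch)" },
	{ 11,	"11(state-insert)" },
	{ 12,	"12(state-limit)" },
	{ 13,	"13(src-limit)" },
	{ 14,	"14(synproxy)" },
	{ 0,	NULL }
};

/*
 * Display strings for the pflog header's `action' byte.  The PF_NO*
 * variants deliberately share the label of their positive counterpart.
 */
static const struct tok pf_actions[] = {
	{ PF_PASS,		"pass" },
	{ PF_DROP,		"block" },
	{ PF_SCRUB,		"scrub" },
	{ PF_NAT,		"nat" },
	{ PF_NONAT,		"nat" },
	{ PF_BINAT,		"binat" },
	{ PF_NOBINAT,		"binat" },
	{ PF_RDR,		"rdr" },
	{ PF_NORDR,		"rdr" },
	{ PF_SYNPROXY_DROP,	"synproxy-drop" },
	{ 0,			NULL }
};

/* Display strings for the pflog header's `dir' byte. */
static const struct tok pf_directions[] = {
	{ PF_INOUT,	"in/out" },
	{ PF_IN,	"in" },
	{ PF_OUT,	"out" },
	{ 0,		NULL }
};

/* For reading capture files on other systems */
#define	OPENBSD_AF_INET		2
#define	OPENBSD_AF_INET6	24

/*
 * Print the one-line summary of a pflog header: rule number (and, when a
 * sub-rule is set, ruleset name and sub-rule number), reason, action,
 * direction and interface name.
 *
 * The caller must already have verified that the whole header lies within
 * the captured data (pflog_if_print does so with ND_TCHECK(*hdr)).
 *
 * hdr->ruleset and hdr->ifname are fixed-size character fields taken
 * straight from the capture, so nothing guarantees that they contain a
 * terminating NUL.  Formatting them with "%s" would keep reading past the
 * field on a crafted or corrupted record; fn_printzp() stops at the first
 * NUL or at the end of the field, whichever comes first, and escapes
 * non-printable bytes instead of sending them raw to the terminal.
 */
static void
pflog_print(netdissect_options *ndo, const struct pfloghdr *hdr)
{
	uint32_t rulenr, subrulenr;

	rulenr = EXTRACT_32BITS(&hdr->rulenr);
	subrulenr = EXTRACT_32BITS(&hdr->subrulenr);
	/* An all-ones sub-rule number means "no sub-rule". */
	if (subrulenr == (uint32_t)-1)
		ND_PRINT((ndo, "rule %u/", rulenr));
	else {
		ND_PRINT((ndo, "rule %u.", rulenr));
		(void)fn_printzp(ndo, (const u_char *)hdr->ruleset,
		    (u_int)sizeof(hdr->ruleset), ndo->ndo_snapend);
		ND_PRINT((ndo, ".%u/", subrulenr));
	}

	ND_PRINT((ndo, "%s: %s %s on ",
	    tok2str(pf_reasons, "unkn(%u)", hdr->reason),
	    tok2str(pf_actions, "unkn(%u)", hdr->action),
	    tok2str(pf_directions, "unkn(%u)", hdr->dir)));
	(void)fn_printzp(ndo, (const u_char *)hdr->ifname,
	    (u_int)sizeof(hdr->ifname), ndo->ndo_snapend);
	ND_PRINT((ndo, ": "));
}

/*
 * Link-layer printer for pflog captures.
 *
 * h describes the packet (h->len is the on-the-wire length, h->caplen the
 * number of bytes actually captured) and p points at the captured bytes,
 * which start with a struct pfloghdr.
 *
 * Returns the word-aligned pflog header length on the normal and on the
 * truncated path, caplen when not even the length byte was captured, and
 * the raw hdr->length when that value is below MIN_PFLOG_HDRLEN.
 */
u_int
pflog_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h,
               register const u_char *p)
{
	u_int length = h->len;
	u_int hdrlen;
	u_int caplen = h->caplen;
	const struct pfloghdr *hdr;
	uint8_t af;

	/* check length */
	if (caplen < sizeof(uint8_t)) {
		ND_PRINT((ndo, "%s", tstr));
		return (caplen);
	}

	/*
	 * Only the one-byte `length' member is known to be captured at this
	 * point; no other member may be read before the checks below pass.
	 */
#define MIN_PFLOG_HDRLEN	45
	hdr = (const struct pfloghdr *)p;
	if (hdr->length < MIN_PFLOG_HDRLEN) {
		ND_PRINT((ndo, "[pflog: invalid header length!]"));
		return (hdr->length);	/* XXX: not really */
	}
	hdrlen = BPF_WORDALIGN(hdr->length);

	if (caplen < hdrlen) {
		ND_PRINT((ndo, "%s", tstr));
		return (hdrlen);	/* XXX: true? */
	}

	/* print what we know */
	/*
	 * hdr->length comes from the capture and may be smaller than
	 * sizeof(struct pfloghdr), so the whole structure is bounds-checked
	 * here before any further member is touched.
	 */
	ND_TCHECK(*hdr);
	if (ndo->ndo_eflag)
		pflog_print(ndo, hdr);

	/* skip to the real packet */
	af = hdr->af;
	/*
	 * NOTE(review): caplen >= hdrlen was verified above, but h->len was
	 * not; a capture file claiming len < hdrlen would make `length' wrap.
	 * The payload printers do their own bounds checks against the
	 * snapshot end - confirm that is sufficient for callers of this path.
	 */
	length -= hdrlen;
	caplen -= hdrlen;
	p += hdrlen;
	switch (af) {

		case AF_INET:
#if OPENBSD_AF_INET != AF_INET
		case OPENBSD_AF_INET:		/* XXX: read pcap files */
#endif
		        ip_print(ndo, p, length);
			break;

#if defined(AF_INET6) || defined(OPENBSD_AF_INET6)
#ifdef AF_INET6
		case AF_INET6:
#endif /* AF_INET6 */
#if !defined(AF_INET6) || OPENBSD_AF_INET6 != AF_INET6
		case OPENBSD_AF_INET6:		/* XXX: read pcap files */
#endif /* !defined(AF_INET6) || OPENBSD_AF_INET6 != AF_INET6 */
			ip6_print(ndo, p, length);
			break;
#endif /* defined(AF_INET6) || defined(OPENBSD_AF_INET6) */

	default:
		/* address family not handled, print raw packet */
		/* The header summary was skipped above unless -e was given. */
		if (!ndo->ndo_eflag)
			pflog_print(ndo, hdr);
		if (!ndo->ndo_suppress_default_print)
			ND_DEFAULTPRINT(p, caplen);
	}

	return (hdrlen);
trunc:
	ND_PRINT((ndo, "%s", tstr));
	return (hdrlen);
}

/*
 * Local Variables:
 * c-style: whitesmith
 * c-basic-offset: 8
 * End:
 */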