xref: /freebsd/contrib/tcpdump/print-pflog.c (revision ba3c1f5972d7b90feb6e6da47905ff2757e0fe57) 
1 /*
2  * Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  */
21 
22 /* \summary: *BSD/Darwin packet filter log file printer */
23 
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27 
28 #include "netdissect-stdinc.h"
29 
30 #include "netdissect.h"
31 #include "extract.h"
32 #include "af.h"
33 
34 #include "pflog.h"
35 
36 static const struct tok pf_reasons[] = {
37 	{ PFRES_MATCH,		"0(match)" },
38 	{ PFRES_BADOFF,		"1(bad-offset)" },
39 	{ PFRES_FRAG,		"2(fragment)" },
40 	{ PFRES_NORM,		"3(short)" },
41 	{ PFRES_NORM,		"4(normalize)" },
42 	{ PFRES_MEMORY,		"5(memory)" },
43 	{ PFRES_TS,		"6(bad-timestamp)" },
44 	{ PFRES_CONGEST,	"7(congestion)" },
45 	{ PFRES_IPOPTIONS,	"8(ip-option)" },
46 	{ PFRES_PROTCKSUM,	"9(proto-cksum)" },
47 	{ PFRES_BADSTATE,	"10(state-mismatch)" },
48 	{ PFRES_STATEINS,	"11(state-insert)" },
49 	{ PFRES_MAXSTATES,	"12(state-limit)" },
50 	{ PFRES_SRCLIMIT,	"13(src-limit)" },
51 	{ PFRES_SYNPROXY,	"14(synproxy)" },
52 #if defined(__FreeBSD__)
53 	{ PFRES_MAPFAILED,	"15(map-failed)" },
54 #elif defined(__NetBSD__)
55 	{ PFRES_STATELOCKED,	"15(state-locked)" },
56 #elif defined(__OpenBSD__)
57 	{ PFRES_TRANSLATE,	"15(translate)" },
58 	{ PFRES_NOROUTE,	"16(no-route)" },
59 #elif defined(__APPLE__)
60 	{ PFRES_DUMMYNET,	"15(dummynet)" },
61 #endif
62 	{ 0,	NULL }
63 };
64 
65 static const struct tok pf_actions[] = {
66 	{ PF_PASS,		"pass" },
67 	{ PF_DROP,		"block" },
68 	{ PF_SCRUB,		"scrub" },
69 	{ PF_NOSCRUB,		"scrub" },
70 	{ PF_NAT,		"nat" },
71 	{ PF_NONAT,		"nonat" },
72 	{ PF_BINAT,		"binat" },
73 	{ PF_NOBINAT,		"nobinat" },
74 	{ PF_RDR,		"rdr" },
75 	{ PF_NORDR,		"nordr" },
76 	{ PF_SYNPROXY_DROP,	"synproxy-drop" },
77 #if defined(__FreeBSD__)
78 	{ PF_DEFER,		"defer" },
79 	{ PF_MATCH,		"match" },
80 #elif defined(__OpenBSD__)
81 	{ PF_DEFER,		"defer" },
82 	{ PF_MATCH,		"match" },
83 	{ PF_DIVERT,		"divert" },
84 	{ PF_RT,		"rt" },
85 	{ PF_AFRT,		"afrt" },
86 #elif defined(__APPLE__)
87 	{ PF_DUMMYNET,		"dummynet" },
88 	{ PF_NODUMMYNET,	"nodummynet" },
89 	{ PF_NAT64,		"nat64" },
90 	{ PF_NONAT64,		"nonat64" },
91 #endif
92 	{ 0,			NULL }
93 };
94 
95 static const struct tok pf_directions[] = {
96 	{ PF_INOUT,	"in/out" },
97 	{ PF_IN,	"in" },
98 	{ PF_OUT,	"out" },
99 #if defined(__OpenBSD__)
100 	{ PF_FWD,	"fwd" },
101 #endif
102 	{ 0,		NULL }
103 };
104 
105 static void
106 pflog_print(netdissect_options *ndo, const struct pfloghdr *hdr)
107 {
108 	uint32_t rulenr, subrulenr, ridentifier;
109 
110 	ndo->ndo_protocol = "pflog";
111 	rulenr = GET_BE_U_4(&hdr->rulenr);
112 	subrulenr = GET_BE_U_4(&hdr->subrulenr);
113 	ridentifier = GET_BE_U_4(&hdr->ridentifier);
114 	if (subrulenr == (uint32_t)-1)
115 		ND_PRINT("rule %u/", rulenr);
116 	else {
117 		ND_PRINT("rule %u.", rulenr);
118 		nd_printjnp(ndo, (const u_char*)hdr->ruleset, PFLOG_RULESET_NAME_SIZE);
119 		ND_PRINT(".%u/", subrulenr);
120 	}
121 
122 	ND_PRINT("%s", tok2str(pf_reasons, "unkn(%u)", hdr->reason));
123 
124 	if (hdr->uid != UID_MAX)
125 		ND_PRINT(" [uid %u]", (unsigned)hdr->uid);
126 
127 	if (ridentifier != 0)
128 		ND_PRINT(" [ridentifier %u]", ridentifier);
129 
130 	ND_PRINT(": %s %s on ",
131 	    tok2str(pf_actions, "unkn(%u)", GET_U_1(&hdr->action)),
132 	    tok2str(pf_directions, "unkn(%u)", GET_U_1(&hdr->dir)));
133 	nd_printjnp(ndo, (const u_char*)hdr->ifname, PFLOG_IFNAMSIZ);
134 	ND_PRINT(": ");
135 }
136 
137 void
138 pflog_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h,
139                const u_char *p)
140 {
141 	u_int length = h->len;
142 	u_int hdrlen;
143 	u_int caplen = h->caplen;
144 	const struct pfloghdr *hdr;
145 	uint8_t af;
146 
147 	ndo->ndo_protocol = "pflog";
148 	/* check length */
149 	if (caplen < sizeof(uint8_t)) {
150 		nd_print_trunc(ndo);
151 		ndo->ndo_ll_hdr_len += h->caplen;
152 		return;
153 	}
154 
155 #define MIN_PFLOG_HDRLEN	45
156 	hdr = (const struct pfloghdr *)p;
157 	if (GET_U_1(&hdr->length) < MIN_PFLOG_HDRLEN) {
158 		ND_PRINT("[pflog: invalid header length!]");
159 		ndo->ndo_ll_hdr_len += GET_U_1(&hdr->length);	/* XXX: not really */
160 		return;
161 	}
162 	hdrlen = roundup2(hdr->length, 4);
163 
164 	if (caplen < hdrlen) {
165 		nd_print_trunc(ndo);
166 		ndo->ndo_ll_hdr_len += hdrlen;	/* XXX: true? */
167 		return;
168 	}
169 
170 	/* print what we know */
171 	ND_TCHECK_SIZE(hdr);
172 	if (ndo->ndo_eflag)
173 		pflog_print(ndo, hdr);
174 
175 	/* skip to the real packet */
176 	af = GET_U_1(&hdr->af);
177 	length -= hdrlen;
178 	caplen -= hdrlen;
179 	p += hdrlen;
180 	switch (af) {
181 
182 		/*
183 		 * If there's a system that doesn't use the AF_INET
184 		 * from 4.2BSD, feel free to add its value to af.h
185 		 * and use it here.
186 		 *
187 		 * Hopefully, there isn't.
188 		 */
189 		case BSD_AFNUM_INET:
190 		        ip_print(ndo, p, length);
191 			break;
192 
193 		/*
194 		 * Try all AF_INET6 values for all systems with pflog,
195 		 * including Darwin.
196 		 */
197 		case BSD_AFNUM_INET6_BSD:
198 		case BSD_AFNUM_INET6_FREEBSD:
199 		case BSD_AFNUM_INET6_DARWIN:
200 			ip6_print(ndo, p, length);
201 			break;
202 
203 	default:
204 		/* address family not handled, print raw packet */
205 		if (!ndo->ndo_eflag)
206 			pflog_print(ndo, hdr);
207 		if (!ndo->ndo_suppress_default_print)
208 			ND_DEFAULTPRINT(p, caplen);
209 	}
210 
211 	ndo->ndo_ll_hdr_len += hdrlen;
212 	return;
213 trunc:
214 	nd_print_trunc(ndo);
215 	ndo->ndo_ll_hdr_len += hdrlen;
216 }
217