by other systems as they adopt pf.
Don't bother trying to be backwards compatible with DLT 17.
*/
#ifndef lint
static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.201 2004-03-17 19:03:28 guy Exp $ (LBL)";
+ "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.202 2004-03-28 20:27:12 fenner Exp $ (LBL)";
#endif
#ifdef HAVE_CONFIG_H
#include "sll.h"
#include "arcnet.h"
#include "pf.h"
+#ifndef offsetof
+#define offsetof(s, e) ((size_t)&((s *)0)->e)
+#endif
#ifdef INET6
#ifndef WIN32
#include <netdb.h> /* for "struct addrinfo" */
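Review bot: The fallback `offsetof` added here computes the offset by taking the address of a member through a null pointer, which is not guaranteed to be a constant expression and draws diagnostics from some compilers. `<stddef.h>` provides `offsetof` on every C89 toolchain, so adding `#include <stddef.h>` to this include block would make the `#ifndef offsetof` fallback unnecessary. If the fallback has to stay for pre-ANSI compilers, a one-line comment saying so would help the next reader.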
off_nl_nosnap = 12; /* no 802.2 LLC */
return;
- case DLT_PFLOG:
- off_linktype = 0;
- off_nl = 28;
- off_nl_nosnap = 28; /* no 802.2 LLC */
- return;
-
case DLT_PPP:
case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
return;
+ case DLT_PFLOG:
+ off_linktype = 0;
+ /* XXX read from header? */
+ off_nl = PFLOG_HDRLEN;
+ off_nl_nosnap = PFLOG_HDRLEN;
+ return;
+
+#ifdef DLT_PFSYNC
+ case DLT_PFSYNC:
+ off_linktype = -1;
+ off_nl = 4;
+ off_nl_nosnap = 4;
+ return;
+#endif
}
bpf_error("unknown data link type %d", linktype);
/* NOTREACHED */
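Review bot: `off_nl = PFLOG_HDRLEN` and every `offsetof(struct pfloghdr, ...)` introduced in this commit take the header layout from the compiling host's `struct pfloghdr`, whose `af` member is declared `sa_family_t` in the pf.h section. Where `sa_family_t` is wider than one byte (it is a 16-bit type on Linux, for example), the members after `af` shift and the structure grows, so a filter compiled there against an OpenBSD pflog capture would test the wrong bytes and silently match or miss packets. Declaring the member with a fixed width, `u_int8_t af;`, keeps the offsets equal to the on-the-wire layout on every host; the same applies to the link-type match, the direction match and the gen_pf_* hunks. The `/* XXX read from header? */` remark is also still open: the header carries its own `length` byte, and a fixed `off_nl` will mis-locate the network header if that value ever differs from `sizeof(struct pfloghdr)`. The enclosing function starts before this hunk.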
case DLT_NULL:
case DLT_LOOP:
case DLT_ENC:
- case DLT_PFLOG:
/*
* For DLT_NULL, the link-layer header is a 32-bit
* word containing an AF_ value in *host* byte order,
* This means that, when reading a capture file, just
* checking for our AF_INET6 value won't work if the
* capture file came from another OS.
- *
- * XXX - what's the byte order for DLT_PFLOG?
*/
switch (proto) {
}
return (gen_cmp(0, BPF_W, (bpf_int32)proto));
+ case DLT_PFLOG:
+ /*
+ * af field is host byte order in contrast to the rest of
+ * the packet.
+ */
+ if (proto == ETHERTYPE_IP)
+ return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
+ (bpf_int32)AF_INET));
+#ifdef INET6
+ else if (proto == ETHERTYPE_IPV6)
+ return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
+ (bpf_int32)AF_INET6));
+#endif /* INET6 */
+ else
+ return gen_false();
+ break;
+
case DLT_ARCNET:
case DLT_ARCNET_LINUX:
/*
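Review bot: The new DLT_PFLOG case compares the `af` byte with the build host's `AF_INET` and `AF_INET6`, but the `AF_INET6` number differs between operating systems, as the DLT_NULL comment a few lines above points out for capture files that came from another OS. An `ip6` filter applied to a pflog savefile on a host with a different `AF_INET6` value would then be expected to match nothing, without any error. Consider comparing against a constant that names the capturing system's value rather than the local `AF_INET6`, or at least state the limitation in the comment; because the load is `BPF_B`, the remark about host byte order has no effect on a single byte. The trailing `break;` is unreachable, since all three branches return. The enclosing function's body begins and ends outside this hunk.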
break;
case DLT_PFLOG:
- b0 = gen_cmp(26, BPF_H,
+ b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
(bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
break;
struct block *
gen_pf_ifname(const char *ifname)
{
- if (linktype != DLT_PFLOG) {
- bpf_error("ifname supported only for DLT_PFLOG");
+ struct block *b0;
+ u_int len, off;
+
+ if (linktype == DLT_PFLOG) {
+ len = sizeof(((struct pfloghdr *)0)->ifname);
+ off = offsetof(struct pfloghdr, ifname);
+ } else {
+ bpf_error("ifname not supported on linktype 0x%x", linktype);
/* NOTREACHED */
}
- if (strlen(ifname) >= 16) {
- bpf_error("ifname interface names can't be larger than 16 characters");
+ if (strlen(ifname) >= len) {
+ bpf_error("ifname interface names can only be %d characters",
+ len-1);
/* NOTREACHED */
}
- return (gen_bcmp(4, strlen(ifname), (const u_char *)ifname));
+ b0 = gen_bcmp(off, strlen(ifname), ifname);
+ return (b0);
}
+/* PF firewall log matched interface */
+struct block *
+gen_pf_ruleset(char *ruleset)
+{
+ struct block *b0;
+
+ if (linktype != DLT_PFLOG) {
+ bpf_error("ruleset not supported on linktype 0x%x", linktype);
+ /* NOTREACHED */
+ }
+ if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
+ bpf_error("ruleset names can only be %d characters",
+ sizeof(((struct pfloghdr *)0)->ruleset) - 1);
+ /* NOTREACHED */
+ }
+ b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
+ strlen(ruleset), ruleset);
+ return (b0);
+}
/* PF firewall log rule number */
struct block *
gen_pf_rnr(int rnr)
{
+ struct block *b0;
+
+ if (linktype == DLT_PFLOG) {
+ b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
+ (bpf_int32)rnr);
+ } else {
+ bpf_error("rnr not supported on linktype 0x%x", linktype);
+ /* NOTREACHED */
+ }
+
+ return (b0);
+}
+
+/* PF firewall log sub-rule number */
+struct block *
+gen_pf_srnr(int srnr)
+{
+ struct block *b0;
+
if (linktype != DLT_PFLOG) {
- bpf_error("rnr supported only for DLT_PFLOG");
+ bpf_error("srnr not supported on linktype 0x%x", linktype);
/* NOTREACHED */
}
- return (gen_cmp(20, BPF_H, (bpf_int32)rnr));
+ b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
+ (bpf_int32)srnr);
+ return (b0);
}
/* PF firewall log reason code */
struct block *
gen_pf_reason(int reason)
{
- if (linktype != DLT_PFLOG) {
- bpf_error("reason supported only for DLT_PFLOG");
+ struct block *b0;
+
+ if (linktype == DLT_PFLOG) {
+ b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
+ (bpf_int32)reason);
+ } else {
+ bpf_error("reason not supported on linktype 0x%x", linktype);
/* NOTREACHED */
}
- return (gen_cmp(22, BPF_H, (bpf_int32)reason));
+ return (b0);
}
/* PF firewall log action */
struct block *
gen_pf_action(int action)
{
- if (linktype != DLT_PFLOG) {
- bpf_error("action supported only for DLT_PFLOG");
+ struct block *b0;
+
+ if (linktype == DLT_PFLOG) {
+ b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
+ (bpf_int32)action);
+ } else {
+ bpf_error("action not supported on linktype 0x%x", linktype);
/* NOTREACHED */
}
- return (gen_cmp(24, BPF_H, (bpf_int32)action));
+ return (b0);
}
struct block *
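Review bot: In gen_pf_ruleset the `bpf_error` call passes `sizeof(((struct pfloghdr *)0)->ruleset) - 1`, a `size_t`, to a `%d` conversion, which is undefined where `size_t` is wider than `int`; cast the argument, `(int)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)`. gen_pf_ifname has the milder form of the same mismatch, passing the `u_int` expression `len-1` to `%d`, where `%u` would match. The comment above gen_pf_ruleset was copied from the interface matcher and should read `/* PF firewall log ruleset name */`. The new `gen_bcmp(off, strlen(ifname), ifname)` call also drops the `(const u_char *)` cast that the removed line had, and gen_pf_ruleset passes a plain `char *` the same way, so both rely on an implicit pointer-signedness conversion. Taking `const char *ruleset` would additionally match gen_pf_ifname's signature.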
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * @(#) $Header: /tcpdump/master/libpcap/gencode.h,v 1.58 2003-05-02 08:37:44 guy Exp $ (LBL)
+ * @(#) $Header: /tcpdump/master/libpcap/gencode.h,v 1.59 2004-03-28 20:27:14 fenner Exp $ (LBL)
*/
/*
struct block *gen_pf_ifname(const char *);
struct block *gen_pf_rnr(int);
+struct block *gen_pf_srnr(int);
+struct block *gen_pf_ruleset(char *);
struct block *gen_pf_reason(int);
struct block *gen_pf_action(int);
struct block *gen_pf_dir(int);
*/
#ifndef lint
static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.81 2003-12-16 05:19:56 guy Exp $ (LBL)";
+ "@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.82 2004-03-28 20:27:14 fenner Exp $ (LBL)";
#endif
#ifdef HAVE_CONFIG_H
#endif /* WIN32 */
#include <stdio.h>
+#include <strings.h>
#include "pcap-int.h"
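Review bot: `#include <strings.h>` is added after the `#endif /* WIN32 */` line, so as far as this hunk shows it is also included on Windows builds, where that header is not normally available. None of the grammar changes visible in this commit call a `<strings.h>` function, so the include may be unnecessary. If it is needed, it probably belongs inside the non-WIN32 branch, or `<string.h>` may be what was intended. The surrounding preprocessor block starts outside this hunk.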
%token ATALK AARP DECNET LAT SCA MOPRC MOPDL
%token TK_BROADCAST TK_MULTICAST
%token NUM INBOUND OUTBOUND
-%token PF_IFNAME PF_RNR PF_REASON PF_ACTION
+%token PF_IFNAME PF_RSET PF_RNR PF_SRNR PF_REASON PF_ACTION
%token LINK
%token GEQ LEQ NEQ
%token ID EID HID HID6 AID
;
pfvar: PF_IFNAME ID { $$ = gen_pf_ifname($2); }
+ | PF_RSET ID { $$ = gen_pf_ruleset($2); }
| PF_RNR NUM { $$ = gen_pf_rnr($2); }
+ | PF_SRNR NUM { $$ = gen_pf_srnr($2); }
| PF_REASON reason { $$ = gen_pf_reason($2); }
| PF_ACTION action { $$ = gen_pf_action($2); }
;
*
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
*
- * @(#) $Header: /tcpdump/master/libpcap/pcap-bpf.h,v 1.18 2004-03-17 19:03:29 guy Exp $ (LBL)
+ * @(#) $Header: /tcpdump/master/libpcap/pcap-bpf.h,v 1.19 2004-03-28 20:27:15 fenner Exp $ (LBL)
*/
/*
#endif
/*
- * 17 is used for DLT_PFLOG in OpenBSD; don't use it for anything else.
+ * 17 is used for DLT_OLD_PFLOG in OpenBSD;
+ * OBSOLETE: DLT_PFLOG is 117 in OpenBSD now as well. See below.
+ * 18 is used for DLT_PFSYNC in OpenBSD; don't use it for anything else.
*/
#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
/*
* OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, but that's DLT_LANE8023
* in SuSE 6.3, so we can't use 17 for it in capture-file headers.
+ *
+ * XXX: is there a conflict with DLT_PFSYNC 18 as well?
*/
#ifdef __OpenBSD__
-#define DLT_PFLOG 17
-#else
-#define DLT_PFLOG 117
+#define DLT_OLD_PFLOG 17
+#define DLT_PFSYNC 18
#endif
+#define DLT_PFLOG 117
/*
* Registered for Cisco-internal use.
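Review bot: The retained comment lines still say "DLT_PFLOG is 17 in OpenBSD", which no longer matches the code now that `DLT_PFLOG` is defined as 117 unconditionally and 17 is only `DLT_OLD_PFLOG`. I would reword it along the lines of `OpenBSD DLT_PFLOG; older OpenBSD releases used 17 (DLT_OLD_PFLOG), which is DLT_LANE8023 in SuSE 6.3`. `DLT_OLD_PFLOG` is defined only under `__OpenBSD__` and no code visible in this commit handles it, so a one-line comment stating that it is kept only to reserve the number would avoid confusion.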
-.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap.3,v 1.59 2004-03-23 19:18:07 guy Exp $
+.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap.3,v 1.60 2004-03-28 20:27:16 fenner Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
OpenBSD pflog; the link layer header contains, in order:
.RS 10
.LP
-a 4-byte PF_ value, in network byte order;
+a 1-byte header length, in host byte order;
.LP
-a 16-character interface name;
+a 4-byte PF_ value, in host byte order;
.LP
-a 2-byte rule number, in network byte order;
+a 2-byte action code, in network byte order, which is one of:
+.RS 5
+.TP 5
+0
+passed
+.TP 5
+1
+dropped
+.TP 5
+2
+scrubbed
+.RE
.LP
a 2-byte reason code, in network byte order, which is one of:
.RS 5
4
normalize
.TP 5
+5
memory
.RE
.LP
-a 2-byte action code, in network byte order, which is one of:
-.RS 5
-.TP 5
-0
-passed
-.TP 5
-1
-dropped
-.TP 5
-2
-scrubbed
-.RE
+a 16-character interface name;
+.LP
+a 16-character ruleset name (only meaningful if subrule is set);
+.LP
+a 4-byte rule number, in network byte order;
+.LP
+a 4-byte subrule number, in network byte order;
.LP
-a 2-byte direction, in network byte order, which is one of:
+a 1-byte direction, in network byte order, which is one of:
.RS 5
.TP 5
0
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * @(#) $Header: /tcpdump/master/libpcap/Attic/pf.h,v 1.1 2003-03-11 06:23:54 guy Exp $ (LBL)
+ * @(#) $Header: /tcpdump/master/libpcap/Attic/pf.h,v 1.2 2004-03-28 20:27:16 fenner Exp $ (LBL)
*/
-/* from $OpenBSD: pfvar.h,v 1.61 2002/01/11 20:13:11 mickey Exp $ */
+/* from $OpenBSD: pfvar.h,v 1.170 2003/08/22 21:50:34 david Exp $ */
-enum { PF_IN=0, PF_OUT=1 };
-enum { PF_PASS=0, PF_DROP=1, PF_SCRUB=2 };
+enum { PF_INOUT=0, PF_IN=1, PF_OUT=2 };
+enum { PF_PASS=0, PF_DROP=1, PF_SCRUB=2, PF_NAT=3, PF_NONAT=4,
+ PF_BINAT=5, PF_NOBINAT=6, PF_RDR=7, PF_NORDR=8, PF_SYNPROXY_DROP=9 };
/* Reasons code for passing/dropping a packet */
#define PFRES_MATCH 0 /* Explicit match of a rule */
"memory", \
NULL \
}
+
+#define PF_RULESET_NAME_SIZE 16
+
+/* from $OpenBSD: if_pflog.h,v 1.9 2003/07/15 20:27:27 dhartmei Exp $ */
+
+#ifndef IFNAMSIZ
+#define IFNAMSIZ 16
+#endif
+
+struct pfloghdr {
+ u_int8_t length;
+ sa_family_t af;
+ u_int8_t action;
+ u_int8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[PF_RULESET_NAME_SIZE];
+ u_int32_t rulenr;
+ u_int32_t subrulenr;
+ u_int8_t dir;
+ u_int8_t pad[3];
+};
+#define PFLOG_HDRLEN sizeof(struct pfloghdr)
#ifndef lint
static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.97 2003-12-16 05:19:56 guy Exp $ (LBL)";
+ "@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.98 2004-03-28 20:27:16 fenner Exp $ (LBL)";
#endif
#ifdef HAVE_CONFIG_H
metaconnect return METACONNECT;
on|ifname return PF_IFNAME;
+rset|ruleset return PF_RSET;
rnr|rulenum return PF_RNR;
+srnr|subrulenum return PF_SRNR;
reason return PF_REASON;
action return PF_ACTION;