]> The Tcpdump Group git mirrors - tcpdump/blob - print-pflog.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
pflog: don't use PF_ as a prefix for #defines.
[tcpdump] / print-pflog.c
1 /*
2 * Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 /* \summary: *BSD/Darwin packet filter log file printer */
23
24 #include <config.h>
25
26 #include <limits.h>
27
28 #include "netdissect-stdinc.h"
29
30 #define ND_LONGJMP_FROM_TCHECK
31 #include "netdissect.h"
32 #include "extract.h"
33 #include "af.h"
34
35 /*
36 * pflog headers, at least as they exist now.
37 */
38 #define PFLOG_IFNAMSIZ 16
39 #define PFLOG_RULESET_NAME_SIZE 16
40
41 struct pf_addr {
42 union {
43 nd_ipv4 v4;
44 nd_ipv6 v6;
45 } pfa; /* 128-bit address */
46 #define v4 pfa.v4
47 #define v6 pfa.v6
48 };
49
50 /*
51 * This header is:
52 *
53 * 61 bytes long on NetBSD, DragonFly BSD. and Darwin;
54 * 84 bytes lon on OpenBSD;
55 * 72 bytes long on FreeBSD;
56 *
57 * which, unfortunately, does not allow us to distinguish, based on
58 * the header length, between the three OSes listed as having 61-byte
59 * headers. As the action values differ between them, this makes it
60 * impossible to correctly dissect the reason values that differ
61 * between NetBSD and Darwin (reason value 15) without having some
62 * way to explicitly tell tcpdump what to do.
63 *
64 * (We could, I guess, label reason value 15 as
65 * "state-locked (NetBSD)/dummynet (macOS etc.)" or something such as
66 * that.)
67 */
68 struct pfloghdr {
69 nd_uint8_t length;
70 nd_uint8_t af;
71 nd_uint8_t action;
72 nd_uint8_t reason;
73 char ifname[PFLOG_IFNAMSIZ];
74 char ruleset[PFLOG_RULESET_NAME_SIZE];
75 nd_uint32_t rulenr;
76 nd_uint32_t subrulenr;
77 nd_uint32_t uid;
78 nd_int32_t pid;
79 nd_uint32_t rule_uid;
80 nd_int32_t rule_pid;
81 nd_uint8_t dir;
82 union {
83 struct pflog_openbsd_only {
84 nd_uint8_t rewritten;
85 nd_uint8_t naf;
86 nd_uint8_t pad[1];
87 struct pf_addr saddr;
88 struct pf_addr daddr;
89 nd_uint16_t sport;
90 nd_uint16_t dport;
91 } openbsd;
92 struct pflog_freebsd_only {
93 nd_uint8_t pad[3];
94 nd_uint32_t ridentifier;
95 nd_uint8_t reserve;
96 } freebsd;
97 } u;
98 };
99
100 /*
101 * FreeBSD header length.
102 */
103 #define PFLOG_HEADER_LEN_FREEBSD 69
104
105 /*
106 * OpenBSD header length.
107 */
108 #define PFLOG_HEADER_LEN_OPENBSD 100
109
110 /*
111 * DragonFly BSD, NetBSD and Darwin header length.
112 * Older versions of FreeBSD and OpenBSD may have used this
113 * as well.
114 *
115 * Unfortunately, this means we can't distinguish between Darwin, NetBSD,
116 * and DragonFly BSD based on the header length.
117 */
118 #define PFLOG_HEADER_LEN_OTHER 61
119
120 /*
121 * These are the minimum and maximum pflog header lengths.
122 */
123 #define MIN_PFLOG_HDRLEN 61
124 #define MAX_PFLOG_HDRLEN 100
125
126 /*
127 * Reason values.
128 */
129 #define PFRES_MATCH 0
130 #define PFRES_BADOFF 1
131 #define PFRES_FRAG 2
132 #define PFRES_SHORT 3
133 #define PFRES_NORM 4
134 #define PFRES_MEMORY 5
135 #define PFRES_TS 6
136 #define PFRES_CONGEST 7
137 #define PFRES_IPOPTIONS 8
138 #define PFRES_PROTCKSUM 9
139 #define PFRES_BADSTATE 10
140 #define PFRES_STATEINS 11
141 #define PFRES_MAXSTATES 12
142 #define PFRES_SRCLIMIT 13
143 #define PFRES_SYNPROXY 14
144
145 /* FreeBSD */
146 #define PFRES_MAPFAILED 15
147
148 /* OpenBSD */
149 #define PFRES_TRANSLATE 15
150 #define PFRES_NOROUTE 16
151
152 /* NetBSD/Darwin */
153 #define PFRES_STATELOCKED_DUMMYNET 15 /* STATELOCKED on NetBSD, DUMMYNET on Darwin */
154 #define PFRES_INVPORT 16 /* INVPORT on Darwin */
155
156 static const struct tok pf_reasons_freebsd[] = {
157 { PFRES_MATCH, "0(match)" },
158 { PFRES_BADOFF, "1(bad-offset)" },
159 { PFRES_FRAG, "2(fragment)" },
160 { PFRES_SHORT, "3(short)" },
161 { PFRES_NORM, "4(normalize)" },
162 { PFRES_MEMORY, "5(memory)" },
163 { PFRES_TS, "6(bad-timestamp)" },
164 { PFRES_CONGEST, "7(congestion)" },
165 { PFRES_IPOPTIONS, "8(ip-option)" },
166 { PFRES_PROTCKSUM, "9(proto-cksum)" },
167 { PFRES_BADSTATE, "10(state-mismatch)" },
168 { PFRES_STATEINS, "11(state-insert)" },
169 { PFRES_MAXSTATES, "12(state-limit)" },
170 { PFRES_SRCLIMIT, "13(src-limit)" },
171 { PFRES_SYNPROXY, "14(synproxy)" },
172 { PFRES_MAPFAILED, "15(map-failed)" },
173 { 0, NULL }
174 };
175
176 static const struct tok pf_reasons_openbsd[] = {
177 { PFRES_MATCH, "0(match)" },
178 { PFRES_BADOFF, "1(bad-offset)" },
179 { PFRES_FRAG, "2(fragment)" },
180 { PFRES_SHORT, "3(short)" },
181 { PFRES_NORM, "4(normalize)" },
182 { PFRES_MEMORY, "5(memory)" },
183 { PFRES_TS, "6(bad-timestamp)" },
184 { PFRES_CONGEST, "7(congestion)" },
185 { PFRES_IPOPTIONS, "8(ip-option)" },
186 { PFRES_PROTCKSUM, "9(proto-cksum)" },
187 { PFRES_BADSTATE, "10(state-mismatch)" },
188 { PFRES_STATEINS, "11(state-insert)" },
189 { PFRES_MAXSTATES, "12(state-limit)" },
190 { PFRES_SRCLIMIT, "13(src-limit)" },
191 { PFRES_SYNPROXY, "14(synproxy)" },
192 { PFRES_TRANSLATE, "15(translate)" },
193 { PFRES_NOROUTE, "16(no-route)" },
194 { 0, NULL }
195 };
196
197 static const struct tok pf_reasons_other[] = {
198 { PFRES_MATCH, "0(match)" },
199 { PFRES_BADOFF, "1(bad-offset)" },
200 { PFRES_FRAG, "2(fragment)" },
201 { PFRES_SHORT, "3(short)" },
202 { PFRES_NORM, "4(normalize)" },
203 { PFRES_MEMORY, "5(memory)" },
204 { PFRES_TS, "6(bad-timestamp)" },
205 { PFRES_CONGEST, "7(congestion)" },
206 { PFRES_IPOPTIONS, "8(ip-option)" },
207 { PFRES_PROTCKSUM, "9(proto-cksum)" },
208 { PFRES_BADSTATE, "10(state-mismatch)" },
209 { PFRES_STATEINS, "11(state-insert)" },
210 { PFRES_MAXSTATES, "12(state-limit)" },
211 { PFRES_SRCLIMIT, "13(src-limit)" },
212 { PFRES_SYNPROXY, "14(synproxy)" },
213 { PFRES_STATELOCKED_DUMMYNET,
214 "15(state-locked (NetBSD)/dummynet(Darwin)" },
215 { PFRES_INVPORT, "16(invalid-port (Darwin))" },
216 { 0, NULL }
217 };
218
219 /*
220 * Action values.
221 */
222 #define PFACT_PASS 0
223 #define PFACT_DROP 1
224 #define PFACT_SCRUB 2
225 #define PFACT_NOSCRUB 3
226 #define PFACT_NAT 4
227 #define PFACT_NONAT 5
228 #define PFACT_BINAT 6
229 #define PFACT_NOBINAT 7
230 #define PFACT_RDR 8
231 #define PFACT_NORDR 9
232 #define PFACT_SYNPROXY_DROP 10
233
234 /* FreeBSD and OpenBSD */
235 #define PFACT_DEFER 11
236
237 /* FreeBSD */
238 #define PFACT_MATCH 12
239
240 /* OpenBSD */
241 #define PFACT_MATCH 12
242 #define PFACT_DIVERT 13
243 #define PFACT_RT 14
244 #define PFACT_AFRT 15
245
246 /* Darwin */
247 #define PFACT_DUMMYNET 11
248 #define PFACT_NODUMMYNET 12
249 #define PFACT_NAT64 13
250 #define PFACT_NONAT64 14
251
252 static const struct tok pf_actions_freebsd[] = {
253 { PFACT_PASS, "pass" },
254 { PFACT_DROP, "block" },
255 { PFACT_SCRUB, "scrub" },
256 { PFACT_NOSCRUB, "noscrub" },
257 { PFACT_NAT, "nat" },
258 { PFACT_NONAT, "nonat" },
259 { PFACT_BINAT, "binat" },
260 { PFACT_NOBINAT, "nobinat" },
261 { PFACT_RDR, "rdr" },
262 { PFACT_NORDR, "nordr" },
263 { PFACT_SYNPROXY_DROP, "synproxy-drop" },
264 { PFACT_DEFER, "defer" },
265 { PFACT_MATCH, "match" },
266 { 0, NULL }
267 };
268
269 static const struct tok pf_actions_openbsd[] = {
270 { PFACT_PASS, "pass" },
271 { PFACT_DROP, "block" },
272 { PFACT_SCRUB, "scrub" },
273 { PFACT_NOSCRUB, "noscrub" },
274 { PFACT_NAT, "nat" },
275 { PFACT_NONAT, "nonat" },
276 { PFACT_BINAT, "binat" },
277 { PFACT_NOBINAT, "nobinat" },
278 { PFACT_RDR, "rdr" },
279 { PFACT_NORDR, "nordr" },
280 { PFACT_SYNPROXY_DROP, "synproxy-drop" },
281 { PFACT_DEFER, "defer" },
282 { PFACT_MATCH, "match" },
283 { PFACT_DIVERT, "divert" },
284 { PFACT_RT, "rt" },
285 { PFACT_AFRT, "afrt" },
286 { 0, NULL }
287 };
288
289 static const struct tok pf_actions_darwin[] = {
290 { PFACT_PASS, "pass" },
291 { PFACT_DROP, "block" },
292 { PFACT_SCRUB, "scrub" },
293 { PFACT_NOSCRUB, "noscrub" },
294 { PFACT_NAT, "nat" },
295 { PFACT_NONAT, "nonat" },
296 { PFACT_BINAT, "binat" },
297 { PFACT_NOBINAT, "nobinat" },
298 { PFACT_RDR, "rdr" },
299 { PFACT_NORDR, "nordr" },
300 { PFACT_SYNPROXY_DROP, "synproxy-drop" },
301 { PFACT_DUMMYNET, "dummynet (Darwin)" },
302 { PFACT_NODUMMYNET, "nodummynet (Darwin)" },
303 { PFACT_NAT64, "nat64 (Darwin)" },
304 { PFACT_NONAT64, "nonat64 (Darwin)" },
305 { 0, NULL }
306 };
307
308 /*
309 * Direction values.
310 */
311 #define PFDIR_INOUT 0
312 #define PFDIR_IN 1
313 #define PFDIR_OUT 2
314
315 /* OpenBSD */
316 #define PFDIR_FWD 3
317
318 static const struct tok pf_directions_freebsd[] = {
319 { PFDIR_INOUT, "in/out" },
320 { PFDIR_IN, "in" },
321 { PFDIR_OUT, "out" },
322 { 0, NULL }
323 };
324
325 static const struct tok pf_directions_openbsd[] = {
326 { PFDIR_INOUT, "in/out" },
327 { PFDIR_IN, "in" },
328 { PFDIR_OUT, "out" },
329 { PFDIR_FWD, "fwd" },
330 { 0, NULL }
331 };
332
333 static const struct tok pf_directions_other[] = {
334 { PFDIR_INOUT, "in/out" },
335 { PFDIR_IN, "in" },
336 { PFDIR_OUT, "out" },
337 { 0, NULL }
338 };
339
340 static void
341 pflog_print(netdissect_options *ndo, const struct pfloghdr *hdr)
342 {
343 uint8_t length;
344 uint32_t rulenr, subrulenr;
345 uint32_t uid;
346 uint32_t ridentifier;
347
348 ndo->ndo_protocol = "pflog";
349 length = GET_U_1(hdr->length);
350
351 rulenr = GET_BE_U_4(hdr->rulenr);
352 subrulenr = GET_BE_U_4(hdr->subrulenr);
353 ND_PRINT("rule ");
354 if (rulenr != (uint32_t)-1) {
355 ND_PRINT("%u", rulenr);
356 if (hdr->ruleset[0] != '\0') {
357 ND_PRINT(".");
358 nd_printjnp(ndo, (const u_char*)hdr->ruleset, PFLOG_RULESET_NAME_SIZE);
359 }
360 if (subrulenr != (uint32_t)-1)
361 ND_PRINT(".%u", subrulenr);
362 }
363 ND_PRINT("/");
364
365 if (length == PFLOG_HEADER_LEN_FREEBSD)
366 ND_PRINT("%s", tok2str(pf_reasons_freebsd, "unkn(%u)", GET_U_1(hdr->reason)));
367 else if (length == PFLOG_HEADER_LEN_OPENBSD)
368 ND_PRINT("%s", tok2str(pf_reasons_openbsd, "unkn(%u)", GET_U_1(hdr->reason)));
369 else
370 ND_PRINT("%s", tok2str(pf_reasons_other, "unkn(%u)", GET_U_1(hdr->reason)));
371
372 /*
373 * In Darwin (macOS, etc.) and NetBSD, uid is set to
374 * UID_MAX if there's no UID, and UID_MAX is 2^31-1.
375 * UID_MAX is 2^31-1.
376 *
377 * In OpenBSD, uid is set to -1 if there's no UID, which
378 * means we'll see it as UINT_MAX, as we treat it as
379 * unsigned. UID_MAX is 2^32-1.
380 *
381 * In FreeBSD and DragonFly BSD, uid is set to UID_MAX
382 * if there's no UID. UID_MAX is 2^32-1.
383 *
384 * So:
385 *
386 * For OpenBSD and FreeBSD, check only for 2^32-1 (0xFFFFFFFFU)
387 * if there's no UID.
388 *
389 * For other OSes, it's either NetBSD, DragonFly BSD, or Darwin,
390 * check for both 2^31-1 (0x7FFFFFFFU) (NetBSD and Darwin) and
391 * 2^32-1 (0xFFFFFFFFU) (DragonFly BSD). That runs the risk of
392 * the UID not being printed for a DragonFly BSD log if it's
393 * 0x7FFFFFFF, but that's *probably* not going to be the case.
394 */
395 uid = GET_BE_U_4(hdr->uid);
396 if (length == PFLOG_HEADER_LEN_FREEBSD ||
397 length == PFLOG_HEADER_LEN_OPENBSD) {
398 if (uid != 0xFFFFFFFFU)
399 ND_PRINT(" [uid %u]", uid);
400 } else {
401 if (uid != 0xFFFFFFFFU && uid != 0x7FFFFFFFU)
402 ND_PRINT(" [uid %u]", uid);
403 }
404
405 if (length == PFLOG_HEADER_LEN_FREEBSD) {
406 ridentifier = GET_BE_U_4(hdr->u.freebsd.ridentifier);
407 if (ridentifier != 0)
408 ND_PRINT(" [ridentifier %u]", ridentifier);
409 }
410
411 if (length == PFLOG_HEADER_LEN_FREEBSD) {
412 ND_PRINT(": %s %s on ",
413 tok2str(pf_actions_freebsd, "unkn(%u)", GET_U_1(hdr->action)),
414 tok2str(pf_directions_freebsd, "unkn(%u)", GET_U_1(hdr->dir)));
415 } else if (length == PFLOG_HEADER_LEN_OPENBSD) {
416 ND_PRINT(": %s %s on ",
417 tok2str(pf_actions_openbsd, "unkn(%u)", GET_U_1(hdr->action)),
418 tok2str(pf_directions_openbsd, "unkn(%u)", GET_U_1(hdr->dir)));
419 } else {
420 /*
421 * We use the Darwin set of actions, as it's a superset
422 * of the NetBSD/DragonFly BSD set of actions.
423 */
424 ND_PRINT(": %s %s on ",
425 tok2str(pf_actions_darwin, "unkn(%u)", GET_U_1(hdr->action)),
426 tok2str(pf_directions_other, "unkn(%u)", GET_U_1(hdr->dir)));
427 }
428 nd_printjnp(ndo, (const u_char*)hdr->ifname, PFLOG_IFNAMSIZ);
429 ND_PRINT(": ");
430 }
431
432 void
433 pflog_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h,
434 const u_char *p)
435 {
436 u_int length = h->len;
437 u_int hdrlen;
438 u_int caplen = h->caplen;
439 const struct pfloghdr *hdr;
440 uint8_t af;
441
442 ndo->ndo_protocol = "pflog";
443 /* check length */
444 ND_ICHECK_U(length, <, MIN_PFLOG_HDRLEN);
445
446 hdr = (const struct pfloghdr *)p;
447 hdrlen = GET_U_1(hdr->length);
448 ND_ICHECK_U(hdrlen, <, MIN_PFLOG_HDRLEN);
449 ND_ICHECK_U(hdrlen, >, MAX_PFLOG_HDRLEN);
450 hdrlen = roundup2(hdrlen, 4);
451
452 /* print what we know */
453 ND_TCHECK_LEN(hdr, hdrlen);
454 ndo->ndo_ll_hdr_len += hdrlen;
455 if (ndo->ndo_eflag)
456 pflog_print(ndo, hdr);
457
458 /* skip to the real packet */
459 af = GET_U_1(hdr->af);
460 length -= hdrlen;
461 caplen -= hdrlen;
462 p += hdrlen;
463 switch (af) {
464
465 /*
466 * If there's a system that doesn't use the AF_INET
467 * from 4.2BSD, feel free to add its value to af.h
468 * and use it here.
469 *
470 * Hopefully, there isn't.
471 */
472 case BSD_AF_INET:
473 ip_print(ndo, p, length);
474 break;
475
476 /*
477 * Try all AF_INET6 values for all systems with pflog,
478 * including Darwin.
479 */
480 case BSD_AF_INET6_BSD:
481 case BSD_AF_INET6_FREEBSD:
482 case BSD_AF_INET6_DARWIN:
483 ip6_print(ndo, p, length);
484 break;
485
486 default:
487 /* address family not handled, print raw packet */
488 if (!ndo->ndo_eflag)
489 pflog_print(ndo, hdr);
490 if (!ndo->ndo_suppress_default_print)
491 ND_DEFAULTPRINT(p, caplen);
492 }
493
494 return;
495
496 invalid:
497 nd_print_invalid(ndo);
498 }
[mirror] the TCPdump network dissector