The Tcpdump Group git mirrors - tcpdump/blob - print-pflog.c

   1 /*
   2  * Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996
   3  *      The Regents of the University of California.  All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that: (1) source code distributions
   7  * retain the above copyright notice and this paragraph in its entirety, (2)
   8  * distributions including binary code include the above copyright notice and
   9  * this paragraph in its entirety in the documentation or other materials
  10  * provided with the distribution, and (3) all advertising materials mentioning
  11  * features or use of this software display the following acknowledgement:
  12  * ``This product includes software developed by the University of California,
  13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
  14  * the University nor the names of its contributors may be used to endorse
  15  * or promote products derived from this software without specific prior
  16  * written permission.
  17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
  18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  20  */
  21
  22 /* \summary: *BSD/Darwin packet filter log file printer */
  23
  24 #include <config.h>
  25
  26 #include "netdissect-stdinc.h"
  27
  28 #define ND_LONGJMP_FROM_TCHECK
  29 #include "netdissect.h"
  30 #include "extract.h"
  31 #include "af.h"
  32
  33 /*
  34  * pflog headers, at least as they exist now.
  35  */
  36 #define PFLOG_IFNAMSIZ          16
  37 #define PFLOG_RULESET_NAME_SIZE 16
  38
  39 struct pf_addr {
  40         union {
  41                 nd_ipv4         v4;
  42                 nd_ipv6         v6;
  43         } pfa;              /* 128-bit address */
  44 #define v4      pfa.v4
  45 #define v6      pfa.v6
  46 };
  47
  48 struct pfloghdr {
  49         nd_uint8_t      length;
  50         nd_uint8_t      af;
  51         nd_uint8_t      action;
  52         nd_uint8_t      reason;
  53         char            ifname[PFLOG_IFNAMSIZ];
  54         char            ruleset[PFLOG_RULESET_NAME_SIZE];
  55         nd_uint32_t     rulenr;
  56         nd_uint32_t     subrulenr;
  57         nd_uint32_t     uid;
  58         nd_int32_t      pid;
  59         nd_uint32_t     rule_uid;
  60         nd_int32_t      rule_pid;
  61         nd_uint8_t      dir;
  62 /* Minimum header length (without padding): 61 */
  63 #define MIN_PFLOG_HDRLEN 61
  64 #if defined(__OpenBSD__)
  65         nd_uint8_t      rewritten;
  66         nd_uint8_t      naf;
  67         nd_uint8_t      pad[1];
  68 #else
  69         nd_uint8_t      pad[3];
  70 #endif
  71 #if defined(__FreeBSD__)
  72         nd_uint32_t     ridentifier;
  73         nd_uint8_t      reserve;
  74         nd_uint8_t      pad2[3];
  75 #elif defined(__OpenBSD__)
  76         struct pf_addr  saddr;
  77         struct pf_addr  daddr;
  78         nd_uint16_t     sport;
  79         nd_uint16_t     dport;
  80 #endif
  81 };
  82 #define MAX_PFLOG_HDRLEN 100    /* 61 + 3 + 16 + 16 + 2 + 2 */
  83
  84 /*
  85  * Reason values.
  86  */
  87 #define PFRES_MATCH     0
  88 #define PFRES_BADOFF    1
  89 #define PFRES_FRAG      2
  90 #define PFRES_SHORT     3
  91 #define PFRES_NORM      4
  92 #define PFRES_MEMORY    5
  93 #define PFRES_TS        6
  94 #define PFRES_CONGEST   7
  95 #define PFRES_IPOPTIONS 8
  96 #define PFRES_PROTCKSUM 9
  97 #define PFRES_BADSTATE  10
  98 #define PFRES_STATEINS  11
  99 #define PFRES_MAXSTATES 12
 100 #define PFRES_SRCLIMIT  13
 101 #define PFRES_SYNPROXY  14
 102 #if defined(__FreeBSD__)
 103 #define PFRES_MAPFAILED 15
 104 #elif defined(__NetBSD__)
 105 #define PFRES_STATELOCKED 15
 106 #elif defined(__OpenBSD__)
 107 #define PFRES_TRANSLATE 15
 108 #define PFRES_NOROUTE   16
 109 #elif defined(__APPLE__)
 110 #define PFRES_DUMMYNET  15
 111 #endif
 112
 113 static const struct tok pf_reasons[] = {
 114         { PFRES_MATCH,          "0(match)" },
 115         { PFRES_BADOFF,         "1(bad-offset)" },
 116         { PFRES_FRAG,           "2(fragment)" },
 117         { PFRES_SHORT,          "3(short)" },
 118         { PFRES_NORM,           "4(normalize)" },
 119         { PFRES_MEMORY,         "5(memory)" },
 120         { PFRES_TS,             "6(bad-timestamp)" },
 121         { PFRES_CONGEST,        "7(congestion)" },
 122         { PFRES_IPOPTIONS,      "8(ip-option)" },
 123         { PFRES_PROTCKSUM,      "9(proto-cksum)" },
 124         { PFRES_BADSTATE,       "10(state-mismatch)" },
 125         { PFRES_STATEINS,       "11(state-insert)" },
 126         { PFRES_MAXSTATES,      "12(state-limit)" },
 127         { PFRES_SRCLIMIT,       "13(src-limit)" },
 128         { PFRES_SYNPROXY,       "14(synproxy)" },
 129 #if defined(__FreeBSD__)
 130         { PFRES_MAPFAILED,      "15(map-failed)" },
 131 #elif defined(__NetBSD__)
 132         { PFRES_STATELOCKED,    "15(state-locked)" },
 133 #elif defined(__OpenBSD__)
 134         { PFRES_TRANSLATE,      "15(translate)" },
 135         { PFRES_NOROUTE,        "16(no-route)" },
 136 #elif defined(__APPLE__)
 137         { PFRES_DUMMYNET,       "15(dummynet)" },
 138 #endif
 139         { 0,    NULL }
 140 };
 141
 142 /*
 143  * Action values.
 144  */
 145 #define PF_PASS                 0
 146 #define PF_DROP                 1
 147 #define PF_SCRUB                2
 148 #define PF_NOSCRUB              3
 149 #define PF_NAT                  4
 150 #define PF_NONAT                5
 151 #define PF_BINAT                6
 152 #define PF_NOBINAT              7
 153 #define PF_RDR                  8
 154 #define PF_NORDR                9
 155 #define PF_SYNPROXY_DROP        10
 156 #if defined(__FreeBSD__)
 157 #define PF_DEFER                11
 158 #define PF_MATCH                12
 159 #elif defined(__OpenBSD__)
 160 #define PF_DEFER                11
 161 #define PF_MATCH                12
 162 #define PF_DIVERT               13
 163 #define PF_RT                   14
 164 #define PF_AFRT                 15
 165 #elif defined(__APPLE__)
 166 #define PF_DUMMYNET             11
 167 #define PF_NODUMMYNET           12
 168 #define PF_NAT64                13
 169 #define PF_NONAT64              14
 170 #endif
 171
 172 static const struct tok pf_actions[] = {
 173         { PF_PASS,              "pass" },
 174         { PF_DROP,              "block" },
 175         { PF_SCRUB,             "scrub" },
 176         { PF_NOSCRUB,           "noscrub" },
 177         { PF_NAT,               "nat" },
 178         { PF_NONAT,             "nonat" },
 179         { PF_BINAT,             "binat" },
 180         { PF_NOBINAT,           "nobinat" },
 181         { PF_RDR,               "rdr" },
 182         { PF_NORDR,             "nordr" },
 183         { PF_SYNPROXY_DROP,     "synproxy-drop" },
 184 #if defined(__FreeBSD__)
 185         { PF_DEFER,             "defer" },
 186         { PF_MATCH,             "match" },
 187 #elif defined(__OpenBSD__)
 188         { PF_DEFER,             "defer" },
 189         { PF_MATCH,             "match" },
 190         { PF_DIVERT,            "divert" },
 191         { PF_RT,                "rt" },
 192         { PF_AFRT,              "afrt" },
 193 #elif defined(__APPLE__)
 194         { PF_DUMMYNET,          "dummynet" },
 195         { PF_NODUMMYNET,        "nodummynet" },
 196         { PF_NAT64,             "nat64" },
 197         { PF_NONAT64,           "nonat64" },
 198 #endif
 199         { 0,                    NULL }
 200 };
 201
 202 /*
 203  * Direction values.
 204  */
 205 #define PF_INOUT        0
 206 #define PF_IN           1
 207 #define PF_OUT          2
 208 #if defined(__OpenBSD__)
 209 #define PF_FWD          3
 210 #endif
 211
 212 static const struct tok pf_directions[] = {
 213         { PF_INOUT,     "in/out" },
 214         { PF_IN,        "in" },
 215         { PF_OUT,       "out" },
 216 #if defined(__OpenBSD__)
 217         { PF_FWD,       "fwd" },
 218 #endif
 219         { 0,            NULL }
 220 };
 221
 222 static void
 223 pflog_print(netdissect_options *ndo, const struct pfloghdr *hdr)
 224 {
 225         uint32_t rulenr, subrulenr;
 226
 227         ndo->ndo_protocol = "pflog";
 228         rulenr = GET_BE_U_4(hdr->rulenr);
 229         subrulenr = GET_BE_U_4(hdr->subrulenr);
 230         if (subrulenr == (uint32_t)-1)
 231                 ND_PRINT("rule %u/", rulenr);
 232         else {
 233                 ND_PRINT("rule %u.", rulenr);
 234                 nd_printjnp(ndo, (const u_char*)hdr->ruleset, PFLOG_RULESET_NAME_SIZE);
 235                 ND_PRINT(".%u/", subrulenr);
 236         }
 237
 238         ND_PRINT("%s: %s %s on ",
 239             tok2str(pf_reasons, "unkn(%u)", GET_U_1(hdr->reason)),
 240             tok2str(pf_actions, "unkn(%u)", GET_U_1(hdr->action)),
 241             tok2str(pf_directions, "unkn(%u)", GET_U_1(hdr->dir)));
 242         nd_printjnp(ndo, (const u_char*)hdr->ifname, PFLOG_IFNAMSIZ);
 243         ND_PRINT(": ");
 244 }
 245
 246 void
 247 pflog_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h,
 248                const u_char *p)
 249 {
 250         u_int length = h->len;
 251         u_int hdrlen;
 252         u_int caplen = h->caplen;
 253         const struct pfloghdr *hdr;
 254         uint8_t af;
 255
 256         ndo->ndo_protocol = "pflog";
 257         /* check length */
 258         ND_ICHECK_U(length, <, MIN_PFLOG_HDRLEN);
 259
 260         hdr = (const struct pfloghdr *)p;
 261         hdrlen = GET_U_1(hdr->length);
 262         ND_ICHECK_U(hdrlen, <, MIN_PFLOG_HDRLEN);
 263         hdrlen = roundup2(hdrlen, 4);
 264         ND_ICHECK_U(hdrlen, >, MAX_PFLOG_HDRLEN);
 265
 266         /* print what we know */
 267         ND_TCHECK_LEN(hdr, hdrlen);
 268         ndo->ndo_ll_hdr_len += hdrlen;
 269         if (ndo->ndo_eflag)
 270                 pflog_print(ndo, hdr);
 271
 272         /* skip to the real packet */
 273         af = GET_U_1(hdr->af);
 274         length -= hdrlen;
 275         caplen -= hdrlen;
 276         p += hdrlen;
 277         switch (af) {
 278
 279                 /*
 280                  * If there's a system that doesn't use the AF_INET
 281                  * from 4.2BSD, feel free to add its value to af.h
 282                  * and use it here.
 283                  *
 284                  * Hopefully, there isn't.
 285                  */
 286                 case BSD_AF_INET:
 287                         ip_print(ndo, p, length);
 288                         break;
 289
 290                 /*
 291                  * Try all AF_INET6 values for all systems with pflog,
 292                  * including Darwin.
 293                  */
 294                 case BSD_AF_INET6_BSD:
 295                 case BSD_AF_INET6_FREEBSD:
 296                 case BSD_AF_INET6_DARWIN:
 297                         ip6_print(ndo, p, length);
 298                         break;
 299
 300         default:
 301                 /* address family not handled, print raw packet */
 302                 if (!ndo->ndo_eflag)
 303                         pflog_print(ndo, hdr);
 304                 if (!ndo->ndo_suppress_default_print)
 305                         ND_DEFAULTPRINT(p, caplen);
 306         }
 307
 308         return;
 309
 310 invalid:
 311         nd_print_invalid(ndo);
 312 }