tcpdump mailing list archives
[patch] Teach tcpdump to recognize new OpenBSD pflog packets
From: Eygene Ryabinkin <rea-tcpdump () codelabs ru>
Date: Mon, 24 Sep 2007 22:25:47 +0400
Good day. OpenBSD 4.1 introduced an incompatible change to their pflog device packet header: some fields were stuffed into the 'struct pfloghdr' between 'subrulenr' and 'dir': http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h.diff?r1=1.11&r2=1.12 This broke tcpdump's ability to display the proper direction field for the pflog interfaces. The following patch corrects the situation. It was made and tested on FreeBSD 6.2-STABLE and 7-CURRENT for the system's tcpdump (3.9.4 with some FreeBSD changes) and for the 3.9.7 on FreeBSD 7-CURRENT and 6.2-STABLE. The problem was verified on the FreeBSD 7-CURRENT for the system's 3.9.4 and 3.9.7. There is FreeBSD problem report that discuisses the patch, http://www.freebsd.org/cgi/query-pr.cgi?pr=116610 The patch itself (needs patch -p2): ----- --- contrib/tcpdump/pf.h.orig 2007-09-24 19:59:29.000000000 +0400 +++ contrib/tcpdump/pf.h 2007-09-24 20:31:40.000000000 +0400 @@ -29,6 +29,9 @@ * @(#) $Header: /tcpdump/master/tcpdump/pf.h,v 1.2 2004/04/02 06:36:25 guy Exp $ (LBL) */ +/* We need offsetof() macro */ +#include <stddef.h> + /* from $OpenBSD: pfvar.h,v 1.170 2003/08/22 21:50:34 david Exp $ */ enum { PF_INOUT=0, PF_IN=1, PF_OUT=2 }; @@ -75,3 +78,23 @@ u_int8_t pad[3]; }; #define PFLOG_HDRLEN sizeof(struct pfloghdr) + +/* from $OpenBSD: if_pflog.h,v 1.14 2006/10/25 11:27:01 henning Exp $ */ + +struct pfloghdr_v2 { + u_int8_t length; + sa_family_t af; + u_int8_t action; + u_int8_t reason; + char ifname[IFNAMSIZ]; + char ruleset[PF_RULESET_NAME_SIZE]; + u_int32_t rulenr; + u_int32_t subrulenr; + uid_t uid; + pid_t pid; + uid_t rule_uid; + pid_t rule_pid; + u_int8_t dir; + u_int8_t pad[3]; +}; +#define PFLOG_HDRV2_LEN offsetof(struct pfloghdr_v2, pad) --- contrib/tcpdump/print-pflog.c.orig 2007-09-24 19:10:09.000000000 +0400 +++ contrib/tcpdump/print-pflog.c 2007-09-24 20:30:36.000000000 +0400 @@ -72,25 +72,43 @@ #define OPENBSD_AF_INET 2 #define OPENBSD_AF_INET6 24 +#define __PFLOG_PRINT_HDR(hdr) \ +do { \ + u_int32_t rulenr, subrulenr; \ + \ + rulenr = ntohl((hdr)->rulenr); \ + subrulenr = ntohl((hdr)->subrulenr); \ + if (subrulenr == (u_int32_t)-1) \ + printf("rule %u/", rulenr); \ + else \ + printf("rule %u.%s.%u/", rulenr, (hdr)->ruleset, \ + subrulenr); \ + \ + printf("%s: %s %s on %s: ", \ + tok2str(pf_reasons, "unkn(%u)", (hdr)->reason), \ + tok2str(pf_actions, "unkn(%u)", (hdr)->action), \ + tok2str(pf_directions, "unkn(%u)", (hdr)->dir), \ + (hdr)->ifname); \ +} while (0) + static void pflog_print(const struct pfloghdr *hdr) { - u_int32_t rulenr, subrulenr; + u_int8_t hdr_version; + struct pfloghdr_v2 *v2hdr; - rulenr = ntohl(hdr->rulenr); - subrulenr = ntohl(hdr->subrulenr); - if (subrulenr == (u_int32_t)-1) - printf("rule %u/", rulenr); - else - printf("rule %u.%s.%u/", rulenr, hdr->ruleset, subrulenr); - - printf("%s: %s %s on %s: ", - tok2str(pf_reasons, "unkn(%u)", hdr->reason), - tok2str(pf_actions, "unkn(%u)", hdr->action), - tok2str(pf_directions, "unkn(%u)", hdr->dir), - hdr->ifname); + if (hdr->length == PFLOG_HDRV2_LEN) { + hdr_version = 2; + v2hdr = (struct pfloghdr_v2 *)hdr; + __PFLOG_PRINT_HDR(v2hdr); + } else { + hdr_version = 1; + __PFLOG_PRINT_HDR(hdr); + } } +#undef __PFLOG_PRINT_HDR + u_int pflog_if_print(const struct pcap_pkthdr *h, register const u_char *p) { ----- Comments and suggestions are welcome! -- Eygene - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- [patch] Teach tcpdump to recognize new OpenBSD pflog packets Eygene Ryabinkin (Sep 24)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Guy Harris (Sep 24)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Eygene Ryabinkin (Sep 24)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Max Laier (Sep 27)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Gert Doering (Sep 28)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Eygene Ryabinkin (Sep 24)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Guy Harris (Sep 24)