FreeBSD/Linux Kernel Cross Reference
sys/net/if_pflog.c
1 /* $OpenBSD: if_pflog.c,v 1.97 2021/01/20 23:25:19 bluhm Exp $ */
2 /*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
6 *
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8 * in November 1995.
9 *
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
12 *
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14 * and Niels Provos.
15 *
16 * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
17 * and Niels Provos.
18 * Copyright (c) 2001, Angelos D. Keromytis, Niels Provos.
19 * Copyright (c) 2002 - 2010 Henning Brauer
20 *
21 * Permission to use, copy, and modify this software with or without fee
22 * is hereby granted, provided that this entire notice is included in
23 * all copies of any software which is or includes a copy or
24 * modification of this software.
25 * You may use this code under the GNU public license if you so wish. Please
26 * contribute changes back to the authors under this freer than GPL license
27 * so that we may further the use of strong encryption without limitations to
28 * all.
29 *
30 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
31 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
32 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
33 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
34 * PURPOSE.
35 */
36
37 #include "bpfilter.h"
38 #include "pflog.h"
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/mbuf.h>
43 #include <sys/proc.h>
44 #include <sys/socket.h>
45 #include <sys/stdint.h>
46 #include <sys/ioctl.h>
47
48 #include <net/if.h>
49 #include <net/if_var.h>
50 #include <net/if_types.h>
51 #if NBPFILTER > 0
52 #include <net/bpf.h>
53 #endif
54
55 #include <netinet/in.h>
56 #include <netinet/ip.h>
57 #include <netinet/ip_icmp.h>
58 #include <netinet/tcp.h>
59 #include <netinet/udp.h>
60
61 #ifdef INET6
62 #include <netinet/ip6.h>
63 #include <netinet/icmp6.h>
64 #endif /* INET6 */
65
66 #include <net/pfvar.h>
67 #include <net/pfvar_priv.h>
68 #include <net/if_pflog.h>
69
70 #define PFLOGMTU (32768 + MHLEN + MLEN)
71
72 #ifdef PFLOGDEBUG
73 #define DPRINTF(x) do { if (pflogdebug) printf x ; } while (0)
74 #else
75 #define DPRINTF(x)
76 #endif
77
78 void pflogattach(int);
79 int pflogoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
80 struct rtentry *);
81 int pflogioctl(struct ifnet *, u_long, caddr_t);
82 int pflog_clone_create(struct if_clone *, int);
83 int pflog_clone_destroy(struct ifnet *);
84 struct pflog_softc *pflog_getif(int);
85
86 struct if_clone pflog_cloner =
87 IF_CLONE_INITIALIZER("pflog", pflog_clone_create, pflog_clone_destroy);
88
89 LIST_HEAD(, pflog_softc) pflog_ifs = LIST_HEAD_INITIALIZER(pflog_ifs);
90
91 void
92 pflogattach(int npflog)
93 {
94 if_clone_attach(&pflog_cloner);
95 }
96
97 int
98 pflog_clone_create(struct if_clone *ifc, int unit)
99 {
100 struct ifnet *ifp;
101 struct pflog_softc *pflogif;
102
103 pflogif = malloc(sizeof(*pflogif), M_DEVBUF, M_WAITOK|M_ZERO);
104 pflogif->sc_unit = unit;
105 ifp = &pflogif->sc_if;
106 snprintf(ifp->if_xname, sizeof ifp->if_xname, "pflog%d", unit);
107 ifp->if_softc = pflogif;
108 ifp->if_mtu = PFLOGMTU;
109 ifp->if_ioctl = pflogioctl;
110 ifp->if_output = pflogoutput;
111 ifp->if_xflags = IFXF_CLONED;
112 ifp->if_type = IFT_PFLOG;
113 ifp->if_hdrlen = PFLOG_HDRLEN;
114 if_attach(ifp);
115 if_alloc_sadl(ifp);
116
117 #if NBPFILTER > 0
118 bpfattach(&pflogif->sc_if.if_bpf, ifp, DLT_PFLOG, PFLOG_HDRLEN);
119 #endif
120
121 NET_LOCK();
122 LIST_INSERT_HEAD(&pflog_ifs, pflogif, sc_entry);
123 NET_UNLOCK();
124
125 return (0);
126 }
127
128 int
129 pflog_clone_destroy(struct ifnet *ifp)
130 {
131 struct pflog_softc *pflogif = ifp->if_softc;
132
133 NET_LOCK();
134 LIST_REMOVE(pflogif, sc_entry);
135 NET_UNLOCK();
136
137 if_detach(ifp);
138 free(pflogif, M_DEVBUF, sizeof(*pflogif));
139
140 return (0);
141 }
142
143 int
144 pflogoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
145 struct rtentry *rt)
146 {
147 m_freem(m); /* drop packet */
148 return (EAFNOSUPPORT);
149 }
150
151 int
152 pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
153 {
154 switch (cmd) {
155 case SIOCSIFFLAGS:
156 if (ifp->if_flags & IFF_UP)
157 ifp->if_flags |= IFF_RUNNING;
158 else
159 ifp->if_flags &= ~IFF_RUNNING;
160 break;
161 default:
162 return (ENOTTY);
163 }
164
165 return (0);
166 }
167
168 struct pflog_softc *
169 pflog_getif(int unit)
170 {
171 struct pflog_softc *pflogif;
172
173 NET_ASSERT_LOCKED();
174
175 LIST_FOREACH(pflogif, &pflog_ifs, sc_entry) {
176 if (pflogif->sc_unit == unit)
177 break;
178 }
179
180 return pflogif;
181 }
182
183 int
184 pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
185 struct pf_rule *am, struct pf_ruleset *ruleset, struct pf_rule *trigger)
186 {
187 #if NBPFILTER > 0
188 struct pflog_softc *pflogif;
189 struct ifnet *ifn;
190 caddr_t if_bpf;
191 struct pfloghdr hdr;
192
193 if (rm == NULL || pd == NULL || pd->kif == NULL || pd->m == NULL)
194 return (-1);
195 if (trigger == NULL)
196 trigger = rm;
197 pflogif = pflog_getif(trigger->logif);
198 if (pflogif == NULL)
199 return (0);
200 ifn = &pflogif->sc_if;
201 if_bpf = ifn->if_bpf;
202 if (!if_bpf)
203 return (0);
204
205 bzero(&hdr, sizeof(hdr));
206 hdr.length = PFLOG_REAL_HDRLEN;
207 hdr.action = rm->action;
208 hdr.reason = reason;
209 memcpy(hdr.ifname, pd->kif->pfik_name, sizeof(hdr.ifname));
210
211 if (am == NULL) {
212 hdr.rulenr = htonl(rm->nr);
213 hdr.subrulenr = -1;
214 } else {
215 hdr.rulenr = htonl(am->nr);
216 hdr.subrulenr = htonl(rm->nr);
217 if (ruleset != NULL && ruleset->anchor != NULL)
218 strlcpy(hdr.ruleset, ruleset->anchor->name,
219 sizeof(hdr.ruleset));
220 }
221 if (trigger->log & PF_LOG_USER && !pd->lookup.done)
222 pd->lookup.done = pf_socket_lookup(pd);
223 if (trigger->log & PF_LOG_USER && pd->lookup.done > 0) {
224 hdr.uid = pd->lookup.uid;
225 hdr.pid = pd->lookup.pid;
226 } else {
227 hdr.uid = -1;
228 hdr.pid = NO_PID;
229 }
230 hdr.rule_uid = rm->cuid;
231 hdr.rule_pid = rm->cpid;
232 hdr.dir = pd->dir;
233 hdr.af = pd->af;
234
235 if (pd->src != NULL && pd->dst != NULL) {
236 if (pd->af != pd->naf ||
237 pf_addr_compare(pd->src, &pd->nsaddr, pd->naf) != 0 ||
238 pf_addr_compare(pd->dst, &pd->ndaddr, pd->naf) != 0 ||
239 pd->osport != pd->nsport ||
240 pd->odport != pd->ndport) {
241 hdr.rewritten = 1;
242 }
243 }
244 hdr.naf = pd->naf;
245 pf_addrcpy(&hdr.saddr, &pd->nsaddr, pd->naf);
246 pf_addrcpy(&hdr.daddr, &pd->ndaddr, pd->naf);
247 hdr.sport = pd->nsport;
248 hdr.dport = pd->ndport;
249
250 ifn->if_opackets++;
251 ifn->if_obytes += pd->m->m_pkthdr.len;
252
253 bpf_mtap_hdr(if_bpf, &hdr, sizeof(hdr), pd->m, BPF_DIRECTION_OUT);
254 #endif
255
256 return (0);
257 }
Cache object: 03ebdf41031fa63fb523934853d29c21
|