Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netpfil/ipfw/ip_fw_log.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 __FBSDID("$FreeBSD: releng/10.1/sys/netpfil/ipfw/ip_fw_log.c 255928 2013-09-28 15:49:36Z philip $"); 28 29 /* 30 * Logging support for ipfw 31 */ 32 33 #include "opt_ipfw.h" 34 #include "opt_inet.h" 35 #ifndef INET 36 #error IPFIREWALL requires INET. 37 #endif /* INET */ 38 #include "opt_inet6.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/kernel.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/syslog.h> 47 #include <sys/lock.h> 48 #include <sys/rwlock.h> 49 #include <net/ethernet.h> /* for ETHERTYPE_IP */ 50 #include <net/if.h> 51 #include <net/if_clone.h> 52 #include <net/vnet.h> 53 #include <net/if_types.h> /* for IFT_PFLOG */ 54 #include <net/bpf.h> /* for BPF */ 55 56 #include <netinet/in.h> 57 #include <netinet/ip.h> 58 #include <netinet/ip_icmp.h> 59 #include <netinet/ip_var.h> 60 #include <netinet/ip_fw.h> 61 #include <netinet/tcp_var.h> 62 #include <netinet/udp.h> 63 64 #include <netinet/ip6.h> 65 #include <netinet/icmp6.h> 66 #ifdef INET6 67 #include <netinet6/in6_var.h> /* ip6_sprintf() */ 68 #endif 69 70 #include <netpfil/ipfw/ip_fw_private.h> 71 72 #ifdef MAC 73 #include <security/mac/mac_framework.h> 74 #endif 75 76 /* 77 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T 78 * Other macros just cast void * into the appropriate type 79 */ 80 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) 81 #define TCP(p) ((struct tcphdr *)(p)) 82 #define SCTP(p) ((struct sctphdr *)(p)) 83 #define UDP(p) ((struct udphdr *)(p)) 84 #define ICMP(p) ((struct icmphdr *)(p)) 85 #define ICMP6(p) ((struct icmp6_hdr *)(p)) 86 87 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0 88 #define SNP(buf) buf, sizeof(buf) 89 90 #ifdef WITHOUT_BPF 91 void 92 ipfw_log_bpf(int onoff) 93 { 94 } 95 #else /* !WITHOUT_BPF */ 96 static struct ifnet *log_if; /* hook to attach to bpf */ 97 static struct rwlock log_if_lock; 98 #define LOGIF_LOCK_INIT(x) rw_init(&log_if_lock, "ipfw log_if lock") 99 #define LOGIF_LOCK_DESTROY(x) rw_destroy(&log_if_lock) 100 #define LOGIF_RLOCK(x) rw_rlock(&log_if_lock) 101 #define LOGIF_RUNLOCK(x) rw_runlock(&log_if_lock) 102 #define LOGIF_WLOCK(x) rw_wlock(&log_if_lock) 103 #define LOGIF_WUNLOCK(x) rw_wunlock(&log_if_lock) 104 105 static const char ipfwname[] = "ipfw"; 106 107 /* we use this dummy function for all ifnet callbacks */ 108 static int 109 log_dummy(struct ifnet *ifp, u_long cmd, caddr_t addr) 110 { 111 return EINVAL; 112 } 113 114 static int 115 ipfw_log_output(struct ifnet *ifp, struct mbuf *m, 116 const struct sockaddr *dst, struct route *ro) 117 { 118 if (m != NULL) 119 FREE_PKT(m); 120 return EINVAL; 121 } 122 123 static void 124 ipfw_log_start(struct ifnet* ifp) 125 { 126 panic("ipfw_log_start() must not be called"); 127 } 128 129 static const u_char ipfwbroadcastaddr[6] = 130 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 131 132 static int 133 ipfw_log_clone_match(struct if_clone *ifc, const char *name) 134 { 135 136 return (strncmp(name, ipfwname, sizeof(ipfwname) - 1) == 0); 137 } 138 139 static int 140 ipfw_log_clone_create(struct if_clone *ifc, char *name, size_t len, 141 caddr_t params) 142 { 143 int error; 144 int unit; 145 struct ifnet *ifp; 146 147 error = ifc_name2unit(name, &unit); 148 if (error) 149 return (error); 150 151 error = ifc_alloc_unit(ifc, &unit); 152 if (error) 153 return (error); 154 155 ifp = if_alloc(IFT_PFLOG); 156 if (ifp == NULL) { 157 ifc_free_unit(ifc, unit); 158 return (ENOSPC); 159 } 160 ifp->if_dname = ipfwname; 161 ifp->if_dunit = unit; 162 snprintf(ifp->if_xname, IFNAMSIZ, "%s%d", ipfwname, unit); 163 strlcpy(name, ifp->if_xname, len); 164 ifp->if_mtu = 65536; 165 ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; 166 ifp->if_init = (void *)log_dummy; 167 ifp->if_ioctl = log_dummy; 168 ifp->if_start = ipfw_log_start; 169 ifp->if_output = ipfw_log_output; 170 ifp->if_addrlen = 6; 171 ifp->if_hdrlen = 14; 172 ifp->if_broadcastaddr = ipfwbroadcastaddr; 173 ifp->if_baudrate = IF_Mbps(10); 174 175 LOGIF_WLOCK(); 176 if (log_if == NULL) 177 log_if = ifp; 178 else { 179 LOGIF_WUNLOCK(); 180 if_free(ifp); 181 ifc_free_unit(ifc, unit); 182 return (EEXIST); 183 } 184 LOGIF_WUNLOCK(); 185 if_attach(ifp); 186 bpfattach(ifp, DLT_EN10MB, 14); 187 188 return (0); 189 } 190 191 static int 192 ipfw_log_clone_destroy(struct if_clone *ifc, struct ifnet *ifp) 193 { 194 int unit; 195 196 if (ifp == NULL) 197 return (0); 198 199 LOGIF_WLOCK(); 200 if (log_if != NULL && ifp == log_if) 201 log_if = NULL; 202 else { 203 LOGIF_WUNLOCK(); 204 return (EINVAL); 205 } 206 LOGIF_WUNLOCK(); 207 208 unit = ifp->if_dunit; 209 bpfdetach(ifp); 210 if_detach(ifp); 211 if_free(ifp); 212 ifc_free_unit(ifc, unit); 213 214 return (0); 215 } 216 217 static struct if_clone *ipfw_log_cloner; 218 219 void 220 ipfw_log_bpf(int onoff) 221 { 222 223 if (onoff) { 224 LOGIF_LOCK_INIT(); 225 ipfw_log_cloner = if_clone_advanced(ipfwname, 0, 226 ipfw_log_clone_match, ipfw_log_clone_create, 227 ipfw_log_clone_destroy); 228 } else { 229 if_clone_detach(ipfw_log_cloner); 230 LOGIF_LOCK_DESTROY(); 231 } 232 } 233 #endif /* !WITHOUT_BPF */ 234 235 /* 236 * We enter here when we have a rule with O_LOG. 237 * XXX this function alone takes about 2Kbytes of code! 238 */ 239 void 240 ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, 241 struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, 242 struct ip *ip) 243 { 244 char *action; 245 int limit_reached = 0; 246 char action2[92], proto[128], fragment[32]; 247 248 if (V_fw_verbose == 0) { 249 #ifndef WITHOUT_BPF 250 LOGIF_RLOCK(); 251 if (log_if == NULL || log_if->if_bpf == NULL) { 252 LOGIF_RUNLOCK(); 253 return; 254 } 255 256 if (args->eh) /* layer2, use orig hdr */ 257 BPF_MTAP2(log_if, args->eh, ETHER_HDR_LEN, m); 258 else { 259 /* Add fake header. Later we will store 260 * more info in the header. 261 */ 262 if (ip->ip_v == 4) 263 BPF_MTAP2(log_if, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m); 264 else if (ip->ip_v == 6) 265 BPF_MTAP2(log_if, "DDDDDDSSSSSS\x86\xdd", ETHER_HDR_LEN, m); 266 else 267 /* Obviously bogus EtherType. */ 268 BPF_MTAP2(log_if, "DDDDDDSSSSSS\xff\xff", ETHER_HDR_LEN, m); 269 } 270 LOGIF_RUNLOCK(); 271 #endif /* !WITHOUT_BPF */ 272 return; 273 } 274 /* the old 'log' function */ 275 fragment[0] = '\0'; 276 proto[0] = '\0'; 277 278 if (f == NULL) { /* bogus pkt */ 279 if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit) 280 return; 281 V_norule_counter++; 282 if (V_norule_counter == V_verbose_limit) 283 limit_reached = V_verbose_limit; 284 action = "Refuse"; 285 } else { /* O_LOG is the first action, find the real one */ 286 ipfw_insn *cmd = ACTION_PTR(f); 287 ipfw_insn_log *l = (ipfw_insn_log *)cmd; 288 289 if (l->max_log != 0 && l->log_left == 0) 290 return; 291 l->log_left--; 292 if (l->log_left == 0) 293 limit_reached = l->max_log; 294 cmd += F_LEN(cmd); /* point to first action */ 295 if (cmd->opcode == O_ALTQ) { 296 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd; 297 298 snprintf(SNPARGS(action2, 0), "Altq %d", 299 altq->qid); 300 cmd += F_LEN(cmd); 301 } 302 if (cmd->opcode == O_PROB || cmd->opcode == O_TAG || 303 cmd->opcode == O_SETDSCP) 304 cmd += F_LEN(cmd); 305 306 action = action2; 307 switch (cmd->opcode) { 308 case O_DENY: 309 action = "Deny"; 310 break; 311 312 case O_REJECT: 313 if (cmd->arg1==ICMP_REJECT_RST) 314 action = "Reset"; 315 else if (cmd->arg1==ICMP_UNREACH_HOST) 316 action = "Reject"; 317 else 318 snprintf(SNPARGS(action2, 0), "Unreach %d", 319 cmd->arg1); 320 break; 321 322 case O_UNREACH6: 323 if (cmd->arg1==ICMP6_UNREACH_RST) 324 action = "Reset"; 325 else 326 snprintf(SNPARGS(action2, 0), "Unreach %d", 327 cmd->arg1); 328 break; 329 330 case O_ACCEPT: 331 action = "Accept"; 332 break; 333 case O_COUNT: 334 action = "Count"; 335 break; 336 case O_DIVERT: 337 snprintf(SNPARGS(action2, 0), "Divert %d", 338 cmd->arg1); 339 break; 340 case O_TEE: 341 snprintf(SNPARGS(action2, 0), "Tee %d", 342 cmd->arg1); 343 break; 344 case O_SETFIB: 345 snprintf(SNPARGS(action2, 0), "SetFib %d", 346 IP_FW_ARG_TABLEARG(cmd->arg1)); 347 break; 348 case O_SKIPTO: 349 snprintf(SNPARGS(action2, 0), "SkipTo %d", 350 IP_FW_ARG_TABLEARG(cmd->arg1)); 351 break; 352 case O_PIPE: 353 snprintf(SNPARGS(action2, 0), "Pipe %d", 354 IP_FW_ARG_TABLEARG(cmd->arg1)); 355 break; 356 case O_QUEUE: 357 snprintf(SNPARGS(action2, 0), "Queue %d", 358 IP_FW_ARG_TABLEARG(cmd->arg1)); 359 break; 360 case O_FORWARD_IP: { 361 ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd; 362 int len; 363 struct in_addr dummyaddr; 364 if (sa->sa.sin_addr.s_addr == INADDR_ANY) 365 dummyaddr.s_addr = htonl(tablearg); 366 else 367 dummyaddr.s_addr = sa->sa.sin_addr.s_addr; 368 369 len = snprintf(SNPARGS(action2, 0), "Forward to %s", 370 inet_ntoa(dummyaddr)); 371 372 if (sa->sa.sin_port) 373 snprintf(SNPARGS(action2, len), ":%d", 374 sa->sa.sin_port); 375 } 376 break; 377 #ifdef INET6 378 case O_FORWARD_IP6: { 379 char buf[INET6_ADDRSTRLEN]; 380 ipfw_insn_sa6 *sa = (ipfw_insn_sa6 *)cmd; 381 int len; 382 383 len = snprintf(SNPARGS(action2, 0), "Forward to [%s]", 384 ip6_sprintf(buf, &sa->sa.sin6_addr)); 385 386 if (sa->sa.sin6_port) 387 snprintf(SNPARGS(action2, len), ":%u", 388 sa->sa.sin6_port); 389 } 390 break; 391 #endif 392 case O_NETGRAPH: 393 snprintf(SNPARGS(action2, 0), "Netgraph %d", 394 cmd->arg1); 395 break; 396 case O_NGTEE: 397 snprintf(SNPARGS(action2, 0), "Ngtee %d", 398 cmd->arg1); 399 break; 400 case O_NAT: 401 action = "Nat"; 402 break; 403 case O_REASS: 404 action = "Reass"; 405 break; 406 case O_CALLRETURN: 407 if (cmd->len & F_NOT) 408 action = "Return"; 409 else 410 snprintf(SNPARGS(action2, 0), "Call %d", 411 cmd->arg1); 412 break; 413 default: 414 action = "UNKNOWN"; 415 break; 416 } 417 } 418 419 if (hlen == 0) { /* non-ip */ 420 snprintf(SNPARGS(proto, 0), "MAC"); 421 422 } else { 423 int len; 424 #ifdef INET6 425 char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2]; 426 #else 427 char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN]; 428 #endif 429 struct icmphdr *icmp; 430 struct tcphdr *tcp; 431 struct udphdr *udp; 432 #ifdef INET6 433 struct ip6_hdr *ip6 = NULL; 434 struct icmp6_hdr *icmp6; 435 u_short ip6f_mf; 436 #endif 437 src[0] = '\0'; 438 dst[0] = '\0'; 439 #ifdef INET6 440 ip6f_mf = offset & IP6F_MORE_FRAG; 441 offset &= IP6F_OFF_MASK; 442 443 if (IS_IP6_FLOW_ID(&(args->f_id))) { 444 char ip6buf[INET6_ADDRSTRLEN]; 445 snprintf(src, sizeof(src), "[%s]", 446 ip6_sprintf(ip6buf, &args->f_id.src_ip6)); 447 snprintf(dst, sizeof(dst), "[%s]", 448 ip6_sprintf(ip6buf, &args->f_id.dst_ip6)); 449 450 ip6 = (struct ip6_hdr *)ip; 451 tcp = (struct tcphdr *)(((char *)ip) + hlen); 452 udp = (struct udphdr *)(((char *)ip) + hlen); 453 } else 454 #endif 455 { 456 tcp = L3HDR(struct tcphdr, ip); 457 udp = L3HDR(struct udphdr, ip); 458 459 inet_ntop(AF_INET, &ip->ip_src, src, sizeof(src)); 460 inet_ntop(AF_INET, &ip->ip_dst, dst, sizeof(dst)); 461 } 462 463 switch (args->f_id.proto) { 464 case IPPROTO_TCP: 465 len = snprintf(SNPARGS(proto, 0), "TCP %s", src); 466 if (offset == 0) 467 snprintf(SNPARGS(proto, len), ":%d %s:%d", 468 ntohs(tcp->th_sport), 469 dst, 470 ntohs(tcp->th_dport)); 471 else 472 snprintf(SNPARGS(proto, len), " %s", dst); 473 break; 474 475 case IPPROTO_UDP: 476 len = snprintf(SNPARGS(proto, 0), "UDP %s", src); 477 if (offset == 0) 478 snprintf(SNPARGS(proto, len), ":%d %s:%d", 479 ntohs(udp->uh_sport), 480 dst, 481 ntohs(udp->uh_dport)); 482 else 483 snprintf(SNPARGS(proto, len), " %s", dst); 484 break; 485 486 case IPPROTO_ICMP: 487 icmp = L3HDR(struct icmphdr, ip); 488 if (offset == 0) 489 len = snprintf(SNPARGS(proto, 0), 490 "ICMP:%u.%u ", 491 icmp->icmp_type, icmp->icmp_code); 492 else 493 len = snprintf(SNPARGS(proto, 0), "ICMP "); 494 len += snprintf(SNPARGS(proto, len), "%s", src); 495 snprintf(SNPARGS(proto, len), " %s", dst); 496 break; 497 #ifdef INET6 498 case IPPROTO_ICMPV6: 499 icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen); 500 if (offset == 0) 501 len = snprintf(SNPARGS(proto, 0), 502 "ICMPv6:%u.%u ", 503 icmp6->icmp6_type, icmp6->icmp6_code); 504 else 505 len = snprintf(SNPARGS(proto, 0), "ICMPv6 "); 506 len += snprintf(SNPARGS(proto, len), "%s", src); 507 snprintf(SNPARGS(proto, len), " %s", dst); 508 break; 509 #endif 510 default: 511 len = snprintf(SNPARGS(proto, 0), "P:%d %s", 512 args->f_id.proto, src); 513 snprintf(SNPARGS(proto, len), " %s", dst); 514 break; 515 } 516 517 #ifdef INET6 518 if (IS_IP6_FLOW_ID(&(args->f_id))) { 519 if (offset & (IP6F_OFF_MASK | IP6F_MORE_FRAG)) 520 snprintf(SNPARGS(fragment, 0), 521 " (frag %08x:%d@%d%s)", 522 args->f_id.extra, 523 ntohs(ip6->ip6_plen) - hlen, 524 ntohs(offset) << 3, ip6f_mf ? "+" : ""); 525 } else 526 #endif 527 { 528 int ipoff, iplen; 529 ipoff = ntohs(ip->ip_off); 530 iplen = ntohs(ip->ip_len); 531 if (ipoff & (IP_MF | IP_OFFMASK)) 532 snprintf(SNPARGS(fragment, 0), 533 " (frag %d:%d@%d%s)", 534 ntohs(ip->ip_id), iplen - (ip->ip_hl << 2), 535 offset << 3, 536 (ipoff & IP_MF) ? "+" : ""); 537 } 538 } 539 #ifdef __FreeBSD__ 540 if (oif || m->m_pkthdr.rcvif) 541 log(LOG_SECURITY | LOG_INFO, 542 "ipfw: %d %s %s %s via %s%s\n", 543 f ? f->rulenum : -1, 544 action, proto, oif ? "out" : "in", 545 oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname, 546 fragment); 547 else 548 #endif 549 log(LOG_SECURITY | LOG_INFO, 550 "ipfw: %d %s %s [no if info]%s\n", 551 f ? f->rulenum : -1, 552 action, proto, fragment); 553 if (limit_reached) 554 log(LOG_SECURITY | LOG_NOTICE, 555 "ipfw: limit %d reached on entry %d\n", 556 limit_reached, f ? f->rulenum : -1); 557 } 558 /* end of file */
Cache object: 3d40c2525edb13b58991a88f2a26e0fa
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]