1 /*-
2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 */
25
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD: releng/10.1/sys/netpfil/ipfw/ip_fw_log.c 255928 2013-09-28 15:49:36Z philip $");
28
29 /*
30 * Logging support for ipfw
31 */
32
33 #include "opt_ipfw.h"
34 #include "opt_inet.h"
35 #ifndef INET
36 #error IPFIREWALL requires INET.
37 #endif /* INET */
38 #include "opt_inet6.h"
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/mbuf.h>
43 #include <sys/kernel.h>
44 #include <sys/socket.h>
45 #include <sys/sysctl.h>
46 #include <sys/syslog.h>
47 #include <sys/lock.h>
48 #include <sys/rwlock.h>
49 #include <net/ethernet.h> /* for ETHERTYPE_IP */
50 #include <net/if.h>
51 #include <net/if_clone.h>
52 #include <net/vnet.h>
53 #include <net/if_types.h> /* for IFT_PFLOG */
54 #include <net/bpf.h> /* for BPF */
55
56 #include <netinet/in.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_icmp.h>
59 #include <netinet/ip_var.h>
60 #include <netinet/ip_fw.h>
61 #include <netinet/tcp_var.h>
62 #include <netinet/udp.h>
63
64 #include <netinet/ip6.h>
65 #include <netinet/icmp6.h>
66 #ifdef INET6
67 #include <netinet6/in6_var.h> /* ip6_sprintf() */
68 #endif
69
70 #include <netpfil/ipfw/ip_fw_private.h>
71
72 #ifdef MAC
73 #include <security/mac/mac_framework.h>
74 #endif
75
76 /*
77 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
78 * Other macros just cast void * into the appropriate type
79 */
80 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
81 #define TCP(p) ((struct tcphdr *)(p))
82 #define SCTP(p) ((struct sctphdr *)(p))
83 #define UDP(p) ((struct udphdr *)(p))
84 #define ICMP(p) ((struct icmphdr *)(p))
85 #define ICMP6(p) ((struct icmp6_hdr *)(p))
86
87 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
88 #define SNP(buf) buf, sizeof(buf)
89
90 #ifdef WITHOUT_BPF
91 void
92 ipfw_log_bpf(int onoff)
93 {
94 }
95 #else /* !WITHOUT_BPF */
96 static struct ifnet *log_if; /* hook to attach to bpf */
97 static struct rwlock log_if_lock;
98 #define LOGIF_LOCK_INIT(x) rw_init(&log_if_lock, "ipfw log_if lock")
99 #define LOGIF_LOCK_DESTROY(x) rw_destroy(&log_if_lock)
100 #define LOGIF_RLOCK(x) rw_rlock(&log_if_lock)
101 #define LOGIF_RUNLOCK(x) rw_runlock(&log_if_lock)
102 #define LOGIF_WLOCK(x) rw_wlock(&log_if_lock)
103 #define LOGIF_WUNLOCK(x) rw_wunlock(&log_if_lock)
104
105 static const char ipfwname[] = "ipfw";
106
107 /* we use this dummy function for all ifnet callbacks */
108 static int
109 log_dummy(struct ifnet *ifp, u_long cmd, caddr_t addr)
110 {
111 return EINVAL;
112 }
113
114 static int
115 ipfw_log_output(struct ifnet *ifp, struct mbuf *m,
116 const struct sockaddr *dst, struct route *ro)
117 {
118 if (m != NULL)
119 FREE_PKT(m);
120 return EINVAL;
121 }
122
123 static void
124 ipfw_log_start(struct ifnet* ifp)
125 {
126 panic("ipfw_log_start() must not be called");
127 }
128
129 static const u_char ipfwbroadcastaddr[6] =
130 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
131
132 static int
133 ipfw_log_clone_match(struct if_clone *ifc, const char *name)
134 {
135
136 return (strncmp(name, ipfwname, sizeof(ipfwname) - 1) == 0);
137 }
138
139 static int
140 ipfw_log_clone_create(struct if_clone *ifc, char *name, size_t len,
141 caddr_t params)
142 {
143 int error;
144 int unit;
145 struct ifnet *ifp;
146
147 error = ifc_name2unit(name, &unit);
148 if (error)
149 return (error);
150
151 error = ifc_alloc_unit(ifc, &unit);
152 if (error)
153 return (error);
154
155 ifp = if_alloc(IFT_PFLOG);
156 if (ifp == NULL) {
157 ifc_free_unit(ifc, unit);
158 return (ENOSPC);
159 }
160 ifp->if_dname = ipfwname;
161 ifp->if_dunit = unit;
162 snprintf(ifp->if_xname, IFNAMSIZ, "%s%d", ipfwname, unit);
163 strlcpy(name, ifp->if_xname, len);
164 ifp->if_mtu = 65536;
165 ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST;
166 ifp->if_init = (void *)log_dummy;
167 ifp->if_ioctl = log_dummy;
168 ifp->if_start = ipfw_log_start;
169 ifp->if_output = ipfw_log_output;
170 ifp->if_addrlen = 6;
171 ifp->if_hdrlen = 14;
172 ifp->if_broadcastaddr = ipfwbroadcastaddr;
173 ifp->if_baudrate = IF_Mbps(10);
174
175 LOGIF_WLOCK();
176 if (log_if == NULL)
177 log_if = ifp;
178 else {
179 LOGIF_WUNLOCK();
180 if_free(ifp);
181 ifc_free_unit(ifc, unit);
182 return (EEXIST);
183 }
184 LOGIF_WUNLOCK();
185 if_attach(ifp);
186 bpfattach(ifp, DLT_EN10MB, 14);
187
188 return (0);
189 }
190
191 static int
192 ipfw_log_clone_destroy(struct if_clone *ifc, struct ifnet *ifp)
193 {
194 int unit;
195
196 if (ifp == NULL)
197 return (0);
198
199 LOGIF_WLOCK();
200 if (log_if != NULL && ifp == log_if)
201 log_if = NULL;
202 else {
203 LOGIF_WUNLOCK();
204 return (EINVAL);
205 }
206 LOGIF_WUNLOCK();
207
208 unit = ifp->if_dunit;
209 bpfdetach(ifp);
210 if_detach(ifp);
211 if_free(ifp);
212 ifc_free_unit(ifc, unit);
213
214 return (0);
215 }
216
217 static struct if_clone *ipfw_log_cloner;
218
219 void
220 ipfw_log_bpf(int onoff)
221 {
222
223 if (onoff) {
224 LOGIF_LOCK_INIT();
225 ipfw_log_cloner = if_clone_advanced(ipfwname, 0,
226 ipfw_log_clone_match, ipfw_log_clone_create,
227 ipfw_log_clone_destroy);
228 } else {
229 if_clone_detach(ipfw_log_cloner);
230 LOGIF_LOCK_DESTROY();
231 }
232 }
233 #endif /* !WITHOUT_BPF */
234
235 /*
236 * We enter here when we have a rule with O_LOG.
237 * XXX this function alone takes about 2Kbytes of code!
238 */
239 void
240 ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args,
241 struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg,
242 struct ip *ip)
243 {
244 char *action;
245 int limit_reached = 0;
246 char action2[92], proto[128], fragment[32];
247
248 if (V_fw_verbose == 0) {
249 #ifndef WITHOUT_BPF
250 LOGIF_RLOCK();
251 if (log_if == NULL || log_if->if_bpf == NULL) {
252 LOGIF_RUNLOCK();
253 return;
254 }
255
256 if (args->eh) /* layer2, use orig hdr */
257 BPF_MTAP2(log_if, args->eh, ETHER_HDR_LEN, m);
258 else {
259 /* Add fake header. Later we will store
260 * more info in the header.
261 */
262 if (ip->ip_v == 4)
263 BPF_MTAP2(log_if, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m);
264 else if (ip->ip_v == 6)
265 BPF_MTAP2(log_if, "DDDDDDSSSSSS\x86\xdd", ETHER_HDR_LEN, m);
266 else
267 /* Obviously bogus EtherType. */
268 BPF_MTAP2(log_if, "DDDDDDSSSSSS\xff\xff", ETHER_HDR_LEN, m);
269 }
270 LOGIF_RUNLOCK();
271 #endif /* !WITHOUT_BPF */
272 return;
273 }
274 /* the old 'log' function */
275 fragment[0] = '\0';
276 proto[0] = '\0';
277
278 if (f == NULL) { /* bogus pkt */
279 if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit)
280 return;
281 V_norule_counter++;
282 if (V_norule_counter == V_verbose_limit)
283 limit_reached = V_verbose_limit;
284 action = "Refuse";
285 } else { /* O_LOG is the first action, find the real one */
286 ipfw_insn *cmd = ACTION_PTR(f);
287 ipfw_insn_log *l = (ipfw_insn_log *)cmd;
288
289 if (l->max_log != 0 && l->log_left == 0)
290 return;
291 l->log_left--;
292 if (l->log_left == 0)
293 limit_reached = l->max_log;
294 cmd += F_LEN(cmd); /* point to first action */
295 if (cmd->opcode == O_ALTQ) {
296 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
297
298 snprintf(SNPARGS(action2, 0), "Altq %d",
299 altq->qid);
300 cmd += F_LEN(cmd);
301 }
302 if (cmd->opcode == O_PROB || cmd->opcode == O_TAG ||
303 cmd->opcode == O_SETDSCP)
304 cmd += F_LEN(cmd);
305
306 action = action2;
307 switch (cmd->opcode) {
308 case O_DENY:
309 action = "Deny";
310 break;
311
312 case O_REJECT:
313 if (cmd->arg1==ICMP_REJECT_RST)
314 action = "Reset";
315 else if (cmd->arg1==ICMP_UNREACH_HOST)
316 action = "Reject";
317 else
318 snprintf(SNPARGS(action2, 0), "Unreach %d",
319 cmd->arg1);
320 break;
321
322 case O_UNREACH6:
323 if (cmd->arg1==ICMP6_UNREACH_RST)
324 action = "Reset";
325 else
326 snprintf(SNPARGS(action2, 0), "Unreach %d",
327 cmd->arg1);
328 break;
329
330 case O_ACCEPT:
331 action = "Accept";
332 break;
333 case O_COUNT:
334 action = "Count";
335 break;
336 case O_DIVERT:
337 snprintf(SNPARGS(action2, 0), "Divert %d",
338 cmd->arg1);
339 break;
340 case O_TEE:
341 snprintf(SNPARGS(action2, 0), "Tee %d",
342 cmd->arg1);
343 break;
344 case O_SETFIB:
345 snprintf(SNPARGS(action2, 0), "SetFib %d",
346 IP_FW_ARG_TABLEARG(cmd->arg1));
347 break;
348 case O_SKIPTO:
349 snprintf(SNPARGS(action2, 0), "SkipTo %d",
350 IP_FW_ARG_TABLEARG(cmd->arg1));
351 break;
352 case O_PIPE:
353 snprintf(SNPARGS(action2, 0), "Pipe %d",
354 IP_FW_ARG_TABLEARG(cmd->arg1));
355 break;
356 case O_QUEUE:
357 snprintf(SNPARGS(action2, 0), "Queue %d",
358 IP_FW_ARG_TABLEARG(cmd->arg1));
359 break;
360 case O_FORWARD_IP: {
361 ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd;
362 int len;
363 struct in_addr dummyaddr;
364 if (sa->sa.sin_addr.s_addr == INADDR_ANY)
365 dummyaddr.s_addr = htonl(tablearg);
366 else
367 dummyaddr.s_addr = sa->sa.sin_addr.s_addr;
368
369 len = snprintf(SNPARGS(action2, 0), "Forward to %s",
370 inet_ntoa(dummyaddr));
371
372 if (sa->sa.sin_port)
373 snprintf(SNPARGS(action2, len), ":%d",
374 sa->sa.sin_port);
375 }
376 break;
377 #ifdef INET6
378 case O_FORWARD_IP6: {
379 char buf[INET6_ADDRSTRLEN];
380 ipfw_insn_sa6 *sa = (ipfw_insn_sa6 *)cmd;
381 int len;
382
383 len = snprintf(SNPARGS(action2, 0), "Forward to [%s]",
384 ip6_sprintf(buf, &sa->sa.sin6_addr));
385
386 if (sa->sa.sin6_port)
387 snprintf(SNPARGS(action2, len), ":%u",
388 sa->sa.sin6_port);
389 }
390 break;
391 #endif
392 case O_NETGRAPH:
393 snprintf(SNPARGS(action2, 0), "Netgraph %d",
394 cmd->arg1);
395 break;
396 case O_NGTEE:
397 snprintf(SNPARGS(action2, 0), "Ngtee %d",
398 cmd->arg1);
399 break;
400 case O_NAT:
401 action = "Nat";
402 break;
403 case O_REASS:
404 action = "Reass";
405 break;
406 case O_CALLRETURN:
407 if (cmd->len & F_NOT)
408 action = "Return";
409 else
410 snprintf(SNPARGS(action2, 0), "Call %d",
411 cmd->arg1);
412 break;
413 default:
414 action = "UNKNOWN";
415 break;
416 }
417 }
418
419 if (hlen == 0) { /* non-ip */
420 snprintf(SNPARGS(proto, 0), "MAC");
421
422 } else {
423 int len;
424 #ifdef INET6
425 char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2];
426 #else
427 char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
428 #endif
429 struct icmphdr *icmp;
430 struct tcphdr *tcp;
431 struct udphdr *udp;
432 #ifdef INET6
433 struct ip6_hdr *ip6 = NULL;
434 struct icmp6_hdr *icmp6;
435 u_short ip6f_mf;
436 #endif
437 src[0] = '\0';
438 dst[0] = '\0';
439 #ifdef INET6
440 ip6f_mf = offset & IP6F_MORE_FRAG;
441 offset &= IP6F_OFF_MASK;
442
443 if (IS_IP6_FLOW_ID(&(args->f_id))) {
444 char ip6buf[INET6_ADDRSTRLEN];
445 snprintf(src, sizeof(src), "[%s]",
446 ip6_sprintf(ip6buf, &args->f_id.src_ip6));
447 snprintf(dst, sizeof(dst), "[%s]",
448 ip6_sprintf(ip6buf, &args->f_id.dst_ip6));
449
450 ip6 = (struct ip6_hdr *)ip;
451 tcp = (struct tcphdr *)(((char *)ip) + hlen);
452 udp = (struct udphdr *)(((char *)ip) + hlen);
453 } else
454 #endif
455 {
456 tcp = L3HDR(struct tcphdr, ip);
457 udp = L3HDR(struct udphdr, ip);
458
459 inet_ntop(AF_INET, &ip->ip_src, src, sizeof(src));
460 inet_ntop(AF_INET, &ip->ip_dst, dst, sizeof(dst));
461 }
462
463 switch (args->f_id.proto) {
464 case IPPROTO_TCP:
465 len = snprintf(SNPARGS(proto, 0), "TCP %s", src);
466 if (offset == 0)
467 snprintf(SNPARGS(proto, len), ":%d %s:%d",
468 ntohs(tcp->th_sport),
469 dst,
470 ntohs(tcp->th_dport));
471 else
472 snprintf(SNPARGS(proto, len), " %s", dst);
473 break;
474
475 case IPPROTO_UDP:
476 len = snprintf(SNPARGS(proto, 0), "UDP %s", src);
477 if (offset == 0)
478 snprintf(SNPARGS(proto, len), ":%d %s:%d",
479 ntohs(udp->uh_sport),
480 dst,
481 ntohs(udp->uh_dport));
482 else
483 snprintf(SNPARGS(proto, len), " %s", dst);
484 break;
485
486 case IPPROTO_ICMP:
487 icmp = L3HDR(struct icmphdr, ip);
488 if (offset == 0)
489 len = snprintf(SNPARGS(proto, 0),
490 "ICMP:%u.%u ",
491 icmp->icmp_type, icmp->icmp_code);
492 else
493 len = snprintf(SNPARGS(proto, 0), "ICMP ");
494 len += snprintf(SNPARGS(proto, len), "%s", src);
495 snprintf(SNPARGS(proto, len), " %s", dst);
496 break;
497 #ifdef INET6
498 case IPPROTO_ICMPV6:
499 icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen);
500 if (offset == 0)
501 len = snprintf(SNPARGS(proto, 0),
502 "ICMPv6:%u.%u ",
503 icmp6->icmp6_type, icmp6->icmp6_code);
504 else
505 len = snprintf(SNPARGS(proto, 0), "ICMPv6 ");
506 len += snprintf(SNPARGS(proto, len), "%s", src);
507 snprintf(SNPARGS(proto, len), " %s", dst);
508 break;
509 #endif
510 default:
511 len = snprintf(SNPARGS(proto, 0), "P:%d %s",
512 args->f_id.proto, src);
513 snprintf(SNPARGS(proto, len), " %s", dst);
514 break;
515 }
516
517 #ifdef INET6
518 if (IS_IP6_FLOW_ID(&(args->f_id))) {
519 if (offset & (IP6F_OFF_MASK | IP6F_MORE_FRAG))
520 snprintf(SNPARGS(fragment, 0),
521 " (frag %08x:%d@%d%s)",
522 args->f_id.extra,
523 ntohs(ip6->ip6_plen) - hlen,
524 ntohs(offset) << 3, ip6f_mf ? "+" : "");
525 } else
526 #endif
527 {
528 int ipoff, iplen;
529 ipoff = ntohs(ip->ip_off);
530 iplen = ntohs(ip->ip_len);
531 if (ipoff & (IP_MF | IP_OFFMASK))
532 snprintf(SNPARGS(fragment, 0),
533 " (frag %d:%d@%d%s)",
534 ntohs(ip->ip_id), iplen - (ip->ip_hl << 2),
535 offset << 3,
536 (ipoff & IP_MF) ? "+" : "");
537 }
538 }
539 #ifdef __FreeBSD__
540 if (oif || m->m_pkthdr.rcvif)
541 log(LOG_SECURITY | LOG_INFO,
542 "ipfw: %d %s %s %s via %s%s\n",
543 f ? f->rulenum : -1,
544 action, proto, oif ? "out" : "in",
545 oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname,
546 fragment);
547 else
548 #endif
549 log(LOG_SECURITY | LOG_INFO,
550 "ipfw: %d %s %s [no if info]%s\n",
551 f ? f->rulenum : -1,
552 action, proto, fragment);
553 if (limit_reached)
554 log(LOG_SECURITY | LOG_NOTICE,
555 "ipfw: limit %d reached on entry %d\n",
556 limit_reached, f ? f->rulenum : -1);
557 }
558 /* end of file */
Cache object: 3d40c2525edb13b58991a88f2a26e0fa
|