authorNiels Provos <provos@cvs.openbsd.org>2001-06-26 19:01:56 +0000
committerNiels Provos <provos@cvs.openbsd.org>2001-06-26 19:01:56 +0000
commit7a7cf35debfee9134589786db7c1a67edf079cfd (patch)
tree0b9d6a32450a63e04b82bf7fc323f626cef5d11a
parent6d94cf6e02dda5a15ba6645de3ec6fcd9ec4f399 (diff)
use reasons in pull_hdr, default log if pull_hdr fails. okay deraadt@
-rw-r--r--sys/net/if_pflog.h4
-rw-r--r--sys/net/pf.c62
-rw-r--r--sys/net/pfvar.h5
3 files changed, 45 insertions, 26 deletions
diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 3cb7f7ff346..b454c0ba427 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.h,v 1.3 2001/06/26 15:33:00 provos Exp $ */
+/* $OpenBSD: if_pflog.h,v 1.4 2001/06/26 19:01:54 provos Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -43,7 +43,7 @@ struct pflog_softc {
struct pfloghdr {
u_int32_t af;
char ifname[IFNAMSIZ];
- u_short rnr;
+ short rnr;
u_short reason;
u_short action;
u_short dir;
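Review bot: The field becomes signed so that a negative rule number can be carried, but nothing in the header says what a negative value means; the only producer visible in this commit is pf_test, which passes -1 when pull_hdr fails before any rule was consulted. Since pfloghdr is what pflog consumers read off the BPF tap, document the sentinel at the field: `short rnr; /* rule number, or -1 when no rule was evaluated */`. The change keeps sizeof the struct the same (u_short and short are both 16 bits), so the on-wire layout is unaffected. struct pfloghdr continues past this hunk.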
diff --git a/sys/net/pf.c b/sys/net/pf.c
index b714244c30d..9b3dba83ce2 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.55 2001/06/26 18:17:53 deraadt Exp $ */
+/* $OpenBSD: pf.c,v 1.56 2001/06/26 19:01:55 provos Exp $ */
/*
* Copyright (c) 2001, Daniel Hartmeier
@@ -161,8 +161,8 @@ struct pf_state *pf_test_state_udp(int, struct ifnet *, struct mbuf *,
struct pf_state *pf_test_state_icmp(int, struct ifnet *, struct mbuf *,
int, int, struct ip *, struct icmp *);
void *pull_hdr(struct ifnet *, struct mbuf *, int, int, void *, int,
- struct ip *, int *);
-int pflog_packet(struct mbuf *, int, u_short, u_short, u_short,
+ struct ip *, u_short *, u_short *);
+int pflog_packet(struct mbuf *, int, u_short, u_short, short,
struct pf_rule *);
#if NPFLOG > 0
@@ -356,7 +356,7 @@ tree_remove(struct pf_tree_node **p, struct pf_tree_key *key)
int
pflog_packet(struct mbuf *m, int af, u_short dir, u_short reason,
- u_short nr, struct pf_rule *rm)
+ short nr, struct pf_rule *rm)
{
#if NBPFILTER > 0
struct ifnet *ifn, *ifp = NULL;
@@ -1863,10 +1863,10 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
struct ip h2;
int ipoff2;
int off2;
- int dummy;
ipoff2 = off + 8; /* offset of h2 in mbuf chain */
- if (!pull_hdr(ifp, m, 0, ipoff2, &h2, sizeof(h2), h, &dummy)) {
+ if (!pull_hdr(ifp, m, 0, ipoff2, &h2, sizeof(h2), h,
+ NULL, NULL)) {
printf("pf: ICMP error message too short\n");
return (NULL);
}
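Review bot: pf_test_state_icmp passes NULL for both action and reason here and at the two later pull_hdr calls (L78, L86), so every failure — bad offset, a following fragment, short data — collapses into the one "ICMP error message too short" printf, and the passed-later-fragment case (where pull_hdr reports PF_PASS) is printed as an error and abandoned with the same return NULL. Now that pull_hdr reports a cause, pass at least a local `u_short reason;` as the last argument and put it in the message, e.g. `printf("pf: ICMP error message unusable (reason %u)\n", reason);`, so the three causes can be told apart on the console. pf_test_state_icmp starts before this hunk.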
@@ -1884,7 +1884,7 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
int ackskew;
if (!pull_hdr(ifp, m, ipoff2, off2, &th, sizeof(th),
- &h2, &dummy)) {
+ &h2, NULL, NULL)) {
printf("pf: "
"ICMP error message too short\n");
return NULL;
@@ -1963,7 +1963,7 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
struct pf_tree_key key;
if (!pull_hdr(ifp, m, ipoff2, off2, &uh, sizeof(uh),
- &h2, &dummy)) {
+ &h2, NULL, NULL)) {
printf("pf: ICMP error message too short\n");
return NULL;
}
@@ -2021,46 +2021,46 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
}
}
+#define SAVE_SET(a,x) do { if ((a) != NULL) *(a) = (x); } while (0)
+
/*
* ipoff and off are measured from the start of the mbuf chain.
* h must be at "ipoff" on the mbuf chain.
*/
void *
pull_hdr(struct ifnet *ifp, struct mbuf *m, int ipoff, int off, void *p,
- int len, struct ip *h, int *action)
+ int len, struct ip *h, u_short *action, u_short *reason)
{
u_int16_t fragoff = (h->ip_off & IP_OFFMASK) << 3;
/* sanity check */
if (ipoff > off) {
- printf("pf: assumption failed on header location");
- *action = PF_DROP;
+ SAVE_SET(action, PF_DROP);
+ SAVE_SET(reason, PFRES_BADOFF);
return NULL;
}
if (fragoff) {
if (fragoff >= len)
- *action = PF_PASS;
+ SAVE_SET(action, PF_PASS);
else {
- *action = PF_DROP;
- printf("pf: dropping following fragment");
- print_ip(ifp, h);
+ SAVE_SET(action, PF_DROP);
+ SAVE_SET(reason, PFRES_FRAG);
}
return (NULL);
}
if (m->m_pkthdr.len < off + len || ipoff + h->ip_len < off + len) {
- *action = PF_DROP;
- printf("pf: dropping short packet");
- print_ip(ifp, h);
+ SAVE_SET(action, PF_DROP);
+ SAVE_SET(reason, PFRES_SHORT);
return (NULL);
}
m_copydata(m, off, len, p);
- return p;
+ return (p);
}
int
pf_test(int direction, struct ifnet *ifp, struct mbuf *m)
{
- int action;
+ u_short action, reason = 0, log = 0;
struct ip *h;
int off;
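Review bot: The header comment on pull_hdr is not updated for the new contract: action and reason may be NULL, both are written only on a NULL return, and in the passed-later-fragment branch (`fragoff >= len`) only action is set while reason is left untouched, so whatever the caller initialised it to (0, i.e. PFRES_MATCH, in pf_test) is what would be logged. Extend the comment with something like `action and reason may be NULL; on a NULL return they receive the PF_* verdict and PFRES_* cause, except that a later fragment sets only action (PF_PASS)`. Dropping the printf/print_ip diagnostics also means a caller that passes NULL, NULL now gets no trace of a bad-offset or short-packet drop at all. pf_test's body runs past the end of this hunk.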
@@ -2093,8 +2093,11 @@ pf_test(int direction, struct ifnet *ifp, struct mbuf *m)
case IPPROTO_TCP: {
struct tcphdr th;
- if (!pull_hdr(ifp, m, 0, off, &th, sizeof(th), h, &action))
+ if (!pull_hdr(ifp, m, 0, off, &th, sizeof(th), h,
+ &action, &reason)) {
+ log = 1;
goto done;
+ }
if (pf_test_state_tcp(direction, ifp, m, 0, off, h, &th))
action = PF_PASS;
else
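Review bot: The pull_hdr failure block added here is repeated verbatim in the UDP (L157-L168) and ICMP (L169-L180) cases, and `log` is only ever set in these three places, so its name says less than it could. A one-line comment at the declaration of `log` in pf_test would make the intent clear, e.g. `/* log: packet was dropped before any rule was evaluated */`, or the three blocks could `goto` one shared label that sets it. pf_test's switch continues outside this hunk.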
@@ -2106,8 +2109,11 @@ pf_test(int direction, struct ifnet *ifp, struct mbuf *m)
case IPPROTO_UDP: {
struct udphdr uh;
- if (!pull_hdr(ifp, m, 0, off, &uh, sizeof(uh), h, &action))
+ if (!pull_hdr(ifp, m, 0, off, &uh, sizeof(uh), h,
+ &action, &reason)) {
+ log = 1;
goto done;
+ }
if (pf_test_state_udp(direction, ifp, m, 0, off, h, &uh))
action = PF_PASS;
else
@@ -2119,8 +2125,11 @@ pf_test(int direction, struct ifnet *ifp, struct mbuf *m)
case IPPROTO_ICMP: {
struct icmp ih;
- if (!pull_hdr(ifp, m, 0, off, &ih, sizeof(ih), h, &action))
+ if (!pull_hdr(ifp, m, 0, off, &ih, sizeof(ih), h,
+ &action, &reason)) {
+ log = 1;
goto done;
+ }
if (pf_test_state_icmp(direction, ifp, m, 0, off, h, &ih))
action = PF_PASS;
else
@@ -2139,5 +2148,12 @@ done:
pf_status.bytes[direction] += h->ip_len;
pf_status.packets[direction][action]++;
}
+ if (log && action != PF_PASS) {
+ struct pf_rule r;
+
+ r.ifp = ifp;
+ r.action = action;
+ PFLOG_PACKET(h, m, AF_INET, direction, reason, -1, &r);
+ }
return (action);
}
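Review bot: `r` is a stack struct pf_rule of which only ifp and action are assigned before it is handed to PFLOG_PACKET; if pflog_packet copies any other member of rm into the pfloghdr it emits (its body is not in this diff, so I cannot tell), uninitialized kernel stack bytes would reach whoever listens on pflog. Zeroing it first, `bzero(&r, sizeof(r));` directly after the declaration, removes that possibility and makes the logged record deterministic. Whether `action` is always assigned before reaching `done:` depends on code outside this hunk.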
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index f0ca3500c1e..262ce4600ec 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.15 2001/06/26 18:17:53 deraadt Exp $ */
+/* $OpenBSD: pfvar.h,v 1.16 2001/06/26 19:01:55 provos Exp $ */
/*
* Copyright (c) 2001, Daniel Hartmeier
@@ -189,6 +189,9 @@ struct pfioc_if {
/* Reasons code for passing/dropping a packet */
#define PFRES_MATCH 0 /* Explicit match of a rule */
+#define PFRES_BADOFF 1 /* Bad offset for pull_hdr */
+#define PFRES_FRAG 2 /* Dropping following fragment */
+#define PFRES_SHORT 3 /* Dropping short packet */
#ifdef _KERNEL
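Review bot: The new PFRES_* codes travel to userland in pfloghdr.reason, so a decoder will want a bound for a name table; consider adding `#define PFRES_MAX 4 /* one past the highest PFRES_* code */` next to them, and note in the block comment that 0 (PFRES_MATCH) is also what a caller observes when pull_hdr passes a later fragment without setting reason. The PFRES_BADOFF comment could say what the condition is, since "bad offset" is only defined by pull_hdr's `ipoff > off` check: `/* pull_hdr: requested header lies before the IP header */`.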