author | Florian Obser <florian@cvs.openbsd.org> | 2013-05-03 15:33:48 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2013-05-03 15:33:48 +0000 |
commit | 6a44f98cfdd99ed41c2c46af47cb6ce4082f4079 (patch) | |
tree | a4f4f21c1fc1787b1a60cbcc333bb8d7119f3381 | |
parent | 579b51fc574dc41b79ef9eab2c7496e5ce84b9ec (diff) |
Export ingress/egress interface index in pflow(4).
Report that this is needed for some netflow collector and tests by
Chris Ivancic & Colin Ligertwood.
OK mikeb@, benno@
-rw-r--r-- | sys/net/if_pflow.c | 30 | ||||
-rw-r--r-- | sys/net/if_pflow.h | 20 | ||||
-rw-r--r-- | sys/net/pf.c | 8 | ||||
-rw-r--r-- | sys/net/pfvar.h | 4 |
4 files changed, 52 insertions, 10 deletions
diff --git a/sys/net/if_pflow.c b/sys/net/if_pflow.c index f7faadca460..c141b2c7599 100644 --- a/sys/net/if_pflow.c +++ b/sys/net/if_pflow.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pflow.c,v 1.28 2013/04/10 08:50:59 mpi Exp $ */ +/* $OpenBSD: if_pflow.c,v 1.29 2013/05/03 15:33:47 florian Exp $ */ /* * Copyright (c) 2011 Florian Obser <florian@narrans.de> @@ -152,6 +152,12 @@ pflow_clone_create(struct if_clone *ifc, int unit) pflowif->sc_tmpl.ipv4_tmpl.dest_ip.field_id = htons(PFIX_IE_destinationIPv4Address); pflowif->sc_tmpl.ipv4_tmpl.dest_ip.len = htons(4); + pflowif->sc_tmpl.ipv4_tmpl.if_index_in.field_id = + htons(PFIX_IE_ingressInterface); + pflowif->sc_tmpl.ipv4_tmpl.if_index_in.len = htons(4); + pflowif->sc_tmpl.ipv4_tmpl.if_index_out.field_id = + htons(PFIX_IE_egressInterface); + pflowif->sc_tmpl.ipv4_tmpl.if_index_out.len = htons(4); pflowif->sc_tmpl.ipv4_tmpl.packets.field_id = htons(PFIX_IE_packetDeltaCount); pflowif->sc_tmpl.ipv4_tmpl.packets.len = htons(8); @@ -191,6 +197,12 @@ pflow_clone_create(struct if_clone *ifc, int unit) pflowif->sc_tmpl.ipv6_tmpl.dest_ip.field_id = htons(PFIX_IE_destinationIPv6Address); pflowif->sc_tmpl.ipv6_tmpl.dest_ip.len = htons(16); + pflowif->sc_tmpl.ipv6_tmpl.if_index_in.field_id = + htons(PFIX_IE_ingressInterface); + pflowif->sc_tmpl.ipv6_tmpl.if_index_in.len = htons(4); + pflowif->sc_tmpl.ipv6_tmpl.if_index_out.field_id = + htons(PFIX_IE_egressInterface); + pflowif->sc_tmpl.ipv6_tmpl.if_index_out.len = htons(4); pflowif->sc_tmpl.ipv6_tmpl.packets.field_id = htons(PFIX_IE_packetDeltaCount); pflowif->sc_tmpl.ipv6_tmpl.packets.len = htons(8); 
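Review bot: In the `@@ -152,6 +152,12` hunk the two new template entries give their length as a bare `htons(4)`, and nothing links that number to the `u_int32_t if_index_in` / `if_index_out` members this commit adds to `struct pflow_flow4` in if_pflow.h; the `@@ -191,6 +197,12` hunk repeats the pattern for the IPv6 template. If the advertised length or the position of these entries ever diverges from the record struct, a collector would presumably misparse every field that follows, which quietly corrupts the exported flow data. The surrounding entries use literal lengths too, so the least intrusive fix is a comment such as `/* length and order must match if_index_in/if_index_out in struct pflow_flow4 */` (and the flow6 equivalent). pflow_clone_create() starts and ends outside both hunks.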
@@ -563,8 +575,10 @@ copy_flow_data(struct pflow_flow *flow1, struct pflow_flow *flow2, flow1->dest_as = flow2->src_as = flow1->src_as = flow2->dest_as = 0; - flow1->if_index_out = flow2->if_index_in = - flow1->if_index_in = flow2->if_index_out = 0; + flow1->if_index_in = htons(st->if_index_in); + flow1->if_index_out = htons(st->if_index_out); + flow2->if_index_in = htons(st->if_index_out); + flow2->if_index_out = htons(st->if_index_in); flow1->dest_mask = flow2->src_mask = flow1->src_mask = flow2->dest_mask = 0; @@ -598,6 +612,11 @@ copy_flow4_data(struct pflow_flow4 *flow1, struct pflow_flow4 *flow2, flow1->dest_ip = flow2->src_ip = sk->addr[dst].v4.s_addr; flow1->dest_port = flow2->src_port = sk->port[dst]; + flow1->if_index_in = htonl(st->if_index_in); + flow1->if_index_out = htonl(st->if_index_out); + flow2->if_index_in = htonl(st->if_index_out); + flow2->if_index_out = htonl(st->if_index_in); + flow1->flow_packets = htobe64(st->packets[0]); flow2->flow_packets = htobe64(st->packets[1]); flow1->flow_octets = htobe64(st->bytes[0]); @@ -643,6 +662,11 @@ copy_flow6_data(struct pflow_flow6 *flow1, struct pflow_flow6 *flow2, bcopy(&sk->addr[dst].v6, &flow2->src_ip, sizeof(flow2->src_ip)); flow1->dest_port = flow2->src_port = sk->port[dst]; + flow1->if_index_in = htonl(st->if_index_in); + flow1->if_index_out = htonl(st->if_index_out); + flow2->if_index_in = htonl(st->if_index_out); + flow2->if_index_out = htonl(st->if_index_in); + flow1->flow_packets = htobe64(st->packets[0]); flow2->flow_packets = htobe64(st->packets[1]); flow1->flow_octets = htobe64(st->bytes[0]); diff --git a/sys/net/if_pflow.h b/sys/net/if_pflow.h index 0bb0ebbc93c..250ff7e47ef 100644 --- a/sys/net/if_pflow.h +++ b/sys/net/if_pflow.h @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pflow.h,v 1.7 2013/02/05 11:58:39 florian Exp $ */ +/* $OpenBSD: if_pflow.h,v 1.8 2013/05/03 15:33:47 florian Exp $ */ /* * Copyright (c) 2008 Henning Brauer <henning@openbsd.org> 
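Review bot: The ingress/egress swap for `flow2` in copy_flow_data() carries no comment, and the same four-line block is repeated with `htonl()` in copy_flow4_data() (`@@ -598,6 +612,11`) and copy_flow6_data() (`@@ -643,6 +662,11`). From the neighbouring assignments `flow2` appears to be the record for the reverse direction, which is why its ingress is the state's `if_index_out`; a one-line comment such as `/* flow2 is the reverse direction, so ingress and egress swap */` would make that explicit. It is also worth stating there that 0 is exported whenever the pf.c hunk of this commit has not yet recorded an interface for that direction, so consumers of the records should read 0 as unknown rather than as an interface. All three functions begin and end outside their hunks.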
@@ -40,8 +40,10 @@ #define PFIX_IE_ipClassOfService 5 #define PFIX_IE_sourceTransportPort 7 #define PFIX_IE_sourceIPv4Address 8 +#define PFIX_IE_ingressInterface 10 #define PFIX_IE_destinationTransportPort 11 #define PFIX_IE_destinationIPv4Address 12 +#define PFIX_IE_egressInterface 14 #define PFIX_IE_flowEndSysUpTime 21 #define PFIX_IE_flowStartSysUpTime 22 #define PFIX_IE_sourceIPv6Address 27 @@ -91,11 +93,13 @@ struct pflow_tmpl_fspec { u_int16_t len; } __packed; -/* update pflow_clone_create() when changing pflow_v10_tmpl_v4 */ +/* update pflow_clone_create() when changing pflow_tmpl_ipv4 */ struct pflow_tmpl_ipv4 { struct pflow_tmpl_hdr h; struct pflow_tmpl_fspec src_ip; struct pflow_tmpl_fspec dest_ip; + struct pflow_tmpl_fspec if_index_in; + struct pflow_tmpl_fspec if_index_out; struct pflow_tmpl_fspec packets; struct pflow_tmpl_fspec octets; struct pflow_tmpl_fspec start; @@ -104,15 +108,17 @@ struct pflow_tmpl_ipv4 { struct pflow_tmpl_fspec dest_port; struct pflow_tmpl_fspec tos; struct pflow_tmpl_fspec protocol; -#define PFLOW_TMPL_IPV4_FIELD_COUNT 10 +#define PFLOW_TMPL_IPV4_FIELD_COUNT 12 #define PFLOW_TMPL_IPV4_ID 256 } __packed; -/* update pflow_clone_create() when changing pflow_v10_tmpl_v6 */ +/* update pflow_clone_create() when changing pflow_tmpl_v6 */ struct pflow_tmpl_ipv6 { struct pflow_tmpl_hdr h; struct pflow_tmpl_fspec src_ip; struct pflow_tmpl_fspec dest_ip; + struct pflow_tmpl_fspec if_index_in; + struct pflow_tmpl_fspec if_index_out; struct pflow_tmpl_fspec packets; struct pflow_tmpl_fspec octets; struct pflow_tmpl_fspec start; @@ -121,7 +127,7 @@ struct pflow_tmpl_ipv6 { struct pflow_tmpl_fspec dest_port; struct pflow_tmpl_fspec tos; struct pflow_tmpl_fspec protocol; -#define PFLOW_TMPL_IPV6_FIELD_COUNT 10 +#define PFLOW_TMPL_IPV6_FIELD_COUNT 12 #define PFLOW_TMPL_IPV6_ID 257 } __packed; 
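Review bot: `PFLOW_TMPL_IPV4_FIELD_COUNT` is raised from 10 to 12 by hand in the `@@ -104,15 +108,17` hunk (and `PFLOW_TMPL_IPV6_FIELD_COUNT` in `@@ -121,7 +127,7`), with nothing that checks the value against the number of `struct pflow_tmpl_fspec` members. Because the template structs are `__packed`, a compile-time check that `sizeof(struct pflow_tmpl_ipv4) == sizeof(struct pflow_tmpl_hdr) + PFLOW_TMPL_IPV4_FIELD_COUNT * sizeof(struct pflow_tmpl_fspec)` would catch a missed update before a malformed template reaches a collector. Separately, the rewritten comment in the same hunk names `pflow_tmpl_v6` while the struct is `struct pflow_tmpl_ipv6`; it should read `/* update pflow_clone_create() when changing pflow_tmpl_ipv6 */`, matching the corrected IPv4 comment.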
@@ -134,6 +140,8 @@ struct pflow_tmpl { struct pflow_flow4 { u_int32_t src_ip; /* sourceIPv4Address*/ u_int32_t dest_ip; /* destinationIPv4Address */ + u_int32_t if_index_in; /* ingressInterface */ + u_int32_t if_index_out; /* egressInterface */ u_int64_t flow_packets; /* packetDeltaCount */ u_int64_t flow_octets; /* octetDeltaCount */ u_int32_t flow_start; /* flowStartSysUpTime */ @@ -148,6 +156,8 @@ struct pflow_flow4 { struct pflow_flow6 { struct in6_addr src_ip; /* sourceIPv6Address */ struct in6_addr dest_ip; /* destinationIPv6Address */ + u_int32_t if_index_in; /* ingressInterface */ + u_int32_t if_index_out; /* egressInterface */ u_int64_t flow_packets; /* packetDeltaCount */ u_int64_t flow_octets; /* octetDeltaCount */ u_int32_t flow_start; /* diff --git a/sys/net/pf.c b/sys/net/pf.c index e98f265405a..c71cfc00635 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.822 2013/04/10 08:50:59 mpi Exp $ */ +/* $OpenBSD: pf.c,v 1.823 2013/05/03 15:33:47 florian Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -7037,6 +7037,12 @@ done: action = pf_refragment6(m0, mtag, fwdir); } #endif + if (s && action != PF_DROP) { + if (!s->if_index_in && dir == PF_IN) + s->if_index_in = ifp->if_index; + else if (!s->if_index_out && dir == PF_OUT) + s->if_index_out = ifp->if_index; + } return (action); } diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 67eb9a7fce4..6da20f48bf1 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.377 2013/03/11 19:48:40 sthen Exp $ */ +/* $OpenBSD: pfvar.h,v 1.378 2013/05/03 15:33:47 florian Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -851,6 +851,8 @@ struct pf_state { u_int8_t set_tos; u_int8_t set_prio[2]; u_int16_t max_mss; + u_int16_t if_index_in; + u_int16_t if_index_out; u_int8_t pad2[2]; }; |
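Review bot: The block added before `return (action);` in the pf.c hunk (`@@ -7037,6 +7037,12`) latches the interface index the first time a packet passes in each direction (`!s->if_index_in`, `!s->if_index_out`) and never updates it afterwards, and that contract is not documented. If a state's traffic later moves to a different interface, the exported flow record would presumably keep naming the original one, which matters when the records are used to attribute traffic to an interface. A comment such as `/* remember the first interface seen per direction; 0 = none yet */` would state the intent. The assignment also stores `ifp->if_index` into the `u_int16_t` members added in pfvar.h; the type of `if_index` is not visible here, so confirm it cannot be wider. The enclosing function starts outside the hunk.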
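Review bot: The `if_index_in` and `if_index_out` members added to `struct pf_state` in the pfvar.h hunk (`@@ -851,6 +851,8`) are undocumented: nothing says that they hold an interface index, that 0 means none recorded yet, or why they are 16 bits wide while the pflow v10 records export them as 32. I would add `/* first if_index seen inbound/outbound, 0 = unset */` beside them. `pad2[2]` is kept unchanged after the new members; whether that is still the right amount of padding depends on the members above the hunk, which are not visible here.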