authorFlorian Obser <florian@cvs.openbsd.org>2013-05-03 15:33:48 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2013-05-03 15:33:48 +0000
commit6a44f98cfdd99ed41c2c46af47cb6ce4082f4079 (patch)
treea4f4f21c1fc1787b1a60cbcc333bb8d7119f3381
parent579b51fc574dc41b79ef9eab2c7496e5ce84b9ec (diff)
Export ingress/egress interface index in pflow(4).
Report that this is needed for some netflow collector and tests by Chris Ivancic & Colin Ligertwood. OK mikeb@, benno@
-rw-r--r--sys/net/if_pflow.c30
-rw-r--r--sys/net/if_pflow.h20
-rw-r--r--sys/net/pf.c8
-rw-r--r--sys/net/pfvar.h4
4 files changed, 52 insertions, 10 deletions
diff --git a/sys/net/if_pflow.c b/sys/net/if_pflow.c
index f7faadca460..c141b2c7599 100644
--- a/sys/net/if_pflow.c
+++ b/sys/net/if_pflow.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflow.c,v 1.28 2013/04/10 08:50:59 mpi Exp $ */
+/* $OpenBSD: if_pflow.c,v 1.29 2013/05/03 15:33:47 florian Exp $ */
/*
* Copyright (c) 2011 Florian Obser <florian@narrans.de>
@@ -152,6 +152,12 @@ pflow_clone_create(struct if_clone *ifc, int unit)
pflowif->sc_tmpl.ipv4_tmpl.dest_ip.field_id =
htons(PFIX_IE_destinationIPv4Address);
pflowif->sc_tmpl.ipv4_tmpl.dest_ip.len = htons(4);
+ pflowif->sc_tmpl.ipv4_tmpl.if_index_in.field_id =
+ htons(PFIX_IE_ingressInterface);
+ pflowif->sc_tmpl.ipv4_tmpl.if_index_in.len = htons(4);
+ pflowif->sc_tmpl.ipv4_tmpl.if_index_out.field_id =
+ htons(PFIX_IE_egressInterface);
+ pflowif->sc_tmpl.ipv4_tmpl.if_index_out.len = htons(4);
pflowif->sc_tmpl.ipv4_tmpl.packets.field_id =
htons(PFIX_IE_packetDeltaCount);
pflowif->sc_tmpl.ipv4_tmpl.packets.len = htons(8);
@@ -191,6 +197,12 @@ pflow_clone_create(struct if_clone *ifc, int unit)
pflowif->sc_tmpl.ipv6_tmpl.dest_ip.field_id =
htons(PFIX_IE_destinationIPv6Address);
pflowif->sc_tmpl.ipv6_tmpl.dest_ip.len = htons(16);
+ pflowif->sc_tmpl.ipv6_tmpl.if_index_in.field_id =
+ htons(PFIX_IE_ingressInterface);
+ pflowif->sc_tmpl.ipv6_tmpl.if_index_in.len = htons(4);
+ pflowif->sc_tmpl.ipv6_tmpl.if_index_out.field_id =
+ htons(PFIX_IE_egressInterface);
+ pflowif->sc_tmpl.ipv6_tmpl.if_index_out.len = htons(4);
pflowif->sc_tmpl.ipv6_tmpl.packets.field_id =
htons(PFIX_IE_packetDeltaCount);
pflowif->sc_tmpl.ipv6_tmpl.packets.len = htons(8);
@@ -563,8 +575,10 @@ copy_flow_data(struct pflow_flow *flow1, struct pflow_flow *flow2,
flow1->dest_as = flow2->src_as =
flow1->src_as = flow2->dest_as = 0;
- flow1->if_index_out = flow2->if_index_in =
- flow1->if_index_in = flow2->if_index_out = 0;
+ flow1->if_index_in = htons(st->if_index_in);
+ flow1->if_index_out = htons(st->if_index_out);
+ flow2->if_index_in = htons(st->if_index_out);
+ flow2->if_index_out = htons(st->if_index_in);
flow1->dest_mask = flow2->src_mask =
flow1->src_mask = flow2->dest_mask = 0;
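Review bot: The in/out swap for `flow2` is the one non-obvious part of these four assignments and it carries no comment, here or in the identical blocks added to `copy_flow4_data` and `copy_flow6_data`. A one-line comment above the block would help, for example `/* flow2 is the reverse direction: ingress and egress are swapped */`. It is also worth saying next to the v9/IPFIX copies that `st->if_index_in` is a 16-bit field widened by `htonl()` to fill the 32-bit record field, while this NetFlow v5 path uses `htons()`; a reader comparing the three functions will otherwise suspect a byte-order mistake. All three functions begin and end outside their hunks.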
@@ -598,6 +612,11 @@ copy_flow4_data(struct pflow_flow4 *flow1, struct pflow_flow4 *flow2,
flow1->dest_ip = flow2->src_ip = sk->addr[dst].v4.s_addr;
flow1->dest_port = flow2->src_port = sk->port[dst];
+ flow1->if_index_in = htonl(st->if_index_in);
+ flow1->if_index_out = htonl(st->if_index_out);
+ flow2->if_index_in = htonl(st->if_index_out);
+ flow2->if_index_out = htonl(st->if_index_in);
+
flow1->flow_packets = htobe64(st->packets[0]);
flow2->flow_packets = htobe64(st->packets[1]);
flow1->flow_octets = htobe64(st->bytes[0]);
@@ -643,6 +662,11 @@ copy_flow6_data(struct pflow_flow6 *flow1, struct pflow_flow6 *flow2,
bcopy(&sk->addr[dst].v6, &flow2->src_ip, sizeof(flow2->src_ip));
flow1->dest_port = flow2->src_port = sk->port[dst];
+ flow1->if_index_in = htonl(st->if_index_in);
+ flow1->if_index_out = htonl(st->if_index_out);
+ flow2->if_index_in = htonl(st->if_index_out);
+ flow2->if_index_out = htonl(st->if_index_in);
+
flow1->flow_packets = htobe64(st->packets[0]);
flow2->flow_packets = htobe64(st->packets[1]);
flow1->flow_octets = htobe64(st->bytes[0]);
diff --git a/sys/net/if_pflow.h b/sys/net/if_pflow.h
index 0bb0ebbc93c..250ff7e47ef 100644
--- a/sys/net/if_pflow.h
+++ b/sys/net/if_pflow.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflow.h,v 1.7 2013/02/05 11:58:39 florian Exp $ */
+/* $OpenBSD: if_pflow.h,v 1.8 2013/05/03 15:33:47 florian Exp $ */
/*
* Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
@@ -40,8 +40,10 @@
#define PFIX_IE_ipClassOfService 5
#define PFIX_IE_sourceTransportPort 7
#define PFIX_IE_sourceIPv4Address 8
+#define PFIX_IE_ingressInterface 10
#define PFIX_IE_destinationTransportPort 11
#define PFIX_IE_destinationIPv4Address 12
+#define PFIX_IE_egressInterface 14
#define PFIX_IE_flowEndSysUpTime 21
#define PFIX_IE_flowStartSysUpTime 22
#define PFIX_IE_sourceIPv6Address 27
@@ -91,11 +93,13 @@ struct pflow_tmpl_fspec {
u_int16_t len;
} __packed;
-/* update pflow_clone_create() when changing pflow_v10_tmpl_v4 */
+/* update pflow_clone_create() when changing pflow_tmpl_ipv4 */
struct pflow_tmpl_ipv4 {
struct pflow_tmpl_hdr h;
struct pflow_tmpl_fspec src_ip;
struct pflow_tmpl_fspec dest_ip;
+ struct pflow_tmpl_fspec if_index_in;
+ struct pflow_tmpl_fspec if_index_out;
struct pflow_tmpl_fspec packets;
struct pflow_tmpl_fspec octets;
struct pflow_tmpl_fspec start;
@@ -104,15 +108,17 @@ struct pflow_tmpl_ipv4 {
struct pflow_tmpl_fspec dest_port;
struct pflow_tmpl_fspec tos;
struct pflow_tmpl_fspec protocol;
-#define PFLOW_TMPL_IPV4_FIELD_COUNT 10
+#define PFLOW_TMPL_IPV4_FIELD_COUNT 12
#define PFLOW_TMPL_IPV4_ID 256
} __packed;
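Review bot: `PFLOW_TMPL_IPV4_ID` stays 256 (and `PFLOW_TMPL_IPV6_ID` stays 257 in the later hunk) although the record described by that template grows by two fields and the field count goes from 10 to 12. A collector that has cached the old template for the same exporter may decode the longer records against the old layout until it receives the refreshed template, which would put wrong values into whatever detection or accounting consumes the flows; this depends on collector behaviour that is not visible here. I would at least record it beside the define, e.g. `/* layout changed with ingress/egress fields; collectors must relearn this template */`, and mention it in the upgrade notes. The struct begins outside this hunk.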
-/* update pflow_clone_create() when changing pflow_v10_tmpl_v6 */
+/* update pflow_clone_create() when changing pflow_tmpl_v6 */
struct pflow_tmpl_ipv6 {
struct pflow_tmpl_hdr h;
struct pflow_tmpl_fspec src_ip;
struct pflow_tmpl_fspec dest_ip;
+ struct pflow_tmpl_fspec if_index_in;
+ struct pflow_tmpl_fspec if_index_out;
struct pflow_tmpl_fspec packets;
struct pflow_tmpl_fspec octets;
struct pflow_tmpl_fspec start;
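Review bot: The corrected comment above `struct pflow_tmpl_ipv6` names `pflow_tmpl_v6`, which is not the struct's name; the IPv4 counterpart was corrected to the real tag `pflow_tmpl_ipv4`. It should read `/* update pflow_clone_create() when changing pflow_tmpl_ipv6 */` so a grep for the struct name finds the reminder. Since the layout of `struct pflow_flow6` must change in step with this template as well, the comment could name it too. The struct continues past the end of this hunk.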
@@ -121,7 +127,7 @@ struct pflow_tmpl_ipv6 {
struct pflow_tmpl_fspec dest_port;
struct pflow_tmpl_fspec tos;
struct pflow_tmpl_fspec protocol;
-#define PFLOW_TMPL_IPV6_FIELD_COUNT 10
+#define PFLOW_TMPL_IPV6_FIELD_COUNT 12
#define PFLOW_TMPL_IPV6_ID 257
} __packed;
@@ -134,6 +140,8 @@ struct pflow_tmpl {
struct pflow_flow4 {
u_int32_t src_ip; /* sourceIPv4Address*/
u_int32_t dest_ip; /* destinationIPv4Address */
+ u_int32_t if_index_in; /* ingressInterface */
+ u_int32_t if_index_out; /* egressInterface */
u_int64_t flow_packets; /* packetDeltaCount */
u_int64_t flow_octets; /* octetDeltaCount */
u_int32_t flow_start; /* flowStartSysUpTime */
@@ -148,6 +156,8 @@ struct pflow_flow4 {
struct pflow_flow6 {
struct in6_addr src_ip; /* sourceIPv6Address */
struct in6_addr dest_ip; /* destinationIPv6Address */
+ u_int32_t if_index_in; /* ingressInterface */
+ u_int32_t if_index_out; /* egressInterface */
u_int64_t flow_packets; /* packetDeltaCount */
u_int64_t flow_octets; /* octetDeltaCount */
u_int32_t flow_start; /*
diff --git a/sys/net/pf.c b/sys/net/pf.c
index e98f265405a..c71cfc00635 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.822 2013/04/10 08:50:59 mpi Exp $ */
+/* $OpenBSD: pf.c,v 1.823 2013/05/03 15:33:47 florian Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -7037,6 +7037,12 @@ done:
action = pf_refragment6(m0, mtag, fwdir);
}
#endif
+ if (s && action != PF_DROP) {
+ if (!s->if_index_in && dir == PF_IN)
+ s->if_index_in = ifp->if_index;
+ else if (!s->if_index_out && dir == PF_OUT)
+ s->if_index_out = ifp->if_index;
+ }
return (action);
}
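Review bot: The added block latches the first interface seen in each direction for the life of the state, because `!s->if_index_in` and `!s->if_index_out` guard the assignments and 0 doubles as the "not yet seen" value; none of this is documented here or on the new `if_index_in`/`if_index_out` fields in `struct pf_state`. If a state later matches packets on a different interface (a route change, or a state that is not bound to one interface), the exported index is presumably stale, and a flow that never saw one direction is exported with index 0. Both matter to anyone using the flow records for traffic attribution. I would add a comment above the block such as `/* pflow(4): remember the first interface seen per direction; 0 = not yet seen */` and a matching one on the struct fields. The enclosing function starts outside this hunk, so whether `ifp` can be NULL or reassigned before this point cannot be checked from here.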
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 67eb9a7fce4..6da20f48bf1 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.377 2013/03/11 19:48:40 sthen Exp $ */
+/* $OpenBSD: pfvar.h,v 1.378 2013/05/03 15:33:47 florian Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -851,6 +851,8 @@ struct pf_state {
u_int8_t set_tos;
u_int8_t set_prio[2];
u_int16_t max_mss;
+ u_int16_t if_index_in;
+ u_int16_t if_index_out;
u_int8_t pad2[2];
};