authorCan Erkin Acar <canacar@cvs.openbsd.org>2003-05-14 08:50:38 +0000
committerCan Erkin Acar <canacar@cvs.openbsd.org>2003-05-14 08:50:38 +0000
commit7776f84fd3b0bc8897c89b7c525c6125fc067a1b (patch)
tree1f7ffaaf9c33ca2967e278d23a0bcdb3e4888160 /usr.sbin/tcpdump
parentba0ae9ac18af661d67199b18276c8e19de2a1588 (diff)
libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized. ok henning@ dhartmei@ frantzen@
Diffstat (limited to 'usr.sbin/tcpdump')
-rw-r--r--usr.sbin/tcpdump/interface.h6
-rw-r--r--usr.sbin/tcpdump/print-pflog.c123
-rw-r--r--usr.sbin/tcpdump/tcpdump.820
-rw-r--r--usr.sbin/tcpdump/tcpdump.c5
4 files changed, 139 insertions, 15 deletions
diff --git a/usr.sbin/tcpdump/interface.h b/usr.sbin/tcpdump/interface.h
index 34cfdfb2595..4f1b4ce745e 100644
--- a/usr.sbin/tcpdump/interface.h
+++ b/usr.sbin/tcpdump/interface.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: interface.h,v 1.36 2003/02/20 23:39:20 jason Exp $ */
+/* $OpenBSD: interface.h,v 1.37 2003/05/14 08:50:37 canacar Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -20,7 +20,7 @@
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.36 2003/02/20 23:39:20 jason Exp $ (LBL)
+ * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.37 2003/05/14 08:50:37 canacar Exp $ (LBL)
*/
#ifndef tcpdump_interface_h
@@ -195,6 +195,8 @@ extern void egp_print(const u_char *, u_int, const u_char *);
extern void enc_if_print(u_char *, const struct pcap_pkthdr *, const u_char *);
extern void pflog_if_print(u_char *, const struct pcap_pkthdr *,
const u_char *);
+extern void pflog_old_if_print(u_char *, const struct pcap_pkthdr *,
+ const u_char *);
extern void pfsync_if_print(u_char *, const struct pcap_pkthdr *,
const u_char *);
extern void ether_if_print(u_char *, const struct pcap_pkthdr *,
diff --git a/usr.sbin/tcpdump/print-pflog.c b/usr.sbin/tcpdump/print-pflog.c
index 109b80730a5..fefa4f741b9 100644
--- a/usr.sbin/tcpdump/print-pflog.c
+++ b/usr.sbin/tcpdump/print-pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-pflog.c,v 1.12 2003/01/28 22:45:19 henning Exp $ */
+/* $OpenBSD: print-pflog.c,v 1.13 2003/05/14 08:50:37 canacar Exp $ */
/*
* Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996
@@ -23,7 +23,7 @@
#ifndef lint
static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pflog.c,v 1.12 2003/01/28 22:45:19 henning Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pflog.c,v 1.13 2003/05/14 08:50:37 canacar Exp $ (LBL)";
#endif
#include <sys/param.h>
@@ -59,17 +59,32 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
register const u_char *p)
{
u_int length = h->len;
+ u_int hdrlen;
u_int caplen = h->caplen;
const struct ip *ip;
const struct ip6_hdr *ip6;
const struct pfloghdr *hdr;
- u_short res;
+ u_int32_t res;
char reason[128], *why;
u_int8_t af;
ts_print(&h->ts);
- if (caplen < PFLOG_HDRLEN) {
+ // check length
+ if (caplen < sizeof(u_int8_t)) {
+ printf("[|pflog]");
+ goto out;
+ }
+
+#define MIN_PFLOG_HDRLEN 45
+ hdr = (struct pfloghdr *)p;
+ if (hdr->length < MIN_PFLOG_HDRLEN) {
+ printf("[pflog: invalid header length!]");
+ goto out;
+ }
+ hdrlen = BPF_WORDALIGN(hdr->length);
+
+ if (caplen < hdrlen) {
printf("[|pflog]");
goto out;
}
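Review bot: The one-byte guard `if (caplen < sizeof(u_int8_t))` is only sufficient because `hdr->length` is read immediately afterwards, which silently assumes `length` is the first byte of `struct pfloghdr`; that dependency deserves a comment such as `/* length is the first byte of the header, so one captured byte is enough to read it */` next to the check. `#define MIN_PFLOG_HDRLEN 45` is placed inside the function body and 45 is a magic number with nothing tying it to the header layout; moving the definition to file scope with a comment explaining how 45 is derived from `struct pfloghdr` would make the minimum self-describing. The `// check length` comment also uses C99 line-comment syntax while the rest of the file uses `/* */`. pflog_if_print begins before this hunk and its body continues past it.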
@@ -84,6 +99,96 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
hdr = (struct pfloghdr *)p;
if (eflag) {
+ res = hdr->reason;
+ why = (res < PFRES_MAX) ? pf_reasons[res] : "unkn";
+
+ snprintf(reason, sizeof(reason), "%d(%s)", res, why);
+
+ if (ntohl(hdr->subrulenr) == (u_int32_t) -1)
+ printf("rule %u/%s: ",
+ ntohl(hdr->rulenr), reason);
+ else
+ printf("rule %u.%s.%u/%s: ", ntohl(hdr->rulenr),
+ hdr->ruleset, ntohl(hdr->subrulenr), reason);
+
+ switch (hdr->action) {
+ case PF_SCRUB:
+ printf("scrub");
+ break;
+ case PF_PASS:
+ printf("pass");
+ break;
+ case PF_DROP:
+ printf("block");
+ break;
+ case PF_NAT:
+ case PF_NONAT:
+ printf("nat");
+ break;
+ case PF_BINAT:
+ case PF_NOBINAT:
+ printf("binat");
+ break;
+ case PF_RDR:
+ case PF_NORDR:
+ printf("rdr");
+ break;
+ }
+ printf(" %s on %s: ",
+ hdr->dir == PF_OUT ? "out" : "in",
+ hdr->ifname);
+ }
+ af = hdr->af;
+ length -= hdrlen;
+ if (af == AF_INET) {
+ ip = (struct ip *)(p + hdrlen);
+ ip_print((const u_char *)ip, length);
+ if (xflag)
+ default_print((const u_char *)ip,
+ caplen - hdrlen);
+ } else {
+ ip6 = (struct ip6_hdr *)(p + hdrlen);
+ ip6_print((const u_char *)ip6, length);
+ if (xflag)
+ default_print((const u_char *)ip6,
+ caplen - hdrlen);
+ }
+
+out:
+ putchar('\n');
+}
+
+
+void
+pflog_old_if_print(u_char *user, const struct pcap_pkthdr *h,
+ register const u_char *p)
+{
+ u_int length = h->len;
+ u_int caplen = h->caplen;
+ const struct ip *ip;
+ const struct ip6_hdr *ip6;
+ const struct old_pfloghdr *hdr;
+ u_short res;
+ char reason[128], *why;
+ u_int8_t af;
+
+ ts_print(&h->ts);
+
+ if (caplen < OLD_PFLOG_HDRLEN) {
+ printf("[|pflog]");
+ goto out;
+ }
+
+ /*
+ * Some printers want to get back at the link level addresses,
+ * and/or check that they're not walking off the end of the packet.
+ * Rather than pass them all the way down, we set these globals.
+ */
+ packetp = p;
+ snapend = p + caplen;
+
+ hdr = (struct old_pfloghdr *)p;
+ if (eflag) {
res = ntohs(hdr->reason);
why = (res < PFRES_MAX) ? pf_reasons[res] : "unkn";
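Review bot: `hdr->ruleset` and `hdr->ifname` are printed with `%s` on the `printf("rule %u.%s.%u/%s: ", ...` and `printf(" %s on %s: ", ...` lines even though they are taken straight from the captured header, so a record whose name field is not NUL-terminated (as can happen with a crafted or truncated capture) lets printf read past the field; bounding each conversion as `%.*s` with `(int)sizeof(hdr->ruleset)` and `(int)sizeof(hdr->ifname)` keeps the read inside the header. `res` is now `u_int32_t` but `snprintf(reason, sizeof(reason), "%d(%s)", res, why);` still uses `%d`, which should be `%u`. The `switch (hdr->action)` has no `default`, so an unrecognised action prints nothing between the rule and the direction; `default: printf("unkn(%u)", hdr->action); break;` would keep the line readable. pflog_if_print starts before this hunk, and pflog_old_if_print continues past it.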
@@ -119,19 +224,19 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
hdr->ifname);
}
af = ntohl(hdr->af);
- length -= PFLOG_HDRLEN;
+ length -= OLD_PFLOG_HDRLEN;
if (af == AF_INET) {
- ip = (struct ip *)(p + PFLOG_HDRLEN);
+ ip = (struct ip *)(p + OLD_PFLOG_HDRLEN);
ip_print((const u_char *)ip, length);
if (xflag)
default_print((const u_char *)ip,
- caplen - PFLOG_HDRLEN);
+ caplen - OLD_PFLOG_HDRLEN);
} else {
- ip6 = (struct ip6_hdr *)(p + PFLOG_HDRLEN);
+ ip6 = (struct ip6_hdr *)(p + OLD_PFLOG_HDRLEN);
ip6_print((const u_char *)ip6, length);
if (xflag)
default_print((const u_char *)ip6,
- caplen - PFLOG_HDRLEN);
+ caplen - OLD_PFLOG_HDRLEN);
}
out:
diff --git a/usr.sbin/tcpdump/tcpdump.8 b/usr.sbin/tcpdump/tcpdump.8
index 25e80a3d94c..3a4606384cc 100644
--- a/usr.sbin/tcpdump/tcpdump.8
+++ b/usr.sbin/tcpdump/tcpdump.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tcpdump.8,v 1.33 2003/04/08 01:21:11 david Exp $
+.\" $OpenBSD: tcpdump.8,v 1.34 2003/05/14 08:50:37 canacar Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996
.\" The Regents of the University of California. All rights reserved.
@@ -663,7 +663,7 @@ Synonymous with the
modifier.
.It Cm rnr Ar num
True if the packet was logged as matching the specified PF rule number
-(applies only to packets logged by
+in the main ruleset (applies only to packets logged by
.Xr pf 4 ).
.It Cm rulenum Ar num
Synonomous with the
@@ -681,6 +681,22 @@ and
.Ar memory .
(applies only to packets logged by
.Xr pf 4 ).
+.It Cm rset Ar name
+True if the packet was logged as matching the specified PF ruleset
+name of an anchored ruleset (applies only to packets logged by
+.Xr pf 4 ).
+.It Cm ruleset Ar name
+Synonomous with the
+.Ar rset
+modifier.
+.It Cm srnr Ar num
+True if the packet was logged as matching the specified PF rule number
+of an anchored ruleset (applies only to packets logged by
+.Xr pf 4 ).
+.It Cm subrulenum Ar num
+Synonomous with the
+.Ar srnr
+modifier.
.It Cm action Ar act
True if PF took the specified action when the packet was logged. Known actions
are:
diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c
index d1b50d8b42f..00825330d76 100644
--- a/usr.sbin/tcpdump/tcpdump.c
+++ b/usr.sbin/tcpdump/tcpdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcpdump.c,v 1.30 2002/11/30 13:56:23 mickey Exp $ */
+/* $OpenBSD: tcpdump.c,v 1.31 2003/05/14 08:50:37 canacar Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -26,7 +26,7 @@ static const char copyright[] =
"@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997\n\
The Regents of the University of California. All rights reserved.\n";
static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/tcpdump.c,v 1.30 2002/11/30 13:56:23 mickey Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/tcpdump.c,v 1.31 2003/05/14 08:50:37 canacar Exp $ (LBL)";
#endif
/*
@@ -111,6 +111,7 @@ static struct printer printers[] = {
{ loop_if_print, DLT_LOOP },
{ enc_if_print, DLT_ENC },
{ pflog_if_print, DLT_PFLOG },
+ { pflog_old_if_print, DLT_OLD_PFLOG },
{ pfsync_if_print, DLT_PFSYNC },
{ NULL, 0 },
};