-rw-r--r-- | sbin/pfctl/parse.y | 17 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 7 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 18 | ||||
-rw-r--r-- | sys/net/if_pflog.c | 12 | ||||
-rw-r--r-- | sys/net/if_pflog.h | 10 | ||||
-rw-r--r-- | sys/net/pf.c | 99 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 7 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 16 | ||||
-rw-r--r-- | sys/net/pfvar.h | 17 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-pflog.c | 15 |
10 files changed, 140 insertions, 78 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index a4da86b3477..c4a62a84d78 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.488 2005/05/27 03:54:27 dhartmei Exp $ */ +/* $OpenBSD: parse.y,v 1.489 2005/05/27 17:22:40 dhartmei Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -416,8 +416,8 @@ typedef struct { %type <v.interface> interface if_list if_item_not if_item %type <v.number> number icmptype icmp6type uid gid %type <v.number> tos not yesno -%type <v.i> no dir log af fragcache sourcetrack flush -%type <v.i> unaryop statelock +%type <v.i> no dir log logopts logopt af fragcache +%type <v.i> sourcetrack flush unaryop statelock %type <v.b> action nataction natpass scrubaction %type <v.b> flags flag blockspec %type <v.range> port rport @@ -2029,9 +2029,18 @@ logquick : /* empty */ { $$.log = 0; $$.quick = 0; } ; log : LOG { $$ = PF_LOG; } - | LOGALL { $$ = PF_LOGALL; } + | LOG '(' logopts ')' { $$ = PF_LOG | $3; } + | LOGALL { $$ = PF_LOG_ALL; } + | LOGALL '(' logopts ')' { $$ = PF_LOG_ALL | $3; } ; +logopts : /* empty */ { $$ = 0; } + | logopt { $$ = $1; } + | logopts comma logopt { $$ = $1 | $3; } + +logopt : USER { $$ = PF_LOG_SOCKET_LOOKUP; } + | GROUP { $$ = PF_LOG_SOCKET_LOOKUP; } + interface : /* empty */ { $$ = NULL; } | ON if_item_not { $$ = $2; } | ON '{' if_list '}' { $$ = $3; } diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index c2038a72576..f1aadd4d859 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.238 2005/05/23 23:28:53 dhartmei Exp $ */ +/* $OpenBSD: pfctl.c,v 1.239 2005/05/27 17:22:40 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
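Review bot: The new `logopts` and `logopt` productions end without the `;` terminator that every neighbouring rule in this hunk (`logquick`, `log`, `interface`) uses; yacc tolerates the omission, but the inconsistency is worth closing with a `;` after `| GROUP { $$ = PF_LOG_SOCKET_LOOKUP; }`. Both `user` and `group` map to the same PF_LOG_SOCKET_LOOKUP bit, so a ruleset written with `log (group)` is printed back by pfctl as `log (user)`; a comment on `logopt`, `/* user and group are aliases: both request the socket lookup that fills uid, gid and pid in the log record */`, would spare the next reader the search through pfctl_parser.c.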
@@ -589,12 +589,15 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts) printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n", rule->qname, rule->qid, rule->pqname, rule->pqid); } - if (opts & PF_OPT_VERBOSE) + if (opts & PF_OPT_VERBOSE) { printf(" [ Evaluations: %-8llu Packets: %-8llu " "Bytes: %-10llu States: %-6u]\n", (unsigned long long)rule->evaluations, (unsigned long long)rule->packets, (unsigned long long)rule->bytes, rule->states); + printf(" [ Inserted: uid %u pid %u ]\n", + (unsigned)rule->cuid, (unsigned)rule->cpid); + } } void diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index ef5f8e7c146..2e2fb19efae 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.213 2005/05/26 15:30:39 dhartmei Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.214 2005/05/27 17:22:40 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -714,10 +714,18 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose) printf(" in"); else if (r->direction == PF_OUT) printf(" out"); - if (r->log == PF_LOG) - printf(" log"); - else if (r->log == PF_LOGALL) - printf(" log-all"); + if (r->log) { + if (r->log & PF_LOG_ALL) + printf(" log-all"); + else + printf(" log"); + if (r->log & ~(PF_LOG | PF_LOG_ALL)) { + printf(" ("); + if (r->log & PF_LOG_SOCKET_LOOKUP) + printf("user"); + printf(")"); + } + } if (r->quick) printf(" quick"); if (r->ifname[0]) { diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c index 41e1e656471..158743d8083 100644 --- a/sys/net/if_pflog.c +++ b/sys/net/if_pflog.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pflog.c,v 1.12 2004/05/19 17:50:51 dhartmei Exp $ */ +/* $OpenBSD: if_pflog.c,v 1.13 2005/05/27 17:22:40 dhartmei Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and 
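Review bot: In print_rule the option block `printf(" ("); if (r->log & PF_LOG_SOCKET_LOOKUP) printf("user"); printf(")");` is entered for any bit outside PF_LOG|PF_LOG_ALL, so a future log flag without the socket-lookup bit would print an empty `log ()`, and a second option would need a separator the code does not emit. Keeping each option's test next to its output avoids that drift: `if (r->log & PF_LOG_SOCKET_LOOKUP) printf(" (user)");`. print_rule's body continues outside the hunk.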
@@ -174,14 +174,14 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data) int pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, u_int8_t reason, struct pf_rule *rm, struct pf_rule *am, - struct pf_ruleset *ruleset) + struct pf_ruleset *ruleset, struct pf_pdesc *pd) { #if NBPFILTER > 0 struct ifnet *ifn; struct pfloghdr hdr; struct mbuf m1; - if (kif == NULL || m == NULL || rm == NULL) + if (kif == NULL || m == NULL || rm == NULL || pd == NULL) return (-1); bzero(&hdr, sizeof(hdr)); @@ -201,6 +201,12 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, strlcpy(hdr.ruleset, ruleset->anchor->name, sizeof(hdr.ruleset)); } + if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done) + pd->lookup.done = pf_socket_lookup(dir, pd); + hdr.uid = pd->lookup.uid; + hdr.pid = pd->lookup.pid; + hdr.rule_uid = rm->cuid; + hdr.rule_pid = rm->cpid; hdr.dir = dir; #ifdef INET diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h index 7a43b10c215..c80a1973456 100644 --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pflog.h,v 1.11 2004/05/19 17:50:51 dhartmei Exp $ */ +/* $OpenBSD: if_pflog.h,v 1.12 2005/05/27 17:22:40 dhartmei Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -42,6 +42,10 @@ struct pfloghdr { char ruleset[PFLOG_RULESET_NAME_SIZE]; u_int32_t rulenr; u_int32_t subrulenr; + uid_t uid; + pid_t pid; + uid_t rule_uid; + pid_t rule_pid; u_int8_t dir; u_int8_t pad[3]; }; @@ -64,9 +68,9 @@ struct old_pfloghdr { #ifdef _KERNEL #if NPFLOG > 0 -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g) pflog_packet(i,a,b,c,d,e,f,g) +#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) pflog_packet(i,a,b,c,d,e,f,g,h) #else -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g) ((void)0) +#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) ((void)0) #endif /* NPFLOG > 0 */ #endif /* _KERNEL */ #endif /* _NET_IF_PFLOG_H_ */ diff --git a/sys/net/pf.c b/sys/net/pf.c index 7ef95995677..16b02168174 100644 
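Review bot: `hdr.uid = pd->lookup.uid; hdr.pid = pd->lookup.pid;` copies the lookup fields even when no lookup ran (`pd->lookup.done == 0`), in which case they hold whatever the caller left in pd — presumably zero if pf_test clears the descriptor, which this page does not show — and the log record then claims uid 0 / pid 0, a value print-pflog.c treats as a real result because it only suppresses NO_PID. pf_socket_lookup() writes the UID_MAX/NO_PID sentinels only when it is actually called, so the pflog side should supply them itself: `hdr.uid = pd->lookup.done ? pd->lookup.uid : UID_MAX;` and `hdr.pid = pd->lookup.done ? pd->lookup.pid : NO_PID;`. The condition `rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done` parses as intended, but mixing `&` and `&&` without parentheses trips -Wparentheses; `(rm->log & PF_LOG_SOCKET_LOOKUP)` is cheaper than the warning. pflog_packet's body continues outside the hunk.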
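Review bot: Inserting `uid`, `pid`, `rule_uid` and `rule_pid` ahead of `dir` in struct pfloghdr changes the DLT_PFLOG record layout that saved captures and every pflog reader depend on, and the hunk adds no comment saying so; the retained `old_pfloghdr` suggests the file has been through one such break already. A comment on the struct, e.g. `/* on-wire pflog record (DLT_PFLOG): layout changes break existing captures and readers; readers should key on the length field rather than sizeof */`, would make the compatibility contract explicit — assuming the existing length field is what readers use, which this page does not show.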
--- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.491 2005/05/26 15:29:48 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.492 2005/05/27 17:22:40 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -48,6 +48,7 @@ #include <sys/kernel.h> #include <sys/time.h> #include <sys/pool.h> +#include <sys/proc.h> #include <net/if.h> #include <net/if_types.h> @@ -198,8 +199,7 @@ void pf_route(struct mbuf **, struct pf_rule *, int, struct ifnet *, struct pf_state *); void pf_route6(struct mbuf **, struct pf_rule *, int, struct ifnet *, struct pf_state *); -int pf_socket_lookup(uid_t *, gid_t *, - int, struct pf_pdesc *); +int pf_socket_lookup(int, struct pf_pdesc *); u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t); u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, @@ -2455,28 +2455,35 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, } int -pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) +pf_socket_lookup(int direction, struct pf_pdesc *pd) { struct pf_addr *saddr, *daddr; u_int16_t sport, dport; struct inpcbtable *tb; struct inpcb *inp; - *uid = UID_MAX; - *gid = GID_MAX; + if (pd == NULL) + return (-1); + pd->lookup.uid = UID_MAX; + pd->lookup.gid = GID_MAX; + pd->lookup.pid = NO_PID; switch (pd->proto) { case IPPROTO_TCP: + if (pd->hdr.tcp == NULL) + return (-1); sport = pd->hdr.tcp->th_sport; dport = pd->hdr.tcp->th_dport; tb = &tcbtable; break; case IPPROTO_UDP: + if (pd->hdr.udp == NULL) + return (-1); sport = pd->hdr.udp->uh_sport; dport = pd->hdr.udp->uh_dport; tb = &udbtable; break; default: - return (0); + return (-1); } if (direction == PF_IN) { saddr = pd->src; @@ -2497,7 +2504,7 @@ pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) if (inp == NULL) { inp = in_pcblookup_listen(tb, daddr->v4, dport, 0); if (inp == NULL) - return (0); + return (-1); } break; #endif /* INET */ 
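Review bot: pf_socket_lookup() now folds three outcomes into its return value — 1 when a PCB was found, -1 for both "protocol not TCP/UDP" and "no socket" — and every caller stores that value into `pd->lookup.done`, so a reader has to chase callers to learn that -1 still counts as done; a header comment would settle it: `/* Resolve the local socket for pd; fills pd->lookup.{uid,gid,pid} (UID_MAX/GID_MAX/NO_PID on failure) and returns 1 on success, -1 otherwise. Callers cache the result in pd->lookup.done so the lookup runs at most once per packet. */`. The added `pd->hdr.tcp == NULL` and `pd->hdr.udp == NULL` guards only help if the caller zeroes the descriptor before use, which pf_norm.c now relies on since it passes pd into PFLOG_PACKET before the header pointers are presumably set; that zeroing is not visible on this page. pf_socket_lookup's body continues into the next hunk.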
@@ -2508,16 +2515,17 @@ pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) if (inp == NULL) { inp = in6_pcblookup_listen(tb, &daddr->v6, dport, 0); if (inp == NULL) - return (0); + return (-1); } break; #endif /* INET6 */ default: - return (0); + return (-1); } - *uid = inp->inp_socket->so_euid; - *gid = inp->inp_socket->so_egid; + pd->lookup.uid = inp->inp_socket->so_euid; + pd->lookup.gid = inp->inp_socket->so_egid; + pd->lookup.pid = inp->inp_socket->so_cpid; return (1); } @@ -2688,9 +2696,6 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, struct tcphdr *th = pd->hdr.tcp; u_int16_t bport, nport = 0; sa_family_t af = pd->af; - int lookup = -1; - uid_t uid; - gid_t gid; struct pf_rule *r, *a = NULL; struct pf_ruleset *ruleset = NULL; struct pf_src_node *nsn = NULL; @@ -2764,15 +2769,15 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if ((r->flagset & th->th_flags) != r->flags) r = TAILQ_NEXT(r, entries); - else if (r->uid.op && (lookup != -1 || (lookup = - pf_socket_lookup(&uid, &gid, direction, pd), 1)) && + else if (r->uid.op && (pd->lookup.done || (pd->lookup.done = + pf_socket_lookup(direction, pd), 1)) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], - uid)) + pd->lookup.uid)) r = TAILQ_NEXT(r, entries); - else if (r->gid.op && (lookup != -1 || (lookup = - pf_socket_lookup(&uid, &gid, direction, pd), 1)) && + else if (r->gid.op && (pd->lookup.done || (pd->lookup.done = + pf_socket_lookup(direction, pd), 1)) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], - gid)) + pd->lookup.gid)) r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); 
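Review bot: The run-once idiom `(pd->lookup.done || (pd->lookup.done = pf_socket_lookup(direction, pd), 1))` is now written out four times — twice here in pf_test_tcp and twice in the matching pf_test_udp hunk — and relies on -1 being truthy so a failed lookup is not retried, a detail the expression does not state. A small static helper makes both the intent and the no-retry behaviour explicit, and each rule check shrinks to `else if (r->uid.op && (pf_socket_lookup_once(direction, pd), !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], pd->lookup.uid)))`, with the gid check done the same way. pf_test_tcp starts and ends outside this hunk.
```c
/*
 * Run pf_socket_lookup() at most once per packet: a result of -1
 * (no socket / unsupported protocol) is cached too, so it is not retried.
 */
static __inline void
pf_socket_lookup_once(int direction, struct pf_pdesc *pd)
{
	if (!pd->lookup.done)
		pd->lookup.done = pf_socket_lookup(direction, pd);
}
/* … unchanged: pf_test_tcp rule loop, with the uid/gid checks calling the helper … */
```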
@@ -2809,7 +2814,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, if (rewrite) m_copyback(m, off, sizeof(*th), th); PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr, - a, ruleset); + a, ruleset, pd); } if ((r->action == PF_DROP) && @@ -2912,9 +2917,9 @@ cleanup: s->anchor.ptr = a; STATE_INC_COUNTERS(s); s->allow_opts = r->allow_opts; - s->log = r->log & PF_LOGALL; + s->log = r->log & PF_LOG_ALL; if (nr != NULL) - s->log |= nr->log & PF_LOGALL; + s->log |= nr->log & PF_LOG_ALL; s->proto = IPPROTO_TCP; s->direction = direction; s->af = af; @@ -3066,9 +3071,6 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, struct udphdr *uh = pd->hdr.udp; u_int16_t bport, nport = 0; sa_family_t af = pd->af; - int lookup = -1; - uid_t uid; - gid_t gid; struct pf_rule *r, *a = NULL; struct pf_ruleset *ruleset = NULL; struct pf_src_node *nsn = NULL; @@ -3139,15 +3141,15 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->rule_flag & PFRULE_FRAGMENT) r = TAILQ_NEXT(r, entries); - else if (r->uid.op && (lookup != -1 || (lookup = - pf_socket_lookup(&uid, &gid, direction, pd), 1)) && + else if (r->uid.op && (pd->lookup.done || (pd->lookup.done = + pf_socket_lookup(direction, pd), 1)) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], - uid)) + pd->lookup.uid)) r = TAILQ_NEXT(r, entries); - else if (r->gid.op && (lookup != -1 || (lookup = - pf_socket_lookup(&uid, &gid, direction, pd), 1)) && + else if (r->gid.op && (pd->lookup.done || (pd->lookup.done = + pf_socket_lookup(direction, pd), 1)) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], - gid)) + pd->lookup.gid)) r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); 
@@ -3183,7 +3185,7 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, if (rewrite) m_copyback(m, off, sizeof(*uh), uh); PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr, - a, ruleset); + a, ruleset, pd); } if ((r->action == PF_DROP) && @@ -3268,9 +3270,9 @@ cleanup: s->anchor.ptr = a; STATE_INC_COUNTERS(s); s->allow_opts = r->allow_opts; - s->log = r->log & PF_LOGALL; + s->log = r->log & PF_LOG_ALL; if (nr != NULL) - s->log |= nr->log & PF_LOGALL; + s->log |= nr->log & PF_LOG_ALL; s->proto = IPPROTO_UDP; s->direction = direction; s->af = af; @@ -3504,7 +3506,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, pd->hdr.icmp6); #endif /* INET6 */ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr, - a, ruleset); + a, ruleset, pd); } if (r->action != PF_PASS) @@ -3566,9 +3568,9 @@ cleanup: s->anchor.ptr = a; STATE_INC_COUNTERS(s); s->allow_opts = r->allow_opts; - s->log = r->log & PF_LOGALL; + s->log = r->log & PF_LOG_ALL; if (nr != NULL) - s->log |= nr->log & PF_LOGALL; + s->log |= nr->log & PF_LOG_ALL; s->proto = pd->proto; s->direction = direction; s->af = af; @@ -3749,7 +3751,7 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->log || (nr != NULL && nr->natpass && nr->log)) PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr, - a, ruleset); + a, ruleset, pd); if ((r->action == PF_DROP) && ((r->rule_flag & PFRULE_RETURNICMP) || @@ -3844,9 +3846,9 @@ cleanup: s->anchor.ptr = a; STATE_INC_COUNTERS(s); s->allow_opts = r->allow_opts; - s->log = r->log & PF_LOGALL; + s->log = r->log & PF_LOG_ALL; if (nr != NULL) - s->log |= nr->log & PF_LOGALL; + s->log |= nr->log & PF_LOG_ALL; s->proto = pd->proto; s->direction = direction; s->af = af; 
@@ -3958,7 +3960,8 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, REASON_SET(&reason, PFRES_MATCH); if (r->log) - PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); + PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset, + pd); if (r->action != PF_PASS) return (PF_DROP); @@ -5940,11 +5943,12 @@ done: struct pf_rule *lr; if (s != NULL && s->nat_rule.ptr != NULL && - s->nat_rule.ptr->log & PF_LOGALL) + s->nat_rule.ptr->log & PF_LOG_ALL) lr = s->nat_rule.ptr; else lr = r; - PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset); + PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset, + &pd); } kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len; @@ -6282,11 +6286,12 @@ done: struct pf_rule *lr; if (s != NULL && s->nat_rule.ptr != NULL && - s->nat_rule.ptr->log & PF_LOGALL) + s->nat_rule.ptr->log & PF_LOG_ALL) lr = s->nat_rule.ptr; else lr = r; - PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset); + PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset, + &pd); } kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len; diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index ce16ce4bda1..e74e9ba925c 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.141 2005/05/21 21:03:57 henning Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.142 2005/05/27 17:22:41 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -48,6 +48,7 @@ #include <sys/time.h> #include <sys/timeout.h> #include <sys/pool.h> +#include <sys/proc.h> #include <sys/malloc.h> #include <net/if.h> @@ -1159,6 +1160,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } bcopy(&pr->rule, rule, sizeof(struct pf_rule)); + rule->cuid = p->p_cred->p_ruid; + rule->cpid = p->p_pid; rule->anchor = NULL; rule->kif = NULL; TAILQ_INIT(&rule->rpool.list); 
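Review bot: `rule->cuid = p->p_cred->p_ruid;` records the real uid of the inserting process rather than its effective uid, and nothing says whether that is deliberate; since the value surfaces in pfctl -vv output and in every pflog record as `rule_uid`, the choice deserves a comment, e.g. `/* real uid and pid of the inserting process; audit display only (pfctl -vv, pflog rule_uid/rule_pid) */`. The same two assignments appear again in the DIOCCHANGERULE hunk that follows; a one-line helper would keep the two from drifting. Both sit inside pfioctl, whose body lies outside the hunk.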
@@ -1389,6 +1392,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } bcopy(&pcr->rule, newrule, sizeof(struct pf_rule)); + newrule->cuid = p->p_cred->p_ruid; + newrule->cpid = p->p_pid; TAILQ_INIT(&newrule->rpool.list); /* initialize refcounting */ newrule->states = 0; diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index c3033539dda..b404ecd7352 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.99 2005/05/22 16:22:41 dhartmei Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.100 2005/05/27 17:22:41 dhartmei Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -1001,13 +1001,13 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, no_mem: REASON_SET(reason, PFRES_MEMORY); if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL); + PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL, pd); return (PF_DROP); drop: REASON_SET(reason, PFRES_NORM); if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL); + PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL, pd); return (PF_DROP); bad: @@ -1019,7 +1019,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, REASON_SET(reason, PFRES_FRAG); if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL); + PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL, pd); return (PF_DROP); } 
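Review bot: pf_normalize_ip now hands `pd` to PFLOG_PACKET while, presumably, only part of the descriptor has been filled in — IP normalisation would run before pd->proto and pd->hdr are set — so a scrub rule carrying `log (user)` makes pflog_packet() call pf_socket_lookup() on a mostly empty pd. That is safe only because pf_socket_lookup's default case and its new NULL-header guards return -1, and only if the caller zeroed pd beforehand, which this page does not show; a comment at the first of these calls, `/* pd is only partially populated here; pflog may attempt a socket lookup, which pf_socket_lookup() must tolerate */`, records the dependency. The same applies to the pf_normalize_ip6 and pf_normalize_tcp hunks that follow.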
@@ -1182,19 +1182,19 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif, shortpkt: REASON_SET(reason, PFRES_SHORT); if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL); + PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL, pd); return (PF_DROP); drop: REASON_SET(reason, PFRES_NORM); if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL); + PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL, pd); return (PF_DROP); badfrag: REASON_SET(reason, PFRES_FRAG); if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL); + PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL, pd); return (PF_DROP); } #endif /* INET6 */ @@ -1306,7 +1306,7 @@ pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff, tcp_drop: REASON_SET(&reason, PFRES_NORM); if (rm != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, NULL, NULL); + PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, NULL, NULL, pd); return (PF_DROP); } diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 3761928e6d9..1c946226e6e 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.219 2005/05/26 15:29:48 dhartmei Exp $ */ +/* $OpenBSD: pfvar.h,v 1.220 2005/05/27 17:22:41 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -108,7 +108,8 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, #define PF_WSCALE_MASK 0x0f #define PF_LOG 0x01 -#define PF_LOGALL 0x02 +#define PF_LOG_ALL 0x02 +#define PF_LOG_SOCKET_LOOKUP 0x04 struct pf_addr { union { @@ -533,6 +534,8 @@ struct pf_rule { u_int32_t rt_listid; u_int32_t nr; u_int32_t prob; + uid_t cuid; + pid_t cpid; u_int16_t return_icmp; u_int16_t return_icmp6; 
@@ -881,6 +884,12 @@ enum pfi_kif_refs { #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ struct pf_pdesc { + struct { + int done; + uid_t uid; + gid_t gid; + pid_t pid; + } lookup; u_int64_t tot_len; /* Make Mickey money */ union { struct tcphdr *tcp; @@ -1432,7 +1441,8 @@ void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, sa_family_t); void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, - u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *); + u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *, + struct pf_pdesc *); int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, struct pf_addr *, sa_family_t); int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); @@ -1458,6 +1468,7 @@ u_int32_t void pf_purge_expired_fragments(void); int pf_routable(struct pf_addr *addr, sa_family_t af); int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *); +int pf_socket_lookup(int, struct pf_pdesc *); void pfr_initialize(void); int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, diff --git a/usr.sbin/tcpdump/print-pflog.c b/usr.sbin/tcpdump/print-pflog.c index 37e261b379b..2f16d51c971 100644 --- a/usr.sbin/tcpdump/print-pflog.c +++ b/usr.sbin/tcpdump/print-pflog.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print-pflog.c,v 1.15 2005/03/11 15:54:11 dhartmei Exp $ */ +/* $OpenBSD: print-pflog.c,v 1.16 2005/05/27 17:22:41 dhartmei Exp $ */ /* * Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996 @@ -23,7 +23,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pflog.c,v 1.15 2005/03/11 15:54:11 dhartmei Exp $ (LBL)"; + "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pflog.c,v 1.16 2005/05/27 17:22:41 dhartmei Exp $ (LBL)"; #endif #include <sys/param.h> 
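Review bot: The new `lookup` member of struct pf_pdesc carries an `int done` whose value space is not obvious from the declaration: pf.c stores pf_socket_lookup()'s result into it, so it is 0 before any attempt, 1 after a successful one and -1 after a failed one, and both non-zero values suppress a retry. A comment on the field, `int done; /* 0 = not attempted, 1 = socket found, -1 = attempted, no socket */`, plus one on the group noting that uid/gid/pid are valid only when done == 1 (UID_MAX/GID_MAX/NO_PID after a failed attempt, unspecified before any), would document the contract where readers first meet it.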
@@ -32,6 +32,11 @@ static const char rcsid[] = #include <sys/file.h> #include <sys/ioctl.h> #include <sys/mbuf.h> +#include <sys/proc.h> + +#ifndef NO_PID +#define NO_PID (32766+1) +#endif struct rtentry; #include <net/if.h> @@ -116,6 +121,9 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h, printf("/(%s) ", pf_reasons[hdr->reason]); else printf("/(unkn %u) ", (unsigned)hdr->reason); + if (vflag) + printf("[uid %u, pid %u] ", (unsigned)hdr->rule_uid, + (unsigned)hdr->rule_pid); switch (hdr->action) { case PF_SCRUB: @@ -143,6 +151,9 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h, printf(" %s on %s: ", hdr->dir == PF_OUT ? "out" : "in", hdr->ifname); + if (vflag && hdr->pid != NO_PID) + printf("[uid %u, pid %u] ", (unsigned)hdr->uid, + (unsigned)hdr->pid); } af = hdr->af; length -= hdrlen; |
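Review bot: The fallback `#define NO_PID (32766+1)` hard-codes the kernel's PID_MAX+1 and will silently disagree with what pflog writes if that kernel constant ever changes; at minimum the number needs a comment, `#define NO_PID (32766+1) /* PID_MAX+1, as in <sys/proc.h>, which only defines it for the kernel */`, and the `#include <sys/proc.h>` above it deserves a note saying why a userland tool pulls it in. In the later hunk the guard `hdr->pid != NO_PID` makes the packet uid/pid line depend on the kernel having written the sentinel, whereas the rule uid/pid line is printed unconditionally; that asymmetry is correct only if pflog always initialises `hdr.uid`/`hdr.pid` to the sentinels when no lookup ran, which the if_pflog.c hunk on this page does not guarantee. pflog_if_print's body lies outside the hunk.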