PF and tcpdump Label Patch
user name
2006-06-21 13:39:17
Hello,

I wrote a patch for PF that logs rule "label" names, much like
IPFilter's log-tag option.
PF already has a label option for marking rules (shown by `pfctl -sr`),
but it does not write the label to the log. Having it in the log is very
useful for matching log entries to a rule, or to a group of rules expanded
from a list, e.g. `pass from any to any port {10,20,30,40} label
"passing_ports"`.

For example:

pass in log quick all keep state label MAIN_RULE

The resulting log line then looks like this:

2006-06-21 18:26:06.969874 rule 67/0(match): pass in on
bge0: label
MAIN_RULE: 192.168.9.99.53568 > 66.249.85.99.80: S ...

To display log entries from the pflog0 interface with tcpdump, tcpdump has
to be patched as well. The PF patch changes the pflog header struct (it
grows by the label field), so without the tcpdump patch the logged packets
appear truncated; any other tool that parses the pflog header would need
the same change.

I tested both patches on FreeBSD 5.4 and FreeBSD 6.0.

Both patches are attached below.


Sincerely,

N. Ersen SISECI
http://www.enderunix.org


--- if_pflog.h.org	Wed Apr  5 10:10:56 2006
+++ if_pflog.h	Wed Apr  5 09:26:31 2006
 -40,6
+40,12 
 #define PF_RULESET_NAME_SIZE	 16
 #endif
 
+#ifndef  PF_RULE_LABEL_SIZE
+#define PF_RULE_LABEL_SIZE       64
+#endif
+
+#define PF_LOG_LABEL
+
 struct pfloghdr {
 	u_int8_t	length;
 	sa_family_t	af;
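Review bot: `#define PF_LOG_LABEL` in this hunk is unconditional, so the `#ifdef PF_LOG_LABEL` guard placed around the new struct member can never be false and gives a consumer no way to build without the label; either drop the guard or make the define overridable from the build. The `#ifndef PF_RULE_LABEL_SIZE` fallback is also a concern for a field that ends up on the wire: whichever header defines that name first (presumably the pf rule definitions) decides the on-wire label length, while the tcpdump side carries its own literal copy of the number, so the two can drift apart silently. A dedicated constant for the log header, e.g. `#define PFLOG_LABEL_SIZE 64 /* on-wire size; must match the copy in tcpdump's pf.h */`, used by both sides would pin it.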
 -50,6
+56,9 
 	u_int32_t	rulenr;
 	u_int32_t	subrulenr;
 	u_int8_t	dir;
+#ifdef PF_LOG_LABEL
+	char		label[PF_RULE_LABEL_SIZE];
+#endif
 	u_int8_t	pad[3];
 };
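Review bot: Inserting `label[PF_RULE_LABEL_SIZE]` between `dir` and `pad` moves `pad` and grows the header, so `sizeof(struct pfloghdr)` and the offset of everything after `dir` change for every consumer of the pflog header, not only tcpdump; appending the member after `pad[3]` instead would keep all existing fields at their old offsets, so an unpatched decoder still reads them and merely misses the label. Whether consumers use the `length` byte at the top of the struct to skip the header is not visible here, so I can't say how an old decoder treats the extra bytes. The member also needs a comment stating whether its bytes are guaranteed NUL-terminated, e.g. `/* rule label; NUL-padded, may fill the array — printers must bound the read */`, because the printer side relies on that assumption.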
 
--- if_pflog.c.org	Wed Apr  5 10:10:52 2006
+++ if_pflog.c	Wed Apr  5 10:47:01 2006
 -296,6
+296,7 
 	hdr.action = rm->action;
 	hdr.reason = reason;
 	memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
+	memcpy(hdr.label, rm->label, sizeof(rm->label));
 
 	if (am == NULL) {
 		hdr.rulenr = htonl(rm->nr);
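Review bot: The added `memcpy(hdr.label, rm->label, sizeof(rm->label));` sizes the copy by the source rather than the destination and always copies the full array, so whatever bytes follow the label's NUL in `rm->label` end up in the log record, and should the two arrays ever differ in size (each side of this patch defines `PF_RULE_LABEL_SIZE` independently) the write overruns `hdr.label`. `strlcpy(hdr.label, rm->label, sizeof(hdr.label));` bounds the write by the destination, stops at the first NUL and guarantees termination, which the tcpdump printer then depends on. I can't see from the hunk whether `hdr` is zeroed before these assignments; if it is not, a short label followed by uninitialized bytes would reach the log, which makes the bounded, terminating copy matter even more. The enclosing function starts before and ends after the hunk.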
--- pf.h.org	Wed Apr  5 10:15:22 2006
+++ pf.h	Wed Apr  5 10:18:15 2006
 -55,6
+55,8 
 }
 
 #define PF_RULESET_NAME_SIZE	16
+#define PF_RULE_LABEL_SIZE	64
+
 
 /*	from $OpenBSD: if_pflog.h,v 1.9 2003/07/15 20:27:27
dhartmei Exp $ */
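Review bot: `PF_RULE_LABEL_SIZE` is defined here as a literal 64, while the kernel-side `if_pflog.h` in the same patch defines it under `#ifndef` and so inherits whatever value the pf headers provide; nothing ties the two copies of a wire-format length together, and a mismatch would make tcpdump mis-parse every logged packet without any diagnostic. At minimum a comment on the define, `/* must match PF_RULE_LABEL_SIZE in the kernel pf headers — the pflog header layout depends on it */`, should say so; a single dedicated constant shared by both sides would be better.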
 
 -62,6
+64,8 
 #define	IFNAMSIZ	16
 #endif
 
+#define PF_LOG_LABEL
+
 struct pfloghdr {
 	u_int8_t	length;
 	sa_family_t	af;
 -72,6
+76,9 
 	u_int32_t	rulenr;
 	u_int32_t	subrulenr;
 	u_int8_t	dir;
+#ifdef PF_LOG_LABEL
+	char		label[PF_RULE_LABEL_SIZE];
+#endif
 	u_int8_t	pad[3];
 };
 #define PFLOG_HDRLEN		sizeof(struct pfloghdr)
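Review bot: With the label inside the struct, `PFLOG_HDRLEN` on the last line grows by `PF_RULE_LABEL_SIZE`, and a capture written by an unpatched kernel (or read by an unpatched tcpdump) now carries a header of the other size; nothing in this hunk lets the decoder tell the two layouts apart, so such captures decode as garbage or are rejected as short. The header's `length` byte is visible at the top of the struct; if the printer compares it against `PFLOG_HDRLEN` (not visible here), it could accept both the old and the new length and print the label only when the longer header is present. A comment next to `PFLOG_HDRLEN`, `/* grew by PF_RULE_LABEL_SIZE with the label patch; older captures have the shorter header */`, would at least document the incompatibility.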
--- print-pflog.c.org	Wed Apr  5 10:15:31 2006
+++ print-pflog.c	Wed Apr  5 10:17:44 2006
 -81,11
+81,20 
 		printf("rule %u.%s.%u/",
ntohl(hdr->rulenr), hdr->ruleset,
 		    ntohl(hdr->subrulenr));
 
-	printf("%s: %s %s on %s: ",
+#ifndef PF_LOG_LABEL
+	printf("%s: %s %s on %s:",
 	    tok2str(pf_reasons, "unkn(%u)",
hdr->reason),
 	    tok2str(pf_actions, "unkn(%u)",
hdr->action),
 	    tok2str(pf_directions, "unkn(%u)",
hdr->dir),
 	    hdr->ifname);
+#else
+	printf("%s: %s %s on %s: label %s: ",
+	    tok2str(pf_reasons, "unkn(%u)",
hdr->reason),
+	    tok2str(pf_actions, "unkn(%u)",
hdr->action),
+	    tok2str(pf_directions, "unkn(%u)",
hdr->dir),
+	    hdr->ifname,
+	    hdr->label);
+#endif
 }
 
 u_int
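Review bot: `hdr->label` is printed with `%s` on the added line, but it comes straight from the capture and nothing guarantees the 64 bytes contain a NUL, so `printf` can read past the label through `pad` into the packet data, or past the end of the captured buffer. Bound the read with a precision, `printf("%s: %s %s on %s: label %.*s: ", ..., hdr->ifname, (int)sizeof(hdr->label), hdr->label);`; non-printable bytes in the label would still reach the terminal unescaped, so a bounded escaping helper of this tcpdump version (`fn_printzp`, if present) is better still. Separately, the `#ifndef PF_LOG_LABEL` branch drops the trailing space from the format string (`"on %s:"` versus the removed `"on %s: "`), which changes the output of a label-less build, and since `PF_LOG_LABEL` is defined unconditionally in pf.h that branch is dead code anyway. The enclosing function starts before the hunk.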