void
ipfw_bpf_mtap2(void *data, u_int dlen, struct mbuf *m)
{
LOGIF_RLOCK_TRACKER;
LOGIF_RLOCK();
if (dlen == ETHER_HDR_LEN) {
if (V_log_if == NULL) {
LOGIF_RUNLOCK();
return;
}
BPF_MTAP2(V_log_if, data, dlen, m);
} else if (dlen == PFLOG_HDRLEN) {
if (V_pflog_if == NULL) {
LOGIF_RUNLOCK();
return;
}
BPF_MTAP2(V_pflog_if, data, dlen, m);
}
LOGIF_RUNLOCK();
}
/*
* We enter here when we have a rule with O_LOG.
* XXX this function alone takes about 2Kbytes of code!
*/
void
ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args,
struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg,
struct ip *ip)
{
char *action;
int limit_reached = 0;
char action2[92], proto[128], fragment[32];
if (V_fw_verbose == 0) {
#ifndef WITHOUT_BPF
LOGIF_RLOCK();
if (log_if == NULL || log_if->if_bpf == NULL) {
LOGIF_RUNLOCK();
return;
}
if (args->eh) /* layer2, use orig hdr */
BPF_MTAP2(log_if, args->eh, ETHER_HDR_LEN, m);
else
/* Add fake header. Later we will store
* more info in the header.
*/
BPF_MTAP2(log_if, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m);
LOGIF_RUNLOCK();
#endif /* !WITHOUT_BPF */
return;
}
/* the old 'log' function */
fragment[0] = '\0';
proto[0] = '\0';
if (f == NULL) { /* bogus pkt */
if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit)
return;
V_norule_counter++;
if (V_norule_counter == V_verbose_limit)
limit_reached = V_verbose_limit;
action = "Refuse";
} else { /* O_LOG is the first action, find the real one */
ipfw_insn *cmd = ACTION_PTR(f);
ipfw_insn_log *l = (ipfw_insn_log *)cmd;
if (l->max_log != 0 && l->log_left == 0)
return;
l->log_left--;
if (l->log_left == 0)
limit_reached = l->max_log;
cmd += F_LEN(cmd); /* point to first action */
if (cmd->opcode == O_ALTQ) {
ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
snprintf(SNPARGS(action2, 0), "Altq %d",
altq->qid);
cmd += F_LEN(cmd);
}
if (cmd->opcode == O_PROB)
cmd += F_LEN(cmd);
if (cmd->opcode == O_TAG)
cmd += F_LEN(cmd);
action = action2;
switch (cmd->opcode) {
case O_DENY:
action = "Deny";
break;
case O_REJECT:
if (cmd->arg1==ICMP_REJECT_RST)
action = "Reset";
else if (cmd->arg1==ICMP_UNREACH_HOST)
action = "Reject";
else
snprintf(SNPARGS(action2, 0), "Unreach %d",
cmd->arg1);
break;
case O_UNREACH6:
if (cmd->arg1==ICMP6_UNREACH_RST)
action = "Reset";
else
snprintf(SNPARGS(action2, 0), "Unreach %d",
cmd->arg1);
break;
case O_ACCEPT:
action = "Accept";
break;
case O_COUNT:
action = "Count";
break;
case O_DIVERT:
snprintf(SNPARGS(action2, 0), "Divert %d",
cmd->arg1);
break;
case O_TEE:
snprintf(SNPARGS(action2, 0), "Tee %d",
cmd->arg1);
break;
case O_SETFIB:
snprintf(SNPARGS(action2, 0), "SetFib %d",
IP_FW_ARG_TABLEARG(cmd->arg1));
break;
case O_SKIPTO:
snprintf(SNPARGS(action2, 0), "SkipTo %d",
IP_FW_ARG_TABLEARG(cmd->arg1));
break;
case O_PIPE:
snprintf(SNPARGS(action2, 0), "Pipe %d",
IP_FW_ARG_TABLEARG(cmd->arg1));
break;
case O_QUEUE:
snprintf(SNPARGS(action2, 0), "Queue %d",
IP_FW_ARG_TABLEARG(cmd->arg1));
break;
case O_FORWARD_IP: {
ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd;
int len;
struct in_addr dummyaddr;
if (sa->sa.sin_addr.s_addr == INADDR_ANY)
dummyaddr.s_addr = htonl(tablearg);
else
dummyaddr.s_addr = sa->sa.sin_addr.s_addr;
len = snprintf(SNPARGS(action2, 0), "Forward to %s",
inet_ntoa(dummyaddr));
if (sa->sa.sin_port)
snprintf(SNPARGS(action2, len), ":%d",
sa->sa.sin_port);
}
break;
#ifdef INET6
case O_FORWARD_IP6: {
char buf[INET6_ADDRSTRLEN];
ipfw_insn_sa6 *sa = (ipfw_insn_sa6 *)cmd;
int len;
len = snprintf(SNPARGS(action2, 0), "Forward to [%s]",
ip6_sprintf(buf, &sa->sa.sin6_addr));
if (sa->sa.sin6_port)
snprintf(SNPARGS(action2, len), ":%u",
sa->sa.sin6_port);
}
break;
#endif
case O_NETGRAPH:
snprintf(SNPARGS(action2, 0), "Netgraph %d",
cmd->arg1);
break;
case O_NGTEE:
snprintf(SNPARGS(action2, 0), "Ngtee %d",
cmd->arg1);
break;
case O_NAT:
action = "Nat";
break;
case O_REASS:
action = "Reass";
break;
case O_CALLRETURN:
if (cmd->len & F_NOT)
action = "Return";
else
snprintf(SNPARGS(action2, 0), "Call %d",
cmd->arg1);
break;
default:
action = "UNKNOWN";
break;
}
}
if (hlen == 0) { /* non-ip */
snprintf(SNPARGS(proto, 0), "MAC");
} else {
int len;
#ifdef INET6
char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2];
#else
char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
#endif
struct icmphdr *icmp;
struct tcphdr *tcp;
struct udphdr *udp;
#ifdef INET6
struct ip6_hdr *ip6 = NULL;
struct icmp6_hdr *icmp6;
u_short ip6f_mf;
#endif
src[0] = '\0';
dst[0] = '\0';
#ifdef INET6
ip6f_mf = offset & IP6F_MORE_FRAG;
offset &= IP6F_OFF_MASK;
if (IS_IP6_FLOW_ID(&(args->f_id))) {
char ip6buf[INET6_ADDRSTRLEN];
snprintf(src, sizeof(src), "[%s]",
ip6_sprintf(ip6buf, &args->f_id.src_ip6));
snprintf(dst, sizeof(dst), "[%s]",
ip6_sprintf(ip6buf, &args->f_id.dst_ip6));
ip6 = (struct ip6_hdr *)ip;
tcp = (struct tcphdr *)(((char *)ip) + hlen);
udp = (struct udphdr *)(((char *)ip) + hlen);
} else
#endif
{
tcp = L3HDR(struct tcphdr, ip);
udp = L3HDR(struct udphdr, ip);
inet_ntop(AF_INET, &ip->ip_src, src, sizeof(src));
inet_ntop(AF_INET, &ip->ip_dst, dst, sizeof(dst));
}
switch (args->f_id.proto) {
case IPPROTO_TCP:
len = snprintf(SNPARGS(proto, 0), "TCP %s", src);
if (offset == 0)
snprintf(SNPARGS(proto, len), ":%d %s:%d",
ntohs(tcp->th_sport),
dst,
ntohs(tcp->th_dport));
else
snprintf(SNPARGS(proto, len), " %s", dst);
break;
case IPPROTO_UDP:
len = snprintf(SNPARGS(proto, 0), "UDP %s", src);
if (offset == 0)
snprintf(SNPARGS(proto, len), ":%d %s:%d",
ntohs(udp->uh_sport),
dst,
ntohs(udp->uh_dport));
else
snprintf(SNPARGS(proto, len), " %s", dst);
break;
case IPPROTO_ICMP:
icmp = L3HDR(struct icmphdr, ip);
if (offset == 0)
len = snprintf(SNPARGS(proto, 0),
"ICMP:%u.%u ",
icmp->icmp_type, icmp->icmp_code);
else
len = snprintf(SNPARGS(proto, 0), "ICMP ");
len += snprintf(SNPARGS(proto, len), "%s", src);
snprintf(SNPARGS(proto, len), " %s", dst);
break;
#ifdef INET6
case IPPROTO_ICMPV6:
icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen);
if (offset == 0)
len = snprintf(SNPARGS(proto, 0),
"ICMPv6:%u.%u ",
icmp6->icmp6_type, icmp6->icmp6_code);
else
len = snprintf(SNPARGS(proto, 0), "ICMPv6 ");
len += snprintf(SNPARGS(proto, len), "%s", src);
snprintf(SNPARGS(proto, len), " %s", dst);
break;
#endif
default:
len = snprintf(SNPARGS(proto, 0), "P:%d %s",
args->f_id.proto, src);
snprintf(SNPARGS(proto, len), " %s", dst);
break;
}
#ifdef INET6
if (IS_IP6_FLOW_ID(&(args->f_id))) {
if (offset & (IP6F_OFF_MASK | IP6F_MORE_FRAG))
snprintf(SNPARGS(fragment, 0),
" (frag %08x:%d@%d%s)",
args->f_id.extra,
ntohs(ip6->ip6_plen) - hlen,
ntohs(offset) << 3, ip6f_mf ? "+" : "");
} else
#endif
{
int ipoff, iplen;
ipoff = ntohs(ip->ip_off);
iplen = ntohs(ip->ip_len);
if (ipoff & (IP_MF | IP_OFFMASK))
snprintf(SNPARGS(fragment, 0),
" (frag %d:%d@%d%s)",
ntohs(ip->ip_id), iplen - (ip->ip_hl << 2),
offset << 3,
(ipoff & IP_MF) ? "+" : "");
}
}
#ifdef __FreeBSD__
if (oif || m->m_pkthdr.rcvif)
log(LOG_SECURITY | LOG_INFO,
"ipfw: %d %s %s %s via %s%s\n",
f ? f->rulenum : -1,
action, proto, oif ? "out" : "in",
oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname,
fragment);
else
#endif
log(LOG_SECURITY | LOG_INFO,
"ipfw: %d %s %s [no if info]%s\n",
f ? f->rulenum : -1,
action, proto, fragment);
if (limit_reached)
log(LOG_SECURITY | LOG_NOTICE,
"ipfw: limit %d reached on entry %d\n",
limit_reached, f ? f->rulenum : -1);
}
static int
pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
u_int8_t reason, struct pf_rule *rm, struct pf_rule *am,
struct pf_ruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
{
struct ifnet *ifn;
struct pfloghdr hdr;
if (kif == NULL || m == NULL || rm == NULL || pd == NULL)
return ( 1);
if ((ifn = pflogifs[rm->logif]) == NULL || !ifn->if_bpf)
return (0);
bzero(&hdr, sizeof(hdr));
hdr.length = PFLOG_REAL_HDRLEN;
hdr.af = af;
hdr.action = rm->action;
hdr.reason = reason;
memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
hdr.subrulenr = 1;
} else {
hdr.rulenr = htonl(am->nr);
hdr.subrulenr = htonl(rm->nr);
if (ruleset != NULL && ruleset->anchor != NULL)
strlcpy(hdr.ruleset, ruleset->anchor->name,
sizeof(hdr.ruleset));
}
/*
* XXXGL: we avoid pf_socket_lookup() when we are holding
* state lock, since this leads to unsafe LOR.
* These conditions are very very rare, however.
*/
if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe)
pd->lookup.done = pf_socket_lookup(dir, pd, m);
if (pd->lookup.done > 0)
hdr.uid = pd->lookup.uid;
else
hdr.uid = UID_MAX;
hdr.pid = NO_PID;
hdr.rule_uid = rm->cuid;
hdr.rule_pid = rm->cpid;
hdr.dir = dir;
#ifdef INET
if (af == AF_INET && dir == PF_OUT) {
struct ip *ip;
ip = mtod(m, struct ip *);
ip->ip_sum = 0;
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
}
#endif /* INET */
ifn->if_opackets++;
ifn->if_obytes += m->m_pkthdr.len;
BPF_MTAP2(ifn, &hdr, PFLOG_HDRLEN, m);
return (0);
}
int
pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
u_int8_t reason, struct pf_rule *rm, struct pf_rule *am,
struct pf_ruleset *ruleset)
{
#if NBPFILTER > 0
struct ifnet *ifn;
struct pfloghdr hdr;
#ifndef __FreeBSD__
struct mbuf m1;
#endif
if (kif == NULL || m == NULL || rm == NULL)
return (-1);
bzero(&hdr, sizeof(hdr));
hdr.length = PFLOG_REAL_HDRLEN;
hdr.af = af;
hdr.action = rm->action;
hdr.reason = reason;
memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
hdr.subrulenr = -1;
} else {
hdr.rulenr = htonl(am->nr);
hdr.subrulenr = htonl(rm->nr);
if (ruleset != NULL)
memcpy(hdr.ruleset, ruleset->name,
sizeof(hdr.ruleset));
}
hdr.dir = dir;
#ifdef INET
if (af == AF_INET && dir == PF_OUT) {
struct ip *ip;
ip = mtod(m, struct ip *);
ip->ip_sum = 0;
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
}
#endif /* INET */
#ifndef __FreeBSD__
m1.m_next = m;
m1.m_len = PFLOG_HDRLEN;
m1.m_data = (char *) &hdr;
#endif
#ifdef __FreeBSD__
KASSERT((!LIST_EMPTY(&pflog_list)), ("pflog: no interface"));
ifn = &LIST_FIRST(&pflog_list)->sc_if;
BPF_MTAP2(ifn, &hdr, sizeof(hdr), m);
#else
ifn = &(pflogif[0].sc_if);
if (ifn->if_bpf)
bpf_mtap(ifn->if_bpf, &m1);
#endif
#endif
return (0);
}
/*
* icoutput()
*/
static int
icoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
struct route *ro)
{
struct ic_softc *sc = ifp->if_softc;
device_t icdev = sc->ic_dev;
device_t parent = device_get_parent(icdev);
int len, sent;
struct mbuf *mm;
u_char *cp;
u_int32_t hdr;
/* BPF writes need to be handled specially. */
if (dst->sa_family == AF_UNSPEC)
bcopy(dst->sa_data, &hdr, sizeof(hdr));
else
hdr = dst->sa_family;
mtx_lock(&sc->ic_lock);
ifp->if_drv_flags |= IFF_DRV_RUNNING;
/* already sending? */
if (sc->ic_flags & IC_SENDING) {
ifp->if_oerrors++;
goto error;
}
/* insert header */
bcopy ((char *)&hdr, sc->ic_obuf, ICHDRLEN);
cp = sc->ic_obuf + ICHDRLEN;
len = 0;
mm = m;
do {
if (len + mm->m_len > sc->ic_ifp->if_mtu) {
/* packet too large */
ifp->if_oerrors++;
goto error;
}
bcopy(mtod(mm,char *), cp, mm->m_len);
cp += mm->m_len;
len += mm->m_len;
} while ((mm = mm->m_next));
BPF_MTAP2(ifp, &hdr, sizeof(hdr), m);
sc->ic_flags |= (IC_SENDING | IC_OBUF_BUSY);
m_freem(m);
mtx_unlock(&sc->ic_lock);
/* send the packet */
if (iicbus_block_write(parent, sc->ic_addr, sc->ic_obuf,
len + ICHDRLEN, &sent))
ifp->if_oerrors++;
else {
ifp->if_opackets++;
ifp->if_obytes += len;
}
mtx_lock(&sc->ic_lock);
sc->ic_flags &= ~(IC_SENDING | IC_OBUF_BUSY);
if ((sc->ic_flags & (IC_BUFFERS_BUSY | IC_BUFFER_WAITER)) ==
IC_BUFFER_WAITER)
wakeup(&sc);
mtx_unlock(&sc->ic_lock);
return (0);
error:
m_freem(m);
mtx_unlock(&sc->ic_lock);
return(0);
}
int
pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
u_int8_t reason, struct pf_rule *rm, struct pf_rule *am,
struct pf_ruleset *ruleset, struct pf_pdesc *pd)
{
#if NBPFILTER > 0
struct ifnet *ifn;
struct pfloghdr hdr;
if (kif == NULL || m == NULL || rm == NULL || pd == NULL)
return (-1);
if ((ifn = pflogifs[rm->logif]) == NULL || !ifn->if_bpf)
return (0);
bzero(&hdr, sizeof(hdr));
hdr.length = PFLOG_REAL_HDRLEN;
hdr.af = af;
hdr.action = rm->action;
hdr.reason = reason;
memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
hdr.subrulenr = -1;
} else {
hdr.rulenr = htonl(am->nr);
hdr.subrulenr = htonl(rm->nr);
if (ruleset != NULL && ruleset->anchor != NULL)
strlcpy(hdr.ruleset, ruleset->anchor->name,
sizeof(hdr.ruleset));
}
if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
#ifdef __FreeBSD__
/*
* XXX: This should not happen as we force an early lookup
* via debug.pfugidhack
*/
; /* empty */
#else
pd->lookup.done = pf_socket_lookup(dir, pd);
#endif
if (pd->lookup.done > 0) {
hdr.uid = pd->lookup.uid;
hdr.pid = pd->lookup.pid;
} else {
hdr.uid = UID_MAX;
hdr.pid = NO_PID;
}
hdr.rule_uid = rm->cuid;
hdr.rule_pid = rm->cpid;
hdr.dir = dir;
#ifdef INET
if (af == AF_INET && dir == PF_OUT) {
struct ip *ip;
ip = mtod(m, struct ip *);
ip->ip_sum = 0;
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
}
#endif /* INET */
ifn->if_opackets++;
ifn->if_obytes += m->m_pkthdr.len;
#ifdef __FreeBSD__
BPF_MTAP2(ifn, &hdr, PFLOG_HDRLEN, m);
#else
bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, PFLOG_HDRLEN, m,
BPF_DIRECTION_OUT);
#endif
#endif
return (0);
}
