1 files changed, 252 insertions, 107 deletions

diff --git a/epan/dissectors/packet-pflog.c b/epan/dissectors/packet-pflog.c
index f4230c6693..6fe3c399f6 100644
--- a/epan/dissectors/packet-pflog.c
+++ b/epan/dissectors/packet-pflog.c
@@ -1,5 +1,5 @@
 /* packet-pflog.c
- * Routines for pflog (OpenBSD Firewall Logging) packet disassembly
+ * Routines for pflog (Firewall Logging) packet disassembly
  *
  * Copyright 2001 Mike Frantzen
  * All rights reserved.
@@ -7,10 +7,39 @@
  * SPDX-License-Identifier: BSD-1-Clause
  */
 
-/* Specifications... :
-http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.c
-http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h
-*/
+/*
+ * Specifications:
+ *
+ * OpenBSD PF log:
+ *
+ *	https://cvsweb.openbsd.org/src/sys/net/if_pflog.c
+ *	https://cvsweb.openbsd.org/src/sys/net/if_pflog.h
+ *	https://cvsweb.openbsd.org/src/sys/net/pfvar.h
+ *
+ * FreeBSD PF log:
+ *
+ *	https://cgit.freebsd.org/src/tree/sys/net/if_pflog.h
+ *	https://cgit.freebsd.org/src/tree/sys/netpfil/pf/if_pflog.c
+ *	https://cgit.freebsd.org/src/tree/sys/netpfil/pf/pf.h
+ *
+ * NetBSD PF log:
+ *
+ *	http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/pf/net/if_pflog.c
+ *	http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/pf/net/if_pflog.h
+ *	http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/pf/net/pfvar.h
+ *
+ * DragonFly BSD PF log:
+ *
+ *	https://gitweb.dragonflybsd.org/dragonfly.git/blob/HEAD:/sys/net/pf/if_pflog.c
+ *	https://gitweb.dragonflybsd.org/dragonfly.git/blob/HEAD:/sys/net/pf/if_pflog.h
+ *	https://gitweb.dragonflybsd.org/dragonfly.git/blob/HEAD:/sys/net/pf/pfvar.h
+ *
+ * macOS/Darwin PF log:
+ *
+ *	https://github.com/apple-oss-distributions/xnu/blob/main/bsd/net/if_pflog.c
+ *	https://github.com/apple-oss-distributions/xnu/blob/main/bsd/net/if_pflog.h
+ *	https://github.com/apple-oss-distributions/xnu/blob/main/bsd/net/pfvar.h
+ */
 #include "config.h"
 
 #include <epan/packet.h>
@@ -20,65 +49,109 @@ http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h
 #include <epan/expert.h>
 #include <epan/prefs.h>
 
+#include <wsutil/ws_roundup.h>
+
 void proto_register_pflog(void);
 void proto_reg_handoff_pflog(void);
 void proto_register_old_pflog(void);
 void proto_reg_handoff_old_pflog(void);
 
+static dissector_handle_t old_pflog_handle;
+static dissector_handle_t pflog_handle;
 static dissector_handle_t  ip_handle, ipv6_handle;
 
 /* header fields */
-static int proto_pflog = -1;
-static int hf_pflog_length = -1;
-static int hf_pflog_af = -1;
-static int hf_pflog_action = -1;
-static int hf_pflog_reason = -1;
-static int hf_pflog_ifname = -1;
-static int hf_pflog_ruleset = -1;
-static int hf_pflog_rulenr = -1;
-static int hf_pflog_subrulenr = -1;
-static int hf_pflog_uid = -1;
-static int hf_pflog_pid = -1;
-static int hf_pflog_rule_uid = -1;
-static int hf_pflog_rule_pid = -1;
-static int hf_pflog_dir = -1;
-static int hf_pflog_rewritten = -1;
-static int hf_pflog_pad = -1;
-static int hf_pflog_saddr_ipv4 = -1;
-static int hf_pflog_daddr_ipv4 = -1;
-static int hf_pflog_saddr_ipv6 = -1;
-static int hf_pflog_daddr_ipv6 = -1;
-static int hf_pflog_saddr = -1;
-static int hf_pflog_daddr = -1;
-static int hf_pflog_sport = -1;
-static int hf_pflog_dport = -1;
-static gint ett_pflog = -1;
-
-static expert_field ei_pflog_invalid_header_length = EI_INIT;
+static int proto_pflog;
+static int hf_pflog_length;
+static int hf_pflog_af;
+static int hf_pflog_action;
+static int hf_pflog_reason;
+static int hf_pflog_ifname;
+static int hf_pflog_ruleset;
+static int hf_pflog_rulenr;
+static int hf_pflog_subrulenr;
+static int hf_pflog_uid;
+static int hf_pflog_pid;
+static int hf_pflog_rule_uid;
+static int hf_pflog_rule_pid;
+static int hf_pflog_dir;
+static int hf_pflog_rewritten;
+static int hf_pflog_pad;
+static int hf_pflog_saddr_ipv4;
+static int hf_pflog_daddr_ipv4;
+static int hf_pflog_saddr_ipv6;
+static int hf_pflog_daddr_ipv6;
+static int hf_pflog_saddr;
+static int hf_pflog_daddr;
+static int hf_pflog_sport;
+static int hf_pflog_dport;
+static gint ett_pflog;
+
+static expert_field ei_pflog_invalid_header_length;
 
 /* old header */
-static int proto_old_pflog = -1;
-static int hf_old_pflog_af = -1;
-static int hf_old_pflog_ifname = -1;
-static int hf_old_pflog_rnr = -1;
-static int hf_old_pflog_reason = -1;
-static int hf_old_pflog_action = -1;
-static int hf_old_pflog_dir = -1;
+static int proto_old_pflog;
+static int hf_old_pflog_af;
+static int hf_old_pflog_ifname;
+static int hf_old_pflog_rnr;
+static int hf_old_pflog_reason;
+static int hf_old_pflog_action;
+static int hf_old_pflog_dir;
+
+static gint ett_old_pflog;
 
-static gint ett_old_pflog = -1;
+/*
+ * Because ENC_HOST_ENDIAN is either equal to ENC_BIG_ENDIAN or
+ * ENC_LITTLE_ENDIAN, it will be confusing if we use ENC_ values
+ * directly, as, if the current setting is "Host-endian", it'll
+ * look like "Big-endian" on big-endian machines and like
+ * "Little-endian" on little-endian machines, and will display
+ * as such if you open up the preferences.
+ */
+#define ID_HOST_ENDIAN   0
+#define ID_BIG_ENDIAN    1
+#define ID_LITTLE_ENDIAN 2
+
+static gint id_endian = ID_HOST_ENDIAN;
+static const enum_val_t id_endian_vals[] = {
+	{ "host", "Host-endian", ID_HOST_ENDIAN },
+	{ "big", "Big-endian", ID_BIG_ENDIAN },
+	{ "little", "Little-endian", ID_LITTLE_ENDIAN },
+	{ NULL, NULL, 0 }
+};
 
-static gboolean uid_endian = TRUE;
+/*
+ * Length as of OpenBSD 3.4, not including padding.
+ */
+#define LEN_PFLOG_OPENBSD_3_4 45
+
+/*
+ * Length as of OpenBSD 3.8, not including padding.
+ *
+ * Also the current length on DragonFly BSD, NetBSD, and Darwin;
+ * those all have the same log message header.
+ */
+#define LEN_PFLOG_OPENBSD_3_8 61
 
-#define LEN_PFLOG_BSD34 48
-#define LEN_PFLOG_BSD38 64
-#define LEN_PFLOG_BSD49 100
+/*
+ * Length as of OpenBSD 4.9; there are 2 internal pad bytes, but no
+ * padding at the end.
+ */
+#define LEN_PFLOG_OPENBSD_4_9 100
 
 static const value_string pflog_af_vals[] = {
   { BSD_AF_INET, "IPv4" },
   { BSD_AF_INET6_BSD, "IPv6" },
+  { BSD_AF_INET6_FREEBSD, "IPv6" },
+  { BSD_AF_INET6_DARWIN, "IPv6" },
   { 0, NULL }
 };
 
+/*
+ * Reason values.
+ *
+ * Past 14, these differ for different OSes.
+ */
 static const value_string pflog_reason_vals[] = {
   { 0, "match" },
   { 1, "bad-offset" },
@@ -95,27 +168,76 @@ static const value_string pflog_reason_vals[] = {
   { 12, "max-states" },
   { 13, "srcnode-limit" },
   { 14, "syn-proxy" },
+#if defined(__FreeBSD__)
+  { 15, "map-failed" },
+#elif defined(__NetBSD__)
+  { 15, "state-locked" },
+#elif defined(__OpenBSD__)
+  { 15, "translate" },
+  { 16, "no-route" },
+#elif defined(__APPLE__)
+  { 15, "dummynet" },
+#endif
   { 0, NULL }
 };
 
-/* Actions */
-enum    { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
-          PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER,
-          PF_MATCH, PF_DIVERT, PF_RT };
+/*
+ * Action values.
+ *
+ * Past 10, these differ for different OSes.
+ */
+#define PF_PASS          0
+#define PF_DROP          1
+#define PF_SCRUB         2
+#define PF_NOSCRUB       3
+#define PF_NAT           4
+#define PF_NONAT         5
+#define PF_BINAT         6
+#define PF_NOBINAT       7
+#define PF_RDR           8
+#define PF_NORDR         9
+#define PF_SYNPROXY_DROP 10
+#if defined(__FreeBSD__)
+#define PF_DEFER         11
+#elif defined(__OpenBSD__)
+#define PF_DEFER         11
+#define PF_MATCH         12
+#define PF_DIVERT        13
+#define PF_RT            14
+#define PF_AFRT          15
+#elif defined(__APPLE__)
+#define PF_DUMMYNET      11
+#define PF_NODUMMYNET    12
+#define PF_NAT64         13
+#define PF_NONAT64       14
+#endif
 
 static const value_string pflog_action_vals[] = {
-  { PF_MATCH, "match" },
-  { PF_SCRUB, "scrub" },
-  { PF_PASS,  "pass" },
-  { PF_DROP,  "block" },
-  { PF_DIVERT, "divert" },
-  { PF_NAT,   "nat" },
-  { PF_NONAT, "nat" },
-  { PF_BINAT, "binat" },
-  { PF_NOBINAT, "binat" },
-  { PF_RDR,   "rdr" },
-  { PF_NORDR, "rdr" },
-  { 0,        NULL }
+  { PF_PASS,          "pass" },
+  { PF_DROP,          "block" },
+  { PF_SCRUB,         "scrub" },
+  { PF_NAT,           "nat" },
+  { PF_NONAT,         "nonat" },
+  { PF_BINAT,         "binat" },
+  { PF_NOBINAT,       "nobinat" },
+  { PF_RDR,           "rdr" },
+  { PF_NORDR,         "nordr" },
+  { PF_SYNPROXY_DROP, "synproxy-drop" },
+#if defined(__FreeBSD__)
+  { PF_DEFER,         "defer" },
+#elif defined(__OpenBSD__)
+  { PF_DEFER,         "defer" },
+  { PF_MATCH,         "match" },
+  { PF_DIVERT,        "divert" },
+  { PF_RT,            "rt" },
+  { PF_AFRT,          "afrt" },
+#elif defined(__APPLE__)
+  { PF_DUMMYNET,      "dummynet" },
+  { PF_NODUMMYNET,    "nodummynet" },
+  { PF_NAT64,         "nat64" },
+  { PF_NONAT64,       "nonat64" },
+#endif
+  { 0,                NULL }
 };
 
 /* Directions */
@@ -125,6 +247,7 @@ static const value_string pflog_action_vals[] = {
 #define PF_INOUT 0
 #define PF_IN    1
 #define PF_OUT   2
+#define PF_FWD   3  /* for now, 3 is only used by OpenBSD */
 
 static const value_string pflog_old_dir_vals[] = {
   { PF_OLD_IN,  "in" },
@@ -136,6 +259,7 @@ static const value_string pflog_dir_vals[] = {
   { PF_INOUT, "inout" },
   { PF_IN,    "in" },
   { PF_OUT,   "out" },
+  { PF_FWD,   "fwd" },
   { 0,        NULL }
 };
 
@@ -145,11 +269,10 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
   tvbuff_t *next_tvb;
   proto_tree *pflog_tree;
   proto_item *ti = NULL, *ti_len;
-  int length;
-  guint8 af, action;
+  guint32 length, padded_length;
+  guint32 af, action;
   const guint8 *ifname;
-  guint32 rulenr;
-  guint8 pad_len = 3;
+  gint32 rulenr;
   gint offset = 0;
 
   col_set_str(pinfo->cinfo, COL_PROTOCOL, "PFLOG");
@@ -157,22 +280,20 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
   ti = proto_tree_add_item(tree, proto_pflog, tvb, offset, -1, ENC_NA);
   pflog_tree = proto_item_add_subtree(ti, ett_pflog);
 
-  length = tvb_get_guint8(tvb, offset) + pad_len;
-
-  ti_len = proto_tree_add_item(pflog_tree, hf_pflog_length, tvb, offset, 1, ENC_BIG_ENDIAN);
-  if(length < LEN_PFLOG_BSD34)
+  ti_len = proto_tree_add_item_ret_uint(pflog_tree, hf_pflog_length, tvb, offset, 1, ENC_BIG_ENDIAN, &length);
+  if(length < LEN_PFLOG_OPENBSD_3_4)
   {
     expert_add_info_format(pinfo, ti_len, &ei_pflog_invalid_header_length, "Invalid header length %u", length);
   }
 
+  padded_length = WS_ROUNDUP_4(length);
+
   offset += 1;
 
-  proto_tree_add_item(pflog_tree, hf_pflog_af, tvb, offset, 1, ENC_BIG_ENDIAN);
-  af = tvb_get_guint8(tvb, offset);
+  proto_tree_add_item_ret_uint(pflog_tree, hf_pflog_af, tvb, offset, 1, ENC_BIG_ENDIAN, &af);
   offset += 1;
 
-  proto_tree_add_item(pflog_tree, hf_pflog_action, tvb, offset, 1, ENC_BIG_ENDIAN);
-  action = tvb_get_guint8(tvb, offset);
+  proto_tree_add_item_ret_uint(pflog_tree, hf_pflog_action, tvb, offset, 1, ENC_BIG_ENDIAN, &action);
   offset += 1;
 
   proto_tree_add_item(pflog_tree, hf_pflog_reason, tvb, offset, 1, ENC_BIG_ENDIAN);
@@ -181,19 +302,37 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
   proto_tree_add_item_ret_string(pflog_tree, hf_pflog_ifname, tvb, offset, 16, ENC_ASCII|ENC_NA, pinfo->pool, &ifname);
   offset += 16;
 
-  proto_tree_add_item(pflog_tree, hf_pflog_ruleset, tvb, offset, 16, ENC_ASCII|ENC_NA);
+  proto_tree_add_item(pflog_tree, hf_pflog_ruleset, tvb, offset, 16, ENC_ASCII);
   offset += 16;
 
-  proto_tree_add_item(pflog_tree, hf_pflog_rulenr, tvb, offset, 4, ENC_BIG_ENDIAN);
-  rulenr = tvb_get_ntohs(tvb, offset);
+  proto_tree_add_item_ret_int(pflog_tree, hf_pflog_rulenr, tvb, offset, 4, ENC_BIG_ENDIAN, &rulenr);
   offset += 4;
 
   proto_tree_add_item(pflog_tree, hf_pflog_subrulenr, tvb, offset, 4, ENC_BIG_ENDIAN);
   offset += 4;
 
-  if(length >= LEN_PFLOG_BSD38)
+  if(length >= LEN_PFLOG_OPENBSD_3_8)
   {
-    int endian = uid_endian ? ENC_BIG_ENDIAN : ENC_LITTLE_ENDIAN;
+    int endian;
+
+    switch (id_endian) {
+
+    case ID_HOST_ENDIAN:
+      endian = ENC_HOST_ENDIAN;
+      break;
+
+    case ID_BIG_ENDIAN:
+      endian = ENC_BIG_ENDIAN;
+      break;
+
+    case ID_LITTLE_ENDIAN:
+      endian = ENC_LITTLE_ENDIAN;
+      break;
+
+    default:
+      DISSECTOR_ASSERT_NOT_REACHED();
+    }
+
     proto_tree_add_item(pflog_tree, hf_pflog_uid, tvb, offset, 4, endian);
     offset += 4;
 
@@ -209,19 +348,15 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
   proto_tree_add_item(pflog_tree, hf_pflog_dir, tvb, offset, 1, ENC_BIG_ENDIAN);
   offset += 1;
 
-  if(length >= LEN_PFLOG_BSD49)
+  if(length >= LEN_PFLOG_OPENBSD_4_9)
   {
-    pad_len = 2;
-    length -= 3; /* With OpenBSD >= 4.8 the length is the length of full Header (with padding..) */
     proto_tree_add_item(pflog_tree, hf_pflog_rewritten, tvb, offset, 1, ENC_BIG_ENDIAN);
     offset += 1;
-  }
 
-  proto_tree_add_item(pflog_tree, hf_pflog_pad, tvb, offset, pad_len, ENC_NA);
-  offset += pad_len;
+    /* Internal padding */
+    proto_tree_add_item(pflog_tree, hf_pflog_pad, tvb, offset, 2, ENC_NA);
+    offset += 2;
 
-  if(length >= LEN_PFLOG_BSD49)
-  {
     switch (af) {
 
     case BSD_AF_INET:
@@ -254,19 +389,21 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
 
     proto_tree_add_item(pflog_tree, hf_pflog_dport, tvb, offset, 2, ENC_BIG_ENDIAN);
     offset += 2;
+  } else {
+    /* End-of-header padding */
+    proto_tree_add_item(pflog_tree, hf_pflog_pad, tvb, offset, 3, ENC_NA);
+    offset += 3;
   }
 
-  proto_item_set_text(ti, "PF Log %s %s on %s by rule %u",
+  proto_item_set_text(ti, "PF Log %s %s on %s by rule %d",
     val_to_str(af, pflog_af_vals, "unknown (%u)"),
     val_to_str(action, pflog_action_vals, "unknown (%u)"),
     ifname,
     rulenr);
   proto_item_set_len(ti, offset);
 
-
-
   /* Set the tvbuff for the payload after the header */
-  next_tvb = tvb_new_subset_remaining(tvb, length);
+  next_tvb = tvb_new_subset_remaining(tvb, padded_length);
 
   switch (af) {
 
@@ -275,6 +412,8 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
     break;
 
   case BSD_AF_INET6_BSD:
+  case BSD_AF_INET6_FREEBSD:
+  case BSD_AF_INET6_DARWIN:
     call_dissector(ipv6_handle, next_tvb, pinfo, tree);
     break;
 
@@ -283,7 +422,7 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
     break;
   }
 
-  col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/%u] ",
+  col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/%d] ",
         val_to_str(action, pflog_action_vals, "unknown (%u)"),
         ifname,
         rulenr);
@@ -312,6 +451,17 @@ proto_register_pflog(void)
     { &hf_pflog_ruleset,
       { "Ruleset", "pflog.ruleset", FT_STRING, BASE_NONE, NULL, 0x0,
         "Ruleset name in anchor", HFILL }},
+    /*
+     * XXX - these are u_int32_t/uint32_t in struct pfloghdr, but are
+     * FT_INT32 here, and at least one capture, from issue #6115, has
+     * 0xFFFFFFFF as a sub rule number; that looks suspiciously as
+     * if it's -1.
+     *
+     * At least in OpenBSD, the rule and subrule are unsigned in the
+     * kernel, and -1 - which really means 0xFFFFFFFFU - is used if
+     * there is no subrule.  Perhaps we should treat that value
+     * specially and report it as "None" or something such as that.
+     */
     { &hf_pflog_rulenr,
       { "Rule Number", "pflog.rulenr", FT_INT32, BASE_DEC, NULL, 0x0,
         "Last matched firewall main ruleset rule number", HFILL }},
@@ -373,31 +523,29 @@ proto_register_pflog(void)
   expert_module_t* expert_pflog;
   module_t *pflog_module;
 
-  proto_pflog = proto_register_protocol("OpenBSD Packet Filter log file",
-                                        "PFLOG", "pflog");
+  proto_pflog = proto_register_protocol("OpenBSD Packet Filter log file", "PFLOG", "pflog");
   proto_register_field_array(proto_pflog, hf, array_length(hf));
   proto_register_subtree_array(ett, array_length(ett));
   expert_pflog = expert_register_protocol(proto_pflog);
   expert_register_field_array(expert_pflog, ei, array_length(ei));
 
-  pflog_module = prefs_register_protocol(proto_pflog, NULL);
+  pflog_handle = register_dissector("pflog", dissect_pflog, proto_pflog);
 
-  prefs_register_bool_preference(pflog_module, "uid_endian",
-        "Display UID as big endian value",
-        "Whether or not UID and PID fields are dissected in big or little endian",
-        &uid_endian);
+  pflog_module = prefs_register_protocol(proto_pflog, NULL);
 
+  prefs_register_enum_preference(pflog_module, "id_endian",
+        "Byte order for UID and PID fields",
+        "Whether or not UID and PID fields are dissected in host, big, or little endian byte order",
+        &id_endian, id_endian_vals, FALSE);
+  prefs_register_obsolete_preference(pflog_module, "uid_endian");
 }
 
 void
 proto_reg_handoff_pflog(void)
 {
-  dissector_handle_t pflog_handle;
-
   ip_handle = find_dissector_add_dependency("ip", proto_pflog);
   ipv6_handle = find_dissector_add_dependency("ipv6", proto_pflog);
 
-  pflog_handle = create_dissector_handle(dissect_pflog, proto_pflog);
   dissector_add_uint("wtap_encap", WTAP_ENCAP_PFLOG, pflog_handle);
 }
 
@@ -497,20 +645,17 @@ proto_register_old_pflog(void)
   };
   static gint *ett[] = { &ett_old_pflog };
 
-  proto_old_pflog = proto_register_protocol(
-          "OpenBSD Packet Filter log file, pre 3.4",
-          "PFLOG-OLD", "pflog-old");
+  proto_old_pflog = proto_register_protocol("OpenBSD Packet Filter log file, pre 3.4", "PFLOG-OLD", "pflog-old");
   proto_register_field_array(proto_old_pflog, hf, array_length(hf));
   proto_register_subtree_array(ett, array_length(ett));
+
+  old_pflog_handle = register_dissector("pflog-old", dissect_old_pflog, proto_old_pflog);
 }
 
 void
 proto_reg_handoff_old_pflog(void)
 {
-  dissector_handle_t pflog_handle;
-
-  pflog_handle = create_dissector_handle(dissect_old_pflog, proto_old_pflog);
-  dissector_add_uint("wtap_encap", WTAP_ENCAP_OLD_PFLOG, pflog_handle);
+  dissector_add_uint("wtap_encap", WTAP_ENCAP_OLD_PFLOG, old_pflog_handle);
 }
 /*
  * Editor modelines