diff options
Diffstat (limited to 'epan/dissectors/packet-pflog.c')
-rw-r--r-- | epan/dissectors/packet-pflog.c | 359 |
1 files changed, 252 insertions, 107 deletions
diff --git a/epan/dissectors/packet-pflog.c b/epan/dissectors/packet-pflog.c index f4230c6693..6fe3c399f6 100644 --- a/epan/dissectors/packet-pflog.c +++ b/epan/dissectors/packet-pflog.c @@ -1,5 +1,5 @@ /* packet-pflog.c - * Routines for pflog (OpenBSD Firewall Logging) packet disassembly + * Routines for pflog (Firewall Logging) packet disassembly * * Copyright 2001 Mike Frantzen * All rights reserved. @@ -7,10 +7,39 @@ * SPDX-License-Identifier: BSD-1-Clause */ -/* Specifications... : -http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.c -http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h -*/ +/* + * Specifications: + * + * OpenBSD PF log: + * + * https://cvsweb.openbsd.org/src/sys/net/if_pflog.c + * https://cvsweb.openbsd.org/src/sys/net/if_pflog.h + * https://cvsweb.openbsd.org/src/sys/net/pfvar.h + * + * FreeBSD PF log: + * + * https://cgit.freebsd.org/src/tree/sys/net/if_pflog.h + * https://cgit.freebsd.org/src/tree/sys/netpfil/pf/if_pflog.c + * https://cgit.freebsd.org/src/tree/sys/netpfil/pf/pf.h + * + * NetBSD PF log: + * + * http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/pf/net/if_pflog.c + * http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/pf/net/if_pflog.h + * http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/pf/net/pfvar.h + * + * DragonFly BSD PF log: + * + * https://gitweb.dragonflybsd.org/dragonfly.git/blob/HEAD:/sys/net/pf/if_pflog.c + * https://gitweb.dragonflybsd.org/dragonfly.git/blob/HEAD:/sys/net/pf/if_pflog.h + * https://gitweb.dragonflybsd.org/dragonfly.git/blob/HEAD:/sys/net/pf/pfvar.h + * + * macOS/Darwin PF log: + * + * https://github.com/apple-oss-distributions/xnu/blob/main/bsd/net/if_pflog.c + * https://github.com/apple-oss-distributions/xnu/blob/main/bsd/net/if_pflog.h + * https://github.com/apple-oss-distributions/xnu/blob/main/bsd/net/pfvar.h + */ #include "config.h" #include <epan/packet.h> @@ -20,65 +49,109 @@ http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h #include <epan/expert.h> #include <epan/prefs.h> +#include <wsutil/ws_roundup.h> + void proto_register_pflog(void); void proto_reg_handoff_pflog(void); void proto_register_old_pflog(void); void proto_reg_handoff_old_pflog(void); +static dissector_handle_t old_pflog_handle; +static dissector_handle_t pflog_handle; static dissector_handle_t ip_handle, ipv6_handle; /* header fields */ -static int proto_pflog = -1; -static int hf_pflog_length = -1; -static int hf_pflog_af = -1; -static int hf_pflog_action = -1; -static int hf_pflog_reason = -1; -static int hf_pflog_ifname = -1; -static int hf_pflog_ruleset = -1; -static int hf_pflog_rulenr = -1; -static int hf_pflog_subrulenr = -1; -static int hf_pflog_uid = -1; -static int hf_pflog_pid = -1; -static int hf_pflog_rule_uid = -1; -static int hf_pflog_rule_pid = -1; -static int hf_pflog_dir = -1; -static int hf_pflog_rewritten = -1; -static int hf_pflog_pad = -1; -static int hf_pflog_saddr_ipv4 = -1; -static int hf_pflog_daddr_ipv4 = -1; -static int hf_pflog_saddr_ipv6 = -1; -static int hf_pflog_daddr_ipv6 = -1; -static int hf_pflog_saddr = -1; -static int hf_pflog_daddr = -1; -static int hf_pflog_sport = -1; -static int hf_pflog_dport = -1; -static gint ett_pflog = -1; - -static expert_field ei_pflog_invalid_header_length = EI_INIT; +static int proto_pflog; +static int hf_pflog_length; +static int hf_pflog_af; +static int hf_pflog_action; +static int hf_pflog_reason; +static int hf_pflog_ifname; +static int hf_pflog_ruleset; +static int hf_pflog_rulenr; +static int hf_pflog_subrulenr; +static int hf_pflog_uid; +static int hf_pflog_pid; +static int hf_pflog_rule_uid; +static int hf_pflog_rule_pid; +static int hf_pflog_dir; +static int hf_pflog_rewritten; +static int hf_pflog_pad; +static int hf_pflog_saddr_ipv4; +static int hf_pflog_daddr_ipv4; +static int hf_pflog_saddr_ipv6; +static int hf_pflog_daddr_ipv6; +static int hf_pflog_saddr; +static int hf_pflog_daddr; +static int hf_pflog_sport; +static int hf_pflog_dport; +static gint ett_pflog; + +static expert_field ei_pflog_invalid_header_length; /* old header */ -static int proto_old_pflog = -1; -static int hf_old_pflog_af = -1; -static int hf_old_pflog_ifname = -1; -static int hf_old_pflog_rnr = -1; -static int hf_old_pflog_reason = -1; -static int hf_old_pflog_action = -1; -static int hf_old_pflog_dir = -1; +static int proto_old_pflog; +static int hf_old_pflog_af; +static int hf_old_pflog_ifname; +static int hf_old_pflog_rnr; +static int hf_old_pflog_reason; +static int hf_old_pflog_action; +static int hf_old_pflog_dir; + +static gint ett_old_pflog; -static gint ett_old_pflog = -1; +/* + * Because ENC_HOST_ENDIAN is either equal to ENC_BIG_ENDIAN or + * ENC_LITTLE_ENDIAN, it will be confusing if we use ENC_ values + * directly, as, if the current setting is "Host-endian", it'll + * look like "Big-endian" on big-endian machines and like + * "Little-endian" on little-endian machines, and will display + * as such if you open up the preferences. + */ +#define ID_HOST_ENDIAN 0 +#define ID_BIG_ENDIAN 1 +#define ID_LITTLE_ENDIAN 2 + +static gint id_endian = ID_HOST_ENDIAN; +static const enum_val_t id_endian_vals[] = { + { "host", "Host-endian", ID_HOST_ENDIAN }, + { "big", "Big-endian", ID_BIG_ENDIAN }, + { "little", "Little-endian", ID_LITTLE_ENDIAN }, + { NULL, NULL, 0 } +}; -static gboolean uid_endian = TRUE; +/* + * Length as of OpenBSD 3.4, not including padding. + */ +#define LEN_PFLOG_OPENBSD_3_4 45 + +/* + * Length as of OpenBSD 3.8, not including padding. + * + * Also the current length on DragonFly BSD, NetBSD, and Darwin; + * those all have the same log message header. + */ +#define LEN_PFLOG_OPENBSD_3_8 61 -#define LEN_PFLOG_BSD34 48 -#define LEN_PFLOG_BSD38 64 -#define LEN_PFLOG_BSD49 100 +/* + * Length as of OpenBSD 4.9; there are 2 internal pad bytes, but no + * padding at the end. + */ +#define LEN_PFLOG_OPENBSD_4_9 100 static const value_string pflog_af_vals[] = { { BSD_AF_INET, "IPv4" }, { BSD_AF_INET6_BSD, "IPv6" }, + { BSD_AF_INET6_FREEBSD, "IPv6" }, + { BSD_AF_INET6_DARWIN, "IPv6" }, { 0, NULL } }; +/* + * Reason values. + * + * Past 14, these differ for different OSes. + */ static const value_string pflog_reason_vals[] = { { 0, "match" }, { 1, "bad-offset" }, @@ -95,27 +168,76 @@ static const value_string pflog_reason_vals[] = { { 12, "max-states" }, { 13, "srcnode-limit" }, { 14, "syn-proxy" }, +#if defined(__FreeBSD__) + { 15, "map-failed" }, +#elif defined(__NetBSD__) + { 15, "state-locked" }, +#elif defined(__OpenBSD__) + { 15, "translate" }, + { 16, "no-route" }, +#elif defined(__APPLE__) + { 15, "dummynet" }, +#endif { 0, NULL } }; -/* Actions */ -enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, - PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER, - PF_MATCH, PF_DIVERT, PF_RT }; +/* + * Action values. + * + * Past 10, these differ for different OSes. + */ +#define PF_PASS 0 +#define PF_DROP 1 +#define PF_SCRUB 2 +#define PF_NOSCRUB 3 +#define PF_NAT 4 +#define PF_NONAT 5 +#define PF_BINAT 6 +#define PF_NOBINAT 7 +#define PF_RDR 8 +#define PF_NORDR 9 +#define PF_SYNPROXY_DROP 10 +#if defined(__FreeBSD__) +#define PF_DEFER 11 +#elif defined(__OpenBSD__) +#define PF_DEFER 11 +#define PF_MATCH 12 +#define PF_DIVERT 13 +#define PF_RT 14 +#define PF_AFRT 15 +#elif defined(__APPLE__) +#define PF_DUMMYNET 11 +#define PF_NODUMMYNET 12 +#define PF_NAT64 13 +#define PF_NONAT64 14 +#endif static const value_string pflog_action_vals[] = { - { PF_MATCH, "match" }, - { PF_SCRUB, "scrub" }, - { PF_PASS, "pass" }, - { PF_DROP, "block" }, - { PF_DIVERT, "divert" }, - { PF_NAT, "nat" }, - { PF_NONAT, "nat" }, - { PF_BINAT, "binat" }, - { PF_NOBINAT, "binat" }, - { PF_RDR, "rdr" }, - { PF_NORDR, "rdr" }, - { 0, NULL } + { PF_PASS, "pass" }, + { PF_DROP, "block" }, + { PF_SCRUB, "scrub" }, + { PF_NAT, "nat" }, + { PF_NONAT, "nonat" }, + { PF_BINAT, "binat" }, + { PF_NOBINAT, "nobinat" }, + { PF_RDR, "rdr" }, + { PF_NORDR, "nordr" }, + { PF_SYNPROXY_DROP, "synproxy-drop" }, +#if defined(__FreeBSD__) + { PF_DEFER, "defer" }, +#elif defined(__OpenBSD__) + { PF_DEFER, "defer" }, + { PF_MATCH, "match" }, + { PF_DIVERT, "divert" }, + { PF_RT, "rt" }, + { PF_AFRT, "afrt" }, +#elif defined(__APPLE__) + { PF_DUMMYNET, "dummynet" }, + { PF_NODUMMYNET, "nodummynet" }, + { PF_NAT64, "nat64" }, + { PF_NONAT64, "nonat64" }, +#endif + { 0, NULL } }; /* Directions */ @@ -125,6 +247,7 @@ static const value_string pflog_action_vals[] = { #define PF_INOUT 0 #define PF_IN 1 #define PF_OUT 2 +#define PF_FWD 3 /* for now, 3 is only used by OpenBSD */ static const value_string pflog_old_dir_vals[] = { { PF_OLD_IN, "in" }, @@ -136,6 +259,7 @@ static const value_string pflog_dir_vals[] = { { PF_INOUT, "inout" }, { PF_IN, "in" }, { PF_OUT, "out" }, + { PF_FWD, "fwd" }, { 0, NULL } }; @@ -145,11 +269,10 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U tvbuff_t *next_tvb; proto_tree *pflog_tree; proto_item *ti = NULL, *ti_len; - int length; - guint8 af, action; + guint32 length, padded_length; + guint32 af, action; const guint8 *ifname; - guint32 rulenr; - guint8 pad_len = 3; + gint32 rulenr; gint offset = 0; col_set_str(pinfo->cinfo, COL_PROTOCOL, "PFLOG"); @@ -157,22 +280,20 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U ti = proto_tree_add_item(tree, proto_pflog, tvb, offset, -1, ENC_NA); pflog_tree = proto_item_add_subtree(ti, ett_pflog); - length = tvb_get_guint8(tvb, offset) + pad_len; - - ti_len = proto_tree_add_item(pflog_tree, hf_pflog_length, tvb, offset, 1, ENC_BIG_ENDIAN); - if(length < LEN_PFLOG_BSD34) + ti_len = proto_tree_add_item_ret_uint(pflog_tree, hf_pflog_length, tvb, offset, 1, ENC_BIG_ENDIAN, &length); + if(length < LEN_PFLOG_OPENBSD_3_4) { expert_add_info_format(pinfo, ti_len, &ei_pflog_invalid_header_length, "Invalid header length %u", length); } + padded_length = WS_ROUNDUP_4(length); + offset += 1; - proto_tree_add_item(pflog_tree, hf_pflog_af, tvb, offset, 1, ENC_BIG_ENDIAN); - af = tvb_get_guint8(tvb, offset); + proto_tree_add_item_ret_uint(pflog_tree, hf_pflog_af, tvb, offset, 1, ENC_BIG_ENDIAN, &af); offset += 1; - proto_tree_add_item(pflog_tree, hf_pflog_action, tvb, offset, 1, ENC_BIG_ENDIAN); - action = tvb_get_guint8(tvb, offset); + proto_tree_add_item_ret_uint(pflog_tree, hf_pflog_action, tvb, offset, 1, ENC_BIG_ENDIAN, &action); offset += 1; proto_tree_add_item(pflog_tree, hf_pflog_reason, tvb, offset, 1, ENC_BIG_ENDIAN); @@ -181,19 +302,37 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U proto_tree_add_item_ret_string(pflog_tree, hf_pflog_ifname, tvb, offset, 16, ENC_ASCII|ENC_NA, pinfo->pool, &ifname); offset += 16; - proto_tree_add_item(pflog_tree, hf_pflog_ruleset, tvb, offset, 16, ENC_ASCII|ENC_NA); + proto_tree_add_item(pflog_tree, hf_pflog_ruleset, tvb, offset, 16, ENC_ASCII); offset += 16; - proto_tree_add_item(pflog_tree, hf_pflog_rulenr, tvb, offset, 4, ENC_BIG_ENDIAN); - rulenr = tvb_get_ntohs(tvb, offset); + proto_tree_add_item_ret_int(pflog_tree, hf_pflog_rulenr, tvb, offset, 4, ENC_BIG_ENDIAN, &rulenr); offset += 4; proto_tree_add_item(pflog_tree, hf_pflog_subrulenr, tvb, offset, 4, ENC_BIG_ENDIAN); offset += 4; - if(length >= LEN_PFLOG_BSD38) + if(length >= LEN_PFLOG_OPENBSD_3_8) { - int endian = uid_endian ? ENC_BIG_ENDIAN : ENC_LITTLE_ENDIAN; + int endian; + + switch (id_endian) { + + case ID_HOST_ENDIAN: + endian = ENC_HOST_ENDIAN; + break; + + case ID_BIG_ENDIAN: + endian = ENC_BIG_ENDIAN; + break; + + case ID_LITTLE_ENDIAN: + endian = ENC_LITTLE_ENDIAN; + break; + + default: + DISSECTOR_ASSERT_NOT_REACHED(); + } + proto_tree_add_item(pflog_tree, hf_pflog_uid, tvb, offset, 4, endian); offset += 4; @@ -209,19 +348,15 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U proto_tree_add_item(pflog_tree, hf_pflog_dir, tvb, offset, 1, ENC_BIG_ENDIAN); offset += 1; - if(length >= LEN_PFLOG_BSD49) + if(length >= LEN_PFLOG_OPENBSD_4_9) { - pad_len = 2; - length -= 3; /* With OpenBSD >= 4.8 the length is the length of full Header (with padding..) */ proto_tree_add_item(pflog_tree, hf_pflog_rewritten, tvb, offset, 1, ENC_BIG_ENDIAN); offset += 1; - } - proto_tree_add_item(pflog_tree, hf_pflog_pad, tvb, offset, pad_len, ENC_NA); - offset += pad_len; + /* Internal padding */ + proto_tree_add_item(pflog_tree, hf_pflog_pad, tvb, offset, 2, ENC_NA); + offset += 2; - if(length >= LEN_PFLOG_BSD49) - { switch (af) { case BSD_AF_INET: @@ -254,19 +389,21 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U proto_tree_add_item(pflog_tree, hf_pflog_dport, tvb, offset, 2, ENC_BIG_ENDIAN); offset += 2; + } else { + /* End-of-header padding */ + proto_tree_add_item(pflog_tree, hf_pflog_pad, tvb, offset, 3, ENC_NA); + offset += 3; } - proto_item_set_text(ti, "PF Log %s %s on %s by rule %u", + proto_item_set_text(ti, "PF Log %s %s on %s by rule %d", val_to_str(af, pflog_af_vals, "unknown (%u)"), val_to_str(action, pflog_action_vals, "unknown (%u)"), ifname, rulenr); proto_item_set_len(ti, offset); - - /* Set the tvbuff for the payload after the header */ - next_tvb = tvb_new_subset_remaining(tvb, length); + next_tvb = tvb_new_subset_remaining(tvb, padded_length); switch (af) { @@ -275,6 +412,8 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U break; case BSD_AF_INET6_BSD: + case BSD_AF_INET6_FREEBSD: + case BSD_AF_INET6_DARWIN: call_dissector(ipv6_handle, next_tvb, pinfo, tree); break; @@ -283,7 +422,7 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U break; } - col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/%u] ", + col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/%d] ", val_to_str(action, pflog_action_vals, "unknown (%u)"), ifname, rulenr); @@ -312,6 +451,17 @@ proto_register_pflog(void) { &hf_pflog_ruleset, { "Ruleset", "pflog.ruleset", FT_STRING, BASE_NONE, NULL, 0x0, "Ruleset name in anchor", HFILL }}, + /* + * XXX - these are u_int32_t/uint32_t in struct pfloghdr, but are + * FT_INT32 here, and at least one capture, from issue #6115, has + * 0xFFFFFFFF as a sub rule number; that looks suspiciously as + * if it's -1. + * + * At least in OpenBSD, the rule and subrule are unsigned in the + * kernel, and -1 - which really means 0xFFFFFFFFU - is used if + * there is no subrule. Perhaps we should treat that value + * specially and report it as "None" or something such as that. + */ { &hf_pflog_rulenr, { "Rule Number", "pflog.rulenr", FT_INT32, BASE_DEC, NULL, 0x0, "Last matched firewall main ruleset rule number", HFILL }}, @@ -373,31 +523,29 @@ proto_register_pflog(void) expert_module_t* expert_pflog; module_t *pflog_module; - proto_pflog = proto_register_protocol("OpenBSD Packet Filter log file", - "PFLOG", "pflog"); + proto_pflog = proto_register_protocol("OpenBSD Packet Filter log file", "PFLOG", "pflog"); proto_register_field_array(proto_pflog, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); expert_pflog = expert_register_protocol(proto_pflog); expert_register_field_array(expert_pflog, ei, array_length(ei)); - pflog_module = prefs_register_protocol(proto_pflog, NULL); + pflog_handle = register_dissector("pflog", dissect_pflog, proto_pflog); - prefs_register_bool_preference(pflog_module, "uid_endian", - "Display UID as big endian value", - "Whether or not UID and PID fields are dissected in big or little endian", - &uid_endian); + pflog_module = prefs_register_protocol(proto_pflog, NULL); + prefs_register_enum_preference(pflog_module, "id_endian", + "Byte order for UID and PID fields", + "Whether or not UID and PID fields are dissected in host, big, or little endian byte order", + &id_endian, id_endian_vals, FALSE); + prefs_register_obsolete_preference(pflog_module, "uid_endian"); } void proto_reg_handoff_pflog(void) { - dissector_handle_t pflog_handle; - ip_handle = find_dissector_add_dependency("ip", proto_pflog); ipv6_handle = find_dissector_add_dependency("ipv6", proto_pflog); - pflog_handle = create_dissector_handle(dissect_pflog, proto_pflog); dissector_add_uint("wtap_encap", WTAP_ENCAP_PFLOG, pflog_handle); } @@ -497,20 +645,17 @@ proto_register_old_pflog(void) }; static gint *ett[] = { &ett_old_pflog }; - proto_old_pflog = proto_register_protocol( - "OpenBSD Packet Filter log file, pre 3.4", - "PFLOG-OLD", "pflog-old"); + proto_old_pflog = proto_register_protocol("OpenBSD Packet Filter log file, pre 3.4", "PFLOG-OLD", "pflog-old"); proto_register_field_array(proto_old_pflog, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); + + old_pflog_handle = register_dissector("pflog-old", dissect_old_pflog, proto_old_pflog); } void proto_reg_handoff_old_pflog(void) { - dissector_handle_t pflog_handle; - - pflog_handle = create_dissector_handle(dissect_old_pflog, proto_old_pflog); - dissector_add_uint("wtap_encap", WTAP_ENCAP_OLD_PFLOG, pflog_handle); + dissector_add_uint("wtap_encap", WTAP_ENCAP_OLD_PFLOG, old_pflog_handle); } /* * Editor modelines |