From owner-freebsd-pf@FreeBSD.ORG Wed Jun 21 13:39:26 2006
Message-ID: <44994C05.7050007@gmail.com>
Date: Wed, 21 Jun 2006 16:39:17 +0300
From: "N. Ersen SISECI" <siseci@gmail.com>
To: freebsd-pf@FreeBSD.org
Subject: PF and tcpdump Label Patch
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

I wrote a patch for PF to log "label" names like IPF's log-tag option. PF already has a label option to mark rules in `pfctl -sr`, but it does not write labels to the log file, which is very useful to match log entries to rules or groups of rules created by lists (pass from any to any port {10,20,30,40} label "passing_ports" etc...).

For example:

pass in log quick all keep state label MAIN_RULE

So the log line looks like this:

2006-06-21 18:26:06.969874 rule 67/0(match): pass in on bge0: label MAIN_RULE: 192.168.9.99.53568 > 66.249.85.99.80: S ...

To properly use tcpdump to display log entries from the pflog0 interface, tcpdump has to be patched also. Since the above patch changes a struct in pflog, without patching tcpdump log packets appear truncated.

I tested both patches on FreeBSD 5.4 and FreeBSD 6.0.

I attached both patches.

Sincerely,
N. Ersen SISECI
http://www.enderunix.org

Content-Disposition: inline; filename="pf.patch"
--- if_pflog.h.org Wed Apr 5 10:10:56 2006
+++ if_pflog.h Wed Apr 5 09:26:31 2006
@@ -40,6 +40,12 @@ #define PF_RULESET_NAME_SIZE 16 #endif +#ifndef PF_RULE_LABEL_SIZE +#define PF_RULE_LABEL_SIZE 64 +#endif + +#define PF_LOG_LABEL + struct pfloghdr { u_int8_t length; sa_family_t af; @@ -50,6 +56,9 @@ u_int32_t rulenr; u_int32_t subrulenr; u_int8_t dir; +#ifdef PF_LOG_LABEL + char label[PF_RULE_LABEL_SIZE]; +#endif u_int8_t pad[3]; }; --- if_pflog.c.org Wed Apr 5 10:10:52 2006 +++ if_pflog.c Wed Apr 5 10:47:01 2006 @@ -296,6 +296,7 @@ hdr.action = rm->action; hdr.reason = reason; memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname)); + memcpy(hdr.label, rm->label, sizeof(rm->label)); if (am == NULL) { hdr.rulenr = htonl(rm->nr); --------------070404010607040601040006 Content-Type: text/plain; name="tcpdump.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="tcpdump.patch" --- pf.h.org Wed Apr 5 10:15:22 2006 +++ pf.h Wed Apr 5 10:18:15 2006 @@ -55,6 +55,8 @@ } #define PF_RULESET_NAME_SIZE 16 +#define PF_RULE_LABEL_SIZE 64 + /* from $OpenBSD: if_pflog.h,v 1.9 2003/07/15 20:27:27 dhartmei Exp $ */ @@ -62,6 +64,8 @@ #define IFNAMSIZ 16 #endif +#define PF_LOG_LABEL + struct pfloghdr { u_int8_t length; sa_family_t af; @@ -72,6 +76,9 @@ u_int32_t rulenr; u_int32_t subrulenr; u_int8_t dir; +#ifdef PF_LOG_LABEL + char label[PF_RULE_LABEL_SIZE]; +#endif u_int8_t pad[3]; }; #define PFLOG_HDRLEN sizeof(struct pfloghdr) --- print-pflog.c.org Wed Apr 5 10:15:31 2006 +++ print-pflog.c Wed Apr 5 10:17:44 2006 
@@ -81,11 +81,20 @@ printf("rule %u.%s.%u/", ntohl(hdr->rulenr), hdr->ruleset, ntohl(hdr->subrulenr)); - printf("%s: %s %s on %s: ", +#ifndef PF_LOG_LABEL + printf("%s: %s %s on %s:", tok2str(pf_reasons, "unkn(%u)", hdr->reason), tok2str(pf_actions, "unkn(%u)", hdr->action), tok2str(pf_directions, "unkn(%u)", hdr->dir), hdr->ifname); +#else + printf("%s: %s %s on %s: label %s: ", + tok2str(pf_reasons, "unkn(%u)", hdr->reason), + tok2str(pf_actions, "unkn(%u)", hdr->action), + tok2str(pf_directions, "unkn(%u)", hdr->dir), + hdr->ifname, + hdr->label); +#endif } u_int --------------070404010607040601040006--
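Review bot: the unconditional `#define PF_LOG_LABEL` in the first if_pflog.h hunk (@@ -40,6 +40,12 @@) hard-wires a 64-byte change into struct pfloghdr, i.e. into the pflog link-layer header that every consumer of pflog0 and every saved pcap reads, which is exactly why the cover text says unpatched tcpdump shows truncated packets. Suggest making the label an opt-in build setting rather than defining it in the shared header, and documenting the changed header size next to the define so out-of-tree readers know the layout moved. The `#ifndef PF_RULE_LABEL_SIZE` fallback is also risky: it lets the pflog copy of the label silently be sized differently from the rule's own label array depending on include order, and the copy in if_pflog.c relies on the two being equal.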
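Review bot: in the if_pflog.c hunk (@@ -296,6 +296,7 @@) `memcpy(hdr.label, rm->label, sizeof(rm->label));` sizes the copy by the source rather than the destination, so any mismatch between the rule's label size and `PF_RULE_LABEL_SIZE` as seen by if_pflog.h overruns `hdr.label` or leaves it short. Use `sizeof(hdr.label)` (or add a compile-time check that the two sizes are equal), and since the tcpdump side prints the field with a bare `%s`, make termination explicit on the kernel side with `hdr.label[sizeof(hdr.label) - 1] = '\0'` or by copying with strlcpy.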
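Review bot: the second pf.h hunk of tcpdump.patch (@@ -62,6 +64,8 @@) hard-codes `#define PF_LOG_LABEL` in tcpdump's private copy of the header, which makes the `#ifndef PF_LOG_LABEL` branch in print-pflog.c dead code and ties this tcpdump to kernels built with the same patch; it can no longer read traces or pcap files from an unpatched pflog. The header already carries its own `length` byte, so deciding at run time from `hdr->length` whether a label follows `dir` would let one tcpdump print both the old and the new format.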
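Review bot: the print-pflog.c hunk (@@ -81,11 +81,20 @@) changes the legacy format string from `"%s: %s %s on %s: "` to `"%s: %s %s on %s:"` in the `#ifndef` branch, dropping the trailing space and running the interface name into the addresses for unlabelled output; keep the original string there. In the `#else` branch `hdr->label` is printed with a bare `%s` on bytes taken from a capture, which reads past the 64-byte field whenever it is not NUL-terminated; print it as `%.*s` with `(int)sizeof(hdr->label)`. The duplicated tok2str argument lists could be avoided entirely by leaving the original printf as it was and following it with a guarded `printf("label %.*s: ", ...)`, which produces the same output shown in the cover text.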
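An added example, not part of the posted patches: it lays out struct pfloghdr as the patched if_pflog.h defines it and shows why a reader that hard-codes the old 48-byte header takes label bytes for packet data, while one that trusts the header's own length byte still finds the packet. It assumes the kernel stores `offsetof(struct pfloghdr, pad)` in `hdr.length` and that readers word-align it (the usual if_pflog.h and print-pflog.c behaviour, not shown on this page); the record and the label are constructed here.

```c
#include <arpa/inet.h>   /* htonl, ntohs */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IFNAMSIZ             16
#define PF_RULESET_NAME_SIZE 16
#define PF_RULE_LABEL_SIZE   64
#define BPF_WORDALIGN(x)     (((x) + 3u) & ~3u)

/* struct pfloghdr as laid out by the patched if_pflog.h; af is uint8_t here
 * because sa_family_t is one byte on the BSDs (it is two bytes on Linux). */
struct pfloghdr_label {
    uint8_t  length, af, action, reason;
    char     ifname[IFNAMSIZ];
    char     ruleset[PF_RULESET_NAME_SIZE];
    uint32_t rulenr, subrulenr;
    uint8_t  dir;
    char     label[PF_RULE_LABEL_SIZE];   /* the field the patch inserts before pad */
    uint8_t  pad[3];
};
#define PFLOG_REAL_HDRLEN   offsetof(struct pfloghdr_label, pad) /* 109: assumed value of hdr.length */
#define LEGACY_PFLOG_HDRLEN 48 /* BPF_WORDALIGN(45): pre-patch size a reader might hard-code */

/* Constructed record: patched header + first four bytes of an IPv4 header
 * (version 4, IHL 5, total length 40). Returns the record length, 0 if no room. */
size_t build_record(uint8_t *buf, size_t cap)
{
    static const uint8_t ip_start[4] = { 0x45, 0x00, 0x00, 0x28 };
    struct pfloghdr_label h;
    if (cap < sizeof h + sizeof ip_start) return 0;
    memset(&h, 0, sizeof h);
    h.length = PFLOG_REAL_HDRLEN;
    h.af = 2;                                   /* AF_INET on the BSDs */
    h.dir = 1;                                  /* PF_IN */
    strncpy(h.ifname, "bge0", sizeof h.ifname - 1);
    h.rulenr = htonl(67);
    strncpy(h.label, "MAIN_RULE", sizeof h.label - 1);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, ip_start, sizeof ip_start);
    return sizeof h + sizeof ip_start;
}

/* Packet offset when the reader honours hdr->length, as DLT_PFLOG intends. */
size_t payload_offset(const uint8_t *rec) { return BPF_WORDALIGN(rec[0]); }

/* IPv4 total length read after hdrlen bytes; with LEGACY_PFLOG_HDRLEN this
 * lands inside the label and yields the ASCII bytes "RU" instead of 40. */
unsigned ip_total_length(const uint8_t *rec, size_t hdrlen)
{
    uint16_t n; memcpy(&n, rec + hdrlen + 2, sizeof n); return ntohs(n);
}
```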