From owner-freebsd-bugs@FreeBSD.ORG  Mon Sep 24 17:40:04 2007
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E86CA16A418
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 24 Sep 2007 17:40:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id D5FB013C45A
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 24 Sep 2007 17:40:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l8OHe3Xj091832
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 24 Sep 2007 17:40:03 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l8OHe3c5091831;
	Mon, 24 Sep 2007 17:40:03 GMT (envelope-from gnats)
Resent-Date: Mon, 24 Sep 2007 17:40:03 GMT
Resent-Message-Id: <200709241740.l8OHe3c5091831@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 64B3816A417;
	Mon, 24 Sep 2007 17:35:54 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from pobox.codelabs.ru (pobox.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 2527E13C45B;
	Mon, 24 Sep 2007 17:35:53 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25])
	by pobox.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1IZrqZ-000GUH-Ra; Mon, 24 Sep 2007 21:35:52 +0400
Message-Id: <20070924173551.4D5E71AF41C@void.codelabs.ru>
Date: Mon, 24 Sep 2007 21:35:51 +0400 (MSD)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: max@love2party.net, freebsd-current@FreeBSD.org
Subject: bin/116610: [patch] teach tcpdump(1) to cope with the new-style
	pflog(4) output
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2007 17:40:04 -0000


>Number:         116610
>Category:       bin
>Synopsis:       [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 24 17:40:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Code Labs
>Environment:

System: FreeBSD XXX 7.0-CURRENT FreeBSD 7.0-CURRENT #10: Wed Sep 12 16:16:49 MSD 2007 root@XXX:/usr/src/sys/i386/compile/XXX i386

>Description:

Version 1.9 of /sys/contrib/pf/net/if_pflog.h (Import of pf from
OpenBSD 4.1) introduced the backwards-incompatible change to the
'struct pfloghdr': the 'dir' and 'pad' members moved far away from
their previous positions.

This is not a problem for the pf itself, but tcpdump is no longer
able to print the packet direction correctly.

>How-To-Repeat:

Spawn tcpdump like 'tcpdump -lvvnetti pflog0' on the 7-CURRENT built
from the sources later than Tue Jul 3 16:16:07 2007 MSD and see
that the link-level header contains weird 'unkn(255)' direction:
"rule 14/0(match): block unkn(255) on uplink".

>Fix:

The following patch will cure the situation.  I know that the best
thing that can be done is to commit it to the tcpdump itself, but

a) this is a long process, since it requires tcpdump team to accept
   the patch and Someone (TM) to import new tcpdump sources to
   FreeBSD;
b) other eyes should see and criticize this patch.

I myself was tested this patch on the 7-CURRENT and 6.2-STABLE.
No regressions were seen yet and tcpdump works like a charm with
the new pflog0 packets showing 'in' and 'out' ;))

--- tcpdump-pflog-v2.patch begins here ---
--- contrib/tcpdump/pf.h.orig	2007-09-24 19:59:29.000000000 +0400
+++ contrib/tcpdump/pf.h	2007-09-24 20:31:40.000000000 +0400
@@ -29,6 +29,9 @@
  * @(#) $Header: /tcpdump/master/tcpdump/pf.h,v 1.2 2004/04/02 06:36:25 guy Exp $ (LBL)
  */
 
+/* We need offsetof() macro */
+#include <stddef.h>
+
 /*	from $OpenBSD: pfvar.h,v 1.170 2003/08/22 21:50:34 david Exp $ */
 
 enum	{ PF_INOUT=0, PF_IN=1, PF_OUT=2 };
@@ -75,3 +78,23 @@
 	u_int8_t	pad[3];
 };
 #define PFLOG_HDRLEN		sizeof(struct pfloghdr)
+
+/*	from $OpenBSD: if_pflog.h,v 1.14 2006/10/25 11:27:01 henning Exp $ */
+
+struct pfloghdr_v2 {
+	u_int8_t	length;
+	sa_family_t	af;
+	u_int8_t	action;
+	u_int8_t	reason;
+	char		ifname[IFNAMSIZ];
+	char		ruleset[PF_RULESET_NAME_SIZE];
+	u_int32_t	rulenr;
+	u_int32_t	subrulenr;
+	uid_t		uid;
+	pid_t		pid;
+	uid_t		rule_uid;
+	pid_t		rule_pid;
+	u_int8_t	dir;
+	u_int8_t	pad[3];
+};
+#define PFLOG_HDRV2_LEN		offsetof(struct pfloghdr_v2, pad)
--- contrib/tcpdump/print-pflog.c.orig	2007-09-24 19:10:09.000000000 +0400
+++ contrib/tcpdump/print-pflog.c	2007-09-24 20:30:36.000000000 +0400
@@ -72,25 +72,43 @@
 #define	OPENBSD_AF_INET		2
 #define	OPENBSD_AF_INET6	24
 
+#define __PFLOG_PRINT_HDR(hdr)						\
+do {									\
+	u_int32_t rulenr, subrulenr;					\
+									\
+	rulenr = ntohl((hdr)->rulenr);					\
+	subrulenr = ntohl((hdr)->subrulenr);				\
+	if (subrulenr == (u_int32_t)-1)					\
+		printf("rule %u/", rulenr);				\
+	else								\
+		printf("rule %u.%s.%u/", rulenr, (hdr)->ruleset,	\
+		    subrulenr);						\
+									\
+	printf("%s: %s %s on %s: ",					\
+	    tok2str(pf_reasons, "unkn(%u)", (hdr)->reason),		\
+	    tok2str(pf_actions, "unkn(%u)", (hdr)->action),		\
+	    tok2str(pf_directions, "unkn(%u)", (hdr)->dir),		\
+	    (hdr)->ifname);						\
+} while (0)
+
 static void
 pflog_print(const struct pfloghdr *hdr)
 {
-	u_int32_t rulenr, subrulenr;
+	u_int8_t hdr_version;
+	struct pfloghdr_v2 *v2hdr;
 
-	rulenr = ntohl(hdr->rulenr);
-	subrulenr = ntohl(hdr->subrulenr);
-	if (subrulenr == (u_int32_t)-1)
-		printf("rule %u/", rulenr);
-	else
-		printf("rule %u.%s.%u/", rulenr, hdr->ruleset, subrulenr);
-
-	printf("%s: %s %s on %s: ",
-	    tok2str(pf_reasons, "unkn(%u)", hdr->reason),
-	    tok2str(pf_actions, "unkn(%u)", hdr->action),
-	    tok2str(pf_directions, "unkn(%u)", hdr->dir),
-	    hdr->ifname);
+	if (hdr->length == PFLOG_HDRV2_LEN) {
+		hdr_version = 2;
+		v2hdr = (struct pfloghdr_v2 *)hdr;
+		__PFLOG_PRINT_HDR(v2hdr);
+	} else {
+		hdr_version = 1;
+		__PFLOG_PRINT_HDR(hdr);
+	}
 }
 
+#undef __PFLOG_PRINT_HDR
+
 u_int
 pflog_if_print(const struct pcap_pkthdr *h, register const u_char *p)
 {
--- tcpdump-pflog-v2.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: