On 9/24/06, Jean Raby <[EMAIL PROTECTED]> wrote:
Hello,

Here's a small diff for PFLog.pm in net/p5-NetPacket.

The pflog header changed in src/sys/net/if_pflog.h rev 1.12,
so PFLog.pm had to be changed accordingly.

The new fields should be documented
(which field is which? rule_uid/pid are the info about the process
that inserted the rule?)


From the cvs log message:
"log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket."


This patch seems to work fine here; at least I'm able to read $data.



--- PFLog.pm.org    Fri Sep 22 00:13:56 2006
+++ PFLog.pm    Sun Sep 24 18:58:06 2006
@@ -58,7 +58,7 @@
 use constant DLT_PFLOG => 117;

 #  maximum size of the header (in bytes) in the pcap dump
-use constant PFLOG_HDRLEN => 48;
+use constant PFLOG_HDRLEN => 64;

 #  packet filter constants (src/sys/net/pfvar.h)
 my %PF_DIR = (
@@ -96,8 +96,8 @@
    # [OpenBSD]/src/sys/net/if_pflog.h v1.10
    if (defined $pkt) {
        my ($len, $af, $action, $reason, $ifname, $ruleset, $rulenr,
-           $subrulenr, $dir, $pad, $data) =
-           unpack("CCCCa16a16NNCa3a*", $pkt);
+           $subrulenr, $uid, $pid, $rule_uid, $rule_pid, $dir, $pad, $data) =
+           unpack("CCCCa16a16NNIiIiCa3a*", $pkt);

        #  strip trailing NULs
        $ifname =~ s/\W//g;
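
Review bot: the four new fields in the unpack template are read with I and i, which in Perl are native byte order and native int size, while the neighbouring rulenr/subrulenr use N (big-endian, fixed 32 bits). The decoded uid/pid values therefore depend on the machine running the parser rather than on the capture, so a pflog dump read on a host of the other endianness gives wrong values. Add a comment stating that these fields are expected in the capturing host's byte order, or use an explicit-order format if the header defines one. The $len byte unpacked first could also be used to tell an old 48-byte header from the new layout instead of decoding it with the wrong template, and the comment above still cites if_pflog.h v1.10 although the mail says the layout changed in rev 1.12.
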
@@ -111,6 +111,10 @@
        $self->{ruleset} = $ruleset;
        $self->{rulenr} = $rulenr;
        $self->{subrulenr} = $subrulenr;
+       $self->{uid} = $uid;
+       $self->{pid} = $pid;
+       $self->{rule_uid} = $rule_uid;
+       $self->{rule_pid} = $rule_pid;
        $self->{dir} = $PF_DIR{$dir};
        $self->{pad} = $pad;

@@ -150,9 +154,10 @@

    # based on pfloghdr struct in:
    # [OpenBSD]/src/sys/net/if_pflog.h v1.10
-   my $packet = pack("CCCCa16a16NNCa3a*",
+   my $packet = pack("CCCCa16a16NNIiIiCa3a*",
        $self->{len}. $self->{af}, $action, $reason, $self->{ifname},
        $self->{ruleset}, $self->{rulenr}, $self->{subrulenr},
+       $self->{uid}, $self->{pid}, $self->{rule_uid}, $self->{rule_pid},
        $dir, $self->{pad}, $ip);

    return $packet;
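
Review bot: in the pack() argument list the context line reads "$self->{len}. $self->{af}", with a "." where a "," is expected, so len and af are concatenated into one argument and every following value lands one template slot early. With the template now extended to "CCCCa16a16NNIiIiCa3a*", a header built here will not round-trip through decode. Change the "." to "," in this patch (unless it is a mail artifact), and update the v1.10 reference in the comment to the revision this layout comes from.
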
@@ -255,6 +260,15 @@

 The rule number in the subruleset that the packet matched. The value
 will be 2^32-1 if the packet matched in the main ruleset only.
+
+=item uid
+
+=item pid
+
+=item rule_uid
+
+=item rule_pid
+

 =item dir

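
Review bot: the four =item entries (uid, pid, rule_uid, rule_pid) are added to the POD with no description, which is the open question the mail itself raises. The cvs log quoted above supplies the wording: rule_uid/rule_pid are the uid/pid of the process that inserted the rule which causes the logging, and uid/pid are those of the local process when the logged packet is delivered to or from a local socket. The POD should also state what a caller sees in uid/pid when no local socket is involved.
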

Hello,

I sent this to ports@ and to the maintainer of the port (msf@) a
couple of weeks ago and haven't received any feedback yet.

NetPacket::PFLog has been broken for 16 months (since the pfloghdr
struct has changed). Has anyone looked into this?


Thanks

Jean
