and on top of the previous pflog diffs - pass the original (pre-translation) src and dst out
to userland and make tcpdump print them with -v, and only if some
rewriting is going on
02:06:54.231602 rule 9/(match) [uid 0, pid 27595] pass in on re0:
[orig src 192.168.254.52:33986, dst 192.168.254.84:2222]
192.168.254.52.33986 > 127.0.0.1.22: S 2714208976:2714208976(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp
1079933916[|tcp]> (ttl 64, id 17254, len 64)
Index: sys/net/if_pflog.c
===================================================================
RCS file: /cvs/src/sys/net/if_pflog.c,v
retrieving revision 1.29
diff -u -p -r1.29 if_pflog.c
--- sys/net/if_pflog.c 21 Sep 2010 04:06:37 -0000 1.29
+++ sys/net/if_pflog.c 21 Sep 2010 08:10:35 -0000
@@ -286,6 +286,8 @@ pflog_bpfcopy(const void *src_arg, void
} pf_hdrs;
struct pf_pdesc pd;
+ struct pf_addr osaddr, odaddr;
+ u_int16_t osport, odport;
m = src_arg;
dst = dst_arg;
@@ -297,6 +299,7 @@ pflog_bpfcopy(const void *src_arg, void
pfloghdr = mtod(m, struct pfloghdr *);
count = min(m->m_len, len);
bcopy(pfloghdr, dst, count);
+ pfloghdr = (struct pfloghdr *)dst;
dst += count;
len -= count;
m = m->m_next;
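Review bot: The added `pfloghdr = (struct pfloghdr *)dst;` silently changes what every later store through pfloghdr targets (the bpf copy instead of the mbuf), which is the whole reason the rewritten/saddr/daddr/sport/dport writes further down are safe to make; that deserves a comment such as `/* from here on pfloghdr refers to the bpf copy; later stores must not touch the original mbuf */`. Those later stores also assume the copy holds a complete header, but count is only `min(m->m_len, len)`; unless the surrounding code (outside this hunk) already guarantees both the first mbuf and len cover sizeof(*pfloghdr), a guard like `if (count < sizeof(*pfloghdr)) return;` before dereferencing the copy would prevent writing past a short dst buffer. pflog_bpfcopy begins before this hunk, so I cannot see whether such a check already exists.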
@@ -333,8 +336,20 @@ pflog_bpfcopy(const void *src_arg, void
if (pf_setup_pdesc(pfloghdr->af, pfloghdr->dir, &pd, mfake, &action,
&reason, NULL, NULL, NULL, NULL, &off, &hdrlen) == -1)
return;
- if (pf_translate(&pd, &pfloghdr->saddr, pfloghdr->sport,
- &pfloghdr->daddr, pfloghdr->dport, 0, pfloghdr->dir, mfake))
+
+ PF_ACPY(&osaddr, pd.src, pd.af);
+ PF_ACPY(&odaddr, pd.dst, pd.af);
+ osport = *pd.sport;
+ odport = *pd.dport;
+
+ if ((pfloghdr->rewritten = pf_translate(&pd, &pfloghdr->saddr,
+ pfloghdr->sport, &pfloghdr->daddr, pfloghdr->dport, 0,
+ pfloghdr->dir, mfake))) {
m_copyback(mfake, off, min(mfake->m_len - off, hdrlen),
pd.hdr.any, M_NOWAIT);
+ PF_ACPY(&pfloghdr->saddr, &osaddr, pd.af);
+ PF_ACPY(&pfloghdr->daddr, &odaddr, pd.af);
+ pfloghdr->sport = osport;
+ pfloghdr->dport = odport;
+ }
}
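Review bot: `osport = *pd.sport;` and `odport = *pd.dport;` dereference the pdesc port pointers unconditionally, but pf_setup_pdesc only has transport ports for some protocols; if it leaves sport/dport NULL for port-less protocols (which I cannot confirm from this hunk), a logged packet of such a protocol would NULL-dereference in the kernel on the bpf tap path. Guarding them is cheap: `osport = odport = 0;` followed by `if (pd.sport) osport = *pd.sport;` and `if (pd.dport) odport = *pd.dport;`. Note that with the guard the ports written back on the rewritten path are then 0 for such packets, which tcpdump prints as `:0`; that seems acceptable but is worth stating in a comment. pflog_bpfcopy starts before this hunk.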
Index: sys/net/if_pflog.h
===================================================================
RCS file: /cvs/src/sys/net/if_pflog.h,v
retrieving revision 1.16
diff -u -p -r1.16 if_pflog.h
--- sys/net/if_pflog.h 21 Sep 2010 04:06:37 -0000 1.16
+++ sys/net/if_pflog.h 21 Sep 2010 08:10:35 -0000
@@ -53,7 +53,8 @@ struct pfloghdr {
uid_t rule_uid;
pid_t rule_pid;
u_int8_t dir;
- u_int8_t pad[3];
+ u_int8_t rewritten;
+ u_int8_t pad[2];
struct pf_addr saddr;
struct pf_addr daddr;
u_int16_t sport;
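Review bot: The new `rewritten` byte is undocumented, and since it is carved out of the former pad it is part of the DLT_PFLOG on-wire layout that libpcap/tcpdump readers interpret; a one-line comment on the field would help, e.g. `u_int8_t rewritten; /* non-zero: saddr/daddr/sport/dport hold the pre-translation addresses/ports */`. The replacement of `pad[3]` by `rewritten` plus `pad[2]` keeps the struct size unchanged, which is good, but it means captures written by kernels before this change carry whatever that pad byte held; if the header is not zeroed where it is built (not visible here), old captures could show a bogus "orig src/dst" line, so it is worth confirming the pad is always cleared.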
Index: usr.sbin/tcpdump/print-pflog.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-pflog.c,v
retrieving revision 1.21
diff -u -p -r1.21 print-pflog.c
--- usr.sbin/tcpdump/print-pflog.c 26 Jun 2010 16:47:07 -0000 1.21
+++ usr.sbin/tcpdump/print-pflog.c 21 Sep 2010 08:10:35 -0000
@@ -21,6 +21,7 @@
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/socket.h>
@@ -43,6 +44,8 @@ struct rtentry;
#include <net/pfvar.h>
+#include <arpa/inet.h>
+
#include <ctype.h>
#include <netdb.h>
#include <pcap.h>
@@ -152,6 +155,22 @@ pflog_if_print(u_char *user, const struc
if (vflag && hdr->pid != NO_PID)
printf("[uid %u, pid %u] ", (unsigned)hdr->uid,
(unsigned)hdr->pid);
+ if (vflag && hdr->rewritten) {
+ char buf[48];
+
+ if (inet_ntop(hdr->af, &hdr->saddr.v4, buf,
+ sizeof(buf)) == NULL)
+ printf("[orig src ?, ");
+ else
+ printf("[orig src %s:%u, ", buf,
+ ntohs(hdr->sport));
+ if (inet_ntop(hdr->af, &hdr->daddr.v4, buf,
+ sizeof(buf)) == NULL)
+ printf("dst ?] ");
+ else
+ printf("dst %s:%u] ", buf,
+ ntohs(hdr->dport));
+ }
}
af = hdr->af;
length -= hdrlen;
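Review bot: Both inet_ntop calls pass `&hdr->saddr.v4` / `&hdr->daddr.v4` even for AF_INET6, which only works because the union members share an address; passing `&hdr->saddr` and `&hdr->daddr` states the intent and avoids relying on that, and `char buf[48]` should be `char buf[INET6_ADDRSTRLEN]` rather than a magic number. `hdr->af` and `hdr->rewritten` come straight from the capture, so the `inet_ntop() == NULL` fallback to `?` is the right defensive choice; please also make sure the earlier length validation (outside this hunk) covers the full sizeof(*hdr) before saddr/daddr/sport/dport are read, since they sit at the tail of the header. The two nearly identical branches could be a small static helper that prints one address:port, which would also make the `?` fallback consistent.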
--
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting