root/net/if_pflog.c

DEFINITIONS

1. pflogattach
2. pflog_clone_create
3. pflog_clone_destroy
4. pflogstart
5. pflogoutput
6. pflogioctl
7. pflog_packet

    1 /*      $OpenBSD: if_pflog.c,v 1.24 2007/05/26 17:13:30 jason Exp $     */
    2 /*
    3  * The authors of this code are John Ioannidis (ji@tla.org),
    4  * Angelos D. Keromytis (kermit@csd.uch.gr) and 
    5  * Niels Provos (provos@physnet.uni-hamburg.de).
    6  *
    7  * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 
    8  * in November 1995.
    9  *
   10  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
   11  * by Angelos D. Keromytis.
   12  *
   13  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
   14  * and Niels Provos.
   15  *
   16  * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
   17  * and Niels Provos.
   18  * Copyright (c) 2001, Angelos D. Keromytis, Niels Provos.
   19  *
   20  * Permission to use, copy, and modify this software with or without fee
   21  * is hereby granted, provided that this entire notice is included in
   22  * all copies of any software which is or includes a copy or
   23  * modification of this software. 
   24  * You may use this code under the GNU public license if you so wish. Please
   25  * contribute changes back to the authors under this freer than GPL license
   26  * so that we may further the use of strong encryption without limitations to
   27  * all.
   28  *
   29  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   30  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   31  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   32  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   33  * PURPOSE.
   34  */
   36 #include "bpfilter.h"
   37 #include "pflog.h"
   39 #include <sys/param.h>
   40 #include <sys/systm.h>
   41 #include <sys/mbuf.h>
   42 #include <sys/proc.h>
   43 #include <sys/socket.h>
   44 #include <sys/ioctl.h>
   46 #include <net/if.h>
   47 #include <net/if_types.h>
   48 #include <net/route.h>
   49 #include <net/bpf.h>
   51 #ifdef  INET
   52 #include <netinet/in.h>
   53 #include <netinet/in_var.h>
   54 #include <netinet/in_systm.h>
   55 #include <netinet/ip.h>
   56 #endif
   58 #ifdef INET6
   59 #ifndef INET
   60 #include <netinet/in.h>
   61 #endif
   62 #include <netinet6/nd6.h>
   63 #endif /* INET6 */
   65 #include <net/pfvar.h>
   66 #include <net/if_pflog.h>
   68 #define PFLOGMTU        (32768 + MHLEN + MLEN)
   70 #ifdef PFLOGDEBUG
   71 #define DPRINTF(x)    do { if (pflogdebug) printf x ; } while (0)
   72 #else
   73 #define DPRINTF(x)
   74 #endif
   76 void    pflogattach(int);
   77 int     pflogoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
   78                        struct rtentry *);
   79 int     pflogioctl(struct ifnet *, u_long, caddr_t);
   80 void    pflogstart(struct ifnet *);
   81 int     pflog_clone_create(struct if_clone *, int);
   82 int     pflog_clone_destroy(struct ifnet *);
LIST_HEAD(, pflog_softc)        pflogif_list;
   85 struct if_clone pflog_cloner =
IF_CLONE_INITIALIZER("pflog", pflog_clone_create, pflog_clone_destroy);
   88 struct ifnet    *pflogifs[PFLOGIFS_MAX];        /* for fast access */
   90 void
pflogattach(int npflog)
   92 {
   93         int     i;
LIST_INIT(&pflogif_list);
   95         for (i = 0; i < PFLOGIFS_MAX; i++)
pflogifs[i] = NULL;
if_clone_attach(&pflog_cloner);
   98 }
  100 int
pflog_clone_create(struct if_clone *ifc, int unit)
  102 {
  103         struct ifnet *ifp;
  104         struct pflog_softc *pflogif;
  105         int s;
  107         if (unit >= PFLOGIFS_MAX)
  108                 return (EINVAL);
  110         if ((pflogif = malloc(sizeof(*pflogif), M_DEVBUF, M_NOWAIT)) == NULL)
  111                 return (ENOMEM);
bzero(pflogif, sizeof(*pflogif));
pflogif->sc_unit = unit;
ifp = &pflogif->sc_if;
snprintf(ifp->if_xname, sizeof ifp->if_xname, "pflog%d", unit);
ifp->if_softc = pflogif;
ifp->if_mtu = PFLOGMTU;
ifp->if_ioctl = pflogioctl;
ifp->if_output = pflogoutput;
ifp->if_start = pflogstart;
ifp->if_type = IFT_PFLOG;
ifp->if_snd.ifq_maxlen = ifqmaxlen;
ifp->if_hdrlen = PFLOG_HDRLEN;
if_attach(ifp);
if_alloc_sadl(ifp);
  128 #if NBPFILTER > 0
bpfattach(&pflogif->sc_if.if_bpf, ifp, DLT_PFLOG, PFLOG_HDRLEN);
  130 #endif
s = splnet();
LIST_INSERT_HEAD(&pflogif_list, pflogif, sc_list);
pflogifs[unit] = ifp;
splx(s);
  137         return (0);
  138 }
  140 int
pflog_clone_destroy(struct ifnet *ifp)
  142 {
  143         struct pflog_softc      *pflogif = ifp->if_softc;
  144         int                      s;
s = splnet();
pflogifs[pflogif->sc_unit] = NULL;
LIST_REMOVE(pflogif, sc_list);
splx(s);
  151 #if NBPFILTER > 0
bpfdetach(ifp);
  153 #endif
if_detach(ifp);
free(pflogif, M_DEVBUF);
  156         return (0);
  157 }
  159 /*
  160  * Start output on the pflog interface.
  161  */
  162 void
pflogstart(struct ifnet *ifp)
  164 {
  165         struct mbuf *m;
  166         int s;
  168         for (;;) {
s = splnet();
IF_DROP(&ifp->if_snd);
IF_DEQUEUE(&ifp->if_snd, m);
splx(s);
  174                 if (m == NULL)
  175                         return;
  176                 else
m_freem(m);
  178         }
  179 }
  181 int
pflogoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
  183         struct rtentry *rt)
  184 {
m_freem(m);
  186         return (0);
  187 }
  189 /* ARGSUSED */
  190 int
pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
  192 {
  193         switch (cmd) {
  194         case SIOCSIFADDR:
  195         case SIOCAIFADDR:
  196         case SIOCSIFDSTADDR:
  197         case SIOCSIFFLAGS:
  198                 if (ifp->if_flags & IFF_UP)
ifp->if_flags |= IFF_RUNNING;
  200                 else
ifp->if_flags &= ~IFF_RUNNING;
  202                 break;
  203         default:
  204                 return (EINVAL);
  205         }
  207         return (0);
  208 }
  210 int
pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
u_int8_t reason, struct pf_rule *rm, struct pf_rule *am,
  213     struct pf_ruleset *ruleset, struct pf_pdesc *pd)
  214 {
  215 #if NBPFILTER > 0
  216         struct ifnet *ifn;
  217         struct pfloghdr hdr;
  219         if (kif == NULL || m == NULL || rm == NULL || pd == NULL)
  220                 return (-1);
  222         if ((ifn = pflogifs[rm->logif]) == NULL || !ifn->if_bpf)
  223                 return (0);
bzero(&hdr, sizeof(hdr));
hdr.length = PFLOG_REAL_HDRLEN;
hdr.af = af;
hdr.action = rm->action;
hdr.reason = reason;
memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
  232         if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
hdr.subrulenr = -1;
  235         } else {
hdr.rulenr = htonl(am->nr);
hdr.subrulenr = htonl(rm->nr);
  238                 if (ruleset != NULL && ruleset->anchor != NULL)
strlcpy(hdr.ruleset, ruleset->anchor->name,
  240                             sizeof(hdr.ruleset));
  241         }
  242         if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
pd->lookup.done = pf_socket_lookup(dir, pd);
  244         if (pd->lookup.done > 0) {
hdr.uid = pd->lookup.uid;
hdr.pid = pd->lookup.pid;
  247         } else {
hdr.uid = UID_MAX;
hdr.pid = NO_PID;
  250         }
hdr.rule_uid = rm->cuid;
hdr.rule_pid = rm->cpid;
hdr.dir = dir;
  255 #ifdef INET
  256         if (af == AF_INET && dir == PF_OUT) {
  257                 struct ip *ip;
ip = mtod(m, struct ip *);
ip->ip_sum = 0;
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
  262         }
  263 #endif /* INET */
ifn->if_opackets++;
ifn->if_obytes += m->m_pkthdr.len;
bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, PFLOG_HDRLEN, m,
BPF_DIRECTION_OUT);
  269 #endif
  271         return (0);
  272 }