Print rewritten addresses in tcpdump(8) logged with pflog(4) for
authorbluhm <bluhm@openbsd.org>
Wed, 20 Jan 2021 13:40:15 +0000 (13:40 +0000)
committerbluhm <bluhm@openbsd.org>
Wed, 20 Jan 2021 13:40:15 +0000 (13:40 +0000)
rdr-to, nat-to, af-to rules.  The kernel uses the information from
the packet description and fills it into the fields in the pflog
header.  While doing this, it is trivial to figure out whether the
packet has been rewritten.
OK sashan@

sys/net/if_pflog.c
usr.sbin/tcpdump/print-pflog.c

index b574900..7b63991 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_pflog.c,v 1.95 2021/01/19 22:22:23 bluhm Exp $     */
+/*     $OpenBSD: if_pflog.c,v 1.96 2021/01/20 13:40:15 bluhm Exp $     */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -230,11 +230,18 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
        hdr.rule_uid = rm->cuid;
        hdr.rule_pid = rm->cpid;
        hdr.dir = pd->dir;
+       hdr.af = pd->af;
 
+       if (pd->af != pd->naf ||
+           pf_addr_compare(pd->src, &pd->nsaddr, pd->naf) != 0 ||
+           pf_addr_compare(pd->dst, &pd->ndaddr, pd->naf) != 0 ||
+           pd->osport != pd->nsport ||
+           pd->odport != pd->ndport) {
+               hdr.rewritten = 1;
+       }
+       hdr.naf = pd->naf;
        pf_addrcpy(&hdr.saddr, &pd->nsaddr, pd->naf);
        pf_addrcpy(&hdr.daddr, &pd->ndaddr, pd->naf);
-       hdr.af = pd->af;
-       hdr.naf = pd->naf;
        hdr.sport = pd->nsport;
        hdr.dport = pd->ndport;
 
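Review bot: `hdr.rewritten` is assigned only inside the new `if`, so for an untranslated packet its value is whatever `hdr` already held, and the initialisation of `hdr` is outside this hunk (pflog_packet starts and ends outside it). Because this header is what tcpdump(8) later parses, a stale byte there would make `-v` output report a rewrite that never happened and would hand uninitialised kernel stack to capture readers. If `hdr` is zeroed earlier in the function, record that dependency next to the test with `/* hdr is zeroed above, so rewritten stays 0 for untranslated packets */`. If it is not, add `hdr.rewritten = 0;` before the `if`.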
index 26475f9..c207771 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: print-pflog.c,v 1.32 2018/10/22 16:12:45 kn Exp $     */
+/*     $OpenBSD: print-pflog.c,v 1.33 2021/01/20 13:40:15 bluhm Exp $  */
 
 /*
  * Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996
@@ -64,7 +64,6 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
        const struct ip *ip;
        const struct ip6_hdr *ip6;
        const struct pfloghdr *hdr;
-       u_int8_t af;
 
        ts_print(&h->ts);
 
@@ -153,34 +152,40 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
                if (vflag && hdr->rewritten) {
                        char buf[48];
 
-                       if (inet_ntop(hdr->af, &hdr->saddr.v4, buf,
+                       printf("[rewritten: ");
+                       if (inet_ntop(hdr->naf, &hdr->saddr, buf,
                            sizeof(buf)) == NULL)
-                               printf("[orig src ?, ");
+                               printf("src ?");
                        else
-                               printf("[orig src %s:%u, ", buf,
-                                   ntohs(hdr->sport));
-                       if (inet_ntop(hdr->af, &hdr->daddr.v4, buf,
+                               printf("src %s:%u", buf, ntohs(hdr->sport));
+                       printf(", ");
+                       if (inet_ntop(hdr->naf, &hdr->daddr, buf,
                            sizeof(buf)) == NULL)
-                               printf("dst ?");
+                               printf("dst ?");
                        else
-                               printf("dst %s:%u] ", buf,
-                                   ntohs(hdr->dport));
+                               printf("dst %s:%u", buf, ntohs(hdr->dport));
+                       printf("] ");
                }
        }
-       af = hdr->naf;
        length -= hdrlen;
-       if (af == AF_INET) {
+       switch(hdr->af) {
+       case AF_INET:
                ip = (struct ip *)(p + hdrlen);
                ip_print((const u_char *)ip, length);
                if (xflag)
                        default_print((const u_char *)ip,
                            caplen - hdrlen);
-       } else {
+               break;
+       case AF_INET6:
                ip6 = (struct ip6_hdr *)(p + hdrlen);
                ip6_print((const u_char *)ip6, length);
                if (xflag)
                        default_print((const u_char *)ip6,
                            caplen - hdrlen);
+               break;
+       default:
+               printf("unknown-af %d", hdr->af);
+               break;
        }
 
 out:
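Review bot: The new `default:` arm prints `unknown-af` and stops, so with `xflag` set a record carrying an unexpected address family gets no hex dump, although that is the record an analyst looking at a damaged or untrusted capture most needs to see raw. Adding `if (xflag) default_print(p + hdrlen, caplen - hdrlen);` before the `break` would keep it consistent with the AF_INET and AF_INET6 arms. That subtraction, like the reads of `hdr->naf`, `hdr->saddr` and `hdr->daddr` in the rewritten block, relies on the header length checks earlier in pflog_if_print, which are outside this hunk and should be confirmed to cover those fields. As a style point, KNF puts a space after the keyword: `switch (hdr->af) {`.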