From a0942b10af817d9babc3e6a5ec8005dfb7e4e3e8 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Wed, 20 Jan 2021 13:40:15 +0000
Subject: [PATCH] Print rewritten addresses in tcpdump(8) logged with pflog(4) for rdr-to, nat-to, af-to rules.
The kernel uses the information from the packet description and fills it into the fields in the pflog header. While doing this, it is trival to figure out whether the packet has been rewritten.
OK sashan@
---
 sys/net/if_pflog.c | 13 ++++++++++---
 usr.sbin/tcpdump/print-pflog.c | 31 ++++++++++++++++++-------------
 2 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c
index b574900593e..7b63991676e 100644
--- a/sys/net/if_pflog.c
+++ b/sys/net/if_pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.c,v 1.95 2021/01/19 22:22:23 bluhm Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.96 2021/01/20 13:40:15 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -230,11 +230,18 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
 hdr.rule_uid = rm->cuid;
 hdr.rule_pid = rm->cpid;
 hdr.dir = pd->dir;
+ hdr.af = pd->af;
+ if (pd->af != pd->naf ||
+ pf_addr_compare(pd->src, &pd->nsaddr, pd->naf) != 0 ||
+ pf_addr_compare(pd->dst, &pd->ndaddr, pd->naf) != 0 ||
+ pd->osport != pd->nsport ||
+ pd->odport != pd->ndport) {
+ hdr.rewritten = 1;
+ }
+ hdr.naf = pd->naf;
 pf_addrcpy(&hdr.saddr, &pd->nsaddr, pd->naf);
 pf_addrcpy(&hdr.daddr, &pd->ndaddr, pd->naf);
- hdr.af = pd->af;
- hdr.naf = pd->naf;
 hdr.sport = pd->nsport;
 hdr.dport = pd->ndport;
diff --git a/usr.sbin/tcpdump/print-pflog.c b/usr.sbin/tcpdump/print-pflog.c
index 26475f9df33..c207771d936 100644
--- a/usr.sbin/tcpdump/print-pflog.c
+++ b/usr.sbin/tcpdump/print-pflog.c
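Review bot: The new `rewritten` flag is only ever set, never cleared, in this hunk, so its value for the non-rewritten case depends on `hdr` having been zeroed earlier in pflog_packet (outside the hunk; the function continues on both sides of it); if that zeroing is not there, the byte reaches the pflog reader uninitialized. An explicit `hdr.rewritten = 0;` before the `if`, or an `else` branch, would keep that contract local to the code that decides it. The comparison is also subtle enough to deserve a comment, e.g. `/* saddr/daddr below always carry the post-translation (naf) addresses; flag when they differ from what the packet itself carries */`, since otherwise a reader has to work out that af/naf and saddr/daddr are not an original/new pair. Note that `pf_addr_compare` is only reached when `pd->af == pd->naf`, so passing `pd->naf` as the comparison family is safe.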
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-pflog.c,v 1.32 2018/10/22 16:12:45 kn Exp $ */
+/* $OpenBSD: print-pflog.c,v 1.33 2021/01/20 13:40:15 bluhm Exp $ */
 /*
 * Copyright (c) 1990, 1991, 1993, 1994, 1995, 1996
@@ -64,7 +64,6 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
 const struct ip *ip;
 const struct ip6_hdr *ip6;
 const struct pfloghdr *hdr;
- u_int8_t af;
 ts_print(&h->ts);
@@ -153,34 +152,40 @@ pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
 if (vflag && hdr->rewritten) {
 char buf[48];
- if (inet_ntop(hdr->af, &hdr->saddr.v4, buf,
+ printf("[rewritten: ");
+ if (inet_ntop(hdr->naf, &hdr->saddr, buf,
 sizeof(buf)) == NULL)
- printf("[orig src ?, ");
+ printf("src ?");
 else
- printf("[orig src %s:%u, ", buf,
- ntohs(hdr->sport));
- if (inet_ntop(hdr->af, &hdr->daddr.v4, buf,
+ printf("src %s:%u", buf, ntohs(hdr->sport));
+ printf(", ");
+ if (inet_ntop(hdr->naf, &hdr->daddr, buf,
 sizeof(buf)) == NULL)
- printf("dst ?] ");
+ printf("dst ?");
 else
- printf("dst %s:%u] ", buf,
- ntohs(hdr->dport));
+ printf("dst %s:%u", buf, ntohs(hdr->dport));
+ printf("] ");
 }
 }
- af = hdr->naf;
 length -= hdrlen;
- if (af == AF_INET) {
+ switch(hdr->af) {
+ case AF_INET:
 ip = (struct ip *)(p + hdrlen);
 ip_print((const u_char *)ip, length);
 if (xflag)
 default_print((const u_char *)ip, caplen - hdrlen);
- } else {
+ break;
+ case AF_INET6:
 ip6 = (struct ip6_hdr *)(p + hdrlen);
 ip6_print((const u_char *)ip6, length);
 if (xflag)
 default_print((const u_char *)ip6, caplen - hdrlen);
+ break;
+ default:
+ printf("unknown-af %d", hdr->af);
+ break;
 }
 out:
-- 
2.20.1
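Review bot: The new `default:` case prints `unknown-af %d` but skips the hex dump the other two cases emit under `xflag`, so a capture carrying an unexpected family cannot be inspected with -x at all; adding `if (xflag) default_print(p + hdrlen, caplen - hdrlen);` before its `break;` keeps the flag's behaviour uniform across families. Style: `switch(hdr->af)` wants a space before the parenthesis to match the rest of the file's KNF. Dispatching the payload on `hdr->af` while the rewritten block formats with `hdr->naf` is consistent with the kernel side of this commit, where the packet bytes keep the original family and the header addresses carry the translated one; a one-line comment above the switch, e.g. `/* the logged packet is pre-translation, so parse it with af, not naf */`, would save the next reader that reasoning. pflog_if_print begins and ends outside the hunk.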