From rea-fbsd@codelabs.ru  Mon Sep 24 17:35:54 2007
Message-Id: <20070924173551.4D5E71AF41C@void.codelabs.ru>
Date: Mon, 24 Sep 2007 21:35:51 +0400 (MSD)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: max@love2party.net, freebsd-current@freebsd.org
Subject: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output

>Number:         116610
>Category:       bin
>Synopsis:       [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gavin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 24 17:40:02 GMT 2007
>Closed-Date:    Fri Jun 13 21:30:09 UTC 2008
>Last-Modified:  Fri Jun 13 21:30:09 UTC 2008
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Code Labs
>Environment:

System: FreeBSD XXX 7.0-CURRENT FreeBSD 7.0-CURRENT #10: Wed Sep 12 16:16:49 MSD 2007 root@XXX:/usr/src/sys/i386/compile/XXX i386

>Description:

Version 1.9 of /sys/contrib/pf/net/if_pflog.h (Import of pf from
OpenBSD 4.1) introduced a backwards-incompatible change to
'struct pfloghdr': the 'dir' and 'pad' members moved far away from
their previous positions.

This is not a problem for pf itself, but tcpdump is no longer
able to print the packet direction correctly.

>How-To-Repeat:

Spawn tcpdump like 'tcpdump -lvvnetti pflog0' on 7-CURRENT built
from sources newer than Tue Jul 3 16:16:07 2007 MSD and see
that the link-level header contains a weird 'unkn(255)' direction:
"rule 14/0(match): block unkn(255) on uplink".

>Fix:

The following patch will cure the situation.  I know that the best
thing that can be done is to commit it to the tcpdump itself, but

a) this is a long process, since it requires the tcpdump team to accept
   the patch and Someone (TM) to import the new tcpdump sources into
   FreeBSD;
b) other eyes should see and criticize this patch.

I have tested this patch myself on 7-CURRENT and 6.2-STABLE.
No regressions have been seen yet, and tcpdump works like a charm with
the new pflog0 packets, showing 'in' and 'out' ;))

--- tcpdump-pflog-v2.patch begins here ---
--- contrib/tcpdump/pf.h.orig	2007-09-24 19:59:29.000000000 +0400
+++ contrib/tcpdump/pf.h	2007-09-24 20:31:40.000000000 +0400
@@ -29,6 +29,9 @@
  * @(#) $Header: /tcpdump/master/tcpdump/pf.h,v 1.2 2004/04/02 06:36:25 guy Exp $ (LBL)
  */
 
+/* We need offsetof() macro */
+#include <stddef.h>
+
 /*	from $OpenBSD: pfvar.h,v 1.170 2003/08/22 21:50:34 david Exp $ */
 
 enum	{ PF_INOUT=0, PF_IN=1, PF_OUT=2 };
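Review bot: the comment at `+/* We need offsetof() macro */` should name what the macro is for in this file (the PFLOG_HDRV2_LEN definition added further down), so that a later header cleanup does not drop the include as apparently unused; something like `/* offsetof() for PFLOG_HDRV2_LEN below */`.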
@@ -75,3 +78,23 @@
 	u_int8_t	pad[3];
 };
 #define PFLOG_HDRLEN		sizeof(struct pfloghdr)
+
+/*	from $OpenBSD: if_pflog.h,v 1.14 2006/10/25 11:27:01 henning Exp $ */
+
+struct pfloghdr_v2 {
+	u_int8_t	length;
+	sa_family_t	af;
+	u_int8_t	action;
+	u_int8_t	reason;
+	char		ifname[IFNAMSIZ];
+	char		ruleset[PF_RULESET_NAME_SIZE];
+	u_int32_t	rulenr;
+	u_int32_t	subrulenr;
+	uid_t		uid;
+	pid_t		pid;
+	uid_t		rule_uid;
+	pid_t		rule_pid;
+	u_int8_t	dir;
+	u_int8_t	pad[3];
+};
+#define PFLOG_HDRV2_LEN		offsetof(struct pfloghdr_v2, pad)
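Review bot: `+#define PFLOG_HDRV2_LEN offsetof(struct pfloghdr_v2, pad)` takes its value from the host's sizes of uid_t, pid_t and sa_family_t, so the length byte in a trace written on a machine with a different ABI will not equal it and the reader will silently fall back to the v1 layout; a comment beside the define saying that this header is only expected to match traces from the local machine (and which widths the value 61 on i386 assumes) would make that limitation explicit. Also worth noting in the comment that struct pfloghdr_v2 deliberately repeats the first eight members of struct pfloghdr so that the two can be told apart by `length` alone.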
--- contrib/tcpdump/print-pflog.c.orig	2007-09-24 19:10:09.000000000 +0400
+++ contrib/tcpdump/print-pflog.c	2007-09-24 20:30:36.000000000 +0400
@@ -72,25 +72,43 @@
 #define	OPENBSD_AF_INET		2
 #define	OPENBSD_AF_INET6	24
 
+#define __PFLOG_PRINT_HDR(hdr)						\
+do {									\
+	u_int32_t rulenr, subrulenr;					\
+									\
+	rulenr = ntohl((hdr)->rulenr);					\
+	subrulenr = ntohl((hdr)->subrulenr);				\
+	if (subrulenr == (u_int32_t)-1)					\
+		printf("rule %u/", rulenr);				\
+	else								\
+		printf("rule %u.%s.%u/", rulenr, (hdr)->ruleset,	\
+		    subrulenr);						\
+									\
+	printf("%s: %s %s on %s: ",					\
+	    tok2str(pf_reasons, "unkn(%u)", (hdr)->reason),		\
+	    tok2str(pf_actions, "unkn(%u)", (hdr)->action),		\
+	    tok2str(pf_directions, "unkn(%u)", (hdr)->dir),		\
+	    (hdr)->ifname);						\
+} while (0)
+
 static void
 pflog_print(const struct pfloghdr *hdr)
 {
-	u_int32_t rulenr, subrulenr;
+	u_int8_t hdr_version;
+	struct pfloghdr_v2 *v2hdr;
 
-	rulenr = ntohl(hdr->rulenr);
-	subrulenr = ntohl(hdr->subrulenr);
-	if (subrulenr == (u_int32_t)-1)
-		printf("rule %u/", rulenr);
-	else
-		printf("rule %u.%s.%u/", rulenr, hdr->ruleset, subrulenr);
-
-	printf("%s: %s %s on %s: ",
-	    tok2str(pf_reasons, "unkn(%u)", hdr->reason),
-	    tok2str(pf_actions, "unkn(%u)", hdr->action),
-	    tok2str(pf_directions, "unkn(%u)", hdr->dir),
-	    hdr->ifname);
+	if (hdr->length == PFLOG_HDRV2_LEN) {
+		hdr_version = 2;
+		v2hdr = (struct pfloghdr_v2 *)hdr;
+		__PFLOG_PRINT_HDR(v2hdr);
+	} else {
+		hdr_version = 1;
+		__PFLOG_PRINT_HDR(hdr);
+	}
 }
 
+#undef __PFLOG_PRINT_HDR
+
 u_int
 pflog_if_print(const struct pcap_pkthdr *h, register const u_char *p)
 {
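Review bot: the v2 branch at `v2hdr = (struct pfloghdr_v2 *)hdr;` goes on to read `(hdr)->dir` beyond the end of the v1 header on the strength of `hdr->length` alone, and `pflog_print(const struct pfloghdr *hdr)` receives no caplen, so nothing in this function guarantees the captured bytes extend that far; please confirm the caller validates the captured length against hdr->length before this function is entered, or pass caplen down and check it here. Two smaller points: the cast discards the const qualifier on `hdr` (declare `const struct pfloghdr_v2 *v2hdr` instead), and `hdr_version` is assigned in both branches but never read, which will draw an unused-variable warning; either drop it or use it in the output.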
--- tcpdump-pflog-v2.patch ends here ---
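As an added example that is not part of the PR or of tcpdump: a small C reader that picks the pflog(4) header layout from the leading length byte the way the patch's pflog_print() does, and fetches the direction with the bounds check pflog_print() itself cannot make because it receives no caplen. The field widths and the v2 length of 61 assume the i386 ABI the PR was filed on (4-byte uid_t/pid_t, 1-byte sa_family_t); the sample header, including its all-ones uid, is constructed here to show why an unpatched reader prints unkn(255).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IFNAMSIZ 16
#define PF_RULESET_NAME_SIZE 16

struct pfloghdr_v1 {                  /* layout tcpdump knew before the patch */
	uint8_t  length, af, action, reason;
	char     ifname[IFNAMSIZ], ruleset[PF_RULESET_NAME_SIZE];
	uint32_t rulenr, subrulenr;
	uint8_t  dir, pad[3];
};
struct pfloghdr_v2 {                  /* layout from OpenBSD 4.1 if_pflog.h */
	uint8_t  length, af, action, reason;
	char     ifname[IFNAMSIZ], ruleset[PF_RULESET_NAME_SIZE];
	uint32_t rulenr, subrulenr;
	uint32_t uid, pid, rule_uid, rule_pid;   /* i386 ABI: 4 bytes each */
	uint8_t  dir, pad[3];
};
#define PFLOG_HDRV2_LEN offsetof(struct pfloghdr_v2, pad)   /* 61 on i386 */

/* Direction byte (PF_INOUT=0, PF_IN=1, PF_OUT=2), or -1 when the capture or the
 * header's own declared length does not reach the field; force_v1 ignores the
 * v2 layout, reproducing what tcpdump did before the patch. */
int pflog_dir(const unsigned char *p, size_t caplen, int force_v1)
{
	size_t off;
	if (caplen < 1) return -1;
	/* The patch's discriminator: exact v2 length means v2, anything else v1. */
	if (!force_v1 && p[0] == PFLOG_HDRV2_LEN)
		off = offsetof(struct pfloghdr_v2, dir);
	else
		off = offsetof(struct pfloghdr_v1, dir);
	return (off >= p[0] || off >= caplen) ? -1 : p[off];
}

/* Constructed sample: v2 header of a blocked outbound packet on "uplink", with
 * an all-ones uid so that a v1 reader lands on 0xff and prints unkn(255). */
const unsigned char *sample_v2(size_t *caplen)
{
	static struct pfloghdr_v2 h;
	memset(&h, 0, sizeof h);
	h.length = (uint8_t)PFLOG_HDRV2_LEN; h.af = 2; h.action = 1; /* inet, block */
	strncpy(h.ifname, "uplink", IFNAMSIZ - 1);
	h.uid = h.rule_uid = 0xffffffffu; h.dir = 2;           /* PF_OUT */
	*caplen = sizeof h;
	return (const unsigned char *)&h;
}
```

A v1 reader applied to the same bytes lands on the first byte of uid (offset 44), which is exactly the unkn(255) the PR reports.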
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: remko 
Responsible-Changed-When: Thu Sep 27 17:01:13 UTC 2007 
Responsible-Changed-Why:  
Reassign to PF team since this influences the PF application suite 
(I understand that the change must be made in tcpdump so perhaps 
we should allocate someone else, but let's see what the PF team can 
do for us). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116610 

From: Peter Jeremy <peterjeremy@optushome.com.au>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
Date: Fri, 13 Jun 2008 07:08:30 +1000

 This PR seems to have been obsoleted by the import of tcpdump 3.9.8
 in October 2007.
 -- 
 Peter Jeremy
 
State-Changed-From-To: open->feedback 
State-Changed-By: gavin 
State-Changed-When: Fri Jun 13 14:05:10 UTC 2008 
State-Changed-Why:  
To submitter: it looks like this PR is no longer relevant to  
RELENG_7 after the import of tcpdump 3.9.8 in October 2007.  Can 
you confirm that this now works for you on 7.0-RELEASE please? 

Note that it has not been MFC'd to RELENG_6 so it won't work there yet. 


Responsible-Changed-From-To: freebsd-pf->gavin 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Fri Jun 13 14:05:10 UTC 2008 
Responsible-Changed-Why:  
Track 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116610 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/116610: [patch] teach tcpdump(1) to cope with the new-style pflog(4) output
Date: Fri, 13 Jun 2008 22:11:18 +0400

 Peter, good day.
 
 Fri, Jun 13, 2008 at 07:08:30AM +1000, Peter Jeremy wrote:
 > This PR seems to have been obsoleted by the import of tcpdump 3.9.8
 > in October 2007.
 
 Yes: the new tcpdump understands the new format, and the general consensus
 among the tcpdump developers and Max Laier was that tcpdump will
 recognize pflog traces from the local machine and it is not guaranteed
 that v1 traces will be readable on machines that have pf v2 and vice
 versa.
 
 Thank you!
 -- 
 Eygene
State-Changed-From-To: feedback->closed 
State-Changed-By: remko 
State-Changed-When: Fri Jun 13 21:30:05 UTC 2008 
State-Changed-Why:  
Eygene reported that this had been resolved indeed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116610 
>Unformatted:
