Log Labels?

N. Ersen SISECI siseci at gmail.com
Thu Mar 12 23:55:41 PDT 2009 

   Hi,
   I didn't submit this patch to OpenBSD guys. I have just only sent this
   to the list.
   I didn't try to patch wireshark. But  i think it is as easy as
   tcpdump.
   And i didn't test on OpenBSD. May be i should test on OpenBSD first
   and then
   send this patch to OpenBSD list.
   This is the patch for FreeBSD 7.0 pf.
   --- if_pflog.h.orig     2008-07-10 14:20:58.000000000 +0300
   +++ if_pflog.h  2008-07-10 14:21:59.000000000 +0300
   @@ -44,6 +44,12 @@
    #define PFLOG_RULESET_NAME_SIZE        16
   +#ifndef PFLOG_RULE_LABEL_SIZE
   +#define PFLOG_RULE_LABEL_SIZE       64
   +#endif
   +
   +#define PFLOG_LOG_LABEL
   +
    struct pfloghdr {
           u_int8_t        length;
           sa_family_t     af;
   @@ -58,6 +64,9 @@
           uid_t           rule_uid;
           pid_t           rule_pid;
           u_int8_t        dir;
   +#ifdef PFLOG_LOG_LABEL
   +       char            label[PFLOG_RULE_LABEL_SIZE];
   +#endif
           u_int8_t        pad[3];
    };
   --- if_pflog.c.orig     2008-07-10 14:22:11.000000000 +0300
   +++ if_pflog.c  2008-07-10 14:22:48.000000000 +0300
   @@ -342,6 +342,7 @@
           hdr.action = rm->action;
           hdr.reason = reason;
           memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
   +       memcpy(hdr.label, rm->label, sizeof(rm->label));
           if (am == NULL) {
                   hdr.rulenr = htonl(rm->nr);
   And this is for Tcpdump.
   --- print-pflog.c.orig  2008-07-10 14:30:30.000000000 +0300
   +++ print-pflog.c       2008-07-10 14:33:42.000000000 +0300
   @@ -106,11 +106,21 @@
           else
                   printf("rule %u.%s.%u/", rulenr, hdr->ruleset,
   subrulenr);
   -       printf("%s: %s %s on %s: ",
   +#ifndef PFLOG_LOG_LABEL
   +        printf("%s: %s %s on %s:",
               tok2str(pf_reasons, "unkn(%u)", hdr->reason),
               tok2str(pf_actions, "unkn(%u)", hdr->action),
               tok2str(pf_directions, "unkn(%u)", hdr->dir),
               hdr->ifname);
   +#else
   +       printf("%s: %s %s on %s: label %s: ",
   +           tok2str(pf_reasons, "unkn(%u)", hdr->reason),
   +           tok2str(pf_actions, "unkn(%u)", hdr->action),
   +           tok2str(pf_directions, "unkn(%u)", hdr->dir),
   +           hdr->ifname,
   +           hdr->label);
   +#endif
   +
    }
    u_int
   Petersen, Mark yazmis:

Great, I would love to try a patch for 7.0.  Do you have a patch for wireshark/
tshark/mergecap as well by any chance?  Have you submitted these patches to Ope
nBSD people?  Any feedback on getting this merged in?

Thanks,
Mark

  

-----Original Message-----
From: N. Ersen SISECI [[1]mailto:siseci at gmail.com]
Sent: Thursday, March 12, 2009 1:25 AM
To: Petersen, Mark
Cc: [2]freebsd-pf at freebsd.org
Subject: Re: Log Labels?

Hello,

I have been using this patch for a long time. If you apply if_pflog
patchs to pf and
print-pflog.c to tcpdump you should see label values in log lines.

If you are interested in this patch i can send you its 7.0 version.

# tcpdump -nttttveli pflog0 -s 1024
2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label
70:
(tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6),
length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct),
3376786061:3376786061(0) win 65535 <mss 1460,nop,nop,sackOK>


Thanks,

N. Ersen SISECI
[3]http://www.enderunix.org


Petersen, Mark yazmis:


Hello,

I'm trying to find out if it's possible to do IPF like log-tags with


pf.


I found an interesting patch here -
[4]http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
that enables this.  It doesn't appear to have made it into pflog


though.


Is there a way to use this feature?  I'd much rather be logging a


label


and rule #.  I can see if these patches still work with 7 of course.
Has anyone tried this?

Finally - it appears there are only patches for pf, but if I compile
tcpdump with the pf patches, will it work?  What about using mergecap
with this?  If I recompile mergecap/tshark would this work?  I know I
can just try, but no sense reinventing the wheel if someone else


spent


some time trying to do the same.

Thanks,
Mark

_______________________________________________
[5]freebsd-pf at freebsd.org mailing list
[6]http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to [7]"freebsd-pf-unsubscribe at freebsd.org"

References

   1. mailto:siseci at gmail.com
   2. mailto:freebsd-pf at freebsd.org
   3. http://www.enderunix.org/
   4. http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
   5. mailto:freebsd-pf at freebsd.org
   6. http://lists.freebsd.org/mailman/listinfo/freebsd-pf
   7. mailto:freebsd-pf-unsubscribe at freebsd.org

More information about the freebsd-pf mailing list