diff --git a/FILES b/FILES index ff0ef98..fa1f553 100644 --- a/FILES +++ b/FILES @@ -67,6 +67,7 @@ pcap-win32.c pcap.3 pcap.c pcap.h +pf.h ppp.h savefile.c scanner.l diff --git a/INSTALL.txt b/INSTALL.txt index f50b265..ec2ae6f 100644 --- a/INSTALL.txt +++ b/INSTALL.txt @@ -1,4 +1,4 @@ -@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.4 2002-07-16 05:03:34 guy Exp $ (LBL) +@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.5 2003-03-11 06:23:52 guy Exp $ (LBL) To build libpcap, run "./configure" (a shell script). The configure script will determine your system attributes and generate an @@ -349,6 +349,7 @@ pcap-snoop.c - IRIX Snoop network monitoring support pcap.3 - manual entry pcap.c - pcap utility routines pcap.h - public libpcap definitions +pf.h - OpenBSD DLT_PFLOG definitions ppp.h - Point to Point Protocol definitions savefile.c - offline support scanner.l - filter string scanner diff --git a/gencode.c b/gencode.c index 1915d21..1c2ab10 100644 --- a/gencode.c +++ b/gencode.c @@ -21,7 +21,7 @@ */ #ifndef lint static const char rcsid[] = - "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.188 2003-03-08 08:42:13 guy Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.189 2003-03-11 06:23:52 guy Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H @@ -70,6 +70,7 @@ static const char rcsid[] = #include "ppp.h" #include "sll.h" #include "arcnet.h" +#include "pf.h" #ifdef INET6 #ifndef WIN32 #include /* for "struct addrinfo" */ @@ -744,6 +745,12 @@ init_linktype(type) off_nl_nosnap = 12; /* no 802.2 LLC */ return; + case DLT_PFLOG: + off_linktype = 0; + off_nl = 28; + off_nl_nosnap = 28; /* no 802.2 LLC */ + return; + case DLT_PPP: case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ @@ -1530,6 +1537,7 @@ gen_linktype(proto) case DLT_NULL: case DLT_LOOP: case DLT_ENC: + case DLT_PFLOG: /* * For DLT_NULL, the link-layer header is a 32-bit * word containing an AF_ value in *host* byte order, 
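Review bot: The DLT_PFLOG case in init_linktype hard-codes the header length as a bare `28`, and the later hunks in this file use the same kind of literal for field positions (`4`, `20`, `22`, `24` in the gen_pf_* functions and `26` in gen_inbound), so the assumed pflog header layout is spread over several places with no single definition. If the header layout differs between pf versions, these filters would read the wrong bytes without any error. I would name the offsets next to the PF_* definitions, e.g. `#define PFLOG_HDRLEN 28` and `#define PFLOG_OFF_DIR 26`, and write `off_nl = PFLOG_HDRLEN;` here. init_linktype's body continues outside the hunk.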
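Review bot: `case DLT_PFLOG:` joins the DLT_NULL/DLT_LOOP/DLT_ENC group in gen_linktype while the byte order of its address-family word is still an open question (the next hunk adds `XXX - what's the byte order for DLT_PFLOG?`). The existing comment says the DLT_NULL word is in host byte order; if pflog's differs, protocol tests on a pflog capture could silently match nothing or depend on the capturing host. The switch body is outside the hunk, so which conversion the new case receives is not visible here. It would be worth settling this against the OpenBSD header definition and stating the answer in the comment instead of leaving the XXX.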
@@ -1551,6 +1559,8 @@ gen_linktype(proto) * This means that, when reading a capture file, just * checking for our AF_INET6 value won't work if the * capture file came from another OS. + * + * XXX - what's the byte order for DLT_PFLOG? */ switch (proto) { @@ -4943,8 +4953,13 @@ gen_inbound(dir) } break; + case DLT_PFLOG: + b0 = gen_cmp(26, BPF_H, + (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); + break; + default: - bpf_error("inbound/outbound not supported on linktype %d\n", + bpf_error("inbound/outbound not supported on linktype %d", linktype); b0 = NULL; /* NOTREACHED */ @@ -4952,6 +4967,58 @@ gen_inbound(dir) return (b0); } +/* PF firewall log matched interface */ +struct block * +gen_pf_ifname(char *ifname) +{ + if (linktype != DLT_PFLOG) { + bpf_error("ifname supported only for DLT_PFLOG"); + /* NOTREACHED */ + } + if (strlen(ifname) >= 16) { + bpf_error("ifname interface names can't be larger than 16 characters"); + /* NOTREACHED */ + } + return (gen_bcmp(4, strlen(ifname), ifname)); +} + + +/* PF firewall log rule number */ +struct block * +gen_pf_rnr(int rnr) +{ + if (linktype != DLT_PFLOG) { + bpf_error("rnr supported only for DLT_PFLOG"); + /* NOTREACHED */ + } + + return (gen_cmp(20, BPF_H, (bpf_int32)rnr)); +} + +/* PF firewall log reason code */ +struct block * +gen_pf_reason(int reason) +{ + if (linktype != DLT_PFLOG) { + bpf_error("reason supported only for DLT_PFLOG"); + /* NOTREACHED */ + } + + return (gen_cmp(22, BPF_H, (bpf_int32)reason)); +} + +/* PF firewall log action */ +struct block * +gen_pf_action(int action) +{ + if (linktype != DLT_PFLOG) { + bpf_error("action supported only for DLT_PFLOG"); + /* NOTREACHED */ + } + + return (gen_cmp(24, BPF_H, (bpf_int32)action)); +} + struct block * gen_acode(eaddr, q) register const u_char *eaddr; diff --git a/gencode.h b/gencode.h index 1b9459f..441995e 100644 --- a/gencode.h +++ b/gencode.h 
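Review bot: gen_pf_ifname compares only `strlen(ifname)` bytes at offset 4, so the test is a prefix match: a filter naming one interface also accepts every logged interface whose name begins with the same characters. For someone filtering firewall logs by interface, that returns extra records without warning. If the header field is NUL-terminated (not visible here, to be confirmed), including the terminator makes the match exact: `return (gen_bcmp(4, strlen(ifname) + 1, ifname));`, which stays inside the field because the length check above rejects 16 or more. That check's message is also off by one, since a 16-character name is refused although the text says names can't be larger than 16 characters; `"ifname interface names can't be longer than 15 characters"` would agree with the test.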
@@ -18,7 +18,7 @@ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * @(#) $Header: /tcpdump/master/libpcap/gencode.h,v 1.56 2002-12-06 00:01:34 hannes Exp $ (LBL) + * @(#) $Header: /tcpdump/master/libpcap/gencode.h,v 1.57 2003-03-11 06:23:53 guy Exp $ (LBL) */ /* @@ -278,6 +278,12 @@ struct block *gen_atmfield_code(int atmfield, bpf_u_int32 jvalue, bpf_u_int32 jt struct block *gen_atmtype_abbrev(int type); struct block *gen_atmmulti_abbrev(int type); +struct block *gen_pf_ifname(char *); +struct block *gen_pf_rnr(int); +struct block *gen_pf_reason(int); +struct block *gen_pf_action(int); +struct block *gen_pf_dir(int); + void bpf_optimize(struct block **); void bpf_error(const char *, ...) #if HAVE___ATTRIBUTE__ diff --git a/grammar.y b/grammar.y index 1adc58c..b85ed28 100644 --- a/grammar.y +++ b/grammar.y @@ -22,7 +22,7 @@ */ #ifndef lint static const char rcsid[] = - "@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.78 2002-12-06 00:01:34 hannes Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.79 2003-03-11 06:23:53 guy Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H @@ -53,6 +53,7 @@ struct rtentry; #include "pcap-int.h" #include "gencode.h" +#include "pf.h" #include #ifdef HAVE_OS_PROTO_H @@ -108,7 +109,7 @@ pcap_parse() %type arth narth %type byteop pname pnum relop irelop %type and or paren not null prog -%type other +%type other pfvar %type atmtype atmmultitype %type atmfield %type atmfieldvalue atmvalue atmlistvalue @@ -119,6 +120,7 @@ pcap_parse() %token ATALK AARP DECNET LAT SCA MOPRC MOPDL %token TK_BROADCAST TK_MULTICAST %token NUM INBOUND OUTBOUND +%token PF_IFNAME PF_RNR PF_REASON PF_ACTION %token LINK %token GEQ LEQ NEQ %token ID EID HID HID6 AID @@ -138,7 +140,7 @@ pcap_parse() %type EID %type AID %type HID HID6 -%type NUM +%type NUM action reason %left OR AND %nonassoc '!' 
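Review bot: `struct block *gen_pf_dir(int);` is declared in gencode.h, but none of the gencode.c hunks in this commit define it and the grammar never calls it; direction matching was added inside gen_inbound instead. Unless a definition exists elsewhere, the prototype should be dropped so that a later caller does not compile cleanly and then fail at link time. Separately, the gen_pf_ifname definition shown does not modify its argument, so `struct block *gen_pf_ifname(const char *);` would state that in the interface.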
@@ -321,7 +323,40 @@ other: pqual TK_BROADCAST { $$ = gen_broadcast($1); } | OUTBOUND { $$ = gen_inbound(1); } | VLAN pnum { $$ = gen_vlan($2); } | VLAN { $$ = gen_vlan(-1); } + | pfvar { $$ = $1; } ; + +pfvar: PF_IFNAME ID { $$ = gen_pf_ifname($2); } + | PF_RNR NUM { $$ = gen_pf_rnr($2); } + | PF_REASON reason { $$ = gen_pf_reason($2); } + | PF_ACTION action { $$ = gen_pf_action($2); } + ; + +reason: NUM { $$ = $1; } + | ID { const char *reasons[] = PFRES_NAMES; + int i; + for (i = 0; reasons[i]; i++) { + if (pcap_strcasecmp($1, reasons[i]) == 0) { + $$ = i; + break; + } + } + if (reasons[i] == NULL) + bpf_error("unknown PF reason"); + } + ; + +action: ID { if (pcap_strcasecmp($1, "pass") == 0 || + pcap_strcasecmp($1, "accept") == 0) + $$ = PF_PASS; + else if (pcap_strcasecmp($1, "drop") == 0 || + pcap_strcasecmp($1, "block") == 0) + $$ = PF_DROP; + else + bpf_error("unknown PF action"); + } + ; + relop: '>' { $$ = BPF_JGT; } | GEQ { $$ = BPF_JGE; } | '=' { $$ = BPF_JEQ; } diff --git a/pcap-bpf.h b/pcap-bpf.h index 8ac4527..9e2ac79 100644 --- a/pcap-bpf.h +++ b/pcap-bpf.h @@ -37,7 +37,7 @@ * * @(#)bpf.h 7.1 (Berkeley) 5/7/91 * - * @(#) $Header: /tcpdump/master/libpcap/pcap-bpf.h,v 1.5 2003-03-08 09:21:37 guy Exp $ (LBL) + * @(#) $Header: /tcpdump/master/libpcap/pcap-bpf.h,v 1.6 2003-03-11 06:23:53 guy Exp $ (LBL) */ /* @@ -158,6 +158,10 @@ struct bpf_version { #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ #endif +/* + * 17 is used for DLT_PFLOG in OpenBSD; don't use it for anything else. + */ + #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ /* 
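Review bot: `PF_RNR NUM` and `reason: NUM` pass the parsed number straight to gen_pf_rnr and gen_pf_reason, which compare it against a 16-bit field (`BPF_H` in the gencode.c hunk), so a value above 65535 is accepted and produces a filter that can never match. Rejecting it at parse time gives the user an error instead of an empty result, e.g. `if ($2 > 0xffff) bpf_error("PF rule number out of range");` before the gen_pf_rnr call. The `action` rule has the opposite gap: it accepts only names, and pf.h defines `PF_SCRUB` with no keyword mapped to it, so that action cannot be selected. The error branches also leave `$$` unassigned and rely on bpf_error not returning; a `/* NOTREACHED */` comment, as used in gencode.c, would make that explicit.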
@@ -258,12 +262,14 @@ struct bpf_version { #define DLT_IPFILTER 116 /* - * Reserved for use in capture-file headers as a link-layer type - * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, - * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it - * in capture-file headers. + * OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, but that's DLT_LANE8023 + * in SuSE 6.3, so we can't use 17 for it in capture-file headers. */ +#ifdef __OpenBSD__ +#define DLT_PFLOG 17 +#else #define DLT_PFLOG 117 +#endif /* * Registered for Cisco-internal use. @@ -271,7 +277,7 @@ struct bpf_version { #define DLT_CISCO_IOS 118 /* - * Reserved for 802.11 cards using the Prism II chips, with a link-layer + * For 802.11 cards using the Prism II chips, with a link-layer * header including Prism monitor mode information plus an 802.11 * header. */ diff --git a/pcap-int.h b/pcap-int.h index d63a284..61c247b 100644 --- a/pcap-int.h +++ b/pcap-int.h @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * @(#) $Header: /tcpdump/master/libpcap/pcap-int.h,v 1.43 2002-12-28 00:44:04 guy Exp $ (LBL) + * @(#) $Header: /tcpdump/master/libpcap/pcap-int.h,v 1.44 2003-03-11 06:23:54 guy Exp $ (LBL) */ #ifndef pcap_int_h @@ -211,6 +211,8 @@ int sf_next_packet(pcap_t *, struct pcap_pkthdr *, u_char *, int); strlen((y))) #endif +int pcap_strcasecmp(const char *, const char *); + /* * Internal interface for "pcap_set_datalink()". Attempts to set the * link-layer type to the specified type; if that fails, returns -1. diff --git a/pcap.c b/pcap.c index ded9e7b..67e7a00 100644 --- a/pcap.c +++ b/pcap.c @@ -33,7 +33,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.49 2003-02-13 07:54:59 guy Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.50 2003-03-11 06:23:54 guy Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H 
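Review bot: The rewritten comment above `DLT_PFLOG` still says 17 cannot be used in capture-file headers, yet the new `#ifdef __OpenBSD__` branch defines it as 17, and nothing here explains how the two fit together. From the savefile.c hunk it appears the file value is always `LINKTYPE_PFLOG` (117) through the linktype map. I would say so in the comment, e.g. `On OpenBSD the system value 17 is used for live capture; savefile.c maps it to LINKTYPE_PFLOG (117) in capture files.` That also tells a reader that DLT_PFLOG has two numeric values depending on the build host.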
@@ -313,7 +313,7 @@ static const u_char charmap[] = { (u_char)'\374', (u_char)'\375', (u_char)'\376', (u_char)'\377', }; -static int +int pcap_strcasecmp(const char *s1, const char *s2) { register const u_char *cm = charmap, diff --git a/pf.h b/pf.h new file mode 100644 index 0000000..cec4278 --- /dev/null +++ b/pf.h 
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2001 Daniel Hartmeier
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * + * @(#) $Header: /tcpdump/master/libpcap/Attic/pf.h,v 1.1 2003-03-11 06:23:54 guy Exp $ (LBL) + */ + +/* from $OpenBSD: pfvar.h,v 1.61 2002/01/11 20:13:11 mickey Exp $ */ + +enum { PF_IN=0, PF_OUT=1 }; +enum { PF_PASS=0, PF_DROP=1, PF_SCRUB=2 }; + +/* Reasons code for passing/dropping a packet */ +#define PFRES_MATCH 0 /* Explicit match of a rule */ +#define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ +#define PFRES_FRAG 2 /* Dropping following fragment */ +#define PFRES_SHORT 3 /* Dropping short packet */ +#define PFRES_NORM 4 /* Dropping by normalizer */ +#define PFRES_MEMORY 5 /* Dropped due to lacking mem */ +#define PFRES_MAX 6 /* total+1 */ + +#define PFRES_NAMES { \ + "match", \ + "bad-offset", \ + "fragment", \ + "short", \ + "normalize", \ + "memory", \ + NULL \ +} diff --git a/savefile.c b/savefile.c index b759130..089314c 100644 --- a/savefile.c +++ b/savefile.c @@ -30,7 +30,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.77 2003-03-08 08:42:14 guy Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.78 2003-03-11 06:23:55 guy Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H @@ -162,6 +162,7 @@ static const char rcsid[] = #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ #define LINKTYPE_ECONET 115 /* Acorn Econet */ +#define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ #define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */ #define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */ @@ -189,7 +190,6 @@ static const char rcsid[] = #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */ #define LINKTYPE_IPFILTER 116 /* IP Filter capture files */ -#define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ #define LINKTYPE_HHDLC 121 /* Siemens HiPath HDLC */ #define LINKTYPE_RIO 124 /* RapidIO */ #define LINKTYPE_PCI_EXP 125 /* PCI Express */ 
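Review bot: pf.h has no include guard and defines anonymous enums (`PF_IN`, `PF_PASS`, and so on), so a second inclusion in one translation unit fails with redefinition errors; inclusion alongside a system header that defines the same names would fail the same way (possible on OpenBSD, not verifiable from this diff). Wrapping the body in `#ifndef pf_h` / `#define pf_h` / `#endif`, in the style pcap-int.h uses, covers the first case. `PFRES_NAMES` is indexed by the `PFRES_*` values in grammar.y, so a comment such as `/* order must match the PFRES_* values above; keep in step with PFRES_MAX */` would help whoever adds the next reason code.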
@@ -267,6 +267,9 @@ static struct linktype_map { /* Acorn Econet */ { DLT_ECONET, LINKTYPE_ECONET }, + /* OpenBSD DLT_PFLOG */ + { DLT_PFLOG, LINKTYPE_PFLOG }, + /* For Cisco-internal use */ { DLT_CISCO_IOS, LINKTYPE_CISCO_IOS }, diff --git a/scanner.l b/scanner.l index 0b5540b..46cfe27 100644 --- a/scanner.l +++ b/scanner.l @@ -22,7 +22,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.93 2003-03-08 05:53:11 guy Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.94 2003-03-11 06:23:55 guy Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H @@ -276,6 +276,11 @@ vci return VCI; connectmsg return CONNECTMSG; metaconnect return METACONNECT; +on|ifname return PF_IFNAME; +rnr|rulenum return PF_RNR; +reason return PF_REASON; +action return PF_ACTION; + [ \r\n\t] ; [+\-*/:\[\]!<>()&|=] return yytext[0]; ">=" return GEQ;
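Review bot: The new rules make `on`, `ifname`, `rnr`, `rulenum`, `reason` and `action` keywords in every filter expression, not only on DLT_PFLOG captures, so an existing expression that uses one of those words as a name (a host or network called `action`, say) would presumably stop parsing after this change. The rest of the scanner is outside the hunk, so whether an escape for identifiers exists cannot be confirmed here. At minimum the new reserved words should be listed in the filter documentation. `on` in particular is short and common, so keeping only the more specific spelling `ifname` may be preferable.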