61#include <netinet/ip_fw.h> 62#include <netinet/ipfw/ip_fw_private.h> 63#include <netinet/tcp_var.h> 64#include <netinet/udp.h> 65 66#include <netinet/ip6.h> 67#include <netinet/icmp6.h> 68#ifdef INET6 69#include <netinet6/in6_var.h> /* ip6_sprintf() */ 70#endif 71 72#ifdef MAC 73#include <security/mac/mac_framework.h> 74#endif 75 76/* 77 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T 78 * Other macros just cast void * into the appropriate type 79 */ 80#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) 81#define TCP(p) ((struct tcphdr *)(p)) 82#define SCTP(p) ((struct sctphdr *)(p)) 83#define UDP(p) ((struct udphdr *)(p)) 84#define ICMP(p) ((struct icmphdr *)(p)) 85#define ICMP6(p) ((struct icmp6_hdr *)(p)) 86 87#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0 88#define SNP(buf) buf, sizeof(buf) 89 90#ifdef WITHOUT_BPF 91void 92ipfw_log_bpf(int onoff) 93{ 94} 95#else /* !WITHOUT_BPF */ 96static struct ifnet *log_if; /* hook to attach to bpf */ 97 98/* we use this dummy function for all ifnet callbacks */ 99static int 100log_dummy(struct ifnet *ifp, u_long cmd, caddr_t addr) 101{ 102 return EINVAL; 103} 104 105void 106ipfw_log_bpf(int onoff) 107{ 108 struct ifnet *ifp; 109 110 if (onoff) { 111 if (log_if) 112 return; 113 ifp = if_alloc(IFT_ETHER); 114 if (ifp == NULL) 115 return; 116 if_initname(ifp, "ipfw", 0); 117 ifp->if_mtu = 65536; 118 ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; 119 ifp->if_init = (void *)log_dummy; 120 ifp->if_ioctl = log_dummy; 121 ifp->if_start = (void *)log_dummy; 122 ifp->if_output = (void *)log_dummy; 123 ifp->if_addrlen = 6; 124 ifp->if_hdrlen = 14; 125 if_attach(ifp); 126 ifp->if_baudrate = IF_Mbps(10); 127 bpfattach(ifp, DLT_EN10MB, 14); 128 log_if = ifp; 129 } else { 130 if (log_if) { 131 ether_ifdetach(log_if); 132 if_free(log_if); 133 } 134 log_if = NULL; 135 } 136} 137#endif /* !WITHOUT_BPF */ 138 139/* 140 * We enter here when we have a rule with O_LOG. 141 * XXX this function alone takes about 2Kbytes of code! 142 */ 143void 144ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, 145 struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, 146 struct ip *ip) 147{ 148 char *action; 149 int limit_reached = 0; 150 char action2[40], proto[128], fragment[32]; 151 152 if (V_fw_verbose == 0) { 153#ifndef WITHOUT_BPF 154 struct m_hdr mh; 155 156 if (log_if == NULL || log_if->if_bpf == NULL) 157 return; 158 /* BPF treats the "mbuf" as read-only */ 159 mh.mh_next = m; 160 mh.mh_len = ETHER_HDR_LEN; 161 if (args->eh) { /* layer2, use orig hdr */ 162 mh.mh_data = (char *)args->eh; 163 } else { 164 /* add fake header. Later we will store 165 * more info in the header 166 */ 167 mh.mh_data = "DDDDDDSSSSSS\x08\x00"; 168 } 169 BPF_MTAP(log_if, (struct mbuf *)&mh); 170#endif /* !WITHOUT_BPF */ 171 return; 172 } 173 /* the old 'log' function */ 174 fragment[0] = '\0'; 175 proto[0] = '\0'; 176 177 if (f == NULL) { /* bogus pkt */ 178 if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit) 179 return; 180 V_norule_counter++; 181 if (V_norule_counter == V_verbose_limit) 182 limit_reached = V_verbose_limit; 183 action = "Refuse"; 184 } else { /* O_LOG is the first action, find the real one */ 185 ipfw_insn *cmd = ACTION_PTR(f); 186 ipfw_insn_log *l = (ipfw_insn_log *)cmd; 187 188 if (l->max_log != 0 && l->log_left == 0) 189 return; 190 l->log_left--; 191 if (l->log_left == 0) 192 limit_reached = l->max_log; 193 cmd += F_LEN(cmd); /* point to first action */ 194 if (cmd->opcode == O_ALTQ) { 195 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd; 196 197 snprintf(SNPARGS(action2, 0), "Altq %d", 198 altq->qid); 199 cmd += F_LEN(cmd); 200 } 201 if (cmd->opcode == O_PROB) 202 cmd += F_LEN(cmd); 203 204 if (cmd->opcode == O_TAG) 205 cmd += F_LEN(cmd); 206 207 action = action2; 208 switch (cmd->opcode) { 209 case O_DENY: 210 action = "Deny"; 211 break; 212 213 case O_REJECT: 214 if (cmd->arg1==ICMP_REJECT_RST) 215 action = "Reset"; 216 else if (cmd->arg1==ICMP_UNREACH_HOST) 217 action = "Reject"; 218 else 219 snprintf(SNPARGS(action2, 0), "Unreach %d", 220 cmd->arg1); 221 break; 222 223 case O_UNREACH6: 224 if (cmd->arg1==ICMP6_UNREACH_RST) 225 action = "Reset"; 226 else 227 snprintf(SNPARGS(action2, 0), "Unreach %d", 228 cmd->arg1); 229 break; 230 231 case O_ACCEPT: 232 action = "Accept"; 233 break; 234 case O_COUNT: 235 action = "Count"; 236 break; 237 case O_DIVERT: 238 snprintf(SNPARGS(action2, 0), "Divert %d", 239 cmd->arg1); 240 break; 241 case O_TEE: 242 snprintf(SNPARGS(action2, 0), "Tee %d", 243 cmd->arg1); 244 break; 245 case O_SETFIB: 246 snprintf(SNPARGS(action2, 0), "SetFib %d", 247 cmd->arg1); 248 break; 249 case O_SKIPTO: 250 snprintf(SNPARGS(action2, 0), "SkipTo %d", 251 cmd->arg1); 252 break; 253 case O_PIPE: 254 snprintf(SNPARGS(action2, 0), "Pipe %d", 255 cmd->arg1); 256 break; 257 case O_QUEUE: 258 snprintf(SNPARGS(action2, 0), "Queue %d", 259 cmd->arg1); 260 break; 261 case O_FORWARD_IP: { 262 ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd; 263 int len; 264 struct in_addr dummyaddr; 265 if (sa->sa.sin_addr.s_addr == INADDR_ANY) 266 dummyaddr.s_addr = htonl(tablearg); 267 else 268 dummyaddr.s_addr = sa->sa.sin_addr.s_addr; 269 270 len = snprintf(SNPARGS(action2, 0), "Forward to %s", 271 inet_ntoa(dummyaddr)); 272 273 if (sa->sa.sin_port) 274 snprintf(SNPARGS(action2, len), ":%d", 275 sa->sa.sin_port); 276 } 277 break; 278 case O_NETGRAPH: 279 snprintf(SNPARGS(action2, 0), "Netgraph %d", 280 cmd->arg1); 281 break; 282 case O_NGTEE: 283 snprintf(SNPARGS(action2, 0), "Ngtee %d", 284 cmd->arg1); 285 break; 286 case O_NAT: 287 action = "Nat"; 288 break; 289 case O_REASS: 290 action = "Reass"; 291 break; 292 default: 293 action = "UNKNOWN"; 294 break; 295 } 296 } 297 298 if (hlen == 0) { /* non-ip */ 299 snprintf(SNPARGS(proto, 0), "MAC"); 300 301 } else { 302 int len; 303#ifdef INET6 304 char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2]; 305#else 306 char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN]; 307#endif 308 struct icmphdr *icmp; 309 struct tcphdr *tcp; 310 struct udphdr *udp; 311#ifdef INET6 312 struct ip6_hdr *ip6 = NULL; 313 struct icmp6_hdr *icmp6; 314#endif 315 src[0] = '\0'; 316 dst[0] = '\0'; 317#ifdef INET6 318 if (IS_IP6_FLOW_ID(&(args->f_id))) { 319 char ip6buf[INET6_ADDRSTRLEN]; 320 snprintf(src, sizeof(src), "[%s]", 321 ip6_sprintf(ip6buf, &args->f_id.src_ip6)); 322 snprintf(dst, sizeof(dst), "[%s]", 323 ip6_sprintf(ip6buf, &args->f_id.dst_ip6)); 324 325 ip6 = (struct ip6_hdr *)ip; 326 tcp = (struct tcphdr *)(((char *)ip) + hlen); 327 udp = (struct udphdr *)(((char *)ip) + hlen); 328 } else 329#endif 330 { 331 tcp = L3HDR(struct tcphdr, ip); 332 udp = L3HDR(struct udphdr, ip); 333 334 inet_ntoa_r(ip->ip_src, src); 335 inet_ntoa_r(ip->ip_dst, dst); 336 } 337 338 switch (args->f_id.proto) { 339 case IPPROTO_TCP: 340 len = snprintf(SNPARGS(proto, 0), "TCP %s", src); 341 if (offset == 0) 342 snprintf(SNPARGS(proto, len), ":%d %s:%d", 343 ntohs(tcp->th_sport), 344 dst, 345 ntohs(tcp->th_dport)); 346 else 347 snprintf(SNPARGS(proto, len), " %s", dst); 348 break; 349 350 case IPPROTO_UDP: 351 len = snprintf(SNPARGS(proto, 0), "UDP %s", src); 352 if (offset == 0) 353 snprintf(SNPARGS(proto, len), ":%d %s:%d", 354 ntohs(udp->uh_sport), 355 dst, 356 ntohs(udp->uh_dport)); 357 else 358 snprintf(SNPARGS(proto, len), " %s", dst); 359 break; 360 361 case IPPROTO_ICMP: 362 icmp = L3HDR(struct icmphdr, ip); 363 if (offset == 0) 364 len = snprintf(SNPARGS(proto, 0), 365 "ICMP:%u.%u ", 366 icmp->icmp_type, icmp->icmp_code); 367 else 368 len = snprintf(SNPARGS(proto, 0), "ICMP "); 369 len += snprintf(SNPARGS(proto, len), "%s", src); 370 snprintf(SNPARGS(proto, len), " %s", dst); 371 break; 372#ifdef INET6 373 case IPPROTO_ICMPV6: 374 icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen); 375 if (offset == 0) 376 len = snprintf(SNPARGS(proto, 0), 377 "ICMPv6:%u.%u ", 378 icmp6->icmp6_type, icmp6->icmp6_code); 379 else 380 len = snprintf(SNPARGS(proto, 0), "ICMPv6 "); 381 len += snprintf(SNPARGS(proto, len), "%s", src); 382 snprintf(SNPARGS(proto, len), " %s", dst); 383 break; 384#endif 385 default: 386 len = snprintf(SNPARGS(proto, 0), "P:%d %s", 387 args->f_id.proto, src); 388 snprintf(SNPARGS(proto, len), " %s", dst); 389 break; 390 } 391 392#ifdef INET6 393 if (IS_IP6_FLOW_ID(&(args->f_id))) { 394 if (offset & (IP6F_OFF_MASK | IP6F_MORE_FRAG)) 395 snprintf(SNPARGS(fragment, 0), 396 " (frag %08x:%d@%d%s)", 397 args->f_id.frag_id6, 398 ntohs(ip6->ip6_plen) - hlen, 399 ntohs(offset & IP6F_OFF_MASK) << 3, 400 (offset & IP6F_MORE_FRAG) ? "+" : ""); 401 } else 402#endif 403 { 404 int ipoff, iplen; 405 ipoff = ntohs(ip->ip_off); 406 iplen = ntohs(ip->ip_len); 407 if (ipoff & (IP_MF | IP_OFFMASK)) 408 snprintf(SNPARGS(fragment, 0), 409 " (frag %d:%d@%d%s)", 410 ntohs(ip->ip_id), iplen - (ip->ip_hl << 2), 411 offset << 3, 412 (ipoff & IP_MF) ? "+" : ""); 413 } 414 } 415 if (oif || m->m_pkthdr.rcvif) 416 log(LOG_SECURITY | LOG_INFO, 417 "ipfw: %d %s %s %s via %s%s\n", 418 f ? f->rulenum : -1, 419 action, proto, oif ? "out" : "in", 420 oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname, 421 fragment); 422 else 423 log(LOG_SECURITY | LOG_INFO, 424 "ipfw: %d %s %s [no if info]%s\n", 425 f ? f->rulenum : -1, 426 action, proto, fragment); 427 if (limit_reached) 428 log(LOG_SECURITY | LOG_NOTICE, 429 "ipfw: limit %d reached on entry %d\n", 430 limit_reached, f ? f->rulenum : -1); 431} 432/* end of file */
| 62#include <netinet/ip_fw.h> 63#include <netinet/ipfw/ip_fw_private.h> 64#include <netinet/tcp_var.h> 65#include <netinet/udp.h> 66 67#include <netinet/ip6.h> 68#include <netinet/icmp6.h> 69#ifdef INET6 70#include <netinet6/in6_var.h> /* ip6_sprintf() */ 71#endif 72 73#ifdef MAC 74#include <security/mac/mac_framework.h> 75#endif 76 77/* 78 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T 79 * Other macros just cast void * into the appropriate type 80 */ 81#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) 82#define TCP(p) ((struct tcphdr *)(p)) 83#define SCTP(p) ((struct sctphdr *)(p)) 84#define UDP(p) ((struct udphdr *)(p)) 85#define ICMP(p) ((struct icmphdr *)(p)) 86#define ICMP6(p) ((struct icmp6_hdr *)(p)) 87 88#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0 89#define SNP(buf) buf, sizeof(buf) 90 91#ifdef WITHOUT_BPF 92void 93ipfw_log_bpf(int onoff) 94{ 95} 96#else /* !WITHOUT_BPF */ 97static struct ifnet *log_if; /* hook to attach to bpf */ 98 99/* we use this dummy function for all ifnet callbacks */ 100static int 101log_dummy(struct ifnet *ifp, u_long cmd, caddr_t addr) 102{ 103 return EINVAL; 104} 105 106void 107ipfw_log_bpf(int onoff) 108{ 109 struct ifnet *ifp; 110 111 if (onoff) { 112 if (log_if) 113 return; 114 ifp = if_alloc(IFT_ETHER); 115 if (ifp == NULL) 116 return; 117 if_initname(ifp, "ipfw", 0); 118 ifp->if_mtu = 65536; 119 ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; 120 ifp->if_init = (void *)log_dummy; 121 ifp->if_ioctl = log_dummy; 122 ifp->if_start = (void *)log_dummy; 123 ifp->if_output = (void *)log_dummy; 124 ifp->if_addrlen = 6; 125 ifp->if_hdrlen = 14; 126 if_attach(ifp); 127 ifp->if_baudrate = IF_Mbps(10); 128 bpfattach(ifp, DLT_EN10MB, 14); 129 log_if = ifp; 130 } else { 131 if (log_if) { 132 ether_ifdetach(log_if); 133 if_free(log_if); 134 } 135 log_if = NULL; 136 } 137} 138#endif /* !WITHOUT_BPF */ 139 140/* 141 * We enter here when we have a rule with O_LOG. 142 * XXX this function alone takes about 2Kbytes of code! 143 */ 144void 145ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, 146 struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, 147 struct ip *ip) 148{ 149 char *action; 150 int limit_reached = 0; 151 char action2[40], proto[128], fragment[32]; 152 153 if (V_fw_verbose == 0) { 154#ifndef WITHOUT_BPF 155 struct m_hdr mh; 156 157 if (log_if == NULL || log_if->if_bpf == NULL) 158 return; 159 /* BPF treats the "mbuf" as read-only */ 160 mh.mh_next = m; 161 mh.mh_len = ETHER_HDR_LEN; 162 if (args->eh) { /* layer2, use orig hdr */ 163 mh.mh_data = (char *)args->eh; 164 } else { 165 /* add fake header. Later we will store 166 * more info in the header 167 */ 168 mh.mh_data = "DDDDDDSSSSSS\x08\x00"; 169 } 170 BPF_MTAP(log_if, (struct mbuf *)&mh); 171#endif /* !WITHOUT_BPF */ 172 return; 173 } 174 /* the old 'log' function */ 175 fragment[0] = '\0'; 176 proto[0] = '\0'; 177 178 if (f == NULL) { /* bogus pkt */ 179 if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit) 180 return; 181 V_norule_counter++; 182 if (V_norule_counter == V_verbose_limit) 183 limit_reached = V_verbose_limit; 184 action = "Refuse"; 185 } else { /* O_LOG is the first action, find the real one */ 186 ipfw_insn *cmd = ACTION_PTR(f); 187 ipfw_insn_log *l = (ipfw_insn_log *)cmd; 188 189 if (l->max_log != 0 && l->log_left == 0) 190 return; 191 l->log_left--; 192 if (l->log_left == 0) 193 limit_reached = l->max_log; 194 cmd += F_LEN(cmd); /* point to first action */ 195 if (cmd->opcode == O_ALTQ) { 196 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd; 197 198 snprintf(SNPARGS(action2, 0), "Altq %d", 199 altq->qid); 200 cmd += F_LEN(cmd); 201 } 202 if (cmd->opcode == O_PROB) 203 cmd += F_LEN(cmd); 204 205 if (cmd->opcode == O_TAG) 206 cmd += F_LEN(cmd); 207 208 action = action2; 209 switch (cmd->opcode) { 210 case O_DENY: 211 action = "Deny"; 212 break; 213 214 case O_REJECT: 215 if (cmd->arg1==ICMP_REJECT_RST) 216 action = "Reset"; 217 else if (cmd->arg1==ICMP_UNREACH_HOST) 218 action = "Reject"; 219 else 220 snprintf(SNPARGS(action2, 0), "Unreach %d", 221 cmd->arg1); 222 break; 223 224 case O_UNREACH6: 225 if (cmd->arg1==ICMP6_UNREACH_RST) 226 action = "Reset"; 227 else 228 snprintf(SNPARGS(action2, 0), "Unreach %d", 229 cmd->arg1); 230 break; 231 232 case O_ACCEPT: 233 action = "Accept"; 234 break; 235 case O_COUNT: 236 action = "Count"; 237 break; 238 case O_DIVERT: 239 snprintf(SNPARGS(action2, 0), "Divert %d", 240 cmd->arg1); 241 break; 242 case O_TEE: 243 snprintf(SNPARGS(action2, 0), "Tee %d", 244 cmd->arg1); 245 break; 246 case O_SETFIB: 247 snprintf(SNPARGS(action2, 0), "SetFib %d", 248 cmd->arg1); 249 break; 250 case O_SKIPTO: 251 snprintf(SNPARGS(action2, 0), "SkipTo %d", 252 cmd->arg1); 253 break; 254 case O_PIPE: 255 snprintf(SNPARGS(action2, 0), "Pipe %d", 256 cmd->arg1); 257 break; 258 case O_QUEUE: 259 snprintf(SNPARGS(action2, 0), "Queue %d", 260 cmd->arg1); 261 break; 262 case O_FORWARD_IP: { 263 ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd; 264 int len; 265 struct in_addr dummyaddr; 266 if (sa->sa.sin_addr.s_addr == INADDR_ANY) 267 dummyaddr.s_addr = htonl(tablearg); 268 else 269 dummyaddr.s_addr = sa->sa.sin_addr.s_addr; 270 271 len = snprintf(SNPARGS(action2, 0), "Forward to %s", 272 inet_ntoa(dummyaddr)); 273 274 if (sa->sa.sin_port) 275 snprintf(SNPARGS(action2, len), ":%d", 276 sa->sa.sin_port); 277 } 278 break; 279 case O_NETGRAPH: 280 snprintf(SNPARGS(action2, 0), "Netgraph %d", 281 cmd->arg1); 282 break; 283 case O_NGTEE: 284 snprintf(SNPARGS(action2, 0), "Ngtee %d", 285 cmd->arg1); 286 break; 287 case O_NAT: 288 action = "Nat"; 289 break; 290 case O_REASS: 291 action = "Reass"; 292 break; 293 default: 294 action = "UNKNOWN"; 295 break; 296 } 297 } 298 299 if (hlen == 0) { /* non-ip */ 300 snprintf(SNPARGS(proto, 0), "MAC"); 301 302 } else { 303 int len; 304#ifdef INET6 305 char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2]; 306#else 307 char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN]; 308#endif 309 struct icmphdr *icmp; 310 struct tcphdr *tcp; 311 struct udphdr *udp; 312#ifdef INET6 313 struct ip6_hdr *ip6 = NULL; 314 struct icmp6_hdr *icmp6; 315#endif 316 src[0] = '\0'; 317 dst[0] = '\0'; 318#ifdef INET6 319 if (IS_IP6_FLOW_ID(&(args->f_id))) { 320 char ip6buf[INET6_ADDRSTRLEN]; 321 snprintf(src, sizeof(src), "[%s]", 322 ip6_sprintf(ip6buf, &args->f_id.src_ip6)); 323 snprintf(dst, sizeof(dst), "[%s]", 324 ip6_sprintf(ip6buf, &args->f_id.dst_ip6)); 325 326 ip6 = (struct ip6_hdr *)ip; 327 tcp = (struct tcphdr *)(((char *)ip) + hlen); 328 udp = (struct udphdr *)(((char *)ip) + hlen); 329 } else 330#endif 331 { 332 tcp = L3HDR(struct tcphdr, ip); 333 udp = L3HDR(struct udphdr, ip); 334 335 inet_ntoa_r(ip->ip_src, src); 336 inet_ntoa_r(ip->ip_dst, dst); 337 } 338 339 switch (args->f_id.proto) { 340 case IPPROTO_TCP: 341 len = snprintf(SNPARGS(proto, 0), "TCP %s", src); 342 if (offset == 0) 343 snprintf(SNPARGS(proto, len), ":%d %s:%d", 344 ntohs(tcp->th_sport), 345 dst, 346 ntohs(tcp->th_dport)); 347 else 348 snprintf(SNPARGS(proto, len), " %s", dst); 349 break; 350 351 case IPPROTO_UDP: 352 len = snprintf(SNPARGS(proto, 0), "UDP %s", src); 353 if (offset == 0) 354 snprintf(SNPARGS(proto, len), ":%d %s:%d", 355 ntohs(udp->uh_sport), 356 dst, 357 ntohs(udp->uh_dport)); 358 else 359 snprintf(SNPARGS(proto, len), " %s", dst); 360 break; 361 362 case IPPROTO_ICMP: 363 icmp = L3HDR(struct icmphdr, ip); 364 if (offset == 0) 365 len = snprintf(SNPARGS(proto, 0), 366 "ICMP:%u.%u ", 367 icmp->icmp_type, icmp->icmp_code); 368 else 369 len = snprintf(SNPARGS(proto, 0), "ICMP "); 370 len += snprintf(SNPARGS(proto, len), "%s", src); 371 snprintf(SNPARGS(proto, len), " %s", dst); 372 break; 373#ifdef INET6 374 case IPPROTO_ICMPV6: 375 icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen); 376 if (offset == 0) 377 len = snprintf(SNPARGS(proto, 0), 378 "ICMPv6:%u.%u ", 379 icmp6->icmp6_type, icmp6->icmp6_code); 380 else 381 len = snprintf(SNPARGS(proto, 0), "ICMPv6 "); 382 len += snprintf(SNPARGS(proto, len), "%s", src); 383 snprintf(SNPARGS(proto, len), " %s", dst); 384 break; 385#endif 386 default: 387 len = snprintf(SNPARGS(proto, 0), "P:%d %s", 388 args->f_id.proto, src); 389 snprintf(SNPARGS(proto, len), " %s", dst); 390 break; 391 } 392 393#ifdef INET6 394 if (IS_IP6_FLOW_ID(&(args->f_id))) { 395 if (offset & (IP6F_OFF_MASK | IP6F_MORE_FRAG)) 396 snprintf(SNPARGS(fragment, 0), 397 " (frag %08x:%d@%d%s)", 398 args->f_id.frag_id6, 399 ntohs(ip6->ip6_plen) - hlen, 400 ntohs(offset & IP6F_OFF_MASK) << 3, 401 (offset & IP6F_MORE_FRAG) ? "+" : ""); 402 } else 403#endif 404 { 405 int ipoff, iplen; 406 ipoff = ntohs(ip->ip_off); 407 iplen = ntohs(ip->ip_len); 408 if (ipoff & (IP_MF | IP_OFFMASK)) 409 snprintf(SNPARGS(fragment, 0), 410 " (frag %d:%d@%d%s)", 411 ntohs(ip->ip_id), iplen - (ip->ip_hl << 2), 412 offset << 3, 413 (ipoff & IP_MF) ? "+" : ""); 414 } 415 } 416 if (oif || m->m_pkthdr.rcvif) 417 log(LOG_SECURITY | LOG_INFO, 418 "ipfw: %d %s %s %s via %s%s\n", 419 f ? f->rulenum : -1, 420 action, proto, oif ? "out" : "in", 421 oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname, 422 fragment); 423 else 424 log(LOG_SECURITY | LOG_INFO, 425 "ipfw: %d %s %s [no if info]%s\n", 426 f ? f->rulenum : -1, 427 action, proto, fragment); 428 if (limit_reached) 429 log(LOG_SECURITY | LOG_NOTICE, 430 "ipfw: limit %d reached on entry %d\n", 431 limit_reached, f ? f->rulenum : -1); 432} 433/* end of file */
|