osdir.com
mailing list archive

Subject: PF and tcpdump Label Patch - msg#00062

List: os.freebsd.devel.pf4freebsd


Hello,

I wrote a patch for PF to log "label" names like IPF's log-tag option.
PF already has a label option to mark rules in `pfctl -sr`, but it
does not write labels to the log file, which is very useful to match log
entries to rules or groups of rules created by lists
( pass from any to any port {10,20,30,40} label "passing_ports" etc...)

For example:

pass in log quick all keep state label MAIN_RULE

So a log line looks like this:

2006-06-21 18:26:06.969874 rule 67/0(match): pass in on bge0: label
MAIN_RULE: 192.168.9.99.53568 > 66.249.85.99.80: S ...

To properly use tcpdump to display log entries from the pflog0 interface,
tcpdump has to be patched also. Since the above patch changes a struct in
pflog, log packets appear truncated without patching tcpdump.

I tested both patches on FreeBSD 5.4 and FreeBSD 6.0.

I attached both patches.


Sincerely,

N. Ersen SISECI
http://www.enderunix.org


--- if_pflog.h.org Wed Apr 5 10:10:56 2006
+++ if_pflog.h Wed Apr 5 09:26:31 2006
@@ -40,6 +40,12 @@
#define PF_RULESET_NAME_SIZE 16
#endif

+#ifndef PF_RULE_LABEL_SIZE
+#define PF_RULE_LABEL_SIZE 64
+#endif
+
+#define PF_LOG_LABEL
+
struct pfloghdr {
u_int8_t length;
sa_family_t af;
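Review bot: `#define PF_LOG_LABEL` is unconditional here (and again in pf.h), so every `#ifdef PF_LOG_LABEL` that follows is always true and the label-less layout can no longer be built; either make it a real build option or drop the conditionals. `PF_RULE_LABEL_SIZE` is guarded by `#ifndef`, so whichever header is included first wins; add a comment that the value must equal the one the kernel uses for `rm->label`, because a mismatch changes the size of a structure that is written to pflog0 and read by userland.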
@@ -50,6 +56,9 @@
u_int32_t rulenr;
u_int32_t subrulenr;
u_int8_t dir;
+#ifdef PF_LOG_LABEL
+ char label[PF_RULE_LABEL_SIZE];
+#endif
u_int8_t pad[3];
};
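Review bot: the new `label[PF_RULE_LABEL_SIZE]` member grows `struct pfloghdr`, and therefore every record written to pflog0, by 64 bytes; this is an on-wire format shared with tcpdump, pflogd and any existing capture files, not a private kernel structure. Placing it before `pad` is sensible, but the header should carry a comment saying the layout must stay in sync with tcpdump's copy and that readers must not assume the field is NUL-terminated.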

--- if_pflog.c.org Wed Apr 5 10:10:52 2006
+++ if_pflog.c Wed Apr 5 10:47:01 2006
@@ -296,6 +296,7 @@
hdr.action = rm->action;
hdr.reason = reason;
memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
+ memcpy(hdr.label, rm->label, sizeof(rm->label));

if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
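Review bot: the copy length should be bounded by the destination, `sizeof(hdr.label)`, not by `sizeof(rm->label)`: `rm->label` is sized by the pf rule structure while `hdr.label` is sized by the `#ifndef`'d `PF_RULE_LABEL_SIZE` in if_pflog.h, and if the two ever differ this memcpy writes past `hdr.label` on the kernel stack. Copying with `strlcpy(hdr.label, rm->label, sizeof(hdr.label))` would also guarantee the terminating NUL that the tcpdump side relies on when it prints the field with `%s`.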
--- pf.h.org Wed Apr 5 10:15:22 2006
+++ pf.h Wed Apr 5 10:18:15 2006
@@ -55,6 +55,8 @@
}

#define PF_RULESET_NAME_SIZE 16
+#define PF_RULE_LABEL_SIZE 64
+

/* from $OpenBSD: if_pflog.h,v 1.9 2003/07/15 20:27:27 dhartmei Exp $ */
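Review bot: `PF_RULE_LABEL_SIZE` is defined here without the `#ifndef` guard used in if_pflog.h; since pf.h is tcpdump's private copy of the pflog header the two values must match exactly or tcpdump's field offsets drift from the kernel's, so a comment saying it mirrors the kernel definition would help whoever next syncs this file. The added `+` blank line sits on top of the existing blank line and leaves a double blank.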

@@ -62,6 +64,8 @@
#define IFNAMSIZ 16
#endif

+#define PF_LOG_LABEL
+
struct pfloghdr {
u_int8_t length;
sa_family_t af;
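Review bot: with `PF_LOG_LABEL` defined unconditionally, a tcpdump built from this tree can only decode the extended layout; captures from an unpatched kernel, and old pflog files, will be parsed with the wrong header size. Since the header already starts with a `length` byte, consider selecting the layout at runtime from `hdr->length` instead of at compile time.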
@@ -72,6 +76,9 @@
u_int32_t rulenr;
u_int32_t subrulenr;
u_int8_t dir;
+#ifdef PF_LOG_LABEL
+ char label[PF_RULE_LABEL_SIZE];
+#endif
u_int8_t pad[3];
};
#define PFLOG_HDRLEN sizeof(struct pfloghdr)
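Review bot: this grows `PFLOG_HDRLEN` by `PF_RULE_LABEL_SIZE` bytes to mirror the kernel change; a record from a kernel without the patch will still be longer than any minimum-length check and so is misparsed silently rather than rejected. Suggest having print-pflog.c compare `hdr->length` against both known header lengths and report an unknown value instead of assuming the new layout.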
--- print-pflog.c.org Wed Apr 5 10:15:31 2006
+++ print-pflog.c Wed Apr 5 10:17:44 2006
@@ -81,11 +81,20 @@
printf("rule %u.%s.%u/", ntohl(hdr->rulenr), hdr->ruleset,
ntohl(hdr->subrulenr));

- printf("%s: %s %s on %s: ",
+#ifndef PF_LOG_LABEL
+ printf("%s: %s %s on %s:",
tok2str(pf_reasons, "unkn(%u)", hdr->reason),
tok2str(pf_actions, "unkn(%u)", hdr->action),
tok2str(pf_directions, "unkn(%u)", hdr->dir),
hdr->ifname);
+#else
+ printf("%s: %s %s on %s: label %s: ",
+ tok2str(pf_reasons, "unkn(%u)", hdr->reason),
+ tok2str(pf_actions, "unkn(%u)", hdr->action),
+ tok2str(pf_directions, "unkn(%u)", hdr->dir),
+ hdr->ifname,
+ hdr->label);
+#endif
}

u_int
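Review bot: two problems in this hunk. First, the `#ifndef PF_LOG_LABEL` branch changes the original format string from `"%s: %s %s on %s: "` to `"%s: %s %s on %s:"`, dropping the trailing space and altering output for the label-less build, which the conditional should leave untouched. Second, in the `#else` branch `hdr->label` is printed with a bare `%s`, but the header comes straight out of a capture (possibly a file from another host) and nothing guarantees a NUL within the 64 bytes, so printf can read past the field; use a bounded form such as `%.*s` with `(int)sizeof(hdr->label)`, or copy into a local buffer and terminate it. Printing `label %s: ` unconditionally also yields `label : ` for rules without a label; printing it only when `hdr->label[0] != '\0'` keeps the old output for unlabelled rules.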
_______________________________________________
freebsd-pf@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@xxxxxxxxxxx"
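An added example, not part of the posted patches, showing how a pflog reader can accept records from both an unpatched and a patched kernel instead of being tied to one layout at compile time, and how to print the label with a bound. It assumes the header's length byte holds the header size minus pad (45 for the original struct, 109 with the 64-byte label), as OpenBSD's pflog does; the sample records are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define PF_RULE_LABEL_SIZE 64
struct pfloghdr_labeled {            /* struct pfloghdr as the patch lays it out */
    uint8_t  length, af, action, reason;
    char     ifname[16], ruleset[16];
    uint32_t rulenr, subrulenr;
    uint8_t  dir;
    char     label[PF_RULE_LABEL_SIZE];  /* not present in the pre-patch layout */
    uint8_t  pad[3];
};
#define OLD_REAL_HDRLEN (offsetof(struct pfloghdr_labeled, dir) + 1) /* 45: length byte, old layout */
#define NEW_REAL_HDRLEN offsetof(struct pfloghdr_labeled, pad) /* 109: length byte, new layout (size minus pad, assumed as in OpenBSD's pflog) */
#define HDRLEN(labeled) (sizeof(struct pfloghdr_labeled) - ((labeled) ? 0 : PF_RULE_LABEL_SIZE))
struct pflog_rec {                   /* hdrlen == 0 means the record was rejected */
    size_t hdrlen; uint32_t rulenr; char label[PF_RULE_LABEL_SIZE + 1];
};
struct pflog_rec pflog_decode(const uint8_t *p, size_t caplen)
{
    struct pflog_rec r = {0}; int labeled;
    if (caplen < 1 || (p[0] != OLD_REAL_HDRLEN && p[0] != NEW_REAL_HDRLEN))
        return r;                                   /* unknown layout: do not guess */
    labeled = (p[0] == NEW_REAL_HDRLEN);
    if (caplen < HDRLEN(labeled))
        return r;                                   /* truncated record */
    memcpy(&r.rulenr, p + offsetof(struct pfloghdr_labeled, rulenr), 4);
    r.rulenr = ntohl(r.rulenr);
    if (labeled) {                                  /* bounded copy: no NUL is guaranteed */
        const char *l = (const char *)p + offsetof(struct pfloghdr_labeled, label); size_t n = 0;
        while (n < PF_RULE_LABEL_SIZE && l[n] != '\0') n++;
        memcpy(r.label, l, n);                      /* r.label keeps room for n + NUL */
    }
    r.hdrlen = HDRLEN(labeled);
    return r;
}
/* Constructed sample (not a real capture): rule 67 with the given label; old layout if !labeled. */
const uint8_t *sample_record(int labeled, const char *label)
{
    static uint8_t buf[sizeof(struct pfloghdr_labeled)]; uint32_t nr = htonl(67);
    memset(buf, 0, sizeof buf);
    buf[0] = labeled ? NEW_REAL_HDRLEN : OLD_REAL_HDRLEN;
    memcpy(buf + offsetof(struct pfloghdr_labeled, rulenr), &nr, 4);
    if (labeled)   /* strncpy leaves a 64-char label unterminated, which exercises the bound above */
        strncpy((char *)buf + offsetof(struct pfloghdr_labeled, label), label, PF_RULE_LABEL_SIZE);
    return buf;
}
```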