opnsenses/filterlog: avoid extracting IPv6 options that are never par…

…sed (opnsense#131) Basically this deletes a lot of esoteric code that was copied from tcpdump when filterlog was created. The options format is confusing and not supported by any parser we know of. Instead just jump through all options to see if we have something that looks like the right protocol (TCP, UDP or CARP/VRRP). PR: opnsense/core#5016
opnsense2 · Sep 6, 2021 · b221352 · b221352
1 parent 5e1cc16
commit b221352
Show file tree

Hide file tree

Showing 10 changed files with 75 additions and 722 deletions.
diff --git a/opnsense/filterlog/Makefile b/opnsense/filterlog/Makefile
@@ -1,6 +1,5 @@
 PORTNAME=	filterlog
-PORTVERSION=	0.4
-PORTREVISION=	3
+PORTVERSION=	0.5
 CATEGORIES=	sysutils
 MASTER_SITES=	# empty
 DISTFILES=	# none

diff --git a/opnsense/filterlog/files/Makefile b/opnsense/filterlog/files/Makefile
@@ -1,10 +1,11 @@
 PROG=	filterlog
 BINDIR= ${PREFIX}/sbin
 
-SRCS=	print-ip.c print-ip6.c print-ip6opts.c print-tcp.c \
-	print-mobility.c filterlog.c
+SRCS=	print-ip.c print-ip6.c print-tcp.c filterlog.c
 MAN=
 
+WARNS=	3
+
 LDADD+=	-lsbuf -lpcap
 
 .include <bsd.prog.mk>
diff --git a/opnsense/filterlog/files/common.h b/opnsense/filterlog/files/common.h
@@ -44,11 +44,6 @@ EXTRACT_32BITS(const void *p)
 const char *code2str(const struct tok *, const char[], int);
 void ip_print(struct sbuf *sbuf, const u_char *bp, u_int length);
 void ip6_print(struct sbuf *sbuf, const u_char *bp, u_int length);
-int mobility_print(struct sbuf *sbuf, const u_char *bp, int len);
-void tcp_print(struct sbuf *sbuf, register const u_char *bp, register u_int length,
-          register const u_char *bp2);
-int hbhopt_print(struct sbuf *sbuf, register const u_char *bp);
-int dstopt_print(struct sbuf *sbuf, register const u_char *bp);
-void ip6_opt_print(struct sbuf *sbuf, const u_char *bp, int len);
+void tcp_print(struct sbuf *sbuf, const u_char *bp, u_int length);
 
 #endif /* _FILTER_LOG_COMMON_H_ */
diff --git a/opnsense/filterlog/files/description.txt b/opnsense/filterlog/files/description.txt
@@ -16,44 +16,9 @@ IPv6
 ====
 
 [Packetfilter], ipversion, class, flow, hoplimit, protoname, protonum, length, src, dst
-[, HBHOPT ][, DSTOPT ][, FRAG6 ][, ROUTING ][, MOBILITY]
 
 The protonum/protoname order is reversed compared to IPv4.
 
-HBHOPT
-======
-
-"HBH", PAD1, PADN | PADNTRUNC
-       RTALERT,data | RTALERTTRUNC | RTALERTINVALID, len
-       JUMBO,data | JUMBOTRUNC | JUMBOINVALID, len
-       HOMEADDR,addr, otheroptions? | HOMEADDRESSINVALID, len | HOMEADDRESSTRUNC
-
-DSTOPT
-======
-
-"DSTOPT", opts...
-
-FRAG6
-=====
-
-"FRAG6", frag
-
-ROUTING
-=======
-
-"ROUTING", len, type, segleft, reserved, TRUNC | hdridx, addr
-
-MOBILITY
-========
-
-"MOBILITY" [, "BINDINGACK", status, flags, sequence, lifetime ]
-           [, "BINDINGERR", status, homeaddr ]
-           [, "BINDINGUPDATE", seq, flags, lifetime ]
-           [, "BRR" (binding request) ]
-           [, "HoTI" | "CoTI" (test init), "Home" | "Care-of", cookie ]
-           [, "HoT" | "CoT" (test), nonce, "Home" | "Care-of", cookie, keygen-token ]
-           [, "TYPE", type , length ]
-
 UDP
 ===
 
@@ -68,3 +33,9 @@ CARP
 ====
 
 [IPv4 | IPv6], type, ttl | hoplimit, vhid, version, advskew, advbase
+
+Caveats
+=======
+
+Partial data may be returned by each component depending on forged packet
+integrity, snap length and other factors, e.g. hardware corruption of packages.
diff --git a/opnsense/filterlog/files/filterlog.c b/opnsense/filterlog/files/filterlog.c
@@ -150,7 +150,7 @@ decode_packet(u_char *user __unused, const struct pcap_pkthdr *pkthdr, const u_c
 	ip = (const struct ip *)packet;
 
         if (length < 4) {
-                sbuf_printf(&sbuf, "%d, IP(truncated-ip %d) ", IP_V(ip), length);
+                sbuf_printf(&sbuf, "%d,truncated-ip=%u", IP_V(ip), length);
 		goto printsbuf;
         }
 

diff --git a/opnsense/filterlog/files/print-ip.c b/opnsense/filterlog/files/print-ip.c
@@ -62,7 +62,7 @@ ip_print_demux(struct sbuf *sbuf, struct ip_print_demux_state *ipds)
 	switch (ipds->nh) {
 	case IPPROTO_TCP:
 		/* pass on the MF bit plus the offset to detect fragments */
-		tcp_print(sbuf, ipds->cp, ipds->len, (const u_char *)ipds->ip);
+		tcp_print(sbuf, ipds->cp, ipds->len);
 		break;
 	case IPPROTO_UDP: {
 		const struct udphdr *up = (const struct udphdr *)ipds->cp;
@@ -72,14 +72,6 @@ ip_print_demux(struct sbuf *sbuf, struct ip_print_demux_state *ipds)
 		    EXTRACT_16BITS(&up->uh_ulen));
 		break;
 	}
-	case IPPROTO_IPV4:
-		/* DVMRP multicast tunnel (ip-in-ip encapsulation) */
-		sbuf_printf(sbuf, "IPV4-IN-IPV4,");
-		break;
-	case IPPROTO_IPV6:
-		/* ip6-in-ip encapsulation */
-		sbuf_printf(sbuf, "IPV6-IN-IPV4,");
-		break;
 	case IPPROTO_VRRP:
 		/* Type, ttl, vhid, version, adbskew, advbase */
 		sbuf_printf(sbuf, "%s,%d,%d,%d,%d,%d",
@@ -88,7 +80,7 @@ ip_print_demux(struct sbuf *sbuf, struct ip_print_demux_state *ipds)
 				ipds->cp[2], ipds->cp[5]);
 		break;
 	default:
-		sbuf_printf(sbuf, "datalength=%d ", ipds->len);
+		sbuf_printf(sbuf, "datalength=%d", ipds->len);
 		break;
 	}
 }
@@ -111,23 +103,22 @@ ip_print(struct sbuf *sbuf,
 	sbuf_printf(sbuf, "%u,", IP_V(ipds->ip));
 
 	if (ntohs(ipds->ip->ip_len) > MAXIMUM_SNAPLEN) {
-		sbuf_printf(sbuf, "[|ip]),");
+		sbuf_printf(sbuf, "[|ip],");
 		return;
 	}
 	if (length < sizeof (struct ip)) {
-		sbuf_printf(sbuf, "truncated-ip= %u),", length);
+		sbuf_printf(sbuf, "truncated-ip=%u,", length);
 		return;
 	}
 	hlen = IP_HL(ipds->ip) * 4;
 	if (hlen < sizeof (struct ip)) {
-		sbuf_printf(sbuf, "bad-hlen=%u),", hlen);
+		sbuf_printf(sbuf, "bad-hlen=%u,", hlen);
 		return;
 	}
 
 	ipds->len = EXTRACT_16BITS(&ipds->ip->ip_len);
 	if (length < ipds->len)
-		sbuf_printf(sbuf, "error='truncated-ip %u bytes missing!',",
-			ipds->len - length);
+		sbuf_printf(sbuf, "truncated-ip=%u,", ipds->len);
 	if (ipds->len < hlen) {
 	    sbuf_printf(sbuf, "bad-len=%u,", ipds->len);
 	    return;