Hi Pablo Pablo Neira Ayuso wrote:
Hm, I get this warnings with your patch:
Fixed it (added casts) within the attached patch.
Now arp_spa and arp_tpa use ptr instead of ui32. Please, clarify
I changed to ui32, since ip_addr is ui32, but the arp ip fields are ui8[4]. I think ui32 should be correct with the casts now. peter
Adds AF_BRIDGE and ARP header interpreter to BASE plugin This patch adds an AF_BRIDGE interpreter to ulogd_raw2packet_BASE plugin, which allows to log packets coming from ebtables. It also adds an ARP header decoder. Signed-off-by: Peter Warasin <peter@xxxxxxxxxx> --- filter/raw2packet/ulogd_raw2packet_BASE.c | 127 +++++++++++++++++++++++++++++- 1 file changed, 125 insertions(+), 2 deletions(-) Index: ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c =================================================================== --- ulogd2.orig/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-13 23:58:17.000000000 +0100 +++ ulogd2/filter/raw2packet/ulogd_raw2packet_BASE.c 2008-02-15 18:17:07.000000000 +0100 @@ -10,6 +10,7 @@ * o UDP header * o ICMP header * o AH/ESP header + * o ARP header * * (C) 2000-2005 by Harald Welte <laforge@xxxxxxxxxxxx> * @@ -42,11 +43,13 @@ #include <netinet/udp.h> #include <ulogd/ulogd.h> #include <ulogd/ipfix_protocol.h> +#include <netinet/if_ether.h> enum input_keys { INKEY_RAW_PCKT, INKEY_RAW_PCKTLEN, INKEY_OOB_FAMILY, + INKEY_OOB_PROTOCOL, }; enum output_keys { @@ -101,6 +104,14 @@ KEY_ICMPV6_ECHOSEQ, KEY_ICMPV6_CSUM, KEY_AHESP_SPI, + KEY_OOB_PROTOCOL, + KEY_ARP_HTYPE, + KEY_ARP_PTYPE, + KEY_ARP_OPCODE, + KEY_ARP_SHA, + KEY_ARP_SPA, + KEY_ARP_THA, + KEY_ARP_TPA, }; static struct ulogd_key iphdr_rets[] = { @@ -455,7 +466,46 @@ .flags = ULOGD_RETF_NONE, .name = "ahesp.spi", }, - + [KEY_OOB_PROTOCOL] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "oob.protocol", + }, + [KEY_ARP_HTYPE] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "arp.hwtype", + }, + [KEY_ARP_PTYPE] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "arp.protocoltype", + }, + [KEY_ARP_OPCODE] = { + .type = ULOGD_RET_UINT16, + .flags = ULOGD_RETF_NONE, + .name = "arp.operation", + }, + [KEY_ARP_SHA] = { + .type = ULOGD_RET_RAW, + .flags = ULOGD_RETF_NONE, + .name = "arp.shwaddr", + }, + [KEY_ARP_SPA] = { + .type = ULOGD_RET_IPADDR, + .flags = ULOGD_RETF_NONE, + .name = "arp.saddr", + }, + [KEY_ARP_THA] = { + .type = ULOGD_RET_RAW, + .flags = ULOGD_RETF_NONE, + .name = "arp.dhwaddr", + }, + [KEY_ARP_TPA] = { + .type = ULOGD_RET_IPADDR, + .flags = ULOGD_RETF_NONE, + .name = "arp.daddr", + }, }; /*********************************************************************** @@ -825,16 +875,84 @@ return 0; } +/*********************************************************************** + * ARP HEADER + ***********************************************************************/ +static int _interp_arp(struct ulogd_pluginstance *pi, u_int32_t len) +{ + struct ulogd_key *ret = pi->output.keys; + const struct ether_arp *arph = + GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr; + + if (len < sizeof(struct ether_arp)) + return 0; + + ret[KEY_ARP_HTYPE].u.value.ui16 = ntohs(arph->arp_hrd); + SET_VALID(ret[KEY_ARP_HTYPE]); + ret[KEY_ARP_PTYPE].u.value.ui16 = ntohs(arph->arp_pro); + SET_VALID(ret[KEY_ARP_PTYPE]); + ret[KEY_ARP_OPCODE].u.value.ui16 = ntohs(arph->arp_op); + SET_VALID(ret[KEY_ARP_OPCODE]); + + ret[KEY_ARP_SHA].u.value.ptr = &arph->arp_sha; + SET_VALID(ret[KEY_ARP_SHA]); + ret[KEY_ARP_SPA].u.value.ui32 = (u_int32_t)arph->arp_spa; + SET_VALID(ret[KEY_ARP_SPA]); + + ret[KEY_ARP_THA].u.value.ptr = &arph->arp_tha; + SET_VALID(ret[KEY_ARP_THA]); + ret[KEY_ARP_TPA].u.value.ui32 = (u_int32_t)arph->arp_tpa; + SET_VALID(ret[KEY_ARP_TPA]); + + return 0; +} + +/*********************************************************************** + * ETHER HEADER + ***********************************************************************/ + +static int _interp_bridge(struct ulogd_pluginstance *pi, u_int32_t len) +{ + struct ulogd_key *ret = pi->output.keys; + const struct sk_buff *skb = + GET_VALUE(pi->input.keys, INKEY_RAW_PCKT).ptr; + const u_int16_t proto = + GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16; + + switch (proto) { + case ETH_P_IP: + _interp_iphdr(pi, len); + break; + case ETH_P_IPV6: + _interp_ipv6hdr(pi, len); + break; + case ETH_P_ARP: + _interp_arp(pi, len); + break; + /* ETH_P_8021Q ?? others? */ + }; + + return 0; +} + + static int _interp_pkt(struct ulogd_pluginstance *pi) { u_int32_t len = GET_VALUE(pi->input.keys, INKEY_RAW_PCKTLEN).ui32; u_int8_t family = GET_VALUE(pi->input.keys, INKEY_OOB_FAMILY).ui8; + struct ulogd_key *ret = pi->output.keys; + + ret[KEY_OOB_PROTOCOL].u.value.ui16 = + GET_VALUE(pi->input.keys, INKEY_OOB_PROTOCOL).ui16; + SET_VALID(ret[KEY_OOB_PROTOCOL]); switch (family) { case AF_INET: return _interp_iphdr(pi, len); case AF_INET6: return _interp_ipv6hdr(pi, len); + case AF_BRIDGE: + return _interp_bridge(pi, len); } return 0; } @@ -859,7 +977,12 @@ { .type = ULOGD_RET_UINT8, .name = "oob.family", - } + }, + { + .type = ULOGD_RET_UINT16, + .name = "oob.protocol", + }, + }; static struct ulogd_plugin base_plugin = {