On Thu, Nov 07, 2024 at 05:06:34PM +0100, Marc Boisis wrote:
> 
> Hello,
> 
> In OpenBSD 7.3 and before, we used tcpdump on pfsync0 to log NAT translations.
> Since 7.4, tcpdump only shows "16:57:17.115752 PFSYNCv69 len 1488"
> 
> Have you got a solution to log NAT translations since OpenBSD 7.4?

can you try this?

Index: if_pfsync.c
===================================================================
RCS file: /cvs/src/sys/net/if_pfsync.c,v
diff -u -p -r1.326 if_pfsync.c
--- if_pfsync.c 24 May 2024 06:38:41 -0000      1.326
+++ if_pfsync.c 8 Nov 2024 06:07:53 -0000
@@ -100,9 +100,7 @@
 #include <net/pfvar_priv.h>
 #include <net/if_pfsync.h>
 
-#define PFSYNC_MINPKT ( \
-       sizeof(struct ip) + \
-       sizeof(struct pfsync_header))
+#define PFSYNC_MINPKT sizeof(struct pfsync_header)
 
 struct pfsync_softc;
 
@@ -212,6 +210,7 @@ struct pfsync_softc {
        struct task              sc_ltask;
        struct task              sc_dtask;
        struct ip                sc_template;
+       caddr_t                  sc_bpf;
 
        struct pfsync_slice      sc_slices[PFSYNC_NSLICES];
 
@@ -455,6 +454,7 @@ pfsync_clone_create(struct if_clone *ifc
 
 #if NBPFILTER > 0
        bpfattach(&sc->sc_if.if_bpf, ifp, DLT_PFSYNC, PFSYNC_HDRLEN);
+       bpfattach(&sc->sc_bpf, ifp, DLT_LOOP, sizeof(uint32_t));
 #endif
 
        return (0);
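Review bot: The second bpfattach() on the added line registers `sc->sc_bpf` with DLT_LOOP, but neither this call nor the `caddr_t sc_bpf` member added to struct pfsync_softc in the hunk at line 33 says what the listener is for; a reader has to find pfsync_sendout() to learn that it sees the IP-encapsulated packet rather than the raw pfsync header. Suggest commenting the member, `caddr_t sc_bpf; /* DLT_LOOP listener: outer IP packet as sent/received */`, and the call. Release of the second attachment is not visible here; if pfsync_clone_destroy() calls bpfdetach(ifp), which drops every bpf_if attached to that ifnet, nothing more is needed, otherwise each destroyed clone would leave a bpf_if behind. pfsync_clone_create() starts outside the hunk.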
@@ -618,7 +618,7 @@ pfsync_set_mtu(struct pfsync_softc *sc, 
        if (ifp0 == NULL)
                return (EINVAL);
 
-       if (mtu <= PFSYNC_MINPKT || mtu > ifp0->if_mtu) {
+       if (mtu <= sizeof(struct ip) + PFSYNC_MINPKT || mtu > ifp0->if_mtu) {
                error = EINVAL;
                goto put;
        }
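Review bot: The MTU floor on the changed line and the divisor in pfsync_bulk_req_nstate_bulk() (hunk at line 59) both spell out `sizeof(struct ip) + PFSYNC_MINPKT`, which is exactly the value the old PFSYNC_MINPKT had; now that the macro in the hunk at line 25 covers only the pfsync header, the two copies can drift apart. A second macro such as `#define PFSYNC_MINPKT4 (sizeof(struct ip) + PFSYNC_MINPKT)` used in both places, plus a comment on PFSYNC_MINPKT noting that the IP header is now prepended in pfsync_sendout(), keeps the on-wire minimum defined once. pfsync_set_mtu() starts and ends outside the hunk.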
@@ -945,7 +945,7 @@ pfsync_bulk_req_nstate_bulk(struct pfsyn
 {
        /* calculate the number of packets we expect */
        int t = pf_pool_limits[PF_LIMIT_STATES].limit /
-           ((sc->sc_if.if_mtu - PFSYNC_MINPKT) /
+           ((sc->sc_if.if_mtu - (sizeof(struct ip) + PFSYNC_MINPKT)) /
             sizeof(struct pfsync_state));
 
        /* turn it into seconds */
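Review bot: The inner quotient `(if_mtu - (sizeof(struct ip) + PFSYNC_MINPKT)) / sizeof(struct pfsync_state)` on the changed lines is itself used as a divisor, and pfsync_set_mtu() only rejects an MTU of `sizeof(struct ip) + PFSYNC_MINPKT` or less; unless a larger minimum is enforced somewhere not visible here, an MTU leaving fewer than sizeof(struct pfsync_state) bytes of payload makes that quotient 0 and the division of the state limit traps. The risk predates the change, but since the line is being rewritten it is cheap to split it: `size_t per = (sc->sc_if.if_mtu - (sizeof(struct ip) + PFSYNC_MINPKT)) / sizeof(struct pfsync_state);` then `int t = pf_pool_limits[PF_LIMIT_STATES].limit / (per ? per : 1);`. pfsync_bulk_req_nstate_bulk() continues outside the hunk.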
@@ -1441,12 +1441,6 @@ pfsync_slice_write(struct pfsync_slice *
        ptr = mtod(m, caddr_t);
        off = 0;
 
-       ip = (struct ip *)(ptr + off);
-       off += sizeof(*ip);
-       *ip = sc->sc_template;
-       ip->ip_len = htons(m->m_pkthdr.len);
-       ip->ip_id = htons(ip_randomid());
-
        ph = (struct pfsync_header *)(ptr + off);
        off += sizeof(*ph);
        memset(ph, 0, sizeof(*ph));
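Review bot: With the IP header no longer written here, the `ip` pointer used by the removed lines is presumably still declared at the top of pfsync_slice_write() (outside this hunk) and would now be an unused local; if so, drop the declaration. The pfsync header written by the remaining lines now starts at offset 0 of the mbuf, so any length or offset computation later in this function that assumed a leading struct ip (for example whatever value goes into the header length field, not visible here) should be re-checked against the new layout. pfsync_slice_write() starts and ends outside the hunk.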
@@ -1528,26 +1522,49 @@ static void
 pfsync_sendout(struct pfsync_softc *sc, struct mbuf *m)
 {
        struct ip_moptions imo;
-       unsigned int len = m->m_pkthdr.len;
+       unsigned int len;
+       struct ip *ip;
+
 #if NBPFILTER > 0
-       caddr_t if_bpf = sc->sc_if.if_bpf;
+       caddr_t if_bpf;
+
+       if_bpf = sc->sc_if.if_bpf;
        if (if_bpf)
                bpf_mtap(if_bpf, m, BPF_DIRECTION_OUT);
 #endif
 
+       m = m_prepend(m, sizeof(*ip), M_DONTWAIT);
+       if (m == NULL)
+               goto oerror;
+
+       ip = mtod(m, struct ip *);
+       *ip = sc->sc_template;
+       ip->ip_len = htons(m->m_pkthdr.len);
+       ip->ip_id = htons(ip_randomid());
+
+#if NBPFILTER > 0
+       if_bpf = sc->sc_bpf;
+       if (if_bpf)
+               bpf_mtap_af(if_bpf, AF_INET, m, BPF_DIRECTION_OUT);
+#endif
+
+       len = m->m_pkthdr.len;
+
        imo.imo_ifidx = sc->sc_sync_ifidx;
        imo.imo_ttl = PFSYNC_DFLTTL;
        imo.imo_loop = 0;
        m->m_pkthdr.ph_rtableid = sc->sc_if.if_rdomain;
 
-       if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &imo, NULL, 0) == 0) {
-               counters_pkt(sc->sc_if.if_counters, ifc_opackets,
-                   ifc_obytes, len);
-               pfsyncstat_inc(pfsyncs_opackets);
-       } else {
-               counters_inc(sc->sc_if.if_counters, ifc_oerrors);
-               pfsyncstat_inc(pfsyncs_oerrors);
-       }
+       if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &imo, NULL, 0) != 0)
+               goto oerror;
+
+       counters_pkt(sc->sc_if.if_counters, ifc_opackets, ifc_obytes, len);
+       pfsyncstat_inc(pfsyncs_opackets);
+       return;
+
+oerror:
+       counters_inc(sc->sc_if.if_counters, ifc_oerrors);
+       pfsyncstat_inc(pfsyncs_oerrors);
 }
 
 static void
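Review bot: The `oerror` path is reached both when m_prepend() returns NULL and when ip_output() fails, and in neither case does pfsync_sendout() free m; that is only correct because both callees consume the chain on failure, which nothing in the function states. A comment at the label, `oerror: /* m already freed by m_prepend() or ip_output() */`, would keep a later reader from adding an m_freem() and introducing a double free. It is also worth a comment that the DLT_PFSYNC tap deliberately runs before the prepend (raw pfsync header, as before) while the DLT_LOOP tap runs after it and sees the outer IP header; `len` is read after the prepend, so ifc_obytes keeps counting the IP header as it did when pfsync_slice_write() wrote it.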
@@ -2622,7 +2639,7 @@ pfsync_in_skip(struct pfsync_softc *sc,
 }
 
 static struct mbuf *
-pfsync_input(struct mbuf *m, uint8_t ttl, unsigned int hlen)
+pfsync_input(struct mbuf *m, int af, uint8_t ttl, unsigned int hlen)
 {
        struct pfsync_softc *sc;
        struct pfsync_header *ph;
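Review bot: The new `af` parameter of pfsync_input() is not documented, and unlike ttl and hlen it is not derived from the packet; from the hunk at line 162 its only use is as the address-family word handed to bpf_mtap_af() for the DLT_LOOP tap. A one-line comment on the parameter, `/* af: family of the outer header, recorded by the DLT_LOOP tap */`, would explain why it sits next to the already-parsed header fields. The function body continues outside the hunk.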
@@ -2630,6 +2647,9 @@ pfsync_input(struct mbuf *m, uint8_t ttl
        unsigned int len;
        void (*in)(struct pfsync_softc *,
            const caddr_t, unsigned int, unsigned int);
+#if NBPFILTER > 0
+       caddr_t if_bpf;
+#endif
 
        pfsyncstat_inc(pfsyncs_ipackets);
 
@@ -2655,12 +2675,23 @@ pfsync_input(struct mbuf *m, uint8_t ttl
                goto leave;
        }
 
+#if NBPFILTER > 0
+       if_bpf = sc->sc_bpf;
+       if (if_bpf)
+               bpf_mtap_af(if_bpf, af, m, BPF_DIRECTION_IN);
+#endif
+
        m_adj(m, hlen);
 
        if (m->m_pkthdr.len < sizeof(*ph)) {
                pfsyncstat_inc(pfsyncs_hdrops);
                goto leave;
        }
+#if NBPFILTER > 0
+       if_bpf = sc->sc_if.if_bpf;
+       if (if_bpf)
+               bpf_mtap(if_bpf, m, BPF_DIRECTION_IN);
+#endif
        if (m->m_len < sizeof(*ph)) {
                m = m_pullup(m, sizeof(*ph));
                if (m == NULL)
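Review bot: The DLT_LOOP tap in the first added block runs before m_adj() strips the outer header and before the pfsync header length check, so its listeners see every packet that reached a running pfsync interface, including ones then counted as hdrops, whereas the DLT_PFSYNC tap in the second block is placed after the length check and sees only packets with a complete header. Both placements look intentional, but the asymmetry is easy to misread as a bug, so a comment on each tap would record it: `/* DLT_LOOP: full outer packet, before any pfsync validation */` and `/* DLT_PFSYNC: pfsync header onward, after the length check */`. pfsync_input() starts and ends outside the hunk.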
@@ -3325,7 +3356,7 @@ pfsync_input4(struct mbuf **mp, int *off
 
        ip = mtod(m, struct ip *);
 
-       m = pfsync_input(m, ip->ip_ttl, ip->ip_hl << 2);
+       m = pfsync_input(m, af, ip->ip_ttl, ip->ip_hl << 2);
 
        m_freem(m);
        *mp = NULL;
