git: 4a02faa114c5 - main - ipfw: add IPv6 logging support for fwd tablearg opcode

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Andrey V. Elsukov <ae_at_FreeBSD.org>
Date: Fri, 18 Apr 2025 12:34:16 UTC
The branch main has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=4a02faa114c5914dd13a25d81d36b3bb44e70dc9

commit 4a02faa114c5914dd13a25d81d36b3bb44e70dc9
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2025-04-18 11:40:14 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2025-04-18 11:40:14 +0000

    ipfw: add IPv6 logging support for fwd tablearg opcode
    
    Obtained from:  Yandex LLC
    MFC after:      2 weeks
    Sponsored by:   Yandex LLC
---
 sys/netpfil/ipfw/ip_fw_log.c | 81 ++++++++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 29 deletions(-)

diff --git a/sys/netpfil/ipfw/ip_fw_log.c b/sys/netpfil/ipfw/ip_fw_log.c
index 389b04ccbace..3f3980b8ee65 100644
--- a/sys/netpfil/ipfw/ip_fw_log.c
+++ b/sys/netpfil/ipfw/ip_fw_log.c
@@ -224,39 +224,62 @@ ipfw_log_syslog(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
 			snprintf(SNPARGS(action2, 0), "Queue %d",
 				TARG(cmd->arg1, pipe));
 			break;
-		case O_FORWARD_IP: {
-			char buf[INET_ADDRSTRLEN];
-			ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd;
-			int len;
-			struct in_addr dummyaddr;
-			if (sa->sa.sin_addr.s_addr == INADDR_ANY)
-				dummyaddr.s_addr = htonl(tablearg);
-			else
-				dummyaddr.s_addr = sa->sa.sin_addr.s_addr;
-
-			len = snprintf(SNPARGS(action2, 0), "Forward to %s",
-				inet_ntoa_r(dummyaddr, buf));
-
-			if (sa->sa.sin_port)
-				snprintf(SNPARGS(action2, len), ":%d",
-				    sa->sa.sin_port);
+		case O_FORWARD_IP:
+			if (IS_IP4_FLOW_ID(&args->f_id)) {
+				char buf[INET_ADDRSTRLEN];
+				const struct sockaddr_in *sin = &insntod(cmd, sa)->sa;
+				int len;
+
+				/* handle fwd tablearg */
+				if (sin->sin_addr.s_addr == INADDR_ANY) {
+					struct in_addr tmp;
+
+					tmp.s_addr = htonl(
+					    TARG_VAL(chain, tablearg, nh4));
+					inet_ntoa_r(tmp, buf);
+				} else
+					inet_ntoa_r(sin->sin_addr, buf);
+				len = snprintf(SNPARGS(action2, 0),
+				    "Forward to %s", buf);
+				if (sin->sin_port != 0)
+					snprintf(SNPARGS(action2, len), ":%d",
+					    sin->sin_port);
 			}
-			break;
+			/* FALLTHROUGH */
 #ifdef INET6
-		case O_FORWARD_IP6: {
-			char buf[INET6_ADDRSTRLEN];
-			ipfw_insn_sa6 *sa = (ipfw_insn_sa6 *)cmd;
-			int len;
-
-			len = snprintf(SNPARGS(action2, 0), "Forward to [%s]",
-			    ip6_sprintf(buf, &sa->sa.sin6_addr));
-
-			if (sa->sa.sin6_port)
-				snprintf(SNPARGS(action2, len), ":%u",
-				    sa->sa.sin6_port);
+		case O_FORWARD_IP6:
+			if (IS_IP6_FLOW_ID(&args->f_id)) {
+				char buf[INET6_ADDRSTRLEN];
+				struct sockaddr_in6 tmp;
+				const struct sockaddr_in *sin = &insntod(cmd, sa)->sa;
+				struct sockaddr_in6 *sin6 = &insntod(cmd, sa6)->sa;
+				int len;
+
+				if (cmd->opcode == O_FORWARD_IP &&
+				    sin->sin_addr.s_addr == INADDR_ANY) {
+					sin6 = &tmp;
+					sin6->sin6_addr =
+					    TARG_VAL(chain, tablearg, nh6);
+					sin6->sin6_scope_id =
+					    TARG_VAL(chain, tablearg, zoneid);
+					sin6->sin6_port = sin->sin_port;
+				}
+
+				ip6_sprintf(buf, &sin6->sin6_addr);
+				if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) &&
+				    sin6->sin6_scope_id != 0)
+					len = snprintf(SNPARGS(action2, 0),
+					    "Forward to [%s%%%u]",
+					    buf, sin6->sin6_scope_id);
+				else
+					len = snprintf(SNPARGS(action2, 0),
+					    "Forward to [%s]", buf);
+				if (sin6->sin6_port != 0)
+					snprintf(SNPARGS(action2, len), ":%u",
+					    sin6->sin6_port);
 			}
-			break;
 #endif
+			break;
 		case O_NETGRAPH:
 			snprintf(SNPARGS(action2, 0), "Netgraph %d",
 				cmd->arg1);