Support for (OpenBSD) PFLog low-level pseudo packet type

[Pierre LALET]

This patch adds support for the OpenBSD PFLog low-level pseudo packet type. This is used by Packet Filter to store packet logged (via /var/log/pflog or pflog pseudo-interfaces).

--- scapy.py.official	2006-08-11 14:47:52.000000000 +0200
+++ scapy.py	2006-08-22 21:33:23.000000000 +0200
@@ -3923,6 +3923,13 @@ class StrField(Field):
         self.shift = shift
     def i2len(self, pkt, i):
         return len(i)+self.shift
+    def i2repr(self, pkt, x):
+        try:
+            while x[-1] == "\x00":
+                x = x[:-1]
+        except IndexError:
+            pass
+        return x
     def i2m(self, pkt, x):
         if x is None:
             x = ""
@@ -5831,8 +5838,46 @@ class CookedLinux(Packet):
                     ShortField("lladdrlen",0),
                     StrFixedLenField("src","",8),
                     XShortEnumField("proto",0x800,ETHER_TYPES) ]
-                    
-                                   
+
+
+class PFLog(Packet):
+    name = "PFLog"
+    # from OpenBSD src/sys/net/pfvar.h and src/sys/net/if_pflog.h
+    fields_desc = [ ByteField("hdrlen", 0),
+                    ByteEnumField("addrfamily", 2, {socket.AF_INET: "IPv4",
+                                                    socket.AF_INET6: "IPv6"}),
+                    ByteEnumField("action", 1, {0: "pass", 1: "drop",
+                                                2: "scrub", 3: "no-scrub",
+                                                4: "nat", 5: "no-nat",
+                                                6: "binat", 7: "no-binat",
+                                                8: "rdr", 9: "no-rdr",
+                                                10: "syn-proxy-drop" }),
+                    ByteEnumField("reason", 0, {0: "match", 1: "bad-offset",
+                                                2: "fragment", 3: "short",
+                                                4: "normalize", 5: "memory",
+                                                6: "bad-timestamp",
+                                                7: "congestion",
+                                                8: "ip-options",
+                                                9: "proto-cksum",
+                                                10: "state-mismatch",
+                                                11: "state-insert",
+                                                12: "state-limit",
+                                                13: "src-limit",
+                                                14: "syn-proxy" }),
+                    StrFixedLenField("iface", "", 16),
+                    StrFixedLenField("ruleset", "", 16),
+                    SignedIntField("rulenumber", 0),
+                    SignedIntField("subrulenumber", 0),
+                    SignedIntField("uid", 0),
+                    IntField("pid", 0),
+                    SignedIntField("ruleuid", 0),
+                    IntField("rulepid", 0),
+                    ByteEnumField("direction", 255, {0: "inout", 1: "in",
+                                                     2:"out", 255: "unknown"}),
+                    StrFixedLenField("pad", "\x00\x00\x00", 3 ) ]
+    def mysummary(self):
+        return self.sprintf("%PFLog.addrfamily% %PFLog.action% on %PFLog.iface% by rule %PFLog.rulenumber%")
+
 
 class SNAP(Packet):
     name = "SNAP"
@@ -8287,6 +8332,8 @@ layer_bonds = [ ( Dot3,   LLC,      { } 
                 ( CookedLinux,  EAPOL,    { "proto" : 0x888e } ),
                 ( CookedLinux,  PPPoED,   { "proto" : 0x8863 } ),
                 ( CookedLinux,  PPPoE,    { "proto" : 0x8864 } ),
+                ( PFLog,  IP,       { "addrfamily" : socket.AF_INET } ),
+                ( PFLog,  IP,       { "addrfamily" : socket.AF_INET6 } ),
                 ( GRE,    LLC,      { "proto" : 0x007a } ),
                 ( GRE,    Dot1Q,    { "proto" : 0x8100 } ),
                 ( GRE,    Ether,    { "proto" : 0x0001 } ),
@@ -8456,6 +8503,7 @@ LLTypes = { ARPHDR_ETHER : Ether_Dot3_Di
             802 : PrismHeader,
             105 : Dot11,
             113 : CookedLinux,
+            117 : PFLog,
             119 : PrismHeader, # for atheros
             144 : CookedLinux, # called LINUX_IRDA, similar to CookedLinux
             783 : IrLAPHead,
@@ -8469,6 +8517,7 @@ LLNumTypes = { Ether : ARPHDR_ETHER,
                PrismHeader : 802,
                Dot11 : 105,
                CookedLinux : 113,
+               PFLog : 117,
                CookedLinux : 144,
                IrLAPHead : 783
             }

[Pierre LALET]

By the way, I forgot to mention that I've added an overload for the i2repr() method in StrField? class, to remove trailing '\x00', because I didn't want them to appear in the 'iface' and 'ruleset' fields.

I don't know if the trailing '\x00' can be needed, in some other protocols. If so, I suggest to write a new class StrFixedLenNonZero?(StrFixedLen?) for example that would only overload i2repr().

[Pierre LALET]

The real payload type when the addrfamily field is socket.AF_INET6 is IPv6, of course. So this part of the patch it should be :

@@ -8287,6 +8332,8 @@ layer_bonds = [ ( Dot3,   LLC,      { } 
                 ( CookedLinux,  EAPOL,    { "proto" : 0x888e } ),
                 ( CookedLinux,  PPPoED,   { "proto" : 0x8863 } ),
                 ( CookedLinux,  PPPoE,    { "proto" : 0x8864 } ),
+                ( PFLog,  IP,       { "addrfamily" : socket.AF_INET } ),
+                ( PFLog,  IPv6,     { "addrfamily" : socket.AF_INET6 } ),
                 ( GRE,    LLC,      { "proto" : 0x007a } ),
                 ( GRE,    Dot1Q,    { "proto" : 0x8100 } ),
                 ( GRE,    Ether,    { "proto" : 0x0001 } ),

[pbi]

Milestone network layers deleted

[pbi]

Integrated in [0e75a1764b76]. StrFixedLenField? changed in [d64575f85d44].