IPFW ipfw in-kernel nat dtrace

VladiBG

VladiBG

Thanks to PMc for the inspiration of how to trace the libalias(3) nat translations using dtrace(1).

libalias.d
sh: 
fbt:libalias:AddLink:return
{
printf("\n%d icmp=%d udp=%d tcp=%d\nPro=%d (src_addr %d.%d.%d.%d:%d) (dst_addr %d.%d.%d.%d:%d)\n(alias_addr %d.%d.%d.%d:%d) (proxy_addr %d.%d.%d.%d:%d)\n", \
walltimestamp/1000000000, \
args[1]->la->icmpLinkCount, \
args[1]->la->udpLinkCount, \
args[1]->la->tcpLinkCount, \
args[1]->link_type, \
(args[1]->src_addr.s_addr)%256, \
(args[1]->src_addr.s_addr)/256%256, \
(args[1]->src_addr.s_addr)/65536%256, \
(args[1]->src_addr.s_addr)/16777216, \
args[1]->src_port%256*256+args[1]->src_port/256%256, \
(args[1]->dst_addr.s_addr)%256, \
(args[1]->dst_addr.s_addr)/256%256, \
(args[1]->dst_addr.s_addr)/65536%256, \
(args[1]->dst_addr.s_addr)/16777216, \
args[1]->dst_port%256*256+args[1]->dst_port/256%256, \
(args[1]->alias_addr.s_addr)%256, \
(args[1]->alias_addr.s_addr)/256%256, \
(args[1]->alias_addr.s_addr)/65536%256, \
(args[1]->alias_addr.s_addr)/16777216, \
args[1]->alias_port%256*256+args[1]->alias_port/256%256, \
(args[1]->proxy_addr.s_addr)%256, \
(args[1]->proxy_addr.s_addr)/256%256, \
(args[1]->proxy_addr.s_addr)/65536%256, \
(args[1]->proxy_addr.s_addr)/16777216,args[1]->proxy_port%256*256+args[1]->proxy_port/256%256);
}


dtrace -s libalias.d


original file which also include AddLink:entry and DeleteLink:entry
dtrace -n 'AddLink:entry { printf("%s %d icmp=%d udp=%d tcp=%d\n (src_addr %d.%d.%d.%d) (dst_addr %d.%d.%d.%d) (alias_addr %d.%d.%d.%d)\n (src_port %d)", execname, walltimestamp/1000000000, args[0]->icmpLinkCount, args[0]->udpLinkCount, args[0]->tcpLinkCount, arg1%256, arg1/256%256, arg1/65536%256, arg1/16777216, arg2%256, arg2/256%256, arg2/65536%256, arg2/16777216, arg3%256, arg3/256%256, arg3/65536%256, arg3/16777216, arg4%256*256+arg4/256%256); } AddLink:return { printf("%s %d icmp=%d udp=%d tcp=%d\n type=%d (src_addr %d.%d.%d.%d) (dst_addr %d.%d.%d.%d)\n (alias_addr %d.%d.%d.%d) (proxy_addr %d.%d.%d.%d)\n (src_port %d) (dst_port %d) (alias_port %d) (proxy_port %d)\n", execname, walltimestamp/1000000000, args[1]->la->icmpLinkCount, args[1]->la->udpLinkCount, args[1]->la->tcpLinkCount, args[1]->link_type, (args[1]->src_addr.s_addr)%256, (args[1]->src_addr.s_addr)/256%256, (args[1]->src_addr.s_addr)/65536%256, (args[1]->src_addr.s_addr)/16777216, (args[1]->dst_addr.s_addr)%256, (args[1]->dst_addr.s_addr)/256%256, (args[1]->dst_addr.s_addr)/65536%256, (args[1]->dst_addr.s_addr)/16777216, (args[1]->alias_addr.s_addr)%256, (args[1]->alias_addr.s_addr)/256%256, (args[1]->alias_addr.s_addr)/65536%256, (args[1]->alias_addr.s_addr)/16777216, (args[1]->proxy_addr.s_addr)%256, (args[1]->proxy_addr.s_addr)/256%256, (args[1]->proxy_addr.s_addr)/65536%256, (args[1]->proxy_addr.s_addr)/16777216, args[1]->src_port%256*256+args[1]->src_port/256%256, args[1]->dst_port%256*256+args[1]->dst_port/256%256, args[1]->alias_port%256*256+args[1]->alias_port/256%256, args[1]->proxy_port%256*256+args[1]->proxy_port/256%256); } DeleteLink:entry { printf("%s %d icmp=%d udp=%d tcp=%d\n%s type=%d (src_addr %d.%d.%d.%d) (dst_addr %d.%d.%d.%d)\n (alias_addr %d.%d.%d.%d) (proxy_addr %d.%d.%d.%d)\n (src_port %d) (dst_port %d) (alias_port %d) (proxy_port %d)\n", execname, walltimestamp/1000000000, (*(args[0]))->la->icmpLinkCount, (*(args[0]))->la->udpLinkCount, (*(args[0]))->la->tcpLinkCount, (args[1] ? "Perma" : ""), (*(args[0]))->link_type, ((*(args[0]))->src_addr.s_addr)%256, ((*(args[0]))->src_addr.s_addr)/256%256, ((*(args[0]))->src_addr.s_addr)/65536%256, ((*(args[0]))->src_addr.s_addr)/16777216, ((*(args[0]))->dst_addr.s_addr)%256, ((*(args[0]))->dst_addr.s_addr)/256%256, ((*(args[0]))->dst_addr.s_addr)/65536%256, ((*(args[0]))->dst_addr.s_addr)/16777216, ((*(args[0]))->alias_addr.s_addr)%256, ((*(args[0]))->alias_addr.s_addr)/256%256, ((*(args[0]))->alias_addr.s_addr)/65536%256, ((*(args[0]))->alias_addr.s_addr)/16777216, ((*(args[0]))->proxy_addr.s_addr)%256, ((*(args[0]))->proxy_addr.s_addr)/256%256, ((*(args[0]))->proxy_addr.s_addr)/65536%256, ((*(args[0]))->proxy_addr.s_addr)/16777216, (*(args[0]))->src_port%256*256+(*(args[0]))->src_port/256%256, (*(args[0]))->dst_port%256*256+(*(args[0]))->dst_port/256%256, (*(args[0]))->alias_port%256*256+(*(args[0]))->alias_port/256%256, (*(args[0]))->proxy_port%256*256+(*(args[0]))->proxy_port/256%256); }'
 
covacat said:
this looks like endian dependent but most hosts are little endian today. can you use htons and htonl here ?
Click to expand...

Here's the struct
Code: 
struct alias_link * LibAliasRedirectPort(struct libalias *, struct in_addr _src_addr,
            unsigned short _src_port, struct in_addr _dst_addr,
            unsigned short _dst_port, struct in_addr _alias_addr,
            unsigned short _alias_port, unsigned char _proto);
 
what i mean is that internally ips and ports are in big endian and when you print s_addr%256 as the first ip group on a big endian host will be the last group so the ip digit groups will be reversed
also port 80 will be 80*256 and so on
 
covacat Sorry i didn't understand what you mean at the first time. Can you check if this is ok:
C: 
fbt:libalias:AddLink:return
{
printf("\n%Y icmp=%d udp=%d tcp=%d\nPro=%d (src_addr %s:%d) (dst_addr %s:%d)\n(alias_addr %s:%d) (proxy_addr %s:%d)\n", \
walltimestamp, \
args[1]->la->icmpLinkCount, \
args[1]->la->udpLinkCount, \
args[1]->la->tcpLinkCount, \
args[1]->link_type, \
inet_ntoa(&args[1]->src_addr.s_addr), \
htons(args[1]->src_port), \
inet_ntoa(&args[1]->dst_addr.s_addr), \
htons(args[1]->dst_port), \
inet_ntoa(&args[1]->alias_addr.s_addr), \
htons(args[1]->alias_port), \
inet_ntoa(&args[1]->proxy_addr.s_addr), \
htons(args[1]->proxy_port) );
}
 
Without it i get error for incompatible argument with prototype. inet_ntoa expect in_addr_t*
The above example works for me with dtrace D lang
 
You must log in or register to reply here.
Back
Top