1 // Copyright 2012 Google, Inc. All rights reserved.
3 // Use of this source code is governed by a BSD-style license
4 // that can be found in the LICENSE file in the root of the source
13 "github.com/google/gopacket"
// PFDirection is the direction byte of a pflog header. DecodeFromBytes
// converts the raw byte without range-checking it, so a value read from a
// packet may be outside the constants below.
type PFDirection uint8

// Known PFDirection values. The numeric values are fixed by the pflog header
// format and must not change.
const (
	PFDirectionInOut PFDirection = iota // 0
	PFDirectionIn                       // 1
	PFDirectionOut                      // 2
)
// PFLog provides the layer for 'pf' packet-filter logging, as described at
// http://www.freebsd.org/cgi/man.cgi?query=pflog&sektion=4
//
// All multi-byte integers are decoded as big-endian by DecodeFromBytes.
// Every field is taken from the record as-is; none of them is validated.
type PFLog struct {
	BaseLayer

	// Length is the header length byte (offset 0). The decoder adds 3 to it
	// to obtain the padded header size.
	Length uint8
	// Family (offset 1) selects the layer type of the payload.
	Family ProtocolFamily
	// Reason and Action are the single-byte codes at offsets 2 and 3.
	Reason uint8
	Action uint8
	// IFName (offsets 4-19) and Ruleset (offsets 20-35) are fixed 16-byte
	// fields. They alias the decoded buffer rather than copying it, and are
	// presumably NUL-padded names; trim before printing or comparing.
	IFName  []byte
	Ruleset []byte
	// RuleNum and SubruleNum are read from offsets 36-39 and 40-43.
	RuleNum    uint32
	SubruleNum uint32
	// UID/PID and RuleUID/RulePID are read from offsets 44-59. The PID
	// values are reinterpreted from unsigned 32-bit to int32.
	UID     uint32
	PID     int32
	RuleUID uint32
	RulePID int32
	// Direction is the byte at offset 60.
	Direction PFDirection
	// The remainder is padding
}
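// DecodeFromBytes decodes a pflog header from data into pf.
//
// data originates from a capture or a live interface and is untrusted. The
// length of data is checked before any fixed-offset read and again before the
// header/payload split, so a short or malformed record returns an error
// instead of panicking with an out-of-range index.
//
// IFName, Ruleset, Contents and Payload are sub-slices of data, not copies;
// they stay valid only as long as the caller does not reuse the buffer.
func (pf *PFLog) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) error {
	// The fixed fields end with the direction byte at offset 60.
	const fixedLen = 61
	if len(data) < fixedLen {
		df.SetTruncated()
		return errors.New("PFLog data shorter than fixed header")
	}

	pf.Length = data[0]
	pf.Family = ProtocolFamily(data[1])
	pf.Reason = data[2]
	pf.Action = data[3]
	pf.IFName = data[4:20]
	pf.Ruleset = data[20:36]
	pf.RuleNum = binary.BigEndian.Uint32(data[36:40])
	pf.SubruleNum = binary.BigEndian.Uint32(data[40:44])
	pf.UID = binary.BigEndian.Uint32(data[44:48])
	pf.PID = int32(binary.BigEndian.Uint32(data[48:52]))
	pf.RuleUID = binary.BigEndian.Uint32(data[52:56])
	pf.RulePID = int32(binary.BigEndian.Uint32(data[56:60]))
	pf.Direction = PFDirection(data[60])

	if pf.Length%4 != 1 {
		return errors.New("PFLog header length should be 3 less than multiple of 4")
	}

	// The length byte is attacker-controlled; Length+3 is the padded header
	// size and must fit inside data before it is used as a slice bound.
	actualLength := int(pf.Length) + 3
	if len(data) < actualLength {
		df.SetTruncated()
		return errors.New("PFLog data shorter than declared header length")
	}
	pf.Contents = data[:actualLength]
	pf.Payload = data[actualLength:]
	return nil
}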
// LayerType reports the layer type of this layer, LayerTypePFLog.
func (pf *PFLog) LayerType() gopacket.LayerType {
	return LayerTypePFLog
}
// CanDecode reports the class of layers this decoder handles, which is the
// single layer type LayerTypePFLog.
func (pf *PFLog) CanDecode() gopacket.LayerClass {
	return LayerTypePFLog
}
// NextLayerType returns the layer type of the payload, derived from the
// Family field. Family is read from the packet without validation, so the
// choice of the next decoder is driven by untrusted input.
func (pf *PFLog) NextLayerType() gopacket.LayerType {
	next := pf.Family.LayerType()
	return next
}
// decodePFLog is the package-level decoder entry point for pflog records: it
// passes a fresh PFLog, the raw bytes and the packet builder to
// decodingLayerDecoder and returns its error.
func decodePFLog(data []byte, p gopacket.PacketBuilder) error {
	return decodingLayerDecoder(&PFLog{}, data, p)
}