Fix #496 - Add RFC8158 NAT event flags

Author: phaag

Diff for: src/lib/grammar.y

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2016-2022, Peter Haag
+ *  Copyright (c) 2016-2023, Peter Haag
  *  Copyright (c) 2004-2008, SWITCH - Teleinformatikdienste fuer Lehre und Forschung
  *  All rights reserved.
  *  
@@ -1329,7 +1329,7 @@ term:	ANY { /* this is an unconditionally true expression, as a filter applies i
 	} 
 
 
-| PAYLOAD REGEX STRING {
+  | PAYLOAD REGEX STRING {
 		if (strlen($3)>64) {
 			yyerror("word too long");
 			YYABORT;
@@ -1344,7 +1344,7 @@ term:	ANY { /* this is an unconditionally true expression, as a filter applies i
 		$$.self = NewBlock(OffsetPayload, 0, 0, CMP_REGEX, FUNC_NONE, (char *)program); 
 	} 
 
-| PAYLOAD REGEX STRING STRING{
+  | PAYLOAD REGEX STRING STRING{
 		if (strlen($3)>64) {
 			yyerror("word too long");
 			YYABORT;

Diff for: src/lib/nfxV3.h

@@ -235,7 +235,7 @@ typedef struct EXflowMisc_s {
 #define SIZEflowEndReason MemberSize(EXflowMisc_t, flowEndReason)
     // align bytes
     uint8_t revTcpFlags;
-    uint8_t fill;
+    uint8_t fragmentFlags;  // XXX not yet implemented
 } EXflowMisc_t;
 #define EXflowMiscSize (sizeof(EXflowMisc_t) + sizeof(elementHeader_t))
 

Diff for: src/lib/output_util.c

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2022, Peter Haag
+ *  Copyright (c) 2019-2023, Peter Haag
  *  All rights reserved.
  *
  *  Redistribution and use in source and binary forms, with or without
@@ -182,6 +182,57 @@ static char *protoList[NumProtos] = {
     "MPLS"    // 137	MPLS-in-IP
 };
 
+// RFC 8158, section 4.3, "Definition of NAT events"
+/*
+          +-------+------------------------------------+
+          | Value | Event Name                         |
+          +-------+------------------------------------+
+          | 0     | Reserved                           |
+          | 1     | NAT translation create (Historic)  |
+          | 2     | NAT translation delete (Historic)  |
+          | 3     | NAT Addresses exhausted            |
+          | 4     | NAT44 session create               |
+          | 5     | NAT44 session delete               |
+          | 6     | NAT64 session create               |
+          | 7     | NAT64 session delete               |
+          | 8     | NAT44 BIB create                   |
+          | 9     | NAT44 BIB delete                   |
+          | 10    | NAT64 BIB create                   |
+          | 11    | NAT64 BIB delete                   |
+          | 12    | NAT ports exhausted                |
+          | 13    | Quota Exceeded                     |
+          | 14    | Address binding create             |
+          | 15    | Address binding delete             |
+          | 16    | Port block allocation              |
+          | 17    | Port block de-allocation           |
+          | 18    | Threshold Reached                  |
+          +-------+------------------------------------+
+*/
+
+#define MAX_EVENTS 19
+static struct event_flags_s {
+    char *sname;
+    char *lname;
+} event_flags[MAX_EVENTS] = {{"INVALID", "INVALID"},
+                             {"ADD", "NAT translation create"},
+                             {"DELETE", "NAT translation delete"},
+                             {"EXHAUST", "NAT Addresses exhausted"},
+                             {"ADD44", "NAT44 session create"},
+                             {"DEL44", "NAT44 session delete"},
+                             {"ADD64", "NAT64 session create"},
+                             {"DEL64", "NAT64 session delete"},
+                             {"ADD44BIB", "NAT44 BIB create"},
+                             {"DEL44BIB", "NAT44 BIB delete"},
+                             {"ADD64BIB", "NAT64 BIB create"},
+                             {"DEL64BIB", "NAT64 BIB delete"},
+                             {"PEXHAUST", "NAT ports exhausted"},
+                             {"QUOTAEXH", "Quota Exceeded"},
+                             {"ADDADDR", "Address binding create"},
+                             {"DELADDR", "Address binding delete"},
+                             {"ADDPBLK", "Port block allocation"},
+                             {"DELPBLK", "Port block de-allocation"},
+                             {"THRESHLD", "Threshold Reached"}};
+
 char *ProtoString(uint8_t protoNum, uint32_t plainNumbers) {
     static char s[16];
 
@@ -351,20 +402,11 @@ char *FwEventString(int event) {
 
 }  // End of FwEventString
 
-char *EventString(int event) {
-    switch (event) {
-        case 0:
-            return "INVALID";
-            break;
-        case 1:
-            return "ADD";
-            break;
-        case 2:
-            return "DELETE";
-            break;
-        default:
-            return "UNKNOWN";
+char *EventString(int event, int longName) {
+    if (event >= MAX_EVENTS) {
+        event = 0;
     }
+    return longName ? event_flags[event].lname : event_flags[event].sname;
 
 }  // End of EventString
 

Diff for: src/lib/output_util.h

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2019-2022, Peter Haag
+ *  Copyright (c) 2019-2023, Peter Haag
  *  All rights reserved.
  *
  *  Redistribution and use in source and binary forms, with or without
@@ -47,7 +47,9 @@ void CondenseV6(char *s);
 
 char *FwEventString(int event);
 
-char *EventString(int event);
+#define SHORTNAME 0
+#define LONGNAME 1
+char *EventString(int event, int longName);
 
 char *EventXString(int xevent);
 

Diff for: src/output/output_fmt.c

@@ -450,7 +450,7 @@ static struct format_token_list_s {
                          // NSEL specifics
                          {"%nfc", 0, "   Conn-ID", String_nfc},                            // NSEL connection ID
                          {"%tevt", 0, "Event time             ", String_EventTime},        // NSEL Flow start time
-                         {"%evt", 0, " Event", String_evt},                                // NSEL event
+                         {"%evt", 0, "   Event", String_evt},                              // NSEL event
                          {"%xevt", 0, " XEvent", String_xevt},                             // NSEL xevent
                          {"%sgt", 0, "  SGT  ", String_sgt},                               // NSEL xevent
                          {"%msec", 0, "   Event Time", String_msecEvent},                  // NSEL event time in msec
@@ -466,7 +466,7 @@ static struct format_token_list_s {
 
                          // NEL
                          // for v.1.6.10 compatibility, keep NEL specific addr/port format tokens
-                         {"%nevt", 0, " Event", String_evt},                               // NAT event
+                         {"%nevt", 0, "   Event", String_evt},                             // NAT event
                          {"%nsa", 0, "   X-late Src IP", String_xlateSrcAddr},             // NAT XLATE src IP
                          {"%nda", 0, "   X-late Dst IP", String_xlateDstAddr},             // NAT XLATE dst IP
                          {"%nsp", 0, "XsPort", String_xlateSrcPort},                       // NAT XLATE src port
@@ -1700,9 +1700,9 @@ static void String_nfc(FILE *stream, master_record_t *r) { fprintf(stream, "%10u
 
 static void String_evt(FILE *stream, master_record_t *r) {
     if (r->fwXevent) {
-        fprintf(stream, "%7s", FwEventString(r->event));
+        fprintf(stream, "%8s", FwEventString(r->event));
     } else {
-        fprintf(stream, "%7s", EventString(r->event));
+        fprintf(stream, "%8s", EventString(r->event, SHORTNAME));
     }
 
 }  // End of String_evt

Diff for: src/output/output_json.c

@@ -451,7 +451,7 @@ static void stringEXnselCommon(FILE *stream, master_record_t *r) {
             "	\"event\" : \"%s\",\n"
             "	\"xevent_id\" : \"%u\",\n"
             "	\"t_event\" : \"%s.%llu\",\n",
-            r->connID, r->event, r->event_flag == FW_EVENT ? FwEventString(r->event) : EventString(r->event), r->fwXevent, datestr,
+            r->connID, r->event, r->event_flag == FW_EVENT ? FwEventString(r->event) : EventString(r->event, LONGNAME), r->fwXevent, datestr,
             r->msecEvent % 1000LL);
 
 }  // End of stringEXnselCommon

Diff for: src/output/output_raw.c

@@ -481,8 +481,8 @@ static void stringsEXnselCommon(FILE *stream, master_record_t *r) {
             "  fw event     =             %5u: %s\n"
             "  fw ext event =             %5u: %s\n"
             "  Event time   =     %13llu [%s.%03llu]\n",
-            r->connID, r->event, r->event_flag == FW_EVENT ? FwEventString(r->event) : EventString(r->event), r->fwXevent, EventXString(r->fwXevent),
-            (long long unsigned)r->msecEvent, datestr, (long long unsigned)(r->msecEvent % 1000L));
+            r->connID, r->event, r->event_flag == FW_EVENT ? FwEventString(r->event) : EventString(r->event, LONGNAME), r->fwXevent,
+            EventXString(r->fwXevent), (long long unsigned)r->msecEvent, datestr, (long long unsigned)(r->msecEvent % 1000L));
 
 }  // End of stringsEXnselCommon
 
@@ -542,7 +542,8 @@ static void stringsEXnselUserID(FILE *stream, master_record_t *r) {
 }  // End of stringsEXnselUserID
 
 static void stringsEXnelCommon(FILE *stream, master_record_t *r) {
-    fprintf(stream, "  nat event    =             %5u: %s\n", r->event, r->event_flag == FW_EVENT ? FwEventString(r->event) : EventString(r->event));
+    fprintf(stream, "  nat event    =             %5u: %s\n", r->event,
+            r->event_flag == FW_EVENT ? FwEventString(r->event) : EventString(r->event, LONGNAME));
 
 }  // End of stringsEXnelCommon