From owner-freebsd-audit  Fri Nov 16  9:41:33 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP id 160E437B405
	for <audit@FreeBSD.ORG>; Fri, 16 Nov 2001 09:41:21 -0800 (PST)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fAGHdvb51990;
	Fri, 16 Nov 2001 19:39:57 +0200 (EET)
	(envelope-from ru)
Date: Fri, 16 Nov 2001 19:39:56 +0200
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>, audit@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
Message-ID: <20011116193956.A46779@sunbay.com>
References: <17182.1005930626@critter.freebsd.dk> <71993.1005931087@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <71993.1005931087@axl.seasidesoftware.co.za>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-audit.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-audit>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-audit>
X-Loop: FreeBSD.ORG

On Fri, Nov 16, 2001 at 07:18:07PM +0200, Sheldon Hearn wrote:
> 
> 
> On Fri, 16 Nov 2001 18:10:26 +0100, Poul-Henning Kamp wrote:
> 
> > The compromise Ruslan and I ended up with when we discussed this in Brighton
> > was that the print would be disabled unless enabled specifically and that
> > the verbose option should also enable it, and that yes, adding useful
> > info to it makes sense.
> 
> I guess one argument in favour of this is the default brevity of the
> IPFW code itself, where the "log" keyword does nothing until special
> action is taken.
> 
> Okay, so Ruslan, are you happy with using getnameinfo() to add
> additional detail?  The only drawback I can think of is that it will
> defeat syslog(3) message coalescing (message repeated X times).
> 
> However, given the default behaviour that Poul-Henning describes, I
> don't think it makes too much sense to worry about that.
> 
Funny thing is that I was just working on this.  :-)

The below patch implements what we were discussing with Poul-Henning,
i.e., have the -log_ipfw_denied option enabled by default in -verbose
mode, when it really makes any sense.

Index: natd.8
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.8,v
retrieving revision 1.48
diff -u -p -r1.48 natd.8
--- natd.8	2001/10/31 16:08:49	1.48
+++ natd.8	2001/11/16 17:39:57
@@ -463,7 +463,11 @@ rules starting from the rule number
 will be used for punching firewall holes.
 The range will be cleared for all rules on startup.
 .It Fl log_ipfw_denied
-Log when a packet can't be re-injected because a ipfw rule deny it.
+Log when a packet can not be re-injected because an
+.Xr ipfw 8
+rule blocks it.
+This is the default with
+.Fl verbose .
 .El
 .Sh RUNNING NATD
 The following steps are necessary before attempting to run
Index: natd.c
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.36
diff -u -p -r1.36 natd.c
--- natd.c	2001/10/31 16:08:49	1.36
+++ natd.c	2001/11/16 17:40:02
@@ -126,7 +126,7 @@ static 	int			packetDirection;
 static  int			dropIgnoredIncoming;
 static  int			logDropped;
 static	int			logFacility;
-static	int			log_ipfw_denied;
+static	int			logIpfwDenied;
 
 int main (int argc, char** argv)
 {
@@ -161,7 +161,7 @@ int main (int argc, char** argv)
 	dynamicMode		= 0;
  	logDropped		= 0;
  	logFacility		= LOG_DAEMON;
-	log_ipfw_denied		= 0;
+	logIpfwDenied		= -1;
 /*
  * Mark packet buffer empty.
  */
@@ -170,6 +170,11 @@ int main (int argc, char** argv)
 
 	ParseArgs (argc, argv);
 /*
+ * Log ipfw(8) denied packets by default in verbose mode.
+ */
+	if (logIpfwDenied == -1)
+		logIpfwDenied = verbose;
+/*
  * Open syslog channel.
  */
 	openlog ("natd", LOG_CONS | LOG_PID | (verbose ? LOG_PERROR : 0),
@@ -616,7 +621,7 @@ static void FlushPacketBuffer (int fd)
 						  (struct ip*) packetBuf,
 						  ifMTU - aliasOverhead);
 		}
-		else if (errno == EACCES && log_ipfw_denied) {
+		else if (errno == EACCES && logIpfwDenied) {
 
 			sprintf (msgBuf, "failed to write packet back");
 			Warn (msgBuf);
@@ -1257,7 +1262,7 @@ static void ParseOption (const char* opt
 		break;
 
 	case LogDenied:
-		logDropped = 1;
+		logDropped = yesNoValue;
 		break;
 
 	case LogFacility:
@@ -1283,8 +1288,10 @@ static void ParseOption (const char* opt
 	case PunchFW:
 		SetupPunchFW(strValue);
 		break;
+
 	case LogIpfwDenied:
-		log_ipfw_denied=1;
+		logIpfwDenied = yesNoValue;;
+		break;
 	}
 }
 

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message