From owner-freebsd-audit Sun Jul 1 19:40:57 2001
Date: Sun, 1 Jul 2001 19:40:49 -0700
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: freebsd-audit@freebsd.org
Cc: ru@freebsd.org
Subject: src/sys/netinet/ip_fw.c Patch
Message-ID: <20010701194049.J296@blossom.cjclark.org>

Since this is a patch to a security-critical area, I thought I would make sure to send this here first.

Presently, logging of IP fragmentation is broken (see PR kern/23446). It was suggested that instead of just fixing the bug, I go ahead and do it _all_ right. This code prints fragment information tcpdump(8)-style. For example, here is the ipfw log and tcpdump output of a 5000-byte ping,

Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP:8.0 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@0+)
Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@1480+)
Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@2960+)
Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:568@4440)

19:38:45.075886 192.168.64.60 > 192.168.64.20: icmp: echo request (frag 53113:1480@0+) (ttl 255)
19:38:45.075896 192.168.64.60 > 192.168.64.20: (frag 53113:1480@1480+) (ttl 255)
19:38:45.075911 192.168.64.60 > 192.168.64.20: (frag 53113:1480@2960+) (ttl 255)
19:38:45.075917 192.168.64.60 > 192.168.64.20: (frag 53113:568@4440) (ttl 255)

Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.164
diff -u -r1.164 ip_fw.c
--- ip_fw.c 2001/04/06 06:52:25 1.164
+++ ip_fw.c 2001/07/02 02:23:12
@@ -206,7 +206,8 @@ static int tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f)); static int icmptype_match __P((struct icmp * icmp, struct ip_fw * f)); static void ipfw_report __P((struct ip_fw *f, struct ip *ip, int offset, - struct ifnet *rif, struct ifnet *oif)); + int ip_len, struct ifnet *rif, + struct ifnet *oif)); static void flush_rule_ptrs(void); @@ -492,7 +493,7 @@ } static void -ipfw_report(struct ip_fw *f, struct ip *ip, int offset, +ipfw_report(struct ip_fw *f, struct ip *ip, int offset, int ip_len, struct ifnet *rif, struct ifnet *oif) { struct tcphdr *const tcp = (struct tcphdr *) ((u_int32_t *) ip+ ip->ip_hl); @@ -500,7 +501,7 @@ struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl); u_int64_t count; char *action; - char action2[32], proto[47], name[18], fragment[17]; + char action2[32], proto[47], name[18], fragment[27]; int len; count = f ? f->fw_pcnt : ++counter; @@ -619,9 +620,11 @@ break; } - if (offset != 0) - snprintf(SNPARGS(fragment, 0), " Fragment = %d", - offset); + if (ip->ip_off & (IP_MF|IP_OFFMASK)) + snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)", + ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2), + offset << 3, + (ip->ip_off&IP_MF) ? "+" : ""); else fragment[0] = '\0'; if (oif) @@ -1326,7 +1329,7 @@ bogusfrag: if (fw_verbose && ip != NULL) - ipfw_report(NULL, ip, offset, rif, oif); + ipfw_report(NULL, ip, offset, ip_len, rif, oif); goto dropit; } @@ -1349,7 +1352,7 @@ /* Log to console if desired */ if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose) - ipfw_report(f, ip, offset, rif, oif); + ipfw_report(f, ip, offset, ip_len, rif, oif); /* Take appropriate action */ switch (f->fw_flg & IP_FW_F_COMMAND) { -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
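Review bot: in the `@@ -500,7 +501,7 @@` hunk, `fragment[27]` is sized to exactly the widest string the new format can produce, " (frag 65535:65535@65528+)" plus the terminating NUL, with no slack at all; that is only safe because the write goes through snprintf(SNPARGS(fragment, 0), ...), which is bounded by the buffer size, so a comment tying the 27 to the format string would keep the next format tweak from silently truncating. Suggest: `char action2[32], proto[47], name[18], fragment[27]; /* " (frag 65535:65535@65528+)" + NUL */`.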
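Review bot: in the `@@ -619,9 +620,11 @@` hunk, the new test `ip->ip_off & (IP_MF|IP_OFFMASK)` reads ip_off directly, so it is correct only on paths where ip_off has already been converted to host order (the same assumption the existing `offset` argument makes, so consistent, but worth a comment); and because the condition now also fires for a first fragment (offset 0 with IP_MF set), every fragment's log line changes from ` Fragment = N` to tcpdump's ` (frag id:len@off+)`, a user-visible log-format change that this diff does not accompany with an ipfw(8) update. Minor style point on the same lines: `(ip->ip_off&IP_MF)` drops the spaces around `&` that the line above uses.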
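Review bot: in the `@@ -1326,7 +1329,7 @@` hunk, `ipfw_report(NULL, ip, offset, ip_len, rif, oif)` at the bogusfrag label now reads ip_len, so every `goto bogusfrag` must occur after ip_len has been assigned; worth checking each path into that label, since a report on a rejected fragment is exactly where the new length field is most useful and a stale value would be misleading.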
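As an added example, not code from the patch above nor from FreeBSD's ip_fw.c: a user-space C mirror of the new fragment formatting, built on a hypothetical stand-in `struct ip4_hdr` for the three `struct ip` fields the snippet reads (ip_hl, ip_id in wire order, ip_off in host order, which is the assumption the patch makes), plus a parser for the resulting `(frag id:len@off+)` notation in ipfw and tcpdump lines, and a tiling check `frag_total_len()` over a logged fragment set that reports the gaps and overlaps fragment-based evasion relies on. The four fragments of the 5000-byte ping from the message are constructed inline as sample data; the 27-byte buffer matches the patch, and the worst-case string fits it exactly.

```c
/*
 * Added example, not code from the patch or from FreeBSD's ip_fw.c.
 * User-space stand-in for the patched ipfw_report() fragment formatting,
 * a parser for the resulting log lines, and a check that a logged set of
 * fragments tiles one datagram with no gaps or overlaps.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BSD values of IP_MF and IP_OFFMASK, copied here to avoid <netinet/ip.h>. */
#define FRAG_MF      0x2000
#define FRAG_OFFMASK 0x1fff

/* Hypothetical minimal stand-in for the struct ip fields the code reads. */
struct ip4_hdr {
    uint8_t  hl;   /* ip_hl: header length in 32-bit words */
    uint16_t id;   /* ip_id: network byte order, as on the wire */
    uint16_t off;  /* ip_off: host byte order (assumed, as the patch does) */
};

/* Same size as the patch: " (frag 65535:65535@65528+)" plus NUL. */
#define FRAG_BUFLEN 27

/*
 * Mirror of the patched snippet. ip_len is the datagram's total length in
 * host order, so ip_len minus the header gives this fragment's payload.
 * Returns 0 for an unfragmented packet (buf emptied); otherwise the
 * snprintf result, so a value >= buflen means the string was truncated.
 */
int fmt_frag(const struct ip4_hdr *ip, int ip_len, char *buf, size_t buflen)
{
    if ((ip->off & (FRAG_MF | FRAG_OFFMASK)) == 0) {
        if (buflen) buf[0] = '\0';
        return 0;
    }
    return snprintf(buf, buflen, " (frag %d:%d@%d%s)",
                    ntohs(ip->id), ip_len - (ip->hl << 2),
                    (ip->off & FRAG_OFFMASK) << 3,
                    (ip->off & FRAG_MF) ? "+" : "");
}

/* Formats and compares against an expected string; 1 when they match. */
int fmt_equal(const struct ip4_hdr *ip, int ip_len, const char *expect)
{
    char buf[FRAG_BUFLEN];
    fmt_frag(ip, ip_len, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}

struct fraginfo { unsigned id, len, off; int mf; };

/* Pulls "(frag id:len@off[+])" out of an ipfw or tcpdump line; 1 on success. */
int parse_frag(const char *line, struct fraginfo *fi)
{
    const char *p = strstr(line, "(frag ");
    char plus[2] = "";
    int n;
    if (p == NULL) return 0;
    n = sscanf(p, "(frag %u:%u@%u%1[+]", &fi->id, &fi->len, &fi->off, plus);
    if (n < 3) return 0;
    fi->mf = (n == 4);     /* a trailing '+' means more fragments follow */
    return 1;
}

/* Parses a line and checks every field; 1 when all of them match. */
int frag_equal(const char *line, unsigned id, unsigned len, unsigned off, int mf)
{
    struct fraginfo fi;
    return parse_frag(line, &fi) && fi.id == id && fi.len == len &&
           fi.off == off && fi.mf == mf;
}

/*
 * Tiling check over fragments of one datagram, in any order: returns the
 * reassembled payload length, or -1 on a gap, an overlap (a duplicate
 * included), a non-final fragment whose length is not a multiple of 8,
 * data after the fragment without MF, or no final fragment at all.
 */
long frag_total_len(const struct fraginfo *in, size_t n)
{
    struct fraginfo f[64];
    unsigned next = 0;
    size_t i;
    if (n == 0 || n > 64) return -1;
    memcpy(f, in, n * sizeof *f);
    for (i = 1; i < n; i++) {                  /* insertion sort by offset */
        struct fraginfo k = f[i];
        size_t j = i;
        while (j > 0 && f[j - 1].off > k.off) { f[j] = f[j - 1]; j--; }
        f[j] = k;
    }
    for (i = 0; i < n; i++) {
        if (f[i].off != next) return -1;               /* gap or overlap */
        if (f[i].mf && f[i].len % 8 != 0) return -1;
        if (!f[i].mf && i + 1 != n) return -1;         /* data after last */
        next = f[i].off + f[i].len;
    }
    return f[n - 1].mf ? -1 : (long)next;
}

/* Worked sample (constructed): the four fragments of the 5000-byte ping in
 * the message, 20-byte headers, three 1480-byte pieces and a 568-byte tail,
 * formatted, parsed back, and tiled. */
long ping_total_len(void)
{
    const uint16_t id = htons(53113);          /* wire order, like ip_id */
    const struct ip4_hdr h[4] = {
        { 5, id, FRAG_MF | 0 },   { 5, id, FRAG_MF | 185 },
        { 5, id, FRAG_MF | 370 }, { 5, id, 555 } };   /* offsets / 8 */
    const int ip_len[4] = { 1500, 1500, 1500, 588 };  /* header + payload */
    struct fraginfo fi[4];
    char buf[FRAG_BUFLEN];
    size_t i;
    for (i = 0; i < 4; i++) {
        fmt_frag(&h[i], ip_len[i], buf, sizeof buf);
        if (!parse_frag(buf, &fi[i])) return -1;
    }
    return frag_total_len(fi, 4);              /* 5008 = 5000 + ICMP header */
}

int main(void)
{
    struct ip4_hdr last = { 5, htons(53113), 555 };
    char buf[FRAG_BUFLEN];
    fmt_frag(&last, 588, buf, sizeof buf);
    printf("ipfw: 1000 Accept ICMP 192.168.64.60 192.168.64.20 in via ep0%s\n", buf);
    printf("reassembled payload: %ld bytes\n", ping_total_len());
    return 0;
}
```

The formatter keeps the patch's three details that matter for reading the logs: ip_id goes through ntohs() because the kernel never converts it, the offset is the 13-bit field shifted left by 3, and the `+` marks IP_MF, so the last log line of the sample has no `+` and 4440 + 568 = 5008 bytes of ICMP, the 5000-byte ping plus its 8-byte header. A fragment set that fails frag_total_len() is the kind of traffic worth a deny rule rather than just a log line.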