Date: Tue, 15 Dec 2009 00:23:45 -0500 From: David Horn <dhorn2000@gmail.com> To: Luigi Rizzo <rizzo@iet.unipi.it> Cc: current@freebsd.org Subject: Re: [PATCH] ipfw logging through tcpdump ? Message-ID: <25ff90d60912142123o661097c1k1b42eb292efd8acf@mail.gmail.com> In-Reply-To: <20091214235307.GA5345@onelab2.iet.unipi.it> References: <20091214235307.GA5345@onelab2.iet.unipi.it>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Dec 14, 2009 at 6:53 PM, Luigi Rizzo <rizzo@iet.unipi.it> wrote: > The following ipfw patch (which i wrote back in 2001/2002) makes > ipfw logging possible through tcpdump -- it works by passing to the > fake device 'ipfw0' all packets matching rules marked 'log' . > The use is very simple -- to test it just do > > =A0 =A0 =A0 =A0ipfw add 100 count log ip from any to any > > and then > > =A0 =A0 =A0 =A0tcpdump -ni ipfw0 > > will show all matching traffic. > > I think this is a quite convenient and flexible option, so if there > are no objections I plan to commit it to head. > > =A0 =A0 =A0 =A0cheers > =A0 =A0 =A0 =A0luigi > > Index: ../head/sys/netinet/ipfw/ip_fw2.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- ../head/sys/netinet/ipfw/ip_fw2.c =A0 (revision 200551) > +++ ../head/sys/netinet/ipfw/ip_fw2.c =A0 (working copy) > @@ -65,6 +65,8 @@ > =A0#include <sys/ucred.h> > =A0#include <net/ethernet.h> /* for ETHERTYPE_IP */ > =A0#include <net/if.h> > +#include <net/if_types.h> =A0 =A0 =A0/* for IFT_ETHER */ > +#include <net/bpf.h> =A0 =A0 =A0 =A0 =A0 /* for BPF */ > =A0#include <net/radix.h> > =A0#include <net/route.h> > =A0#include <net/pf_mtag.h> > @@ -338,6 +340,15 @@ > =A0 =A0 "Enable keepalives for dyn. rules"); > =A0#endif /* SYSCTL_NODE */ > > +#ifdef DEV_IPFW > +static struct ifnet *ifn; =A0 =A0 =A0/* hook to attach to bpf */ > +static int > +ipfw_ifnet_ioctl(struct ifnet *ifp, u_long cmd, caddr_t addr) > +{ > + =A0 =A0 =A0 return EINVAL; > +} > +#endif > + > =A0/* > =A0* L3HDR maps an ipv4 pointer into a layer3 header pointer of type T > =A0* Other macros just cast void * into the appropriate type > @@ -3056,6 +3067,29 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (V_fw_v= erbose) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0ipfw_log(f, hlen, args, m, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0oif, offset, tablearg, ip); > +#ifdef DEV_IPFW > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 else if (if= n && ifn->if_bpf !=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 /* = This kludge is OK; BPF treats > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= *the "mbuf" as read-only */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 str= uct m_hdr mh; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mh.= mh_next =3D m; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mh.= mh_len =3D ETHER_HDR_LEN; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if = (args->eh) =A0 =A0 =A0 /* layer2, complete */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 mh.mh_data =3D (char *)args->eh; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 els= e { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 /* fake header and restore wire format*/ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 mh.mh_data =3D "DDDDDDSSSSSS\x08\x00"; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 ip->ip_off =3D ntohs(ip->ip_off); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 ip->ip_len =3D ntohs(ip->ip_len); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 BPF= _MTAP(ifn, (struct mbuf *)&mh); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if = (args->eh =3D=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 /* restore IP format */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 ip->ip_off =3D htons(ip->ip_off); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 ip->ip_len =3D htons(ip->ip_len); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } > +#endif /* DEV_IPFW */ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0match =3D = 1; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > > @@ -4830,6 +4864,19 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0printf("limited to %d packets/entry by def= ault\n", > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0V_verbose_limit); > > +#ifdef DEV_IPFW =A0 =A0 =A0 =A0/** bpf code **/ > + =A0 =A0 =A0 ifn =3D if_alloc(IFT_ETHER); > + =A0 =A0 =A0 if_initname(ifn, "ipfw", 0); > + =A0 =A0 =A0 ifn->if_mtu =3D 65536; > + =A0 =A0 =A0 ifn->if_flags =3D IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; > + =A0 =A0 =A0 ifn->if_ioctl =3D ipfw_ifnet_ioctl; =A0 =A0 =A0 =A0/* getad= dr */ > + =A0 =A0 =A0 ifn->if_addrlen =3D 6; > + =A0 =A0 =A0 ifn->if_hdrlen =3D 14; > + =A0 =A0 =A0 if_attach(ifn); > + =A0 =A0 =A0 ifn->if_baudrate =3D IF_Mbps(10); > + =A0 =A0 =A0 bpfattach(ifn, DLT_EN10MB, 14); > +#endif /** end bpf code **/ > + > =A0 =A0 =A0 =A0return (error); > =A0} > > @@ -4840,6 +4887,11 @@ > =A0ipfw_destroy(void) > =A0{ > > +#ifdef DEV_IPFW > + =A0 =A0 =A0 ether_ifdetach(ifn); > + =A0 =A0 =A0 if_free(ifn); > + =A0 =A0 =A0 ifn =3D NULL; > +#endif > =A0 =A0 =A0 =A0uma_zdestroy(ipfw_dyn_rule_zone); > =A0 =A0 =A0 =A0IPFW_DYN_LOCK_DESTROY(); > =A0 =A0 =A0 =A0printf("IP firewall unloaded\n"); Code works well for me with latest current r200562, although a bit of extra fuzz factor was needed for the patch to apply cleanly. My only comment is that I would prefer a tunable or sysctl to having to recompile with CFLAGS+=3D -DDEV_IPFW added to the ipfw module Makefile. Very useful code. ---Dave Horn
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?25ff90d60912142123o661097c1k1b42eb292efd8acf>