From owner-freebsd-current@FreeBSD.ORG Tue Dec 15 05:55:26 2009
Date: Tue, 15 Dec 2009 00:23:45 -0500
Message-ID: <25ff90d60912142123o661097c1k1b42eb292efd8acf@mail.gmail.com>
In-Reply-To: <20091214235307.GA5345@onelab2.iet.unipi.it>
From: David Horn
To: Luigi Rizzo
Cc: current@freebsd.org
Subject: Re: [PATCH] ipfw logging through tcpdump ?

On Mon, Dec 14, 2009 at 6:53 PM, Luigi Rizzo wrote:
> The following ipfw patch (which I wrote back in 2001/2002) makes
> ipfw logging possible through tcpdump -- it works by passing to the
> fake device 'ipfw0' all packets matching rules marked 'log'.
> The use is very simple -- to test it just do
>
>         ipfw add 100 count log ip from any to any
>
> and then
>
>         tcpdump -ni ipfw0
>
> will show all matching traffic.
>
> I think this is a quite convenient and flexible option, so if there
> are no objections I plan to commit it to head.
>
>         cheers
>         luigi
>
> Index: ../head/sys/netinet/ipfw/ip_fw2.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- ../head/sys/netinet/ipfw/ip_fw2.c =A0 (revision 200551) > +++ ../head/sys/netinet/ipfw/ip_fw2.c =A0 (working copy) > @@ -65,6 +65,8 @@ > =A0#include > =A0#include /* for ETHERTYPE_IP */ > =A0#include > +#include =A0 =A0 =A0/* for IFT_ETHER */ > +#include =A0 =A0 =A0 =A0 =A0 /* for BPF */ > =A0#include > =A0#include > =A0#include 
> @@ -338,6 +340,15 @@ > =A0 =A0 "Enable keepalives for dyn. rules"); > =A0#endif /* SYSCTL_NODE */ > > +#ifdef DEV_IPFW > +static struct ifnet *ifn; =A0 =A0 =A0/* hook to attach to bpf */ > +static int > +ipfw_ifnet_ioctl(struct ifnet *ifp, u_long cmd, caddr_t addr) > +{ > + =A0 =A0 =A0 return EINVAL; > +} > +#endif > + > =A0/* > =A0* L3HDR maps an ipv4 pointer into a layer3 header pointer of type T > =A0* Other macros just cast void * into the appropriate type 
> @@ -3056,6 +3067,29 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (V_fw_v= erbose) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0ipfw_log(f, hlen, args, m, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0oif, offset, tablearg, ip); > +#ifdef DEV_IPFW > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 else if (if= n && ifn->if_bpf !=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 /* = This kludge is OK; BPF treats > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= *the "mbuf" as read-only */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 str= uct m_hdr mh; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mh.= mh_next =3D m; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mh.= mh_len =3D ETHER_HDR_LEN; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if = (args->eh) =A0 =A0 =A0 /* layer2, complete */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 mh.mh_data =3D (char *)args->eh; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 els= e { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 /* fake header and restore wire format*/ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 mh.mh_data =3D "DDDDDDSSSSSS\x08\x00"; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 ip->ip_off =3D ntohs(ip->ip_off); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 ip->ip_len =3D ntohs(ip->ip_len); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 BPF= _MTAP(ifn, (struct mbuf *)&mh); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 
=A0 =A0 if = (args->eh =3D=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 /* restore IP format */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 ip->ip_off =3D htons(ip->ip_off); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 ip->ip_len =3D htons(ip->ip_len); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } > +#endif /* DEV_IPFW */ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0match =3D = 1; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > > @@ -4830,6 +4864,19 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0printf("limited to %d packets/entry by def= ault\n", > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0V_verbose_limit); > > +#ifdef DEV_IPFW =A0 =A0 =A0 =A0/** bpf code **/ > + =A0 =A0 =A0 ifn =3D if_alloc(IFT_ETHER); > + =A0 =A0 =A0 if_initname(ifn, "ipfw", 0); > + =A0 =A0 =A0 ifn->if_mtu =3D 65536; > + =A0 =A0 =A0 ifn->if_flags =3D IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; > + =A0 =A0 =A0 ifn->if_ioctl =3D ipfw_ifnet_ioctl; =A0 =A0 =A0 =A0/* getad= dr */ > + =A0 =A0 =A0 ifn->if_addrlen =3D 6; > + =A0 =A0 =A0 ifn->if_hdrlen =3D 14; > + =A0 =A0 =A0 if_attach(ifn); > + =A0 =A0 =A0 ifn->if_baudrate =3D IF_Mbps(10); > + =A0 =A0 =A0 bpfattach(ifn, DLT_EN10MB, 14); > +#endif /** end bpf code **/ > + > =A0 =A0 =A0 =A0return (error); > =A0} 
> > @@ -4840,6 +4887,11 @@ > =A0ipfw_destroy(void) > =A0{ > > +#ifdef DEV_IPFW > + =A0 =A0 =A0 ether_ifdetach(ifn); > + =A0 =A0 =A0 if_free(ifn); > + =A0 =A0 =A0 ifn =3D NULL; > +#endif > =A0 =A0 =A0 =A0uma_zdestroy(ipfw_dyn_rule_zone); > =A0 =A0 =A0 =A0IPFW_DYN_LOCK_DESTROY(); > =A0 =A0 =A0 =A0printf("IP firewall unloaded\n");

Code works well for me with latest current r200562, although a bit of extra fuzz factor was needed for the patch to apply cleanly.

My only comment is that I would prefer a tunable or sysctl to having to recompile with CFLAGS+= -DDEV_IPFW added to the ipfw module Makefile.

Very useful code.

---Dave Horn
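Review bot: the @@ -65 hunk adds its two new includes (for IFT_ETHER and for BPF) unconditionally, while every use of those symbols in the rest of the patch sits under #ifdef DEV_IPFW; that is harmless, but wrapping the includes in the same #ifdef keeps the build option self-contained and makes it obvious what can be dropped if the option is later replaced by a sysctl.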
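Review bot: in the @@ -338 hunk `ipfw_ifnet_ioctl` returns EINVAL for every command, so once `ipfw_init` creates the interface with IFF_UP hard-coded (the @@ -4830 hunk) the administrator has no way to change its flags; that may be fine for a capture-only pseudo-interface but deserves a comment saying so. Also, `ifn` is a single file-scope static while the code around it is per-VNET (`V_fw_verbose`, `V_verbose_limit`), so one ipfw0 is shared by all vnets; please state whether that is intended, and a more descriptive name than `ifn` (for example `ipfw_bpf_ifp`, just a suggestion) would help readers of this file.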
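Review bot: in the @@ -3056 hunk the BPF copy hangs off an `else if` behind `if (V_fw_verbose) ipfw_log(...)`, so nothing ever reaches ipfw0 while net.inet.ip.fw.verbose is set; if syslog logging and tcpdump are meant to work at the same time, drop the `else`. Two smaller points in the same hunk: the fake mbuf is a `struct m_hdr` on the stack with only `mh_next`, `mh_len` and `mh_data` set, yet it is handed to `BPF_MTAP` as a `struct mbuf *`, so any code on the receiving side that looks at `m_flags`, `m_type` or the packet-header part of the mbuf reads uninitialised or out-of-bounds stack memory ("read-only" in the comment does not cover that); a full `struct mbuf` cleared with `bzero()` is the safe minimum. And the synthesized header `"DDDDDDSSSSSS\x08\x00"` hard-codes ETHERTYPE_IP while the `ntohs`/`htons` swap assumes `ip` points at a `struct ip`, so a non-IPv4 packet that matches a `log` rule is mislabelled in the capture (and has two header words swapped and restored for nothing); either derive the ethertype from the IP version or skip the tap for non-IPv4.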
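Review bot: in the @@ -4830 hunk the return value of `if_alloc()` is never checked before `if_initname(ifn, ...)`, and the interface is attached unconditionally right before `return (error)`, so it is created even when init has already failed; check for NULL and skip the block when `error` is set. Also `14` appears twice here as a literal (`ifn->if_hdrlen = 14;` and `bpfattach(ifn, DLT_EN10MB, 14);`) while the packet-path hunk uses `ETHER_HDR_LEN`; use the macro in all three places.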
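Review bot: in the @@ -4840 hunk `ether_ifdetach(ifn)` and `if_free(ifn)` run without a NULL check, so unloading the module after a failed or skipped attach dereferences NULL; guard the block with `if (ifn != NULL)`. The teardown is also asymmetric with the attach side, which used `if_attach()` plus `bpfattach()` rather than `ether_ifattach()`; pair them properly, either `if_detach()` plus `bpfdetach()` here, or `ether_ifattach()` with a link-level address in `ipfw_init`.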