Date: Tue, 12 Dec 2000 23:23:19 -0800 From: "Crist J. Clark" <cjclark@reflexnet.net> To: cjclark@alum.mit.edu Cc: Jev <jev@ecad.org>, freebsd-ipfw@FreeBSD.ORG, darcy@ok-connect.com Subject: Re: Extended ipfw Logging Message-ID: <20001212232319.I96105@149.211.6.64.reflexcom.com> In-Reply-To: <20001212012641.C96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Tue, Dec 12, 2000 at 01:26:41AM -0800 References: <20001210222316.A19100@149.211.6.64.reflexcom.com> <20001211081137.F9536@ecad.org> <20001212012641.C96105@149.211.6.64.reflexcom.com>
[-- Attachment #1 --]
On Tue, Dec 12, 2000 at 01:26:41AM -0800, Crist J. Clark wrote:
> On Mon, Dec 11, 2000 at 08:11:37AM +0000, Jev wrote:
> >
> > I would find this highly useful, would be great if you could turn it
> > on/off with sysctl :)
>
> Good idea. How's this:
>
> I did not add a new sysctl knob, instead, we still use
> net.inet.ip.fw.verbose, except that,
>
> net.inet.ip.fw.verbose=0 # Logging off
> net.inet.ip.fw.verbose=1 # Regular logging
> net.inet.ip.fw.verbose=2 # Enhanced logging
>
> Obviously, we could utilize more levels... but keep it sane.
>
> I made the code change, but it's getting too late for me to do enough
> testing to feel OK about posting patches. This sound good though?
They look good to me. The sysctl works as advertised above. You still
need to add the IPFIREWALL_EXTRA_VERBOSE option to build in the
functionality. A level of '2' for net.inet.ip.fw.verbose becomes the default
when the option is built in.
I have gotten a number of emails from people who like the idea. If
anyone is actually using it, please let me know. And of course, any
more suggestions are welcome.
--
Crist J. Clark cjclark@alum.mit.edu
[-- Attachment #2 --]
--- ip_fw.c Sun Dec 10 19:13:17 2000
+++ /usr/src/sys/netinet/ip_fw.c Tue Dec 12 01:47:30 2000
@@ -67,7 +67,11 @@
static int fw_debug = 1;
#ifdef IPFIREWALL_VERBOSE
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+static int fw_verbose = 2;
+#else
static int fw_verbose = 1;
+#endif
#else
static int fw_verbose = 0;
#endif
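Review bot: The new level 2 is undocumented where fw_verbose is defined, and every `fw_verbose > 1` test this patch adds sits inside `#ifdef IPFIREWALL_EXTRA_VERBOSE`, so a kernel built without that option silently treats a sysctl setting of 2 as ordinary verbose logging and an operator expecting TCP flags or IP id/ttl in the log gets no hint why they are missing. I would record the contract on the default-value block: `/* 0 = off, 1 = log, 2 = extra fields (TCP flags/seq/ack, IP id/ttl, DF); level 2 is a no-op unless IPFIREWALL_EXTRA_VERBOSE is compiled in */`. The sysctl that presumably exposes fw_verbose is outside this hunk.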
@@ -488,7 +492,7 @@
struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
u_int64_t count;
char *action;
- char action2[32], proto[47], name[18], fragment[17];
+ char action2[32], proto[97], name[18], fragment[17];
int len;
count = f ? f->fw_pcnt : ++counter;
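Review bot: `proto[97]` is sized to the byte for the longest line the patch can produce and nothing records that: if the TCP case opens with `"TCP %s"` like the UDP case does, `TCP a.b.c.d:p a.b.c.d:p` is at most 47 characters, the new ` f=0x.. s=0x........ a=0x........ i=0x.... t=0x..` suffix is 49 more, and the one remaining byte is the NUL, so the next field anyone appends will be silently truncated. A comment would make the budget visible: `char action2[32], proto[97], name[18], fragment[17]; /* proto: 47 (TCP src:port dst:port) + 49 (extra-verbose TCP fields) + NUL */`. This assumes SNPARGS bounds each write by the space left in the array, as its existing uses suggest; its definition and the enclosing function's start are outside this hunk.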
@@ -572,9 +576,20 @@
len += snprintf(SNPARGS(proto, len), " ");
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_dst));
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if ((ip->ip_off & IP_OFFMASK) == 0) {
snprintf(SNPARGS(proto, len), ":%d",
ntohs(tcp->th_dport));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 )
+ snprintf(SNPARGS(proto, len),
+ " f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x",
+ tcp->th_flags,
+ ntohl(tcp->th_seq),
+ ntohl(tcp->th_ack),
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#endif
+ }
break;
case IPPROTO_UDP:
len = snprintf(SNPARGS(proto, 0), "UDP %s",
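Review bot: The extra-verbose TCP fields overwrite the destination port: the unchanged line `snprintf(SNPARGS(proto, len), ":%d", ntohs(tcp->th_dport));` does not advance `len`, so the new snprintf under `fw_verbose > 1` starts at the same offset and writes ` f=0x..` over `:dport`, and at level 2 a TCP log line carries the source port but never the destination port, which is the field most rules key on. The UDP hunk does this correctly with `len += snprintf(SNPARGS(proto, len), ":%d",`; the TCP line needs the same `len +=`. The enclosing function starts and ends outside this hunk.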
@@ -586,9 +601,17 @@
len += snprintf(SNPARGS(proto, len), " ");
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_dst));
- if ((ip->ip_off & IP_OFFMASK) == 0)
- snprintf(SNPARGS(proto, len), ":%d",
+ if ((ip->ip_off & IP_OFFMASK) == 0) {
+ len += snprintf(SNPARGS(proto, len), ":%d",
ntohs(udp->uh_dport));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 )
+ snprintf(SNPARGS(proto, len),
+ " i=0x%04x t=0x%02x",
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#endif
+ }
break;
case IPPROTO_ICMP:
if ((ip->ip_off & IP_OFFMASK) == 0)
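Review bot: The added condition is spelled `if ( fw_verbose > 1 )` with spaces inside the parentheses, unlike the adjacent `if ((ip->ip_off & IP_OFFMASK) == 0)` and the rest of the surrounding code, and the same spelling recurs in the TCP, ICMP and default cases. I would write it `if (fw_verbose > 1)` everywhere it appears. The UDP case itself is right to advance `len` past the port before appending the extra fields.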
@@ -598,20 +621,55 @@
len = snprintf(SNPARGS(proto, 0), "ICMP ");
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_src));
- snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+ len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 )
+ snprintf(SNPARGS(proto, len),
+ " i=0x%04x t=0x%02x",
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#endif
break;
default:
len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
inet_ntoa(ip->ip_src));
- snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+ len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 )
+ snprintf(SNPARGS(proto, len), " i=0x%04x t=0x%02x",
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#endif
break;
}
- if ((ip->ip_off & IP_OFFMASK))
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 ) {
+ if (ip->ip_off & IP_DF)
+ len = snprintf(SNPARGS(fragment, 0), " DF");
+ else {
+ fragment[0] = '\0';
+ len = 0;
+ }
+ if (ip->ip_off & (IP_OFFMASK | IP_MF))
+ len += snprintf(SNPARGS(fragment, len), " Frag=%d",
+ (ip->ip_off & IP_OFFMASK)<<3);
+ if (ip->ip_off & IP_MF)
+ len += snprintf(SNPARGS(fragment, len), "+");
+ } else {
+ if (ip->ip_off & (IP_OFFMASK | IP_MF))
+ snprintf(SNPARGS(fragment, 0), " Fragment = %d",
+ ip->ip_off & IP_OFFMASK);
+ else
+ fragment[0] = '\0';
+ }
+#else
+ if (ip->ip_off & (IP_OFFMASK | IP_MF))
snprintf(SNPARGS(fragment, 0), " Fragment = %d",
ip->ip_off & IP_OFFMASK);
else
fragment[0] = '\0';
+#endif
if (oif)
log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
name, action, proto, oif->if_name, oif->if_unit, fragment);
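Review bot: The two logging levels report the fragment offset in different units with nothing in the output to tell them apart: the level-2 branch prints ` Frag=%d` from `(ip->ip_off & IP_OFFMASK)<<3`, the byte offset, while the level-1 branch and the non-EXTRA_VERBOSE build print ` Fragment = %d` from the raw `ip_off & IP_OFFMASK` value in 8-byte units. Anyone correlating records from hosts at different levels, or reconstructing a fragment train from the log, is off by a factor of eight unless they know which build wrote the line. At minimum the shift deserves a comment, `/* Frag= is the byte offset; "Fragment =" keeps the raw 8-byte-unit value for existing log parsers */`, and the two keywords should stay distinct so the formats remain distinguishable. The enclosing function continues past this hunk.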
[-- Attachment #3 --]
--- options Sun Dec 10 18:25:56 2000
+++ /usr/src/sys/conf/options Sun Dec 10 01:45:19 2000
@@ -245,6 +245,7 @@
PFIL_HOOKS opt_pfil_hooks.h
IPFIREWALL opt_ipfw.h
IPFIREWALL_VERBOSE opt_ipfw.h
+IPFIREWALL_EXTRA_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
IPFIREWALL_FORWARD opt_ipfw.h
