Date: Sun, 10 Dec 2000 22:23:16 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: freebsd-ipfw@freebsd.org
Subject: Extended ipfw Logging
Message-ID: <20001210222316.A19100@149.211.6.64.reflexcom.com>
[-- Attachment #1 --]
I wanted to add a little information to my ipfw logs. Initially, I
just wanted to add TCP flags, but once I made the change, I figured I
might as well go ahead and dump most any field of interest.
The output of the TCP logging looks like,
Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x02 s=0x7d43188c a=0x00000000 i=0x48bc t=0x40 in via ep0 DF
Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x12 s=0xbdcd5fc5 a=0x7d43188d i=0x11b7 t=0x40 out via ep0 DF
Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x10 s=0x7d43188d a=0xbdcd5fc6 i=0x48bd t=0x40 in via ep0 DF
Dec 10 22:07:59 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x18 s=0x7d43188d a=0xbdcd5fc6 i=0x48be t=0x40 in via ep0 DF
Dec 10 22:07:59 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x18 s=0xbdcd5fc6 a=0x7d431893 i=0x11b8 t=0x40 out via ep0 DF
Dec 10 22:08:00 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x10 s=0x7d431893 a=0xbdcd5fcc i=0x48bf t=0x40 in via ep0 DF
Dec 10 22:08:02 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x11 s=0x7d431893 a=0xbdcd5fcc i=0x48c0 t=0x40 in via ep0 DF
Dec 10 22:08:02 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x10 s=0xbdcd5fcc a=0x7d431894 i=0x11b9 t=0x40 out via ep0 DF
Dec 10 22:08:02 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x11 s=0xbdcd5fcc a=0x7d431894 i=0x11ba t=0x40 out via ep0 DF
Dec 10 22:08:02 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x10 s=0x7d431894 a=0xbdcd5fcd i=0x48c1 t=0x40 in via ep0 DF
Where we see TCP flags in 'f=', sequence numbers in 's=',
acknowledgement numbers in 'a=', the IP ID number in 'i=', and the TTL in 't='.
Some UDP and ICMP (a traceroute),
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept UDP 192.168.64.254:51890 192.168.64.20:33435 i=0xcab3 t=0x01 in via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:3.3 192.168.64.20 192.168.64.254 i=0x11e0 t=0xff out via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept UDP 192.168.64.254:51890 192.168.64.20:33436 i=0xcab4 t=0x01 in via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:3.3 192.168.64.20 192.168.64.254 i=0x11e1 t=0xff out via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept UDP 192.168.64.254:51890 192.168.64.20:33437 i=0xcab5 t=0x01 in via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:3.3 192.168.64.20 192.168.64.254 i=0x11e2 t=0xff out via ep0
Where we see some extra IP parameters again. Finally, some
fragmentation logging (an oversized ping and the pong back),
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:8.0 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=0*
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=1480*
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=2960
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:0.0 192.168.64.20 192.168.64.254 i=0x005d t=0xff out via ep0
The patches are attached. In addition to the patches, you need to put,
options IPFIREWALL_EXTRA_VERBOSE
in your kernel config. The patches were diff'ed from CURRENT, but they
work fine on STABLE.
So, uh, is anyone besides me interested in getting a little more
information in ipfw logs? Let me know if you use these or have
suggestions.
If there is anyone interested, I was also considering building a
little daemon that uses divert(4) to do logging and some packet
capturing from userland. Seems like a good way to add arbitrary
logging abilities without having to mess with (and possibly bloat) the
kernel. It would also be a good diagnostic tool, especially with a
packet capture ability. Has anyone found themselves thinking they
would find something like that useful? Let me know. I have not decided
if I am going to do it yet.
--
Crist J. Clark cjclark@alum.mit.edu
[-- Attachment #2 --]
--- ip_fw.c Sun Dec 10 19:13:17 2000
+++ /usr/src/sys/netinet/ip_fw.c Sun Dec 10 19:01:03 2000
@@ -573,8 +573,19 @@
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_dst));
if ((ip->ip_off & IP_OFFMASK) == 0)
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ snprintf(SNPARGS(proto, len),
+ ":%d f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x",
+ ntohs(tcp->th_dport),
+ tcp->th_flags,
+ ntohl(tcp->th_seq),
+ ntohl(tcp->th_ack),
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#else
snprintf(SNPARGS(proto, len), ":%d",
ntohs(tcp->th_dport));
+#endif
break;
case IPPROTO_UDP:
len = snprintf(SNPARGS(proto, 0), "UDP %s",
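Review bot: the extended TCP line roughly doubles the length of what goes into proto[] (worst case "TCP 255.255.255.255:65535 255.255.255.255:65535 f=0xff s=0xffffffff a=0xffffffff i=0xffff t=0xff", just under 100 characters), but this hunk does not touch the declaration of proto[]; because SNPARGS bounds the snprintf to sizeof(proto), an undersized buffer will silently drop the new fields rather than overflow, so the declaration needs to be enlarged in the same patch, or the hunk that does so should be included. Two style points: printing th_flags as a raw hex byte is harder to read in a log than a symbolic rendering (S, SA, PA, FA, as tcpdump does), and TTL in hex ("t=0x40") is unusual where every other tool prints it in decimal; and wrapping the body of the braceless `if ((ip->ip_off & IP_OFFMASK) == 0)` in `#ifdef ... #else ... #endif` only works because exactly one snprintf survives preprocessing, so braces around that body would make the intent obvious.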
@@ -587,8 +598,16 @@
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_dst));
if ((ip->ip_off & IP_OFFMASK) == 0)
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ snprintf(SNPARGS(proto, len),
+ ":%d i=0x%04x t=0x%02x",
+ ntohs(udp->uh_dport),
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#else
snprintf(SNPARGS(proto, len), ":%d",
ntohs(udp->uh_dport));
+#endif
break;
case IPPROTO_ICMP:
if ((ip->ip_off & IP_OFFMASK) == 0)
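Review bot: the new i= and t= fields are inside the `(ip->ip_off & IP_OFFMASK) == 0` branch, so a non-first UDP fragment (and, per the previous hunk, TCP fragment) is logged with neither the port (correct, the transport header is only in the first fragment) nor the IP ID and TTL, which come from the IP header and are exactly what ties a later fragment to its first one. The ICMP and default cases further down print them unconditionally; move i=/t= out of the offset check here and in the TCP hunk so all protocols behave the same. The sizeof(proto) concern raised for the TCP line applies here too, though the UDP line is shorter.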
@@ -598,20 +617,48 @@
len = snprintf(SNPARGS(proto, 0), "ICMP ");
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_src));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ snprintf(SNPARGS(proto, len), " %s i=0x%04x t=0x%02x",
+ inet_ntoa(ip->ip_dst),
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#else
snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#endif
break;
default:
len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
inet_ntoa(ip->ip_src));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ snprintf(SNPARGS(proto, len), " %s i=0x%04x t=0x%02x",
+ inet_ntoa(ip->ip_dst),
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#else
snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#endif
break;
}
- if ((ip->ip_off & IP_OFFMASK))
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if (ip->ip_off & IP_DF)
+ len = snprintf(SNPARGS(fragment, 0), " DF");
+ else {
+ fragment[0] = '\0';
+ len = 0;
+ }
+ if (ip->ip_off & (IP_OFFMASK | IP_MF))
+ len = snprintf(SNPARGS(fragment, len), " Frag=%d",
+ (ip->ip_off & IP_OFFMASK)<<3);
+ if (ip->ip_off & IP_MF)
+ len = snprintf(SNPARGS(fragment, len), "+");
+#else
+ if (ip->ip_off & (IP_OFFMASK | IP_MF))
snprintf(SNPARGS(fragment, 0), " Fragment = %d",
ip->ip_off & IP_OFFMASK);
else
fragment[0] = '\0';
+#endif
if (oif)
log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
name, action, proto, oif->if_name, oif->if_unit, fragment);
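Review bot: the fragment output in this hunk does not match the samples in the mail body: the code emits " Frag=%d" with a trailing "+" for IP_MF, while the samples show "Offset=1480*", so one of the two is stale and whichever format is final should be documented in ipfw(8). The `#else` branch also changes behaviour for kernels without the new option: the test is widened from `(ip->ip_off & IP_OFFMASK)` to `(ip->ip_off & (IP_OFFMASK | IP_MF))`, so the first fragment of a datagram is now logged as "Fragment = 0" for everyone, and that branch prints the offset in 8-byte units while the verbose branch prints bytes (`<< 3`); either keep the old test in the `#else` branch or state the change explicitly, and use the same unit in both. Finally, the verbose fragment string can reach " DF Frag=65528+" (15 characters plus NUL); this hunk does not show sizeof(fragment), so verify the buffer holds that, since SNPARGS will truncate the "+" silently otherwise.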
[-- Attachment #3 --]
--- options Sun Dec 10 18:25:56 2000
+++ /usr/src/sys/conf/options Sun Dec 10 01:45:19 2000
@@ -245,6 +245,7 @@
PFIL_HOOKS opt_pfil_hooks.h
IPFIREWALL opt_ipfw.h
IPFIREWALL_VERBOSE opt_ipfw.h
+IPFIREWALL_EXTRA_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
IPFIREWALL_FORWARD opt_ipfw.h
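Review bot: IPFIREWALL_EXTRA_VERBOSE only has an effect when verbose logging is on (IPFIREWALL_VERBOSE or the net.inet.ip.fw.verbose sysctl), and nothing in this patch says so; the options entry is the only place the name appears outside ip_fw.c. Add the option to LINT next to IPFIREWALL_VERBOSE with a comment stating that dependency, and document the extra fields in the logging section of ipfw(8), otherwise someone who sets only this option will see no change and not know why.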
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001210222316.A19100>
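As an added example, not code from the post or from FreeBSD, here is a small Python parser for the extended log format shown above. It takes sample lines copied from the message (the host `bubbles`, interface `ep0` and addresses are the post's), decodes the hex `f=`/`s=`/`a=`/`i=`/`t=` fields, renders the TCP flags symbolically, and runs two checks a practitioner would want from these fields: that the logged sequence and acknowledgement numbers of a three-way handshake are arithmetically consistent, and that a fragment train keyed by (src, dst, IP ID) is complete. The samples use the post's `Offset=N*` fragment marker while the attached patch prints `Frag=N+`; the parser accepts both. It assumes a one-word action (Accept, Deny) and the single-letter hex fields exactly as the patch prints them.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the post (TCP echo session, traceroute
# probe and reply, oversized ping). Post uses "Offset=N*"; the patch prints "Frag=N+".
SAMPLE_LOG = """\
Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x02 s=0x7d43188c a=0x00000000 i=0x48bc t=0x40 in via ep0 DF
Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:3036 f=0x12 s=0xbdcd5fc5 a=0x7d43188d i=0x11b7 t=0x40 out via ep0 DF
Dec 10 22:07:57 bubbles /boot/kernel/kernel: ipfw: 400 Accept TCP 192.168.64.254:3036 192.168.64.20:7 f=0x10 s=0x7d43188d a=0xbdcd5fc6 i=0x48bd t=0x40 in via ep0 DF
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept UDP 192.168.64.254:51890 192.168.64.20:33435 i=0xcab3 t=0x01 in via ep0
Dec 10 22:08:38 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:3.3 192.168.64.20 192.168.64.254 i=0x11e0 t=0xff out via ep0
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP:8.0 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=0*
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=1480*
Dec 10 18:08:15 bubbles /boot/kernel/kernel: ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0xc47e t=0xff in via ep0 Offset=2960
"""

# th_flags bits (FIN SYN RST PSH ACK URG ECE CWR) rendered as tcpdump-style letters
TCP_FLAG_BITS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                 (0x10, "A"), (0x20, "U"), (0x40, "E"), (0x80, "C")]
FIELD_NAMES = {"f": "flags", "s": "seq", "a": "ack", "i": "ipid", "t": "ttl"}

# Assumption: a one-word action; "Unreach 3"-style actions would need a wider pattern.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
    r"(?P<fields>(?: [a-z]=0x[0-9a-fA-F]+)*) "
    r"(?P<dir>in|out) via (?P<ifname>\S+)(?P<tail>.*)$")
FRAG_RE = re.compile(r"(?:Offset|Frag)=(\d+)([*+]?)")


def parse_line(line):
    """Return a dict for one extended ipfw line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("action", "proto", "src", "dst", "dir", "ifname")}
    rec["rule"] = int(m.group("rule"))
    rec["sport"] = int(m.group("sport")) if m.group("sport") else None
    rec["dport"] = int(m.group("dport")) if m.group("dport") else None
    for key, val in re.findall(r" ([a-z])=(0x[0-9a-fA-F]+)", m.group("fields")):
        rec[FIELD_NAMES.get(key, key)] = int(val, 16)   # f= s= a= i= t= are hex
    if "flags" in rec:
        rec["flag_str"] = "".join(c for b, c in TCP_FLAG_BITS if rec["flags"] & b) or "."
    tail = m.group("tail")
    rec["df"] = " DF" in tail
    fm = FRAG_RE.search(tail)
    rec["frag_offset"] = int(fm.group(1)) if fm else None   # bytes, not 8-byte units
    rec["more_frags"] = bool(fm and fm.group(2))            # trailing "*" or "+"
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def check_handshakes(records):
    """For each SYN, find the first matching SYN-ACK and ACK after it and verify
    the logged arithmetic: SYN-ACK acks SYN.seq+1 and ACK acks SYN-ACK.seq+1."""
    tcp = [r for r in records if r["proto"] == "TCP"]
    results = []
    for i, syn in enumerate(tcp):
        if syn["flag_str"] != "S":
            continue
        client = (syn["src"], syn["sport"])
        server = (syn["dst"], syn["dport"])
        def find(flag_str, frm, to):
            return next((r for r in tcp[i + 1:] if r["flag_str"] == flag_str
                         and (r["src"], r["sport"]) == frm
                         and (r["dst"], r["dport"]) == to), None)
        synack, ack = find("SA", server, client), find("A", client, server)
        ok = (synack is not None and ack is not None
              and synack["ack"] == ((syn["seq"] + 1) & 0xFFFFFFFF)
              and ack["ack"] == ((synack["seq"] + 1) & 0xFFFFFFFF))
        results.append((client, server, ok))
    return results


def fragment_trains(records):
    """Group fragments by (src, dst, IP ID); a train is complete when it starts
    at offset 0 and its highest-offset fragment lacks the more-fragments marker."""
    trains = defaultdict(list)
    for r in records:
        if r["frag_offset"] is not None:
            trains[(r["src"], r["dst"], r["ipid"])].append((r["frag_offset"], r["more_frags"]))
    summary = {}
    for key, frags in trains.items():
        frags.sort()
        complete = frags[0][0] == 0 and not frags[-1][1]
        summary[key] = {"count": len(frags), "complete": complete,
                        "offsets": [off for off, _ in frags]}
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(check_handshakes(recs))
    print(fragment_trains(recs))
```

The handshake check is the practical payoff of logging `s=` and `a=`: a SYN-ACK whose acknowledgement is not SYN.seq+1 is either a forged reply or a log of two unrelated flows, and neither is visible from addresses and ports alone. The fragment check keys on the IP ID, which is why the reviewer notes above ask for `i=` to be printed for non-first TCP and UDP fragments as well.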
