From owner-freebsd-bugs Sat Mar 27 8:10:19 1999 Delivered-To: freebsd-bugs@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 454DC14EBE for ; Sat, 27 Mar 1999 08:10:18 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.2/8.9.2) id IAA98302; Sat, 27 Mar 1999 08:10:00 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: from quack.kfu.com (quack.kfu.com [170.1.70.2]) by hub.freebsd.org (Postfix) with ESMTP id 8B2C214D03 for ; Sat, 27 Mar 1999 08:02:15 -0800 (PST) (envelope-from nsayer@medusa.kfu.com) Received: from medusa.kfu.com (medusa.kfu.com [170.1.70.5]) by quack.kfu.com (8.9.2/8.8.5) with ESMTP id IAA68081 for ; Sat, 27 Mar 1999 08:01:55 -0800 (PST) Received: (from nsayer@localhost) by medusa.kfu.com (8.9.2/8.8.8) id IAA00448; Sat, 27 Mar 1999 08:01:54 -0800 (PST) (envelope-from nsayer) Message-Id: <199903271601.IAA00448@medusa.kfu.com> Date: Sat, 27 Mar 1999 08:01:54 -0800 (PST) 
From: Nick Sayer Reply-To: nsayer@quack.kfu.com To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: kern/10818: ipfw reporting error with bridging Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 10818 >Category: kern >Synopsis: ipfw reporting error with bridging >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Mar 27 08:10:00 PST 1999 >Closed-Date: >Last-Modified: >Originator: Nick Sayer >Release: FreeBSD 3.1-RELEASE i386 >Organization: just me >Environment: 3.1-RELEASE, options BRIDGE & IPFIREWALL, sysctl -w net.link.ether.bridge_ipfw=1 >Description: When you have logging rules applying to bridged packets, the logs would not correctly parse the packet. This is because the IP header on bridged packets (in general) requires ntoh?() operations, while non-bridged packets do not (what a nightmare). >How-To-Repeat: In this example, a telnet packet is directed through the bridge to a machine on the other side: ipfw: 800 Deny TCP 170.1.70.2 170.1.70.3 in via tx0 Fragment = 64 In this example, a telnet packet is directed into the bridge machine: ipfw: 800 Deny TCP 170.1.70.2:2497 170.1.70.5:23 in via tx0 In both cases, the filtering works correctly. It is merely the report that is in error. >Fix:
--- ip_fw.c.orig Sat Mar 27 07:53:27 1999
+++ ip_fw.c Sat Mar 27 07:50:37 1999
@@ -107,7 +107,8 @@
 static int tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f));
 static int icmptype_match __P((struct icmp * icmp, struct ip_fw * f));
 static void ipfw_report __P((struct ip_fw *f, struct ip *ip,
- struct ifnet *rif, struct ifnet *oif));
+ struct ifnet *rif, struct ifnet *oif,
+ char));
 static void flush_rule_ptrs(void);
@@ -289,7 +290,7 @@
 static void
 ipfw_report(struct ip_fw *f, struct ip *ip,
- struct ifnet *rif, struct ifnet *oif)
+ struct ifnet *rif, struct ifnet *oif, char bridge_flag)
 {
 if (ip) {
 static u_int64_t counter;
@@ -355,27 +356,27 @@
 case IPPROTO_TCP:
 printf("TCP ");
 print_ip(ip->ip_src);
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf(":%d ", ntohs(tcp->th_sport));
 else
 printf(" ");
 print_ip(ip->ip_dst);
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf(":%d", ntohs(tcp->th_dport));
 break;
 case IPPROTO_UDP:
 printf("UDP ");
 print_ip(ip->ip_src);
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf(":%d ", ntohs(udp->uh_sport));
 else
 printf(" ");
 print_ip(ip->ip_dst);
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf(":%d", ntohs(udp->uh_dport));
 break;
 case IPPROTO_ICMP:
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf("ICMP:%u.%u ", icmp->icmp_type, icmp->icmp_code);
 else
 printf("ICMP ");
@@ -394,8 +395,8 @@
 printf(" out via %s%d", oif->if_name, oif->if_unit);
 else if (rif)
 printf(" in via %s%d", rif->if_name, rif->if_unit);
- if ((ip->ip_off & IP_OFFMASK))
- printf(" Fragment = %d",ip->ip_off & IP_OFFMASK);
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK))
+ printf(" Fragment = %d",(bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK);
 printf("\n");
 if (fw_verbose_limit != 0 && count == fw_verbose_limit)
 printf("ipfw: limit reached on rule #%d\n",
@@ -558,7 +559,9 @@
 case 1: /* match one type */
 if ( /* ( (f->fw_flg & IP_FW_F_INVSRC) != 0) ^ */
 ( f->fw_uar.fw_pts[0] == ntohs(eh->ether_type) ) ) {
+#if 0
 printf("match!\n");
+#endif
 goto got_match ;
 }
 break ;
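Review bot: The byte-order selection `bridge_flag?ntohs(ip->ip_off):ip->ip_off` is repeated in five conditions of the IPPROTO_TCP/UDP/ICMP hunk and twice more in the `Fragment =` hunk that follows it; compute it once at the top of ipfw_report, right after `if (ip) {` next to `static u_int64_t counter;`, as `u_short ip_off = bridge_flag ? ntohs(ip->ip_off) : ip->ip_off;` and test `(ip_off & IP_OFFMASK)` at every site. That also guarantees the printed `Fragment = %d` value is taken from the same converted field as the test that guards it. The flag would read better as `int bridge_flag` than `char`, and the prototype hunk at the top of the patch should carry the name as well: `struct ifnet *rif, struct ifnet *oif, int bridge_flag));`. Any other IP header field ipfw_report prints outside these hunks presumably needs the same host/network-order treatment, which is worth checking since the rest of ipfw_report's body lies outside the patch.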
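Review bot: Wrapping `printf("match!\n");` in `#if 0`/`#endif` in the ether-type match hunk leaves dead debug code behind; delete the three lines so the branch body is just `goto got_match ;`. If a trace of ether-type matches is still wanted, it should presumably be gated on `fw_verbose` like the ipfw_report calls later in the patch rather than left as an unconditional console print. The enclosing switch starts and ends outside the hunk.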
@@ -705,7 +708,7 @@
 bogusfrag:
 if (fw_verbose)
- ipfw_report(NULL, ip, rif, oif);
+ ipfw_report(NULL, ip, rif, oif, pip==NULL);
 goto dropit;
 }
@@ -720,7 +723,7 @@
 /* Log to console if desired */
 if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose)
- ipfw_report(f, ip, rif, oif);
+ ipfw_report(f, ip, rif, oif, pip==NULL);
 /* Take appropriate action */
 switch (f->fw_flg & IP_FW_F_COMMAND) {
>Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
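Review bot: Both call sites, the `bogusfrag` one and the IP_FW_F_PRN logging one in the second hunk, derive the bridge indicator as the bare expression `pip==NULL`, which encodes a caller convention in two places without stating it; the enclosing function begins before the hunk, so whether a NULL `pip` is exactly the bridged case cannot be confirmed from the patch. Name it once near the top of that function, e.g. `int bridged = (pip == NULL); /* bridge path: IP header still in network byte order, per the PR */`, and pass `bridged` at both sites so the two reports cannot drift apart if the convention changes.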