Date: Wed, 26 Jul 2000 13:10:38 -0500 (CDT)
From: Stephen Montgomery-Smith <stephen@cauchy.math.missouri.edu>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/20198: log setup of dynamic rules for ipfw
Message-ID: <200007261810.NAA35666@cauchy.math.missouri.edu>
>Number: 20198
>Category: kern
>Synopsis: log setup of dynamic rules for ipfw
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 26 11:20:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Stephen Montgomery-Smith
>Release: FreeBSD 4.1-RC i386
>Organization: University of Missouri
>Environment:
Creating rules with ipfw with the keep-state option
>Description:
Suppose I create a rule with ipfw:

ipfw add pass log from xxx to yyy via zzz keep-state

Then every packet processed by this rule will create a log entry. It would be nice to have the possibility to create a rule thus:

ipfw add pass from xxx to yyy via zzz keep-state log

This would have the effect that when this rule is first encountered it creates a log entry, but subsequently, when the rule is encountered in its dynamic state, it is not logged. There is only one log when the dynamic rule is created the first time. Of course, if this rule is encountered by a packet with a different ip/port combination, then another dynamic rule is created, and so is a new log entry.

The above syntax is my suggestion, but maybe you guys would prefer something else. If you like this, and it is adopted, then I will write a diff for the man file also.
>How-To-Repeat:
>Fix:
Here is my patch. I use another of the struct ip_fw.fw_flg bits, which seem to be in rather short supply - now only 6 bits left. The small addition I made to ipfw.c to parse for the log option works, but maybe I didn't do it in the spirit of the rest of the code.

diff -ru /sys/netinet/ip_fw.c sys/netinet/ip_fw.c
--- /sys/netinet/ip_fw.c Sat Jul 15 19:25:45 2000
+++ sys/netinet/ip_fw.c Wed Jul 26 12:21:45 2000
@@ -1215,8 +1215,16 @@ f->timestamp = time_second; /* Log to console if desired */ +#if STATEFUL + if (((f->fw_flg & IP_FW_F_PRN) || + ((f->fw_flg & IP_FW_F_PRN_S) && q == NULL)) && fw_verbose) { + ipfw_report(f, ip, rif, oif); + } + +#else if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose) ipfw_report(f, ip, rif, oif); +#endif /* Take appropriate action */ switch (f->fw_flg & IP_FW_F_COMMAND) { diff -ru /sys/netinet/ip_fw.h sys/netinet/ip_fw.h --- /sys/netinet/ip_fw.h Sat Jul 15 19:25:45 2000 +++ sys/netinet/ip_fw.h Tue Jul 25 23:12:33 2000 @@ -204,8 +204,9 @@ #define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */ #define IP_FW_F_KEEP_S 0x08000000 /* keep state */ #define IP_FW_F_CHECK_S 0x10000000 /* check state */ +#define IP_FW_F_PRN_S 0x20000000 /* Print if this state created */ -#define IP_FW_F_MASK 0x1FFFFFFF /* All possible flag bits mask */ +#define IP_FW_F_MASK 0x3FFFFFFF /* All possible flag bits mask */ /* * For backwards compatibility with rules specifying "via iface" but diff -ru /usr/src/sbin/ipfw/ipfw.c sbin/ipfw/ipfw.c --- /usr/src/sbin/ipfw/ipfw.c Sat Jul 15 19:25:50 2000 +++ sbin/ipfw/ipfw.c Wed Jul 26 12:48:45 2000 @@ -385,6 +385,9 @@ else printf(" keep-state"); } + if (chain->fw_flg & IP_FW_F_PRN_S) { + printf(" log"); + } /* Direction */ if (chain->fw_flg & IP_FW_BRIDGED) printf(" bridged"); @@ -1759,6 +1762,10 @@ av++; ac--; } continue; + } + if ((rule.fw_flg & IP_FW_F_KEEP_S) && !strncmp(*av,"log",strlen(*av))) { + rule.fw_flg |= IP_FW_F_PRN_S; + av++; ac--; continue; } if (!strncmp(*av,"bridged",strlen(*av))) { rule.fw_flg |= IP_FW_BRIDGED; >Release-Note: >Audit-Trail: >Unformatted: Stephen Montgomery-Smith To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
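Review bot: in the ip_fw.c hunk, the `q == NULL` test is the whole mechanism that makes IP_FW_F_PRN_S fire once per created state instead of once per packet, and it only works if `q` is NULL for every packet that reaches this point through the static rule and non-NULL for every packet that got here via the dynamic lookup; the hunk does not show where `q` is assigned, so please confirm it is reset before each evaluation, because a stale non-NULL `q` would silently suppress the state-creation log entry. Separately, the `#if STATEFUL` branch repeats the `IP_FW_F_PRN` test that the `#else` branch already performs; a smaller change keeps the existing `if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose) ipfw_report(f, ip, rif, oif);` unconditional and adds only the PRN_S clause under `#if STATEFUL`. The blank `+` line before `#else` and the braces around a single `ipfw_report()` call also differ from the surrounding style.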
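Review bot: widening IP_FW_F_MASK from 0x1FFFFFFF to 0x3FFFFFFF in ip_fw.h is what lets the kernel accept the new bit from userland, so the compatibility consequence should be stated in the PR: an ipfw(8) built with this parser talking to an older kernel will have any rule carrying IP_FW_F_PRN_S rejected at the socket option rather than installed as a per-packet `log` rule, which is the safer failure but will surprise users. Nothing on the kernel side ties IP_FW_F_PRN_S to IP_FW_F_KEEP_S; only the userland parser enforces that pairing, so a rule with PRN_S and no keep-state would reach ip_fw_chk and, under the `q == NULL` condition, log every packet exactly like plain `log`. Consider rejecting PRN_S without KEEP_S wherever rule flags are validated. The comment `/* Print if this state created */` would read more clearly as `/* Log once, when this rule creates a dynamic state */`.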
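Review bot: in the first ipfw.c hunk (around line 385), ` log` is printed directly after ` keep-state`, which is the position the parser requires, so `ipfw show` output round-trips; but a rule that has both IP_FW_F_PRN and IP_FW_F_PRN_S set will list the word `log` twice in different positions with different meanings, and nothing in the listing tells the reader which one is the per-state variant. A distinct keyword, or at least coverage in the man page diff promised in the Description, would remove that ambiguity. The `{ }` around the single `printf(" log");` also differs from the adjacent `if (chain->fw_flg & IP_FW_BRIDGED) printf(" bridged");`.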
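Review bot: in the second ipfw.c hunk (around line 1759), the test `(rule.fw_flg & IP_FW_F_KEEP_S) && !strncmp(*av,"log",strlen(*av))` only requires that keep-state appeared earlier in the rule, not that `log` immediately follows it, so `log` is accepted anywhere among the trailing options after keep-state; that matches how the loop treats `bridged` but is looser than the syntax proposed in the Description, and the man page text should say which it is. Using `strlen(*av)` as the `strncmp` length is the file's usual abbreviation idiom, which means a lone `l` also selects this option; please check that an abbreviated `log` cannot collide with any other option beginning with `l` that this loop accepts after keep-state.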