From owner-freebsd-bugs Wed Jul 26 11:20:09 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 101E937BF2C for ; Wed, 26 Jul 2000 11:20:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id LAA56923; Wed, 26 Jul 2000 11:20:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from cauchy.math.missouri.edu (cauchy.math.missouri.edu [128.206.49.166]) by hub.freebsd.org (Postfix) with ESMTP id 79C4B37BF0D for ; Wed, 26 Jul 2000 11:10:38 -0700 (PDT) (envelope-from stephen@cauchy.math.missouri.edu)
Received: (from stephen@localhost) by cauchy.math.missouri.edu (8.9.3/8.9.1) id NAA35666; Wed, 26 Jul 2000 13:10:38 -0500 (CDT)
Message-Id: <200007261810.NAA35666@cauchy.math.missouri.edu>
Date: Wed, 26 Jul 2000 13:10:38 -0500 (CDT)
From: Stephen Montgomery-Smith
Reply-To: stephen@math.missouri.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/20198: log setup of dynamic rules for ipfw
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         20198
>Category:       kern
>Synopsis:       log setup of dynamic rules for ipfw
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 11:20:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Stephen Montgomery-Smith
>Release:        FreeBSD 4.1-RC i386
>Organization:
University of Missouri
>Environment:
Creating rules with ipfw with the keep-state option
>Description:
Suppose I create a rule with ipfw:

	ipfw add pass log from xxx to yyy via zzz keep-state

Then every packet processed by this rule will create a log entry.  It would be nice to have the possibility to create a rule thus:

	ipfw add pass from xxx to yyy via zzz keep-state log

This would have the effect that when this rule is first encountered it creates a log entry, but subsequently, when the rule is encountered in its dynamic state, it is not logged.  There is only one log when the dynamic rule is created the first time.  Of course, if this rule is encountered by a packet with a different ip/port combination, then another dynamic rule is created, and so is a new log entry.

The above syntax is my suggestion, but maybe you guys would prefer something else.  If you like this, and it is adopted, then I will write a diff for the man file also.
>How-To-Repeat:
>Fix:
Here is my patch.  I use another of the bits of struct ip_fw.fw_flg, which seem to be in rather short supply - now only 6 bits left.  The small addition I made to ipfw.c to parse for the log option works, but maybe I didn't do it in the spirit of the rest of the code.
diff -ru /sys/netinet/ip_fw.c sys/netinet/ip_fw.c --- /sys/netinet/ip_fw.c Sat Jul 15 19:25:45 2000 +++ sys/netinet/ip_fw.c Wed Jul 26 12:21:45 2000 @@ -1215,8 +1215,16 @@ f->timestamp = time_second; /* Log to console if desired */ +#if STATEFUL + if (((f->fw_flg & IP_FW_F_PRN) || + ((f->fw_flg & IP_FW_F_PRN_S) && q == NULL)) && fw_verbose) { + ipfw_report(f, ip, rif, oif); + } + +#else if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose) ipfw_report(f, ip, rif, oif); +#endif /* Take appropriate action */ switch (f->fw_flg & IP_FW_F_COMMAND) { diff -ru /sys/netinet/ip_fw.h sys/netinet/ip_fw.h --- /sys/netinet/ip_fw.h Sat Jul 15 19:25:45 2000 +++ sys/netinet/ip_fw.h Tue Jul 25 23:12:33 2000 @@ -204,8 +204,9 @@ #define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */ #define IP_FW_F_KEEP_S 0x08000000 /* keep state */ #define IP_FW_F_CHECK_S 0x10000000 /* check state */ +#define IP_FW_F_PRN_S 0x20000000 /* Print if this state created */ -#define IP_FW_F_MASK 0x1FFFFFFF /* All possible flag bits mask */ +#define IP_FW_F_MASK 0x3FFFFFFF /* All possible flag bits mask */ /* * For backwards compatibility with rules specifying "via iface" but diff -ru /usr/src/sbin/ipfw/ipfw.c sbin/ipfw/ipfw.c --- /usr/src/sbin/ipfw/ipfw.c Sat Jul 15 19:25:50 2000 +++ sbin/ipfw/ipfw.c Wed Jul 26 12:48:45 2000 @@ -385,6 +385,9 @@ else printf(" keep-state"); } + if (chain->fw_flg & IP_FW_F_PRN_S) { + printf(" log"); + } /* Direction */ if (chain->fw_flg & IP_FW_BRIDGED) printf(" bridged"); @@ -1759,6 +1762,10 @@ av++; ac--; } continue; + } + if ((rule.fw_flg & IP_FW_F_KEEP_S) && !strncmp(*av,"log",strlen(*av))) { + rule.fw_flg |= IP_FW_F_PRN_S; + av++; ac--; continue; } if (!strncmp(*av,"bridged",strlen(*av))) { rule.fw_flg |= IP_FW_BRIDGED; >Release-Note: >Audit-Trail: >Unformatted: Stephen Montgomery-Smith To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
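Review bot: In the ip_fw.c hunk the new `q == NULL` test carries the whole meaning of "this packet matched the static rule rather than an already installed dynamic entry", but nothing in the hunk records that invariant; a one-line comment beside the test (q is NULL only when no dynamic rule matched, so state is about to be created) would keep a later edit from silently breaking it. The kernel side also never checks IP_FW_F_KEEP_S before honouring IP_FW_F_PRN_S; only the sbin/ipfw parser enforces the pairing, so a rule that reaches the kernel with the bit set and keep-state clear would log every matching packet. Adding `(f->fw_flg & IP_FW_F_KEEP_S)` to the new condition makes the kernel self-consistent. The empty `+` line before `#else` is a style nit.

Review bot: In the ip_fw.h hunk the bump of IP_FW_F_MASK from 0x1FFFFFFF to 0x3FFFFFFF is what lets a rule carrying the new bit be accepted at all, so it deserves a sentence in the commit message; the comment on IP_FW_F_PRN_S reads awkwardly ("Print if this state created") and breaks the lowercase style of the neighbouring "keep state" and "check state" comments, suggest "log when dynamic state is created". Because the same header is compiled into both the kernel and sbin/ipfw, the two must be rebuilt together; an ipfw binary built against the old header will list such rules without the trailing "log".

Review bot: In the first sbin/ipfw/ipfw.c hunk, `" log"` is printed after the block that prints `" keep-state"` has closed, not inside it, so a chain with IP_FW_F_PRN_S but without IP_FW_F_KEEP_S would be listed with a token the parser cannot read back, since the parser only accepts it once keep-state has been seen. Moving the three added lines inside the keep-state `if` ties the listing to the parser's precondition. Reusing the word `log` for a second flag also makes `ipfw list` output position-dependent; a distinct keyword would avoid that, and in either case the manual page should state that the token must follow keep-state.

Review bot: In the second sbin/ipfw/ipfw.c hunk the new branch is only entered when IP_FW_F_KEEP_S is already set, so `log` written before `keep-state` falls through to the remaining option parsers instead of producing a clear error; if that ordering is intentional, reject the misplaced token explicitly with a message. `strncmp(*av,"log",strlen(*av))` accepts any prefix down to a single `l`, which matches the existing `bridged` line, but a one-letter abbreviation that changes what a firewall rule logs is easy to type by accident, so comparing the full token would be safer here. The `av++; ac--;` is not preceded by an `ac` check, presumably because the enclosing loop guards it as it does for the bridged case; worth confirming.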