Date: Tue, 12 Dec 2000 23:59:17 -0800 From: "Crist J. Clark" <cjclark@reflexnet.net> To: cjclark@alum.mit.edu Cc: Jev <jev@ecad.org>, freebsd-ipfw@FreeBSD.ORG, darcy@ok-connect.com Subject: Re: Extended ipfw Logging Message-ID: <20001212235917.J96105@149.211.6.64.reflexcom.com> In-Reply-To: <20001212232319.I96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Tue, Dec 12, 2000 at 11:23:19PM -0800 References: <20001210222316.A19100@149.211.6.64.reflexcom.com> <20001211081137.F9536@ecad.org> <20001212012641.C96105@149.211.6.64.reflexcom.com> <20001212232319.I96105@149.211.6.64.reflexcom.com>
[-- Attachment #1 --]
On Tue, Dec 12, 2000 at 11:23:19PM -0800, Crist J. Clark wrote:
[snip]
> They look good to me. The sysctl works as advertised above. You still
> need to add the IPFIREWALL_EXTRA_VERBOSE option to build in the
> functionality. A level of '2' for net.inet.ip.fw becomes the default
> when the option is built in.
Grrr... That ip_fw.patch was not the latest one in the version I was
testing. There is a small bug. Here is the correct one.
--
Crist J. Clark cjclark@alum.mit.edu
[-- Attachment #2 --]
--- ip_fw.c Sun Dec 10 19:13:17 2000
+++ /usr/src/sys/netinet/ip_fw.c Tue Dec 12 23:55:04 2000
@@ -67,7 +67,11 @@
static int fw_debug = 1;
#ifdef IPFIREWALL_VERBOSE
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+static int fw_verbose = 2;
+#else
static int fw_verbose = 1;
+#endif
#else
static int fw_verbose = 0;
#endif
@@ -488,7 +492,7 @@
struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
u_int64_t count;
char *action;
- char action2[32], proto[47], name[18], fragment[17];
+ char action2[32], proto[97], name[18], fragment[17];
int len;
count = f ? f->fw_pcnt : ++counter;
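Review bot: The new `proto[97]` is sized to the byte and nothing records why: `TCP 255.255.255.255:65535 255.255.255.255:65535` is 47 characters and the extra-verbose suffix ` f=0x.. s=0x........ a=0x........ i=0x.... t=0x..` adds 49, leaving exactly one byte for the terminator, so any field added later silently truncates. A comment beside the declaration, `/* 47 for "TCP a.b.c.d:p a.b.c.d:p" + 49 for the IPFIREWALL_EXTRA_VERBOSE suffix + NUL */`, would keep the next edit honest. Truncation stays bounded rather than overflowing only because SNPARGS presumably clamps the remaining size to zero once `len` reaches `sizeof(buf)`; the declaring function starts outside the hunk.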
@@ -572,9 +576,20 @@
len += snprintf(SNPARGS(proto, len), " ");
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_dst));
- if ((ip->ip_off & IP_OFFMASK) == 0)
- snprintf(SNPARGS(proto, len), ":%d",
+ if ((ip->ip_off & IP_OFFMASK) == 0) {
+ len += snprintf(SNPARGS(proto, len), ":%d",
ntohs(tcp->th_dport));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 )
+ snprintf(SNPARGS(proto, len),
+ " f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x",
+ tcp->th_flags,
+ ntohl(tcp->th_seq),
+ ntohl(tcp->th_ack),
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#endif
+ }
break;
case IPPROTO_UDP:
len = snprintf(SNPARGS(proto, 0), "UDP %s",
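Review bot: The id/ttl append sits inside the `(ip->ip_off & IP_OFFMASK) == 0` block, so a TCP or UDP non-first fragment is logged without the `i=` value that correlates it with its first fragment, while the ICMP and default cases in the last hunk append it for every packet as written; the same placement recurs in the UDP hunk. Since all four cases end with the identical `" i=0x%04x t=0x%02x"` append, it can be emitted once after the switch, with the TCP case accumulating `len +=` for its flags/seq/ack suffix so the common append lands after it. The output order for first fragments is unchanged, and the ICMP and default cases already keep `len +=` on their destination line, which gives the post-switch append its cursor. The enclosing switch starts before this hunk and closes in the last hunk. The `s=`/`a=` values are the live sequence and acknowledgement numbers of the connection, so the security log these lines reach should stay readable by root only.
```c
			if ((ip->ip_off & IP_OFFMASK) == 0) {
				len += snprintf(SNPARGS(proto, len), ":%d",
				    ntohs(tcp->th_dport));
#ifdef IPFIREWALL_EXTRA_VERBOSE
				if (fw_verbose > 1)
					len += snprintf(SNPARGS(proto, len),
					    " f=0x%02x s=0x%08x a=0x%08x",
					    tcp->th_flags,
					    ntohl(tcp->th_seq),
					    ntohl(tcp->th_ack));
#endif
			}
			break;
		/* … unchanged: UDP, ICMP and default cases, each without its own id/ttl append … */
		}
#ifdef IPFIREWALL_EXTRA_VERBOSE
		/* Common to every protocol, including non-first fragments. */
		if (fw_verbose > 1)
			snprintf(SNPARGS(proto, len), " i=0x%04x t=0x%02x",
			    ntohs(ip->ip_id), ip->ip_ttl);
#endif
```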
@@ -586,9 +601,17 @@
len += snprintf(SNPARGS(proto, len), " ");
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_dst));
- if ((ip->ip_off & IP_OFFMASK) == 0)
- snprintf(SNPARGS(proto, len), ":%d",
+ if ((ip->ip_off & IP_OFFMASK) == 0) {
+ len += snprintf(SNPARGS(proto, len), ":%d",
ntohs(udp->uh_dport));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 )
+ snprintf(SNPARGS(proto, len),
+ " i=0x%04x t=0x%02x",
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#endif
+ }
break;
case IPPROTO_ICMP:
if ((ip->ip_off & IP_OFFMASK) == 0)
@@ -598,20 +621,55 @@
len = snprintf(SNPARGS(proto, 0), "ICMP ");
len += snprintf(SNPARGS(proto, len), "%s",
inet_ntoa(ip->ip_src));
- snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+ len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 )
+ snprintf(SNPARGS(proto, len),
+ " i=0x%04x t=0x%02x",
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#endif
break;
default:
len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
inet_ntoa(ip->ip_src));
- snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+ len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 )
+ snprintf(SNPARGS(proto, len), " i=0x%04x t=0x%02x",
+ ntohs(ip->ip_id),
+ ip->ip_ttl);
+#endif
break;
}
- if ((ip->ip_off & IP_OFFMASK))
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+ if ( fw_verbose > 1 ) {
+ if (ip->ip_off & IP_DF)
+ len = snprintf(SNPARGS(fragment, 0), " DF");
+ else {
+ fragment[0] = '\0';
+ len = 0;
+ }
+ if (ip->ip_off & (IP_OFFMASK | IP_MF))
+ len += snprintf(SNPARGS(fragment, len), " Frag=%d",
+ (ip->ip_off & IP_OFFMASK)<<3);
+ if (ip->ip_off & IP_MF)
+ len += snprintf(SNPARGS(fragment, len), "+");
+ } else {
+ if (ip->ip_off & (IP_OFFMASK | IP_MF))
+ snprintf(SNPARGS(fragment, 0), " Fragment = %d",
+ ip->ip_off & IP_OFFMASK);
+ else
+ fragment[0] = '\0';
+ }
+#else
+ if (ip->ip_off & (IP_OFFMASK | IP_MF))
snprintf(SNPARGS(fragment, 0), " Fragment = %d",
ip->ip_off & IP_OFFMASK);
else
fragment[0] = '\0';
+#endif
if (oif)
log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
name, action, proto, oif->if_name, oif->if_unit, fragment);
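Review bot: `(ip->ip_off & IP_OFFMASK)<<3` reports the fragment offset in bytes, while the `else` branch a few lines below and the `#else` copy print the raw 8-byte-unit value under a different label, and nothing says so; add `/* ip_off holds the offset in 8-byte units; report it in bytes */` above the `Frag=` line. The `else` branch inside `#ifdef IPFIREWALL_EXTRA_VERBOSE` is a verbatim copy of the `#else` code; wrapping only `if (fw_verbose > 1) { ... } else` in the conditional and leaving the original `Fragment =` code once after `#endif` removes the duplicate. `if ( fw_verbose > 1 )` departs from the surrounding spacing (`if (fw_verbose > 1)`) here and in the TCP and UDP hunks. The enclosing function continues past the hunk.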
