Date: Tue, 12 Dec 2000 23:59:17 -0800
From: "Crist J. Clark"
To: cjclark@alum.mit.edu
Cc: Jev, freebsd-ipfw@FreeBSD.ORG, darcy@ok-connect.com
Subject: Re: Extended ipfw Logging
Message-ID: <20001212235917.J96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001210222316.A19100@149.211.6.64.reflexcom.com> <20001211081137.F9536@ecad.org> <20001212012641.C96105@149.211.6.64.reflexcom.com> <20001212232319.I96105@149.211.6.64.reflexcom.com>
In-Reply-To: <20001212232319.I96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Tue, Dec 12, 2000 at 11:23:19PM -0800

On Tue, Dec 12, 2000 at 11:23:19PM -0800, Crist J. Clark wrote:
[snip]
> They look good to me. The sysctl works as advertised above. You still
> need to add the IPFIREWALL_EXTRA_VERBOSE option to build in the
> functionality. A level of '2' for net.inet.ip.fw becomes the default
> when the option is built in.

Grrr... That ip_fw.patch was not the latest one in the version I was testing. There is a small bug. Here is the correct one.

--
Crist J. Clark
cjclark@alum.mit.edu

Content-Disposition: attachment; filename="ip_fw.patch"

--- ip_fw.c Sun Dec 10 19:13:17 2000 +++ /usr/src/sys/netinet/ip_fw.c Tue Dec 12 23:55:04 2000 @@ -67,7 +67,11 @@ static int fw_debug = 1; #ifdef IPFIREWALL_VERBOSE +#ifdef IPFIREWALL_EXTRA_VERBOSE +static int fw_verbose = 2; +#else static int fw_verbose = 1; +#endif #else static int fw_verbose = 0; #endif
@@ -488,7 +492,7 @@ struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl); u_int64_t count; char *action; - char action2[32], proto[47], name[18], fragment[17]; + char action2[32], proto[97], name[18], fragment[17]; int len; count = f ? f->fw_pcnt : ++counter; @@ -572,9 +576,20 @@ len += snprintf(SNPARGS(proto, len), " "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_dst)); - if ((ip->ip_off & IP_OFFMASK) == 0) - snprintf(SNPARGS(proto, len), ":%d", + if ((ip->ip_off & IP_OFFMASK) == 0) { + len += snprintf(SNPARGS(proto, len), ":%d", ntohs(tcp->th_dport)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x", + tcp->th_flags, + ntohl(tcp->th_seq), + ntohl(tcp->th_ack), + ntohs(ip->ip_id), + ip->ip_ttl); +#endif + } break; case IPPROTO_UDP: len = snprintf(SNPARGS(proto, 0), "UDP %s", @@ -586,9 +601,17 @@ len += snprintf(SNPARGS(proto, len), " "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_dst)); - if ((ip->ip_off & IP_OFFMASK) == 0) - snprintf(SNPARGS(proto, len), ":%d", + if ((ip->ip_off & IP_OFFMASK) == 0) { + len += snprintf(SNPARGS(proto, len), ":%d", ntohs(udp->uh_dport)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif + } break; case IPPROTO_ICMP: if ((ip->ip_off & IP_OFFMASK) == 0) 
@@ -598,20 +621,55 @@ len = snprintf(SNPARGS(proto, 0), "ICMP "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_src)); - snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); + len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), + " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif break; default: len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p, inet_ntoa(ip->ip_src)); - snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); + len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + snprintf(SNPARGS(proto, len), " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); +#endif break; } - if ((ip->ip_off & IP_OFFMASK)) +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) { + if (ip->ip_off & IP_DF) + len = snprintf(SNPARGS(fragment, 0), " DF"); + else { + fragment[0] = '\0'; + len = 0; + } + if (ip->ip_off & (IP_OFFMASK | IP_MF)) + len += snprintf(SNPARGS(fragment, len), " Frag=%d", + (ip->ip_off & IP_OFFMASK)<<3); + if (ip->ip_off & IP_MF) + len += snprintf(SNPARGS(fragment, len), "+"); + } else { + if (ip->ip_off & (IP_OFFMASK | IP_MF)) + snprintf(SNPARGS(fragment, 0), " Fragment = %d", + ip->ip_off & IP_OFFMASK); + else + fragment[0] = '\0'; + } +#else + if (ip->ip_off & (IP_OFFMASK | IP_MF)) snprintf(SNPARGS(fragment, 0), " Fragment = %d", ip->ip_off & IP_OFFMASK); else fragment[0] = '\0'; +#endif if (oif) log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n", name, action, proto, oif->if_name, oif->if_unit, fragment);
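Review bot: in the first hunk (@@ -67,7 +67,11 @@) the new default of 2 only takes effect when IPFIREWALL_VERBOSE is also defined, because the IPFIREWALL_EXTRA_VERBOSE test is nested inside that block; a kernel built with IPFIREWALL_EXTRA_VERBOSE alone still starts with fw_verbose = 0 and logs nothing until the sysctl is raised by hand. Either document that the option depends on IPFIREWALL_VERBOSE, or widen the outer test to `#if defined(IPFIREWALL_VERBOSE) || defined(IPFIREWALL_EXTRA_VERBOSE)` so the extra option is sufficient on its own.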
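Review bot: in the second hunk (@@ -488,7 +492,7 @@) proto[97] is exactly the worst case for the TCP line and leaves no slack: 47 characters for `TCP 255.255.255.255:65535 255.255.255.255:65535`, 49 for the new ` f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x` suffix (25 of fixed text plus 2+8+8+4+2 hex digits, assuming each field stays within its printed width) and one for the terminator. A comment next to the declaration recording that arithmetic would keep the next added field from being silently truncated by snprintf rather than caught at review time.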
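Review bot: in the TCP hunk (@@ -572,9 +576,20 @@) the i= and t= fields come from the IP header, yet they are emitted inside the `if ((ip->ip_off & IP_OFFMASK) == 0)` block, so a non-first TCP fragment logs neither the ports nor the IP id that would let an operator match it to the first fragment of the same datagram. Only the TCP-header fields (f=, s=, a=) need the offset-zero guard; print ` i=0x%04x t=0x%02x` after the closing brace of the guard instead, as the ICMP and default cases in the last hunk already do. Minor style point: `if ( fw_verbose > 1 )` carries spaces inside the parentheses that the surrounding code does not use.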
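Review bot: the UDP hunk (@@ -586,9 +601,17 @@) has the same placement problem as the TCP case: the ` i=0x%04x t=0x%02x` snprintf sits inside the `(ip->ip_off & IP_OFFMASK) == 0` guard although neither value is taken from the UDP header, so fragments after the first lose the one field that identifies the datagram they belong to; move that snprintf after the closing brace of the guard so it runs for every fragment.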
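Review bot: the last hunk (@@ -598,20 +621,55 @@) changes behaviour for kernels built without IPFIREWALL_EXTRA_VERBOSE, since the `#else` branch replaces `if ((ip->ip_off & IP_OFFMASK))` with `if (ip->ip_off & (IP_OFFMASK | IP_MF))`: a first fragment (offset 0, MF set) now logs ` Fragment = 0` where it previously logged nothing. That looks like a deliberate fix, but it is outside the new option and should be stated in the commit message. Two smaller points: the extra-verbose format prints the offset in bytes (`(ip->ip_off & IP_OFFMASK)<<3`) while the non-verbose format keeps the raw 8-byte units, so the two formats report different numbers for the same packet and anything parsing both must know which is in use; and the non-verbose block is now duplicated in the `else` and the `#else`, so hoisting it out of the `#ifdef` and leaving only the `fw_verbose > 1` path under the option would remove the copy.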