Date: Fri, 16 Nov 2001 19:39:56 +0200
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>, audit@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
Message-ID: <20011116193956.A46779@sunbay.com>
In-Reply-To: <71993.1005931087@axl.seasidesoftware.co.za>
References: <17182.1005930626@critter.freebsd.dk> <71993.1005931087@axl.seasidesoftware.co.za>
On Fri, Nov 16, 2001 at 07:18:07PM +0200, Sheldon Hearn wrote:
>
>
> On Fri, 16 Nov 2001 18:10:26 +0100, Poul-Henning Kamp wrote:
>
> > The compromise Ruslan and I ended up with when we discussed this in Brighton
> > was that the print would be disabled unless enabled specifically and that
> > the verbose option should also enable it, and that yes, adding useful
> > info to it makes sense.
>
> I guess one argument in favour of this is the default brevity of the
> IPFW code itself, where the "log" keyword does nothing until special
> action is taken.
>
> Okay, so Ruslan, are you happy with using getnameinfo() to add
> additional detail? The only drawback I can think of is that it will
> defeat syslog(3) message coalescing (message repeated X times).
>
> However, given the default behaviour that Poul-Henning describes, I
> don't think it makes too much sense to worry about that.
>
Funny thing is that I was just working on this. :-)
The below patch implements what we were discussing with Poul-Henning,
i.e., have the -log_ipfw_denied option enabled by default in -verbose
mode, when it really makes any sense.
Index: natd.8
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.8,v
retrieving revision 1.48
diff -u -p -r1.48 natd.8
--- natd.8 2001/10/31 16:08:49 1.48
+++ natd.8 2001/11/16 17:39:57
@@ -463,7 +463,11 @@ rules starting from the rule number
will be used for punching firewall holes.
The range will be cleared for all rules on startup.
.It Fl log_ipfw_denied
-Log when a packet can't be re-injected because a ipfw rule deny it.
+Log when a packet can not be re-injected because an
+.Xr ipfw 8
+rule blocks it.
+This is the default with
+.Fl verbose .
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
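Review bot: the new manual text says the option is the default with .Fl verbose but gives the reader no way to turn it back off; since the matching ParseOption change in natd.c now reads a yes/no value for this option (`logIpfwDenied = yesNoValue`), the page should say that an explicit `-log_ipfw_denied no` overrides the -verbose default. Minor: "can not be re-injected" reads better as "cannot be re-injected".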
Index: natd.c
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.36
diff -u -p -r1.36 natd.c
--- natd.c 2001/10/31 16:08:49 1.36
+++ natd.c 2001/11/16 17:40:02
@@ -126,7 +126,7 @@ static int packetDirection;
static int dropIgnoredIncoming;
static int logDropped;
static int logFacility;
-static int log_ipfw_denied;
+static int logIpfwDenied;
int main (int argc, char** argv)
{
@@ -161,7 +161,7 @@ int main (int argc, char** argv)
dynamicMode = 0;
logDropped = 0;
logFacility = LOG_DAEMON;
- log_ipfw_denied = 0;
+ logIpfwDenied = -1;
/*
* Mark packet buffer empty.
*/
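Review bot: initializing `logIpfwDenied = -1;` as an "not set on the command line" sentinel is fine, but every other flag in this block is initialized to 0, so the odd value will look like a typo to the next reader; a short comment here (or at the declaration) stating that -1 means "unset, resolve after ParseArgs" would avoid that.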
@@ -170,6 +170,11 @@ int main (int argc, char** argv)
ParseArgs (argc, argv);
/*
+ * Log ipfw(8) denied packets by default in verbose mode.
+ */
+ if (logIpfwDenied == -1)
+ logIpfwDenied = verbose;
+/*
* Open syslog channel.
*/
openlog ("natd", LOG_CONS | LOG_PID | (verbose ? LOG_PERROR : 0),
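Review bot: the comment above `if (logIpfwDenied == -1)` should also state that an explicit command-line setting takes precedence over the -verbose default, which is the property this placement after ParseArgs relies on; as written, "Log ipfw(8) denied packets by default in verbose mode" does not tell a reader why the sentinel test is needed at all.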
@@ -616,7 +621,7 @@ static void FlushPacketBuffer (int fd)
(struct ip*) packetBuf,
ifMTU - aliasOverhead);
}
- else if (errno == EACCES && log_ipfw_denied) {
+ else if (errno == EACCES && logIpfwDenied) {
sprintf (msgBuf, "failed to write packet back");
Warn (msgBuf);
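Review bot: the message "failed to write packet back" still carries no information about which packet was refused, which is the "useful info" the thread is asking for; with the option now off by default, the syslog coalescing concern Sheldon raised no longer argues against adding the packet's addresses here. Also, `sprintf (msgBuf, "failed to write packet back")` copies a constant string only to pass it on; the literal can be handed to Warn directly.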
@@ -1257,7 +1262,7 @@ static void ParseOption (const char* opt
break;
case LogDenied:
- logDropped = 1;
+ logDropped = yesNoValue;
break;
case LogFacility:
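Review bot: this hunk changes the unrelated -log_denied option (`logDropped`) from being set unconditionally to taking its yes/no argument, a behaviour change that neither the cover message nor the natd.8 diff mentions; either call it out and document the yes/no form for that option too, or split it into its own commit.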
@@ -1283,8 +1288,10 @@ static void ParseOption (const char* opt
case PunchFW:
SetupPunchFW(strValue);
break;
+
case LogIpfwDenied:
- log_ipfw_denied=1;
+ logIpfwDenied = yesNoValue;;
+ break;
}
}
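Review bot: stray double semicolon in `+ logIpfwDenied = yesNoValue;;`, drop the extra one. The added `break;` is right: the old code simply fell off the end of the switch in this case, harmless but inconsistent with the other cases.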
--
Ruslan Ermilov Oracle Developer/DBA,
ru@sunbay.com Sunbay Software AG,
ru@FreeBSD.org FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age