Date: Sun, 1 Jul 2001 19:40:49 -0700 From: "Crist J. Clark" <cristjc@earthlink.net> To: freebsd-audit@freebsd.org Cc: ru@freebsd.org Subject: src/sys/netinet/ip_fw.c Patch Message-ID: <20010701194049.J296@blossom.cjclark.org>
Since this is a patch to a security-critical area, I thought I would
make sure to send this here first. Presently, logging of IP
fragmentation is broken (see PR kern/23446). It was suggested that
instead of just fixing the bug, I go ahead and do it _all_ right.
This code prints fragment information tcpdump(8)-style. For example,
here is the ipfw log and tcpdump output of a 5000-byte ping,
Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP:8.0 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@0+)
Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@1480+)
Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@2960+)
Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:568@4440)
19:38:45.075886 192.168.64.60 > 192.168.64.20: icmp: echo request (frag 53113:1480@0+) (ttl 255)
19:38:45.075896 192.168.64.60 > 192.168.64.20: (frag 53113:1480@1480+) (ttl 255)
19:38:45.075911 192.168.64.60 > 192.168.64.20: (frag 53113:1480@2960+) (ttl 255)
19:38:45.075917 192.168.64.60 > 192.168.64.20: (frag 53113:568@4440) (ttl 255)
Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.164
diff -u -r1.164 ip_fw.c
--- ip_fw.c 2001/04/06 06:52:25 1.164
+++ ip_fw.c 2001/07/02 02:23:12
@@ -206,7 +206,8 @@
static int tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f));
static int icmptype_match __P((struct icmp * icmp, struct ip_fw * f));
static void ipfw_report __P((struct ip_fw *f, struct ip *ip, int offset,
- struct ifnet *rif, struct ifnet *oif));
+ int ip_len, struct ifnet *rif,
+ struct ifnet *oif));
static void flush_rule_ptrs(void);
@@ -492,7 +493,7 @@
}
static void
-ipfw_report(struct ip_fw *f, struct ip *ip, int offset,
+ipfw_report(struct ip_fw *f, struct ip *ip, int offset, int ip_len,
struct ifnet *rif, struct ifnet *oif)
{
struct tcphdr *const tcp = (struct tcphdr *) ((u_int32_t *) ip+ ip->ip_hl);
@@ -500,7 +501,7 @@
struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
u_int64_t count;
char *action;
- char action2[32], proto[47], name[18], fragment[17];
+ char action2[32], proto[47], name[18], fragment[27];
int len;
count = f ? f->fw_pcnt : ++counter;
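Review bot: The new `fragment[27]` on the changed declaration line is sized to the exact maximum of the ` (frag id:len@off+)` text that the function writes into it later, with no slack, and nothing records that derivation for whoever next widens the format. Suggest a comment on that line: `char action2[32], proto[47], name[18], fragment[27]; /* " (frag 65535:65535@65528+)" is 26 chars + NUL */`. Assuming SNPARGS bounds the write by sizeof(fragment), a future mismatch would show up as a silently truncated log line rather than an overflow, which is exactly why the limit deserves to be spelled out. ipfw_report's body continues outside this hunk.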
@@ -619,9 +620,11 @@
break;
}
- if (offset != 0)
- snprintf(SNPARGS(fragment, 0), " Fragment = %d",
- offset);
+ if (ip->ip_off & (IP_MF|IP_OFFMASK))
+ snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)",
+ ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2),
+ offset << 3,
+ (ip->ip_off&IP_MF) ? "+" : "");
else
fragment[0] = '\0';
if (oif)
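Review bot: `ip_len - (ip->ip_hl << 2)` in the new snprintf can go negative if a packet whose header-length field exceeds ip_len reaches the logging path, which seems possible via the bogusfrag call site this patch also updates; the line would then report a negative payload length, and the extra '-' pushes the longest case past the 27-byte buffer so SNPARGS drops the closing parenthesis. Consider clamping before formatting, `int payload = ip_len - (ip->ip_hl << 2); if (payload < 0) payload = 0;`, and passing `payload` to snprintf. The condition also relies on `ip->ip_off` already being in host byte order while `ip->ip_id` is converted with ntohs(); that is consistent with how the existing `offset` value is used, but a one-line comment such as `/* ip_off is host order here; ip_id is still network order */` would save the next reader the same check. ipfw_report begins and ends outside this hunk.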
@@ -1326,7 +1329,7 @@
bogusfrag:
if (fw_verbose && ip != NULL)
- ipfw_report(NULL, ip, offset, rif, oif);
+ ipfw_report(NULL, ip, offset, ip_len, rif, oif);
goto dropit;
}
@@ -1349,7 +1352,7 @@
/* Log to console if desired */
if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose)
- ipfw_report(f, ip, offset, rif, oif);
+ ipfw_report(f, ip, offset, ip_len, rif, oif);
/* Take appropriate action */
switch (f->fw_flg & IP_FW_F_COMMAND) {
--
Crist J. Clark cjclark@alum.mit.edu
