Date: Sat, 27 Mar 1999 08:01:54 -0800 (PST) From: Nick Sayer <nsayer@quack.kfu.com> To: FreeBSD-gnats-submit@freebsd.org Subject: kern/10818: ipfw reporting error with bridging Message-ID: <199903271601.IAA00448@medusa.kfu.com>
>Number: 10818 >Category: kern >Synopsis: ipfw reporting error with bridging >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Mar 27 08:10:00 PST 1999 >Closed-Date: >Last-Modified: >Originator: Nick Sayer >Release: FreeBSD 3.1-RELEASE i386 >Organization: just me >Environment: 3.1-RELEASE, options BRIDGE & IPFIREWALL, sysctl -w net.link.ether.bridge_ipfw=1 >Description: When you have logging rules applying to bridged packets, the logs would not correctly parse the packet. This is because the IP header on bridged packets (in general) requires ntoh?() operations, while non-bridged packets do not (what a nightmare). >How-To-Repeat: In this example, a telnet packet is directed through the bridge to a machine on the other side: ipfw: 800 Deny TCP 170.1.70.2 170.1.70.3 in via tx0 Fragment = 64 In this example, a telnet packet is directed into the bridge machine: ipfw: 800 Deny TCP 170.1.70.2:2497 170.1.70.5:23 in via tx0 In both cases, the filtering works correctly. It is merely the report that is in error. >Fix:
--- ip_fw.c.orig Sat Mar 27 07:53:27 1999
+++ ip_fw.c Sat Mar 27 07:50:37 1999
@@ -107,7 +107,8 @@
 static int tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f));
 static int icmptype_match __P((struct icmp * icmp, struct ip_fw * f));
 static void ipfw_report __P((struct ip_fw *f, struct ip *ip,
- struct ifnet *rif, struct ifnet *oif));
+ struct ifnet *rif, struct ifnet *oif,
+ char));
 static void flush_rule_ptrs(void);
@@ -289,7 +290,7 @@
 static void ipfw_report(struct ip_fw *f, struct ip *ip,
- struct ifnet *rif, struct ifnet *oif)
+ struct ifnet *rif, struct ifnet *oif, char bridge_flag)
 {
 if (ip) {
 static u_int64_t counter;
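Review bot: The prototype in the -107 hunk declares the new parameter as a bare `char` while the definition in the -289 hunk names it `bridge_flag`; every other parameter in that prototype carries its name, so `+ char bridge_flag));` would keep the declaration self-describing. A short comment on the definition stating what the flag encodes would also help, e.g. `/* bridge_flag: non-zero when ip_off is still in network byte order (bridged packet) */`, assuming that is the distinction the PR description draws, since nothing in the hunk itself explains why the flag changes the byte-order handling. ipfw_report's body continues outside the -289 hunk.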
@@ -355,27 +356,27 @@
 case IPPROTO_TCP:
 printf("TCP ");
 print_ip(ip->ip_src);
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf(":%d ", ntohs(tcp->th_sport));
 else
 printf(" ");
 print_ip(ip->ip_dst);
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf(":%d", ntohs(tcp->th_dport));
 break;
 case IPPROTO_UDP:
 printf("UDP ");
 print_ip(ip->ip_src);
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf(":%d ", ntohs(udp->uh_sport));
 else
 printf(" ");
 print_ip(ip->ip_dst);
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf(":%d", ntohs(udp->uh_dport));
 break;
 case IPPROTO_ICMP:
- if ((ip->ip_off & IP_OFFMASK) == 0)
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 printf("ICMP:%u.%u ", icmp->icmp_type, icmp->icmp_code);
 else
 printf("ICMP ");
@@ -394,8 +395,8 @@
 printf(" out via %s%d", oif->if_name, oif->if_unit);
 else if (rif)
 printf(" in via %s%d", rif->if_name, rif->if_unit);
- if ((ip->ip_off & IP_OFFMASK))
- printf(" Fragment = %d",ip->ip_off & IP_OFFMASK);
+ if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK))
+ printf(" Fragment = %d",(bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK);
 printf("\n");
 if (fw_verbose_limit != 0 && count == fw_verbose_limit)
 printf("ipfw: limit reached on rule #%d\n",
@@ -558,7 +559,9 @@
 case 1: /* match one type */
 if ( /* ( (f->fw_flg & IP_FW_F_INVSRC) != 0) ^ */ ( f->fw_uar.fw_pts[0] == ntohs(eh->ether_type) ) ) {
+#if 0
 printf("match!\n");
+#endif
 goto got_match ;
 }
 break ;
@@ -705,7 +708,7 @@
 bogusfrag:
 if (fw_verbose)
- ipfw_report(NULL, ip, rif, oif);
+ ipfw_report(NULL, ip, rif, oif, pip==NULL);
 goto dropit;
 }
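Review bot: The expression `(bridge_flag?ntohs(ip->ip_off):ip->ip_off)` is written out five times in this hunk and twice more in the -394 hunk, so any later change to the byte-order rule, or a new protocol case, has seven places to keep in step. Evaluating it once where `ip` is already known to be non-null — e.g. `u_short ip_off = bridge_flag ? ntohs(ip->ip_off) : ip->ip_off;` next to the `static u_int64_t counter;` declaration shown in the -289 hunk — and testing `(ip_off & IP_OFFMASK)` in each branch (and printing `ip_off & IP_OFFMASK` in the Fragment line) yields identical output with a single place that knows about bridging. ipfw_report begins and ends outside this hunk.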
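Review bot: The debug `printf("match!\n");` in the ether-type match branch of the -558 hunk is only disabled under `#if 0` rather than removed; since this sits on the per-frame match path, deleting the line outright avoids leaving dead code that can be switched back on and would then print for every matching frame. The enclosing switch and function continue outside the hunk.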
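Review bot: Both call sites (the -705 hunk and the -720 hunk) pass `pip==NULL` as the new bridge flag without saying why a null `pip` identifies the bridged path; that relation is stated only in the PR description, not in the code. Computing it once in the caller with a named local such as `int bridged = (pip == NULL); /* bridge path: IP header still in network byte order */` and passing `bridged` at both calls would make the intent explicit, assuming that is indeed what a null `pip` means here. The enclosing function starts and ends outside the hunk.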
@@ -720,7 +723,7 @@
 /* Log to console if desired */
 if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose)
- ipfw_report(f, ip, rif, oif);
+ ipfw_report(f, ip, rif, oif, pip==NULL);
 /* Take appropriate action */
 switch (f->fw_flg & IP_FW_F_COMMAND) {
>Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message