Date:      Sat, 27 Mar 1999 08:01:54 -0800 (PST)
From:      Nick Sayer <nsayer@quack.kfu.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/10818: ipfw reporting error with bridging
Message-ID:  <199903271601.IAA00448@medusa.kfu.com>


>Number:         10818
>Category:       kern
>Synopsis:       ipfw reporting error with bridging
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 27 08:10:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Nick Sayer
>Release:        FreeBSD 3.1-RELEASE i386
>Organization:
just me
>Environment:

3.1-RELEASE, options BRIDGE & IPFIREWALL,
sysctl -w net.link.ether.bridge_ipfw=1

>Description:

When you have logging rules that apply to bridged packets, the log lines do
not correctly decode the packet. This is because the IP header fields of bridged
packets (in general) still require ntoh?() conversion, while those of
non-bridged packets do not (what a nightmare).

>How-To-Repeat:

In this example, a telnet packet is directed through the bridge to
a machine on the other side:

ipfw: 800 Deny TCP 170.1.70.2 170.1.70.3 in via tx0 Fragment = 64

In this example, a telnet packet is directed into the bridge machine:

ipfw: 800 Deny TCP 170.1.70.2:2497 170.1.70.5:23 in via tx0

In both cases, the filtering works correctly. It is merely the report
that is in error.

>Fix:

--- ip_fw.c.orig	Sat Mar 27 07:53:27 1999
+++ ip_fw.c	Sat Mar 27 07:50:37 1999
@@ -107,7 +107,8 @@
 static int	tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f));
 static int	icmptype_match __P((struct icmp *  icmp, struct ip_fw * f));
 static void	ipfw_report __P((struct ip_fw *f, struct ip *ip,
-				struct ifnet *rif, struct ifnet *oif));
+				struct ifnet *rif, struct ifnet *oif,
+				char));
 
 static void flush_rule_ptrs(void);
 
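Review bot: The new last parameter on the `char));` line of the prototype is unnamed, unlike every other parameter in these `__P` declarations, so the prototype no longer says what is being passed; name it, `char bridge_flag));`. The definition in the following hunk (`struct ifnet *rif, struct ifnet *oif, char bridge_flag)`) receives the result of `pip==NULL` from the call sites, which is an `int`; declaring `int bridge_flag` in both the prototype and the definition would avoid the implicit int-to-char narrowing, harmless for 0/1 but needless. ipfw_report's body continues outside both hunks.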
@@ -289,7 +290,7 @@
 
 static void
 ipfw_report(struct ip_fw *f, struct ip *ip,
-	struct ifnet *rif, struct ifnet *oif)
+	struct ifnet *rif, struct ifnet *oif, char bridge_flag)
 {
     if (ip) {
 	static u_int64_t counter;
@@ -355,27 +356,27 @@
 	case IPPROTO_TCP:
 		printf("TCP ");
 		print_ip(ip->ip_src);
-		if ((ip->ip_off & IP_OFFMASK) == 0)
+		if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 			printf(":%d ", ntohs(tcp->th_sport));
 		else
 			printf(" ");
 		print_ip(ip->ip_dst);
-		if ((ip->ip_off & IP_OFFMASK) == 0)
+		if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 			printf(":%d", ntohs(tcp->th_dport));
 		break;
 	case IPPROTO_UDP:
 		printf("UDP ");
 		print_ip(ip->ip_src);
-		if ((ip->ip_off & IP_OFFMASK) == 0)
+		if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 			printf(":%d ", ntohs(udp->uh_sport));
 		else
 			printf(" ");
 		print_ip(ip->ip_dst);
-		if ((ip->ip_off & IP_OFFMASK) == 0)
+		if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 			printf(":%d", ntohs(udp->uh_dport));
 		break;
 	case IPPROTO_ICMP:
-		if ((ip->ip_off & IP_OFFMASK) == 0)
+		if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK) == 0)
 			printf("ICMP:%u.%u ", icmp->icmp_type, icmp->icmp_code);
 		else
 			printf("ICMP ");
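Review bot: The expression `(bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK` is repeated five times in this hunk and twice more in the next one (the `Fragment =` lines), so a future change to the byte-order rule can easily miss one site. Compute the host-order offset once near the top of ipfw_report, `u_short ip_off = bridge_flag ? ntohs(ip->ip_off) : ip->ip_off;` beside the `static u_int64_t counter;` declaration in the earlier hunk, and test `(ip_off & IP_OFFMASK)` at every site; the port fields already go through `ntohs` unconditionally, so only the offset needs the flag. A why-comment at that declaration, `/* bridged packets still carry ip_off in network byte order */`, would spare the next reader the trip to the bridge code. ipfw_report starts and ends outside this hunk.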
@@ -394,8 +395,8 @@
 		printf(" out via %s%d", oif->if_name, oif->if_unit);
 	else if (rif)
 		printf(" in via %s%d", rif->if_name, rif->if_unit);
-	if ((ip->ip_off & IP_OFFMASK)) 
-		printf(" Fragment = %d",ip->ip_off & IP_OFFMASK);
+	if (((bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK)) 
+		printf(" Fragment = %d",(bridge_flag?ntohs(ip->ip_off):ip->ip_off) & IP_OFFMASK);
 	printf("\n");
 	if (fw_verbose_limit != 0 && count == fw_verbose_limit)
 		printf("ipfw: limit reached on rule #%d\n",
@@ -558,7 +559,9 @@
 		    case 1: /* match one type */
 			if (  /* ( (f->fw_flg & IP_FW_F_INVSRC) != 0) ^ */
 				( f->fw_uar.fw_pts[0] == ntohs(eh->ether_type) )  ) {
+#if 0
 			    printf("match!\n");
+#endif
 			    goto got_match ;
 			}
 			break ;
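Review bot: The `#if 0` around `printf("match!\n");` keeps dead debug output in the ether-type match path instead of removing it; delete the line outright, or gate it on `fw_verbose` if it is still wanted, rather than leaving it under `#if 0`. This change is also unrelated to the byte-order fix the PR describes and would be clearer as a separate patch. The enclosing switch and function continue outside the hunk.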
@@ -705,7 +708,7 @@
 
 bogusfrag:
 			if (fw_verbose)
-				ipfw_report(NULL, ip, rif, oif);
+				ipfw_report(NULL, ip, rif, oif, pip==NULL);
 			goto dropit;
 		}
 
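Review bot: Passing `pip==NULL` as the new argument gives the reader no hint that it means "this packet came in through the bridge"; `pip` is declared outside the hunk, so the meaning is only recoverable from the PR text. A named local computed once where `pip` is assigned, `int bridged = (pip == NULL);`, passed at both call sites (this hunk and the `IP_FW_F_PRN` one that follows) would document the condition and keep the two sites in sync. If `pip` can be NULL on a path other than bridging, the flag would mis-decode the log line, so that assumption deserves a comment at the definition, `/* pip == NULL only on the bridged path */`; whether that holds is an inference from the hunk, not visible here.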
@@ -720,7 +723,7 @@
 
 		/* Log to console if desired */
 		if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose)
-			ipfw_report(f, ip, rif, oif);
+			ipfw_report(f, ip, rif, oif, pip==NULL);
 
 		/* Take appropriate action */
 		switch (f->fw_flg & IP_FW_F_COMMAND) {

>Release-Note:
>Audit-Trail:
>Unformatted:





