Date:      Tue, 12 Dec 2000 23:59:17 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        cjclark@alum.mit.edu
Cc:        Jev <jev@ecad.org>, freebsd-ipfw@FreeBSD.ORG, darcy@ok-connect.com
Subject:   Re: Extended ipfw Logging
Message-ID:  <20001212235917.J96105@149.211.6.64.reflexcom.com>
In-Reply-To: <20001212232319.I96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Tue, Dec 12, 2000 at 11:23:19PM -0800
References:  <20001210222316.A19100@149.211.6.64.reflexcom.com> <20001211081137.F9536@ecad.org> <20001212012641.C96105@149.211.6.64.reflexcom.com> <20001212232319.I96105@149.211.6.64.reflexcom.com>


--hHWLQfXTYDoKhP50
Content-Type: text/plain; charset=us-ascii

On Tue, Dec 12, 2000 at 11:23:19PM -0800, Crist J. Clark wrote:

[snip]

> They look good to me. The sysctl works as advertised above. You still
> need to add the IPFIREWALL_EXTRA_VERBOSE option to build in the
> functionality. A level of '2' for net.inet.ip.fw becomes the default
> when the option is built in.

Grrr... That ip_fw.patch was not the latest one in the version I was
testing. There is a small bug. Here is the correct one.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

--hHWLQfXTYDoKhP50
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ip_fw.patch"

--- ip_fw.c	Sun Dec 10 19:13:17 2000
+++ /usr/src/sys/netinet/ip_fw.c	Tue Dec 12 23:55:04 2000
@@ -67,7 +67,11 @@
 
 static int fw_debug = 1;
 #ifdef IPFIREWALL_VERBOSE
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+static int fw_verbose = 2;
+#else
 static int fw_verbose = 1;
+#endif
 #else
 static int fw_verbose = 0;
 #endif
@@ -488,7 +492,7 @@
     struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
     u_int64_t count;
     char *action;
-    char action2[32], proto[47], name[18], fragment[17];
+    char action2[32], proto[97], name[18], fragment[17];
     int len;
 
     count = f ? f->fw_pcnt : ++counter;
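Review bot: The new size `proto[97]` is a hand-computed constant with nothing tying it to the format strings it has to hold. By my count the longest extra-verbose suffix (the TCP one in the next hunk) expands to at most 49 characters, assuming `th_flags` and `ip_ttl` are single bytes, so a comment such as `/* base line (47) + longest extra-verbose suffix, TCP (49) + 1 */` would stop a later format change from silently truncating log lines. Whether an over-long line truncates cleanly instead of writing past the buffer depends on how SNPARGS bounds the remaining space, and that macro is defined outside this diff. The declaration sits in a function whose start and end are outside the hunk.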
@@ -572,9 +576,20 @@
 		    len += snprintf(SNPARGS(proto, len), " ");
 	    len += snprintf(SNPARGS(proto, len), "%s",
 		inet_ntoa(ip->ip_dst));
-	    if ((ip->ip_off & IP_OFFMASK) == 0)
-		    snprintf(SNPARGS(proto, len), ":%d",
+	    if ((ip->ip_off & IP_OFFMASK) == 0) {
+		    len += snprintf(SNPARGS(proto, len), ":%d",
 			ntohs(tcp->th_dport));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+		    if ( fw_verbose > 1 )
+			     snprintf(SNPARGS(proto, len),
+				 " f=0x%02x s=0x%08x a=0x%08x i=0x%04x t=0x%02x",
+				 tcp->th_flags,
+				 ntohl(tcp->th_seq),
+				 ntohl(tcp->th_ack),
+				 ntohs(ip->ip_id),
+				 ip->ip_ttl);
+#endif
+	    }
 	    break;
     case IPPROTO_UDP:
 	    len = snprintf(SNPARGS(proto, 0), "UDP %s",
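Review bot: The `i=` and `t=` fields are appended only inside the `(ip->ip_off & IP_OFFMASK) == 0` block, so for TCP here (and for UDP in the next hunk) non-first fragments are logged without the IP id and TTL, while the ICMP and default cases in the last hunk log them for every packet. The id is the field an analyst needs to tie later fragments to the first one, so it is dropped exactly where it is most useful. Keeping only the TCP-header fields inside the offset check and appending the IP-level fields after it fixes this, and the same split applies to the UDP case. The enclosing switch and function begin outside the hunk.

```c
	    if ((ip->ip_off & IP_OFFMASK) == 0) {
		    len += snprintf(SNPARGS(proto, len), ":%d",
			ntohs(tcp->th_dport));
#ifdef IPFIREWALL_EXTRA_VERBOSE
		    /* TCP header fields exist only in the first fragment. */
		    if (fw_verbose > 1)
			    len += snprintf(SNPARGS(proto, len),
				" f=0x%02x s=0x%08x a=0x%08x",
				tcp->th_flags,
				ntohl(tcp->th_seq),
				ntohl(tcp->th_ack));
#endif
	    }
#ifdef IPFIREWALL_EXTRA_VERBOSE
	    /* IP header fields are present in every fragment. */
	    if (fw_verbose > 1)
		    snprintf(SNPARGS(proto, len), " i=0x%04x t=0x%02x",
			ntohs(ip->ip_id),
			ip->ip_ttl);
#endif
```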
@@ -586,9 +601,17 @@
 		    len += snprintf(SNPARGS(proto, len), " ");
 	    len += snprintf(SNPARGS(proto, len), "%s",
 		inet_ntoa(ip->ip_dst));
-	    if ((ip->ip_off & IP_OFFMASK) == 0)
-		    snprintf(SNPARGS(proto, len), ":%d",
+	    if ((ip->ip_off & IP_OFFMASK) == 0) {
+		    len += snprintf(SNPARGS(proto, len), ":%d",
 			ntohs(udp->uh_dport));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+	            if ( fw_verbose > 1 )
+			     snprintf(SNPARGS(proto, len),
+				 " i=0x%04x t=0x%02x",
+				 ntohs(ip->ip_id),
+				 ip->ip_ttl);
+#endif
+	    }
 	    break;
     case IPPROTO_ICMP:
 	    if ((ip->ip_off & IP_OFFMASK) == 0)
@@ -598,20 +621,55 @@
 		    len = snprintf(SNPARGS(proto, 0), "ICMP ");
 	    len += snprintf(SNPARGS(proto, len), "%s",
 		inet_ntoa(ip->ip_src));
-	    snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+	    len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+	    if ( fw_verbose > 1 )
+		    snprintf(SNPARGS(proto, len),
+			" i=0x%04x t=0x%02x",
+			ntohs(ip->ip_id),
+			ip->ip_ttl);
+#endif
 	    break;
     default:
 	    len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
 		inet_ntoa(ip->ip_src));
-	    snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+	    len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+	    if ( fw_verbose > 1 )
+		    snprintf(SNPARGS(proto, len), " i=0x%04x t=0x%02x",
+			ntohs(ip->ip_id),
+			ip->ip_ttl);
+#endif
 	    break;
     }
 
-    if ((ip->ip_off & IP_OFFMASK))
+#ifdef IPFIREWALL_EXTRA_VERBOSE
+    if ( fw_verbose > 1 ) {
+	if (ip->ip_off & IP_DF)
+		len = snprintf(SNPARGS(fragment, 0), " DF");
+	else {
+		fragment[0] = '\0';
+		len = 0;
+	}
+	if (ip->ip_off & (IP_OFFMASK | IP_MF))
+		len += snprintf(SNPARGS(fragment, len), " Frag=%d",
+		    (ip->ip_off & IP_OFFMASK)<<3);
+	if (ip->ip_off & IP_MF)
+		len += snprintf(SNPARGS(fragment, len), "+");
+    } else {
+        if (ip->ip_off & (IP_OFFMASK | IP_MF))
+		snprintf(SNPARGS(fragment, 0), " Fragment = %d",
+	    	    ip->ip_off & IP_OFFMASK);
+        else
+		fragment[0] = '\0';
+    }
+#else
+    if (ip->ip_off & (IP_OFFMASK | IP_MF))
 	    snprintf(SNPARGS(fragment, 0), " Fragment = %d",
 		ip->ip_off & IP_OFFMASK);
     else
 	    fragment[0] = '\0';
+#endif
     if (oif)
 	    log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
 		name, action, proto, oif->if_name, oif->if_unit, fragment);
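Review bot: The two fragment formats report the offset in different units: the extra-verbose branch prints `(ip->ip_off & IP_OFFMASK)<<3`, a byte offset, as `Frag=`, while the legacy branch prints the raw 8-byte-unit field as `Fragment =`. Anyone parsing these logs will read the same packet two ways depending on the verbosity level, so each snprintf should carry a comment naming the unit, e.g. `/* offset in bytes */` and `/* offset in 8-byte units, as before */`. The legacy branch is also written twice, once in the inner `else` and once under `#else`; closing the verbose block with `} else` immediately before `#endif` would let both builds share one copy. The legacy condition now includes `IP_MF`, so a first fragment is logged as ` Fragment = 0` where it previously logged nothing, which should be stated in the description if intended. The function ends outside the hunk.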

--hHWLQfXTYDoKhP50--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message



