[PATCH] 2.2.7 & 2.3.x: ip_fw.c

Paul Rusty Russell (Paul.Russell@rustcorp.com.au)
Thu, 20 May 1999 20:46:40 +0930

In message <Pine.LNX.4.10.9905181859290.817-200000@Benjy> you write:
> I had the request from a user that they wanted to know which rule causes
> deny messages in syslog. While there are several ways to find it out it's
> much more convenient to see it in the logfile.

I agree. I modified your patch below: especially useful as
ipchains-1.3.9-pre has `--line-numbers' as an option anyway, and
counts must start at 1 for consistency (-R, -I and -D start at 1).

There are two issues:
1) People out there grepping for messages in syslogs. I simply can't
break this in the stable series. This means that the message has
to go at the end, despite esthetics.

2) It adds a counter to the packet compare path. I don't think this
is a major concern.

If this is OK, I'll send to Linus,
Rusty.
--- linux/net/ipv4/ip_fw.c Mon May 3 17:14:07 1999
+++ linux-old/net/ipv4/ip_fw.c Thu May 20 20:40:13 1999
@@ -34,6 +34,9 @@
* Marc Santoro <ultima@snicker.emoti.com>
* 29-Jan-1999: Locally generated bogus IPs dealt with, rather than crash
* during dump_packet. --RR.
+ * 19-May-1999: Star Wars: The Phantom Menace opened. Rule num
+ * printed in log (modified from Michael Hasenstein's patch)
+ * --RR
*/

/*
@@ -400,7 +403,8 @@
struct ip_fwkernel *f,
const ip_chainlabel chainlabel,
__u16 src_port,
- __u16 dst_port)
+ __u16 dst_port,
+ unsigned int count)
{
__u32 *opt = (__u32 *) (ip + 1);
int opti;
@@ -432,7 +436,7 @@

for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++)
printk(" O=0x%8.8X", *opt++);
- printk("\n");
+ printk("(#%d)\n", count);
}

/* function for checking chain labels for user space. */
@@ -520,12 +524,13 @@
const ip_chainlabel label,
struct sk_buff *skb,
unsigned int slot,
- __u16 src_port, __u16 dst_port)
+ __u16 src_port, __u16 dst_port,
+ unsigned int count)
{
f->counters[slot].bcnt+=ntohs(ip->tot_len);
f->counters[slot].pcnt++;
if (f->ipfw.fw_flg & IP_FW_F_PRN) {
- dump_packet(ip,rif,f,label,src_port,dst_port);
+ dump_packet(ip,rif,f,label,src_port,dst_port,count);
}
ip->tos = (ip->tos & f->ipfw.fw_tosand) ^ f->ipfw.fw_tosxor;

@@ -590,6 +595,7 @@
unsigned char oldtos;
struct ip_fwkernel *f;
int ret = FW_SKIP+2;
+ unsigned int count;

/* We handle fragments by dealing with the first fragment as
* if it was a normal packet. All other fragments are treated
@@ -610,7 +616,7 @@
if (offset == 1 && ip->protocol == IPPROTO_TCP) {
if (!testing && net_ratelimit()) {
printk("Suspect TCP fragment.\n");
- dump_packet(ip,rif,NULL,NULL,0,0);
+ dump_packet(ip,rif,NULL,NULL,0,0,0);
}
return FW_BLOCK;
}
@@ -702,13 +708,16 @@

f = chain->chain;
do {
+ count = 0;
for (; f; f = f->next) {
+ count++;
if (ip_rule_match(f,rif,ip,
tcpsyn,src_port,dst_port,offset)) {
if (!testing
&& !ip_fw_domatch(f, ip, rif, chain->label,
skb, slot,
- src_port, dst_port)) {
+ src_port, dst_port,
+ count)) {
ret = FW_BLOCK;
goto out;
}

--
Tridge, Raster, DaveM, Cort, maddog... Where will you be 9-11 July 1999?
                http://www.linux.org.au/projects/calu


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/