OK. Here's mine. Sorry it took so long. Please test and get back.
> I have processed your suggestions the following way:
>
> a) removed the "SYN" notice because it produced lines with
> where the rulenumber was not any more in the same field
No. Options will also change the field. Keeping SYN. I know Bill
uses this for mason, and we simply can't break people auto-grepping
logs.
> b) added (behind the rulenum) two fields:
> 1. flags, in case of TCP something like "-FLAGS--", in case of
> other always "......" (extendable for future).
Hmm... I made this tcp specific. There's no indication that the 6
fields will be sufficient for another protocol anyway, so I made it
"FLAGS:------". Also only iff not a fragment. Will print crap for
underlength TCP packets, but that's harder to check for, and can be
useful if it's length 13.
> 2. MAC-source if the paket, if available, which seems to be
> only in the input chain.
Yes, but you can't do it the way you did: consider a logging chain
called from the input chain. Also, not all the world is an ethernet;
examine the mac-dumping code in route.c.
> Thereby answering your question: when I gave out
> skb->mac.ethernet.h_source in the output chain I saw random
> MAC numbers. I think that MAC's are filled in after ip_fw
> output- processing with the local MAC.
> Anyway, the MAC seem to be not valid during ip_fw output.
> So in case of input chain there is the source-MAC, else
> there is "00:00:00:00:00:00".
I also did your tcp check stuff in the logging: doesn't slow down the
`fast' path. (In truth, there isn't a fast path in ipchains, only a
`less slow' path 8-).
Please check before I send to Alan (hey, it compiles, it must be fine!)
Rusty.
--- ip_fw.c Tue Sep 28 17:50:35 1999
+++ /home/rusty/devel/kernel/linux-2.2/net/ipv4/ip_fw.c Tue Sep 28 18:07:07 1999
@@ -40,6 +40,9 @@
* 23-Jul-1999: Fixed small fragment security exposure opened on 15-May-1998.
* John McDonald <jm@dataprotect.com>
* Thomas Lopatic <tl@dataprotect.com>
+ * 21-Sep-1999: Added all tcp-flags and sender's MAC address in log message.
+ * Jens Hektor <hektor@rz.rwth-aachen.de>
+ * [ Finally gave in an applied w/ mods 28-Sep-1999 --RR ]
*/
/*
@@ -397,6 +400,7 @@
}
}
+/* You may add fields to end. You may NOT change existing fields. */
/*
* VERY ugly piece of code which actually
* makes kernel printf for matching packets...
@@ -408,13 +412,13 @@
__u16 src_port,
__u16 dst_port,
unsigned int count,
- int syn)
+ int syn,
+ unsigned char *machdr)
{
__u32 *opt = (__u32 *) (ip + 1);
int opti;
- if (f)
- {
+ if (f) {
printk(KERN_INFO "Packet log: %s ",chainlabel);
printk("%s ",branchname(f->branch,f->simplebranch));
@@ -440,7 +444,33 @@
for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++)
printk(" O=0x%8.8X", *opt++);
- printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
+ printk(" %s(#%d)", syn ? "SYN " : /* "PENANCE" */ "", count);
+
+ /* This code added to get a more detailed information about
+ * portscanners */
+ if (ip->protocol == IPPROTO_TCP
+ && !(ip->frag_off & __constant_htons(IP_OFFSET))) {
+ struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ip + ip->ihl);
+ printk(" FLAGS:%c%c%c%c%c%c",
+ tcp->urg ? 'U' : '-',
+ tcp->ack ? 'A' : '-',
+ tcp->psh ? 'P' : '-',
+ tcp->rst ? 'R' : '-',
+ tcp->syn ? 'S' : '-',
+ tcp->fin ? 'F' : '-');
+ }
+
+ if (machdr) {
+ /* We don't need to be efficient. */
+ struct device *dev = dev_get(ifname);
+
+ if (dev) {
+ unsigned int i;
+ for (i = 0; i < dev->hard_header_len; i++)
+ printk("%c%02x", i ? ':' : ' ', machdr[i]);
+ }
+ }
+ printk("\n");
}
/* function for checking chain labels for user space. */
@@ -530,12 +560,14 @@
unsigned int slot,
__u16 src_port, __u16 dst_port,
unsigned int count,
- int tcpsyn)
+ int tcpsyn,
+ int validmac)
{
f->counters[slot].bcnt+=ntohs(ip->tot_len);
f->counters[slot].pcnt++;
if (f->ipfw.fw_flg & IP_FW_F_PRN) {
- dump_packet(ip,rif,f,label,src_port,dst_port,count,tcpsyn);
+ dump_packet(ip,rif,f,label,src_port,dst_port,count,tcpsyn,
+ validmac ? skb->mac.raw : NULL);
}
ip->tos = (ip->tos & f->ipfw.fw_tosand) ^ f->ipfw.fw_tosxor;
@@ -588,7 +620,8 @@
struct ip_chain *chain,
struct sk_buff *skb,
unsigned int slot,
- int testing)
+ int testing,
+ int validmac)
{
struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl);
struct udphdr *udp=(struct udphdr *)((__u32 *)ip+ip->ihl);
@@ -621,7 +654,8 @@
if (offset == 1 && ip->protocol == IPPROTO_TCP) {
if (!testing && net_ratelimit()) {
printk("Suspect TCP fragment.\n");
- dump_packet(ip,rif,NULL,NULL,0,0,0,0);
+ dump_packet(ip,rif,NULL,NULL,0,0,0,0,
+ validmac ? skb->mac.raw : NULL);
}
return FW_BLOCK;
}
@@ -656,7 +690,8 @@
if (offset && (ntohs(ip->frag_off) & IP_MF)) {
if (!testing && net_ratelimit()) {
printk("Suspect short first fragment.\n");
- dump_packet(ip,rif,NULL,NULL,0,0,0,0);
+ dump_packet(ip,rif,NULL,NULL,0,0,0,0,
+ validmac ? skb->mac.raw : NULL);
}
return FW_BLOCK;
}
@@ -734,7 +769,8 @@
&& !ip_fw_domatch(f, ip, rif, chain->label,
skb, slot,
src_port, dst_port,
- count, tcpsyn)) {
+ count, tcpsyn,
+ validmac)) {
ret = FW_BLOCK;
goto out;
}
@@ -1343,7 +1379,7 @@
else {
ret = ip_fw_check(ip, new->fwt_packet.fwp_vianame,
NULL, chain,
- NULL, SLOT_NUMBER(), 1);
+ NULL, SLOT_NUMBER(), 1, 0);
switch (ret) {
case FW_ACCEPT:
ret = 0; break;
@@ -1684,7 +1720,8 @@
void *phdr, void *arg, struct sk_buff **pskb)
{
return ip_fw_check(phdr, dev->name,
- arg, IP_FW_INPUT_CHAIN, *pskb, SLOT_NUMBER(), 0);
+ arg, IP_FW_INPUT_CHAIN, *pskb, SLOT_NUMBER(), 0,
+ 1);
}
int ipfw_output_check(struct firewall_ops *this, int pf, struct device *dev,
@@ -1695,14 +1732,16 @@
|| (*pskb)->len < sizeof(struct iphdr))
return FW_ACCEPT;
return ip_fw_check(phdr, dev->name,
- arg, IP_FW_OUTPUT_CHAIN, *pskb, SLOT_NUMBER(), 0);
+ arg, IP_FW_OUTPUT_CHAIN, *pskb, SLOT_NUMBER(), 0,
+ 0);
}
int ipfw_forward_check(struct firewall_ops *this, int pf, struct device *dev,
void *phdr, void *arg, struct sk_buff **pskb)
{
return ip_fw_check(phdr, dev->name,
- arg, IP_FW_FORWARD_CHAIN, *pskb, SLOT_NUMBER(), 0);
+ arg, IP_FW_FORWARD_CHAIN, *pskb, SLOT_NUMBER(), 0,
+ 0);
}
struct firewall_ops ipfw_ops=
-- Hacking time.- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/