Re: [PATCH] ipchains log will show all flags

Re: [PATCH] ipchains log will show all flags

[Tony Gale]

On 05-Dec-2000 Christian W. Zuckschwerdt wrote:
> Hi Linus,
> 
> This tiny patch extends ipchains logging. This way one can
> distinguish
> (plain) connection attempts and (Xmas, Fin,...) scans. E.g.
>  kernel: Packet log: input - lo PROTO=6 127.0.0.1:40326
> 127.0.0.1:80
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1)
>  vs.
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=-s--a-
>  and
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=fs-p-u
> 
> Please comment on the format (B=...) and implementation details
> (speed).
> The patch is against 2.2.17's /net/ipv4/ip_fw.c 

Here's my version, which I have previously sent to Alan, but he
hasn't incorporated it - don't know why.

The format is slightly less obtuse, and more likely to be
compatible with existing tools.

-tony

PS: Rusty, putting "RR" in the header doesn't exactly flag you as
the maintainer.

--- ip_fw.c.orig	Thu Jul 13 12:44:42 2000
+++ ip_fw.c	Mon Sep 18 08:59:37 2000
@@ -41,6 +41,7 @@
  *              John McDonald <jm@dataprotect.com>
  *              Thomas Lopatic <tl@dataprotect.com>
  * 21-Oct-1999: Applied count fix by Emanuele Caratti <wiz@iol.it> --RR
+ * 13-Jul-2000: Log all TCP flags. Tony Gale <gale@dera.gov.uk>
  */
 
 /*
@@ -443,7 +444,17 @@
 
 	for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++)
 		printk(" O=0x%8.8X", *opt++);
-	printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
+	if (ip->protocol == IPPROTO_TCP) {
+		struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl);		
+	        printk("%s%s%s%s%s%s",
+			syn ? " SYN" : "",
+			tcp->fin ? " FIN" : "",
+			tcp->rst ? " RST" : "",
+			tcp->psh ? " PSH" : "",
+			tcp->ack ? " ACK" : "",
+			tcp->urg ? " URG" : "");
+	}
+	printk(" (#%d)\n", count);
 }
 
 /* function for checking chain labels for user space. */

-- 
E-Mail: Tony Gale <gale@syntax.dera.gov.uk>
The views expressed above are entirely those of the writer
and do not represent the views, policy or understanding of
any other person or official body.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

[PATCH] ipchains log will show all flags

[Christian W. Zuckschwerdt]

Hi,

This tiny patch extends ipchains logging. This way one can distinguish
(plain) connection attempts and (stealth) scans. E.g.
kernel: Packet log: input - lo PROTO=6 127.0.0.1:40326 127.0.0.1:80
L=40 S=0x00 I=5808 F=0x0000 T=51 (#1)
vs.
L=40 S=0x00 I=5808 F=0x0000 T=51 SYN ACK (#1)
and
L=40 S=0x00 I=5808 F=0x0000 T=51 URG PSH SYN FIN (#1)

Some comments on the format have been considered. I dislike
bloating my logging with "URG ACK PSH RST SYN FIN " and like to see a
compact format (eg. "B=fsrpau"). Despite that iptables does it the 
former way (linux-2.4.0-test11/net/ipv4/netfilter/ipt_LOG.c).

Please note that SYN is not any longer SYN && !ACK && !RST. This will
break log parser that look for connection initiation packets.

Besides ipchains(8) man page is wrong. FIN should be RST?
       [!] -y, --syn
              Only match TCP packets with the SYN bit set and the
              ACK and FIN bits cleared.  Such packets are used to


Could you please comment on the tradeoff between multiple printk()'s and
the printk("%s", "")?

Logging the FW Mark value was suggested by Roberto Nibali <ratz@tac.ch>
Could be included as  printk(" M=%d", f->ipfw.fw_mark);


The patch is against 2.2.17's /net/ipv4/ip_fw.c 
ipchains logging all flags Christian W. Zuckschwerdt <zany@triq.net>

--- linux-2.2.17-pristine/net/ipv4/ip_fw.c.orig	Mon Nov 27 00:38:36 2000
+++ linux-2.2.17/net/ipv4/ip_fw.c	Mon Dec 11 15:10:51 2000
@@ -41,6 +41,9 @@
  *              John McDonald <jm@dataprotect.com>
  *              Thomas Lopatic <tl@dataprotect.com>
  * 21-Oct-1999: Applied count fix by Emanuele Caratti <wiz@iol.it> --RR
+ * 11-Dec-2000: Added "URG ACK PSH RST SYN FIN" in log message.
+ *              Please note SYN is no longer SYN && !ACK && !RST  
+ *              Christian W. Zuckschwerdt <zany@triq.net>
  */
 
 /*
@@ -443,7 +443,24 @@
 
 	for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++)
 		printk(" O=0x%8.8X", *opt++);
-	printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
+
+	if ((ip->protocol == IPPROTO_TCP) && !(ip->frag_off & htons(IP_OFFSET))) {
+		struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl);
+		/* Max length: 36 " URG ACK PSH RST SYN FIN" */
+		if (tcp->urg)
+			printk(" URG");
+		if (tcp->ack)
+			printk(" ACK");
+		if (tcp->psh)
+			printk(" PSH");
+		if (tcp->rst)
+			printk(" RST");
+		if (tcp->syn)
+			printk(" SYN");
+		if (tcp->fin)
+			printk(" FIN");
+	}
+	printk(" (#%d) M=%d\n", count, f->ipfw.fw_mark);
 }
 
 /* function for checking chain labels for user space. */
-- 

  cu.
    :
    Christian


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: [PATCH] ipchains log will show all flags

[Mike A. Harris]

On Wed, 6 Dec 2000, Rusty Russell wrote:

>Date: Wed, 06 Dec 2000 11:40:12 +1100
>From: Rusty Russell <rusty@linuxcare.com.au>
>To: Mike A. Harris <mharris@opensourceadvocate.org>
>Cc: linux-kernel@vger.kernel.org
>Subject: Re: [PATCH] ipchains log will show all flags
>
>In message <Pine.LNX.4.30.0012051058090.620-100000@asdf.capslock.lan> you write
>:
>> Personally, I'd like to see the rule number stay on the end,and
>> have the new display just before it.  The rule number in the
>> middle looks messy.
>
>But what will break people's perl scripts?
>
>I think leaving the rule number at the end is probably the Right Thing
>from this point of view, so that would be a nice change.

I am of the camp "do it right, and fix problems that arise"
rather than doing things messy and/or kludgy in the name of
compatibility.

I'd rather see such a feature not get in than to see it get in as
a kludge that is permanent.

>But I prefer the compressed form of `-----' (with the old `SYN' kept
>there) to the "SYN FIN RST" alternative.

I prefer the SYN to disappear and be replaced with the new way
IMHO.  It'd be nice to see netfilter do this as well if it
doesn't already do similar.  2.4.0 isn't released yet, so
changing it now is safe IMHO.

Just some more food for thought...

Anyone?


----------------------------------------------------------------------
      Mike A. Harris  -  Linux advocate  -  Open source advocate
          This message is copyright 2000, all rights reserved.
  Views expressed are my own, not necessarily shared by my employer.
----------------------------------------------------------------------

If it weren't for C, we'd all be programming in BASI and OBOL.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: [PATCH] ipchains log will show all flags

[Rusty Russell]

In message <Pine.LNX.4.30.0012051058090.620-100000@asdf.capslock.lan> you write
:
> Personally, I'd like to see the rule number stay on the end,and
> have the new display just before it.  The rule number in the
> middle looks messy.

But what will break people's perl scripts?

I think leaving the rule number at the end is probably the Right Thing
from this point of view, so that would be a nice change.

But I prefer the compressed form of `-----' (with the old `SYN' kept
there) to the "SYN FIN RST" alternative.

Cheers,
Rusty.
--
Hacking time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: [PATCH] ipchains log will show all flags

[Mike A. Harris]

On Wed, 6 Dec 2000, Rusty Russell wrote:

>Date: Wed, 06 Dec 2000 00:55:09 +1100
>From: Rusty Russell <rusty@linuxcare.com.au>
>To: Christian W. Zuckschwerdt <zany@triq.net>
>Cc: linux-kernel@vger.kernel.org
>Subject: Re: [PATCH] ipchains log will show all flags
>
>In message <0012051408110.1526-100000@localhost> you write:
>> Hi Linus,
>>
>> This tiny patch extends ipchains logging. This way one can distinguish
>> (plain) connection attempts and (Xmas, Fin,...) scans. E.g.
>>  kernel: Packet log: input - lo PROTO=6 127.0.0.1:40326 127.0.0.1:80
>>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1)
>>  vs.
>>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=-s--a-
>>  and
>>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=fs-p-u
>>
>> Please comment on the format (B=...) and implementation details (speed).
>> The patch is against 2.2.17's /net/ipv4/ip_fw.c
>
>Looks OK, but CC'ing the maintainer is simple politeness.
>
>> +	if (ip->protocol == IPPROTO_TCP)
>
>You probably want to insert `&& !(ip->frag_off & htons(IP_OFFSET))'
>
>> +		       tcp-syn ? 's' : '-', tcp->rst ? 'r' : '-',
>
>You mean `tcp->syn' not `tcp-syn'.
>
>I like the fact that it doesn't disturb the format, simply appends,
>and it has been a not-uncommon request.
>
>But application is up to Alan Cox, who ruleth the 2.2 series.

Personally, I'd like to see the rule number stay on the end,and
have the new display just before it.  The rule number in the
middle looks messy.


----------------------------------------------------------------------
      Mike A. Harris  -  Linux advocate  -  Open source advocate
          This message is copyright 2000, all rights reserved.
  Views expressed are my own, not necessarily shared by my employer.
----------------------------------------------------------------------

Microsoft Windows(tm). A thirty-two bit extension and graphical shell
to a sixteen bit patch to an eight bit operating system originally
coded for a four bit microprocessor which was written by a two-bit
company that can't stand one bit of competition.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: [PATCH] ipchains log will show all flags

[Rusty Russell]

In message <0012051408110.1526-100000@localhost> you write:
> Hi Linus,
> 
> This tiny patch extends ipchains logging. This way one can distinguish
> (plain) connection attempts and (Xmas, Fin,...) scans. E.g.
>  kernel: Packet log: input - lo PROTO=6 127.0.0.1:40326 127.0.0.1:80
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1)
>  vs.
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=-s--a-
>  and
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=fs-p-u
> 
> Please comment on the format (B=...) and implementation details (speed).
> The patch is against 2.2.17's /net/ipv4/ip_fw.c 

Looks OK, but CC'ing the maintainer is simple politeness.

> +	if (ip->protocol == IPPROTO_TCP)

You probably want to insert `&& !(ip->frag_off & htons(IP_OFFSET))'

> +		       tcp-syn ? 's' : '-', tcp->rst ? 'r' : '-',

You mean `tcp->syn' not `tcp-syn'.

I like the fact that it doesn't disturb the format, simply appends,
and it has been a not-uncommon request.

But application is up to Alan Cox, who ruleth the 2.2 series.

Rusty.
--
Hacking time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

[PATCH] ipchains log will show all flags

[Christian W. Zuckschwerdt]

Hi Linus,

This tiny patch extends ipchains logging. This way one can distinguish
(plain) connection attempts and (Xmas, Fin,...) scans. E.g.
 kernel: Packet log: input - lo PROTO=6 127.0.0.1:40326 127.0.0.1:80
  L=40 S=0x00 I=5808 F=0x0000 T=51 (#1)
 vs.
  L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=-s--a-
 and
  L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=fs-p-u

Please comment on the format (B=...) and implementation details (speed).
The patch is against 2.2.17's /net/ipv4/ip_fw.c 


ipchains log with flags  Christian W. Zuckschwerdt  <zany@triq.net>

--- linux-2.2.17-pristine/net/ipv4/ip_fw.c.orig	Mon Nov 27 00:38:36 2000
+++ linux-2.2.17/net/ipv4/ip_fw.c	Sun Dec  3 23:58:06 2000
@@ -415,6 +415,7 @@
 {
 	__u32 *opt = (__u32 *) (ip + 1);
 	int opti;
+	struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl);
 	
 	if (f)
 	{
@@ -443,7 +444,15 @@
 
 	for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++)
 		printk(" O=0x%8.8X", *opt++);
-	printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
+	printk(" %s(#%d)", syn ? "SYN " : /* "PENANCE" */ "", count);
+
+	if (ip->protocol == IPPROTO_TCP)
+		printk(" B=%c%c%c%c%c%c\n", tcp->fin ? 'f' : '-',
+		       tcp-syn ? 's' : '-', tcp->rst ? 'r' : '-',
+		       tcp->psh ? 'p' : '-', tcp->ack ? 'a' : '-',
+		       tcp->urg ? 'u' : '-');
+	else
+		printk("\n");
 }
 
 /* function for checking chain labels for user space. */
-- 
  cu.
    :
    Christian

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/