From stephen@cauchy.math.missouri.edu  Wed Jul 26 11:10:43 2000
Return-Path: <stephen@cauchy.math.missouri.edu>
Received: from cauchy.math.missouri.edu (cauchy.math.missouri.edu [128.206.49.166])
	by hub.freebsd.org (Postfix) with ESMTP id 79C4B37BF0D
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 26 Jul 2000 11:10:38 -0700 (PDT)
	(envelope-from stephen@cauchy.math.missouri.edu)
Received: (from stephen@localhost)
	by cauchy.math.missouri.edu (8.9.3/8.9.1) id NAA35666;
	Wed, 26 Jul 2000 13:10:38 -0500 (CDT)
Message-Id: <200007261810.NAA35666@cauchy.math.missouri.edu>
Date: Wed, 26 Jul 2000 13:10:38 -0500 (CDT)
From: Stephen Montgomery-Smith <stephen@cauchy.math.missouri.edu>
Reply-To: stephen@math.missouri.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: log setup of dynamic rules for ipfw
X-Send-Pr-Version: 3.2

>Number:         20198
>Category:       kern
>Synopsis:       log setup of dynamic rules for ipfw
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    luigi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 11:20:00 PDT 2000
>Closed-Date:    Fri Jun 22 08:44:05 PDT 2001
>Last-Modified:  Fri Jun 22 08:44:49 PDT 2001
>Originator:     Stephen Montgomery-Smith
>Release:        FreeBSD 4.1-RC i386
>Organization:
University of Missouri
>Environment:

Creating rules with ipfw with the keep-state option

>Description:

Suppose I create a rule with ipfw:
ipfw add pass log from xxx to yyy via zzz keep-state
Then every packet processed by this rule will create a log entry.

It would be nice to have the possibility to create a rule thus:
ipfw add pass from xxx to yyy via zzz keep-state log
This would have the effect that when this rule is first encountered
it creates a log entry, but subsequently when the rule is 
encountered in its dynamic state, it is not logged.  There
is only one log when the dynamic rule is created the first time.

Of course, if this rule is encountered by a packet with a different
ip/port combination, then another dynamic rule is created, and
so is a new log entry.

The above syntax is my suggestion, but maybe you guys would 
prefer something else.  If you like this, and it is adopted, 
then I will write a diff for the man file also.

>How-To-Repeat:

>Fix:

Here is my patch.  

I use another of the struct ip_fw.fw_flg bits, which seem 
to be in rather short supply: now only 6 bits are left.

The small addition I made to ipfw.c to parse for the log option
works, but maybe I didn't do it in the spirit of the rest of the
code.

diff -ru /sys/netinet/ip_fw.c sys/netinet/ip_fw.c
--- /sys/netinet/ip_fw.c	Sat Jul 15 19:25:45 2000
+++ sys/netinet/ip_fw.c	Wed Jul 26 12:21:45 2000
@@ -1215,8 +1215,16 @@
 		f->timestamp = time_second;
 
 		/* Log to console if desired */
+#if STATEFUL
+		if (((f->fw_flg & IP_FW_F_PRN) || 
+		     ((f->fw_flg & IP_FW_F_PRN_S) && q == NULL)) && fw_verbose) {
+			ipfw_report(f, ip, rif, oif);
+		}
+			
+#else
 		if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose)
 			ipfw_report(f, ip, rif, oif);
+#endif
 
 		/* Take appropriate action */
 		switch (f->fw_flg & IP_FW_F_COMMAND) {
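Review bot: the #else branch ignores IP_FW_F_PRN_S entirely, so a rule installed with that bit on a kernel built without STATEFUL logs nothing and gives no error; either reject the bit where fw_flg is validated in that configuration or note in ip_fw.h that the flag requires STATEFUL. The added line after the closing brace of the new if block is whitespace only and should be dropped. Also consider keeping the existing unbraced single-statement style, since the new body is still one call to ipfw_report().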
diff -ru /sys/netinet/ip_fw.h sys/netinet/ip_fw.h
--- /sys/netinet/ip_fw.h	Sat Jul 15 19:25:45 2000
+++ sys/netinet/ip_fw.h	Tue Jul 25 23:12:33 2000
@@ -204,8 +204,9 @@
 #define	IP_FW_BRIDGED	0x04000000	/* only match bridged packets		*/
 #define IP_FW_F_KEEP_S	0x08000000	/* keep state	 			*/
 #define IP_FW_F_CHECK_S	0x10000000	/* check state	 			*/
+#define IP_FW_F_PRN_S	0x20000000	/* Print if this state created		*/
 
-#define IP_FW_F_MASK	0x1FFFFFFF	/* All possible flag bits mask		*/
+#define IP_FW_F_MASK	0x3FFFFFFF	/* All possible flag bits mask		*/
 
 /*
  * For backwards compatibility with rules specifying "via iface" but
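Review bot: nothing at the kernel boundary ties IP_FW_F_PRN_S to IP_FW_F_KEEP_S: widening IP_FW_F_MASK makes the new bit pass the install-time flag check on its own, and the only place that enforces "log after keep-state" is the ipfw(8) parser, so the check that PRN_S is only set together with KEEP_S belongs where fw_flg is validated against IP_FW_F_MASK as well. The comment "Print if this state created" should say what the bit does, e.g. "log only when the dynamic rule is created (keep-state log)".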
diff -ru /usr/src/sbin/ipfw/ipfw.c sbin/ipfw/ipfw.c
--- /usr/src/sbin/ipfw/ipfw.c	Sat Jul 15 19:25:50 2000
+++ sbin/ipfw/ipfw.c	Wed Jul 26 12:48:45 2000
@@ -385,6 +385,9 @@
                 else
                     printf(" keep-state");
         }
+        if (chain->fw_flg & IP_FW_F_PRN_S) {
+                printf(" log");
+        }
         /* Direction */
         if (chain->fw_flg & IP_FW_BRIDGED)
                 printf(" bridged");
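Review bot: with this, `ipfw list` prints a rule carrying both IP_FW_F_PRN and IP_FW_F_PRN_S with the word `log` twice, once after the action and once after `keep-state`, and only the position tells the reader which is which; that needs a paragraph in ipfw(8), which the PR promises but the diff does not include. Match the surrounding style too: the neighbouring one-statement bodies such as `printf(" bridged");` are not braced.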
@@ -1759,6 +1762,10 @@
                             av++; ac--;
                         }
                         continue;
+                }
+                if ((rule.fw_flg & IP_FW_F_KEEP_S) && !strncmp(*av,"log",strlen(*av))) { 
+                        rule.fw_flg |= IP_FW_F_PRN_S;
+                        av++; ac--; continue;
                 }
                 if (!strncmp(*av,"bridged",strlen(*av))) { 
                         rule.fw_flg |= IP_FW_BRIDGED;
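Review bot: `!strncmp(*av,"log",strlen(*av))` accepts any prefix of "log" ("l", "lo") and also an empty argument, since strlen 0 makes strncmp return 0; it mirrors the `bridged` test just below, but for a keyword that already has a different meaning earlier in the rule a full-word compare (or at least `strlen(*av) == 3`) would be less surprising. The test is also gated on IP_FW_F_KEEP_S already being set, so `log` given before `keep-state` in the option list is not recognised here and falls through to the rest of the loop; ipfw(8) should state that the option must follow `keep-state`.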


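The following is an added example, not code from this PR or from FreeBSD's sys/netinet/ip_fw.c. It is a small user-space model of the stateful match path that runs one constructed packet trace (two SSH flows, forward and reverse packets interleaved) through a single rule and counts the log lines under the unpatched condition, the first patch's separate IP_FW_F_PRN_S flag, and the second patch's changed condition for plain `log` on a keep-state rule. The flag values, the flow key, the trace and all function names are assumptions made for the model; it goes slightly beyond the PR text by also covering reverse-direction packets, which match the dynamic rule and are therefore not logged.

```c
/*
 * Added example, not code from this PR or from FreeBSD's ip_fw.c: a
 * user-space model of the stateful match path, used to count how many
 * log lines each logging variant discussed in the PR emits for one
 * constructed packet trace.  Flag values, flow key, trace and function
 * names are all assumptions made for the model.
 */
#include <stdint.h>
#include <stdio.h>

/* Rule flags standing in for fw_flg bits (local values, not FreeBSD's) */
#define F_PRN     0x1u  /* "log": log every packet the rule handles           */
#define F_KEEP_S  0x2u  /* "keep-state": install a dynamic rule on first match */
#define F_PRN_S   0x4u  /* first patch's "keep-state log": log on install only */

enum variant {
    VARIANT_BASE,    /* unpatched: F_PRN logs every packet                    */
    VARIANT_PATCH1,  /* first patch: separate F_PRN_S flag                    */
    VARIANT_PATCH2   /* second patch: F_PRN suppressed on dynamic-rule matches */
};

struct flow { uint32_t src, dst; uint16_t sport, dport; };

#define MAX_DYN 16
struct state {
    struct flow dyn[MAX_DYN];  /* dynamic rules, keyed on the creating flow */
    int ndyn;
    int logged;
};

static int flow_eq(const struct flow *a, const struct flow *b)
{
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}

/* A dynamic rule matches its own flow and the reverse direction */
static const struct flow *lookup_dyn(const struct state *s, const struct flow *f)
{
    struct flow rev = { f->dst, f->src, f->dport, f->sport };
    for (int i = 0; i < s->ndyn; i++)
        if (flow_eq(&s->dyn[i], f) || flow_eq(&s->dyn[i], &rev))
            return &s->dyn[i];
    return NULL;
}

/* The three logging conditions; q_matched plays the role of "q != NULL" */
int should_log(enum variant v, unsigned flg, int q_matched)
{
    switch (v) {
    case VARIANT_BASE:
        return (flg & F_PRN) != 0;
    case VARIANT_PATCH1:
        return (flg & F_PRN) || ((flg & F_PRN_S) && !q_matched);
    case VARIANT_PATCH2:
        return (flg & F_PRN) && !((flg & F_KEEP_S) && q_matched);
    }
    return 0;
}

static void process(struct state *s, enum variant v, unsigned flg, const struct flow *f)
{
    const struct flow *q = lookup_dyn(s, f);
    if (should_log(v, flg, q != NULL))
        s->logged++;
    /* keep-state: install a dynamic rule the first time a flow is seen */
    if (q == NULL && (flg & F_KEEP_S) && s->ndyn < MAX_DYN)
        s->dyn[s->ndyn++] = *f;
}

/* Constructed trace: two SSH flows, forward and reverse packets interleaved */
static const struct flow trace[] = {
    { 0x0a000001, 0x0a000064, 40000, 22 },  /* A: client1 -> server, SYN */
    { 0x0a000064, 0x0a000001, 22, 40000 },  /* A: reply                  */
    { 0x0a000001, 0x0a000064, 40000, 22 },  /* A: data                   */
    { 0x0a000002, 0x0a000064, 40001, 22 },  /* B: client2 -> server, SYN */
    { 0x0a000001, 0x0a000064, 40000, 22 },  /* A: data                   */
    { 0x0a000064, 0x0a000002, 22, 40001 },  /* B: reply                  */
    { 0x0a000064, 0x0a000001, 22, 40000 },  /* A: reply                  */
};
#define NTRACE (int)(sizeof trace / sizeof trace[0])

/* Run the trace through one rule; return the number of log lines emitted */
int run_trace(enum variant v, unsigned flg)
{
    struct state s = { .ndyn = 0, .logged = 0 };
    for (int i = 0; i < NTRACE; i++)
        process(&s, v, flg, &trace[i]);
    return s.logged;
}

int main(void)
{
    printf("%d packets in trace\n", NTRACE);
    printf("base,   log keep-state      : %d log lines\n", run_trace(VARIANT_BASE,   F_PRN | F_KEEP_S));
    printf("patch1, keep-state log      : %d log lines\n", run_trace(VARIANT_PATCH1, F_KEEP_S | F_PRN_S));
    printf("patch1, log keep-state      : %d log lines\n", run_trace(VARIANT_PATCH1, F_PRN | F_KEEP_S));
    printf("patch2, log keep-state      : %d log lines\n", run_trace(VARIANT_PATCH2, F_PRN | F_KEEP_S));
    printf("patch2, log (no keep-state) : %d log lines\n", run_trace(VARIANT_PATCH2, F_PRN));
    return 0;
}
```

Build with cc -std=c99 and run. The seven-packet trace yields 7, 2, 7, 2 and 7 log lines for the five rows. The difference between the two patches is the fourth row: under the first patch a rule that says `log keep-state` still logs every packet and `keep-state log` is a separate opt-in, whereas under the second patch the existing `log` keyword on any keep-state rule drops to one line per flow, so a ruleset that relied on per-packet logs from stateful rules loses them without any change to the rule text.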
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: sheldonh 
State-Changed-When: Thu Jul 27 04:31:49 PDT 2000 
State-Changed-Why:  
Does ``logamount'' (see ipfw(8)) not suit your needs? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20198 

From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: Neil Blakey-Milner <nbm@mithrandr.moria.org>
Cc: sheldonh@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: kern/20198: log setup of dynamic rules for ipfw
Date: Thu, 27 Jul 2000 12:06:24 -0500

 OK, how about this:
 
 Neil Blakey-Milner wrote:
 > 
 > On Thu 2000-07-27 (10:38), Stephen Montgomery-Smith wrote:
 > > > > add pass log logamount 10 from any to any 22 keep-state
 > > >
 > > > What about:
 > > >
 > > > add pass log logamount 10 from any to any 22 setup keep-state
 > > >
 > >
 > > That doesn't seem to work for me.
 > 
 > Then that is the problem.  No need to add new semantics when the above
 > is the obvious way it should function.  If you can determine why it
 > doesn't work, then that's the fix.
 >
 
 --- /sys/netinet/ip_fw.c	Sat Jul 15 19:25:45 2000
 +++ sys/netinet/ip_fw.c	Thu Jul 27 11:47:19 2000
 @@ -1215,8 +1215,18 @@
  		f->timestamp = time_second;
  
  		/* Log to console if desired */
 +#if STATEFUL
 +		if ((f->fw_flg & IP_FW_F_PRN) && 
 +		     /* Don't log for dynamic rules with keep state */
 +		     !((f->fw_flg & IP_FW_F_KEEP_S) && q != NULL) && 
 +		     fw_verbose) {
 +			ipfw_report(f, ip, rif, oif);
 +		}
 +			
 +#else
  		if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose)
  			ipfw_report(f, ip, rif, oif);
 +#endif
  
  		/* Take appropriate action */
  		switch (f->fw_flg & IP_FW_F_COMMAND) {
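Review bot: this changes the meaning of the existing `log` keyword on every keep-state rule instead of adding an option: after the patch a rule with both IP_FW_F_PRN and IP_FW_F_KEEP_S logs only the packet that installs the dynamic rule, and there is no syntax left on such a rule to ask for per-packet logging again. That is a silent behaviour change for anyone using those logs as an audit trail and needs an ipfw(8) update at minimum; keeping per-packet logging reachable (the earlier separate flag, or an opt-out) would be safer. The #else branch keeps the old behaviour, so the STATEFUL and non-STATEFUL builds now log differently for the same rule text, and the line after the closing brace is whitespace only.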
 
 
 
 
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: johan 
Responsible-Changed-When: Wed Oct 11 12:59:07 PDT 2000 
Responsible-Changed-Why:  
Over to ipfw maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20198 

From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: freebsd-gnats-submit@FreeBSD.org, stephen@math.missouri.edu
Cc:  
Subject: Re: kern/20198: log setup of dynamic rules for ipfw
Date: Sun, 17 Jun 2001 08:27:29 -0500

 There was a request to close PR's.  This is my PR.  I don't
 think that there was any interest in this (I myself stopped
 using dynamic rules in ipfw), so
 this PR can be closed.
 
 -- 
 Stephen Montgomery-Smith
 stephen@math.missouri.edu
 http://www.math.missouri.edu/~stephen
State-Changed-From-To: feedback->closed 
State-Changed-By: phk 
State-Changed-When: Fri Jun 22 08:44:05 PDT 2001 
State-Changed-Why:  
done 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=20198 
>Unformatted:
 Stephen Montgomery-Smith
