From: Tony Gale <gale@syntax.dera.gov.uk>
To: linux-kernel@vger.kernel.org
Cc: Rusty Russell <rusty@linuxcare.com.au>
Subject: Re: [PATCH] ipchains log will show all flags
Date: Tue, 5 Dec 2000 14:44:03 +0000
Message-ID: <20001205144403.A30345@syntax.dera.gov.uk>

On 05-Dec-2000 Christian W. Zuckschwerdt wrote:
> Hi Linus,
> 
> This tiny patch extends ipchains logging. This way one can
> distinguish
> (plain) connection attempts and (Xmas, Fin,...) scans. E.g.
>  kernel: Packet log: input - lo PROTO=6 127.0.0.1:40326
> 127.0.0.1:80
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1)
>  vs.
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=-s--a-
>  and
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=fs-p-u
> 
> Please comment on the format (B=...) and implementation details
> (speed).
> The patch is against 2.2.17's /net/ipv4/ip_fw.c 

Here's my version, which I have previously sent to Alan, but he
hasn't incorporated it - don't know why.

The format is slightly less obtuse, and more likely to be
compatible with existing tools.

-tony

PS: Rusty, putting "RR" in the header doesn't exactly flag you as
the maintainer.

--- ip_fw.c.orig	Thu Jul 13 12:44:42 2000
+++ ip_fw.c	Mon Sep 18 08:59:37 2000
@@ -41,6 +41,7 @@
  *              John McDonald <jm@dataprotect.com>
  *              Thomas Lopatic <tl@dataprotect.com>
  * 21-Oct-1999: Applied count fix by Emanuele Caratti <wiz@iol.it> --RR
+ * 13-Jul-2000: Log all TCP flags. Tony Gale <gale@dera.gov.uk>
  */
 
 /*
@@ -443,7 +444,17 @@
 
 	for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++)
 		printk(" O=0x%8.8X", *opt++);
-	printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
+	if (ip->protocol == IPPROTO_TCP) {
+		struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl);		
+	        printk("%s%s%s%s%s%s",
+			syn ? " SYN" : "",
+			tcp->fin ? " FIN" : "",
+			tcp->rst ? " RST" : "",
+			tcp->psh ? " PSH" : "",
+			tcp->ack ? " ACK" : "",
+			tcp->urg ? " URG" : "");
+	}
+	printk(" (#%d)\n", count);
 }
 
 /* function for checking chain labels for user space. */
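Review bot: the new block reads a struct tcphdr at `(__u32 *)ip + ip->ihl` with no check that the datagram actually carries a TCP header at that offset; for a non-first fragment, or a packet shorter than an IP header plus a TCP header, the bytes after the IP header are payload, so the logged FIN/RST/PSH/ACK/URG bits would be whatever those payload bytes contain. The SYN bit arrives from the caller as the `syn` argument, so the caller already decides when the TCP header is usable; either pass the other five bits in the same way or guard this block with the same condition the caller applies. A related consistency point: `syn` is printed from the caller's value while the other five bits are read from the header here, so reading `tcp->syn` alongside them would keep all six flags from one source. Style: the `printk("%s%s%s%s%s%s",` line is indented with a tab followed by spaces, and the `struct tcphdr *tcp=` line carries trailing whitespace; use tabs only and write `tcp = (struct tcphdr *)`.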

-- 
E-Mail: Tony Gale <gale@syntax.dera.gov.uk>
The views expressed above are entirely those of the writer
and do not represent the views, policy or understanding of
any other person or official body.
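The thread describes three ways a TCP flag set can end up in an ipchains syslog line: the stock 2.2.17 format, which prints only `SYN`; Christian's six-column `B=fs-p-u` field; and Tony's flag names placed before the `(#n)` counter. A defender who wants to separate plain connection attempts from FIN, NULL or Xmas probes has to parse whichever of these the kernel emits. The following Python is an added example, not code from the thread or from the kernel: a parser that accepts all three layouts, plus a heuristic labeller. The `PacketLog` type, the `kernel_logs_all_flags` switch, the label names and the sample lines (built from the field layout in the quoted mail, with a constructed UDP line) are this example's own assumptions.

```python
# Added example (not code from the thread or the kernel): parse ipchains
# "Packet log:" lines in the three flag layouts discussed above and label the
# TCP flag combinations a defender would review. Sample lines are constructed.
import re
from dataclasses import dataclass

TCP = 6
FLAG_WORDS = {"SYN", "FIN", "RST", "PSH", "ACK", "URG"}
# Christian's B= field: one column per flag in this order; the letter means
# set, '-' means clear (B=-s--a- is SYN+ACK, B=fs-p-u is FIN+SYN+PSH+URG).
B_COLUMNS = (("f", "FIN"), ("s", "SYN"), ("r", "RST"),
             ("p", "PSH"), ("a", "ACK"), ("u", "URG"))
ADDR_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+:\d+$")
COUNT_RE = re.compile(r"^\(#(\d+)\)$")


@dataclass
class PacketLog:
    chain: str
    iface: str
    proto: int
    src: str            # "ip:port" exactly as printed
    dst: str
    fields: dict        # L=, S=, I=, F=, T=, O= kept as strings
    flags: frozenset    # TCP flag names the line reports as set
    flags_logged: bool  # line carried a B= field or at least one flag word
    count: int          # the (#n) rule counter


def parse_packet_log(line: str) -> PacketLog:
    """Parse one syslog line; raise ValueError if it is not an ipchains log."""
    idx = line.find("Packet log:")
    if idx < 0:
        raise ValueError("not an ipchains packet log line")
    tokens = line[idx + len("Packet log:"):].split()   # chain target iface ...
    addrs, kv, flags, count, logged = [], {}, set(), 0, False
    for tok in tokens[3:]:
        if ADDR_RE.match(tok):
            addrs.append(tok)
        elif (m := COUNT_RE.match(tok)):
            count = int(m.group(1))
        elif tok in FLAG_WORDS:          # Tony's layout: flag names as words
            flags.add(tok)
            logged = True
        elif tok.startswith("B="):       # Christian's layout: B=fs-p-u
            val = tok[2:]
            if len(val) != len(B_COLUMNS):
                raise ValueError("bad B= field %r" % val)
            for ch, (letter, name) in zip(val, B_COLUMNS):
                if ch == letter:
                    flags.add(name)
                elif ch != "-":
                    raise ValueError("bad B= field %r" % val)
            logged = True
        elif "=" in tok:
            key, val = tok.split("=", 1)
            kv[key] = val
        else:
            raise ValueError("unexpected token %r" % tok)
    if "PROTO" not in kv or len(addrs) != 2:
        raise ValueError("missing PROTO= or address pair")
    return PacketLog(tokens[0], tokens[2], int(kv.pop("PROTO")), addrs[0],
                     addrs[1], kv, frozenset(flags), logged, count)


def classify(pkt: PacketLog, kernel_logs_all_flags: bool = False) -> str:
    """Heuristic label for the flag set (this example's own categories)."""
    if pkt.proto != TCP:
        return "non-tcp"
    f = pkt.flags
    if not f:
        # No flag word is only a NULL probe when the kernel is known to print
        # every set flag; a stock 2.2.17 kernel prints SYN and nothing else.
        return "null-scan" if pkt.flags_logged or kernel_logs_all_flags else "flags-unknown"
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return "xmas-scan"
    if f == {"FIN"}:
        return "fin-scan"
    if f == {"SYN"}:
        return "syn"                     # plain connection attempt
    if f == {"SYN", "ACK"}:
        return "syn-ack"
    return "established" if "ACK" in f else "other"


# Constructed sample lines: the TCP fields follow the quoted mail; the UDP
# line and its addresses are made up for this example.
HDR = ("kernel: Packet log: input - lo PROTO=6 127.0.0.1:40326 127.0.0.1:80 "
       "L=40 S=0x00 I=5808 F=0x0000 T=51")
SAMPLE_LINES = [
    HDR + " SYN (#1)",          # stock 2.2.17: only SYN is ever printed
    HDR + " (#1) B=-s--a-",     # Christian's layout: SYN+ACK
    HDR + " (#1) B=fs-p-u",     # Christian's layout: FIN/SYN/PSH/URG probe
    HDR + " FIN (#1)",          # Tony's layout: FIN only
    HDR + " (#1)",              # no flag word: NULL probe or stock kernel?
    "kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:53 10.0.0.1:1025 "
    "L=60 S=0x00 I=1 F=0x0000 T=64 (#3)",
]
```

Run `classify(parse_packet_log(line))` over each syslog line to get the label. One caveat the example makes visible: with the flag-names layout, a TCP packet with no flags set produces the same line as a stock kernel that simply did not print them, so a NULL probe can only be recognised when the reader knows the kernel prints every flag (the `kernel_logs_all_flags` switch); the `B=` column layout carries that information in the line itself.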

