Re: [PATCH] ipchains log will show all flags

Tue, 05 Dec 2000 06:34:06 -0800 

On 05-Dec-2000 Christian W. Zuckschwerdt wrote:
> Hi Linus,
> 
> This tiny patch extends ipchains logging. This way one can
> distinguish
> (plain) connection attempts and (Xmas, Fin,...) scans. E.g.
>  kernel: Packet log: input - lo PROTO=6 127.0.0.1:40326
> 127.0.0.1:80
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1)
>  vs.
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=-s--a-
>  and
>   L=40 S=0x00 I=5808 F=0x0000 T=51 (#1) B=fs-p-u
> 
> Please comment on the format (B=...) and implementation details
> (speed).
> The patch is against 2.2.17's /net/ipv4/ip_fw.c 

Here's my version, which I have previously sent to Alan, but he
hasn't incorporated it - don't know why.

The format is slightly less obtuse, and more likely to be
compatible with existing tools.

-tony

PS: Rusty, putting "RR" in the header doesn't exactly flag you as
the maintainer.

--- ip_fw.c.orig        Thu Jul 13 12:44:42 2000
+++ ip_fw.c     Mon Sep 18 08:59:37 2000
@@ -41,6 +41,7 @@
  *              John McDonald <[EMAIL PROTECTED]>
  *              Thomas Lopatic <[EMAIL PROTECTED]>
  * 21-Oct-1999: Applied count fix by Emanuele Caratti <[EMAIL PROTECTED]> --RR
+ * 13-Jul-2000: Log all TCP flags. Tony Gale <[EMAIL PROTECTED]>
  */
 
 /*
@@ -443,7 +444,17 @@
 
        for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++)
                printk(" O=0x%8.8X", *opt++);
-       printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
+       if (ip->protocol == IPPROTO_TCP) {
+               struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl);             
+ 
+               printk("%s%s%s%s%s%s",
+                       syn ? " SYN" : "",
+                       tcp->fin ? " FIN" : "",
+                       tcp->rst ? " RST" : "",
+                       tcp->psh ? " PSH" : "",
+                       tcp->ack ? " ACK" : "",
+                       tcp->urg ? " URG" : "");
+       }
+       printk(" (#%d)\n", count);
 }
 
 /* function for checking chain labels for user space. */

-- 
E-Mail: Tony Gale <[EMAIL PROTECTED]>
The views expressed above are entirely those of the writer
and do not represent the views, policy or understanding of
any other person or official body.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/

Reply via email to