[PATCH] LOG target @ tunnel interfaces (SIT only)
Andras Kis-Szabo
kisza@securityaudit.hu
02 Apr 2002 23:54:50 +0200
--=-ToesYCJWBg/H4srioCGI
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Hi,
Original report: Peter Bieringer
The LOG target prints out long garbage (the encapsulating IPv4 header, not a MAC address) on a tunnel interface.
The wrong message:
MAC=45:00:00:7c:7f:ed:00:00:11:29:cd:54:yy:yy:yy:yy:xx:xx:xx:xx:60:00:00:00:00:40:3a:36:20:01:02:00:00:00
The origin of the problem:
When a packet arrives on a tunnel interface, the skb->mac pointer
changes to the encapsulating header (the IPv4 header in this case), the
header length changes to 'LL_MAX_HEADER + sizeof(struct iphdr)', and the
network-header pointer changes to the data area. (skb->mac.raw = skb->nh.raw;
skb->nh.raw = skb->data;)
Finally, we found that the skb->dev->type field is the best place
to identify a SIT tunnel interface.
The new syntax:
MAC=aa:00:04:00:01:04->00:30:4f:04:4d:5d
TUNNEL=yyy.yyy.yyy.yyy->xxx.xxx.xxx.xxx
Would you be so kind as to test the patch if you have a tunnel
interface (or a native connection)?
ip6tables -A INPUT -j LOG
The GRE and IPIP tunnels may be affected, too!
(The SIT implementation was cloned from them. I do not have a GRE
or IPIP tunnel configured, so this patch handles SIT only. :( )
Regards,
kisza
Harald: added two checks that the pointers stay inside the skb area
(a MAC-header underflow check and an IP-header overflow check).
--
Andras Kis-Szabo Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
kisza@SecurityAudit.hu /---------------------------------------------->
--=-ToesYCJWBg/H4srioCGI
Content-Disposition: attachment; filename=LOG.20020402
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; name=LOG.20020402; charset=ISO-8859-2
--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_LOG.c Sat Mar 23 17:31:38 =
2002
+++ linux/net/ipv6/netfilter/ip6t_LOG.c Tue Apr 2 23:25:12 2002
@@ -289,12 +289,39 @@
/* MAC logging for input chain only. */
printk("MAC=3D");
if ((*pskb)->dev && (*pskb)->dev->hard_header_len && (*pskb)->mac.raw !=
=3D (void*)ipv6h) {
- int i;
- unsigned char *p =3D (*pskb)->mac.raw;
- for (i =3D 0; i < (*pskb)->dev->hard_header_len; i++,p++)
+ if ((*pskb)->dev->type !=3D ARPHRD_SIT){
+ int i;
+ unsigned char *p =3D (*pskb)->mac.raw;
+ for (i =3D 0; i < (*pskb)->dev->hard_header_len; i++,p++)
printk("%02x%c", *p,
- i=3D=3D(*pskb)->dev->hard_header_len - 1
- ? ' ':':');
+ i=3D=3D(*pskb)->dev->hard_header_len - 1
+ ? ' ':':');
+ } else {
+ int i;
+ unsigned char *p =3D (*pskb)->mac.raw;
+ if ( p - (ETH_ALEN*2+2) > (*pskb)->head ){
+ p -=3D (ETH_ALEN+2);
+ for (i =3D 0; i < (ETH_ALEN); i++,p++)
+ printk("%02x%s", *p,
+ i =3D=3D ETH_ALEN-1 ? "->" : ":");
+ p -=3D (ETH_ALEN*2);
+ for (i =3D 0; i < (ETH_ALEN); i++,p++)
+ printk("%02x%c", *p,
+ i =3D=3D ETH_ALEN-1 ? ' ' : ':');
+ }
+ =20
+ if (((*pskb)->dev->addr_len =3D=3D 4) &&
+ (*pskb)->dev->hard_header_len > 20){
+ printk("TUNNEL=3D");
+ p =3D (*pskb)->mac.raw + 12;
+ for (i =3D 0; i < 4; i++,p++)
+ printk("%03d%s", *p,
+ i =3D=3D 3 ? "->" : ".");
+ for (i =3D 0; i < 4; i++,p++)
+ printk("%03d%c", *p,
+ i =3D=3D 3 ? ' ' : '.');
+ }
+ }
} else
printk(" ");
}
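Review bot: The src->dst MAC pair printed in the ARPHRD_SIT branch (the two loops after `p -= (ETH_ALEN+2)`) assumes the 14 bytes in front of mac.raw are the Ethernet header of the physical ingress interface, but the only guard is `p - (ETH_ALEN*2+2) > (*pskb)->head`, which proves the read stays inside the skb buffer and nothing more. On a non-Ethernet ingress link, or for a locally generated packet, those bytes are whatever was left in the headroom, so a remotely triggered `-j LOG` rule copies 12 bytes of stale kernel buffer into syslog and labels them as MAC addresses. I would document the assumption next to the check, `/* best effort: assumes the outer link was Ethernet and its header is still intact in the headroom */`, and the compare could be `>=` since a header starting exactly at skb->head is still in bounds. Whether ARPHRD_SIT is already visible here depends on an include of linux/if_arp.h outside this hunk. The enclosing function starts and ends outside the hunk.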
--=-ToesYCJWBg/H4srioCGI
Content-Disposition: attachment; filename=LOG.CVS.20020402
Content-Transfer-Encoding: quoted-printable
Content-Type: text/x-patch; name=LOG.CVS.20020402; charset=ISO-8859-2
diff -urN netfilter.old/userspace/patch-o-matic/extra/log-tunnel-fix.patch.=
ipv6 netfilter/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6
--- netfilter.old/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6 T=
hu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6 Tue A=
pr 2 23:28:33 2002
@@ -0,0 +1,47 @@
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_LOG.c Sat Mar 23 17:31:38=
2002
++++ linux/net/ipv6/netfilter/ip6t_LOG.c Tue Apr 2 23:25:12 2002
+@@ -289,12 +289,39 @@
+ /* MAC logging for input chain only. */
+ printk("MAC=3D");
+ if ((*pskb)->dev && (*pskb)->dev->hard_header_len && (*pskb)->mac.raw !=
=3D (void*)ipv6h) {
+- int i;
+- unsigned char *p =3D (*pskb)->mac.raw;
+- for (i =3D 0; i < (*pskb)->dev->hard_header_len; i++,p++)
++ if ((*pskb)->dev->type !=3D ARPHRD_SIT){
++ int i;
++ unsigned char *p =3D (*pskb)->mac.raw;
++ for (i =3D 0; i < (*pskb)->dev->hard_header_len; i++,p++)
+ printk("%02x%c", *p,
+- i=3D=3D(*pskb)->dev->hard_header_len - 1
+- ? ' ':':');
++ i=3D=3D(*pskb)->dev->hard_header_len - 1
++ ? ' ':':');
++ } else {
++ int i;
++ unsigned char *p =3D (*pskb)->mac.raw;
++ if ( p - (ETH_ALEN*2+2) > (*pskb)->head ){
++ p -=3D (ETH_ALEN+2);
++ for (i =3D 0; i < (ETH_ALEN); i++,p++)
++ printk("%02x%s", *p,
++ i =3D=3D ETH_ALEN-1 ? "->" : ":");
++ p -=3D (ETH_ALEN*2);
++ for (i =3D 0; i < (ETH_ALEN); i++,p++)
++ printk("%02x%c", *p,
++ i =3D=3D ETH_ALEN-1 ? ' ' : ':');
++ }
++ =20
++ if (((*pskb)->dev->addr_len =3D=3D 4) &&
++ (*pskb)->dev->hard_header_len > 20){
++ printk("TUNNEL=3D");
++ p =3D (*pskb)->mac.raw + 12;
++ for (i =3D 0; i < 4; i++,p++)
++ printk("%03d%s", *p,
++ i =3D=3D 3 ? "->" : ".");
++ for (i =3D 0; i < 4; i++,p++)
++ printk("%03d%c", *p,
++ i =3D=3D 3 ? ' ' : '.');
++ }
++ }
+ } else
+ printk(" ");
+ }
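Review bot: The TUNNEL= block gates the 8-byte read at `mac.raw + 12` on `(*pskb)->dev->hard_header_len > 20`, which is a constant property of the sit device and says nothing about where mac.raw points in this particular skb; the cover letter says it is set to `LL_MAX_HEADER + sizeof(struct iphdr)`, so the test appears to be always true. A per-skb bound is what actually protects the read, e.g. `if ((*pskb)->dev->addr_len == 4 && (*pskb)->mac.raw + 20 <= (*pskb)->nh.raw) {`, since mac.raw was set to the outer IPv4 header and nh.raw to the inner IPv6 header according to the description. As a point of style, `%03d` prints zero-padded octets (`192.168.001.001`), a form no other tool emits; `%u` with `.` separators is the conventional dotted quad. This hunk is the patch-o-matic copy of the ip6t_LOG.c change above and must be kept identical to it.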
diff -urN netfilter.old/userspace/patch-o-matic/extra/log-tunnel-fix.patch.=
ipv6.help netfilter/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6=
.help
--- netfilter.old/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6.h=
elp Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6.help =
Mon Apr 1 22:16:57 2002
@@ -0,0 +1,9 @@
+Author: Andras Kis-Szabo <kisza@sch.bme.hu>
+Status: It works 4 me!
+
+ When the LOG target used with a tunnel device, it prints out the encapsul=
ator
+ header instead of the MAC addresses.
+ This patch is a quick workaround for the SIT-class devices. It prints out=
the
+ MAC addresses and the tunnel information. The offsets are hardcoded in th=
is
+ patch!
+
--=-ToesYCJWBg/H4srioCGI--