Hi, Original report: Peter Bieringer The LOG target prints a long run of garbage bytes in the MAC field on a tunnel interface (the dump below starts with 45:00, the version/IHL byte of an IPv4 header, i.e. the encapsulating header rather than a link-layer address). The wrong message: MAC=45:00:00:7c:7f:ed:00:00:11:29:cd:54:yy:yy:yy:yy:xx:xx:xx:xx:60:00:00:00:00:40:3a:36:20:01:02:00:00:00
The origin of the problem: When a packet arrives on a tunnel interface, the skb->mac pointer is moved to the encapsulating header (an IPv4 header in this case), the hard header length changes to 'LL_MAX_HEADER + sizeof(struct iphdr)', and the network-header pointer is set to the data area. (skb->mac.raw = skb->nh.raw; skb->nh.raw = skb->data;) Finally, we found that the skb->dev->type field is the best place to identify the SIT tunnel interface. The new syntax: MAC=aa:00:04:00:01:04->00:30:4f:04:4d:5d TUNNEL=yyy.yyy.yyy.yyy->xxx.xxx.xxx.xxx Would you be so kind as to test the patch if you have a tunnel interface (or a native connection)? ip6tables -A INPUT -j LOG GRE and IPIP tunnels may be affected, too! (The SIT implementation was cloned from them. I haven't got a gre and/or ipip tunnel configured :( ) Regards, kisza Harald: added 2 checks for the pointers inside the skb area (MAC underflow and IP overflow checks). -- Andras Kis-Szabo Security Development, Design and Audit -------------------------/ Zorp, NetFilter and IPv6 [EMAIL PROTECTED] /---------------------------------------------->
--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_LOG.c Sat Mar 23 17:31:38 2002
+++ linux/net/ipv6/netfilter/ip6t_LOG.c Tue Apr 2 23:25:12 2002
@@ -289,12 +289,39 @@
 /* MAC logging for input chain only. */
 printk("MAC=");
 if ((*pskb)->dev && (*pskb)->dev->hard_header_len && (*pskb)->mac.raw != (void*)ipv6h) {
- int i;
- unsigned char *p = (*pskb)->mac.raw;
- for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
+ if ((*pskb)->dev->type != ARPHRD_SIT){
+ int i;
+ unsigned char *p = (*pskb)->mac.raw;
+ for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
 printk("%02x%c", *p,
- i==(*pskb)->dev->hard_header_len - 1
- ? ' ':':');
+ i==(*pskb)->dev->hard_header_len - 1
+ ? ' ':':');
+ } else {
+ int i;
+ unsigned char *p = (*pskb)->mac.raw;
+ if ( p - (ETH_ALEN*2+2) > (*pskb)->head ){
+ p -= (ETH_ALEN+2);
+ for (i = 0; i < (ETH_ALEN); i++,p++)
+ printk("%02x%s", *p,
+ i == ETH_ALEN-1 ? "->" : ":");
+ p -= (ETH_ALEN*2);
+ for (i = 0; i < (ETH_ALEN); i++,p++)
+ printk("%02x%c", *p,
+ i == ETH_ALEN-1 ? ' ' : ':');
+ }
+
+ if (((*pskb)->dev->addr_len == 4) &&
+ (*pskb)->dev->hard_header_len > 20){
+ printk("TUNNEL=");
+ p = (*pskb)->mac.raw + 12;
+ for (i = 0; i < 4; i++,p++)
+ printk("%03d%s", *p,
+ i == 3 ? "->" : ".");
+ for (i = 0; i < 4; i++,p++)
+ printk("%03d%c", *p,
+ i == 3 ? ' ' : '.');
+ }
+ }
 } else
 printk(" ");
 }
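Review bot: The `(*pskb)->dev->hard_header_len > 20` condition guarding the TUNNEL= readback of `mac.raw + 12` through `mac.raw + 19` is a property of the device, not of this skb: per the cover letter SIT sets hard_header_len to `LL_MAX_HEADER + sizeof(struct iphdr)`, so the test is always true and never establishes that a 20-byte outer IPv4 header actually lies between `mac.raw` and `data`. If, as the description states, mac.raw is the outer IPv4 header and data the inner packet, the intended "ip overflow check" is a comparison against the buffer itself, e.g. `(*pskb)->mac.raw + 20 <= (*pskb)->data`. The MAC readback in the same branch assumes the encapsulating frame arrived with exactly a 14-byte Ethernet header ending at `mac.raw`; `p - (ETH_ALEN*2+2) > (*pskb)->head` only keeps the read inside the headroom, so on a SIT device whose outer link is not Ethernet the bytes printed are unrelated, which deserves a comment such as `/* assumes the outer frame is Ethernet: dst/src MAC are the 12 bytes starting 14 before the outer IPv4 header */`. Printing the tunnel endpoints with `%03d` yields zero-padded quads like 010.000.000.001, which most address parsers reject; `%d` gives the conventional form. The enclosing function begins and ends outside the hunk.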
diff -urN netfilter.old/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6 netfilter/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6
--- netfilter.old/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6 Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6 Tue Apr 2 23:28:33 2002
@@ -0,0 +1,47 @@
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_LOG.c Sat Mar 23 17:31:38 2002
++++ linux/net/ipv6/netfilter/ip6t_LOG.c Tue Apr 2 23:25:12 2002
+@@ -289,12 +289,39 @@
+ /* MAC logging for input chain only. */
+ printk("MAC=");
+ if ((*pskb)->dev && (*pskb)->dev->hard_header_len && (*pskb)->mac.raw != (void*)ipv6h) {
+- int i;
+- unsigned char *p = (*pskb)->mac.raw;
+- for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
++ if ((*pskb)->dev->type != ARPHRD_SIT){
++ int i;
++ unsigned char *p = (*pskb)->mac.raw;
++ for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
+ printk("%02x%c", *p,
+- i==(*pskb)->dev->hard_header_len - 1
+- ? ' ':':');
++ i==(*pskb)->dev->hard_header_len - 1
++ ? ' ':':');
++ } else {
++ int i;
++ unsigned char *p = (*pskb)->mac.raw;
++ if ( p - (ETH_ALEN*2+2) > (*pskb)->head ){
++ p -= (ETH_ALEN+2);
++ for (i = 0; i < (ETH_ALEN); i++,p++)
++ printk("%02x%s", *p,
++ i == ETH_ALEN-1 ? "->" : ":");
++ p -= (ETH_ALEN*2);
++ for (i = 0; i < (ETH_ALEN); i++,p++)
++ printk("%02x%c", *p,
++ i == ETH_ALEN-1 ? ' ' : ':');
++ }
++
++ if (((*pskb)->dev->addr_len == 4) &&
++ (*pskb)->dev->hard_header_len > 20){
++ printk("TUNNEL=");
++ p = (*pskb)->mac.raw + 12;
++ for (i = 0; i < 4; i++,p++)
++ printk("%03d%s", *p,
++ i == 3 ? "->" : ".");
++ for (i = 0; i < 4; i++,p++)
++ printk("%03d%c", *p,
++ i == 3 ? ' ' : '.');
++ }
++ }
+ } else
+ printk(" ");
+ }
diff -urN netfilter.old/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6.help netfilter/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6.help
--- netfilter.old/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6.help Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/extra/log-tunnel-fix.patch.ipv6.help Mon Apr 1 22:16:57 2002
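Review bot: The `(*pskb)->dev->type != ARPHRD_SIT` branch keeps the old loop that prints `hard_header_len` bytes starting at `mac.raw`, so GRE and IPIP devices, which the cover letter says SIT was cloned from and which are not ARPHRD_SIT, still produce the original garbage output; and because hard_header_len is a configured maximum rather than the length of what this skb holds, the loop can read past the headers actually present in a short packet. Clamping the count to the bytes between `mac.raw` and `data` (the link-layer or encapsulating header the stack already pulled, if data still points at the inner IPv6 header as described) would bound the read on every device type, e.g. `int len = (*pskb)->data - (*pskb)->mac.raw; if (len > (*pskb)->dev->hard_header_len) len = (*pskb)->dev->hard_header_len;` and then looping to `len` instead of `hard_header_len`. This patch-o-matic file is a verbatim copy of the kernel hunk above, so any such fix has to land in both places. The enclosing function begins and ends outside the hunk.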
@@ -0,0 +1,9 @@
+Author: Andras Kis-Szabo <[EMAIL PROTECTED]>
+Status: It works 4 me!
+
+ When the LOG target used with a tunnel device, it prints out the encapsulator
+ header instead of the MAC addresses.
+ This patch is a quick workaround for the SIT-class devices. It prints out the
+ MAC addresses and the tunnel information. The offsets are hardcoded in this
+ patch!
+