Subject: kern/18669: net.inet.tcp.log_refused may give misleading results
To: None <gnats-bugs@gnats.netbsd.org>
From: None <xs@kittenz.org>
List: netbsd-bugs
Date: 10/16/2002 14:08:17
>Number: 18669
>Category: kern
>Synopsis: net.inet.tcp.log_refused may give misleading results
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Oct 16 06:11:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:
>Release: NetBSD 1.6I
>Organization:
>Environment:
System: NetBSD stasis 1.6I NetBSD 1.6I (STASIS) #8: Thu Oct 10 13:02:47 BST 2002 xs@stasis:/usr/src/sys/arch/i386/compile/STASIS i386
Architecture: i386
Machine: i386
/sys/netinet/tcp_input.c:
$NetBSD: tcp_input.c,v 1.155 2002/09/11 02:41:21 itojun Exp $
>Description:
With net.inet.tcp.log_refused enabled, seemingly impossible
connection attempts are logged. It turns out that this is
because only TH_SYN is checked in the header, so, for example,
TH_SYN|TH_ACK packets are considered connection attempts.
>How-To-Repeat:
Change tcp4_log_refused to display flags:
Index: tcp_input.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet/tcp_input.c,v
retrieving revision 1.155
diff -u -r1.155 tcp_input.c
--- tcp_input.c 2002/09/11 02:41:21 1.155
+++ tcp_input.c 2002/10/13 15:19:44
@@ -729,10 +729,24 @@
strcpy(src, "(unknown)");
strcpy(dst, "(unknown)");
}
+#ifndef TH_ECN
+#define TH_ECN 0x40
+#endif
+#ifndef TH_CWR
+#define TH_CWR 0x80
+#endif
log(LOG_INFO,
- "Connection attempt to TCP %s:%d from %s:%d\n",
+ "Connection attempt to TCP %s:%d from %s:%d (%c%c%c%c%c%c%c%c)\n",
dst, ntohs(th->th_dport),
- src, ntohs(th->th_sport));
+ src, ntohs(th->th_sport),
+ (th->th_flags & TH_FIN? 'F': '-'),
+ (th->th_flags & TH_SYN? 'S': '-'),
+ (th->th_flags & TH_RST? 'R': '-'),
+ (th->th_flags & TH_PUSH?'P': '-'),
+ (th->th_flags & TH_ACK? 'A': '-'),
+ (th->th_flags & TH_URG? 'U': '-'),
+ (th->th_flags & TH_ECN? 'E': '-'),
+ (th->th_flags & TH_CWR? 'C': '-'));
}
#endif
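Review bot: the hunk changes only the log line, not the condition that decides which segments reach tcp4_log_refused (which the PR says tests TH_SYN alone), so SYN|ACK segments like the one shown are still reported as connection attempts; the diagnostic output is useful, but the actual fix belongs in that caller, e.g. testing `(th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN`. Two smaller points: the `#ifndef TH_ECN` / `#ifndef TH_CWR` guards suggest the ECN bits may already be defined in netinet/tcp.h; if they are, use the header's macros (RFC 3168 names bit 0x40 ECE, not ECN) and drop the private #defines from the middle of the function body. And `TH_PUSH?'P'` lacks the spacing its neighbouring lines have.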
Visit various websites. Over time, it sometimes yields:
Connection attempt to TCP 10.2.0.2:64785 from 129.128.5.191:80 (-S--A---)
>Fix:
Perhaps check TH_SYN and not TH_ACK, and/or display th_flags.
>Release-Note:
>Audit-Trail:
>Unformatted:
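The following is an added, stand-alone example and not NetBSD source or part of the PR. It contrasts the SYN-only test the PR describes with the SYN-and-not-ACK test the Fix field suggests, and renders a flag byte in the same FSRPAUEC form as the patched log line, over a few constructed flag bytes (including the SYN|ACK from the log line above and an ECN-setup SYN with ECE|CWR set, which is still a genuine connection attempt). The TH_* values are the RFC 793 / RFC 3168 bit positions; the function names are this example's own.

```c
/* Added example (not from NetBSD or the PR): classify TCP flag bytes and
 * render them like the patched tcp4_log_refused log line. */
#include <stdio.h>
#include <string.h>

/* RFC 793 / RFC 3168 flag bits; same values as netinet/tcp.h uses. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* the PR's patch calls this TH_ECN */
#define TH_CWR  0x80

/* The test the PR says the kernel currently applies: SYN bit alone. */
int logged_by_syn_only_check(unsigned char flags)
{
    return (flags & TH_SYN) != 0;
}

/* The test the PR's Fix field suggests: SYN set and ACK clear.
 * A SYN|ACK is the second step of a handshake, not a new attempt. */
int is_connection_attempt(unsigned char flags)
{
    return (flags & (TH_SYN | TH_ACK)) == TH_SYN;
}

/* Render flags as the 8-character string of the patched log line,
 * one position per bit from FIN (0x01) to CWR (0x80), e.g. "-S--A---".
 * out must have room for 9 bytes. */
void tcp_flags_str(unsigned char flags, char out[9])
{
    static const char names[8] = { 'F', 'S', 'R', 'P', 'A', 'U', 'E', 'C' };
    int i;
    for (i = 0; i < 8; i++)
        out[i] = (flags & (1u << i)) ? names[i] : '-';
    out[8] = '\0';
}

int main(void)
{
    /* Constructed sample flag bytes, not captured traffic. */
    struct { const char *what; unsigned char flags; } samples[] = {
        { "plain SYN (new connection)",      TH_SYN },
        { "SYN|ACK (handshake reply)",       TH_SYN | TH_ACK },
        { "bare ACK (established data)",     TH_ACK },
        { "ECN-setup SYN (RFC 3168)",        TH_SYN | TH_ECE | TH_CWR },
        { "RST|ACK (refusal)",               TH_RST | TH_ACK },
    };
    size_t i;
    char buf[9];

    printf("%-32s %-10s %-9s %s\n", "segment", "flags", "SYN-only", "SYN&&!ACK");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        tcp_flags_str(samples[i].flags, buf);
        printf("%-32s %-10s %-9s %s\n", samples[i].what, buf,
               logged_by_syn_only_check(samples[i].flags) ? "logged" : "-",
               is_connection_attempt(samples[i].flags) ? "logged" : "-");
    }
    return 0;
}
```

Only the SYN|ACK row differs between the two columns, which is exactly the misleading entry the PR reports; the ECN-setup SYN is logged by both, as it should be.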