Re: Strange FTPD behavior
You could use ktrace(1) to determine what the ftpd daemon is actually doing.

rh> Is the user's shell listed in /etc/shells? It must be there for ftpd to
rh> let them in.

vt> I run FreeBSD 4.3-STABLE machine. I use ftpd for ftp server daemon. It has
vt> very strange behavior with one of user accounts on my machine. Every one user

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: fixes for ipfw and pf lock ordering issues
On Tuesday 28 September 2004 20:01, Wiktor Niesiobedzki wrote:
> On Fri, Sep 24, 2004 at 10:37:54PM +, Christian S.J. Peron wrote:
> > Good day folks, we need some beta testers
>
> Hi, as an author of LOR reports I feel obliged to test this patch. I was
> running it for 2 days and intended to report, that for me everything
> works ok, when a panic occurred. Regrettably, I do not have actual panic
> message, but the trace looks as follows:
> pf_socket_lookup(cbb24958,cbb2495c,2,cbb24a0c,c15275a0) at pf_socket_lookup+0x22
> pf_test_tcp(cbb249c0,cbb249bc,2,c14d6200,c139e500) at pf_test_tcp+0x648
> pf_test(2,c14b8014,cbb24aa8,c15275a0,c15661c0) at pf_test+0x53d
> pf_check_out(0,cbb24aa8,c14b8014,2,c15275a0) at pf_check_out+0x6d
> pfil_run_hooks(c066da00,cbb24b1c,c14b8014,2,c15275a0) at pfil_run_hooks+0xeb
> ip_output(c139e500,0,cbb24ae8,0,0) at ip_output+0x630
> tcp_twrespond(c18709a0,10,c0607304,69c,1) at tcp_twrespond+0x1ed
> tcp_twstart(c186b380,0,c0606ba2,96f,0) at tcp_twstart+0x1d3
> tcp_input(c139d800,14,c14b8014,1,0) at tcp_input+0x2c39
> ip_input(c139d800,0,c06053ae,e7,c066d098) at ip_input+0x5b0
> netisr_processqueue(c066d098,c0642940,1,c05fb4da,c10d62c0) at netisr_processqueue+0x8e
> swi_net(0,0,c05f9b18,269,0) at swi_net+0xe9
> ithread_loop(c10de480,cbb24d48,c05f990f,31f,100) at ithread_loop+0x172
> fork_exit(c04a6520,c10de480,cbb24d48) at fork_exit+0xc6
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xcbb24d7c, ebp = 0 ---
> db>
>
> db> show locks
> exclusive sleep mutex inp (tcpinp) r = 0 (0xc1527630) locked @ /usr/src/sys/netinet/tcp_input.c:737
> exclusive sleep mutex tcp r = 0 (0xc066de6c) locked @ /usr/src/sys/netinet/tcp_input.c:611
> db>
>
> (gdb) l *pf_socket_lookup+0x22
> 0xc043a2d2 is in pf_socket_lookup (/usr/src/sys/contrib/pf/net/pf.c:2414).
> 2409    #endif
> 2410            struct inpcb    *inp;
> 2411
> 2412    #ifdef __FreeBSD__
> 2413            if (inp_arg != NULL) {
> 2414                    *uid = inp_arg->inp_socket->so_cred->cr_uid;
> 2415                    *gid = inp_arg->inp_socket->so_cred->cr_groups[0];
> 2416                    return (1);
> 2417            }
> 2418    #endif

This should read:

>         *uid = UID_MAX;
>         *gid = GID_MAX;
> #ifdef __FreeBSD__
>         if (inp_arg != NULL) {
>                 if (inp_arg->inp_socket) {
>                         *uid = inp_arg->inp_socket->so_cred->cr_uid;
>                         *gid = inp_arg->inp_socket->so_cred->cr_groups[0];
>                         return (1);
>                 } else
>                         return (0);
>         }
> #endif

now. Thanks for testing, I will post an updated patch the other day.

--
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
Re: remote debugging question
Hi Greg,

thank you for all the feedback. The "set remotebaud 1" thing in my previous email was a typo, I usually enter 9600. So you're saying that I may have a communication problem. I would like to point out that I can use "cu -l cuaa0 -s 9600" on both sides and all is well. What do you think could cause this communication issue? I will run another cvsup soon. May be a bug in 6.0current for kgdb.

On Monday 27 September 2004 06:52 pm, Greg 'groggy' Lehey wrote:
>
> You'll need the sources as well, but that's the next problem, not the
> one you're experiencing.
>

As for the sources that I am supposed to transfer to B (the remote), are you talking about /usr/src of A or /usr/obj of A or both? Then mount_nfs? My next option will be firewire.

thank you,
Jerry
Re: fixes for ipfw and pf lock ordering issues
On 28 Sep 2004 Wiktor Niesiobedzki wrote:
> pf_socket_lookup(cbb24958,cbb2495c,2,cbb24a0c,c15275a0) at pf_socket_lookup+0x22
> pf_test_tcp(cbb249c0,cbb249bc,2,c14d6200,c139e500) at pf_test_tcp+0x648
> pf_test(2,c14b8014,cbb24aa8,c15275a0,c15661c0) at pf_test+0x53d
> pf_check_out(0,cbb24aa8,c14b8014,2,c15275a0) at pf_check_out+0x6d
> pfil_run_hooks(c066da00,cbb24b1c,c14b8014,2,c15275a0) at pfil_run_hooks+0xeb
> ip_output(c139e500,0,cbb24ae8,0,0) at ip_output+0x630
> tcp_twrespond(c18709a0,10,c0607304,69c,1) at tcp_twrespond+0x1ed
> tcp_twstart(c186b380,0,c0606ba2,96f,0) at tcp_twstart+0x1d3
> tcp_input(c139d800,14,c14b8014,1,0) at tcp_input+0x2c39
> ip_input(c139d800,0,c06053ae,e7,c066d098) at ip_input+0x5b0
> netisr_processqueue(c066d098,c0642940,1,c05fb4da,c10d62c0) at netisr_processqueue+0x8e
> swi_net(0,0,c05f9b18,269,0) at swi_net+0xe9
> ithread_loop(c10de480,cbb24d48,c05f990f,31f,100) at ithread_loop+0x172
> fork_exit(c04a6520,c10de480,cbb24d48) at fork_exit+0xc6
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xcbb24d7c, ebp = 0 ---
> db>
>
> db> show locks
> exclusive sleep mutex inp (tcpinp) r = 0 (0xc1527630) locked @ /usr/src/sys/netinet/tcp_input.c:737
> exclusive sleep mutex tcp r = 0 (0xc066de6c) locked @ /usr/src/sys/netinet/tcp_input.c:611
> db>
>
> (gdb) l *pf_socket_lookup+0x22
> 0xc043a2d2 is in pf_socket_lookup (/usr/src/sys/contrib/pf/net/pf.c:2414).
> 2409    #endif
> 2410            struct inpcb    *inp;
> 2411
> 2412    #ifdef __FreeBSD__
> 2413            if (inp_arg != NULL) {
> 2414                    *uid = inp_arg->inp_socket->so_cred->cr_uid;
> 2415                    *gid = inp_arg->inp_socket->so_cred->cr_groups[0];
> 2416                    return (1);
> 2417            }
> 2418    #endif
>

Looks like it could be a bad pointer dereference, have you recompiled your kernel and the pf/ipfw modules? If not, please try recompiling your kernel. Otherwise I will keep hunting for potentially bad pointers being passed to the pfil hooks.

--
Christian S.J. Peron
[EMAIL PROTECTED]
FreeBSD Committer
ping(8) 64BIT friendly patch
Here is a patch stolen from OpenBSD via NetBSD (rev. 1.75 ping/ping.c) which does two things: - stores timestamp in network byte order; - removes an assumption that sizeof(struct timeval) == 8 (it's not true on sparc64). Any comments? Index: ping.c === RCS file: /home/ncvs/src/sbin/ping/ping.c,v retrieving revision 1.105 diff -u -r1.105 ping.c --- ping.c 14 Aug 2004 17:46:10 - 1.105 +++ ping.c 28 Sep 2004 14:51:04 - @@ -92,7 +92,7 @@ #include #defineINADDR_LEN ((int)sizeof(in_addr_t)) -#defineTIMEVAL_LEN ((int)sizeof(struct timeval)) +#defineTIMEVAL_LEN ((int)sizeof(struct tv32)) #defineMASK_LEN(ICMP_MASKLEN - ICMP_MINLEN) #defineTS_LEN (ICMP_TSLEN - ICMP_MINLEN) #defineDEFDATALEN 56 /* default data length */ @@ -110,6 +110,11 @@ #defineCLR(bit)(A(bit) &= (~B(bit))) #defineTST(bit)(A(bit) & B(bit)) +struct tv32 { + int32_t tv32_sec; + int32_t tv32_usec; +}; + /* various options */ int options; #defineF_FLOOD 0x0001 @@ -838,6 +843,7 @@ pinger(void) { struct timeval now; + struct tv32 tv32; struct ip *ip; struct icmp *icp; int cc, i; @@ -856,13 +862,15 @@ if ((options & F_TIME) || timing) { (void)gettimeofday(&now, NULL); + tv32.tv32_sec = htonl(now.tv_sec); + tv32.tv32_usec = htonl(now.tv_usec); if (options & F_TIME) icp->icmp_otime = htonl((now.tv_sec % (24*60*60)) * 1000 + now.tv_usec / 1000); if (timing) - bcopy((void *)&now, + bcopy((void *)&tv32, (void *)&outpack[ICMP_MINLEN + phdr_len], - sizeof(struct timeval)); + sizeof(tv32)); } cc = ICMP_MINLEN + phdr_len + datalen; @@ -942,6 +950,7 @@ triptime = 0.0; if (timing) { struct timeval tv1; + struct tv32 tv32; #ifndef icmp_data tp = &icp->icmp_ip; #else 
@@ -951,7 +960,9 @@ if (cc - ICMP_MINLEN - phdr_len >= sizeof(tv1)) { /* Copy to avoid alignment problems: */ - memcpy(&tv1, tp, sizeof(tv1)); + memcpy(&tv32, tp, sizeof(tv32)); + tv1.tv_sec = ntohl(tv32.tv32_sec); + tv1.tv_usec = ntohl(tv32.tv32_usec); tvsub(tv, &tv1); triptime = ((double)tv->tv_sec) * 1000.0 + ((double)tv->tv_usec) / 1000.0; %%% -- Maxim Konovalov ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[EMAIL PROTECTED]"
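Review bot: In the pinger() hunk (@@ -856,13 +862,15 @@), tv32.tv32_sec = htonl(now.tv_sec) and the matching tv_usec line narrow the timeval fields to 32 bits without saying so, and store the unsigned result of htonl() in int32_t members. Declaring the two struct tv32 members as u_int32_t and writing the narrowing as an explicit cast, for example htonl((u_int32_t)now.tv_sec), would make the truncation visible. A one-line comment on struct tv32 stating that it is the on-the-wire timestamp layout would also help, since TIMEVAL_LEN now measures it rather than struct timeval.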
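Review bot: In the last hunk (@@ -951,7 +960,9 @@) the unchanged guard, if (cc - ICMP_MINLEN - phdr_len >= sizeof(tv1)), still compares against sizeof(struct timeval), while the copy under it now reads only sizeof(tv32) bytes. Where struct timeval is larger than 8 bytes, a reply that carries a complete tv32 but fewer than sizeof(tv1) payload bytes fails the guard and skips the round-trip calculation, even though TIMEVAL_LEN was lowered to sizeof(struct tv32) in the first hunk. Compare against sizeof(tv32) so the length check matches the bytes that are actually copied.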
Midnight Commander
Hello, World!

Can somebody explain to me why Midnight Commander always says "cannot chdir to ..." whenever I do something on its right panel? When I switch panels using the Ctrl+U command, the left panel gets into the same trouble.

Igor.
Re: divert , ipfw question
Hello Zrelli,

the rule
65000 allow ip from any to any
stops processing of a packet, so it will never reach diverting rule 65100. See man ipfw about rule-processing.

Tuesday, September 28, 2004, 2:08:36 PM, Zrelli Saber Ben Mohamed wrote:

ZSBM> Hi ,
ZSBM> I'm interested in the "divert" mechanism and want to try it out ,
ZSBM> so I recompiled the kernel ( FreeBSD 5.2.1-RELEASE #0 ) after adding the
ZSBM> IPDIVERT option and then added the needed lines in the rc.conf file,
ZSBM> after that , I set up ipfw to divert packets to some port
ZSBM> here is my ipfw rule set .
ZSBM> 00100 allow ip from any to any via lo0
ZSBM> 00200 deny ip from any to 127.0.0.0/8
ZSBM> 00300 deny ip from 127.0.0.0/8 to any
ZSBM> 65000 allow ip from any to any
ZSBM> 65100 divert 5000 ip from any 22 to me < the divert rule
ZSBM> 65535 deny ip from any to any
ZSBM> then, I wanted to monitor the diverted traffic using tcpdump :
ZSBM> $ tcpdump port 5000
ZSBM> when I do a telnet connection to the port 22 from a remote host , I was
ZSBM> expecting that tcpdump will display packets diverted to the port 5000 by
ZSBM> ipfw.
ZSBM> The remote host I use shows that it connects to port 22 and the ipfw
ZSBM> divert rule seems not to work.
ZSBM> I can set another rule to block the traffic in the port 22 , and it works.
ZSBM> only the divert rule seems to fail.
ZSBM> I wrote some piece of code using divert socket to read packets from the
ZSBM> divert port , but no result ...
ZSBM> I think I'm missing something ,
ZSBM> so please enlighten my mind ...
ZSBM> Many Thanks
ZSBM> --
ZSBM> Saber

--
Best regards,
; Nickolay A. Kritsky
; SysAdmin STAR Software LLC
; mailto:[EMAIL PROTECTED]
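A simplified model of the first-match evaluation described in the reply above, as an added example (not code from the thread or from ipfw): it walks the posted rule set in rule-number order and reports which rule decides a packet. The local address, the sample packets and rule number 64000 are constructed for illustration; the first sample packet has source port 22 so that it matches rule 65100 as written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum action { ALLOW, DENY, DIVERT };

struct rule {
    unsigned    num;         /* ipfw checks rules in ascending number order */
    enum action act;
    unsigned    arg;         /* divert port, 0 otherwise */
    uint32_t    src, smask;  /* source net/mask, host order; mask 0 = "any" */
    unsigned    sport;       /* source port, 0 = any */
    uint32_t    dst, dmask;  /* destination net/mask; mask 0 = "any" */
    int         to_me;       /* 1 = "to me": destination is a local address */
    const char *via;         /* interface name, NULL = any */
};

struct pkt { uint32_t src, dst; unsigned sport, dport; const char *ifname; };

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define ME  IP4(198, 51, 100, 5)   /* constructed local address (assumption) */
#define LO  IP4(127, 0, 0, 0)
#define M8  IP4(255, 0, 0, 0)
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Rule set as posted: the divert rule sits behind "allow ip from any to any". */
const struct rule POSTED[] = {
    {   100, ALLOW,     0, 0,  0,   0, 0,  0,  0, "lo0" },
    {   200, DENY,      0, 0,  0,   0, LO, M8, 0, NULL  },
    {   300, DENY,      0, LO, M8,  0, 0,  0,  0, NULL  },
    { 65000, ALLOW,     0, 0,  0,   0, 0,  0,  0, NULL  },
    { 65100, DIVERT, 5000, 0,  0,  22, 0,  0,  1, NULL  },
    { 65535, DENY,      0, 0,  0,   0, 0,  0,  0, NULL  },
};

/* Same rules with the divert rule ahead of the catch-all (64000 is a made-up number). */
const struct rule FIXED[] = {
    {   100, ALLOW,     0, 0,  0,   0, 0,  0,  0, "lo0" },
    {   200, DENY,      0, 0,  0,   0, LO, M8, 0, NULL  },
    {   300, DENY,      0, LO, M8,  0, 0,  0,  0, NULL  },
    { 64000, DIVERT, 5000, 0,  0,  22, 0,  0,  1, NULL  },
    { 65000, ALLOW,     0, 0,  0,   0, 0,  0,  0, NULL  },
    { 65535, DENY,      0, 0,  0,   0, 0,  0,  0, NULL  },
};

/* Constructed packets: remote port 22 and port 80 to this host, and loopback traffic. */
const struct pkt FROM_22 = { IP4(192, 0, 2, 10), ME, 22, 40000, "em0" };
const struct pkt FROM_80 = { IP4(192, 0, 2, 10), ME, 80, 40001, "em0" };
const struct pkt LOCAL   = { IP4(127, 0, 0, 1), IP4(127, 0, 0, 1), 40002, 22, "lo0" };

static int matches(const struct rule *r, const struct pkt *p)
{
    return (p->src & r->smask) == (r->src & r->smask) &&
           (p->dst & r->dmask) == (r->dst & r->dmask) &&
           (r->sport == 0 || r->sport == p->sport) &&
           (!r->to_me || p->dst == ME) &&
           (r->via == NULL || strcmp(r->via, p->ifname) == 0);
}

/* First match wins: return the number of the rule that decides the packet, 0 if none. */
unsigned rule_hit(const struct rule *rs, size_t n, const struct pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if (matches(&rs[i], p))
            return rs[i].num;
    return 0;
}

int main(void)
{
    printf("posted rule set: decided by rule %u\n", rule_hit(POSTED, COUNT(POSTED), &FROM_22));
    printf("divert first:    decided by rule %u\n", rule_hit(FIXED, COUNT(FIXED), &FROM_22));
    return 0;
}
```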
Re: hacking SCO....
John Von Essen wrote:
> Unfortunately, I have inherited a Intel P200 with SCO OpenServer 5.0.4
> with a 4Gb SCSI drive.

Condolences ! SCO is Horrible to work on, & a waste of time, erase ASAP !

> SCO is of no help, they cant provide replacement boot floppy, only sell
> me complete distribution version 5.0.7 for $100.
> Any ideas on how I should go about this. All I need to do is get that
> data from the tape onto the disk and I should good to go.

> SCO is of no help, they cant provide replacement boot floppy, only sell
> me complete distribution version 5.0.7 for $100.

SCO used to give away licences free for 5.0.4 &/or 5.0.5 for restricted use. One could legally download cdrom images & burn them. Good enough to rescue data & then erase SCO & install BSD

If you can't rescue the data while running FreeBSD, either:

Non Commercial solution:
Look around find someone near who has a 5.0.4 or 5 cdrom, (maybe even SCO site somewhere) get a copy, (cdrom contains floppy images too I recall), rescue data, delete SCO very quickly from your machine, (before you discover the pain of running SCO, (& if you really must run SCO then Do get their Skunkware CDROM too (yes that's its real name! it's full of FSF/GNU stuff & free & makes using SCO rather less unpleasant (not unpleasant, just rather less).

Commercial solution.
Pay the $100, if its for a commercial job it's cheap. No point quibbling. SCO used to cost about 2000 German Deutschmarks, for end users, (& was the Unix I found most crippled. BSD is cheaper, but if it's for business, & it's their legal right, cheap enough.

There's SCO forums somewhere, but probably the wrong route. Their manuals used to just present work-rounds for obsolete old software everyone else wasn't using anymore eg at one stage they were SVR3 & all other vendors were SVR4 based.

Last time I was contracted to work on SCO, I just kept tossing more modern source eg X11R6 & lesstif & GNU src/ on top of the base obsolete SCO, till obsolete SCO libraries no longer broke my project. Reading SCO manuals was a waste of time, better to just to rip it out & replace it with better software, either per utility that annoys, or per whole OS.

-
Julian Stacey. Unix,C,Net & Sys. Eng. Consultant, Munich. http://berklix.com
Mail in Ascii, Html dumped as Spam. Your smoke = my allergic headache.
Re: divert , ipfw question
Thanks ! I got it working.

--
Saber

Zrelli Saber Ben Mohamed wrote:
> Hi ,
> I'm interested in the "divert" mechanism and want to try it out ,
> so I recompiled the kernel ( FreeBSD 5.2.1-RELEASE #0 ) after adding the
> IPDIVERT option and then added the needed lines in the rc.conf file,
> after that , I set up ipfw to divert packets to some port
> here is my ipfw rule set .
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65100 divert 5000 ip from any 22 to me < the divert rule
> 65535 deny ip from any to any
>
> then, I wanted to monitor the diverted traffic using tcpdump :
> $ tcpdump port 5000
>
> when I do a telnet connection to the port 22 from a remote host , I was
> expecting that tcpdump will display packets diverted to the port 5000 by
> ipfw.
> The remote host I use shows that it connects to port 22 and the ipfw
> divert rule seems not to work.
> I can set another rule to block the traffic in the port 22 , and it works.
> only the divert rule seems to fail.
> I wrote some piece of code using divert socket to read packets from the
> divert port , but no result ...
> I think I'm missing something ,
> so please enlighten my mind ...
>
> Many Thanks
> --
> Saber
>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <netinet/in_systm.h>
> #include <netinet/ip.h>
> #include <arpa/inet.h>
> #include <errno.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
> #define BUFSIZE 65535
>
> int main(int argc, char **argv)
> {
>     int fd, ret, n, i;
>     struct sockaddr_in bindPort, sin;
>     socklen_t sinlen;
>     struct ip *hdr;
>     unsigned char packet[BUFSIZE];
>
>     if (argc != 2) {
>         fprintf(stderr, "Usage: %s \n", argv[0]);
>         exit(1);
>     }
>
>     fprintf(stderr, "%s:Creating a socket\n", argv[0]);
>     /* open a divert socket */
>     fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
>     if (fd == -1) {
>         fprintf(stderr, "%s:We could not open a divert socket\n", argv[0]);
>         exit(1);
>     }
>
>     /* bind to the divert port named in the ipfw rule */
>     memset(&bindPort, 0, sizeof(bindPort));
>     bindPort.sin_family = AF_INET;
>     bindPort.sin_port = htons(atol(argv[1]));
>     bindPort.sin_addr.s_addr = 0;
>
>     fprintf(stderr, "%s:Binding a socket\n", argv[0]);
>     ret = bind(fd, (struct sockaddr *)&bindPort, sizeof(struct sockaddr_in));
>     if (ret != 0) {
>         /* bind() reports the cause in errno, not in its return value */
>         fprintf(stderr, "%s: Error bind(): %s\n", argv[0], strerror(errno));
>         close(fd);
>         exit(2);
>     }
>
>     printf("%s: Waiting for data...\n", argv[0]);
>     /* read data in */
>     while (1) {
>         /* value-result argument: reset before every call */
>         sinlen = sizeof(struct sockaddr_in);
>         n = recvfrom(fd, packet, BUFSIZE, 0, (struct sockaddr *)&sin, &sinlen);
>         if (n == -1) {
>             fprintf(stderr, "%s: Error recvfrom(): %s\n", argv[0], strerror(errno));
>             break;
>         }
>         if (n < (int)sizeof(struct ip))
>             continue;   /* too short to contain an IP header */
>         hdr = (struct ip *)packet;
>
>         printf("%s: The packet looks like this:\n", argv[0]);
>         /* dump at most the first 40 bytes that were actually received */
>         for (i = 0; i < 40 && i < n; i++) {
>             printf("%02x ", (int)*(packet + i));
>             if (!((i + 1) % 16))
>                 printf("\n");
>         }
>         printf("\n");
>         printf("%s: Source address: %s\n", argv[0], inet_ntoa(hdr->ip_src));
>         printf("%s: Destination address: %s\n", argv[0], inet_ntoa(hdr->ip_dst));
>         printf("%s: Receiving IF address: %s\n", argv[0], inet_ntoa(sin.sin_addr));
>         printf("%s: Protocol number: %i\n", argv[0], hdr->ip_p);
>     }
>     close(fd);
>     return (0);
> }
Re: divert , ipfw question
Zrelli Saber Ben Mohamed wrote:
> Hi ,
> I'm interested in the "divert" mechanism and want to try it out ,
> so I recompiled the kernel ( FreeBSD 5.2.1-RELEASE #0 ) after adding the
> IPDIVERT option and then added the needed lines in the rc.conf file,
> after that , I set up ipfw to divert packets to some port
> here is my ipfw rule set .
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65100 divert 5000 ip from any 22 to me < the divert rule
> 65535 deny ip from any to any
>
> then, I wanted to monitor the diverted traffic using tcpdump :
> $ tcpdump port 5000
>
> when I do a telnet connection to the port 22 from a remote host , I was
> expecting that tcpdump will display packets diverted to the port 5000 by
> ipfw.
> The remote host I use shows that it connects to port 22 and the ipfw
> divert rule seems not to work.
> I can set another rule to block the traffic in the port 22 , and it works.
> only the divert rule seems to fail.
> I wrote some piece of code using divert socket to read packets from the
> divert port , but no result ...
> I think I'm missing something ,
> so please enlighten my mind ...

you have 2 problems..

firstly, all packets never get to your divert rule because they are accepted by the previous rule..
65000 allow ip from any to any

secondly "divert" sends the data to a "DIVERT" socket..
you can also use a 'tee' command in the ipfw to just get a copy of the packet in which case you will see the negotiation continue.

Divert sockets remove the packet from the kernel. Since you do not pass the packet BACK to the kernel again no further negotiation will occur as no tcp handshake will occur.

If you use the 'tee' rule you are effectively simulating bpf and libpcap.
If you use 'divert' then you need to write the packet (and the sockaddr) back to the divert socket to reinject it to the system after you have examined (and possibly modified) it.

> Many Thanks
> --
> Saber
>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <netinet/in_systm.h>
> #include <netinet/ip.h>
> #include <arpa/inet.h>
> #include <errno.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
> #define BUFSIZE 65535
>
> int main(int argc, char **argv)
> {
>     int fd, ret, n, i;
>     struct sockaddr_in bindPort, sin;
>     socklen_t sinlen;
>     struct ip *hdr;
>     unsigned char packet[BUFSIZE];
>
>     if (argc != 2) {
>         fprintf(stderr, "Usage: %s \n", argv[0]);
>         exit(1);
>     }
>
>     fprintf(stderr, "%s:Creating a socket\n", argv[0]);
>     /* open a divert socket */
>     fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
>     if (fd == -1) {
>         fprintf(stderr, "%s:We could not open a divert socket\n", argv[0]);
>         exit(1);
>     }
>
>     /* bind to the divert port named in the ipfw rule */
>     memset(&bindPort, 0, sizeof(bindPort));
>     bindPort.sin_family = AF_INET;
>     bindPort.sin_port = htons(atol(argv[1]));
>     bindPort.sin_addr.s_addr = 0;
>
>     fprintf(stderr, "%s:Binding a socket\n", argv[0]);
>     ret = bind(fd, (struct sockaddr *)&bindPort, sizeof(struct sockaddr_in));
>     if (ret != 0) {
>         /* bind() reports the cause in errno, not in its return value */
>         fprintf(stderr, "%s: Error bind(): %s\n", argv[0], strerror(errno));
>         close(fd);
>         exit(2);
>     }
>
>     printf("%s: Waiting for data...\n", argv[0]);
>     /* read data in */
>     while (1) {
>         /* value-result argument: reset before every call */
>         sinlen = sizeof(struct sockaddr_in);
>         n = recvfrom(fd, packet, BUFSIZE, 0, (struct sockaddr *)&sin, &sinlen);
>         if (n == -1) {
>             fprintf(stderr, "%s: Error recvfrom(): %s\n", argv[0], strerror(errno));
>             break;
>         }
>         if (n < (int)sizeof(struct ip))
>             continue;   /* too short to contain an IP header */
>         hdr = (struct ip *)packet;
>
>         printf("%s: The packet looks like this:\n", argv[0]);
>         /* dump at most the first 40 bytes that were actually received */
>         for (i = 0; i < 40 && i < n; i++) {
>             printf("%02x ", (int)*(packet + i));
>             if (!((i + 1) % 16))
>                 printf("\n");
>         }
>         printf("\n");
>         printf("%s: Source address: %s\n", argv[0], inet_ntoa(hdr->ip_src));
>         printf("%s: Destination address: %s\n", argv[0], inet_ntoa(hdr->ip_dst));
>         printf("%s: Receiving IF address: %s\n", argv[0], inet_ntoa(sin.sin_addr));
>         printf("%s: Protocol number: %i\n", argv[0], hdr->ip_p);
>     }
>     close(fd);
>     return (0);
> }
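The read, examine and write-back cycle described in the reply above, as an added example (not code from the thread): each diverted packet is length-checked before its header is trusted, then handed back to the divert socket with the same sockaddr that recvfrom() returned. The divert loop compiles only where IPPROTO_DIVERT is defined (FreeBSD); the parser, the default port 5000 taken from the posted rule, and the constructed sample packet are assumptions of this example.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct pkt_info { uint8_t proto; uint16_t sport, dport; };

/* Validate n bytes as one IPv4 packet and fill *pi: 0 = well formed, -1 = reject. */
int inspect_ipv4(const unsigned char *p, size_t n, struct pkt_info *pi)
{
    size_t hlen, totlen;
    if (n < 20 || (p[0] >> 4) != 4)
        return -1;
    hlen = (size_t)(p[0] & 0x0f) * 4;
    totlen = ((size_t)p[2] << 8) | p[3];
    if (hlen < 20 || totlen < hlen || totlen > n)
        return -1;                  /* length fields claim more than was read */
    pi->proto = p[9];
    pi->sport = pi->dport = 0;
    /* Ports exist only in the first fragment (offset 0) of TCP (6) or UDP (17). */
    if ((pi->proto == 6 || pi->proto == 17) &&
        (((p[6] & 0x1f) << 8) | p[7]) == 0 && totlen >= hlen + 4) {
        pi->sport = (uint16_t)((p[hlen] << 8) | p[hlen + 1]);
        pi->dport = (uint16_t)((p[hlen + 2] << 8) | p[hlen + 3]);
    }
    return 0;
}

/* Constructed sample: TCP SYN 192.0.2.10:40000 -> 198.51.100.5:22 (40 bytes). */
const unsigned char SAMPLE[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0x00, 0x02, 0x0a, 0xc6, 0x33, 0x64, 0x05, 0x9c, 0x40, 0x00, 0x16,
    0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0
};

/* Destination port parsed from the first n bytes of SAMPLE, or -1 if rejected. */
int sample_dport(size_t n)
{
    struct pkt_info pi;
    return inspect_ipv4(SAMPLE, n, &pi) == 0 ? pi.dport : -1;
}

int main(int argc, char **argv)
{
#ifdef IPPROTO_DIVERT               /* FreeBSD; elsewhere only the parser runs */
    unsigned char buf[65535];
    struct sockaddr_in from, addr = { .sin_family = AF_INET };
    struct pkt_info pi;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
    addr.sin_port = htons((unsigned short)atoi(argc > 1 ? argv[1] : "5000"));
    if (fd == -1 || bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        perror("divert socket");
        return 1;
    }
    for (;;) {
        socklen_t fromlen = sizeof(from);
        ssize_t n = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) break;
        if (inspect_ipv4(buf, (size_t)n, &pi) == 0)
            printf("proto %u, port %u -> %u\n", (unsigned)pi.proto,
                   (unsigned)pi.sport, (unsigned)pi.dport);
        /* Reinject with the sockaddr recvfrom() filled in; otherwise the packet is dropped. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) == -1)
            perror("sendto");
    }
    close(fd);
    return 1;
#else
    (void)argc; (void)argv;
    printf("sample dport: %d\n", sample_dport(sizeof(SAMPLE)));
    return 0;
#endif
}
```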
divert , ipfw question
Hi ,
I'm interested in the "divert" mechanism and want to try it out ,
so I recompiled the kernel ( FreeBSD 5.2.1-RELEASE #0 ) after adding the
IPDIVERT option and then added the needed lines in the rc.conf file,
after that , I set up ipfw to divert packets to some port
here is my ipfw rule set .

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65100 divert 5000 ip from any 22 to me < the divert rule
65535 deny ip from any to any

then, I wanted to monitor the diverted traffic using tcpdump :
$ tcpdump port 5000

when I do a telnet connection to the port 22 from a remote host , I was
expecting that tcpdump will display packets diverted to the port 5000 by
ipfw.
The remote host I use shows that it connects to port 22 and the ipfw
divert rule seems not to work.
I can set another rule to block the traffic in the port 22 , and it works.
only the divert rule seems to fail.
I wrote some piece of code using divert socket to read packets from the
divert port , but no result ...
I think I'm missing something ,
so please enlighten my mind ...

Many Thanks
--
Saber

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 65535

int main(int argc, char **argv)
{
    int fd, ret, n, i;
    struct sockaddr_in bindPort, sin;
    socklen_t sinlen;
    struct ip *hdr;
    unsigned char packet[BUFSIZE];

    if (argc != 2) {
        fprintf(stderr, "Usage: %s \n", argv[0]);
        exit(1);
    }

    fprintf(stderr, "%s:Creating a socket\n", argv[0]);
    /* open a divert socket */
    fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd == -1) {
        fprintf(stderr, "%s:We could not open a divert socket\n", argv[0]);
        exit(1);
    }

    /* bind to the divert port named in the ipfw rule */
    memset(&bindPort, 0, sizeof(bindPort));
    bindPort.sin_family = AF_INET;
    bindPort.sin_port = htons(atol(argv[1]));
    bindPort.sin_addr.s_addr = 0;

    fprintf(stderr, "%s:Binding a socket\n", argv[0]);
    ret = bind(fd, (struct sockaddr *)&bindPort, sizeof(struct sockaddr_in));
    if (ret != 0) {
        /* bind() reports the cause in errno, not in its return value */
        fprintf(stderr, "%s: Error bind(): %s\n", argv[0], strerror(errno));
        close(fd);
        exit(2);
    }

    printf("%s: Waiting for data...\n", argv[0]);
    /* read data in */
    while (1) {
        /* value-result argument: reset before every call */
        sinlen = sizeof(struct sockaddr_in);
        n = recvfrom(fd, packet, BUFSIZE, 0, (struct sockaddr *)&sin, &sinlen);
        if (n == -1) {
            fprintf(stderr, "%s: Error recvfrom(): %s\n", argv[0], strerror(errno));
            break;
        }
        if (n < (int)sizeof(struct ip))
            continue;   /* too short to contain an IP header */
        hdr = (struct ip *)packet;

        printf("%s: The packet looks like this:\n", argv[0]);
        /* dump at most the first 40 bytes that were actually received */
        for (i = 0; i < 40 && i < n; i++) {
            printf("%02x ", (int)*(packet + i));
            if (!((i + 1) % 16))
                printf("\n");
        }
        printf("\n");
        printf("%s: Source address: %s\n", argv[0], inet_ntoa(hdr->ip_src));
        printf("%s: Destination address: %s\n", argv[0], inet_ntoa(hdr->ip_dst));
        printf("%s: Receiving IF address: %s\n", argv[0], inet_ntoa(sin.sin_addr));
        printf("%s: Protocol number: %i\n", argv[0], hdr->ip_p);
    }
    close(fd);
    return (0);
}