Re: [PATCH 43415] Logging remote port.
On 09/24/2007 10:55 PM, Jeff Trawick wrote: On 9/24/07, Ruediger Pluem [EMAIL PROTECTED] wrote: 1. I would use strcasecmp instead of strcmp to avoid case issues in the config. sure; FWIW, some other format string comparisons are not case insignificant, but those can be checked for in the fullness of time Thanks for the pointer. I checked it and AFAICT the situation is as follows: 1. Access to headers, notes and env variables is case insensitve as apr_tables keys are case insensitive. 2. Cookie logging is case sensitive and IMHO needs to be as I think that case matters for cookie names. 3. Time formating is case sensitive and needs to be. 4. Process id / Thread id logging is case sensitive and very similar to the port case here, but I see no reason for it being case sensitive. So I think we should handle similar situations the same. So if you exchange strcmp in your patch with strcasecmp we should do the same afterwards for the process id case (I can do this). If we want to stick with strcmp in the process id case we should stick with strcmp in the port case. Regards Rüdiger
Re: [PATCH 43415] Logging remote port.
On 09/23/2007 10:49 PM, Jeff Trawick wrote: On 9/18/07, Plüm, Rüdiger, VF-Group [EMAIL PROTECTED] wrote: -Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Dienstag, 18. September 2007 12:25 An: dev@httpd.apache.org Betreff: [PATCH 43415] Logging remote port. I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. 5 comments: 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. %{canonical}p (default) %{local}p %{remote}p Sounds good to me. Regards Rüdiger
Re: [PATCH 43415] Logging remote port.
On 9/24/07, Ruediger Pluem [EMAIL PROTECTED] wrote: On 09/23/2007 10:49 PM, Jeff Trawick wrote: On 9/18/07, Plüm, Rüdiger, VF-Group [EMAIL PROTECTED] wrote: -Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Dienstag, 18. September 2007 12:25 An: dev@httpd.apache.org Betreff: [PATCH 43415] Logging remote port. I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. 5 comments: 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. %{canonical}p (default) %{local}p %{remote}p Sounds good to me. The attached patch works for me (though I haven't yet rebuilt the docs to see what that looks like). [EMAIL PROTECTED] httpd]$ egrep '(^ServerName|^.VirtualHost|^Listen|ports$)' /scratch/inst/23/conf/httpd.conf Listen 8089 LogFormat %h %l %u %t \%r\ %s %b PORTS: %p %{canonical}p %{local}p %{remote}p %{bogusarg}p ports CustomLog logs/access_log ports VirtualHost *:8089 ServerName localhost: [EMAIL PROTECTED] httpd]$ tail -1 /scratch/inst/23/logs/access_log 127.0.0.1 - - [24/Sep/2007:07:56:55 -0400] GET / HTTP/1.0 200 45 PORTS: 8089 65001 bogusarg -- Born in Roswell... married an alien... Index: modules/loggers/mod_log_config.c === --- modules/loggers/mod_log_config.c(revision 578767) +++ modules/loggers/mod_log_config.c(working copy) @@ -633,8 +633,22 @@ static const char *log_server_port(request_rec *r, char *a) { -return apr_psprintf(r-pool, %u, -r-server-port ? r-server-port : ap_default_port(r)); +apr_port_t port; + +if (*a == '\0' || !strcmp(a, canonical)) { +port = r-server-port ? r-server-port : ap_default_port(r); +} +else if (!strcmp(a, remote)) { +port = r-connection-remote_addr-port; +} +else if (!strcmp(a, local)) { +port = r-connection-local_addr-port; +} +else { +/* bogus format */ +return a; +} +return pfmt(r-pool, (int)port); } /* This respects the setting of UseCanonicalName so that Index: docs/manual/mod/mod_log_config.xml === --- docs/manual/mod/mod_log_config.xml (revision 578767) +++ docs/manual/mod/mod_log_config.xml (working copy) @@ -127,6 +127,12 @@ trtdcode%p/code/td tdThe canonical port of the server serving the request/td/tr +trtdcode%{varformat/var}p/code/td +tdThe canonical port of the server serving the request or the +server's actual port or the client's actual port. Valid formats +are codecanonical/code, codelocal/code, or coderemote/code. +/td/tr + trtdcode%P/code/td tdThe process ID of the child that serviced the request./td/tr
Re: [PATCH 43415] Logging remote port.
On 9/24/07, Jeff Trawick [EMAIL PROTECTED] wrote: On 9/24/07, Ruediger Pluem [EMAIL PROTECTED] wrote: On 09/23/2007 10:49 PM, Jeff Trawick wrote: On 9/18/07, Plüm, Rüdiger, VF-Group [EMAIL PROTECTED] wrote: -Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Dienstag, 18. September 2007 12:25 An: dev@httpd.apache.org Betreff: [PATCH 43415] Logging remote port. I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. 5 comments: 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. %{canonical}p (default) %{local}p %{remote}p Sounds good to me. The attached patch works for me (though I haven't yet rebuilt the docs to see what that looks like). I'm planning to commit sometime tomorrow unless somebody objects... -- Born in Roswell... married an alien...
Re: [PATCH 43415] Logging remote port.
On 09/24/2007 02:04 PM, Jeff Trawick wrote: On 9/24/07, Ruediger Pluem [EMAIL PROTECTED] wrote: On 09/23/2007 10:49 PM, Jeff Trawick wrote: On 9/18/07, Plüm, Rüdiger, VF-Group [EMAIL PROTECTED] wrote: -Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Dienstag, 18. September 2007 12:25 An: dev@httpd.apache.org Betreff: [PATCH 43415] Logging remote port. I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. 5 comments: 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. %{canonical}p (default) %{local}p %{remote}p Sounds good to me. The attached patch works for me (though I haven't yet rebuilt the docs to see what that looks like). Patch looks good to me (including docs, which I rebuilt in my working copy), but as most of the time some comments :-). 1. I would use strcasecmp instead of strcmp to avoid case issues in the config. 2. We can save a few cycles by using apr_itoa instead of pfmt as IMHO port is never = 0. BTW: I think format_integer should be removed as it is only used by pfmt. It can be replaced with apr_itoa. Just did this in r578927. Regards Rüdiger
Re: [PATCH 43415] Logging remote port.
On 9/24/07, Ruediger Pluem [EMAIL PROTECTED] wrote: On 09/24/2007 02:04 PM, Jeff Trawick wrote: On 9/24/07, Ruediger Pluem [EMAIL PROTECTED] wrote: On 09/23/2007 10:49 PM, Jeff Trawick wrote: On 9/18/07, Plüm, Rüdiger, VF-Group [EMAIL PROTECTED] wrote: -Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Dienstag, 18. September 2007 12:25 An: dev@httpd.apache.org Betreff: [PATCH 43415] Logging remote port. I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. 5 comments: 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. %{canonical}p (default) %{local}p %{remote}p Sounds good to me. The attached patch works for me (though I haven't yet rebuilt the docs to see what that looks like). Patch looks good to me (including docs, which I rebuilt in my working copy), but as most of the time some comments :-). thanks, of course! 1. I would use strcasecmp instead of strcmp to avoid case issues in the config. sure; FWIW, some other format string comparisons are not case insignificant, but those can be checked for in the fullness of time 2. We can save a few cycles by using apr_itoa instead of pfmt as IMHO port is never = 0. BTW: I think format_integer should be removed as it is only used by pfmt. It can be replaced with apr_itoa. Just did this in r578927. sure; I recall you mentioning apr_itoa() on this thread but I guess I forgot I'll fix up before long. Have fun!
Re: [PATCH 43415] Logging remote port.
On 9/18/07, Plüm, Rüdiger, VF-Group [EMAIL PROTECTED] wrote: -Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Dienstag, 18. September 2007 12:25 An: dev@httpd.apache.org Betreff: [PATCH 43415] Logging remote port. I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. 5 comments: 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. %{canonical}p (default) %{local}p %{remote}p
Re: [PATCH 43415] Logging remote port.
On Tue, Sep 18, 2007 at 02:04:32PM +0200, Adam Hasselbalch Hansen wrote: § 5. A provider of electronic communication nets or services for end users must register the following information about an internet session's initiating and terminating package: 1. Originating Internet Protocol address 2. Recipient Internet Protocol address 3. Transport protocol 4. Originating port number 5. Recipient port number 6. Time of start and end of communication. Looks harmless, and evidently adds value for you. Well, value, schmalue. But it's the law... I live in Sweden, and I really, really hope we never see the same thing here. But the point: Why implement this in e.g. Apache, when it is the ISP responsibility to store this information for all internet-sessions initiating and terminating package. This should be implemented in the firewall/router instead of on application level. A standalone sniffing box should be the best solution to this, I guess. That does NOT store the content. This is insane. -- magnus
Re: [PATCH 43415] Logging remote port.
Magnus Bodin wrote: A standalone sniffing box should be the best solution to this, I guess. That does NOT store the content. Ideally, until you note that if this machine is the SSL endpoint it's the only one with any privilage to put 2+2 together. Both a good and bad thing depending on what you are trying to accomplish. No problem with the patch (I too found %R sort of funky but... what else?) This is insane. We don't disagree :)
Re: [PATCH 43415] Logging remote port.
tisdagen den 18 september 2007 skrev Adam Hasselbalch Hansen: I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. Any feedback is appreciated :) FYI: This has been applied for the upcoming Mandriva 2008 release, thanks. -- Regards // Oden Eriksson
Re: [PATCH 43415] Logging remote port.
On 9/19/07, Plüm, Rüdiger, VF-Group [EMAIL PROTECTED] wrote: -Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Mittwoch, 19. September 2007 11:13 An: dev@httpd.apache.org Betreff: Re: [PATCH 43415] Logging remote port. Plüm wrote: 1. Please provide a patch against trunk. mod_config_logger.c hasn't changed in trunk, so the patch will work fine. Sorry. Just a default comment if someone sends in a patch that is not against trunk :-). 2. Please also add a patch for the documentation. Done. Fine, I have already seen it in the report. 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. Well, then... ;) I will leave around for just one or two days. If nobody has a better idea we just take %R. Feel free to bug me if your patch falls off my radar. There is an article on ONLamp a while back that used %S. But I like %R better ;) http://www.onlamp.com/pub/a/apache/2004/04/22/blackbox_logs.html?page=3 The patch just uses apr_itoa() -B
Re: [PATCH 43415] Logging remote port.
Plüm wrote: 1. Please provide a patch against trunk. mod_config_logger.c hasn't changed in trunk, so the patch will work fine. 2. Please also add a patch for the documentation. Done. 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. Well, then... ;) 4. Instead of using + return apr_psprintf(r-pool, %u, r-connection-remote_addr-port); I would prefer + return pfmt(r-pool, (int) (r-connection-remote_addr-port)); like used for log_status. Well, in log_server_port, apr_psprintf is used, so that's what I used. But I really don't care one way or the other. Is there a particular reason for using one or the other? 5. Thanks for your patch :-). Welcome :) /Adam
Re: [PATCH 43415] Logging remote port.
Nick Kew wrote: Looks more like legislation for ISPs than folks with a webserver. ISPs and hosting companies alike. I'd be sceptical about that applying to non-sessions such as HTTP requests. I think that semantics are lost on these people. Part 4: [Requirements don't apply if they're not technically possible to meet] So if Apache doesn't support this, you're exempt, yesno? :-) No, that's the beauty of it. If it is not technically possible to log stuff, then you just have to log every 500 packets instead. Go figure /Adam
Re: [PATCH 43415] Logging remote port.
-Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Mittwoch, 19. September 2007 11:13 An: dev@httpd.apache.org Betreff: Re: [PATCH 43415] Logging remote port. Plüm wrote: 1. Please provide a patch against trunk. mod_config_logger.c hasn't changed in trunk, so the patch will work fine. Sorry. Just a default comment if someone sends in a patch that is not against trunk :-). 2. Please also add a patch for the documentation. Done. Fine, I have already seen it in the report. 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. Well, then... ;) I will leave around for just one or two days. If nobody has a better idea we just take %R. Feel free to bug me if your patch falls off my radar. 4. Instead of using + return apr_psprintf(r-pool, %u, r-connection-remote_addr-port); I would prefer + return pfmt(r-pool, (int) (r-connection-remote_addr-port)); like used for log_status. Well, in log_server_port, apr_psprintf is used, so that's what I used. But I really don't care one way or the other. Is there a particular reason for using one or the other? I think that using pfmt is more efficient and burns less cycles than apr_psprintf (I think this would be also the case for log_server_port), but I may be wrong on this. Additionally pfmt checks if port is = 0 and logs a - in this case, but this should not be the case for r-connection-remote_addr-port, so we could use format_integer or apr_itoa directly. Regards Rüdiger
Re: [PATCH 43415] Logging remote port.
On Tue, 18 Sep 2007 12:25:18 +0200 Adam Hasselbalch Hansen [EMAIL PROTECTED] wrote: I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. Is there a reference for that legislation, and whatever debate there was surrounding it? As in, what do they expect to gain from it? Any feedback is appreciated :) Looks harmless, and evidently adds value for you. -- Nick Kew Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/
Re: [PATCH 43415] Logging remote port.
-Ursprüngliche Nachricht- Von: Adam Hasselbalch Hansen Gesendet: Dienstag, 18. September 2007 12:25 An: dev@httpd.apache.org Betreff: [PATCH 43415] Logging remote port. I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. 5 comments: 1. Please provide a patch against trunk. 2. Please also add a patch for the documentation. 3. I am not too happy with using %R, but to be honest I have no better proposal :-). Maybe other have. 4. Instead of using +static const char *log_remote_port(request_rec *r, char *a) +{ + return apr_psprintf(r-pool, %u, r-connection-remote_addr-port); +} I would prefer +static const char *log_remote_port(request_rec *r, char *a) +{ + return pfmt(r-pool, (int) (r-connection-remote_addr-port)); +} like used for log_status. 5. Thanks for your patch :-). Regards Rüdiger
Re: [PATCH 43415] Logging remote port.
Nick Kew wrote: On Tue, 18 Sep 2007 12:25:18 +0200 Adam Hasselbalch Hansen [EMAIL PROTECTED] wrote: I have created a patch for httpd 2.2.6, giving the additional LogFormat directive %R, which logs the port of the host making the request. This is due to new legislation in Denmark, requiring ISPs and hosting companies to log the originating port of all traffic. Is there a reference for that legislation, and whatever debate there was surrounding it? As in, what do they expect to gain from it? Debate? It's the Justice Department that's had a brainfart, that's what's happened. Apparently it's meant to ease criminal investigations involving electronic communication (read: terror investigations). But it's totally meaningless, since public terminals (like in an Internet Cafe) are exempt from the law. You can read the entire thing in Danish here: http://www.folketinget.dk/samling/20061/Lovforslag/L63/Bilag/7/351262.PDF The relevant part is Section 5, which says (losely translated): § 5. A provider of electronic communication nets or services for end users must register the following information about an internet session's initiating and terminating package: 1. Originating Internet Protocol address 2. Recipient Internet Protocol address 3. Transport protocol 4. Originating port number 5. Recipient port number 6. Time of start and end of communication. Looks harmless, and evidently adds value for you. Well, value, schmalue. But it's the law...
Re: [PATCH 43415] Logging remote port.
On Tue, 18 Sep 2007 14:04:32 +0200 Adam Hasselbalch Hansen [EMAIL PROTECTED] wrote: You can read the entire thing in Danish here: http://www.folketinget.dk/samling/20061/Lovforslag/L63/Bilag/7/351262.PDF Looks more like legislation for ISPs than folks with a webserver. The relevant part is Section 5, which says (losely translated): § 5. A provider of electronic communication nets or services for end users must register the following information about an internet session's initiating and terminating package: The word session doesn't sit easily with a stateless protocol (HTTP), and neither does the information required: 6. Time of start and end of communication. ... which tends to suggest they really do mean sessions. I'd be sceptical about that applying to non-sessions such as HTTP requests. § 5 Part 2: [user's identity contact details]. Yeah, right. Part 3: [applies to mobile access] Part 4: [Requirements don't apply if they're not technically possible to meet] So if Apache doesn't support this, you're exempt, yesno? :-) I was kind-of wondering whether anyone's thinking in terms of fingerprinting botnet/malware attacks rather more than tracing death-threats or naughty pictures back to the last anonymiser or zombie in their path. If governments are doing that, it'll just induce botnets to randomise a bit more, or mimic patterns of legitimate users. -- Nick Kew Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/