firewall: show IPv6 ports in live log; closes #2190
(cherry picked from commit a83c91d)
(cherry picked from commit 44d4fa9)
(cherry picked from commit fb9029c)
(cherry picked from commit 5dd82c9)
(cherry picked from commit 26cda42)
(cherry picked from commit c142c5c)
fichtner committed Feb 16, 2018
1 parent 9fb4415 commit dddfef4
Showing 2 changed files with 15 additions and 11 deletions.
6 changes: 5 additions & 1 deletion src/opnsense/mvc/app/views/OPNsense/Diagnostics/fw_log.volt
Expand Up @@ -70,7 +70,11 @@ POSSIBILITY OF SUCH DAMAGE.
case 'address':
log_td.text(record[column_name]);
if (record[column_name+'port'] != undefined) {
log_td.text(log_td.text()+':'+record[column_name+'port']);
if (record['version'] == 6) {
log_td.text('['+log_td.text()+']:'+record[column_name+'port']);
} else {
log_td.text(log_td.text()+':'+record[column_name+'port']);
}
}
break;
case 'info':
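Review bot: The new `if (record['version'] == 6)` branch relies on loose equality, while the producer in read_log.py compares the same field as the string `'6'` (`rule['version'] == '6'`), so a numeric 6 here only matches through JS type coercion; presumably the JSON keeps `version` as a string, in which case `=== '6'` (or an explicit `Number(record['version']) === 6`) would state the intended type and keep working if the comparisons are ever tightened. The `record[column_name+'port'] != undefined` guard above it is in the same loose style and also lets `null` through, which may or may not be intended. The enclosing switch and its function start and end outside the hunk.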
20 changes: 10 additions & 10 deletions src/opnsense/scripts/filter/read_log.py
Expand Up @@ -44,14 +44,14 @@
# define log layouts, every endpoint contains all options
# source : https://github.com/opnsense/ports/blob/master/opnsense/filterlog/files/description.txt
fields_general = 'rulenr,subrulenr,anchorname,ridentifier,interface,reason,action,dir,version'.split(',')
fields_ipv4 = fields_general + 'tos,ecn,ttl,id,offset,flags,proto,protoname,length,src,dst'.split(',')
fields_ipv4 = fields_general + 'tos,ecn,ttl,id,offset,ipflags,proto,protoname,length,src,dst'.split(',')
fields_ipv4_udp = fields_ipv4 + 'srcport,dstport,datalen'.split(',')
fields_ipv4_tcp = fields_ipv4 + 'srcport,dstport,datalen,flags,error_options'.split(',')
fields_ipv4_tcp = fields_ipv4 + 'srcport,dstport,datalen,tcpflags,seq,ack,urp,tcpopts'.split(',')
fields_ipv4_carp = fields_ipv4 + 'type,ttl,vhid,version,advskew,advbase'.split(',')

fields_ipv6 = fields_general + 'class,flowlabel,hlim,protoname,proto,payload-length,src,dst'.split(',')
fields_ipv6_udp = fields_ipv6 + 'srcport,dstport,datalen'.split(',')
fields_ipv6_tcp = fields_ipv6 + 'srcport,dstport,datalen,flags,error_options'.split(',')
fields_ipv6_tcp = fields_ipv6 + 'srcport,dstport,datalen,tcpflags,seq,ack,urp,tcpopts'.split(',')
fields_ipv6_carp = fields_ipv6 + 'type,ttl,vhid,version2,advskew,advbase'.split(',')

def update_rule(target, metadata_target, ruleparts, spec):
Expand Down Expand Up @@ -100,7 +100,7 @@ def fetch_rules_descriptions():
tmp = record['line'].split('filterlog:')[0].split()
metadata['__digest__'] = md5.new(record['line']).hexdigest()
metadata['__host__'] = tmp.pop()
metadata['__timestamp__'] = ' '.join(tmp)
metadata['__timestamp__'] = ' '.join(tmp)
rulep = record['line'].split('filterlog:')[1].strip().split(',')
update_rule(rule, metadata, rulep, fields_general)

Expand All @@ -110,18 +110,18 @@ def fetch_rules_descriptions():
if 'proto' in rule:
if rule['proto'] == '17': # UDP
update_rule(rule, metadata, rulep, fields_ipv4_udp)
elif rule['proto'] == '6': # TCP
elif rule['proto'] == '6': # TCP
update_rule(rule, metadata, rulep, fields_ipv4_tcp)
elif rule['proto'] == '112': # CARP
elif rule['proto'] == '112': # CARP
update_rule(rule, metadata, rulep, fields_ipv4_carp)
elif rule['version'] == '6':
update_rule(rule, metadata, rulep, fields_ipv6)
if 'next' in rule:
if rule['next'] == '17': # UDP
if 'proto' in rule:
if rule['proto'] == '17': # UDP
update_rule(rule, metadata, rulep, fields_ipv6_udp)
elif rule['next'] == '6': # TCP
elif rule['proto'] == '6': # TCP
update_rule(rule, metadata, rulep, fields_ipv6_tcp)
elif rule['next'] == '112': # CARP
elif rule['proto'] == '112': # CARP
update_rule(rule, metadata, rulep, fields_ipv6_carp)

rule.update(metadata)
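Review bot: The renamed layout keys in the first hunk (`flags` → `ipflags` on the IPv4 line, `flags,error_options` → `tcpflags,seq,ack,urp,tcpopts` on both TCP lines) change the keys of the emitted record, so any consumer still reading `flags` or `error_options` silently gets nothing, and the layout block carries no note about the rename. A comment above `fields_ipv4` would help: `# NOTE: 'flags' is split into 'ipflags' (IP header) and 'tcpflags' (TCP header); TCP records now carry seq/ack/urp/tcpopts in place of error_options`. Because these layouts are applied positionally to a comma-split log line (`rulep = record['line'].split('filterlog:')[1].strip().split(',')` in the second hunk), a field-order mismatch against the linked description.txt would mislabel values rather than fail loudly; whether `update_rule` checks the field count is not visible here. The IPv6 dispatch in the last hunk now keys on `proto`, which `fields_ipv6` does populate, matching the IPv4 branch; the function holding these hunks starts and ends outside them.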

3 comments on commit dddfef4

@tpcr

@tpcr tpcr commented on dddfef4 Feb 20, 2018


Now I see either 'none' or DF (Don't Fragment) flag in ipflags.
So is this flag the tcpdump flag?
Will ACK, PSH, RST, SYN, and FIN flags also be displayed?
What I am looking for is a way to tell if the packet displayed in the firewall live log was blocked because of a fragmentation issue which, for example, is common after a state reset. These packets end up in the default deny rule.
So what flags displayed under the new ipflag label are ones I should look out for?

@fichtner
Member Author

@fichtner fichtner commented on dddfef4 Feb 20, 2018 via email


@tpcr

@tpcr tpcr commented on dddfef4 Feb 20, 2018


Sorry, see the tcpflags now. Thanks, just what I wanted.
