Subject: kern/18669: net.inet.tcp.log_refused may give misleading results
To: None <gnats-bugs@gnats.netbsd.org>
From: None <xs@kittenz.org>
List: netbsd-bugs
Date: 10/16/2002 14:08:17
>Number:         18669
>Category:       kern
>Synopsis:       net.inet.tcp.log_refused may give misleading results
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 16 06:11:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 1.6I
>Organization:
>Environment:
System: NetBSD stasis 1.6I NetBSD 1.6I (STASIS) #8: Thu Oct 10 13:02:47 BST 2002 xs@stasis:/usr/src/sys/arch/i386/compile/STASIS i386
Architecture: i386
Machine: i386
/sys/netinet/tcp_input.c:
     $NetBSD: tcp_input.c,v 1.155 2002/09/11 02:41:21 itojun Exp $
>Description:
	With net.inet.tcp.log_refused enabled, seemingly impossible
	connection attempts are logged. It turns out that this is
	because only TH_SYN is checked in the header, so, for example,
	TH_SYN|TH_ACK packets are considered connection attempts.

>How-To-Repeat:
	Change tcp4_log_refused to display flags:

Index: tcp_input.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet/tcp_input.c,v
retrieving revision 1.155
diff -u -r1.155 tcp_input.c
--- tcp_input.c	2002/09/11 02:41:21	1.155
+++ tcp_input.c	2002/10/13 15:19:44
@@ -729,10 +729,24 @@
 		strcpy(src, "(unknown)");
 		strcpy(dst, "(unknown)");
 	}
+#ifndef TH_ECN
+#define	TH_ECN	0x40
+#endif
+#ifndef TH_CWR
+#define	TH_CWR	0x80
+#endif
 	log(LOG_INFO,
-	    "Connection attempt to TCP %s:%d from %s:%d\n",
+	    "Connection attempt to TCP %s:%d from %s:%d (%c%c%c%c%c%c%c%c)\n",
 	    dst, ntohs(th->th_dport),
-	    src, ntohs(th->th_sport));
+	    src, ntohs(th->th_sport),
+	    (th->th_flags & TH_FIN? 'F': '-'),
+	    (th->th_flags & TH_SYN? 'S': '-'),
+	    (th->th_flags & TH_RST? 'R': '-'),
+	    (th->th_flags & TH_PUSH?'P': '-'),
+	    (th->th_flags & TH_ACK? 'A': '-'),
+	    (th->th_flags & TH_URG? 'U': '-'),
+	    (th->th_flags & TH_ECN? 'E': '-'),
+	    (th->th_flags & TH_CWR? 'C': '-'));
 }
 #endif
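Review bot: the fallback #defines for TH_ECN/TH_CWR at the top of the hunk belong in netinet/tcp.h rather than inline in tcp_input.c, and bit 0x40 is the ECN-Echo flag, which RFC 3168 names ECE; if the header already defines that bit under a different name, the #ifndef guard silently introduces a second name for it. Note also that printing the flags is diagnostic only: this hunk does not change the SYN-only test that decides whether tcp4_log_refused is called, so the SYN|ACK case the report describes is still logged. Suggest moving the definitions to the header and, at the call site, testing `(th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN` as the >Fix: section proposes.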

	Visit various websites. Over time, it sometimes yields:

Connection attempt to TCP 10.2.0.2:64785 from 129.128.5.191:80 (-S--A---)

>Fix:
	Perhaps check TH_SYN and not TH_ACK, and/or display th_flags.
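
	The SYN-only test described above and the SYN-and-not-ACK test proposed under >Fix:, as an added example in C that is not part of this PR or of NetBSD's tcp_input.c; the function names and the flag-string helper are the example's own, and the flag values follow <netinet/tcp.h> with 0x40 named TH_ECE as in RFC 3168.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* TCP flag bits as in <netinet/tcp.h>; 0x40/0x80 are the RFC 3168 ECN bits
 * (the patch above names 0x40 TH_ECN). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* Original test: any segment carrying SYN counts as a connection attempt,
 * so the SYN|ACK reply to one of our own outgoing connections (e.g. from a
 * web server's port 80) gets logged as "refused". */
int is_conn_attempt_synonly(uint8_t flags) { return (flags & TH_SYN) != 0; }

/* Corrected test from the >Fix: section: SYN set and ACK clear. An ECN-setup
 * SYN (SYN|ECE|CWR) still counts, as it should. */
int is_conn_attempt_fixed(uint8_t flags) { return (flags & (TH_SYN | TH_ACK)) == TH_SYN; }

/* Render th_flags in the patch's order FSRPAUEC, e.g. "-S--A---".
 * Uses a static buffer; adequate for a single-threaded demo. */
const char *tcp_flags_str(uint8_t flags)
{
    static char buf[9];
    const char *names = "FSRPAUEC";   /* bit i <-> names[i] */
    int i;
    for (i = 0; i < 8; i++)
        buf[i] = (flags & (1u << i)) ? names[i] : '-';
    buf[8] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed segments: an inbound SYN to a closed port, the SYN|ACK
     * quoted in the report, and an ECN-setup SYN. */
    uint8_t samples[] = { TH_SYN, TH_SYN | TH_ACK, TH_SYN | TH_ECE | TH_CWR };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("(%s) syn-only=%d fixed=%d\n", tcp_flags_str(samples[i]),
               is_conn_attempt_synonly(samples[i]), is_conn_attempt_fixed(samples[i]));
    return 0;
}
```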

>Release-Note:
>Audit-Trail:
>Unformatted: