racluster..

Carter Bullard carter at qosient.com
Fri Nov 3 11:46:01 EST 2006


Hey Rick,
So I looked into it and the IPv6 addresses are not converted from NBO
to HBO in argus (I probably removed the ntohll loop by accident), so
that the addresses should be in NBO.  However, we do copy them once, so
we should evaluate whether the ipv6 flow construction is at all correct
for little endian machines.

If you have an opinion, I would love to consider it!!!!

Carter


On Oct 19, 2006, at 8:29 AM, rick wrote:

>
>
> Carter,
>
> thank you for your assistance i think the ipv6 is close and the v4 is
> correct i think... i am still a little concerned about the filtering
> of the ipv6. The filter appears to work on ipv4. i will conduct more
> testing on ipv6 filtering.
>
> with the saddrlen changing to daddrlen on line 3401 of argus_client.c
> and making the mask endian match the address endian at the point of
> masking the daddr/prefixlen and daddr/v6_mask appear to work correctly.
>
> the mask and address endian doesn't match (on lsb arch) at the point
> of masking. My previous patch converted both v4 and v6 masks to nbo
> when they are parsed. This keeps them consistent however seemingly the
> v6 address is stored hbo instead of nbo like the v4 address. either the
> netmask byte swap needs to come back out or the address needs to be
> stored nbo like the v4.
>
> i suspect the v6 stored in struct in host order may affect output
> files written to disk and possibly also affecting the ipv6 filtering
> code. i haven't done too much testing on this yet. i am also not sure
> how much other code this will affect that may be depending on v6 in
> hbo at the moment..
>
> thoughts?
>
> this patch obviously comments the v6 netmask byte swap if this is your
> preferred choice.. IF this isn't breaking other code.
>
> thanks.
>
>
>
> --- argus_client.c.orig 2006-10-17 06:16:58.000000000 +1000
> +++ argus_client.c      2006-10-19 21:56:55.000000000 +1000
> @@ -3398,7 +3398,7 @@
>                                for (x = 0; x < 4; x++)
>                                   tflow.ipv6_flow.ip_dst[x] = flow- 
> >ipv6_flow.ip_dst[x];
>
> -                              if (na->saddrlen > 0)
> +                              if (na->daddrlen > 0)
>                                   for (x = 0; x < 4; x++)
>                                      tflow.ipv6_flow.ip_dst[x] &=  
> na->dmask.addr_un.ipv6[x];
>                                break;
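Review bot: the `&=` in the loop under the new `if (na->daddrlen > 0)` is only correct when `tflow.ipv6_flow.ip_dst[x]` and `na->dmask.addr_un.ipv6[x]` hold their 32-bit words in the same byte order, and nothing in this hunk records which order that is. A one-line comment above the loop stating the expected order for both operands would keep the address and the mask from drifting apart again. The guard now matches the `dmask` it protects; braces around the nested `for` would also make the scope of the `if` explicit.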
> @@ -5734,10 +5734,12 @@
>              if (strchr(ptr, ':')) {
>                 if (!(inet_pton(AF_INET6, (const char *) ptr,  
> &mask.addr_un.ipv6) > 0))
>                    ArgusLog (LOG_ERR, "syntax error: %s %s", ptr,  
> strerror(errno));
> +#if 0
>  #if defined(_LITTLE_ENDIAN)
>                 for (x = 0 ; x < 4 ; x++)
>                    mask.addr_un.ipv6[x] = htonl(mask.addr_un.ipv6[x]);
>  #endif
> +#endif
>                 len = 128;
>              } else
>              if (strchr(ptr, '.')) {
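Review bot: wrapping the `_LITTLE_ENDIAN` `htonl` loop in `#if 0` leaves dead code with no record of why it was disabled. `inet_pton` already writes `mask.addr_un.ipv6` in network byte order, so either delete the loop outright or put a comment on the `#if 0` saying the mask must stay in network order to match the stored address. Separately, in the context line above, `strerror(errno)` carries no useful information when `inet_pton` returns 0 for an unparsable string, because that case does not set `errno`.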
>
>
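The byte-order mismatch discussed in this thread, as an added example that is not part of the original messages or the argus source: a word-wise IPv6 prefix match where the mask is either left in the layout `inet_pton` produces or byte-swapped per 32-bit word. `prefix_mask`, `swap32` and `v6_match` are hypothetical names, the addresses are constructed sample values, and `swap32` stands in for `htonl` on a little-endian host so the result is the same on any machine.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build a 128-bit mask for prefix length len as four 32-bit words whose
   in-memory bytes are in network order, the layout inet_pton() writes. */
static void prefix_mask(int len, uint32_t mask[4]) {
    unsigned char b[16];
    for (int i = 0; i < 16; i++, len -= 8)
        b[i] = len >= 8 ? 0xff : len > 0 ? (unsigned char)(0xff << (8 - len)) : 0;
    memcpy(mask, b, 16);
}

/* Unconditional byte swap: what htonl() does to a word on a little-endian host. */
static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00) | ((v << 8) & 0xff0000) | (v << 24);
}

/* Word-wise masked compare, the same shape as the masking loop in the patch.
   swap_mask != 0 byte-swaps each mask word first (the mismatched case).
   Returns 1 on match, 0 on no match, -1 if either address fails to parse. */
int v6_match(const char *addr, const char *net, int len, int swap_mask) {
    uint32_t a[4], n[4], m[4];
    if (inet_pton(AF_INET6, addr, a) != 1 || inet_pton(AF_INET6, net, n) != 1)
        return -1;
    prefix_mask(len, m);
    for (int x = 0; x < 4; x++) {
        if (swap_mask)
            m[x] = swap32(m[x]);
        if ((a[x] & m[x]) != (n[x] & m[x]))
            return 0;
    }
    return 1;
}

int main(void) {
    const char *net = "2001:db8:1000::";   /* constructed sample prefix, /36 */
    const char *in  = "2001:db8:1234::1";  /* inside the /36 */
    const char *out = "2001:db8:2234::1";  /* outside the /36 */
    printf("consistent mask: in=%d out=%d\n",
           v6_match(in, net, 36, 0), v6_match(out, net, 36, 0));
    printf("swapped mask:    in=%d out=%d\n",
           v6_match(in, net, 36, 1), v6_match(out, net, 36, 1));
    return 0;
}
```

With the swapped mask the address outside the /36 is reported as a match, because the significant mask bits land on the wrong bytes of the second word.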




