Merge from netinet/ip_fw.c (1.117 -> 1.118).

o Use syslog(3) interface for logging.

Reviewed by:	ume
MFC after:	10 days
Jun Kuriyama
2001-06-24 22:41:00 +00:00
parent b5bf845d5d
commit 6ce2587d28
+69 -45
@@ -41,6 +41,7 @@
#include <sys/kernel.h> #include <sys/kernel.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <sys/socketvar.h> #include <sys/socketvar.h>
#include <sys/syslog.h>
#include <sys/time.h> #include <sys/time.h>
#include <net/if.h> #include <net/if.h>
#include <net/route.h> #include <net/route.h>
@@ -93,11 +94,11 @@ SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw6_verbose, 0, ""
SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw6_verbose_limit, 0, ""); SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw6_verbose_limit, 0, "");
#endif #endif
#define dprintf(a) if (!fw6_debug); else printf a #define dprintf(a) do { \
if (fw6_debug) \
#define print_ip6(a) printf("[%s]", ip6_sprintf(a)) printf a; \
} while (0)
#define dprint_ip6(a) if (!fw6_debug); else print_ip6(a) #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
static int add_entry6 __P((struct ip6_fw_head *chainptr, struct ip6_fw *frwl)); static int add_entry6 __P((struct ip6_fw_head *chainptr, struct ip6_fw *frwl));
static int del_entry6 __P((struct ip6_fw_head *chainptr, u_short number)); static int del_entry6 __P((struct ip6_fw_head *chainptr, u_short number));
@@ -332,93 +333,114 @@ ip6fw_report(struct ip6_fw *f, struct ip6_hdr *ip6,
struct udphdr *const udp = (struct udphdr *) ((caddr_t) ip6+ off); struct udphdr *const udp = (struct udphdr *) ((caddr_t) ip6+ off);
struct icmp6_hdr *const icmp6 = (struct icmp6_hdr *) ((caddr_t) ip6+ off); struct icmp6_hdr *const icmp6 = (struct icmp6_hdr *) ((caddr_t) ip6+ off);
int count; int count;
char *action;
char action2[32], proto[102], name[18];
int len;
count = f ? f->fw_pcnt : ++counter; count = f ? f->fw_pcnt : ++counter;
if (fw6_verbose_limit != 0 && count > fw6_verbose_limit) if (fw6_verbose_limit != 0 && count > fw6_verbose_limit)
return; return;
/* Print command name */ /* Print command name */
printf("ip6fw: %d ", f ? f->fw_number : -1); snprintf(SNPARGS(name, 0), "ip6fw: %d", f ? f->fw_number : -1);
action = action2;
if (!f) if (!f)
printf("Refuse"); action = "Refuse";
else else {
switch (f->fw_flg & IPV6_FW_F_COMMAND) { switch (f->fw_flg & IPV6_FW_F_COMMAND) {
case IPV6_FW_F_DENY: case IPV6_FW_F_DENY:
printf("Deny"); action = "Deny";
break; break;
case IPV6_FW_F_REJECT: case IPV6_FW_F_REJECT:
if (f->fw_reject_code == IPV6_FW_REJECT_RST) if (f->fw_reject_code == IPV6_FW_REJECT_RST)
printf("Reset"); action = "Reset";
else else
printf("Unreach"); action = "Unreach";
break; break;
case IPV6_FW_F_ACCEPT: case IPV6_FW_F_ACCEPT:
printf("Accept"); action = "Accept";
break; break;
case IPV6_FW_F_COUNT: case IPV6_FW_F_COUNT:
printf("Count"); action = "Count";
break; break;
case IPV6_FW_F_DIVERT: case IPV6_FW_F_DIVERT:
printf("Divert %d", f->fw_divert_port); snprintf(SNPARGS(action2, 0), "Divert %d",
f->fw_divert_port);
break; break;
case IPV6_FW_F_TEE: case IPV6_FW_F_TEE:
printf("Tee %d", f->fw_divert_port); snprintf(SNPARGS(action2, 0), "Tee %d",
f->fw_divert_port);
break; break;
case IPV6_FW_F_SKIPTO: case IPV6_FW_F_SKIPTO:
printf("SkipTo %d", f->fw_skipto_rule); snprintf(SNPARGS(action2, 0), "SkipTo %d",
f->fw_skipto_rule);
break; break;
default: default:
printf("UNKNOWN"); action = "UNKNOWN";
break; break;
} }
printf(" "); }
switch (nxt) { switch (nxt) {
case IPPROTO_TCP: case IPPROTO_TCP:
printf("TCP "); len = snprintf(SNPARGS(proto, 0), "TCP [%s]",
print_ip6(&ip6->ip6_src); ip6_sprintf(&ip6->ip6_src));
if (off > 0) if (off > 0)
printf(":%d ", ntohs(tcp6->th_sport)); len += snprintf(SNPARGS(proto, len), ":%d ",
ntohs(tcp6->th_sport));
else else
printf(" "); len += snprintf(SNPARGS(proto, len), " ");
print_ip6(&ip6->ip6_dst); len += snprintf(SNPARGS(proto, len), "[%s]",
ip6_sprintf(&ip6->ip6_dst));
if (off > 0) if (off > 0)
printf(":%d", ntohs(tcp6->th_dport)); snprintf(SNPARGS(proto, len), ":%d",
ntohs(tcp6->th_dport));
break; break;
case IPPROTO_UDP: case IPPROTO_UDP:
printf("UDP "); len = snprintf(SNPARGS(proto, 0), "UDP [%s]",
print_ip6(&ip6->ip6_src); ip6_sprintf(&ip6->ip6_src));
if (off > 0) if (off > 0)
printf(":%d ", ntohs(udp->uh_sport)); len += snprintf(SNPARGS(proto, len), ":%d ",
ntohs(udp->uh_sport));
else else
printf(" "); len += snprintf(SNPARGS(proto, len), " ");
print_ip6(&ip6->ip6_dst); len += snprintf(SNPARGS(proto, len), "[%s]",
ip6_sprintf(&ip6->ip6_dst));
if (off > 0) if (off > 0)
printf(":%d", ntohs(udp->uh_dport)); snprintf(SNPARGS(proto, len), ":%d",
ntohs(udp->uh_dport));
break; break;
case IPPROTO_ICMPV6: case IPPROTO_ICMPV6:
if (off > 0) if (off > 0)
printf("IPV6-ICMP:%u.%u ", icmp6->icmp6_type, icmp6->icmp6_code); len = snprintf(SNPARGS(proto, 0), "IPV6-ICMP:%u.%u ",
icmp6->icmp6_type, icmp6->icmp6_code);
else else
printf("IPV6-ICMP "); len = snprintf(SNPARGS(proto, 0), "IPV6-ICMP ");
print_ip6(&ip6->ip6_src); len = snprintf(SNPARGS(proto, len), "[%s]",
printf(" "); ip6_sprintf(&ip6->ip6_src));
print_ip6(&ip6->ip6_dst); snprintf(SNPARGS(proto, len), " [%s]",
ip6_sprintf(&ip6->ip6_dst));
break; break;
default: default:
printf("P:%d ", nxt); len = snprintf(SNPARGS(proto, 0), "P:%d [%s]", nxt,
print_ip6(&ip6->ip6_src); ip6_sprintf(&ip6->ip6_src));
printf(" "); snprintf(SNPARGS(proto, len), " [%s]",
print_ip6(&ip6->ip6_dst); ip6_sprintf(&ip6->ip6_dst));
break; break;
} }
if (oif) if (oif)
printf(" out via %s", if_name(oif)); log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s\n",
name, action, proto, if_name(oif));
else if (rif) else if (rif)
printf(" in via %s", if_name(rif)); log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s\n",
printf("\n"); name, action, proto, if_name(rif));
else
log(LOG_SECURITY | LOG_INFO, "%s %s %s",
name, action, proto);
if (fw6_verbose_limit != 0 && count == fw6_verbose_limit) if (fw6_verbose_limit != 0 && count == fw6_verbose_limit)
printf("ip6fw: limit reached on rule #%d\n", log(LOG_SECURITY | LOG_INFO, "ip6fw: limit reached on entry %d\n",
f ? f->fw_number : -1); f ? f->fw_number : -1);
} }
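Review bot: In the IPPROTO_ICMPV6 arm of ip6fw_report the source-address append uses `len = snprintf(SNPARGS(proto, len), "[%s]", ...)` where the TCP and UDP arms use `len +=`, so after that call len holds only the length of the bracketed source address rather than the running offset; the following `snprintf(SNPARGS(proto, len), " [%s]", ...)` then writes the destination address back over the tail of the "IPV6-ICMP..." prefix and the source address, leaving the logged line with a corrupted source field. The write stays inside proto because SNPARGS clamps the size, so this is a logging-integrity defect, not an overflow, but a firewall audit record with a wrong peer address is worth fixing before MFC; the change is `len += snprintf(SNPARGS(proto, len), "[%s]",`. The third log() call, the one for neither oif nor rif, is also the only one whose format lacks a trailing `\n`, so it can run together with the next kernel message; `"%s %s %s\n"` would match its siblings. The same SNPARGS/len pattern was merged from ip_fw.c and may carry the same `=` slip there, which this commit message does not mention.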
@@ -907,9 +929,11 @@ zero_entry6(struct mbuf *m)
if (fw6_verbose) { if (fw6_verbose) {
if (frwl) if (frwl)
printf("ip6fw: Entry %d cleared.\n", frwl->fw_number); log(LOG_SECURITY | LOG_NOTICE,
"ip6fw: Entry %d cleared.\n", frwl->fw_number);
else else
printf("ip6fw: Accounting cleared.\n"); log(LOG_SECURITY | LOG_NOTICE,
"ip6fw: Accounting cleared.\n");
} }
return(0); return(0);