From owner-p4-projects@FreeBSD.ORG Wed Aug 27 02:26:34 2008 Date: Wed, 27 Aug 2008 02:26:34 GMT Message-Id: <200808270226.m7R2QYAq065751@repoman.freebsd.org>
From: Diego Giagio To: Perforce Change Reviews Cc: Subject: PERFORCE change 148573 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Aug 2008 02:26:34 -0000 http://perforce.freebsd.org/chv.cgi?CH=148573 Change 148573 by diego@diego_black on 2008/08/27 02:25:54 Kernel-land part of 'audit' keyword support for ipfw. Affected files ... .. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw.h#5 edit .. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#10 edit Differences ... ==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw.h#5 (text+ko) ==== @@ -102,7 +102,7 @@ O_PROBE_STATE, /* none */ O_KEEP_STATE, /* none */ - //O_AUDIT, /* none */ + O_AUDIT, /* none */ O_LIMIT, /* ipfw_insn_limit */ O_LIMIT_PARENT, /* dyn_type, not an opcode. */ ==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#10 (text+ko) ==== @@ -1066,7 +1066,7 @@ /* remove a refcount to the parent */ \ if (q->dyn_type == O_LIMIT) \ q->parent->count--; \ - /*if (q->dyn_type == O_AUDIT) { */ \ + if (q->dyn_type == O_AUDIT) { \ AUDIT_PFIL_ENTER(AUE_PFIL_FLOW_END, td, error); \ if (error == 0) { \ AUDIT_ARG(text, "ipfw"); \ @@ -1075,7 +1075,7 @@ AUDIT_ARG(socket_ex, AF_INET, SOCK_STREAM, \ (struct sockaddr *)&lsin, (struct sockaddr *)&rsin); \ } \ - /*}*/ \ + } \ if (!error) { \ DEB(printf( \ "ipfw: unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \ @@ -1384,7 +1384,7 @@ IPFW_DYN_LOCK_ASSERT(); - //if (dyn_type == O_AUDIT) + if (dyn_type == O_AUDIT) { AUDIT_PFIL_ENTER(AUE_PFIL_FLOW_BEGIN, td, error); if (error != 0) @@ -1441,7 +1441,7 @@ V_dyn_count ); ) done: - //if (dyn_type == O_AUDIT) + if (dyn_type == O_AUDIT) AUDIT_PFIL_EXIT(error, td); return r; } 
@@ -1540,7 +1540,8 @@ switch (cmd->o.opcode) { case O_KEEP_STATE: /* bidir rule */ - add_dyn_rule(&args->f_id, O_KEEP_STATE, rule); + case O_AUDIT: + add_dyn_rule(&args->f_id, cmd->o.opcode, rule); break; case O_LIMIT: { /* limit number of sessions */ @@ -3199,6 +3200,7 @@ */ case O_LIMIT: case O_KEEP_STATE: + case O_AUDIT: if (install_state(f, (ipfw_insn_limit *)cmd, args, tablearg)) { retval = IP_FW_DENY; @@ -3881,6 +3883,7 @@ switch (cmd->opcode) { case O_PROBE_STATE: case O_KEEP_STATE: + case O_AUDIT: case O_PROTO: case O_IP_SRC_ME: case O_IP_DST_ME:
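Review bot: in the ip_fw.h hunk, uncommenting O_AUDIT between O_KEEP_STATE and O_LIMIT renumbers every opcode that follows it (O_LIMIT, O_LIMIT_PARENT and the rest of the enum), so an ipfw(8) binary built against the previous header will hand the kernel stale opcode values through the rule socket interface; either append O_AUDIT at the end of the enum or state in the change description that the userland half of this work must be rebuilt together with the kernel.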
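Review bot: in the two unlink-macro hunks (ip_fw2.c around lines 1066 and 1075), `error` is only assigned inside the newly enabled `if (q->dyn_type == O_AUDIT) {` block (by AUDIT_PFIL_ENTER), yet the `if (!error) {` that follows the closing brace runs for every entry type, so each expansion site must initialise `error` to 0 before the macro or non-audit entries branch on an uninitialised value; `td` likewise has to be valid at every expansion site, including expiry driven from a timer where no user thread is present. The retained `AUDIT_ARG(socket_ex, AF_INET, SOCK_STREAM, ...)` also hard-codes SOCK_STREAM for every dynamic entry regardless of the flow's protocol; derive the socket type from the entry's flow id instead so the flow-end record is accurate.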
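Review bot: in the add_dyn_rule hunks (around lines 1384 and 1441), `AUDIT_PFIL_ENTER(AUE_PFIL_FLOW_BEGIN, td, error)` now runs immediately after `IPFW_DYN_LOCK_ASSERT()`, i.e. with the dynamic-rule lock held, so audit record setup for every newly created flow lengthens that critical section on the packet path and should be kept as short as possible; the `if (error != 0)` that follows is cut off by the hunk, and if it jumps to `done:` the `AUDIT_PFIL_EXIT(error, td)` added there will execute after a failed ENTER, so confirm the exit macro tolerates that and that `error` is not overwritten between the two calls.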
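Review bot: in the install_state hunk (around line 1540) the `/* bidir rule */` comment now describes both O_KEEP_STATE and O_AUDIT, and the audit entry inherits every keep-state property (bidirectional matching, V_dyn_count accounting, expiry); that is a sensible default but deserves a comment next to `case O_AUDIT:` or a sentence in the change description. Since the action switch (around line 3200) and the opcode check (around line 3883) add O_AUDIT alongside O_KEEP_STATE only, please also check the remaining places in ip_fw2.c that compare dyn_type or opcode against O_KEEP_STATE alone, and state whether a single rule may carry both keep-state and audit and, if so, which one wins.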