Date: Wed, 27 Aug 2008 02:26:34 GMT From: Diego Giagio <diego@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 148574 for review Message-ID: <200808270226.m7R2QYKq065756@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=148574 Change 148574 by diego@diego_black on 2008/08/27 02:26:21 User-land part of 'audit' keyword support for ipfw. Affected files ... .. //depot/projects/soc2008/diego-audit/src/sbin/ipfw/ipfw2.c#2 edit Differences ... ==== //depot/projects/soc2008/diego-audit/src/sbin/ipfw/ipfw2.c#2 (text+ko) ==== @@ -269,6 +269,7 @@ TOK_IN, TOK_LIMIT, TOK_KEEPSTATE, + TOK_AUDIT, TOK_LAYER2, TOK_OUT, TOK_DIVERTED, @@ -436,6 +437,7 @@ { "in", TOK_IN }, { "limit", TOK_LIMIT }, { "keep-state", TOK_KEEPSTATE }, + { "audit", TOK_AUDIT }, { "bridged", TOK_LAYER2 }, { "layer2", TOK_LAYER2 }, { "out", TOK_OUT }, @@ -2001,6 +2003,10 @@ printf(" keep-state"); break; + case O_AUDIT: + printf(" audit"); + break; + case O_LIMIT: { struct _s_x *p = limit_masks; ipfw_insn_limit *c = (ipfw_insn_limit *)cmd; @@ -2089,6 +2095,9 @@ case O_KEEP_STATE: /* bidir, no mask */ printf(" STATE"); break; + case O_AUDIT: + printf(" AUDIT"); + break; } if ((pe = getprotobynumber(d->id.proto)) != NULL) @@ -4680,9 +4689,15 @@ static ipfw_insn * add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode) { - if (_substrcmp(av, "any") == 0) { + /* + * 'any' and 'audit' keywords must not be treated as port numbers. + */ + if (_substrcmp(av, "any") == 0) + return NULL; + if (_substrcmp(av, "audit") == 0) return NULL; - } else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) { + + if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) { /* XXX todo: check that we have a protocol with ports */ cmd->opcode = opcode; return cmd; 
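Review bot: In `add_ports`, the new `_substrcmp(av, "audit") == 0` test means the word `audit` in port position is no longer handed to `fill_newports`, which can silently change the meaning of an existing rule: one that named the `audit` service as its port (the IANA services list has such an entry) would, as far as this hunk shows, lose its port match and gain the audit option instead. For a firewall front end that widening deserves a line in the comment and the man page, e.g. `/* NB: the service name "audit" can no longer be given as a port; use its number. */`. If `_substrcmp` accepts abbreviations, as its use for other keywords suggests (its definition is outside this hunk), shorter strings would be swallowed as well, so an exact `strcmp(av, "audit") == 0` looks safer here. The rest of `add_ports` lies beyond the hunk's last line.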
@@ -5489,12 +5504,23 @@ errx(EX_USAGE, "keep-state cannot be part " "of an or block"); if (have_state) - errx(EX_USAGE, "only one of keep-state " + errx(EX_USAGE, "only one of keep-state, audit " "and limit is allowed"); have_state = cmd; fill_cmd(cmd, O_KEEP_STATE, 0, 0); break; + case TOK_AUDIT: + if (open_par) + errx(EX_USAGE, "audit cannot be part of an or " + "block"); + if (have_state) + errx(EX_USAGE, "only one of audit, keep-state " + "and limit is allowed"); + have_state = cmd; + fill_cmd(cmd, O_AUDIT, 0, 0); + break; + case TOK_LIMIT: { ipfw_insn_limit *c = (ipfw_insn_limit *)cmd; int val; @@ -5503,8 +5529,8 @@ errx(EX_USAGE, "limit cannot be part of an or block"); if (have_state) - errx(EX_USAGE, "only one of keep-state and " - "limit is allowed"); + errx(EX_USAGE, "only one of audit, keep-state " + "and limit is allowed"); have_state = cmd; cmd->len = F_INSN_SIZE(ipfw_insn_limit); @@ -5699,13 +5725,15 @@ dst = next_cmd(dst); } - /* copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ, O_TAG */ + /* copy all commands but O_LOG, O_KEEP_STATE, O_AUDIT, O_LIMIT, O_ALTQ, + * O_TAG */ for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) { i = F_LEN(src); switch (src->opcode) { case O_LOG: case O_KEEP_STATE: + case O_AUDIT: case O_LIMIT: case O_ALTQ: case O_TAG:
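Review bot: The new `TOK_AUDIT` case stores its instruction in `have_state`, the slot keep-state and limit already use, so whatever the rest of the function does for a stateful rule will now also apply to an audit rule. That code is outside this hunk, so please confirm it is intended and record it in a comment such as `/* audit shares have_state: emitted like a state opcode, excludes keep-state/limit */`. A consequence visible here is that a rule can never be both audited and keep-state or limit, which is worth stating in the usage text if it is a deliberate restriction. The three usage messages also disagree on word order (`keep-state, audit and limit` in the TOK_KEEPSTATE case, `audit, keep-state and limit` in the TOK_AUDIT and TOK_LIMIT cases); a single shared string would keep them in step.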