From owner-p4-projects@FreeBSD.ORG Wed Aug 27 02:26:35 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id BF6F5106574B; Wed, 27 Aug 2008 02:26:34 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6966E1065675 for ; Wed, 27 Aug 2008 02:26:34 +0000 (UTC) (envelope-from diego@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 3DA838FC15 for ; Wed, 27 Aug 2008 02:26:34 +0000 (UTC) (envelope-from diego@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.2/8.14.2) with ESMTP id m7R2QYpQ065758 for ; Wed, 27 Aug 2008 02:26:34 GMT (envelope-from diego@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.2/8.14.1/Submit) id m7R2QYKq065756 for perforce@freebsd.org; Wed, 27 Aug 2008 02:26:34 GMT (envelope-from diego@FreeBSD.org) Date: Wed, 27 Aug 2008 02:26:34 GMT Message-Id: <200808270226.m7R2QYKq065756@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to diego@FreeBSD.org using -f From: Diego Giagio To: Perforce Change Reviews Cc: Subject: PERFORCE change 148574 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Aug 2008 02:26:35 -0000 http://perforce.freebsd.org/chv.cgi?CH=148574 Change 148574 by diego@diego_black on 2008/08/27 02:26:21 User-land part of 'audit' keyword support for ipfw. Affected files ... .. //depot/projects/soc2008/diego-audit/src/sbin/ipfw/ipfw2.c#2 edit Differences ... ==== //depot/projects/soc2008/diego-audit/src/sbin/ipfw/ipfw2.c#2 (text+ko) ==== 
@@ -269,6 +269,7 @@
 	TOK_IN,
 	TOK_LIMIT,
 	TOK_KEEPSTATE,
+	TOK_AUDIT,
 	TOK_LAYER2,
 	TOK_OUT,
 	TOK_DIVERTED,
@@ -436,6 +437,7 @@
 	{ "in", TOK_IN },
 	{ "limit", TOK_LIMIT },
 	{ "keep-state", TOK_KEEPSTATE },
+	{ "audit", TOK_AUDIT },
 	{ "bridged", TOK_LAYER2 },
 	{ "layer2", TOK_LAYER2 },
 	{ "out", TOK_OUT },
@@ -2001,6 +2003,10 @@
 			printf(" keep-state");
 			break;
 
+		case O_AUDIT:
+			printf(" audit");
+			break;
+
 		case O_LIMIT: {
 			struct _s_x *p = limit_masks;
 			ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
@@ -2089,6 +2095,9 @@
 		case O_KEEP_STATE: /* bidir, no mask */
 			printf(" STATE");
 			break;
+		case O_AUDIT:
+			printf(" AUDIT");
+			break;
 		}
 
 		if ((pe = getprotobynumber(d->id.proto)) != NULL)
@@ -4680,9 +4689,15 @@
 static ipfw_insn *
 add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode)
 {
-	if (_substrcmp(av, "any") == 0) {
+	/*
+	 * 'any' and 'audit' keywords must not be treated as port numbers.
+	 */
+	if (_substrcmp(av, "any") == 0)
+		return NULL;
+	if (_substrcmp(av, "audit") == 0)
 		return NULL;
-	} else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
+
+	if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
 		/* XXX todo: check that we have a protocol with ports */
 		cmd->opcode = opcode;
 		return cmd;
@@ -5489,12 +5504,23 @@
 				errx(EX_USAGE, "keep-state cannot be part "
 				    "of an or block");
 			if (have_state)
-				errx(EX_USAGE, "only one of keep-state "
+				errx(EX_USAGE, "only one of keep-state, audit "
 				    "and limit is allowed");
 			have_state = cmd;
 			fill_cmd(cmd, O_KEEP_STATE, 0, 0);
 			break;
 
+		case TOK_AUDIT:
+			if (open_par)
+				errx(EX_USAGE, "audit cannot be part of an or "
+				    "block");
+			if (have_state)
+				errx(EX_USAGE, "only one of audit, keep-state "
+				    "and limit is allowed");
+			have_state = cmd;
+			fill_cmd(cmd, O_AUDIT, 0, 0);
+			break;
+
 		case TOK_LIMIT: {
 			ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
 			int val;
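Review bot: The new `_substrcmp(av, "audit")` guard in add_ports silently changes the meaning of any existing rule that used `audit` as a service name in a port position: if the host's /etc/services maps `audit` to a port (IANA lists 182/tcp under that name), fill_newports would previously have resolved it and the rule matched only that port, whereas the same rule now enables the audit keyword and matches every port — a widening of a firewall rule that should be called out in ipfw(8) and the release notes. If `_substrcmp` keeps the prefix semantics the original `any` check relies on (its definition is outside this hunk), a truncated `aud` also escapes port parsing here while the option parser presumably still needs the full keyword, so an exact `strcmp(av, "audit") == 0` would keep the two in step. The new comment restates the code; I would rather have it say why: `/* 'audit', like 'any', is a rule keyword: never let fill_newports() resolve it as a service name. */`.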
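Review bot: The three "only one of ..." messages now spell the same triple in two different orders — `"only one of keep-state, audit "` in the TOK_KEEPSTATE case versus `"only one of audit, keep-state "` in the new TOK_AUDIT case (and again in the TOK_LIMIT case of the next hunk) — so a user grepping for the message, or a test matching on it, sees two variants; pick one wording, e.g. `"only one of keep-state, limit and audit is allowed"`, and use it in all three cases. More substantively, because TOK_AUDIT claims the `have_state` slot, an audit rule is mutually exclusive with keep-state and limit, which means a stateful rule can never be audited; if that is a deliberate design constraint it deserves a comment above the case, e.g. `/* audit shares the have_state slot: it is not combinable with keep-state/limit. */`, otherwise it is a limitation to document in ipfw(8). The enclosing switch and function extend beyond this hunk.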
@@ -5503,8 +5529,8 @@
 				errx(EX_USAGE,
 				    "limit cannot be part of an or block");
 			if (have_state)
-				errx(EX_USAGE, "only one of keep-state and "
-				    "limit is allowed");
+				errx(EX_USAGE, "only one of audit, keep-state "
+				    "and limit is allowed");
 			have_state = cmd;
 
 			cmd->len = F_INSN_SIZE(ipfw_insn_limit);
@@ -5699,13 +5725,15 @@
 		dst = next_cmd(dst);
 	}
 
-	/* copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ, O_TAG */
+	/* copy all commands but O_LOG, O_KEEP_STATE, O_AUDIT, O_LIMIT, O_ALTQ,
+	 * O_TAG */
 	for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
 		i = F_LEN(src);
 		switch (src->opcode) {
 		case O_LOG:
 		case O_KEEP_STATE:
+		case O_AUDIT:
 		case O_LIMIT:
 		case O_ALTQ:
 		case O_TAG:
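Review bot: The wrapped comment in the copy loop mixes the one-line and block forms (`/* ... O_ALTQ,` on the first line, ` * O_TAG */` closing on the second); style(9) wants a multi-line comment opened with a bare `/*` and closed with a bare ` */`, and since the opcode list in that comment has to be edited every time a new instruction joins the switch below it, a wording that does not enumerate them ages better: `/*` / ` * Copy every instruction except those emitted separately above` / ` * (log, state/limit/audit, altq, tag); see the switch below.` / ` */`. Adding `case O_AUDIT:` to the skip list is only correct if the O_AUDIT instruction recorded in `have_state` is copied into the rule somewhere else in ipfw_add, which this hunk does not show — worth confirming, because an instruction that is skipped here and emitted nowhere else would be silently dropped from the rule. The enclosing function starts before and ends after this hunk.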