Date: Wed, 26 Feb 2003 02:49:53 +0100 From: "Simon L. Nielsen" <simon@nitro.dk> To: Mikel King <mikel.king@ocsny.com> Cc: ipfw@freebsd.org Subject: Re: ipfw question Message-ID: <20030226014952.GH385@nitro.dk> In-Reply-To: <3E5592C2.7000902@ocsny.com> References: <3E5592C2.7000902@ocsny.com>
--tsOsTdHNUZQcU9Ye Content-Type: multipart/mixed; boundary="3MwIy2ne0vdjdPXF" Content-Disposition: inline --3MwIy2ne0vdjdPXF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2003.02.20 21:45:22 -0500, Mikel King wrote: > In any event, it would be nice to have a rule option to define a=20 > specific logfac/file for a certain rule or group of rules. And of course= =20 > this begs the question of would such a rule impeade performance? I wanted to try a bit of kernel hacking so I have implemented support for this. The only negative impact on performance I can see (with my patch) is that each log rule will now use 4 more bytes of memory... The attached patch is for -CURRENT and is not totally finished but it works for me. I plan to send it has a PR when it has been cleaned up more, but comments for this version are very welcome. The usage is pretty simple : ipfw add deny log logprio local0.debug udp from any to me 137-139 --=20 Simon L. Nielsen --3MwIy2ne0vdjdPXF Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ipfw2-syslog.patch" Content-Transfer-Encoding: quoted-printable Index: sys/netinet/ip_fw.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/mirror/freebsd/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.75 diff -u -d -r1.75 ip_fw.h --- sys/netinet/ip_fw.h 24 Oct 2002 22:32:13 -0000 1.75 +++ sys/netinet/ip_fw.h 26 Feb 2003 01:33:50 -0000 
@@ -246,6 +246,7 @@ ipfw_insn o; u_int32_t max_log; /* how many do we log -- 0 =3D all */ u_int32_t log_left; /* how many left to log */ + u_int32_t prio; /* the level / facility to log to */ } ipfw_insn_log; =20 /* Index: sys/netinet/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/mirror/freebsd/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.27 diff -u -d -r1.27 ip_fw2.c --- sys/netinet/ip_fw2.c 19 Feb 2003 05:47:34 -0000 1.27 +++ sys/netinet/ip_fw2.c 26 Feb 2003 01:33:50 -0000 @@ -418,6 +418,7 @@ char *action; int limit_reached =3D 0; char action2[40], proto[48], fragment[28]; + int log_prio =3D LOG_SECURITY | LOG_INFO; =20 fragment[0] =3D '\0'; proto[0] =3D '\0'; @@ -442,6 +443,7 @@ if (cmd->opcode =3D=3D O_PROB) cmd +=3D F_LEN(cmd); =20 + log_prio =3D (int) l->prio; action =3D action2; switch (cmd->opcode) { case O_DENY: @@ -577,7 +579,7 @@ (ip_off & IP_MF) ? "+" : ""); } if (oif || m->m_pkthdr.rcvif) - log(LOG_SECURITY | LOG_INFO, + log(log_prio, "ipfw: %d %s %s %s via %s%d%s\n", f ? f->rulenum : -1, action, proto, oif ? "out" : "in", @@ -585,7 +587,7 @@ oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit, fragment); else - log(LOG_SECURITY | LOG_INFO, + log(log_prio, "ipfw: %d %s %s [no if info]%s\n", f ? f->rulenum : -1, action, proto, fragment); Index: sbin/ipfw/ipfw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.21 diff -u -d -r1.21 ipfw2.c --- sbin/ipfw/ipfw2.c 12 Jan 2003 03:31:10 -0000 1.21 +++ sbin/ipfw/ipfw2.c 26 Feb 2003 01:33:50 -0000 
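Review bot: In the @@ -442 hunk `log_prio = (int) l->prio;` hands whatever 32-bit value the installed rule carries straight to log(), so the `LOG_SECURITY | LOG_INFO` initializer added in the @@ -418 hunk is dead code, and any rule whose prio word is zero ends up logged at LOG_KERN|LOG_EMERG, which reaches every console and logged-in user. The kernel should not depend on the userland default: mask the value to the bits log() understands, `log_prio = (int)(l->prio & (LOG_PRIMASK | LOG_FACMASK));`, and reject out-of-range values where O_LOG instructions are checked at rule-install time, which this patch does not touch (that validation is outside these hunks, so I cannot confirm what it currently accepts). The enclosing logging function begins and ends outside the hunk.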
@@ -43,6 +43,8 @@ #include <timeconv.h> #include <unistd.h> #include <sysexits.h> +#define SYSLOG_NAMES +#include <syslog.h> =20 #include <net/if.h> #include <netinet/in.h> @@ -347,6 +349,50 @@ }; =20 /** + * Decode a symbolic name to a numeric value + * + * The pencode and decode functions are "stolen" from usr.bin/logger/logge= r.c + */ +int +pencode(char *s) +{ + char *save; + int fac, lev; + + for (save =3D s; *s && *s !=3D '.'; ++s); + if (*s) { + *s =3D '\0'; + fac =3D decode(save, facilitynames); + if (fac < 0) + errx(1, "unknown facility name: %s", save); + *s++ =3D '.'; + } + else { + fac =3D LOG_SECURITY; + s =3D save; + } + lev =3D decode(s, prioritynames); + if (lev < 0) + errx(1, "unknown priority name: %s", save); + return ((lev & LOG_PRIMASK) | (fac & LOG_FACMASK)); +} + +int +decode(char *name, CODE *codetab) +{ + CODE *c; + + if (isdigit(*name)) + return (atoi(name)); + + for (c =3D codetab; c->c_name; c++) + if (!strcasecmp(name, c->c_name)) + return (c->c_val); + + return (-1); +} + +/** * match_token takes a table and a string, returns the value associated * with the string (0 meaning an error in most cases) */ @@ -934,10 +980,12 @@ } } if (logptr) { + printf(" log"); if (logptr->max_log > 0) - printf(" log logamount %d", logptr->max_log); - else - printf(" log"); + printf(" logamount %d", logptr->max_log); + if (logptr->prio !=3D LOG_SECURITY | LOG_INFO) /* XXX convert to text */ + printf(" logprio %u.%u", + LOG_FAC(logptr->prio), LOG_PRI(logptr->prio)); } =20 /* @@ -1695,7 +1743,7 @@ { =20 fprintf(stderr, "ipfw syntax summary:\n" -"ipfw add [N] [prob {0..1}] ACTION [log [logamount N]] ADDR OPTIONS\n" +"ipfw add [N] [prob {0..1}] ACTION [log [logamount N] [logprio <fac.>level= ]] ADDR OPTIONS\n" "ipfw {pipe|queue} N config BODY\n" "ipfw [pipe] {zero|delete|show} [N{,N}]\n" "\n" 
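Review bot: In the @@ -347 hunk `decode()` returns `atoi(name)` unchecked for any argument that starts with a digit, so `logprio 999999` passes pencode()'s `< 0` tests and is stored in the rule as an arbitrary priority word; `isdigit(*name)` is also given a plain `char`, which is undefined for high-bit bytes. pencode() calls decode() before it is defined, so unless a prototype exists elsewhere in the file this is an implicit declaration, and both `errx(1, ...)` calls differ from the `errx(EX_DATAERR, ...)` convention the rest of this file uses (visible in the @@ -2655 hunk). Since both helpers are new and only used here, make them `static`, define decode() ahead of pencode(), and bound the numeric path as below; strtol() overflow detection needs <errno.h>, which I cannot see whether the file already includes.
```c
static int
decode(const char *name, const CODE *codetab)
{
	const CODE *c;
	char *end;
	long v;

	if (isdigit((unsigned char)*name)) {
		errno = 0;
		v = strtol(name, &end, 10);
		/* reject trailing junk, overflow and anything outside the syslog bit range */
		if (errno == ERANGE || *end != '\0' || v < 0 ||
		    v > (LOG_PRIMASK | LOG_FACMASK))
			return (-1);
		return ((int)v);
	}
	for (c = codetab; c->c_name; c++)
		if (!strcasecmp(name, c->c_name))
			return (c->c_val);
	return (-1);
}
```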
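Review bot: In the @@ -934 hunk `if (logptr->prio != LOG_SECURITY | LOG_INFO)` parses as `(logptr->prio != LOG_SECURITY) | LOG_INFO`, which is never zero, so " logprio" is printed for every log rule; the intended test is `if (logptr->prio != (LOG_SECURITY | LOG_INFO))`. The printed `%u.%u` form is also not accepted by the parser added in the @@ -347 hunk: LOG_FAC() yields the shifted facility index (16 for local0) while decode() takes a digit string as the raw code, so feeding this output back into `ipfw add` selects a different facility. Resolving the XXX by printing the names from facilitynames/prioritynames, already available through the SYSLOG_NAMES define in the @@ -43 hunk, would make the output round-trip. The enclosing function begins and ends outside the hunk.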
@@ -2638,7 +2686,7 @@ action =3D next_cmd(action); =20 /* - * [log [logamount N]] -- log, optional + * [log [logamount N] [logprio <fac.>level]] -- log, optional * * If exists, it goes first in the cmdbuf, but then it is * skipped in the copy section to the end of the buffer. @@ -2648,6 +2696,7 @@ =20 cmd->len =3D F_INSN_SIZE(ipfw_insn_log); cmd->opcode =3D O_LOG; + c->prio =3D LOG_SECURITY | LOG_INFO; av++; ac--; if (ac && !strncmp(*av, "logamount", strlen(*av))) { ac--; av++; @@ -2655,6 +2704,12 @@ c->max_log =3D atoi(*av); if (c->max_log < 0) errx(EX_DATAERR, "logamount must be positive"); + ac--; av++; + } + if (ac && !strncmp(*av, "logprio", strlen(*av))) { + ac--; av++; + NEED1("logprio requires argument"); + c->prio =3D (u_int32_t) pencode(*av); ac--; av++; } cmd =3D next_cmd(cmd); --3MwIy2ne0vdjdPXF-- --tsOsTdHNUZQcU9Ye Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+XB1A8kocFXgPTRwRAg9dAJ9MYieVm2Qntpqs5vOLiFglus3UlQCgqiqf fGvyb4wuNfYA41Hv4Kz98Qs= =XiB+ -----END PGP SIGNATURE----- --tsOsTdHNUZQcU9Ye-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message