Date: Mon, 10 Mar 2003 21:06:59 +0100 (CET) From: "Simon L.Nielsen" <simon@nitro.dk> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/49086: [patch] Make ipfw2 log to different syslog priorities Message-ID: <20030310200659.E598A10BF94@arthur.nitro.dk>
>Number: 49086
>Category: kern
>Synopsis: [patch] Make ipfw2 log to different syslog priorities
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 10 12:10:03 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Simon L. Nielsen
>Release: FreeBSD 4.8-RC i386
>Organization:
>Environment:
>Description:
This adds extra functionality to ipfw2 so it can log to different
syslog priorities per rule. Sample use :
# ipfw add deny log logprio local0.debug udp from any to me 137-140
The default behavior if logprio is not specified is unaltered.
A few minor parts of the patch were "borrowed" from src/usr.bin/logger/.
>How-To-Repeat:
>Fix:
Patch for -CURRENT :
This is the same patch as the one I posted to the freebsd-ipfw
mailing list on 9 Mar 2003.
--- ipfw2-syslog.patch.3 begins here ---
Index: sys/netinet/ip_fw2.c
===================================================================
RCS file: /data/mirror/freebsd/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.27
diff -u -d -r1.27 ip_fw2.c
--- sys/netinet/ip_fw2.c 19 Feb 2003 05:47:34 -0000 1.27
+++ sys/netinet/ip_fw2.c 5 Mar 2003 21:54:34 -0000
@@ -418,6 +418,7 @@
char *action;
int limit_reached = 0;
char action2[40], proto[48], fragment[28];
+ int log_prio = LOG_SECURITY | LOG_INFO;
fragment[0] = '\0';
proto[0] = '\0';
@@ -442,6 +443,7 @@
if (cmd->opcode == O_PROB)
cmd += F_LEN(cmd);
+ log_prio = (int) l->prio;
action = action2;
switch (cmd->opcode) {
case O_DENY:
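Review bot: `log_prio = (int) l->prio;` passes a value that arrived from userland inside the rule's ipfw_insn_log straight to log(), and nothing in this patch checks it when the rule is installed — the new `prio` field added in the ip_fw.h hunk is presumably not covered by the kernel's rule-validation path, which is outside the hunks shown. Rule installation is privileged, so the exposure is limited to an odd priority prefix in the message buffer, but the kernel should still reject bits outside the priority and facility masks at load time, or at minimum mask here: `log_prio = (int)(l->prio & (LOG_PRIMASK | LOG_FACMASK));`. The default `LOG_SECURITY | LOG_INFO` is now spelled out in three places (this file, and twice in the ipfw2.c hunks); a single macro in ip_fw.h would keep kernel and userland agreeing on it. Where `l` is assigned is not visible in the hunk, and the enclosing function starts and ends outside it.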
@@ -577,7 +579,7 @@
(ip_off & IP_MF) ? "+" : "");
}
if (oif || m->m_pkthdr.rcvif)
- log(LOG_SECURITY | LOG_INFO,
+ log(log_prio,
"ipfw: %d %s %s %s via %s%d%s\n",
f ? f->rulenum : -1,
action, proto, oif ? "out" : "in",
@@ -585,7 +587,7 @@
oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit,
fragment);
else
- log(LOG_SECURITY | LOG_INFO,
+ log(log_prio,
"ipfw: %d %s %s [no if info]%s\n",
f ? f->rulenum : -1,
action, proto, fragment);
Index: sys/netinet/ip_fw.h
===================================================================
RCS file: /data/mirror/freebsd/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.75
diff -u -d -r1.75 ip_fw.h
--- sys/netinet/ip_fw.h 24 Oct 2002 22:32:13 -0000 1.75
+++ sys/netinet/ip_fw.h 5 Mar 2003 21:54:34 -0000
@@ -246,6 +246,7 @@
ipfw_insn o;
u_int32_t max_log; /* how many do we log -- 0 = all */
u_int32_t log_left; /* how many left to log */
+ u_int32_t prio; /* the level / facility to log to */
} ipfw_insn_log;
/*
Index: sbin/ipfw/ipfw2.c
===================================================================
RCS file: /data/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.21
diff -u -d -r1.21 ipfw2.c
--- sbin/ipfw/ipfw2.c 12 Jan 2003 03:31:10 -0000 1.21
+++ sbin/ipfw/ipfw2.c 6 Mar 2003 23:55:14 -0000
@@ -43,6 +43,8 @@
#include <timeconv.h>
#include <unistd.h>
#include <sysexits.h>
+#define SYSLOG_NAMES
+#include <syslog.h>
#include <net/if.h>
#include <netinet/in.h>
@@ -346,6 +348,70 @@
{ NULL, 0 }
};
+int slogpenc(char *s);
+int slogdec(char *name, CODE *codetab);
+const char* slogpdec(int num, CODE *codetab);
+
+
+/**
+ * slogpenc encodes a symbolic name syslog facility / priority name to a
+ * numeric value
+ */
+int
+slogpenc(char *s)
+{
+ char *save;
+ int fac, lev;
+
+ for (save = s; *s && *s != '.'; ++s);
+ if (*s) {
+ *s = '\0';
+ fac = slogdec(save, facilitynames);
+ if (fac < 0)
+ errx(1, "unknown facility name: %s", save);
+ *s++ = '.';
+ }
+ else {
+ fac = LOG_SECURITY;
+ s = save;
+ }
+ lev = slogdec(s, prioritynames);
+ if (lev < 0)
+ errx(1, "unknown priority name: %s", save);
+ return ((lev & LOG_PRIMASK) | (fac & LOG_FACMASK));
+}
+
+int
+slogdec(char *name, CODE *codetab)
+{
+ CODE *c;
+
+ if (isdigit(*name))
+ return (atoi(name));
+
+ for (c = codetab; c->c_name; c++)
+ if (!strcasecmp(name, c->c_name))
+ return (c->c_val);
+
+ return (-1);
+}
+
+/**
+ * slogpdec translates a log facility and priority to its symbolic name
+ */
+const char*
+slogpdec(int num, CODE *codetab)
+{
+ CODE *c;
+
+ for (c = codetab; c->c_name; c++)
+ if (num == c->c_val)
+ return c->c_name;
+
+ return NULL;
+}
+
+
/**
* match_token takes a table and a string, returns the value associated
* with the string (0 meaning an error in most cases)
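Review bot: The three new helpers are file-local but are given external linkage (non-static prototypes and definitions), and `slogpenc` aborts with `errx(1, ...)` while the rest of this file's argument errors, including the adjacent logamount check in the caller hunk, use `errx(EX_DATAERR, ...)` from the already-included sysexits.h. `slogdec` also calls `isdigit(*name)` on a plain `char` (should be `isdigit((unsigned char)*name)`) and then `atoi()`, which silently accepts trailing garbage such as `7abc` and has no range reporting; the numeric branch below uses `strtol` and rejects anything but a clean non-negative integer (it needs `<errno.h>` and `<limits.h>` if the file does not already include them). Note too that a numeric value given without a dot, e.g. `logprio 141`, has its facility bits discarded by `(lev & LOG_PRIMASK)` and replaced with `LOG_SECURITY`, which the manual page's "may be specified numerically" does not make obvious; either document that or let a dotless number carry its own facility. Make all three helpers `static` in both prototype and definition.
```c
static int
slogdec(char *name, CODE *codetab)
{
	CODE *c;
	char *end;
	long v;

	if (isdigit((unsigned char)*name)) {
		errno = 0;
		v = strtol(name, &end, 10);
		/* reject trailing text and out-of-range values */
		if (*end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX)
			return (-1);
		return ((int)v);
	}

	for (c = codetab; c->c_name; c++)
		if (!strcasecmp(name, c->c_name))
			return (c->c_val);

	return (-1);
}
```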
@@ -934,10 +1000,13 @@
}
}
if (logptr) {
+ printf(" log");
if (logptr->max_log > 0)
- printf(" log logamount %d", logptr->max_log);
- else
- printf(" log");
+ printf(" logamount %d", logptr->max_log);
+ if (logptr->prio != (LOG_SECURITY | LOG_INFO))
+ printf(" logprio %s.%s",
+ slogpdec(logptr->prio & LOG_FACMASK, facilitynames),
+ slogpdec(LOG_PRI(logptr->prio), prioritynames));
}
/*
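Review bot: `slogpdec` returns NULL when the value is not in its table, and the new `printf(" logprio %s.%s", ...)` hands that NULL to `%s`, which is undefined behaviour; this is reachable whenever a rule was installed with a numeric facility or level that has no symbolic name, or by a different ipfw binary. Fall back to printing the raw number when either lookup fails, so `ipfw show` output stays well-defined and still round-trips through `logprio`.
```c
		if (logptr->prio != (LOG_SECURITY | LOG_INFO)) {
			const char *fac = slogpdec(logptr->prio & LOG_FACMASK, facilitynames);
			const char *lev = slogpdec(LOG_PRI(logptr->prio), prioritynames);

			if (fac != NULL && lev != NULL)
				printf(" logprio %s.%s", fac, lev);
			else
				printf(" logprio %u", (unsigned)logptr->prio);
		}
```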
@@ -1695,7 +1764,7 @@
{
fprintf(stderr, "ipfw syntax summary:\n"
-"ipfw add [N] [prob {0..1}] ACTION [log [logamount N]] ADDR OPTIONS\n"
+"ipfw add [N] [prob {0..1}] ACTION LOG ADDR OPTIONS\n"
"ipfw {pipe|queue} N config BODY\n"
"ipfw [pipe] {zero|delete|show} [N{,N}]\n"
"\n"
@@ -1710,6 +1779,7 @@
" [ from IPLIST [ PORT ] to IPLIST [ PORTLIST ] ]\n"
"IPLIST: IPADDR | ( IPADDR or ... or IPADDR )\n"
"IPADDR: [not] { any | me | ip | ip/bits | ip:mask | ip/bits{x,y,z} }\n"
+"LOG: [log [logamount N] [logprio [facility.]level]]\n"
"OPTION_LIST: OPTION [,OPTION_LIST]\n"
);
exit(0);
@@ -2638,7 +2708,7 @@
action = next_cmd(action);
/*
- * [log [logamount N]] -- log, optional
+ * [log [logamount N] [logprio [facility.]level]] -- log, optional
*
* If exists, it goes first in the cmdbuf, but then it is
* skipped in the copy section to the end of the buffer.
@@ -2648,6 +2718,7 @@
cmd->len = F_INSN_SIZE(ipfw_insn_log);
cmd->opcode = O_LOG;
+ c->prio = LOG_SECURITY | LOG_INFO;
av++; ac--;
if (ac && !strncmp(*av, "logamount", strlen(*av))) {
ac--; av++;
@@ -2655,6 +2726,12 @@
c->max_log = atoi(*av);
if (c->max_log < 0)
errx(EX_DATAERR, "logamount must be positive");
+ ac--; av++;
+ }
+ if (ac && !strncmp(*av, "logprio", strlen(*av))) {
+ ac--; av++;
+ NEED1("logprio requires argument");
+ c->prio = (u_int32_t) slogpenc(*av);
ac--; av++;
}
cmd = next_cmd(cmd);
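Review bot: The new keyword test `!strncmp(*av, "logprio", strlen(*av))` accepts any prefix of the word, including an empty argv element (a length of 0 makes strncmp compare nothing and return 0), and it copies the existing logamount test a few lines above; with two keywords now sharing the `log` prefix, an abbreviation such as `log` or `lo` is resolved by check order rather than by what the user meant. An exact `strcmp(*av, "logprio") == 0`, or a guard that the token is at least a few characters long, would make the new option unambiguous. The parse also requires `logprio` to follow `logamount`, matching the synopsis in the ipfw.8 hunk, so a rule written in the other order fails with an unrelated error from the address parser further down; the enclosing function starts and ends outside the hunk.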
Index: sbin/ipfw/ipfw.8
===================================================================
RCS file: /data/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.121
diff -u -d -r1.121 ipfw.8
--- sbin/ipfw/ipfw.8 3 Mar 2003 22:46:36 -0000 1.121
+++ sbin/ipfw/ipfw.8 9 Mar 2003 12:30:45 -0000
@@ -395,7 +395,10 @@
.Op Cm prob Ar match_probability
.br
.Ar " " action
-.Op Cm log Op Cm logamount Ar number
+.Oo
+.Cm log Op Cm logamount Ar number
+.Op logprio Ar pri
+.Oc
.Ar body
.Ed
.Pp
@@ -478,13 +481,15 @@
.Pp
Note: this condition is checked before any other condition, including
ones such as keep-state or check-state which might have side effects.
-.It Cm log Op Cm logamount Ar number
+.It Cm log Op Cm logamount Ar number Xo
+.Op Cm logprio Ar pri
+.Xc
When a packet matches a rule with the
.Cm log
keyword, a message will be
logged to
.Xr syslogd 8
-with a
+by default with a
.Dv LOG_SECURITY
facility.
The logging only occurs if the sysctl variable
@@ -501,6 +506,20 @@
is specified, the limit is taken from the sysctl variable
.Em net.inet.ip.fw.verbose_limit .
In both cases, a value of 0 removes the logging limit.
+The
+.Cm logprio
+parameter can be set to change the default syslog priority.
+The priority may be specified numerically or as a
+.Dq facility.level
+pair.
+For example,
+.Dq Cm logprio No local3.info
+logs the messages as
+.Ar info Ns rmational
+level in the
+.Ar local3
+facility. The facility may be omitted and it then defaults to
+.Dv LOG_SECURITY .
.Pp
Once the limit is reached, logging can be re-enabled by
clearing the logging counter or the packet counter for that entry, see the
@@ -510,6 +529,11 @@
Note: logging is done after all other packet matching conditions
have been successfully verified, and before performing the final
action (accept, deny, etc.) on the packet.
+.Pp
+Note: The message
+.Dq limit reached on entry
+is always logged to
+.Dq security.notice .
.El
.Ss RULE ACTIONS
A rule can be associated with one of the following actions, which
--- ipfw2-syslog.patch.3 ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
