Message-Id: <20030310200659.E598A10BF94@arthur.nitro.dk>
Date: Mon, 10 Mar 2003 21:06:59 +0100 (CET)
From: "Simon L. Nielsen"
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/49086: [patch] Make ipfw2 log to different syslog priorities

>Number:         49086
>Category:       kern
>Synopsis:       [patch] Make ipfw2 log to different syslog priorities
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 10 12:10:03 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Simon L. Nielsen
>Release:        FreeBSD 4.8-RC i386
>Organization:
>Environment:
>Description:
This adds extra functionality to ipfw2 so it can log to different syslog priorities per rule. Sample use:

# ipfw add deny log logprio local0.debug udp from any to me 137-140

The default behavior if logprio is not specified is unaltered. A few minor parts of the patch were "borrowed" from src/usr.bin/logger/.
>How-To-Repeat:
>Fix:
Patch for -CURRENT:

This is the same patch as the one I posted to the freebsd-ipfw mailing list on 9 Mar 2003.

--- ipfw2-syslog.patch.3 begins here --- Index: sys/netinet/ip_fw2.c =================================================================== RCS file: /data/mirror/freebsd/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.27 diff -u -d -r1.27 ip_fw2.c --- sys/netinet/ip_fw2.c 19 Feb 2003 05:47:34 -0000 1.27 +++ sys/netinet/ip_fw2.c 5 Mar 2003 21:54:34 -0000 @@ -418,6 +418,7 @@ char *action; int limit_reached = 0; char action2[40], proto[48], fragment[28]; + int log_prio = LOG_SECURITY | LOG_INFO; fragment[0] = '\0'; proto[0] = '\0'; @@ -442,6 +443,7 @@ if (cmd->opcode == O_PROB) cmd += F_LEN(cmd); + log_prio = (int) l->prio; action = action2; switch (cmd->opcode) { case O_DENY:
@@ -577,7 +579,7 @@ (ip_off & IP_MF) ? "+" : ""); } if (oif || m->m_pkthdr.rcvif) - log(LOG_SECURITY | LOG_INFO, + log(log_prio, "ipfw: %d %s %s %s via %s%d%s\n", f ? f->rulenum : -1, action, proto, oif ? "out" : "in", @@ -585,7 +587,7 @@ oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit, fragment); else - log(LOG_SECURITY | LOG_INFO, + log(log_prio, "ipfw: %d %s %s [no if info]%s\n", f ? f->rulenum : -1, action, proto, fragment); Index: sys/netinet/ip_fw.h =================================================================== RCS file: /data/mirror/freebsd/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.75 diff -u -d -r1.75 ip_fw.h --- sys/netinet/ip_fw.h 24 Oct 2002 22:32:13 -0000 1.75 +++ sys/netinet/ip_fw.h 5 Mar 2003 21:54:34 -0000 @@ -246,6 +246,7 @@ ipfw_insn o; u_int32_t max_log; /* how many do we log -- 0 = all */ u_int32_t log_left; /* how many left to log */ + u_int32_t prio; /* the level / facility to log to */ } ipfw_insn_log; /* Index: sbin/ipfw/ipfw2.c =================================================================== RCS file: /data/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.21 diff -u -d -r1.21 ipfw2.c --- sbin/ipfw/ipfw2.c 12 Jan 2003 03:31:10 -0000 1.21 +++ sbin/ipfw/ipfw2.c 6 Mar 2003 23:55:14 -0000 @@ -43,6 +43,8 @@ #include #include #include +#define SYSLOG_NAMES +#include #include #include 
@@ -346,6 +348,70 @@ { NULL, 0 } }; +int slogpenc(char *s); +int slogdec(char *name, CODE *codetab); +const char* slogpdec(int num, CODE *codetab); + + +/** + * slogpenc encodes a symbolic name syslog facility / priority name to a + * numeric value + */ +int +slogpenc(char *s) +{ + char *save; + int fac, lev; + + for (save = s; *s && *s != '.'; ++s); + if (*s) { + *s = '\0'; + fac = slogdec(save, facilitynames); + if (fac < 0) + errx(1, "unknown facility name: %s", save); + *s++ = '.'; + } + else { + fac = LOG_SECURITY; + s = save; + } + lev = slogdec(s, prioritynames); + if (lev < 0) + errx(1, "unknown priority name: %s", save); + return ((lev & LOG_PRIMASK) | (fac & LOG_FACMASK)); +} + +int +slogdec(char *name, CODE *codetab) +{ + CODE *c; + + if (isdigit(*name)) + return (atoi(name)); + + for (c = codetab; c->c_name; c++) + if (!strcasecmp(name, c->c_name)) + return (c->c_val); + + return (-1); +} + +/** + * slogpdec translates a log facility and priority to its symbolic name + */ +const char* +slogpdec(int num, CODE *codetab) +{ + CODE *c; + + for (c = codetab; c->c_name; c++) + if (num == c->c_val) + return c->c_name; + + return NULL; +} + + /** * match_token takes a table and a string, returns the value associated * with the string (0 meaning an error in most cases) @@ -934,10 +1000,13 @@ } } if (logptr) { + printf(" log"); if (logptr->max_log > 0) - printf(" log logamount %d", logptr->max_log); - else - printf(" log"); + printf(" logamount %d", logptr->max_log); + if (logptr->prio != (LOG_SECURITY | LOG_INFO)) + printf(" logprio %s.%s", + slogpdec(logptr->prio & LOG_FACMASK, facilitynames), + slogpdec(LOG_PRI(logptr->prio), prioritynames)); } /* @@ -1695,7 +1764,7 @@ { fprintf(stderr, "ipfw syntax summary:\n" -"ipfw add [N] [prob {0..1}] ACTION [log [logamount N]] ADDR OPTIONS\n" +"ipfw add [N] [prob {0..1}] ACTION LOG ADDR OPTIONS\n" "ipfw {pipe|queue} N config BODY\n" "ipfw [pipe] {zero|delete|show} [N{,N}]\n" "\n" 
@@ -1710,6 +1779,7 @@ " [ from IPLIST [ PORT ] to IPLIST [ PORTLIST ] ]\n" "IPLIST: IPADDR | ( IPADDR or ... or IPADDR )\n" "IPADDR: [not] { any | me | ip | ip/bits | ip:mask | ip/bits{x,y,z} }\n" +"LOG: [log [logamount N] [logprio [facility.]level]]\n" "OPTION_LIST: OPTION [,OPTION_LIST]\n" ); exit(0); @@ -2638,7 +2708,7 @@ action = next_cmd(action); /* - * [log [logamount N]] -- log, optional + * [log [logamount N] [logprio [facility.]level]] -- log, optional * * If exists, it goes first in the cmdbuf, but then it is * skipped in the copy section to the end of the buffer. @@ -2648,6 +2718,7 @@ cmd->len = F_INSN_SIZE(ipfw_insn_log); cmd->opcode = O_LOG; + c->prio = LOG_SECURITY | LOG_INFO; av++; ac--; if (ac && !strncmp(*av, "logamount", strlen(*av))) { ac--; av++; @@ -2655,6 +2726,12 @@ c->max_log = atoi(*av); if (c->max_log < 0) errx(EX_DATAERR, "logamount must be positive"); + ac--; av++; + } + if (ac && !strncmp(*av, "logprio", strlen(*av))) { + ac--; av++; + NEED1("logprio requires argument"); + c->prio = (u_int32_t) slogpenc(*av); ac--; av++; } cmd = next_cmd(cmd); Index: sbin/ipfw/ipfw.8 =================================================================== RCS file: /data/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.121 diff -u -d -r1.121 ipfw.8 --- sbin/ipfw/ipfw.8 3 Mar 2003 22:46:36 -0000 1.121 +++ sbin/ipfw/ipfw.8 9 Mar 2003 12:30:45 -0000 @@ -395,7 +395,10 @@ .Op Cm prob Ar match_probability .br .Ar " " action -.Op Cm log Op Cm logamount Ar number +.Oo +.Cm log Op Cm logamount Ar number +.Op logprio Ar pri +.Oc .Ar body .Ed .Pp 
@@ -478,13 +481,15 @@ .Pp Note: this condition is checked before any other condition, including ones such as keep-state or check-state which might have side effects. -.It Cm log Op Cm logamount Ar number +.It Cm log Op Cm logamount Ar number Xo +.Op Cm logprio Ar pri +.Xc When a packet matches a rule with the .Cm log keyword, a message will be logged to .Xr syslogd 8 -with a +by default with a .Dv LOG_SECURITY facility. The logging only occurs if the sysctl variable @@ -501,6 +506,20 @@ is specified, the limit is taken from the sysctl variable .Em net.inet.ip.fw.verbose_limit . In both cases, a value of 0 removes the logging limit. +The +.Cm logprio +parameter can be set to change the default syslog priority. +The priority may be specified numerically or as a +.Dq facility.level +pair. +For example, +.Dq Cm logprio No local3.info +logs the messages as +.Ar info Ns rmational +level in the +.Ar local3 +facility. The facility may be omitted and it then defaults to +.Dv LOG_SECURITY . .Pp Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for that entry, see the @@ -510,6 +529,11 @@ Note: logging is done after all other packet matching conditions have been successfully verified, and before performing the final action (accept, deny, etc.) on the packet. +.Pp +Note: The message +.Dq limit reached on entry +is always logged to +.Dq security.notice . .El .Ss RULE ACTIONS A rule can be associated with one of the following actions, which --- ipfw2-syslog.patch.3 ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
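Review bot: in the ip_fw2.c hunk at -442, the kernel takes the priority straight from the userland instruction (`log_prio = (int) l->prio;`) with no check anywhere in the visible diff, so a value with bits outside LOG_PRIMASK | LOG_FACMASK, or a zero in a rule whose prio field was never filled in, reaches log() unfiltered. Mask it, e.g. `log_prio = l->prio & (LOG_PRIMASK | LOG_FACMASK);`, and fall back to the initial `LOG_SECURITY | LOG_INFO` when the field is 0, so rules installed without logprio keep logging where they always did.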
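Review bot: the ip_fw.h hunk grows `ipfw_insn_log` by a `u_int32_t prio`, which changes the size of the O_LOG instruction that /sbin/ipfw and the kernel exchange, so a userland and kernel built on opposite sides of this change will disagree on F_INSN_SIZE(ipfw_insn_log) and rules with `log` will stop loading. State the matching kernel/userland rebuild requirement in the commit message (and UPDATING) rather than leaving users to discover it from a failed rule load.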
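Review bot: in the ipfw2.c hunk at -346, slogdec() accepts any numeric token via `atoi()` with no range check, so `logprio local0.99` is silently reduced by `lev & LOG_PRIMASK` to local0.err instead of being rejected, and a numeric facility is interpreted as the already shifted encoded value rather than the facility number. Parse with `strtol` plus an end-pointer check and reject values with bits outside the relevant mask; also cast the argument of `isdigit(*name)` to `unsigned char`, and use `errx(EX_DATAERR, ...)` like the rest of the parser (compare `errx(EX_DATAERR, "logamount must be positive")` later in the same file) instead of `errx(1, ...)`.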
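Review bot: in the ipfw2.c hunk at -934, slogpdec() returns NULL whenever a value has no entry in the table (any numeric facility or level that slogdec() accepted but that has no name), and that NULL is handed directly to `printf(" logprio %s.%s", ...)`; at best `ipfw show` prints `(null)` that cannot be fed back to `ipfw add`, at worst it is undefined behaviour. Print the raw number when either lookup fails so that saved rule sets round-trip.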
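Review bot: in the ipfw2.c hunk at -2655, the new `logprio` block is only reached after the optional `logamount` block, so `log logprio local0.debug logamount 10` fails to parse while the reverse order works; this matches the synopsis order, but either document that the order is fixed or parse the two keywords in a loop so both orders are accepted.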
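Review bot: in the ipfw.8 hunk at -395, `.Op logprio Ar pri` is missing the `.Cm` macro that every other keyword in the synopsis carries (`.Cm log Op Cm logamount Ar number` on the line above it, and `.Op Cm logprio Ar pri` in the description hunk at -478), so `logprio` renders in the wrong font there; change it to `.Op Cm logprio Ar pri`.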
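Review bot: in the ipfw.8 hunk at -501, `.Ar info Ns rmational` glues a rendered argument to trailing plain text to produce "informational", which italicises half a word and is hard to read in the source; write `informational` as plain text. Since the kernel default in this patch is `LOG_SECURITY | LOG_INFO`, it would also help to state the default as `security.info` here, next to the `security.notice` that the -510 hunk documents for the "limit reached" message.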