Date: Fri, 22 Jun 2001 20:06:34 +0900 From: Jun Kuriyama <kuriyama@imgsrc.co.jp> To: Current <FreeBSD-current@FreeBSD.org> Subject: [patch] netinet6/ip6_fw.c: use syslog for logging Message-ID: <7m8zikeptx.wl@waterblue.imgsrc.co.jp>
[-- Attachment #1 --]
I found that logs from ipfw(8) and ip6fw(8) are stored in different places.
The former go to <security.info> via syslog(3), but the latter go
to <kern.crit> via the kernel printf().
The reason for this difference is a missing "merge from
ip_fw.c". I hope this patch will be a first step toward synchronizing
ip_fw.c and ip6_fw.c.
So, I made a patch to merge the difference revision 1.117 and 1.118 of
ip_fw.c into ip6_fw.c to use syslog(3) interface for ip6fw(8) logging.
Please review this patch carefully because I'm not kernel hacker.
--
Jun Kuriyama <kuriyama@imgsrc.co.jp> // IMG SRC, Inc.
<kuriyama@FreeBSD.org> // FreeBSD Project
[-- Attachment #2 --]
Index: ip6_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_fw.c,v
retrieving revision 1.11
diff -u -r1.11 ip6_fw.c
--- ip6_fw.c 2001/06/11 12:39:05 1.11
+++ ip6_fw.c 2001/06/22 10:12:29
@@ -41,6 +41,7 @@
#include <sys/kernel.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
+#include <sys/syslog.h>
#include <sys/time.h>
#include <net/if.h>
#include <net/route.h>
@@ -93,11 +94,11 @@
SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw6_verbose_limit, 0, "");
#endif
-#define dprintf(a) if (!fw6_debug); else printf a
-
-#define print_ip6(a) printf("[%s]", ip6_sprintf(a))
-
-#define dprint_ip6(a) if (!fw6_debug); else print_ip6(a)
+#define dprintf(a) do { \
+ if (fw6_debug) \
+ printf a; \
+ } while (0)
+#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
static int add_entry6 __P((struct ip6_fw_head *chainptr, struct ip6_fw *frwl));
static int del_entry6 __P((struct ip6_fw_head *chainptr, u_short number));
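Review bot: The new `SNPARGS` macro expands `buf` and `len` without parentheses and compares `sizeof(buf)` (a `size_t`) with an `int` length, yet it is the only thing bounding the writes into the stack buffers used by the logging code later in this patch. Parenthesizing the arguments, as in `#define SNPARGS(buf, len) (buf) + (len), sizeof(buf) > (len) ? sizeof(buf) - (len) : 0`, would make it safe against expression arguments. A short comment such as `/* buf must be a true array, not a pointer: sizeof(buf) is the bound */` would also help, because passing a pointer would silently bound the write by the pointer size instead.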
@@ -332,93 +333,114 @@
struct udphdr *const udp = (struct udphdr *) ((caddr_t) ip6+ off);
struct icmp6_hdr *const icmp6 = (struct icmp6_hdr *) ((caddr_t) ip6+ off);
int count;
+ char *action;
+ char action2[32], proto[102], name[18];
+ int len;
count = f ? f->fw_pcnt : ++counter;
if (fw6_verbose_limit != 0 && count > fw6_verbose_limit)
return;
/* Print command name */
- printf("ip6fw: %d ", f ? f->fw_number : -1);
+ snprintf(SNPARGS(name, 0), "ip6fw: %d", f ? f->fw_number : -1);
+
+ action = action2;
if (!f)
- printf("Refuse");
- else
+ action = "Refuse";
+ else {
switch (f->fw_flg & IPV6_FW_F_COMMAND) {
case IPV6_FW_F_DENY:
- printf("Deny");
+ action = "Deny";
break;
case IPV6_FW_F_REJECT:
if (f->fw_reject_code == IPV6_FW_REJECT_RST)
- printf("Reset");
+ action = "Reset";
else
- printf("Unreach");
+ action = "Unreach";
break;
case IPV6_FW_F_ACCEPT:
- printf("Accept");
+ action = "Accept";
break;
case IPV6_FW_F_COUNT:
- printf("Count");
+ action = "Count";
break;
case IPV6_FW_F_DIVERT:
- printf("Divert %d", f->fw_divert_port);
+ snprintf(SNPARGS(action2, 0), "Divert %d",
+ f->fw_divert_port);
break;
case IPV6_FW_F_TEE:
- printf("Tee %d", f->fw_divert_port);
+ snprintf(SNPARGS(action2, 0), "Tee %d",
+ f->fw_divert_port);
break;
case IPV6_FW_F_SKIPTO:
- printf("SkipTo %d", f->fw_skipto_rule);
+ snprintf(SNPARGS(action2, 0), "SkipTo %d",
+ f->fw_skipto_rule);
break;
default:
- printf("UNKNOWN");
+ action = "UNKNOWN";
break;
}
- printf(" ");
+ }
switch (nxt) {
case IPPROTO_TCP:
- printf("TCP ");
- print_ip6(&ip6->ip6_src);
+ len = snprintf(SNPARGS(proto, 0), "TCP [%s]",
+ ip6_sprintf(&ip6->ip6_src));
if (off > 0)
- printf(":%d ", ntohs(tcp6->th_sport));
+ len += snprintf(SNPARGS(proto, len), ":%d ",
+ ntohs(tcp6->th_sport));
else
- printf(" ");
- print_ip6(&ip6->ip6_dst);
+ len += snprintf(SNPARGS(proto, len), " ");
+ len += snprintf(SNPARGS(proto, len), "[%s]",
+ ip6_sprintf(&ip6->ip6_dst));
if (off > 0)
- printf(":%d", ntohs(tcp6->th_dport));
+ snprintf(SNPARGS(proto, len), ":%d",
+ ntohs(tcp6->th_dport));
break;
case IPPROTO_UDP:
- printf("UDP ");
- print_ip6(&ip6->ip6_src);
+ len = snprintf(SNPARGS(proto, 0), "UDP [%s]",
+ ip6_sprintf(&ip6->ip6_src));
if (off > 0)
- printf(":%d ", ntohs(udp->uh_sport));
+ len += snprintf(SNPARGS(proto, len), ":%d ",
+ ntohs(udp->uh_sport));
else
- printf(" ");
- print_ip6(&ip6->ip6_dst);
+ len += snprintf(SNPARGS(proto, len), " ");
+ len += snprintf(SNPARGS(proto, len), "[%s]",
+ ip6_sprintf(&ip6->ip6_dst));
if (off > 0)
- printf(":%d", ntohs(udp->uh_dport));
+ snprintf(SNPARGS(proto, len), ":%d",
+ ntohs(udp->uh_dport));
break;
case IPPROTO_ICMPV6:
if (off > 0)
- printf("IPV6-ICMP:%u.%u ", icmp6->icmp6_type, icmp6->icmp6_code);
+ len = snprintf(SNPARGS(proto, 0), "IPV6-ICMP:%u.%u ",
+ icmp6->icmp6_type, icmp6->icmp6_code);
else
- printf("IPV6-ICMP ");
- print_ip6(&ip6->ip6_src);
- printf(" ");
- print_ip6(&ip6->ip6_dst);
+ len = snprintf(SNPARGS(proto, 0), "IPV6-ICMP ");
+ len = snprintf(SNPARGS(proto, len), "[%s]",
+ ip6_sprintf(&ip6->ip6_src));
+ snprintf(SNPARGS(proto, len), " [%s]",
+ ip6_sprintf(&ip6->ip6_dst));
break;
default:
- printf("P:%d ", nxt);
- print_ip6(&ip6->ip6_src);
- printf(" ");
- print_ip6(&ip6->ip6_dst);
+ len = snprintf(SNPARGS(proto, 0), "P:%d [%s]", nxt,
+ ip6_sprintf(&ip6->ip6_src));
+ snprintf(SNPARGS(proto, len), " [%s]",
+ ip6_sprintf(&ip6->ip6_dst));
break;
}
+
if (oif)
- printf(" out via %s", if_name(oif));
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s\n",
+ name, action, proto, if_name(oif));
else if (rif)
- printf(" in via %s", if_name(rif));
- printf("\n");
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s\n",
+ name, action, proto, if_name(rif));
+ else
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s",
+ name, action, proto);
if (fw6_verbose_limit != 0 && count == fw6_verbose_limit)
- printf("ip6fw: limit reached on rule #%d\n",
+ log(LOG_SECURITY | LOG_INFO, "ip6fw: limit reached on entry %d\n",
f ? f->fw_number : -1);
}
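Review bot: In the `IPPROTO_ICMPV6` case the write of the source address assigns `len =` instead of `len +=`, so `len` afterwards holds only the length of the bracketed source and the destination is written at that offset inside `proto`, on top of the text already formatted. The line should read `len += snprintf(SNPARGS(proto, len), "[%s]", ip6_sprintf(&ip6->ip6_src));`, matching the TCP and UDP cases. As written, ICMPv6 log records come out garbled and can lose the source address, which weakens the firewall's audit trail. Separately, the final `else` branch logs `"%s %s %s"` without the trailing `\n` that the other two branches and the old `printf("\n")` supplied; `"%s %s %s\n"` keeps records line-delimited. The function's opening lies outside this hunk.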
@@ -907,9 +929,11 @@
if (fw6_verbose) {
if (frwl)
- printf("ip6fw: Entry %d cleared.\n", frwl->fw_number);
+ log(LOG_SECURITY | LOG_NOTICE,
+ "ip6fw: Entry %d cleared.\n", frwl->fw_number);
else
- printf("ip6fw: Accounting cleared.\n");
+ log(LOG_SECURITY | LOG_NOTICE,
+ "ip6fw: Accounting cleared.\n");
}
return(0);
