From owner-p4-projects@FreeBSD.ORG Tue Jul 29 02:49:41 2008
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 0C8E41065689; Tue, 29 Jul 2008 02:49:41 +0000 (UTC)
Delivered-To: perforce@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C438D106567F for ; Tue, 29 Jul 2008 02:49:40 +0000 (UTC) (envelope-from diego@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id B8A5C8FC22 for ; Tue, 29 Jul 2008 02:49:40 +0000 (UTC) (envelope-from diego@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.2/8.14.2) with ESMTP id m6T2neFi032764 for ; Tue, 29 Jul 2008 02:49:40 GMT (envelope-from diego@FreeBSD.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.14.2/8.14.1/Submit) id m6T2ne2E032762 for perforce@freebsd.org; Tue, 29 Jul 2008 02:49:40 GMT (envelope-from diego@FreeBSD.org)
Date: Tue, 29 Jul 2008 02:49:40 GMT
Message-Id: <200807290249.m6T2ne2E032762@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to diego@FreeBSD.org using -f
From: Diego Giagio To: Perforce Change Reviews Cc: Subject: PERFORCE change 146176 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Jul 2008 02:49:41 -0000 http://perforce.freebsd.org/chv.cgi?CH=146176 Change 146176 by diego@diego_black on 2008/07/29 02:49:28 Add connection events auditing support to ipfw. Affected files ... .. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#6 edit .. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#12 edit .. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#9 edit Differences ... ==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#6 (text+ko) ==== @@ -1230,6 +1230,15 @@ break; case BOTH_SYN: /* move to established */ + if (IS_IP6_FLOW_ID(pkt)) { + AUDIT_CALL(audit_ipfw_flow6_begin(&pkt->src_ip6, + pkt->src_port, &pkt->dst_ip6, + pkt->dst_port, 0)); + } else { + AUDIT_CALL(audit_ipfw_flow4_begin(pkt->src_ip, + pkt->src_port, pkt->dst_ip, pkt->dst_port, + 0)); + } case BOTH_SYN | TH_FIN : /* one side tries to close */ case BOTH_SYN | (TH_FIN << 8) : if (tcp) { ==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#12 (text) ==== @@ -135,6 +135,11 @@ void audit_ipfw_addtable(u_int table, int error); void audit_ipfw_deltable(u_int table, int error); void audit_ipfw_flushtable(u_int table, int error); +void audit_ipfw_flow4_begin(u_int32_t src, u_int16_t src_port, + u_int32_t dst, u_int16_t dst_port, int error); +struct in6_addr; +void audit_ipfw_flow6_begin(struct in6_addr *src, u_int16_t src_port, + struct in6_addr *dst, u_int16_t dst_port, int error); void audit_pf_enable(int error); void audit_pf_disable(int error); ==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#9 (text+ko) ==== 
@@ -34,6 +34,7 @@ #include #include #include +#include #include @@ -320,3 +321,46 @@ audit_commit(ar, error, 0); } +static void +addr_to_sin(u_int32_t addr, struct sockaddr_in *sin) +{ + sin->sin_len = sizeof(struct sockaddr_in); + sin->sin_family = PF_INET; + sin->sin_port = 0; + sin->sin_addr.s_addr = addr; +} + +void +audit_ipfw_flow4_begin(u_int32_t src, u_int16_t src_port, u_int32_t dst, + u_int16_t dst_port, int error) +{ + struct kaudit_record *ar; + struct sockaddr_in lsin; + struct sockaddr_in rsin; + + ar = audit_begin(AUE_PFIL_FLOW_BEGIN, curthread); + if (ar == NULL) + return; + + /* XXXDG: need to check which address is local. for now, we're + * assuming src address is local. + * + * TODO: check MATCH_FORWARD / MATCH_REVERSE on ip_fw2.c + */ + addr_to_sin(src, &lsin); + addr_to_sin(dst, &rsin); + + audit_record_arg_text(ar, "ipfw"); + audit_record_arg_socket_ex(ar, PF_INET, SOCK_STREAM, src_port, dst_port, + (struct sockaddr*)&lsin, (struct sockaddr*)&rsin); + audit_commit(ar, error, 0); +} + +void +audit_ipfw_flow6_begin(struct in6_addr *src, u_int16_t src_port, + struct in6_addr *dst, u_int16_t dst_port, int error) +{ + /* XXXDG: implement IPv6 support. + */ +} +
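Review bot: in the ip_fw2.c hunk, the new `if (IS_IP6_FLOW_ID(pkt)) ... else ...` block under `case BOTH_SYN:` ends without a `break`, so control falls into `case BOTH_SYN | TH_FIN :`. That fall-through is the pre-existing behaviour (the three labels shared one body before this change), but now that there is code between the labels it needs a `/* FALLTHROUGH */` comment, as style(9) asks, so the next reader does not mistake it for a missing `break`. Also confirm that `case BOTH_SYN` is reached only once per dynamic rule: if this switch runs on the accumulated state for every packet that matches the rule, an established connection stays in BOTH_SYN until a FIN or RST is seen and the hunk would emit one AUE_PFIL_FLOW_BEGIN record per packet rather than per connection. Auditing on the transition out of TH_SYN, or recording in the dynamic rule that the flow has already been audited, bounds the record rate; an unbounded per-packet audit path is a trivial audit-trail flooding vector.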
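Review bot: in the audit.h hunk, the prototypes for audit_ipfw_flow4_begin() and audit_ipfw_flow6_begin() do not state the byte order of `src`, `dst`, `src_port` and `dst_port`, nor which endpoint the caller must pass as `src`. The ip_fw2.c caller hands over raw `ipfw_flow_id` fields, and the IPv4 implementation copies `src` straight into `sin_addr.s_addr`, which every consumer of a `struct sockaddr_in` reads as network order; if the flow id keeps its fields in any other order, the records will silently carry byte-swapped addresses and nothing in the audit trail will look wrong. Add a comment above the prototypes fixing the contract (byte order, and that `src` is the initiating side of the flow), and make the IPv6 parameters `const struct in6_addr *`, since the callee must not modify the packet's addresses.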
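Review bot: in the audit_pfil.c hunk, audit_ipfw_flow6_begin() is an empty stub, so with the ip_fw2.c call site already in place an IPv6 connection passes through `case BOTH_SYN` and leaves no audit record at all, while the IPv4 path records one. If IPv6 cannot be finished in this change, the stub should at least call audit_begin(), audit_record_arg_text(ar, "ipfw") and audit_commit() so the event is visible even with the addresses missing, or the ip_fw2.c call should be held back until both families are implemented; a silent gap for one address family is the first thing an attacker picks. Two smaller points: the XXXDG comment assumes `src` is local, but the caller already knows the match direction (the TODO names MATCH_FORWARD/MATCH_REVERSE), so passing that direction as an argument removes the guess rather than deferring it; and addr_to_sin() should set `sin_family = AF_INET` rather than `PF_INET` (same value today, but `sin_family` is an address family, not a protocol family). Finally, `audit_begin(AUE_PFIL_FLOW_BEGIN, curthread)` attributes the record to whichever thread happens to be running the firewall at packet time, which for inbound traffic is a kernel thread and for outbound traffic is the sending process; check that audit_begin() copes with a kernel thread as subject and that the record is marked as kernel-originated rather than presented as an action of that process.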