Date: Sun, 9 Mar 2003 16:38:58 +0100 From: "Simon L. Nielsen" <simon@nitro.dk> To: freebsd-ipfw@freebsd.org Subject: Request for commets: ipfw2 syslog patch Message-ID: <20030309153857.GA17210@nitro.dk>
--i0/AhcQY5QxfSsSZ Content-Type: multipart/mixed; boundary="NzB8fVQJ5HfG6fxh" Content-Disposition: inline --NzB8fVQJ5HfG6fxh Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello I have now completed the patch to make ipfw2 log to different syslog priorities. I have tested it under -CURRENT and -STABLE on i386 where it works fine. I would like to get comments before submitting it as a PR. The usage is quite simple : # ipfw add deny log logprio local0.debug udp from any to me 137-140 The patch does not change the default behavior of ipfw. Therefor it also still logs all 'limit reached on entry' messages to security.notice (the default for the main packet log messages is security.info). I think it would be better if 'limit reached' messages where logged with the same priority as the actual ipfw packet log messages. That would require changing the current behavior for packets with the default log priority which might not be a good idea? (POLA) A patch for 4-STABLE can be found on http://simon.nitro.dk/freebsd/ . A few minor parts of the patch was "borrowed" from src/usr.bin/logger/. --=20 Simon L. Nielsen --NzB8fVQJ5HfG6fxh Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ipfw2-syslog.patch.3" Content-Transfer-Encoding: quoted-printable
Index: sys/netinet/ip_fw2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /data/mirror/freebsd/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.27
diff -u -d -r1.27 ip_fw2.c
--- sys/netinet/ip_fw2.c 19 Feb 2003 05:47:34 -0000 1.27
+++ sys/netinet/ip_fw2.c 5 Mar 2003 21:54:34 -0000
@@ -418,6 +418,7 @@
 char *action;
 int limit_reached =3D 0;
 char action2[40], proto[48], fragment[28];
+ int log_prio =3D LOG_SECURITY | LOG_INFO;
=20
 fragment[0] =3D '\0';
 proto[0] =3D '\0';
@@ -442,6 +443,7 @@
 if (cmd->opcode =3D=3D O_PROB)
 cmd +=3D F_LEN(cmd);
=20
+ log_prio =3D (int) l->prio;
 action =3D action2;
 switch (cmd->opcode) {
 case O_DENY:
@@ -577,7 +579,7 @@
 (ip_off & IP_MF) ? "+" : "");
 }
 if (oif || m->m_pkthdr.rcvif)
- log(LOG_SECURITY | LOG_INFO,
+ log(log_prio,
 "ipfw: %d %s %s %s via %s%d%s\n",
 f ? f->rulenum : -1,
 action, proto, oif ? "out" : "in",
@@ -585,7 +587,7 @@
 oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit,
 fragment);
 else
- log(LOG_SECURITY | LOG_INFO,
+ log(log_prio,
 "ipfw: %d %s %s [no if info]%s\n",
 f ? f->rulenum : -1, action, proto, fragment);
Index: sys/netinet/ip_fw.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /data/mirror/freebsd/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.75
diff -u -d -r1.75 ip_fw.h
--- sys/netinet/ip_fw.h 24 Oct 2002 22:32:13 -0000 1.75
+++ sys/netinet/ip_fw.h 5 Mar 2003 21:54:34 -0000
@@ -246,6 +246,7 @@
 ipfw_insn o;
 u_int32_t max_log; /* how many do we log -- 0 =3D all */
 u_int32_t log_left; /* how many left to log */
+ u_int32_t prio; /* the level / facility to log to */
 } ipfw_insn_log;
=20
 /*
Index: sbin/ipfw/ipfw2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /data/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.21
diff -u -d -r1.21 ipfw2.c
--- sbin/ipfw/ipfw2.c 12 Jan 2003 03:31:10 -0000 1.21
+++ sbin/ipfw/ipfw2.c 6 Mar 2003 23:55:14 -0000
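Review bot: `log_prio = (int) l->prio;` in the second hunk passes the rule's prio field to log() unmasked, so whatever value the rule was installed with reaches the kernel logger verbatim; the only validation visible in this diff is on the ipfw(8) side, and any privileged caller of the rule-installation interface, not just ipfw(8), can submit an O_LOG instruction with arbitrary bits (the kernel-side rule check is outside the hunk, so I cannot confirm it constrains the field). Masking at the point of use keeps the kernel independent of userland's parser, `log_prio = (int)(l->prio & (LOG_PRIMASK | LOG_FACMASK));`, and the same masked value is what the third and fourth hunks then hand to log(). Since the default in the first hunk is `LOG_SECURITY | LOG_INFO`, a comment there such as `/* overridden from the O_LOG instruction below; f == NULL keeps the default */` would also record why the local exists. The enclosing function starts and ends outside these hunks.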
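Review bot: The new `u_int32_t prio;` member grows ipfw_insn_log, and both sides of the diff size O_LOG instructions from that structure (the ipfw2.c hunk sets `cmd->len = F_INSN_SIZE(ipfw_insn_log)`), so a kernel and ipfw(8) built from different revisions will presumably disagree on the instruction length and reject each other's rules; that deserves a line in the header comment, e.g. `/* the level / facility to log to; changes the O_LOG instruction size, rebuild kernel and ipfw(8) together */`. The comment could also state the encoding the field is expected to hold (the `LOG_PRIMASK | LOG_FACMASK` form produced by slogpenc in the ipfw2.c hunk), since the kernel reads it directly. The struct's remaining members and the enclosing declarations are outside the hunk.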
@@ -43,6 +43,8 @@
 #include <timeconv.h>
 #include <unistd.h>
 #include <sysexits.h>
+#define SYSLOG_NAMES
+#include <syslog.h>
=20
 #include <net/if.h>
 #include <netinet/in.h>
@@ -346,6 +348,70 @@
 { NULL, 0 }
 };
=20
+int slogpenc(char *s);
+int slogdec(char *name, CODE *codetab);
+const char* slogpdec(int num, CODE *codetab);
+
+
+/**
+ * slogpenc encodes a symbolic name syslog facility / priority name to a
+ * numeric value
+ */
+int
+slogpenc(char *s)
+{
+ char *save;
+ int fac, lev;
+
+ for (save =3D s; *s && *s !=3D '.'; ++s);
+ if (*s) {
+ *s =3D '\0';
+ fac =3D slogdec(save, facilitynames);
+ if (fac < 0)
+ errx(1, "unknown facility name: %s", save);
+ *s++ =3D '.';
+ }
+ else {
+ fac =3D LOG_SECURITY;
+ s =3D save;
+ }
+ lev =3D slogdec(s, prioritynames);
+ if (lev < 0)
+ errx(1, "unknown priority name: %s", save);
+ return ((lev & LOG_PRIMASK) | (fac & LOG_FACMASK));
+}
+
+int
+slogdec(char *name, CODE *codetab)
+{
+ CODE *c;
+
+ if (isdigit(*name))
+ return (atoi(name));
+
+ for (c =3D codetab; c->c_name; c++)
+ if (!strcasecmp(name, c->c_name))
+ return (c->c_val);
+
+ return (-1);
+}
+
+/**
+ * slogpdec translates a log facility and priority to its symbolic name
+ */
+const char*
+slogpdec(int num, CODE *codetab)
+{
+ CODE *c;
+
+ for (c =3D codetab; c->c_name; c++)
+ if (num =3D=3D c->c_val)
+ return c->c_name;
+
+ return NULL;
+}
+
+=09
 /**
 * match_token takes a table and a string, returns the value associated
 * with the string (0 meaning an error in most cases)
@@ -934,10 +1000,13 @@
 }
 }
 if (logptr) {
+ printf(" log");
 if (logptr->max_log > 0)
- printf(" log logamount %d", logptr->max_log);
- else
- printf(" log");
+ printf(" logamount %d", logptr->max_log);
+ if (logptr->prio !=3D (LOG_SECURITY | LOG_INFO))
+ printf(" logprio %s.%s",
+ slogpdec(logptr->prio & LOG_FACMASK, facilitynames),
+ slogpdec(LOG_PRI(logptr->prio), prioritynames));
 }
=20
 /*
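Review bot: In slogdec, `if (isdigit(*name)) return (atoi(name));` accepts any string that merely starts with a digit, so `3x`, `7.` or an out-of-range number is silently turned into a code instead of being reported, and passing a plain `char` to isdigit() is undefined for negative values on platforms where char is signed. Parsing with strtol and rejecting trailing characters and values outside the `LOG_PRIMASK | LOG_FACMASK` range lets the existing `< 0` checks in slogpenc report the bad input. Separately, both error exits in slogpenc use `errx(1, ...)` while the rest of this file uses sysexits codes (the hunk itself includes <sysexits.h>, and the logamount check elsewhere in the diff uses `errx(EX_DATAERR, ...)`), so `EX_DATAERR` would be consistent; and unless the helpers are meant to be used from other files, which the diff does not show, all three should be `static`.
```c
int
slogdec(char *name, CODE *codetab)
{
	CODE *c;

	if (isdigit((unsigned char)*name)) {
		char *end;
		long v = strtol(name, &end, 10);

		/* reject trailing junk and values that cannot be a valid code */
		if (*end != '\0' || v < 0 || v > (LOG_PRIMASK | LOG_FACMASK))
			return (-1);
		return ((int)v);
	}
	/* … unchanged: case-insensitive lookup in codetab … */
```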
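Review bot: The `printf(" logprio %s.%s", ...)` in the last hunk feeds the return values of slogpdec straight to `%s`, but slogpdec returns NULL for any code that has no entry in its table, and printing NULL through `%s` is undefined behaviour. The rule being listed comes back from the kernel with whatever prio it was installed with, so unless the kernel rejects unknown codes (not visible in this diff) a facility or level value outside the name tables is reachable here. A numeric fallback keeps the output parseable by slogpenc, which already accepts digits for both halves. The enclosing print function starts and ends outside the hunk.
```c
		if (logptr->prio != (LOG_SECURITY | LOG_INFO)) {
			const char *facname = slogpdec(logptr->prio & LOG_FACMASK, facilitynames);
			const char *levname = slogpdec(LOG_PRI(logptr->prio), prioritynames);

			/* fall back to numeric form when a code has no symbolic name */
			if (facname != NULL && levname != NULL)
				printf(" logprio %s.%s", facname, levname);
			else
				printf(" logprio %u.%u",
				    (unsigned)(logptr->prio & LOG_FACMASK),
				    (unsigned)LOG_PRI(logptr->prio));
		}
```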
@@ -1695,7 +1764,7 @@
 {
=20
 fprintf(stderr, "ipfw syntax summary:\n"
-"ipfw add [N] [prob {0..1}] ACTION [log [logamount N]] ADDR OPTIONS\n"
+"ipfw add [N] [prob {0..1}] ACTION LOG ADDR OPTIONS\n"
 "ipfw {pipe|queue} N config BODY\n"
 "ipfw [pipe] {zero|delete|show} [N{,N}]\n"
 "\n"
@@ -1710,6 +1779,7 @@
 " [ from IPLIST [ PORT ] to IPLIST [ PORTLIST ] ]\n"
 "IPLIST: IPADDR | ( IPADDR or ... or IPADDR )\n"
 "IPADDR: [not] { any | me | ip | ip/bits | ip:mask | ip/bits{x,y,z} }\n"
+"LOG: [log [logamount N] [logprio [facility.]level]]\n"
 "OPTION_LIST: OPTION [,OPTION_LIST]\n"
 );
 exit(0);
@@ -2638,7 +2708,7 @@
 action =3D next_cmd(action);
=20
 /*
- * [log [logamount N]] -- log, optional
+ * [log [logamount N] [logprio [facility.]level]] -- log, optional
 *
 * If exists, it goes first in the cmdbuf, but then it is
 * skipped in the copy section to the end of the buffer.
@@ -2648,6 +2718,7 @@
=20
 cmd->len =3D F_INSN_SIZE(ipfw_insn_log);
 cmd->opcode =3D O_LOG;
+ c->prio =3D LOG_SECURITY | LOG_INFO;
 av++; ac--;
 if (ac && !strncmp(*av, "logamount", strlen(*av))) {
 ac--; av++;
@@ -2655,6 +2726,12 @@
 c->max_log =3D atoi(*av);
 if (c->max_log < 0)
 errx(EX_DATAERR, "logamount must be positive");
+ ac--; av++;
+ }
+ if (ac && !strncmp(*av, "logprio", strlen(*av))) {
+ ac--; av++;
+ NEED1("logprio requires argument");
+ c->prio =3D (u_int32_t) slogpenc(*av);
 ac--; av++;
 }
 cmd =3D next_cmd(cmd);
Index: sbin/ipfw/ipfw.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /data/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.121
diff -u -d -r1.121 ipfw.8
--- sbin/ipfw/ipfw.8 3 Mar 2003 22:46:36 -0000 1.121
+++ sbin/ipfw/ipfw.8 9 Mar 2003 12:30:45 -0000
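Review bot: In the last hunk, `if (ac && !strncmp(*av, "logprio", strlen(*av)))` compares only as many characters as the user typed, so `l`, `lo` and `log` all count as the keyword; because the logamount test just above it uses the same idiom and runs first, those abbreviations always select logamount and a mistyped `logpri` style prefix can never reach this branch, failing later with an unrelated message. Mirroring the existing test is consistent with the file, but an exact match, `if (ac && !strcmp(*av, "logprio")) {`, or routing both keywords through the file's match_token lookup (its header comment is visible in an earlier hunk) removes the ambiguity without changing accepted input. The two branches also fix the order as logamount-then-logprio, which the usage text in the first hunks documents, so a one-line comment `/* keywords are accepted in this order only, matching the usage summary */` above the logamount test would make that deliberate. The enclosing parse function starts and ends outside the hunk.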
@@ -395,7 +395,10 @@ .Op Cm prob Ar match_probability .br .Ar " " action -.Op Cm log Op Cm logamount Ar number +.Oo +.Cm log Op Cm logamount Ar number +.Op logprio Ar pri +.Oc .Ar body .Ed .Pp @@ -478,13 +481,15 @@ .Pp Note: this condition is checked before any other condition, including ones such as keep-state or check-state which might have side effects. -.It Cm log Op Cm logamount Ar number +.It Cm log Op Cm logamount Ar number Xo +.Op Cm logprio Ar pri +.Xc When a packet matches a rule with the .Cm log keyword, a message will be logged to .Xr syslogd 8 -with a +by default with a .Dv LOG_SECURITY facility. The logging only occurs if the sysctl variable @@ -501,6 +506,20 @@ is specified, the limit is taken from the sysctl variable .Em net.inet.ip.fw.verbose_limit . In both cases, a value of 0 removes the logging limit. +The +.Cm logprio +parameter can be set to change the default syslog priority. +The priority may be specified numerically or as a=20 +.Dq facility.level +pair. +For example, +.Dq Cm logprio No local3.info +logs the messages as +.Ar info Ns rmational +level in the +.Ar local3 +facility. The facility may be omitted and it then defaults to +.Dv LOG_SECURITY . .Pp Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for that entry, see the 
@@ -510,6 +529,11 @@ Note: logging is done after all other packet matching conditions have been successfully verified, and before performing the final action (accept, deny, etc.) on the packet. +.Pp +Note: The message +.Dq limit reached on entry +is always logged to +.Dq security.notice . .El .Ss RULE ACTIONS A rule can be associated with one of the following actions, which --NzB8fVQJ5HfG6fxh-- --i0/AhcQY5QxfSsSZ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+a2AR8kocFXgPTRwRAlJIAJ4lJkNZen28lCBocmlF8f2eTJRYFwCgg2kn IwN24og3LQM0hXdKiv+JKhA= =b5VP -----END PGP SIGNATURE----- --i0/AhcQY5QxfSsSZ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message