PERFORCE change 148573 for review
Diego Giagio
diego at FreeBSD.org
Wed Aug 27 02:26:34 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=148573
Change 148573 by diego at diego_black on 2008/08/27 02:25:54
Kernel-land part of 'audit' keyword support for ipfw.
Affected files ...
.. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw.h#5 edit
.. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#10 edit
Differences ...
==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw.h#5 (text+ko) ====
@@ -102,7 +102,7 @@
O_PROBE_STATE, /* none */
O_KEEP_STATE, /* none */
- //O_AUDIT, /* none */
+ O_AUDIT, /* none */
O_LIMIT, /* ipfw_insn_limit */
O_LIMIT_PARENT, /* dyn_type, not an opcode. */
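Review bot: Enabling `O_AUDIT` between `O_KEEP_STATE` and `O_LIMIT` renumbers `O_LIMIT` and every opcode after it. If this is the opcode enum that ipfw(8) and the kernel exchange (its opening is outside the hunk), a userland binary built against the old header would pass rules whose opcodes are off by one, so a ruleset could be rejected or interpreted as different matches. Appending the new value at the end of the list, just before the terminating sentinel, keeps the existing numbers stable. Otherwise the change description should state that the kernel and ipfw(8) must be rebuilt together.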
==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#10 (text+ko) ====
@@ -1066,7 +1066,7 @@
/* remove a refcount to the parent */ \
if (q->dyn_type == O_LIMIT) \
q->parent->count--; \
- /*if (q->dyn_type == O_AUDIT) { */ \
+ if (q->dyn_type == O_AUDIT) { \
AUDIT_PFIL_ENTER(AUE_PFIL_FLOW_END, td, error); \
if (error == 0) { \
AUDIT_ARG(text, "ipfw"); \
@@ -1075,7 +1075,7 @@
AUDIT_ARG(socket_ex, AF_INET, SOCK_STREAM, \
(struct sockaddr *)&lsin, (struct sockaddr *)&rsin); \
} \
- /*}*/ \
+ } \
if (!error) { \
DEB(printf( \
"ipfw: unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \
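Review bot: The `if (!error)` after the re-enabled closing brace runs for every dynamic entry, but in the visible lines `error` is assigned only by `AUDIT_PFIL_ENTER` inside the `O_AUDIT` branch. Unless it is initialised where it is declared (outside these hunks), non-audit entries test an indeterminate value; declaring it as `int error = 0;` or adding `error = 0; \` ahead of the `O_AUDIT` test would close that gap. A comment should also explain why a failed audit entry suppresses the debug printf. Separately, the record is built with fixed `AF_INET` and `SOCK_STREAM`, so flows of other protocols would be logged as IPv4 TCP unless audit rules are restricted to TCP elsewhere.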
@@ -1384,7 +1384,7 @@
IPFW_DYN_LOCK_ASSERT();
- //if (dyn_type == O_AUDIT)
+ if (dyn_type == O_AUDIT)
{
AUDIT_PFIL_ENTER(AUE_PFIL_FLOW_BEGIN, td, error);
if (error != 0)
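Review bot: `AUDIT_PFIL_ENTER` is now reached with the dynamic-rule lock held, as the `IPFW_DYN_LOCK_ASSERT()` directly above shows. Its definition is not part of this change; if it can sleep while allocating the audit record, that would be a problem on the packet path under this lock. It should be confirmed non-sleeping and documented with a comment such as `/* AUDIT_PFIL_ENTER must not sleep: dyn lock held */`. The origin of `td` is also worth a comment, since the thread processing a packet need not be related to the flow being recorded. The block continues outside the hunk.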
@@ -1441,7 +1441,7 @@
V_dyn_count ); )
done:
- //if (dyn_type == O_AUDIT)
+ if (dyn_type == O_AUDIT)
AUDIT_PFIL_EXIT(error, td);
return r;
}
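Review bot: `AUDIT_PFIL_EXIT(error, td);` is the sole body of an unbraced `if`, so if the macro expands to more than one statement only the first is conditional on `dyn_type == O_AUDIT`. The matching enter site earlier in this function braces its body; do the same here, `if (dyn_type == O_AUDIT) { AUDIT_PFIL_EXIT(error, td); }`, unless the macro is known to be wrapped in `do { } while (0)`. Also, from these lines `error` appears to carry only the enter result, so a path that reaches `done:` without creating a rule might still close the record as a success; confirm the failure paths set `error`.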
@@ -1540,7 +1540,8 @@
switch (cmd->o.opcode) {
case O_KEEP_STATE: /* bidir rule */
- add_dyn_rule(&args->f_id, O_KEEP_STATE, rule);
+ case O_AUDIT:
+ add_dyn_rule(&args->f_id, cmd->o.opcode, rule);
break;
case O_LIMIT: { /* limit number of sessions */
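Review bot: The result of `add_dyn_rule()` is still discarded in the shared `O_KEEP_STATE`/`O_AUDIT` arm. For keep-state that is best effort, but for `O_AUDIT` it means a flow whose state or audit record could not be created is indistinguishable from one that was. Whether install_state() then reports success is decided outside the hunk. If audited flows are meant to fail closed, test the return value in the `O_AUDIT` case and propagate a non-zero result; if not, say so in a comment, e.g. `/* audit is best effort: packet passes even if no record is created */`.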
@@ -3199,6 +3200,7 @@
*/
case O_LIMIT:
case O_KEEP_STATE:
+ case O_AUDIT:
if (install_state(f,
(ipfw_insn_limit *)cmd, args, tablearg)) {
retval = IP_FW_DENY;
@@ -3881,6 +3883,7 @@
switch (cmd->opcode) {
case O_PROBE_STATE:
case O_KEEP_STATE:
+ case O_AUDIT:
case O_PROTO:
case O_IP_SRC_ME:
case O_IP_DST_ME: