PERFORCE change 148574 for review
Diego Giagio
diego at FreeBSD.org
Wed Aug 27 02:26:35 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=148574
Change 148574 by diego at diego_black on 2008/08/27 02:26:21
User-land part of 'audit' keyword support for ipfw.
Affected files ...
.. //depot/projects/soc2008/diego-audit/src/sbin/ipfw/ipfw2.c#2 edit
Differences ...
==== //depot/projects/soc2008/diego-audit/src/sbin/ipfw/ipfw2.c#2 (text+ko) ====
@@ -269,6 +269,7 @@
TOK_IN,
TOK_LIMIT,
TOK_KEEPSTATE,
+ TOK_AUDIT,
TOK_LAYER2,
TOK_OUT,
TOK_DIVERTED,
@@ -436,6 +437,7 @@
{ "in", TOK_IN },
{ "limit", TOK_LIMIT },
{ "keep-state", TOK_KEEPSTATE },
+ { "audit", TOK_AUDIT },
{ "bridged", TOK_LAYER2 },
{ "layer2", TOK_LAYER2 },
{ "out", TOK_OUT },
@@ -2001,6 +2003,10 @@
printf(" keep-state");
break;
+ case O_AUDIT:
+ printf(" audit");
+ break;
+
case O_LIMIT: {
struct _s_x *p = limit_masks;
ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
@@ -2089,6 +2095,9 @@
case O_KEEP_STATE: /* bidir, no mask */
printf(" STATE");
break;
+ case O_AUDIT:
+ printf(" AUDIT");
+ break;
}
if ((pe = getprotobynumber(d->id.proto)) != NULL)
@@ -4680,9 +4689,15 @@
static ipfw_insn *
add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode)
{
- if (_substrcmp(av, "any") == 0) {
+ /*
+ * 'any' and 'audit' keywords must not be treated as port numbers.
+ */
+ if (_substrcmp(av, "any") == 0)
+ return NULL;
+ if (_substrcmp(av, "audit") == 0)
return NULL;
- } else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
+
+ if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
/* XXX todo: check that we have a protocol with ports */
cmd->opcode = opcode;
return cmd;
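Review bot: The new `_substrcmp(av, "audit") == 0` test in add_ports() hardcodes an option keyword into the port parser. If `_substrcmp` is the prefix-matching helper used elsewhere in this file, abbreviations such as `au` or `aud` would also be taken as the keyword instead of being looked up as a port or service name. An exact comparison keeps the exclusion as narrow as the comment states: `if (strcmp(av, "audit") == 0)` followed by `return NULL;`. The comment could also say why the token must be left unconsumed here (presumably so the option parser sees it), since a later keyword in the same position would need the same special case. The function body continues past the end of the hunk.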
@@ -5489,12 +5504,23 @@
errx(EX_USAGE, "keep-state cannot be part "
"of an or block");
if (have_state)
- errx(EX_USAGE, "only one of keep-state "
+ errx(EX_USAGE, "only one of keep-state, audit "
"and limit is allowed");
have_state = cmd;
fill_cmd(cmd, O_KEEP_STATE, 0, 0);
break;
+ case TOK_AUDIT:
+ if (open_par)
+ errx(EX_USAGE, "audit cannot be part of an or "
+ "block");
+ if (have_state)
+ errx(EX_USAGE, "only one of audit, keep-state "
+ "and limit is allowed");
+ have_state = cmd;
+ fill_cmd(cmd, O_AUDIT, 0, 0);
+ break;
+
case TOK_LIMIT: {
ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
int val;
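Review bot: The TOK_AUDIT case stores its instruction in `have_state`, which makes `audit` mutually exclusive with `keep-state` and `limit` and ties it to whatever the rule builder later does with that slot; nothing in the hunk says whether this is intended. For an auditing feature the restriction matters, because a stateful rule then cannot also be audited, so it deserves a comment above the case such as `/* audit shares the have_state slot: it cannot be combined with keep-state or limit */`. The usage messages also disagree on word order: the keep-state branch says `only one of keep-state, audit and limit is allowed`, while this case and the limit hunk that follows say `only one of audit, keep-state and limit is allowed`; a single wording would make the error easier to search for. The enclosing switch starts and ends outside the hunk.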
@@ -5503,8 +5529,8 @@
errx(EX_USAGE,
"limit cannot be part of an or block");
if (have_state)
- errx(EX_USAGE, "only one of keep-state and "
- "limit is allowed");
+ errx(EX_USAGE, "only one of audit, keep-state "
+ "and limit is allowed");
have_state = cmd;
cmd->len = F_INSN_SIZE(ipfw_insn_limit);
@@ -5699,13 +5725,15 @@
dst = next_cmd(dst);
}
- /* copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ, O_TAG */
+ /* copy all commands but O_LOG, O_KEEP_STATE, O_AUDIT, O_LIMIT, O_ALTQ,
+ * O_TAG */
for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
i = F_LEN(src);
switch (src->opcode) {
case O_LOG:
case O_KEEP_STATE:
+ case O_AUDIT:
case O_LIMIT:
case O_ALTQ:
case O_TAG: