PERFORCE change 148574 for review

[Diego Giagio]

http://perforce.freebsd.org/chv.cgi?CH=148574

Change 148574 by diego at diego_black on 2008/08/27 02:26:21

	User-land part of 'audit' keyword support for ipfw.

Affected files ...

.. //depot/projects/soc2008/diego-audit/src/sbin/ipfw/ipfw2.c#2 edit

Differences ...

==== //depot/projects/soc2008/diego-audit/src/sbin/ipfw/ipfw2.c#2 (text+ko) ====

@@ -269,6 +269,7 @@
 	TOK_IN,
 	TOK_LIMIT,
 	TOK_KEEPSTATE,
+	TOK_AUDIT,
 	TOK_LAYER2,
 	TOK_OUT,
 	TOK_DIVERTED,
@@ -436,6 +437,7 @@
 	{ "in",			TOK_IN },
 	{ "limit",		TOK_LIMIT },
 	{ "keep-state",		TOK_KEEPSTATE },
+	{ "audit",		TOK_AUDIT },
 	{ "bridged",		TOK_LAYER2 },
 	{ "layer2",		TOK_LAYER2 },
 	{ "out",		TOK_OUT },
@@ -2001,6 +2003,10 @@
 				printf(" keep-state");
 				break;
 
+			case O_AUDIT:
+				printf(" audit");
+				break;
+
 			case O_LIMIT: {
 				struct _s_x *p = limit_masks;
 				ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
@@ -2089,6 +2095,9 @@
 	case O_KEEP_STATE: /* bidir, no mask */
 		printf(" STATE");
 		break;
+	case O_AUDIT:
+		printf(" AUDIT");
+		break;
 	}
 
 	if ((pe = getprotobynumber(d->id.proto)) != NULL)
@@ -4680,9 +4689,15 @@
 static ipfw_insn *
 add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode)
 {
-	if (_substrcmp(av, "any") == 0) {
+	/*
+	 * 'any' and 'audit' keywords must not be treated as port numbers.
+	 */
+	if (_substrcmp(av, "any") == 0)
+		return NULL;
+	if (_substrcmp(av, "audit") == 0)
 		return NULL;
-	} else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
+
+	if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
 		/* XXX todo: check that we have a protocol with ports */
 		cmd->opcode = opcode;
 		return cmd;
@@ -5489,12 +5504,23 @@
 				errx(EX_USAGE, "keep-state cannot be part "
 				    "of an or block");
 			if (have_state)
-				errx(EX_USAGE, "only one of keep-state "
+				errx(EX_USAGE, "only one of keep-state, audit "
 					"and limit is allowed");
 			have_state = cmd;
 			fill_cmd(cmd, O_KEEP_STATE, 0, 0);
 			break;
 
+		case TOK_AUDIT:
+			if (open_par)
+				errx(EX_USAGE, "audit cannot be part of an or "
+				    "block");
+			if (have_state)
+				errx(EX_USAGE, "only one of audit, keep-state "
+					"and limit is allowed");
+			have_state = cmd;
+			fill_cmd(cmd, O_AUDIT, 0, 0);
+			break;
+
 		case TOK_LIMIT: {
 			ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
 			int val;
@@ -5503,8 +5529,8 @@
 				errx(EX_USAGE,
 				    "limit cannot be part of an or block");
 			if (have_state)
-				errx(EX_USAGE, "only one of keep-state and "
-				    "limit is allowed");
+				errx(EX_USAGE, "only one of audit, keep-state "
+				    "and limit is allowed");
 			have_state = cmd;
 
 			cmd->len = F_INSN_SIZE(ipfw_insn_limit);
@@ -5699,13 +5725,15 @@
 		dst = next_cmd(dst);
 	}
 
-	/* copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ, O_TAG */
+	/* copy all commands but O_LOG, O_KEEP_STATE, O_AUDIT, O_LIMIT, O_ALTQ,
+	 * O_TAG */
 	for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
 		i = F_LEN(src);
 
 		switch (src->opcode) {
 		case O_LOG:
 		case O_KEEP_STATE:
+		case O_AUDIT:
 		case O_LIMIT:
 		case O_ALTQ:
 		case O_TAG: