authorgreen <green@FreeBSD.org>1999-08-01 16:57:24 +0000
committergreen <green@FreeBSD.org>1999-08-01 16:57:24 +0000
commitd848a791d143dcd43bbfd4243df4fe61c62fac41 (patch)
tree02d5b553f5f87af777c6d66d6b2b25611e79109b /sbin
parent7263583ccb568e6d5e6e6d32d6e126a50ea4229d (diff)
Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set the logging limit specifically for the rule. In addition, "ipfw resetlog" has been added, which will reset the logging counters on any/all rule(s). ipfw resetlog does not affect the packet/byte counters (as ipfw reset does), and is the only "set" command that can be run at securelevel >= 3. This should address complaints about not being able to set logging amounts, not being able to restart logging at a high securelevel, and not being able to just reset logging without resetting all of the counters in a rule.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipfw/ipfw.833
-rw-r--r--sbin/ipfw/ipfw.c75
2 files changed, 97 insertions, 11 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index ba3da16..e3933d5 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,5 +1,5 @@
.\"
-.\" $Id: ipfw.8,v 1.53 1999/06/15 12:56:38 ru Exp $
+.\" $Id: ipfw.8,v 1.54 1999/06/19 18:43:18 green Exp $
.\"
.Dd July 20, 1996
.Dt IPFW 8
@@ -30,6 +30,12 @@ flush
zero
.Op Ar number ...
.Nm ipfw
+.Oo
+.Fl q
+.Oc
+resetlog
+.Op Ar number ...
+.Nm ipfw
delete
.Ar number ...
.Nm ipfw
@@ -49,7 +55,7 @@ show
add
.Op Ar number
.Ar action
-.Op log
+.Op log Op Ar logamount Ar number
.Ar proto
from
.Ar src
@@ -227,6 +233,10 @@ The show command is equivalent to
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
+The resetlog operation resets the logging counters associated with
+rule number
+.Ar number .
+.Pp
The flush operation removes all rules.
.Pp
Any command beginning with a
@@ -265,7 +275,7 @@ Don't ask for confirmation for commands that can cause problems if misused
.Ar Note ,
if there is no tty associated with the process, this is implied.
.It Fl q
-While adding, zeroing or flushing, be quiet about actions (implies
+While adding, zeroing, resetlogging or flushing, be quiet about actions (implies
.Fl f Ns ).
This is useful for adjusting rules by executing multiple
.Nm
@@ -411,15 +421,22 @@ then when a packet matches a rule with the
keyword a message will be printed on the console.
If the kernel was compiled with the
.Dv IPFIREWALL_VERBOSE_LIMIT
-option, then logging will cease after the number of packets
-specified by the option are received for that particular
-chain entry. Logging may then be re-enabled by clearing
-the packet counter for that entry.
+option, then by default logging will cease after the number
+of packets specified by the option are received for that
+particular chain entry. However, if
+.Ar logamount Ar number
+is used, that
+.Ar number
+will be the default logging limit rather than
+.Dv IPFIREWALL_VERBOSE_LIMIT .
+Logging may then be re-enabled by clearing the logging counter
+or the packet counter for that entry.
.Pp
Console logging and the log limit are adjustable dynamically
through the
.Xr sysctl 8
-interface.
+interface in the MIB base of
+.Dv net.inet.ip.fw .
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index 78d5474..1ff1ed7 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -20,13 +20,14 @@
#ifndef lint
static const char rcsid[] =
- "$Id: ipfw.c,v 1.70 1999/06/11 09:43:53 ru Exp $";
+ "$Id: ipfw.c,v 1.71 1999/06/19 18:43:15 green Exp $";
#endif /* not lint */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sockio.h>
+#include <sys/sysctl.h>
#include <sys/time.h>
#include <sys/wait.h>
@@ -247,8 +248,11 @@ show_ipfw(struct ip_fw *chain, int pcwidth, int bcwidth)
errx(EX_OSERR, "impossible");
}
- if (chain->fw_flg & IP_FW_F_PRN)
+ if (chain->fw_flg & IP_FW_F_PRN) {
printf(" log");
+ if (chain->fw_logamount)
+ printf(" logamount %d", chain->fw_logamount);
+ }
pe = getprotobynumber(chain->fw_prot);
if (pe)
@@ -599,12 +603,13 @@ show_usage(const char *fmt, ...)
" [pipe] list [number ...]\n"
" [pipe] show [number ...]\n"
" zero [number ...]\n"
+" resetlog [number ...]\n"
" pipe number config [pipeconfig]\n"
" rule: action proto src dst extras...\n"
" action:\n"
" {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
" reset|count|skipto num|divert port|tee port|fwd ip|\n"
-" pipe num} [log]\n"
+" pipe num} [log [logamount count]]\n"
" proto: {ip|tcp|udp|icmp|<number>}\n"
" src: from [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
" dst: to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
@@ -1164,6 +1169,18 @@ add(ac,av)
if (ac && !strncmp(*av,"log",strlen(*av))) {
rule.fw_flg |= IP_FW_F_PRN; av++; ac--;
}
+ if (ac && !strncmp(*av,"logamount",strlen(*av))) {
+ if (!(rule.fw_flg & IP_FW_F_PRN))
+ show_usage("``logamount'' not valid without ``log''");
+ ac--; av++;
+ if (!ac)
+ show_usage("``logamount'' requires argument");
+ rule.fw_logamount = atoi(*av);
+ if (rule.fw_logamount <= 0)
+ show_usage("``logamount'' argument must be greater "
+ "than 0");
+ ac--; av++;
+ }
/* protocol */
if (ac == 0)
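Review bot: The `rule.fw_logamount = atoi(*av);` line accepts trailing garbage, so `logamount 10x` is silently taken as 10 and the following `<= 0` check only catches tokens that fail to parse at all. Parsing with `strtol` and checking the end pointer rejects malformed input: `char *end; long v = strtol(*av, &end, 10);` followed by `if (end == *av || *end != '\0' || v <= 0 || v > INT_MAX)` calling show_usage with a "must be a positive integer" message, then `rule.fw_logamount = (int)v;`. `INT_MAX` needs `<limits.h>`, which is not among the includes visible in the first hunk of this file, so confirm it is already included elsewhere. add()'s body starts and ends outside this hunk.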
@@ -1385,6 +1402,17 @@ badviacombo:
if (rule.fw_nports)
show_usage("can't mix 'frag' and port specifications");
}
+ if (rule.fw_flg & IP_FW_F_PRN) {
+ if (!rule.fw_logamount) {
+ size_t len = sizeof(int);
+
+ if (sysctlbyname("net.inet.ip.fw.verbose_limit",
+ &rule.fw_logamount, &len, NULL, 0) == -1)
+ errx(1, "sysctlbyname(\"%s\")",
+ "net.inet.ip.fw.verbose_limit");
+ }
+ rule.fw_loghighest = rule.fw_logamount;
+ }
if (!do_quiet)
show_ipfw(&rule, 10, 10);
@@ -1432,6 +1460,45 @@ zero (ac, av)
}
}
+static void
+resetlog (ac, av)
+ int ac;
+ char **av;
+{
+ av++; ac--;
+
+ if (!ac) {
+ /* clear all entries */
+ if (setsockopt(s,IPPROTO_IP,IP_FW_RESETLOG,NULL,0)<0)
+ err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_FW_RESETLOG");
+ if (!do_quiet)
+ printf("Logging counts reset.\n");
+ } else {
+ struct ip_fw rule;
+ int failed = EX_OK;
+
+ memset(&rule, 0, sizeof rule);
+ while (ac) {
+ /* Rule number */
+ if (isdigit(**av)) {
+ rule.fw_number = atoi(*av); av++; ac--;
+ if (setsockopt(s, IPPROTO_IP,
+ IP_FW_RESETLOG, &rule, sizeof rule)) {
+ warn("rule %u: setsockopt(%s)", rule.fw_number,
+ "IP_FW_RESETLOG");
+ failed = EX_UNAVAILABLE;
+ }
+ else if (!do_quiet)
+ printf("Entry %d logging count reset\n",
+ rule.fw_number);
+ } else
+ show_usage("invalid rule number ``%s''", *av);
+ }
+ if (failed != EX_OK)
+ exit(failed);
+ }
+}
+
static int
ipfw_main(ac,av)
int ac;
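Review bot: In resetlog, `if (isdigit(**av))` checks only the first character of the token, so `resetlog 12abc` is accepted and `atoi` yields 12; it also passes a plain `char` to `isdigit`, which is undefined for negative values on platforms where `char` is signed. A `strtol` with an end-pointer check, `char *end; long v = strtol(*av, &end, 10);` and `if (end == *av || *end != '\0')` falling into the existing "invalid rule number" show_usage call, covers both cases. The two messages also disagree on fw_number's type, `%u` in the `warn("rule %u: setsockopt(%s)", ...)` call versus `%d` in `printf("Entry %d logging count reset\n", ...)`; use the specifier that matches its declaration in struct ip_fw. The resetlog function is complete within this hunk.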
@@ -1527,6 +1594,8 @@ ipfw_main(ac,av)
}
} else if (!strncmp(*av, "zero", strlen(*av))) {
zero(ac,av);
+ } else if (!strncmp(*av, "resetlog", strlen(*av))) {
+ resetlog(ac,av);
} else if (!strncmp(*av, "print", strlen(*av))) {
list(--ac,++av);
} else if (!strncmp(*av, "list", strlen(*av))) {