diff options
| author | melifaro <melifaro@FreeBSD.org> | 2012-11-05 22:30:56 +0000 |
|---|---|---|
| committer | melifaro <melifaro@FreeBSD.org> | 2012-11-05 22:30:56 +0000 |
| commit | 6056a71b0eb3028cb5da432f3ef0f5a5545e8e65 (patch) | |
| tree | b1c7efa6571dd34711f780c79126414b39e2541f /sys/netpfil | |
| parent | 829a763edee0b5ebbcb8dcfbcd24876df1a3c34d (diff) | |
| download | FreeBSD-src-6056a71b0eb3028cb5da432f3ef0f5a5545e8e65.zip FreeBSD-src-6056a71b0eb3028cb5da432f3ef0f5a5545e8e65.tar.gz | |
Use unified print_dyn_rule_flags() function for debugging messages
instead of hand-made printfs in every place.
MFC after: 1 week
Diffstat (limited to 'sys/netpfil')
| -rw-r--r-- | sys/netpfil/ipfw/ip_fw_dynamic.c | 120 |
1 files changed, 27 insertions, 93 deletions
diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c index 8714538..859df19 100644 --- a/sys/netpfil/ipfw/ip_fw_dynamic.c +++ b/sys/netpfil/ipfw/ip_fw_dynamic.c @@ -258,8 +258,12 @@ hash_packet(struct ipfw_flow_id *id) return i; } -static __inline void -unlink_dyn_rule_print(struct ipfw_flow_id *id) +/** + * Print customizable flow id description via log(9) facility. + */ +static void +print_dyn_rule_flags(struct ipfw_flow_id *id, int dyn_type, int log_flags, + char *prefix, char *postfix) { struct in_addr da; #ifdef INET6 @@ -280,10 +284,14 @@ unlink_dyn_rule_print(struct ipfw_flow_id *id) da.s_addr = htonl(id->dst_ip); inet_ntop(AF_INET, &da, dst, sizeof(dst)); } - printf("ipfw: unlink entry %s %d -> %s %d, %d left\n", - src, id->src_port, dst, id->dst_port, V_dyn_count - 1); + log(log_flags, "ipfw: %s type %d %s %d -> %s %d, %d %s\n", + prefix, dyn_type, src, id->src_port, dst, + id->dst_port, V_dyn_count, postfix); } +#define print_dyn_rule(id, dtype, prefix, postfix) \ + print_dyn_rule_flags(id, dtype, LOG_DEBUG, prefix, postfix) + /** * unlink a dynamic rule from a chain. prev is a pointer to * the previous one, q is a pointer to the rule to delete, @@ -296,12 +304,12 @@ unlink_dyn_rule_print(struct ipfw_flow_id *id) /* remove a refcount to the parent */ \ if (q->dyn_type == O_LIMIT) \ q->parent->count--; \ - DEB(unlink_dyn_rule_print(&q->id);) \ + V_dyn_count--; \ + DEB(print_dyn_rule(&q->id, q->dyn_type, "unlink entry", "left");) \ if (prev != NULL) \ prev->next = q = q->next; \ else \ head = q = q->next; \ - V_dyn_count--; \ uma_zfree(ipfw_dyn_rule_zone, old_q); } #define TIME_LEQ(a,b) ((int)((a)-(b)) <= 0) @@ -639,32 +647,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule) r->next = V_ipfw_dyn_v[i]; V_ipfw_dyn_v[i] = r; V_dyn_count++; - DEB({ - struct in_addr da; -#ifdef INET6 - char src[INET6_ADDRSTRLEN]; - char dst[INET6_ADDRSTRLEN]; -#else - char src[INET_ADDRSTRLEN]; - char dst[INET_ADDRSTRLEN]; -#endif - -#ifdef INET6 - if (IS_IP6_FLOW_ID(&(r->id))) { - ip6_sprintf(src, &r->id.src_ip6); - ip6_sprintf(dst, &r->id.dst_ip6); - } else -#endif - { - da.s_addr = htonl(r->id.src_ip); - inet_ntop(AF_INET, &da, src, sizeof(src)); - da.s_addr = htonl(r->id.dst_ip); - inet_ntop(AF_INET, &da, dst, sizeof(dst)); - } - printf("ipfw: add dyn entry ty %d %s %d -> %s %d, total %d\n", - dyn_type, src, r->id.src_port, dst, r->id.dst_port, - V_dyn_count); - }) + DEB(print_dyn_rule(id, dyn_type, "add dyn entry", "total");) return r; } @@ -701,7 +684,8 @@ lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule) ) ) { q->expire = time_uptime + V_dyn_short_lifetime; - DEB(printf("ipfw: lookup_dyn_parent found 0x%p\n",q);) + DEB(print_dyn_rule(pkt, q->dyn_type, + "lookup_dyn_parent found", "");) return q; } } @@ -720,38 +704,11 @@ ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, { static int last_log; ipfw_dyn_rule *q; - struct in_addr da; -#ifdef INET6 - char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2]; -#else - char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN]; -#endif - src[0] = '\0'; - dst[0] = '\0'; + DEB(print_dyn_rule(&args->f_id, cmd->o.opcode, "install_state", "");) IPFW_DYN_LOCK(); - DEB( -#ifdef INET6 - if (IS_IP6_FLOW_ID(&(args->f_id))) { - ip6_sprintf(src, &args->f_id.src_ip6); - ip6_sprintf(dst, &args->f_id.dst_ip6); - } else -#endif - { - da.s_addr = htonl(args->f_id.src_ip); - inet_ntop(AF_INET, &da, src, sizeof(src)); - da.s_addr = htonl(args->f_id.dst_ip); - inet_ntop(AF_INET, &da, dst, sizeof(dst)); - } - printf("ipfw: %s: type %d %s %u -> %s %u\n", - __func__, cmd->o.opcode, src, args->f_id.src_port, - dst, args->f_id.dst_port); - src[0] = '\0'; - dst[0] = '\0'; - ) - q = lookup_dyn_rule_locked(&args->f_id, NULL, NULL); if (q != NULL) { /* should never occur */ @@ -833,38 +790,15 @@ ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, if (parent->count >= conn_limit) { if (V_fw_verbose && last_log != time_uptime) { last_log = time_uptime; -#ifdef INET6 - /* - * XXX IPv6 flows are not - * supported yet. - */ - if (IS_IP6_FLOW_ID(&(args->f_id))) { - char ip6buf[INET6_ADDRSTRLEN]; - snprintf(src, sizeof(src), - "[%s]", ip6_sprintf(ip6buf, - &args->f_id.src_ip6)); - snprintf(dst, sizeof(dst), - "[%s]", ip6_sprintf(ip6buf, - &args->f_id.dst_ip6)); - } else -#endif - { - da.s_addr = - htonl(args->f_id.src_ip); - inet_ntop(AF_INET, &da, src, - sizeof(src)); - da.s_addr = - htonl(args->f_id.dst_ip); - inet_ntop(AF_INET, &da, dst, - sizeof(dst)); - } - log(LOG_SECURITY | LOG_DEBUG, - "ipfw: %d %s %s:%u -> %s:%u, %s\n", - parent->rule->rulenum, - "drop session", - src, (args->f_id.src_port), - dst, (args->f_id.dst_port), - "too many entries"); + char sbuf[24]; + last_log = time_uptime; + snprintf(sbuf, sizeof(sbuf), + "%d drop session", + parent->rule->rulenum); + print_dyn_rule_flags(&args->f_id, + cmd->o.opcode, + LOG_SECURITY | LOG_DEBUG, + sbuf, "too many entries"); } IPFW_DYN_UNLOCK(); return (1); |
