From dd217a525406b95d9802d1a30c7b060b3957c186 Mon Sep 17 00:00:00 2001 From: maxim Date: Wed, 11 Oct 2006 11:52:34 +0000 Subject: o Extend not very informative ipfw(4) message 'drop session, too many entries' by src:port and dst:port pairs. IPv6 part is non-functional as ``limit'' does not support IPv6 flows. PR: kern/103967 Submitted by: based on Bruce Campbell patch MFC after: 1 month --- sys/netinet/ip_fw2.c | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) (limited to 'sys') diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 01f2f3e..ef23865 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -1424,8 +1424,12 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, struct ip_fw_args *args, uint32_t tablearg) { static int last_log; - ipfw_dyn_rule *q; + struct in_addr da; + char src[48], dst[48]; + + src[0] = '\0'; + dst[0] = '\0'; DEB( printf("ipfw: %s: type %d 0x%08x %u -> 0x%08x %u\n", @@ -1515,8 +1519,34 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, if (parent->count >= conn_limit) { if (fw_verbose && last_log != time_uptime) { last_log = time_uptime; +#ifdef INET6 + /* + * XXX IPv6 flows are not + * supported yet. + * */ + if (IS_IP6_FLOW_ID(&(args->f_id))) { + snprintf(src, sizeof(src), + "[%s]", ip6_sprintf( + &args->f_id.src_ip6)); + snprintf(dst, sizeof(dst), + "[%s]", ip6_sprintf( + &args->f_id.dst_ip6)); + } else +#endif + { + da.s_addr = + htonl(args->f_id.src_ip); + inet_ntoa_r(da, src); + da.s_addr = + htonl(args->f_id.dst_ip); + inet_ntoa_r(da, dst); + } log(LOG_SECURITY | LOG_DEBUG, - "drop session, too many entries\n"); + "%s %s:%u -> %s:%u, %s\n", + "drop session", + src, (args->f_id.src_port), + dst, (args->f_id.dst_port), + "too many entries"); } IPFW_DYN_UNLOCK(); return (1); -- cgit v1.1
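Review bot: The bare `48` in `char src[48], dst[48];` is not tied to anything that gets written into the buffers. It presumably stands for INET6_ADDRSTRLEN (46) plus the two brackets added in the later hunk, so a named constant or a comment such as `/* INET6_ADDRSTRLEN + '[' + ']' */` would make the bound checkable. This matters because the IPv4 path fills the buffers through `inet_ntoa_r(da, src)`, which is passed no length here, so the declared size is the only limit. The two `[0] = '\0'` assignments run on every call although the buffers are read only in the log path, so they could sit next to the formatting code. The body of install_state continues outside this hunk.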
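Review bot: With addresses now in the message, the existing `last_log != time_uptime` guard means only the first over-limit flow in each interval (presumably one second) is named, so the line is a sample and not a list of offenders. A comment at the guard such as `/* rate-limited; the flow logged is only a sample of those dropped */` would keep log readers and maintainers from treating it as complete. The fixed text is also split across two `%s` arguments, which makes the message hard to find by grepping the source. Writing it as the single format string `"drop session %s:%u -> %s:%u, too many entries\n"` produces the same output and stays searchable. The old literal `drop session, too many entries` no longer appears contiguously in the output either way, so log matchers keyed on it need updating when this is merged; the enclosing block starts and ends outside the hunk.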