author | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2005-06-07 04:37:33 +0000 |
committer | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2005-06-07 04:37:33 +0000 |
commit | 18b04af3af812d2a0deba6da7478775abd5b0c79 (patch) | |
tree | 2fa55f6673dc18c446be29c4eaa590d050660635 | |
parent | 359425b989195df1f76342a9bff387f589aafd5f (diff) |
Introduce verbose option to control the logging of the pf rules.
ok beck mpf
-rw-r--r-- | usr.sbin/ftp-proxy/filter.c | 13 | ||||
-rw-r--r-- | usr.sbin/ftp-proxy/filter.h | 2 | ||||
-rw-r--r-- | usr.sbin/ftp-proxy/ftp-proxy.8 | 15 | ||||
-rw-r--r-- | usr.sbin/ftp-proxy/ftp-proxy.c | 14 |
4 files changed, 30 insertions, 14 deletions
diff --git a/usr.sbin/ftp-proxy/filter.c b/usr.sbin/ftp-proxy/filter.c
index b4e958aa64f..f2e987f356e 100644
--- a/usr.sbin/ftp-proxy/filter.c
+++ b/usr.sbin/ftp-proxy/filter.c
@@ -50,7 +50,7 @@ static struct pfioc_pooladdr pfp;
 static struct pfioc_rule pfr;
 static struct pfioc_trans pft;
 static struct pfioc_trans_e pfte[TRANS_SIZE];
-static int dev;
+static int dev, rule_log;
 static char *qname;
 int
@@ -157,12 +157,17 @@ do_rollback(void)
 }
 void
-init_filter(char *opt_qname)
+init_filter(char *opt_qname, int opt_verbose)
 {
 struct pf_status status;
 qname = opt_qname;
+ if (opt_verbose == 1)
+ rule_log = PF_LOG;
+ else if (opt_verbose == 2)
+ rule_log = PF_LOG_ALL;
+
 dev = open("/dev/pf", O_RDWR);
 if (dev == -1)
 err(1, "/dev/pf");
@@ -273,13 +278,13 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
 switch (rs_num) {
 case PF_RULESET_FILTER:
 /*
- * pass quick log inet[6] proto tcp \
+ * pass quick [log] inet[6] proto tcp \
 * from $src to $dst port = $d_port flags S/SAFR keep state
 * (max 1) [queue qname]
 */
 pfr.rule.action = PF_PASS;
 pfr.rule.quick = 1;
- pfr.rule.log = 1;
+ pfr.rule.log = rule_log;
 pfr.rule.keep_state = 1;
 pfr.rule.flags = TH_SYN;
 pfr.rule.flagset = (TH_SYN|TH_ACK|TH_FIN|TH_RST);
diff --git a/usr.sbin/ftp-proxy/filter.h b/usr.sbin/ftp-proxy/filter.h
index cfb75b77dbf..3f0888a48a3 100644
--- a/usr.sbin/ftp-proxy/filter.h
+++ b/usr.sbin/ftp-proxy/filter.h
@@ -24,6 +24,6 @@ int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t,
 struct sockaddr *, u_int16_t);
 int do_commit(void);
 int do_rollback(void);
-void init_filter(char *);
+void init_filter(char *, int);
 int prepare_commit(u_int32_t);
 int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *);
diff --git a/usr.sbin/ftp-proxy/ftp-proxy.8 b/usr.sbin/ftp-proxy/ftp-proxy.8
index ce84dbdcccf..5c6349cf5a6 100644
--- a/usr.sbin/ftp-proxy/ftp-proxy.8
+++ b/usr.sbin/ftp-proxy/ftp-proxy.8
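Review bot: In init_filter(), rule_log is assigned only when opt_verbose is exactly 1 or 2, so any other value silently leaves the rules unlogged and the function depends on main() rejecting a third -v; since init_filter() is the exported interface declared in filter.h, it should enforce its own range. Either fold higher counts into the strongest level, `else if (opt_verbose >= 2) rule_log = PF_LOG_ALL;`, or reject them with `else if (opt_verbose != 0) errx(1, "bad verbose level");` in the style of the err(1, "/dev/pf") call just below. The new static introduced in the first hunk also deserves a comment where it is declared, e.g. `static int dev, rule_log; /* 0, PF_LOG or PF_LOG_ALL; applied to every filter rule */`, because it is written here and read in prepare_rule(). init_filter()'s body continues past the end of the hunk.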
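Review bot: The updated comment in prepare_rule() shows the rule as `pass quick [log] inet[6] proto tcp \`, but rule_log can also be PF_LOG_ALL, whose pf.conf spelling is `log-all`; `* pass quick [log|log-all] inet[6] proto tcp \` would describe both levels. It is also worth stating in that comment that rule_log stays 0 unless -v is given, so the rules now log nothing by default where the removed `pfr.rule.log = 1;` logged unconditionally, and operators who relied on pflog entries for these dynamic rules must start the proxy with -v. prepare_rule() begins and ends outside the hunk.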
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.2 2005/05/31 21:47:20 jmc Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.3 2005/06/07 04:37:32 camield Exp $
 .\"
 .\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
 .\"
@@ -22,7 +22,7 @@
 .Nd Internet File Transfer Protocol proxy daemon
 .Sh SYNOPSIS
 .Nm ftp-proxy
-.Op Fl 6Adr
+.Op Fl 6Adrv
 .Op Fl a Ar address
 .Op Fl b Ar address
 .Op Fl D Ar level
@@ -63,16 +63,16 @@ adds the following rules to the various anchors.
 In case of active mode (PORT or EPRT):
 .Bd -literal -offset 2n
 rdr from $server to $proxy port $port -> $client
-pass log quick inet proto tcp \e
+pass quick inet proto tcp \e
 from $server to $client port $port flags S/SAFR keep state
 .Ed
 .Pp
 In case of passive mode (PASV or EPSV):
 .Bd -literal -offset 2n
 nat from $client to $server port $port -> $proxy
-pass in log quick inet proto tcp \e
+pass in quick inet proto tcp \e
 from $client to $server port $port flags S/SAFR keep state
-pass out log quick inet proto tcp \e
+pass out quick inet proto tcp \e
 from $proxy to $server port $port flags S/SAFR keep state
 .Ed
 .Pp
@@ -133,6 +133,11 @@ proxy will disconnect. The default is 24 hours. Do not set this too low, because the control connection is usually idle when large data transfers are taking place.
+.It Fl v
+Set the 'log' flag on pf rules committed by
+.Nm .
+Use twice to set the 'log-all' flag.
+The pf rules do not log by default.
 .El
 .Sh CONFIGURATION
 To make use of the proxy,
diff --git a/usr.sbin/ftp-proxy/ftp-proxy.c b/usr.sbin/ftp-proxy/ftp-proxy.c
index dfefecd925b..2c7c2c2109d 100644
--- a/usr.sbin/ftp-proxy/ftp-proxy.c
+++ b/usr.sbin/ftp-proxy/ftp-proxy.c
@@ -115,7 +115,7 @@ struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
 char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port, *qname;
 int anonymous_only, caught_sig, daemonize, id_count, ipv6_mode, loglevel,
- max_sessions, rfc_mode, session_count, timeout;
+ max_sessions, rfc_mode, session_count, timeout, verbose;
 extern char *__progname;
 void
@@ -594,12 +594,13 @@ main(int argc, char *argv[])
 qname = NULL;
 rfc_mode = 0;
 timeout = 24 * 3600;
+ verbose = 0;
 /* Other initialization. */
 id_count = 1;
 session_count = 0;
-while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:")) != -1) {
+while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
 switch (ch) {
 case '6':
 ipv6_mode = 1;
@@ -648,6 +649,11 @@ main(int argc, char *argv[])
 if (timeout < 0)
 errx(1, "bad timeout");
 break;
+ case 'v':
+ verbose++;
+ if (verbose > 2)
+ usage();
+ break;
 default:
 usage();
 }
@@ -718,7 +724,7 @@ main(int argc, char *argv[])
 freeaddrinfo(res);
 /* Initialize pf. */
- init_filter(qname);
+ init_filter(qname, verbose);
 if (daemonize) {
 if (daemon(0, 0) == -1)
@@ -1085,7 +1091,7 @@ sock_ntop(struct sockaddr *sa)
 void
 usage(void)
 {
- fprintf(stderr, "usage: %s [-6Adr] [-a address] [-b address]"
+ fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
 " [-D level] [-m maxsessions]\n [-P port]"
 " [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);
 exit(1);
|
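Review bot: The new `case 'v'` handles a third -v by calling usage(), which prints the synopsis with no hint that the option count was the problem, while the neighbouring timeout check in the same switch reports a reason with `errx(1, "bad timeout")`. For consistency, `if (verbose > 2) errx(1, "-v may be given at most twice");` tells the operator what to fix; the cheaper alternative is to drop the check here and let init_filter() treat any count above two as log-all. main() begins and ends outside the hunk.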