author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2005-05-26 15:29:49 +0000 |
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2005-05-26 15:29:49 +0000 |
commit | 3fed2ac9c28a2b2b7ac4ecb26c33ed867ef50b5a (patch) | |
tree | 35d7fbb431ddef2a4f442d7d37939c6c85c3ddee /sys/net/pf.c | |
parent | e70b56c153f9c0e8f3a956724bf142a0d3e7cfb9 (diff) |
support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r-- | sys/net/pf.c | 62 |
1 files changed, 45 insertions, 17 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8dea6c47aca..7ef95995677 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.490 2005/05/23 23:28:53 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.491 2005/05/26 15:29:48 dhartmei Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -2805,10 +2805,11 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
 REASON_SET(&reason, PFRES_MATCH);
- if (r->log) {
+ if (r->log || (nr != NULL && nr->natpass && nr->log)) {
 if (rewrite)
 m_copyback(m, off, sizeof(*th), th);
- PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
+ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
+ a, ruleset);
 }
 if ((r->action == PF_DROP) &&
@@ -2911,7 +2912,9 @@ cleanup:
 s->anchor.ptr = a;
 STATE_INC_COUNTERS(s);
 s->allow_opts = r->allow_opts;
- s->log = r->log & 2;
+ s->log = r->log & PF_LOGALL;
+ if (nr != NULL)
+ s->log |= nr->log & PF_LOGALL;
 s->proto = IPPROTO_TCP;
 s->direction = direction;
 s->af = af;
@@ -3176,10 +3179,11 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
 REASON_SET(&reason, PFRES_MATCH);
- if (r->log) {
+ if (r->log || (nr != NULL && nr->natpass && nr->log)) {
 if (rewrite)
 m_copyback(m, off, sizeof(*uh), uh);
- PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
+ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
+ a, ruleset);
 }
 if ((r->action == PF_DROP) &&
@@ -3264,7 +3268,9 @@ cleanup:
 s->anchor.ptr = a;
 STATE_INC_COUNTERS(s);
 s->allow_opts = r->allow_opts;
- s->log = r->log & 2;
+ s->log = r->log & PF_LOGALL;
+ if (nr != NULL)
+ s->log |= nr->log & PF_LOGALL;
 s->proto = IPPROTO_UDP;
 s->direction = direction;
 s->af = af;
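Review bot: `s->log |= nr->log & PF_LOGALL;` in the state hunk at `@@ -2911,7 +2912,9 @@` is not qualified by `nr->natpass`, whereas the match-time check in `@@ -2805,10 +2805,11 @@` only consults `nr->log` when `nr->natpass` is set; the udp state hunk here and the icmp and other state hunks on the next line have the same asymmetry. If a `nat`/`rdr`/`binat` rule without `pass` can carry `log-all` (the commit message scopes the feature to 'nat/rdr/binat pass' rules, so the parser may already reject that case — not visible from this diff), every packet of such a state would be logged and, through the `done:` hunks, attributed to a translation rule that did not decide the pass. If that is not intended, guarding the state-side update the same way, `if (nr != NULL && nr->natpass)`, keeps both places consistent; if it is intended, a one-line comment saying the natpass check is deliberately omitted here would save the next reader the question. The enclosing pf_test_tcp/pf_test_udp bodies start and end outside these hunks.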
@@ -3491,13 +3497,14 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
 REASON_SET(&reason, PFRES_MATCH);
- if (r->log) {
+ if (r->log || (nr != NULL && nr->natpass && nr->log)) {
 #ifdef INET6
 if (rewrite)
 m_copyback(m, off, sizeof(struct icmp6_hdr), pd->hdr.icmp6);
 #endif /* INET6 */
- PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
+ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
+ a, ruleset);
 }
 if (r->action != PF_PASS)
@@ -3559,7 +3566,9 @@ cleanup:
 s->anchor.ptr = a;
 STATE_INC_COUNTERS(s);
 s->allow_opts = r->allow_opts;
- s->log = r->log & 2;
+ s->log = r->log & PF_LOGALL;
+ if (nr != NULL)
+ s->log |= nr->log & PF_LOGALL;
 s->proto = pd->proto;
 s->direction = direction;
 s->af = af;
@@ -3738,8 +3747,9 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
 REASON_SET(&reason, PFRES_MATCH);
- if (r->log)
- PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
+ if (r->log || (nr != NULL && nr->natpass && nr->log))
+ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
+ a, ruleset);
 if ((r->action == PF_DROP) && ((r->rule_flag & PFRULE_RETURNICMP) ||
@@ -3834,7 +3844,9 @@ cleanup:
 s->anchor.ptr = a;
 STATE_INC_COUNTERS(s);
 s->allow_opts = r->allow_opts;
- s->log = r->log & 2;
+ s->log = r->log & PF_LOGALL;
+ if (nr != NULL)
+ s->log |= nr->log & PF_LOGALL;
 s->proto = pd->proto;
 s->direction = direction;
 s->af = af;
@@ -5924,8 +5936,16 @@ done:
 REASON_SET(&reason, PFRES_MEMORY);
 }
- if (log)
- PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset);
+ if (log) {
+ struct pf_rule *lr;
+
+ if (s != NULL && s->nat_rule.ptr != NULL &&
+ s->nat_rule.ptr->log & PF_LOGALL)
+ lr = s->nat_rule.ptr;
+ else
+ lr = r;
+ PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset);
+ }
 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
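Review bot: The `lr` selection in the `done:` hunk at `@@ -5924,8 +5936,16 @@` credits the translation rule whenever `s->nat_rule.ptr->log & PF_LOGALL` is set, without looking at whether `r` (the filter rule) asked for `log-all` too, so for a state where both rules requested it the pflog record carries the nat rule's identity, the reverse of the match-time precedence `r->log ? r : nr` in the earlier hunks. Anyone correlating pflog rule numbers against the loaded ruleset will want that spelled out, so a comment above the `if`, e.g. `/* stateful log-all: credit the nat rule if it asked for it, else the filter rule */`, would help. The identical block in the AF_INET6 hunk on the next line deserves the same comment, or the two copies could share one small static helper since they differ only in the address-family argument. The `done:` label and the enclosing function lie outside the hunk.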
@@ -6258,8 +6278,16 @@ done:
 REASON_SET(&reason, PFRES_MEMORY);
 }
- if (log)
- PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset);
+ if (log) {
+ struct pf_rule *lr;
+
+ if (s != NULL && s->nat_rule.ptr != NULL &&
+ s->nat_rule.ptr->log & PF_LOGALL)
+ lr = s->nat_rule.ptr;
+ else
+ lr = r;
+ PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset);
+ }
 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
|