authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2010-01-18 23:52:47 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2010-01-18 23:52:47 +0000
commit5edcd5f8f5844e468d470c15de877705fb0d6d96 (patch)
tree99bdb467f4d5982c62c360fb79fb06f77ff4f0fe /sys/net
parent43bd8b3b6872298cb924f7c1f779da3bbb126fd6 (diff)
Convert pf debug logging to use log()/addlog(), a single standardised
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug levels will still work for now, but will eventually be phased out. discussed with henning, ok dlg
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/if_pfsync.c81
-rw-r--r--sys/net/pf.c382
-rw-r--r--sys/net/pf_if.c25
-rw-r--r--sys/net/pf_ioctl.c14
-rw-r--r--sys/net/pf_lb.c28
-rw-r--r--sys/net/pf_norm.c114
-rw-r--r--sys/net/pf_osfp.c40
-rw-r--r--sys/net/pf_ruleset.c35
-rw-r--r--sys/net/pf_table.c3
-rw-r--r--sys/net/pfvar.h36
10 files changed, 406 insertions, 352 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 6abc539b45c..c64b965a57d 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.140 2010/01/12 23:38:02 dlg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.141 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -53,6 +53,7 @@
#include <sys/kernel.h>
#include <sys/sysctl.h>
#include <sys/pool.h>
+#include <sys/syslog.h>
#include <net/if.h>
#include <net/if_types.h>
@@ -80,6 +81,7 @@
#include <netinet/ip_carp.h>
#endif
+#define PF_DEBUGNAME "pfsync: "
#include <net/pfvar.h>
#include <net/if_pfsync.h>
@@ -484,16 +486,15 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
int pool_flags;
int error;
- if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) {
- printf("pfsync_state_import: invalid creator id:"
- " %08x\n", ntohl(sp->creatorid));
+ if (sp->creatorid == 0) {
+ DPFPRINTF(LOG_NOTICE, "pfsync_state_import: "
+ "invalid creator id: %08x", ntohl(sp->creatorid));
return (EINVAL);
}
if ((kif = pfi_kif_get(sp->ifname)) == NULL) {
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync_state_import: "
- "unknown interface: %s\n", sp->ifname);
+ DPFPRINTF(LOG_NOTICE, "pfsync_state_import: "
+ "unknown interface: %s", sp->ifname);
if (flags & PFSYNC_SI_IOCTL)
return (EINVAL);
return (0); /* skip this state */
@@ -814,10 +815,8 @@ pfsync_in_ins(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
sp->dst.state > PF_TCPS_PROXY_DST ||
sp->direction > PF_OUT ||
(sp->af != AF_INET && sp->af != AF_INET6)) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pfsync_input: PFSYNC5_ACT_INS: "
- "invalid value\n");
- }
+ DPFPRINTF(LOG_NOTICE,
+ "pfsync_input: PFSYNC5_ACT_INS: invalid value");
pfsyncstats.pfsyncs_badval++;
continue;
}
@@ -912,10 +911,29 @@ pfsync_in_upd(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
if (sp->timeout >= PFTM_MAX ||
sp->src.state > PF_TCPS_PROXY_DST ||
sp->dst.state > PF_TCPS_PROXY_DST) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pfsync_input: PFSYNC_ACT_UPD: "
- "invalid value\n");
- }
+ DPFPRINTF(LOG_NOTICE,
+ "pfsync_input: PFSYNC_ACT_UPD: invalid value");
+ pfsyncstats.pfsyncs_badval++;
+ continue;
+ }
+
+ bcopy(sp->id, &id_key.id, sizeof(id_key.id));
+ id_key.creatorid = sp->creatorid;
+
+ st = pf_find_state_byid(&id_key);
+ if (st == NULL) {
+ /* insert the update */
+ if (pfsync_state_import(sp, 0))
+ pfsyncstats.pfsyncs_badstate++;
+ continue;
+ }
+
+ if (ISSET(st->state_flags, PFSTATE_ACK))
+ pfsync_deferred(st, 1);
+
+ if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) {
+ DPFPRINTF(LOG_NOTICE,
+ "pfsync_input: PFSYNC_ACT_UPD: invalid value");
pfsyncstats.pfsyncs_badval++;
continue;
}
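Review bot: The new `if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) {` branch at the end of the hunk logs "invalid value", increments `pfsyncstats.pfsyncs_badval` and `continue`s, so every TCP state update received over pfsync would be discarded as malformed. The added lines from `bcopy(sp->id, &id_key.id, sizeof(id_key.id));` onward look like a pasted duplicate of the lookup that follows the hunk in the original, and the trailing `}` context lines now close the TCP `if` rather than the invalid-value check, so the lookup would also run twice per update if that reading is right. The TCP branch should hold the TCP-specific update path the original code had at this point, not a copy of the invalid-value handling, and the duplicated `bcopy`/`pf_find_state_byid`/`pfsync_deferred` sequence should be dropped. pfsync_in_upd starts and continues outside this hunk, so the original code after the `}` is not visible here.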
@@ -994,11 +1012,8 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
if (up->timeout >= PFTM_MAX ||
up->src.state > PF_TCPS_PROXY_DST ||
up->dst.state > PF_TCPS_PROXY_DST) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pfsync_input: "
- "PFSYNC_ACT_UPD_C: "
- "invalid value\n");
- }
+ DPFPRINTF(LOG_NOTICE,
+ "pfsync_input: PFSYNC_ACT_UPD_C: invalid value");
pfsyncstats.pfsyncs_badval++;
continue;
}
@@ -1164,8 +1179,7 @@ pfsync_in_bus(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
pf_pool_limits[PF_LIMIT_STATES].limit /
((sc->sc_if.if_mtu - PFSYNC_MINPKT) /
sizeof(struct pfsync_state)));
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: received bulk update start\n");
+ DPFPRINTF(LOG_INFO, "received bulk update start");
break;
case PFSYNC_BUS_END:
@@ -1180,13 +1194,10 @@ pfsync_in_bus(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
carp_group_demote_adj(&sc->sc_if, -1);
#endif
pfsync_sync_ok = 1;
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: received valid "
- "bulk update end\n");
+ DPFPRINTF(LOG_INFO, "received valid bulk update end");
} else {
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: received invalid "
- "bulk update end: bad timestamp\n");
+ DPFPRINTF(LOG_WARNING, "received invalid "
+ "bulk update end: bad timestamp");
}
break;
}
@@ -1246,9 +1257,8 @@ pfsync_update_net_tdb(struct pfsync_tdb *pt)
return;
bad:
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync_insert: PFSYNC_ACT_TDB_UPD: "
- "invalid value\n");
+ DPFPRINTF(LOG_WARNING, "pfsync_insert: PFSYNC_ACT_TDB_UPD: "
+ "invalid value");
pfsyncstats.pfsyncs_badstate++;
return;
}
@@ -1875,8 +1885,7 @@ pfsync_request_full_update(struct pfsync_softc *sc)
carp_group_demote_adj(&sc->sc_if, 1);
#endif
pfsync_sync_ok = 0;
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: requesting bulk update\n");
+ DPFPRINTF(LOG_INFO, "requesting bulk update");
timeout_add(&sc->sc_bulkfail_tmo, 4 * hz +
pf_pool_limits[PF_LIMIT_STATES].limit /
((sc->sc_if.if_mtu - PFSYNC_MINPKT) /
@@ -2162,8 +2171,7 @@ pfsync_bulk_start(void)
sc->sc_bulk_next = TAILQ_FIRST(&state_list);
sc->sc_bulk_last = sc->sc_bulk_next;
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: received bulk update request\n");
+ DPFPRINTF(LOG_INFO, "received bulk update request");
pfsync_bulk_status(PFSYNC_BUS_START);
timeout_add(&sc->sc_bulk_tmo, 0);
@@ -2250,8 +2258,7 @@ pfsync_bulk_fail(void *arg)
carp_group_demote_adj(&sc->sc_if, -1);
#endif
pfsync_sync_ok = 1;
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: failed to receive bulk update\n");
+ DPFPRINTF(LOG_ERR, "failed to receive bulk update");
}
}
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 1ab9d27f346..66f6aa08d70 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.688 2010/01/14 20:43:19 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.689 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -51,6 +51,7 @@
#include <sys/pool.h>
#include <sys/proc.h>
#include <sys/rwlock.h>
+#include <sys/syslog.h>
#include <crypto/md5.h>
@@ -95,8 +96,6 @@
#endif /* INET6 */
-#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
-
/*
* Global variables
*/
@@ -435,8 +434,9 @@ pf_src_connlimit(struct pf_state **state)
u_int32_t killed = 0;
pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf_src_connlimit: blocking address ");
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: pf_src_connlimit: blocking address ");
pf_print_host(&sn->addr, 0,
(*state)->key[PF_SK_WIRE]->af);
}
@@ -489,11 +489,11 @@ pf_src_connlimit(struct pf_state **state)
killed++;
}
}
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf(", %u states killed", killed);
+ if (pf_status.debug >= LOG_NOTICE)
+ addlog(", %u states killed", killed);
}
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("\n");
+ if (pf_status.debug >= LOG_NOTICE)
+ addlog("\n");
}
/* kill this state */
@@ -544,10 +544,11 @@ pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
PF_ACPY(&(*sn)->raddr, raddr, af);
if (RB_INSERT(pf_src_tree,
&tree_src_tracking, *sn) != NULL) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: src_tree insert failed: ");
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: src_tree insert failed: ");
pf_print_host(&(*sn)->addr, 0, af);
- printf("\n");
+ addlog("\n");
}
pool_put(&pf_src_tree_pl, *sn);
return (-1);
@@ -724,8 +725,9 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx)
/* unlink late or sks can go away */
olds = si->s;
} else {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: %s key attach "
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: %s key attach "
"failed on %s: ",
(idx == PF_SK_WIRE) ?
"wire" : "stack",
@@ -735,13 +737,13 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx)
sk : NULL,
(idx == PF_SK_STACK) ?
sk : NULL);
- printf(", existing: ");
+ addlog(", existing: ");
pf_print_state_parts(si->s,
(idx == PF_SK_WIRE) ?
sk : NULL,
(idx == PF_SK_STACK) ?
sk : NULL);
- printf("\n");
+ addlog("\n");
}
pool_put(&pf_state_key_pl, sk);
return (-1); /* collision! */
@@ -872,10 +874,10 @@ pf_state_key_setup(struct pf_pdesc *pd,
*skw = sk2;
}
- if (pf_status.debug >= PF_DEBUG_NOISY) {
- printf("pf: key setup: ");
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG, "pf: key setup: ");
pf_print_state_parts(NULL, *skw, *sks);
- printf("\n");
+ addlog("\n");
}
return (0);
@@ -908,11 +910,11 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
s->creatorid = pf_status.hostid;
}
if (RB_INSERT(pf_state_tree_id, &tree_id, s) != NULL) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: state insert failed: "
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: state insert failed: "
"id: %016llx creatorid: %08x",
betoh64(s->id), ntohl(s->creatorid));
- printf("\n");
+ addlog("\n");
}
pf_detach_state(s);
return (-1);
@@ -949,19 +951,23 @@ pf_compare_state_keys(struct pf_state_key *a, struct pf_state_key *b,
return (0);
else {
/* mismatch. must not happen. */
- printf("pf: state key linking mismatch! dir=%s, "
- "if=%s, stored af=%u, a0: ",
- dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);
- pf_print_host(&a->addr[0], a->port[0], a->af);
- printf(", a1: ");
- pf_print_host(&a->addr[1], a->port[1], a->af);
- printf(", proto=%u", a->proto);
- printf(", found af=%u, a0: ", b->af);
- pf_print_host(&b->addr[0], b->port[0], b->af);
- printf(", a1: ");
- pf_print_host(&b->addr[1], b->port[1], b->af);
- printf(", proto=%u", b->proto);
- printf(".\n");
+ if (pf_status.debug >= LOG_ERR) {
+ log(LOG_ERR,
+ "pf: state key linking mismatch! dir=%s, "
+ "if=%s, stored af=%u, a0: ",
+ dir == PF_OUT ? "OUT" : "IN",
+ kif->pfik_name, a->af);
+ pf_print_host(&a->addr[0], a->port[0], a->af);
+ addlog(", a1: ");
+ pf_print_host(&a->addr[1], a->port[1], a->af);
+ addlog(", proto=%u", a->proto);
+ addlog(", found af=%u, a0: ", b->af);
+ pf_print_host(&b->addr[0], b->port[0], b->af);
+ addlog(", a1: ");
+ pf_print_host(&b->addr[1], b->port[1], b->af);
+ addlog(", proto=%u", b->proto);
+ addlog("\n");
+ }
return (-1);
}
}
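Review bot: The "mismatch. must not happen." report is now gated on `pf_status.debug >= LOG_ERR`, whereas the removed code printed it unconditionally, so if the default debug level is below LOG_ERR (not visible in this diff) an invariant violation in the state-key tables becomes silent. Given the comment on the line above the branch, consider dropping the `if (pf_status.debug >= LOG_ERR) {` wrapper and keeping the `log(LOG_ERR, ...)`/`addlog()` sequence unconditional, or add a comment saying why suppressing it is acceptable. pf_compare_state_keys begins outside the hunk.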
@@ -974,10 +980,10 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
struct pf_state_item *si;
pf_status.fcounters[FCNT_STATE_SEARCH]++;
- if (pf_status.debug >= PF_DEBUG_NOISY) {
- printf("pf: key search, if=%s: ", kif->pfik_name);
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG, "pf: key search, if=%s: ", kif->pfik_name);
pf_print_state_parts(NULL, (struct pf_state_key *)key, NULL);
- printf("\n");
+ addlog("\n");
}
if (dir == PF_OUT && m->m_pkthdr.pf.statekey &&
@@ -1292,11 +1298,11 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
#ifdef INET
case AF_INET: {
u_int32_t a = ntohl(addr->addr32[0]);
- printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
+ addlog("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
(a>>8)&255, a&255);
if (p) {
p = ntohs(p);
- printf(":%u", p);
+ addlog(":%u", p);
}
break;
}
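Review bot: pf_print_host now emits only through `addlog()`, which continues the most recently opened `log()` line and carries no priority of its own, so the function acquires an implicit precondition that the caller has already started a line with `log()`; nothing in the hunk documents that. A one-line comment above the function, e.g. `/* Appends to the current log() line; the caller must have called log() first. */`, would make the contract explicit, and the same note applies to pf_print_state_parts and pf_print_flags converted later in this diff. The function begins and ends outside this hunk.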
@@ -1328,19 +1334,19 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
for (i = 0; i < 8; i++) {
if (i >= maxstart && i <= maxend) {
if (i == 0)
- printf(":");
+ addlog(":");
if (i == maxend)
- printf(":");
+ addlog(":");
} else {
b = ntohs(addr->addr16[i]);
- printf("%x", b);
+ addlog("%x", b);
if (i < 7)
- printf(":");
+ addlog(":");
}
}
if (p) {
p = ntohs(p);
- printf("[%u]", p);
+ addlog("[%u]", p);
}
break;
}
@@ -1369,70 +1375,70 @@ pf_print_state_parts(struct pf_state *s,
switch (proto) {
case IPPROTO_IPV4:
- printf("IPv4");
+ addlog("IPv4");
break;
case IPPROTO_IPV6:
- printf("IPv6");
+ addlog("IPv6");
break;
case IPPROTO_TCP:
- printf("TCP");
+ addlog("TCP");
break;
case IPPROTO_UDP:
- printf("UDP");
+ addlog("UDP");
break;
case IPPROTO_ICMP:
- printf("ICMP");
+ addlog("ICMP");
break;
case IPPROTO_ICMPV6:
- printf("ICMPv6");
+ addlog("ICMPv6");
break;
default:
- printf("%u", proto);
+ addlog("%u", proto);
break;
}
switch (dir) {
case PF_IN:
- printf(" in");
+ addlog(" in");
break;
case PF_OUT:
- printf(" out");
+ addlog(" out");
break;
}
if (skw) {
- printf(" wire: (%d) ", skw->rdomain);
+ addlog(" wire: (%d) ", skw->rdomain);
pf_print_host(&skw->addr[0], skw->port[0], skw->af);
- printf(" ");
+ addlog(" ");
pf_print_host(&skw->addr[1], skw->port[1], skw->af);
}
if (sks) {
- printf(" stack: (%d) ", sks->rdomain);
+ addlog(" stack: (%d) ", sks->rdomain);
if (sks != skw) {
pf_print_host(&sks->addr[0], sks->port[0], sks->af);
- printf(" ");
+ addlog(" ");
pf_print_host(&sks->addr[1], sks->port[1], sks->af);
} else
- printf("-");
+ addlog("-");
}
if (s) {
if (proto == IPPROTO_TCP) {
- printf(" [lo=%u high=%u win=%u modulator=%u",
+ addlog(" [lo=%u high=%u win=%u modulator=%u",
s->src.seqlo, s->src.seqhi,
s->src.max_win, s->src.seqdiff);
if (s->src.wscale && s->dst.wscale)
- printf(" wscale=%u",
+ addlog(" wscale=%u",
s->src.wscale & PF_WSCALE_MASK);
- printf("]");
- printf(" [lo=%u high=%u win=%u modulator=%u",
+ addlog("]");
+ addlog(" [lo=%u high=%u win=%u modulator=%u",
s->dst.seqlo, s->dst.seqhi,
s->dst.max_win, s->dst.seqdiff);
if (s->src.wscale && s->dst.wscale)
- printf(" wscale=%u",
+ addlog(" wscale=%u",
s->dst.wscale & PF_WSCALE_MASK);
- printf("]");
+ addlog("]");
}
- printf(" %u:%u", s->src.state, s->dst.state);
+ addlog(" %u:%u", s->src.state, s->dst.state);
if (s->rule.ptr)
- printf(" @%d", s->rule.ptr->nr);
+ addlog(" @%d", s->rule.ptr->nr);
}
}
@@ -1440,23 +1446,23 @@ void
pf_print_flags(u_int8_t f)
{
if (f)
- printf(" ");
+ addlog(" ");
if (f & TH_FIN)
- printf("F");
+ addlog("F");
if (f & TH_SYN)
- printf("S");
+ addlog("S");
if (f & TH_RST)
- printf("R");
+ addlog("R");
if (f & TH_PUSH)
- printf("P");
+ addlog("P");
if (f & TH_ACK)
- printf("A");
+ addlog("A");
if (f & TH_URG)
- printf("U");
+ addlog("U");
if (f & TH_ECE)
- printf("E");
+ addlog("E");
if (f & TH_CWR)
- printf("W");
+ addlog("W");
}
#define PF_SET_SKIP_STEPS(i) \
@@ -1533,7 +1539,7 @@ pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
case PF_ADDR_RTLABEL:
return (aw1->v.rtlabel != aw2->v.rtlabel);
default:
- printf("invalid address type: %d\n", aw1->type);
+ addlog("invalid address type: %d\n", aw1->type);
return (1);
}
}
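Review bot: The `default:` case now calls `addlog()` with no preceding `log()`, so this message has no priority and is appended to whatever log line happened to be written last, unlike pf_step_into_anchor in the next hunk, which opens its own line with `log(LOG_ERR, ...)`. Since this is a standalone diagnostic it should start its own entry, either `log(LOG_ERR, "pf: invalid address type: %d\n", aw1->type);` or, matching the other converted sites, `DPFPRINTF(LOG_ERR, "invalid address type: %d", aw1->type);`. pf_addr_wrap_neq starts outside the hunk.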
@@ -2279,9 +2285,9 @@ pf_match_rcvif(struct mbuf *m, struct pf_rule *r)
kif = (struct pfi_kif *)ifp->if_pf_kif;
if (kif == NULL) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_test_via: kif == NULL, @%d via %s\n", r->nr,
- r->rcv_ifname));
+ DPFPRINTF(LOG_ERR,
+ "pf_test_via: kif == NULL, @%d via %s",
+ r->nr, r->rcv_ifname);
return (0);
}
@@ -2313,7 +2319,7 @@ pf_step_into_anchor(int *depth, struct pf_ruleset **rs,
*match = 0;
if (*depth >= sizeof(pf_anchor_stack) /
sizeof(pf_anchor_stack[0])) {
- printf("pf_step_into_anchor: stack overflow\n");
+ log(LOG_ERR, "pf_step_into_anchor: stack overflow\n");
*r = TAILQ_NEXT(*r, entries);
return;
} else if (*depth == 0 && a != NULL)
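Review bot: The new `log(LOG_ERR, "pf_step_into_anchor: stack overflow\n");` is the only direct `log()` message in pf.c in this diff without the `"pf: "` prefix that every other converted `log()` call uses (pf_src_connlimit, pf_insert_src_node, pf_state_insert and so on). For consistent grepping of kernel messages it should read `log(LOG_ERR, "pf: pf_step_into_anchor: stack overflow\n");`. The enclosing function begins and ends outside the hunk.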
@@ -3177,8 +3183,8 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd,
pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
&s->src, &s->dst, rewrite)) {
/* This really shouldn't happen!!! */
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_normalize_tcp_stateful failed on first pkt\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_normalize_tcp_stateful failed on first pkt");
goto csfailed;
}
}
@@ -3675,11 +3681,11 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
* and keep updating the state TTL.
*/
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: loose state match: ");
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: loose state match: ");
pf_print_state(*state);
pf_print_flags(th->th_flags);
- printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
+ addlog(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
pd->p_len, ackskew, (*state)->packets[0],
(*state)->packets[1],
@@ -3730,17 +3736,17 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
src->seqlo = 0;
src->seqhi = 1;
src->max_win = 1;
- } else if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: BAD state: ");
+ } else if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: BAD state: ");
pf_print_state(*state);
pf_print_flags(th->th_flags);
- printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
+ addlog(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n",
seq, orig_seq, ack, pd->p_len, ackskew,
(*state)->packets[0], (*state)->packets[1],
pd->dir == PF_IN ? "in" : "out",
pd->dir == (*state)->direction ? "fwd" : "rev");
- printf("pf: State failure on: %c %c %c %c | %c %c\n",
+ addlog("pf: State failure on: %c %c %c %c | %c %c\n",
SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
' ': '2',
@@ -3951,11 +3957,11 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
dst->state >= TCPS_FIN_WAIT_2 &&
src->state >= TCPS_FIN_WAIT_2) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: state reuse ");
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: state reuse ");
pf_print_state(*state);
pf_print_flags(th->th_flags);
- printf("\n");
+ addlog("\n");
}
/* XXX make sure it's the same direction ?? */
(*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
@@ -4118,11 +4124,12 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
(((!inner && (*state)->direction == direction) ||
(inner && (*state)->direction != direction)) ?
PF_IN : PF_OUT) != icmp_dir) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: icmp type %d in wrong direction (%d): ",
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: icmp type %d in wrong direction (%d): ",
ntohs(type), icmp_dir);
pf_print_state(*state);
- printf("\n");
+ addlog("\n");
}
return (PF_DROP);
}
@@ -4274,9 +4281,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(ip)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (ip)");
return (PF_DROP);
}
/*
@@ -4303,9 +4309,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(ip6)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (ip6)");
return (PF_DROP);
}
pd2.proto = h2_6.ip6_nxt;
@@ -4332,8 +4337,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, off2, &opt6,
sizeof(opt6), NULL, reason,
pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMPv6 short opt\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMPv6 short opt");
return (PF_DROP);
}
if (pd2.proto == IPPROTO_AH)
@@ -4368,9 +4373,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
*/
if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason,
pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(tcp)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (tcp)");
return (PF_DROP);
}
@@ -4408,28 +4412,30 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!((*state)->state_flags & PFSTATE_SLOPPY) &&
(!SEQ_GEQ(src->seqhi, seq) ||
!SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)))) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: BAD ICMP %d:%d ",
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: BAD ICMP %d:%d ",
icmptype, pd->hdr.icmp->icmp_code);
pf_print_host(pd->src, 0, pd->af);
- printf(" -> ");
+ addlog(" -> ");
pf_print_host(pd->dst, 0, pd->af);
- printf(" state: ");
+ addlog(" state: ");
pf_print_state(*state);
- printf(" seq=%u\n", seq);
+ addlog(" seq=%u\n", seq);
}
REASON_SET(reason, PFRES_BADSTATE);
return (PF_DROP);
} else {
- if (pf_status.debug >= PF_DEBUG_NOISY) {
- printf("pf: OK ICMP %d:%d ",
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG,
+ "pf: OK ICMP %d:%d ",
icmptype, pd->hdr.icmp->icmp_code);
pf_print_host(pd->src, 0, pd->af);
- printf(" -> ");
+ addlog(" -> ");
pf_print_host(pd->dst, 0, pd->af);
- printf(" state: ");
+ addlog(" state: ");
pf_print_state(*state);
- printf(" seq=%u\n", seq);
+ addlog(" seq=%u\n", seq);
}
}
@@ -4496,9 +4502,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(udp)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (udp)");
return (PF_DROP);
}
@@ -4571,9 +4576,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short i"
- "(icmp)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (icmp)");
return (PF_DROP);
}
@@ -4632,9 +4636,9 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, off2, &iih,
sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(icmp6)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short "
+ "(icmp6)");
return (PF_DROP);
}
@@ -5070,8 +5074,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
}
if (m0->m_len < sizeof(struct ip)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route: m0->m_len < sizeof(struct ip)\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route: m0->m_len < sizeof(struct ip)");
goto bad;
}
@@ -5100,8 +5104,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
if (s == NULL) {
if (pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
&naddr, NULL, &sn, &r->route, PF_SN_ROUTE)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route: pf_map_addr() failed.\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route: pf_map_addr() failed.");
goto bad;
}
@@ -5126,8 +5130,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
else if (m0 == NULL)
goto done;
if (m0->m_len < sizeof(struct ip)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route: m0->m_len < sizeof(struct ip)\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route: m0->m_len < sizeof(struct ip)");
goto bad;
}
ip = mtod(m0, struct ip *);
@@ -5260,8 +5264,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
}
if (m0->m_len < sizeof(struct ip6_hdr)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
goto bad;
}
ip6 = mtod(m0, struct ip6_hdr *);
@@ -5283,8 +5287,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
if (s == NULL) {
if (pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
&naddr, NULL, &sn, &r->route, PF_SN_ROUTE)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route6: pf_map_addr() failed.\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route6: pf_map_addr() failed.");
goto bad;
}
if (!PF_AZERO(&naddr, AF_INET6))
@@ -5306,8 +5310,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
else if (m0 == NULL)
goto done;
if (m0->m_len < sizeof(struct ip6_hdr)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
goto bad;
}
ip6 = mtod(m0, struct ip6_hdr *);
@@ -5466,7 +5470,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
struct ether_header *eh)
{
struct pfi_kif *kif;
- u_short action, reason = 0, log = 0;
+ u_short action, reason = 0, pflog = 0;
struct mbuf *m = *m0;
struct ip *h;
struct pf_rule *a = NULL, *r = &pf_default_rule;
@@ -5486,8 +5490,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
kif = (struct pfi_kif *)ifp->if_pf_kif;
if (kif == NULL) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname));
+ DPFPRINTF(LOG_ERR,
+ "pf_test: kif == NULL, if_xname %s", ifp->if_xname);
return (PF_DROP);
}
if (kif->pfik_flags & PFI_IFLAG_SKIP)
@@ -5501,7 +5505,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (m->m_pkthdr.len < (int)sizeof(*h)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
@@ -5525,7 +5529,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (off < (int)sizeof(*h)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
@@ -5560,7 +5564,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &th, sizeof(th),
&action, &reason, AF_INET)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
pd.p_len = pd.tot_len - off - (th.th_off << 2);
@@ -5579,7 +5583,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
@@ -5600,7 +5604,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
&action, &reason, AF_INET)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (uh.uh_dport == 0 ||
@@ -5619,7 +5623,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
@@ -5633,7 +5637,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
&action, &reason, AF_INET)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
@@ -5644,7 +5648,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
@@ -5653,8 +5657,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
case IPPROTO_ICMPV6: {
action = PF_DROP;
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping IPv4 packet with ICMPv6 payload\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: dropping IPv4 packet with ICMPv6 payload");
goto done;
}
@@ -5666,7 +5670,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, h,
&pd, &a, &ruleset, &ipintrq);
@@ -5678,9 +5682,9 @@ done:
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log |= PF_LOG_FORCE;
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping packet with ip options\n"));
+ pflog |= PF_LOG_FORCE;
+ DPFPRINTF(LOG_NOTICE,
+ "pf: dropping packet with ip options");
}
if (s) {
@@ -5741,10 +5745,10 @@ done:
action = PF_DIVERT;
}
- if (log) {
+ if (pflog) {
struct pf_rule_item *ri;
- if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)
+ if (pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL)
PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a,
ruleset, &pd);
if (s) {
@@ -5827,7 +5831,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
struct ether_header *eh)
{
struct pfi_kif *kif;
- u_short action, reason = 0, log = 0;
+ u_short action, reason = 0, pflog = 0;
struct mbuf *m = *m0, *n = NULL;
struct ip6_hdr *h;
struct pf_rule *a = NULL, *r = &pf_default_rule;
@@ -5846,8 +5850,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
kif = (struct pfi_kif *)ifp->if_pf_kif;
if (kif == NULL) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));
+ DPFPRINTF(LOG_ERR,
+ "pf_test6: kif == NULL, if_xname %s", ifp->if_xname);
return (PF_DROP);
}
if (kif->pfik_flags & PFI_IFLAG_SKIP)
@@ -5861,7 +5865,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (m->m_pkthdr.len < (int)sizeof(*h)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
@@ -5887,7 +5891,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (htons(h->ip6_plen) == 0) {
action = PF_DROP;
REASON_SET(&reason, PFRES_NORM); /*XXX*/
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
#endif
@@ -5919,28 +5923,28 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
struct ip6_rthdr rthdr;
if (rh_cnt++) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: IPv6 more than one rthdr\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: IPv6 more than one rthdr");
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
&reason, pd.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: IPv6 short rthdr\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: IPv6 short rthdr");
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: IPv6 rthdr0\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: IPv6 rthdr0");
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
/* FALLTHROUGH */
@@ -5953,10 +5957,10 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
NULL, &reason, pd.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: IPv6 short opt\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: IPv6 short opt");
action = PF_DROP;
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (pd.proto == IPPROTO_AH)
@@ -5986,7 +5990,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &th, sizeof(th),
&action, &reason, AF_INET6)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
pd.p_len = pd.tot_len - off - (th.th_off << 2);
@@ -6003,7 +6007,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -6024,7 +6028,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
&action, &reason, AF_INET6)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (uh.uh_dport == 0 ||
@@ -6043,7 +6047,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -6052,8 +6056,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
case IPPROTO_ICMP: {
action = PF_DROP;
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping IPv6 packet with ICMPv4 payload\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: dropping IPv6 packet with ICMPv4 payload");
goto done;
}
@@ -6069,7 +6073,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &ih, icmp_hlen,
&action, &reason, AF_INET6)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
/* ICMP headers we look further into to match state */
@@ -6087,7 +6091,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
!pf_pull_hdr(m, off, &ih, icmp_hlen,
&action, &reason, AF_INET6)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
action = pf_test_state_icmp(&s, dir, kif,
@@ -6098,7 +6102,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -6113,7 +6117,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, h,
&pd, &a, &ruleset, &ip6intrq);
@@ -6131,9 +6135,9 @@ done:
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log |= PF_LOG_FORCE;;
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping packet with dangerous v6 headers\n"));
+ pflog |= PF_LOG_FORCE;
+ DPFPRINTF(LOG_NOTICE,
+ "pf: dropping packet with dangerous v6 headers");
}
if (s)
@@ -6184,10 +6188,10 @@ done:
action = PF_DIVERT;
}
- if (log) {
+ if (pflog) {
struct pf_rule_item *ri;
- if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)
+ if (pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL)
PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a,
ruleset, &pd);
if (s) {
diff --git a/sys/net/pf_if.c b/sys/net/pf_if.c
index d598e224cc5..0816e3fbf20 100644
--- a/sys/net/pf_if.c
+++ b/sys/net/pf_if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_if.c,v 1.59 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pf_if.c,v 1.60 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright 2005 Henning Brauer <henning@openbsd.org>
@@ -42,6 +42,7 @@
#include <sys/device.h>
#include <sys/time.h>
#include <sys/pool.h>
+#include <sys/syslog.h>
#include <net/if.h>
#include <net/if_types.h>
@@ -151,21 +152,24 @@ pfi_kif_unref(struct pfi_kif *kif, enum pfi_kif_refs what)
break;
case PFI_KIF_REF_RULE:
if (kif->pfik_rules <= 0) {
- printf("pfi_kif_unref: rules refcount <= 0\n");
+ DPFPRINTF(LOG_ERR,
+ "pfi_kif_unref: rules refcount <= 0");
return;
}
kif->pfik_rules--;
break;
case PFI_KIF_REF_STATE:
if (kif->pfik_states <= 0) {
- printf("pfi_kif_unref: state refcount <= 0\n");
+ DPFPRINTF(LOG_ERR,
+ "pfi_kif_unref: state refcount <= 0");
return;
}
kif->pfik_states--;
break;
case PFI_KIF_REF_ROUTE:
if (kif->pfik_routes <= 0) {
- printf("pfi_kif_unref: state refcount <= 0\n");
+ DPFPRINTF(LOG_ERR,
+ "pfi_kif_unref: state refcount <= 0");
return;
}
kif->pfik_routes--;
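Review bot: The PFI_KIF_REF_ROUTE branch still logs `pfi_kif_unref: state refcount <= 0` — the new DPFPRINTF line keeps the text copy-pasted from the state case — so a route refcount underflow is indistinguishable from a state one in syslog. Change the message to `"pfi_kif_unref: route refcount <= 0"`. pfi_kif_unref() begins and ends outside this hunk.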
@@ -457,8 +461,9 @@ pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int flags)
if ((e = pfr_set_addrs(&kt->pfrkt_t, pfi_buffer, pfi_buffer_cnt, &size2,
NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK)))
- printf("pfi_table_update: cannot set %d new addresses "
- "into table %s: %d\n", pfi_buffer_cnt, kt->pfrkt_name, e);
+ DPFPRINTF(LOG_ERR,
+ "pfi_table_update: cannot set %d new addresses "
+ "into table %s: %d", pfi_buffer_cnt, kt->pfrkt_name, e);
}
void
@@ -528,15 +533,17 @@ pfi_address_add(struct sockaddr *sa, int af, int net)
int new_max = pfi_buffer_max * 2;
if (new_max > PFI_BUFFER_MAX) {
- printf("pfi_address_add: address buffer full (%d/%d)\n",
+ DPFPRINTF(LOG_ERR,
+ "pfi_address_add: address buffer full (%d/%d)",
pfi_buffer_cnt, PFI_BUFFER_MAX);
return;
}
p = malloc(new_max * sizeof(*pfi_buffer), PFI_MTYPE,
M_DONTWAIT);
if (p == NULL) {
- printf("pfi_address_add: no memory to grow buffer "
- "(%d/%d)\n", pfi_buffer_cnt, PFI_BUFFER_MAX);
+ DPFPRINTF(LOG_ERR,
+ "pfi_address_add: no memory to grow buffer "
+ "(%d/%d)", pfi_buffer_cnt, PFI_BUFFER_MAX);
return;
}
memcpy(p, pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 4e898f9610b..d40db4590ce 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.231 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.232 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -53,6 +53,7 @@
#include <sys/malloc.h>
#include <sys/kthread.h>
#include <sys/rwlock.h>
+#include <sys/syslog.h>
#include <uvm/uvm_extern.h>
#include <net/if.h>
@@ -144,7 +145,6 @@ int pf_rtlabel_add(struct pf_addr_wrap *);
void pf_rtlabel_remove(struct pf_addr_wrap *);
void pf_rtlabel_copyout(struct pf_addr_wrap *);
-#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
void
pfattach(int num)
@@ -223,7 +223,7 @@ pfattach(int num)
pf_normalize_init();
bzero(&pf_status, sizeof(pf_status));
- pf_status.debug = PF_DEBUG_URGENT;
+ pf_status.debug = LOG_ERR;
pf_status.reass = PF_REASS_ENABLED;
/* XXX do our best to avoid a conflict */
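Review bot: The default moves from PF_DEBUG_URGENT (1) to LOG_ERR (3) while the PF_DEBUG_* enum is deleted from pfvar.h later in this diff, so the compatibility the commit message promises ("old debug levels will still work") rests entirely on the DIOCSETDEBUG handler, which is not in this hunk; if that handler stores the raw value, an older pfctl sending `debug misc` (2) would select LOG_CRIT and log less than before rather than more. A short comment on the assignment would make the intent auditable, e.g. `/* syslog priority (LOG_*); legacy PF_DEBUG_* values must be remapped in DIOCSETDEBUG */`. pfattach() continues outside the hunk.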
@@ -978,7 +978,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
pf_status.stateid = time_second;
pf_status.stateid = pf_status.stateid << 32;
}
- DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
+ DPFPRINTF(LOG_NOTICE, "pf: started");
}
break;
@@ -988,7 +988,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
else {
pf_status.running = 0;
pf_status.since = time_second;
- DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
+ DPFPRINTF(LOG_NOTICE, "pf: stopped");
}
break;
@@ -1723,7 +1723,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
}
if (error == 0)
pf_altq_running = 1;
- DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
+ DPFPRINTF(LOG_NOTICE, "altq: started");
break;
}
@@ -1740,7 +1740,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
}
if (error == 0)
pf_altq_running = 0;
- DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
+ DPFPRINTF(LOG_NOTICE, "altq: stopped");
break;
}
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c
index 52c6a0f7e7f..06bc0342b0c 100644
--- a/sys/net/pf_lb.c
+++ b/sys/net/pf_lb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_lb.c,v 1.10 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pf_lb.c,v 1.11 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -51,6 +51,7 @@
#include <sys/pool.h>
#include <sys/proc.h>
#include <sys/rwlock.h>
+#include <sys/syslog.h>
#include <crypto/md5.h>
@@ -93,8 +94,6 @@
#endif /* INET6 */
-#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
-
/*
* Global variables
*/
@@ -282,13 +281,13 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
if (sns[type] != NULL) {
if (!PF_AZERO(&(sns[type])->raddr, af))
PF_ACPY(naddr, &(sns[type])->raddr, af);
- if (pf_status.debug >= PF_DEBUG_NOISY) {
- printf("pf_map_addr: src tracking (%u) maps ",
- type);
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG, "pf: pf_map_addr: "
+ "src tracking (%u) maps ", type);
pf_print_host(&k.addr, 0, af);
- printf(" to ");
+ addlog(" to ");
pf_print_host(naddr, 0, af);
- printf("\n");
+ addlog("\n");
}
return (0);
}
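Review bot: The new `log(LOG_DEBUG, ...)` / `addlog()` sequence around `pf_print_host()` only yields one coherent syslog line if pf_print_host() itself emits via addlog(); that function lives in pf.c and its conversion is not visible here, so if it still uses printf() the address goes to the console only and the syslog record is left as a dangling prefix. Worth confirming, or marking the dependency on the `log()` call with `/* pf_print_host() must use addlog() to continue this line */`. pf_map_addr() begins and ends outside this hunk.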
@@ -408,11 +407,11 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
return (1);
}
- if (pf_status.debug >= PF_DEBUG_MISC &&
+ if (pf_status.debug >= LOG_NOTICE &&
(rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
- printf("pf_map_addr: selected address ");
+ log(LOG_NOTICE, "pf: pf_map_addr: selected address ");
pf_print_host(naddr, 0, af);
- printf("\n");
+ addlog("\n");
}
return (0);
@@ -432,11 +431,10 @@ pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr,
if (pf_get_sport(pd->af, pd->proto, r, saddr,
daddr, *dport, &naddr, &nport, r->nat.proxy_port[0],
r->nat.proxy_port[1], sns, pd->rdomain)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: NAT proxy port allocation "
- "(%u-%u) failed\n",
+ DPFPRINTF(LOG_NOTICE,
+ "pf: NAT proxy port allocation (%u-%u) failed",
r->nat.proxy_port[0],
- r->nat.proxy_port[1]));
+ r->nat.proxy_port[1]);
return (-1);
}
PF_ACPY(saddr, &naddr, pd->af);
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index c0ac7095c74..c3708d724da 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.120 2009/09/01 15:51:06 jsing Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.121 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -37,6 +37,7 @@
#include <sys/kernel.h>
#include <sys/time.h>
#include <sys/pool.h>
+#include <sys/syslog.h>
#include <dev/rndvar.h>
#include <net/if.h>
@@ -114,13 +115,6 @@ struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *);
struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **,
struct pf_frent *, int);
-#define DPFPRINTF(x) do { \
- if (pf_status.debug >= PF_DEBUG_MISC) { \
- printf("%s: ", __func__); \
- printf x ; \
- } \
-} while(0)
-
/* Globals */
struct pool pf_frent_pl, pf_frag_pl, pf_cache_pl, pf_cent_pl;
struct pool pf_state_scrub_pl;
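Review bot: Deleting the file-local DPFPRINTF also deletes the `"%s: ", __func__` prefix it printed, so messages such as `IP_DF`, `overlap -%d`, `%d < %d?` and `complete: %p(%d)` in the later hunks now reach syslog as a bare `pf: IP_DF` with nothing indicating they come from the fragment reassembler. Either define `#define PF_DEBUGNAME "pf_norm: "` ahead of `#include <net/pfvar.h>` (pfvar.h only sets the default when the name is not already defined), or fold the function name into the formats, e.g. `DPFPRINTF(LOG_NOTICE, "%s: IP_DF", __func__);`.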
@@ -181,7 +175,7 @@ pf_purge_expired_fragments(void)
if (frag->fr_timeout > expire)
break;
- DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag));
+ DPFPRINTF(LOG_NOTICE, "expiring %d(%p)", frag->fr_id, frag);
pf_free_fragment(frag);
}
@@ -190,7 +184,7 @@ pf_purge_expired_fragments(void)
if (frag->fr_timeout > expire)
break;
- DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag));
+ DPFPRINTF(LOG_NOTICE, "expiring %d(%p)", frag->fr_id, frag);
pf_free_fragment(frag);
KASSERT(TAILQ_EMPTY(&pf_cachequeue) ||
TAILQ_LAST(&pf_cachequeue, pf_cachequeue) != frag);
@@ -208,8 +202,8 @@ pf_flush_fragments(void)
int goal;
goal = pf_nfrents * 9 / 10;
- DPFPRINTF(("trying to free > %d frents\n",
- pf_nfrents - goal));
+ DPFPRINTF(LOG_NOTICE, "trying to free > %d frents",
+ pf_nfrents - goal);
while (goal < pf_nfrents) {
frag = TAILQ_LAST(&pf_fragqueue, pf_fragqueue);
if (frag == NULL)
@@ -219,8 +213,8 @@ pf_flush_fragments(void)
goal = pf_ncache * 9 / 10;
- DPFPRINTF(("trying to free > %d cache entries\n",
- pf_ncache - goal));
+ DPFPRINTF(LOG_NOTICE, "trying to free > %d cache entries",
+ pf_ncache - goal);
while (goal < pf_ncache) {
frag = TAILQ_LAST(&pf_cachequeue, pf_cachequeue);
if (frag == NULL)
@@ -383,7 +377,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
if (precut >= ip_len)
goto drop_fragment;
m_adj(frent->fr_m, precut);
- DPFPRINTF(("overlap -%d\n", precut));
+ DPFPRINTF(LOG_NOTICE, "overlap -%d", precut);
/* Enforce 8 byte boundaries */
ip->ip_off = htons(ntohs(ip->ip_off) + (precut >> 3));
off = (ntohs(ip->ip_off) & IP_OFFMASK) << 3;
@@ -397,7 +391,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
u_int16_t aftercut;
aftercut = ip_len + off - FR_IP_OFF(frea);
- DPFPRINTF(("adjust overlap %d\n", aftercut));
+ DPFPRINTF(LOG_NOTICE, "adjust overlap %d", aftercut);
if (aftercut < ntohs(frea->fr_ip->ip_len) - frea->fr_ip->ip_hl
* 4)
{
@@ -443,13 +437,14 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
if (off < (*frag)->fr_max &&
(next == NULL || FR_IP_OFF(next) != off))
{
- DPFPRINTF(("missing fragment at %d, next %d, max %d\n",
+ DPFPRINTF(LOG_NOTICE,
+ "missing fragment at %d, next %d, max %d",
off, next == NULL ? -1 : FR_IP_OFF(next),
- (*frag)->fr_max));
+ (*frag)->fr_max);
return (NULL);
}
}
- DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max));
+ DPFPRINTF(LOG_NOTICE, "%d < %d?", off, (*frag)->fr_max);
if (off < (*frag)->fr_max)
return (NULL);
@@ -457,7 +452,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
frent = LIST_FIRST(&(*frag)->fr_queue);
KASSERT(frent != NULL);
if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) {
- DPFPRINTF(("drop: too big: %d\n", off));
+ DPFPRINTF(LOG_NOTICE, "drop: too big: %d", off);
pf_free_fragment(*frag);
*frag = NULL;
return (NULL);
@@ -502,7 +497,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
m->m_pkthdr.len = plen;
}
- DPFPRINTF(("complete: %p(%d)\n", m, ntohs(ip->ip_len)));
+ DPFPRINTF(LOG_NOTICE, "complete: %p(%d)", m, ntohs(ip->ip_len));
return (m);
drop_fragment:
@@ -552,7 +547,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
* no-df above, fine. Otherwise drop it.
*/
if (h->ip_off & htons(IP_DF)) {
- DPFPRINTF(("IP_DF\n"));
+ DPFPRINTF(LOG_NOTICE, "IP_DF");
goto bad;
}
@@ -561,13 +556,13 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
/* All fragments are 8 byte aligned */
if (mff && (ip_len & 0x7)) {
- DPFPRINTF(("mff and %d\n", ip_len));
+ DPFPRINTF(LOG_NOTICE, "mff and %d", ip_len);
goto bad;
}
/* Respect maximum length */
if (fragoff + ip_len > IP_MAXPACKET) {
- DPFPRINTF(("max packet %d\n", fragoff + ip_len));
+ DPFPRINTF(LOG_NOTICE, "max packet %d", fragoff + ip_len);
goto bad;
}
max = fragoff + ip_len;
@@ -591,7 +586,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
frent->fr_m = m;
/* Might return a completely reassembled mbuf, or NULL */
- DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max));
+ DPFPRINTF(LOG_NOTICE,
+ "reass frag %d @ %d-%d\n", h->ip_id, fragoff, max);
*m0 = m = pf_reassemble(m0, &frag, frent, mff);
if (m == NULL)
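Review bot: The format on the new line, `"reass frag %d @ %d-%d\n"`, keeps its trailing newline although the standardised DPFPRINTF now appends one itself, so this message produces an empty line in the log; drop it: `"reass frag %d @ %d-%d", h->ip_id, fragoff, max);`. The other converted formats in this file were stripped correctly. pf_normalize_ip() continues outside the hunk.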
@@ -619,7 +615,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
return (PF_DROP);
bad:
- DPFPRINTF(("dropping bad fragment\n"));
+ DPFPRINTF(LOG_NOTICE, "dropping bad fragment");
/* Free associated fragments */
if (frag != NULL)
@@ -992,10 +988,12 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
if (got_ts) {
/* Huh? Multiple timestamps!? */
- if (pf_status.debug >= PF_DEBUG_MISC) {
- DPFPRINTF(("multiple TS??"));
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: %s: multiple TS??",
+ __func__);
pf_print_state(state);
- printf("\n");
+ addlog("\n");
}
REASON_SET(reason, PFRES_TS);
return (PF_DROP);
@@ -1061,20 +1059,20 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) &&
(uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE ||
time_second - state->creation > TS_MAX_CONN)) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- DPFPRINTF(("src idled out of PAWS\n"));
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: src idled out of PAWS ");
pf_print_state(state);
- printf("\n");
+ addlog("\n");
}
src->scrub->pfss_flags = (src->scrub->pfss_flags & ~PFSS_PAWS)
| PFSS_PAWS_IDLED;
}
if (dst->scrub && (dst->scrub->pfss_flags & PFSS_PAWS) &&
uptime.tv_sec - dst->scrub->pfss_last.tv_sec > TS_MAX_IDLE) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- DPFPRINTF(("dst idled out of PAWS\n"));
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: dst idled out of PAWS ");
pf_print_state(state);
- printf("\n");
+ addlog("\n");
}
dst->scrub->pfss_flags = (dst->scrub->pfss_flags & ~PFSS_PAWS)
| PFSS_PAWS_IDLED;
@@ -1179,25 +1177,29 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
* an old timestamp.
*/
- DPFPRINTF(("Timestamp failed %c%c%c%c\n",
+ DPFPRINTF(LOG_NOTICE, "Timestamp failed %c%c%c%c",
SEQ_LT(tsval, dst->scrub->pfss_tsecr) ? '0' : ' ',
SEQ_GT(tsval, src->scrub->pfss_tsval +
tsval_from_last) ? '1' : ' ',
SEQ_GT(tsecr, dst->scrub->pfss_tsval) ? '2' : ' ',
- SEQ_LT(tsecr, dst->scrub->pfss_tsval0)? '3' : ' '));
- DPFPRINTF((" tsval: %lu tsecr: %lu +ticks: %lu "
- "idle: %lus %lums\n",
+ SEQ_LT(tsecr, dst->scrub->pfss_tsval0)? '3' : ' ');
+ DPFPRINTF(LOG_NOTICE,
+ " tsval: %lu tsecr: %lu +ticks: %lu "
+ "idle: %lus %lums",
tsval, tsecr, tsval_from_last, delta_ts.tv_sec,
- delta_ts.tv_usec / 1000));
- DPFPRINTF((" src->tsval: %lu tsecr: %lu\n",
- src->scrub->pfss_tsval, src->scrub->pfss_tsecr));
- DPFPRINTF((" dst->tsval: %lu tsecr: %lu tsval0: %lu"
- "\n", dst->scrub->pfss_tsval,
- dst->scrub->pfss_tsecr, dst->scrub->pfss_tsval0));
- if (pf_status.debug >= PF_DEBUG_MISC) {
+ delta_ts.tv_usec / 1000);
+ DPFPRINTF(LOG_NOTICE,
+ " src->tsval: %lu tsecr: %lu",
+ src->scrub->pfss_tsval, src->scrub->pfss_tsecr);
+ DPFPRINTF(LOG_NOTICE,
+ " dst->tsval: %lu tsecr: %lu tsval0: %lu",
+ dst->scrub->pfss_tsval, dst->scrub->pfss_tsecr,
+ dst->scrub->pfss_tsval0);
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: ");
pf_print_state(state);
pf_print_flags(th->th_flags);
- printf("\n");
+ addlog("\n");
}
REASON_SET(reason, PFRES_TS);
return (PF_DROP);
@@ -1242,12 +1244,13 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
* Hey! Someone tried to sneak a packet in. Or the
* stack changed its RFC1323 behavior?!?!
*/
- if (pf_status.debug >= PF_DEBUG_MISC) {
- DPFPRINTF(("Did not receive expected RFC1323 "
- "timestamp\n"));
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: did not receive expected RFC1323 "
+ "timestamp");
pf_print_state(state);
pf_print_flags(th->th_flags);
- printf("\n");
+ addlog("\n");
}
REASON_SET(reason, PFRES_TS);
return (PF_DROP);
@@ -1269,15 +1272,16 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
src->scrub->pfss_flags |= PFSS_DATA_TS;
else {
src->scrub->pfss_flags |= PFSS_DATA_NOTS;
- if (pf_status.debug >= PF_DEBUG_MISC && dst->scrub &&
+ if (pf_status.debug >= LOG_NOTICE && dst->scrub &&
(dst->scrub->pfss_flags & PFSS_TIMESTAMP)) {
/* Don't warn if other host rejected RFC1323 */
- DPFPRINTF(("Broken RFC1323 stack did not "
+ log(LOG_NOTICE,
+ "pf: broken RFC1323 stack did not "
"timestamp data packet. Disabled PAWS "
- "security.\n"));
+ "security.");
pf_print_state(state);
pf_print_flags(th->th_flags);
- printf("\n");
+ addlog("\n");
}
}
}
diff --git a/sys/net/pf_osfp.c b/sys/net/pf_osfp.c
index 75f33032e1a..0824e5b9ff2 100644
--- a/sys/net/pf_osfp.c
+++ b/sys/net/pf_osfp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_osfp.c,v 1.15 2008/06/14 02:22:13 henning Exp $ */
+/* $OpenBSD: pf_osfp.c,v 1.16 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
@@ -24,6 +24,7 @@
#include <sys/pool.h>
#endif /* _KERNEL */
#include <sys/mbuf.h>
+#include <sys/syslog.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -40,9 +41,6 @@
#ifdef _KERNEL
-# define DPFPRINTF(format, x...) \
- if (pf_status.debug >= PF_DEBUG_NOISY) \
- printf(format , ##x)
typedef struct pool pool_t;
#else
@@ -60,11 +58,9 @@ typedef struct pool pool_t;
# define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size)
# ifdef PFDEBUG
-# include <sys/stdarg.h>
-# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
-# else
-# define DPFPRINTF(format, x...) ((void)0)
+# include <sys/stdarg.h> /* for DPFPRINTF() */
# endif /* PFDEBUG */
+
#endif /* _KERNEL */
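Review bot: The surviving `# include <sys/stdarg.h> /* for DPFPRINTF() */` no longer matches what the userland DPFPRINTF needs: per the pfvar.h hunk it expands to `fprintf(stderr, ...)` with a variadic-macro `x...` argument list, which requires `<stdio.h>` and no va_list machinery at all. Replace it with `# include <stdio.h> /* fprintf() in DPFPRINTF() */`, or drop it and document that the including program must provide stdio.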
@@ -240,8 +236,9 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const st
optlen = MAX(optlen, 1); /* paranoia */
}
- DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
- "(TS=%s,M=%s%d,W=%s%d)\n",
+ DPFPRINTF(LOG_NOTICE,
+ "fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
+ "(TS=%s,M=%s%d,W=%s%d)",
srcname, ntohs(tcp->th_sport),
fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
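Review bot: This message was gated on PF_DEBUG_NOISY by the file-local macro removed above, and it fires for every fingerprinted SYN with the peer address in `srcname`; mapping it to LOG_NOTICE makes `debug notice` considerably chattier, and more address-laden, than the old `debug misc` it is meant to correspond to. Use `DPFPRINTF(LOG_DEBUG,` here, the level pf_lb.c in this same commit chose for its former NOISY output, and likewise for the per-packet pf_osfp_match() messages in the following hunks. pf_osfp_fingerprint_hdr() continues outside the hunk.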
@@ -270,7 +267,7 @@ pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
if (os == PF_OSFP_ANY)
return (1);
if (list == NULL) {
- DPFPRINTF("osfp no match against %x\n", os);
+ DPFPRINTF(LOG_NOTICE, "osfp no match against %x", os);
return (os == PF_OSFP_UNKNOWN);
}
PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
@@ -279,13 +276,14 @@ pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
(os_version == PF_OSFP_ANY || en_version == os_version) &&
(os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
- DPFPRINTF("osfp matched %s %s %s %x==%x\n",
+ DPFPRINTF(LOG_NOTICE,
+ "osfp matched %s %s %s %x==%x",
entry->fp_class_nm, entry->fp_version_nm,
entry->fp_subtype_nm, os, entry->fp_os);
return (1);
}
}
- DPFPRINTF("fingerprint 0x%x didn't match\n", os);
+ DPFPRINTF(LOG_NOTICE, "fingerprint 0x%x didn't match", os);
return (0);
}
@@ -335,9 +333,9 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc)
fpadd.fp_wscale = fpioc->fp_wscale;
fpadd.fp_ttl = fpioc->fp_ttl;
-#if 0 /* XXX RYAN wants to fix logging */
- DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
- "(TS=%s,M=%s%d,W=%s%d) %x\n",
+ DPFPRINTF(LOG_DEBUG,
+ "adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
+ "(TS=%s,M=%s%d,W=%s%d) %x",
fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm,
fpioc->fp_os.fp_subtype_nm,
(fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
@@ -359,7 +357,6 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc)
(fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
fpadd.fp_wscale,
fpioc->fp_os.fp_os);
-#endif
if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) {
SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
@@ -401,7 +398,8 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc)
#ifdef PFDEBUG
if ((fp = pf_osfp_validate()))
- printf("Invalid fingerprint list\n");
+ DPFPRINTF(LOG_NOTICE,
+ "Invalid fingerprint list");
#endif /* PFDEBUG */
return (0);
}
@@ -570,7 +568,8 @@ pf_osfp_validate(void)
find.fp_wsize *= 2;
if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) {
if (f2)
- printf("Found \"%s %s %s\" instead of "
+ DPFPRINTF(LOG_NOTICE,
+ "Found \"%s %s %s\" instead of "
"\"%s %s %s\"\n",
SLIST_FIRST(&f2->fp_oses)->fp_class_nm,
SLIST_FIRST(&f2->fp_oses)->fp_version_nm,
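Review bot: The `"\"%s %s %s\"\n"` continuation on the third line of the new DPFPRINTF keeps its trailing newline although the macro appends one, giving a blank line in syslog; drop the `\n` there. pf_osfp_validate() continues outside the hunk.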
@@ -579,7 +578,8 @@ pf_osfp_validate(void)
SLIST_FIRST(&f->fp_oses)->fp_version_nm,
SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
else
- printf("Couldn't find \"%s %s %s\"\n",
+ DPFPRINTF(LOG_NOTICE,
+ "Couldn't find \"%s %s %s\"\n",
SLIST_FIRST(&f->fp_oses)->fp_class_nm,
SLIST_FIRST(&f->fp_oses)->fp_version_nm,
SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
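Review bot: The newly added `"Couldn't find \"%s %s %s\"\n",` retains a trailing newline that the standardised DPFPRINTF adds itself; change it to `"Couldn't find \"%s %s %s\"",`. pf_osfp_validate() continues outside the hunk.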
diff --git a/sys/net/pf_ruleset.c b/sys/net/pf_ruleset.c
index 313462fc7e6..31c5e86e7cb 100644
--- a/sys/net/pf_ruleset.c
+++ b/sys/net/pf_ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ruleset.c,v 1.5 2009/11/22 22:34:50 henning Exp $ */
+/* $OpenBSD: pf_ruleset.c,v 1.6 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -41,6 +41,7 @@
# include <sys/systm.h>
#endif /* _KERNEL */
#include <sys/mbuf.h>
+#include <sys/syslog.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -56,9 +57,6 @@
#ifdef _KERNEL
-# define DPFPRINTF(format, x...) \
- if (pf_status.debug >= PF_DEBUG_NOISY) \
- printf(format , ##x)
#define rs_malloc(x) malloc(x, M_TEMP, M_WAITOK|M_CANFAIL|M_ZERO)
#define rs_free(x) free(x, M_TEMP)
@@ -74,11 +72,8 @@
# define rs_free(x) free(x)
# ifdef PFDEBUG
-# include <sys/stdarg.h>
-# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
-# else
-# define DPFPRINTF(format, x...) ((void)0)
-# endif /* PFDEBUG */
+# include <sys/stdarg.h> /* for DPFPRINTF() */
+# endif
#endif /* _KERNEL */
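Review bot: Same include mismatch as in pf_osfp.c: `<sys/stdarg.h>` is kept "for DPFPRINTF()" although the userland macro defined in pfvar.h is `fprintf(stderr, ...)`-based and needs `<stdio.h>` instead. The trailing `# endif` also lost its `/* PFDEBUG */` tag, which the file otherwise keeps on every closing directive; restore it as `# endif /* PFDEBUG */`.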
@@ -196,8 +191,9 @@ pf_find_or_create_ruleset(const char *path)
strlcat(anchor->path, anchor->name, sizeof(anchor->path));
if ((dup = RB_INSERT(pf_anchor_global, &pf_anchors, anchor)) !=
NULL) {
- printf("pf_find_or_create_ruleset: RB_INSERT1 "
- "'%s' '%s' collides with '%s' '%s'\n",
+ DPFPRINTF(LOG_NOTICE,
+ "pf_find_or_create_ruleset: RB_INSERT1 "
+ "'%s' '%s' collides with '%s' '%s'",
anchor->path, anchor->name, dup->path, dup->name);
rs_free(anchor);
rs_free(p);
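Review bot: A duplicate anchor showing up on RB_INSERT is an internal-consistency failure that was previously reported by an unconditional printf(); at LOG_NOTICE it is now silent under the default `pf_status.debug = LOG_ERR` set elsewhere in this commit. Log it at `LOG_ERR`, matching the treatment the refcount checks in pf_if.c receive here, e.g. `DPFPRINTF(LOG_ERR, "pf_find_or_create_ruleset: RB_INSERT1 "`. pf_find_or_create_ruleset() begins and ends outside the hunk.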
@@ -207,9 +203,10 @@ pf_find_or_create_ruleset(const char *path)
anchor->parent = parent;
if ((dup = RB_INSERT(pf_anchor_node, &parent->children,
anchor)) != NULL) {
- printf("pf_find_or_create_ruleset: "
+ DPFPRINTF(LOG_NOTICE,
+ "pf_find_or_create_ruleset: "
"RB_INSERT2 '%s' '%s' collides with "
- "'%s' '%s'\n", anchor->path, anchor->name,
+ "'%s' '%s'", anchor->path, anchor->name,
dup->path, dup->name);
RB_REMOVE(pf_anchor_global, &pf_anchors,
anchor);
@@ -282,7 +279,8 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
strlcpy(path, s->anchor->path, MAXPATHLEN);
while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
if (!path[0]) {
- printf("pf_anchor_setup: .. beyond root\n");
+ DPFPRINTF(LOG_NOTICE,
+ "pf_anchor_setup: .. beyond root");
rs_free(path);
return (1);
}
@@ -304,7 +302,8 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
ruleset = pf_find_or_create_ruleset(path);
rs_free(path);
if (ruleset == NULL || ruleset->anchor == NULL) {
- printf("pf_anchor_setup: ruleset\n");
+ DPFPRINTF(LOG_NOTICE,
+ "pf_anchor_setup: ruleset");
return (1);
}
r->anchor = ruleset->anchor;
@@ -342,7 +341,8 @@ pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r,
sizeof(pr->anchor_call));
}
if (strncmp(a, r->anchor->path, strlen(a))) {
- printf("pf_anchor_copyout: '%s' '%s'\n", a,
+ DPFPRINTF(LOG_NOTICE,
+ "pf_anchor_copyout: '%s' '%s'", a,
r->anchor->path);
rs_free(a);
return (1);
@@ -364,7 +364,8 @@ pf_anchor_remove(struct pf_rule *r)
if (r->anchor == NULL)
return;
if (r->anchor->refcnt <= 0) {
- printf("pf_anchor_remove: broken refcount\n");
+ DPFPRINTF(LOG_NOTICE,
+ "pf_anchor_remove: broken refcount");
r->anchor = NULL;
return;
}
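Review bot: `pf_anchor_remove: broken refcount` reports refcount corruption, not a user mistake, yet the new DPFPRINTF at LOG_NOTICE hides it under the default LOG_ERR level where the old unconditional printf() always showed it. Use `DPFPRINTF(LOG_ERR, "pf_anchor_remove: broken refcount");`, as pf_if.c's pfi_kif_unref() does for the same kind of condition in this commit.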
diff --git a/sys/net/pf_table.c b/sys/net/pf_table.c
index 42fa919c4b4..073b745a69e 100644
--- a/sys/net/pf_table.c
+++ b/sys/net/pf_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_table.c,v 1.81 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pf_table.c,v 1.82 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -36,6 +36,7 @@
#include <sys/mbuf.h>
#include <sys/kernel.h>
#include <sys/pool.h>
+#include <sys/syslog.h>
#include <net/if.h>
#include <net/route.h>
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 84d48fe84ff..8b2acb3ff8b 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.305 2010/01/13 01:54:38 jsg Exp $ */
+/* $OpenBSD: pfvar.h,v 1.306 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -64,7 +64,6 @@ enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
enum { PF_TRANS_RULESET, PF_TRANS_ALTQ, PF_TRANS_TABLE };
enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
-enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
@@ -185,11 +184,44 @@ struct pfi_dynaddr {
sa_family_t pfid_af; /* rule af */
u_int8_t pfid_iflags; /* PFI_AFLAG_* */
};
+#endif /* _KERNEL */
+
+
+/*
+ * Logging macros
+ */
+
+#ifndef PF_DEBUGNAME
+#define PF_DEBUGNAME "pf: "
+#endif
+
+#ifdef _KERNEL
+#define DPFPRINTF(n, format, x...) \
+ do { \
+ if (pf_status.debug >= (n)) { \
+ log(n, PF_DEBUGNAME); \
+ addlog(format, ##x); \
+ addlog("\n"); \
+ } \
+ } while (0)
+#else
+#ifdef PFDEBUG \
+#define DPFPRINTF(n, format, x...) \
+ do { \
+ fprintf(stderr, format, ##x); \
+ fprintf(stderr, "\n"); \
+ } while (0)
+#else
+#define DPFPRINTF(n, format, x...) ((void)0)
+#endif /* PFDEBUG */
+#endif /* _KERNEL */
+
/*
* Address manipulation macros
*/
+#ifdef _KERNEL
#ifdef INET
#ifndef INET6
#define PF_INET_ONLY
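Review bot: The trailing backslash on `#ifdef PFDEBUG \` splices the whole following `#define DPFPRINTF(n, format, x...) ... while (0)` onto the `#ifdef` line, so in a userland PFDEBUG build the macro would never be defined (the preprocessor only complains about extra tokens after the directive) and the DPFPRINTF users in pf_osfp.c and pf_ruleset.c would no longer build; the line must read plainly `#ifdef PFDEBUG`. The userland expansion also silently discards `n` and relies on `fprintf()` although pfvar.h pulls in no `<stdio.h>`, which deserves a note such as `/* userland: priority is ignored; the includer must provide <stdio.h> */`.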