-rw-r--r--sbin/pfctl/pfctl.832
-rw-r--r--sbin/pfctl/pfctl.c92
-rw-r--r--sbin/pfctl/pfctl_parser.c62
-rw-r--r--sbin/pfctl/pfctl_parser.h5
-rw-r--r--sys/net/if_pfsync.c81
-rw-r--r--sys/net/pf.c382
-rw-r--r--sys/net/pf_if.c25
-rw-r--r--sys/net/pf_ioctl.c14
-rw-r--r--sys/net/pf_lb.c28
-rw-r--r--sys/net/pf_norm.c114
-rw-r--r--sys/net/pf_osfp.c40
-rw-r--r--sys/net/pf_ruleset.c35
-rw-r--r--sys/net/pf_table.c3
-rw-r--r--sys/net/pfvar.h36
14 files changed, 520 insertions, 429 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 7c59a593594..d98ee96e7e4 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.141 2009/09/28 22:13:20 dlg Exp $
+.\" $OpenBSD: pfctl.8,v 1.142 2010/01/18 23:52:46 mcbride Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: September 28 2009 $
+.Dd $Mdocdate: January 18 2010 $
.Dt PFCTL 8
.Os
.Sh NAME
@@ -640,19 +640,21 @@ will produce even more verbose output including ruleset warnings.
See the previous section for its effect on table commands.
.It Fl x Ar level
Set the debug
-.Ar level
-(may be abbreviated) to one of the following:
-.Pp
-.Bl -tag -width xxxxxxxxxxxx -compact
-.It Fl x Cm none
-Don't generate debug messages.
-.It Fl x Cm urgent
-Generate debug messages only for serious errors.
-.It Fl x Cm misc
-Generate debug messages for various errors.
-.It Fl x Cm loud
-Generate debug messages for common conditions.
-.El
+.Ar level ,
+which limits the severity of log messages printed by pf. This should be is a
+keyword from the following ordered list (highest to lowest):
+.Ar emerg ,
+.Ar alert ,
+.Ar crit ,
+.Ar err ,
+.Ar warning ,
+.Ar notice ,
+.Ar info ,
+and
+.Ar debug .
+These keywords correspond to the similar (LOG_) values specified
+to the syslog library routine, and may be abbreviated on the command
+line.
.It Fl z
Clear per-rule statistics.
.El
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 3681d43faee..c9bcb4f84d6 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.293 2010/01/13 01:41:58 jsg Exp $ */
+/* $OpenBSD: pfctl.c,v 1.294 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -53,6 +53,8 @@
#include <string.h>
#include <unistd.h>
+#include <syslog.h>
+
#include "pfctl_parser.h"
#include "pfctl.h"
@@ -214,7 +216,10 @@ static const char *tblcmdopt_list[] = {
};
static const char *debugopt_list[] = {
- "none", "urgent", "misc", "loud", NULL
+ "debug", "info", "notice", "warning",
+ "error", "crit", "alert", "emerg",
+ "none", "urgent", "misc", "loud",
+ NULL
};
static const char *optiopt_list[] = {
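Review bot: With both `notice` and `none` (and both `error` and `emerg`) in debugopt_list, the prefix lookup in pfctl_lookup_option now rejects `-x n`, `-x no` and `-x e` as ambiguous, while the manual page in this same commit still says the keywords may be abbreviated. Either document the minimum unambiguous prefixes, or drop the legacy `none`/`urgent`/`misc`/`loud` spellings from the list and keep them only as aliases in the code paths that map them. This is a user-visible behaviour change that the commit message does not mention.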
@@ -1382,7 +1387,8 @@ pfctl_init_options(struct pfctl *pf)
if (mem <= 100*1024*1024)
pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
- pf->debug = PF_DEBUG_URGENT;
+ pf->debug = LOG_ERR;
+ pf->debug_set = 0;
pf->reassemble = PF_REASS_ENABLED;
}
@@ -1667,23 +1673,26 @@ int
pfctl_set_debug(struct pfctl *pf, char *d)
{
u_int32_t level;
+ int loglevel;
if ((loadopt & PFCTL_FLAG_OPTION) == 0)
return (0);
if (!strcmp(d, "none"))
- pf->debug = PF_DEBUG_NONE;
+ level = LOG_CRIT;
else if (!strcmp(d, "urgent"))
- pf->debug = PF_DEBUG_URGENT;
+ level = LOG_ERR;
else if (!strcmp(d, "misc"))
- pf->debug = PF_DEBUG_MISC;
+ level = LOG_NOTICE;
else if (!strcmp(d, "loud"))
- pf->debug = PF_DEBUG_NOISY;
+ level = LOG_DEBUG;
+ else if ((loglevel = string_to_loglevel(d)) >= 0)
+ level = loglevel;
else {
warnx("unknown debug level \"%s\"", d);
return (-1);
}
-
+ pf->debug = level;
pf->debug_set = 1;
if ((pf->opts & PF_OPT_NOACTION) == 0)
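Review bot: The four legacy names are translated to syslog levels twice, by strcmp at the top of pfctl_set_debug here and again by first letter in main's switch on `*debugopt`, so the two tables can drift apart. A single `static int legacy_debug_level(const char *name)` returning LOG_CRIT/LOG_ERR/LOG_NOTICE/LOG_DEBUG or -1, called from both places before falling back to string_to_loglevel, keeps one mapping. pfctl_set_debug's body continues outside the hunk.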
@@ -1746,27 +1755,9 @@ pfctl_debug(int dev, u_int32_t level, int opts)
pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
err(1, "pfctl_debug ioctl");
- if ((opts & PF_OPT_QUIET) == 0) {
- fprintf(stderr, "debug level set to '");
- switch (level) {
- case PF_DEBUG_NONE:
- fprintf(stderr, "none");
- break;
- case PF_DEBUG_URGENT:
- fprintf(stderr, "urgent");
- break;
- case PF_DEBUG_MISC:
- fprintf(stderr, "misc");
- break;
- case PF_DEBUG_NOISY:
- fprintf(stderr, "loud");
- break;
- default:
- fprintf(stderr, "<invalid>");
- break;
- }
- fprintf(stderr, "'\n");
- }
+ if ((opts & PF_OPT_QUIET) == 0)
+ fprintf(stderr, "debug level set to '%s'\n",
+ loglevel_to_string(level));
}
int
@@ -1828,11 +1819,17 @@ pfctl_show_anchors(int dev, int opts, char *anchorname)
const char *
pfctl_lookup_option(char *cmd, const char **list)
{
+ const char *item = NULL;
if (cmd != NULL && *cmd)
for (; *list; list++)
- if (!strncmp(cmd, *list, strlen(cmd)))
- return (*list);
- return (NULL);
+ if (!strncmp(cmd, *list, strlen(cmd))) {
+ if (item == NULL)
+ item = *list;
+ else
+ errx(1, "%s is ambigious", cmd);
+ }
+
+ return (item);
}
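Review bot: An exact match is reported as ambiguous whenever it is also a prefix of another entry, because the loop only ever compares `strlen(cmd)` characters; inserting `if (!strcmp(cmd, *list)) return (*list);` as the first statement of the loop body makes an exact keyword always win. No such pair is visible in the lists on this page, so the problem is latent, but the lists are easy to extend. The errx message also misspells the word: `errx(1, "%s is ambiguous", cmd);`.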
@@ -1912,6 +1909,7 @@ main(int argc, char *argv[])
int mode = O_RDONLY;
int opts = 0;
int optimize = PF_OPTIMIZE_BASIC;
+ int level;
char anchorname[MAXPATHLEN];
char *path;
char *lfile = NULL, *sfile = NULL;
@@ -2277,20 +2275,24 @@ main(int argc, char *argv[])
error = 1;
if (debugopt != NULL) {
- switch (*debugopt) {
- case 'n':
- pfctl_debug(dev, PF_DEBUG_NONE, opts);
- break;
- case 'u':
- pfctl_debug(dev, PF_DEBUG_URGENT, opts);
- break;
- case 'm':
- pfctl_debug(dev, PF_DEBUG_MISC, opts);
- break;
- case 'l':
- pfctl_debug(dev, PF_DEBUG_NOISY, opts);
- break;
+ if ((level = string_to_loglevel((char *)debugopt)) < 0) {
+ switch (*debugopt) {
+ case 'n':
+ level = LOG_CRIT;
+ break;
+ case 'u':
+ level = LOG_ERR;
+ break;
+ case 'm':
+ level = LOG_NOTICE;
+ break;
+ case 'l':
+ level = LOG_DEBUG;
+ break;
+ }
}
+ if (level >= 0)
+ pfctl_debug(dev, level, opts);
}
if (sfile != NULL)
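Review bot: The `none` keyword no longer reaches the `case 'n'` fallback: string_to_loglevel looks the name up in syslog's prioritynames, which on the BSD header contain a `none` entry with the internal value INTERNAL_NOPRI (0x10), so the call returns a non-negative 16 and that value, not LOG_CRIT, is written to the kernel by pfctl_debug. pfctl_set_debug avoids this by testing the legacy names before calling string_to_loglevel; main should do the same, i.e. run the switch first and call string_to_loglevel only when no legacy name matched. The `(char *)` cast on the string_to_loglevel argument is also unnecessary now that the prototype takes `const char *`. main's body continues outside the hunk.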
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index c661fe4f74a..a5837f2943e 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.261 2010/01/13 05:09:07 deraadt Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.262 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -56,6 +56,9 @@
#include <ifaddrs.h>
#include <unistd.h>
+#define SYSLOG_NAMES
+#include <syslog.h>
+
#include "pfctl_parser.h"
#include "pfctl.h"
@@ -292,6 +295,45 @@ geticmpcodebyname(u_long type, char *w, sa_family_t af)
return (NULL);
}
+/*
+ * Decode a symbolic name to a numeric value.
+ * From syslogd.
+ */
+int
+string_to_loglevel(const char *name)
+{
+ CODE *c;
+ char *p, buf[40];
+
+ if (isdigit(*name))
+ return (atoi(name));
+
+ for (p = buf; *name && p < &buf[sizeof(buf) - 1]; p++, name++) {
+ if (isupper(*name))
+ *p = tolower(*name);
+ else
+ *p = *name;
+ }
+ *p = '\0';
+ for (c = prioritynames; c->c_name; c++)
+ if (!strcmp(buf, c->c_name))
+ return (c->c_val);
+
+ return (-1);
+}
+
+const char *
+loglevel_to_string(int level)
+{
+ CODE *c;
+
+ for (c = prioritynames; c->c_name; c++)
+ if (c->c_val == level)
+ return (c->c_name);
+
+ return ("unknown");
+}
+
void
print_op(u_int8_t op, const char *a1, const char *a2)
{
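Review bot: A numeric level is accepted without any range check: the `atoi` at the top of string_to_loglevel turns "99" or "7abc" into a value that pfctl_debug then hands to the kernel, and `isdigit`/`isupper`/`tolower` are applied to a plain `char`, which is undefined for negative values. Parse with strtol, require the whole string to be consumed, and reject anything outside LOG_EMERG..LOG_DEBUG; the name path should apply the same range test, since prioritynames carries a `none` entry whose value is INTERNAL_NOPRI rather than a real priority. loglevel_to_string returns the first table entry with a matching value, which for LOG_WARNING is the deprecated `warn` alias on the BSD header rather than the `warning` the manual page lists; a check against the documented spellings, or a small table of them, avoids that. The rewrite below needs <errno.h>.
```c
int
string_to_loglevel(const char *name)
{
	CODE *c;
	char *p, *ep, buf[40];
	long v;

	if (isdigit((unsigned char)*name)) {
		errno = 0;
		v = strtol(name, &ep, 10);
		/* whole string must be a number inside the syslog range */
		if (*ep != '\0' || errno == ERANGE ||
		    v < LOG_EMERG || v > LOG_DEBUG)
			return (-1);
		return ((int)v);
	}

	for (p = buf; *name && p < &buf[sizeof(buf) - 1]; p++, name++) {
		if (isupper((unsigned char)*name))
			*p = tolower((unsigned char)*name);
		else
			*p = *name;
	}
	*p = '\0';
	for (c = prioritynames; c->c_name; c++)
		if (!strcmp(buf, c->c_name)) {
			/* "none" is INTERNAL_NOPRI, not a priority */
			if (c->c_val < LOG_EMERG || c->c_val > LOG_DEBUG)
				return (-1);
			return (c->c_val);
		}

	return (-1);
}
```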
@@ -460,7 +502,7 @@ const char *pf_scounters[FCNT_MAX+1] = FCNT_NAMES;
void
print_status(struct pf_status *s, int opts)
{
- char statline[80], *running;
+ char statline[80], *running, *debug;
time_t runtime;
int i;
char buf[PF_MD5_DIGEST_LENGTH * 2 + 1];
@@ -484,20 +526,8 @@ print_status(struct pf_status *s, int opts)
} else
snprintf(statline, sizeof(statline), "Status: %s", running);
printf("%-44s", statline);
- switch (s->debug) {
- case PF_DEBUG_NONE:
- printf("%15s\n\n", "Debug: None");
- break;
- case PF_DEBUG_URGENT:
- printf("%15s\n\n", "Debug: Urgent");
- break;
- case PF_DEBUG_MISC:
- printf("%15s\n\n", "Debug: Misc");
- break;
- case PF_DEBUG_NOISY:
- printf("%15s\n\n", "Debug: Loud");
- break;
- }
+ asprintf(&debug, "Debug: %s", loglevel_to_string(s->debug));
+ printf("%15s\n\n", debug);
if (opts & PF_OPT_VERBOSE) {
printf("Hostid: 0x%08x\n", ntohl(s->hostid));
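Review bot: The asprintf return value is not checked, so on allocation failure `debug` is left indeterminate and passed to printf, and on success the string is never freed. The function does not need a heap string here at all: declare `char debugline[32];`, then `snprintf(debugline, sizeof(debugline), "Debug: %s", loglevel_to_string(s->debug));` and `printf("%15s\n\n", debugline);`, and drop the `*debug` added to the declaration in the previous hunk. print_status continues outside the hunk.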
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 1ed6450ef41..a1145a34214 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.91 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.92 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -257,6 +257,9 @@ const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);
+int string_to_loglevel(const char *);
+const char *loglevel_to_string(int);
+
struct pf_timeout {
const char *name;
int timeout;
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 6abc539b45c..c64b965a57d 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.140 2010/01/12 23:38:02 dlg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.141 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -53,6 +53,7 @@
#include <sys/kernel.h>
#include <sys/sysctl.h>
#include <sys/pool.h>
+#include <sys/syslog.h>
#include <net/if.h>
#include <net/if_types.h>
@@ -80,6 +81,7 @@
#include <netinet/ip_carp.h>
#endif
+#define PF_DEBUGNAME "pfsync: "
#include <net/pfvar.h>
#include <net/if_pfsync.h>
@@ -484,16 +486,15 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
int pool_flags;
int error;
- if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) {
- printf("pfsync_state_import: invalid creator id:"
- " %08x\n", ntohl(sp->creatorid));
+ if (sp->creatorid == 0) {
+ DPFPRINTF(LOG_NOTICE, "pfsync_state_import: "
+ "invalid creator id: %08x", ntohl(sp->creatorid));
return (EINVAL);
}
if ((kif = pfi_kif_get(sp->ifname)) == NULL) {
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync_state_import: "
- "unknown interface: %s\n", sp->ifname);
+ DPFPRINTF(LOG_NOTICE, "pfsync_state_import: "
+ "unknown interface: %s", sp->ifname);
if (flags & PFSYNC_SI_IOCTL)
return (EINVAL);
return (0); /* skip this state */
@@ -814,10 +815,8 @@ pfsync_in_ins(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
sp->dst.state > PF_TCPS_PROXY_DST ||
sp->direction > PF_OUT ||
(sp->af != AF_INET && sp->af != AF_INET6)) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pfsync_input: PFSYNC5_ACT_INS: "
- "invalid value\n");
- }
+ DPFPRINTF(LOG_NOTICE,
+ "pfsync_input: PFSYNC5_ACT_INS: invalid value");
pfsyncstats.pfsyncs_badval++;
continue;
}
@@ -912,10 +911,29 @@ pfsync_in_upd(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
if (sp->timeout >= PFTM_MAX ||
sp->src.state > PF_TCPS_PROXY_DST ||
sp->dst.state > PF_TCPS_PROXY_DST) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pfsync_input: PFSYNC_ACT_UPD: "
- "invalid value\n");
- }
+ DPFPRINTF(LOG_NOTICE,
+ "pfsync_input: PFSYNC_ACT_UPD: invalid value");
+ pfsyncstats.pfsyncs_badval++;
+ continue;
+ }
+
+ bcopy(sp->id, &id_key.id, sizeof(id_key.id));
+ id_key.creatorid = sp->creatorid;
+
+ st = pf_find_state_byid(&id_key);
+ if (st == NULL) {
+ /* insert the update */
+ if (pfsync_state_import(sp, 0))
+ pfsyncstats.pfsyncs_badstate++;
+ continue;
+ }
+
+ if (ISSET(st->state_flags, PFSTATE_ACK))
+ pfsync_deferred(st, 1);
+
+ if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) {
+ DPFPRINTF(LOG_NOTICE,
+ "pfsync_input: PFSYNC_ACT_UPD: invalid value");
pfsyncstats.pfsyncs_badval++;
continue;
}
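Review bot: Every TCP state update is now discarded: the new `if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP)` at the end of the hunk is followed by the same "invalid value" DPFPRINTF, `pfsyncs_badval++` and `continue` as the sanity check above it, so a well-formed update for any TCP state is counted as bad and skipped before it can be applied. The `bcopy`/`pf_find_state_byid`/`PFSTATE_ACK` sequence inserted before it reads like a copy of the lookup that the remainder of pfsync_in_upd (outside this hunk) presumably still performs, which suggests a hunk applied twice rather than an intentional change. Only the two-line DPFPRINTF replacement of the removed `if (pf_status.debug ...)` block belongs in this hunk; the seventeen added lines from `bcopy` through the closing `}` of the TCP test should be dropped. On a pfsync peer this would silently leave TCP connections out of the synchronised state table and inflate pfsyncs_badval, so it is worth confirming with a failover test.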
@@ -994,11 +1012,8 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
if (up->timeout >= PFTM_MAX ||
up->src.state > PF_TCPS_PROXY_DST ||
up->dst.state > PF_TCPS_PROXY_DST) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pfsync_input: "
- "PFSYNC_ACT_UPD_C: "
- "invalid value\n");
- }
+ DPFPRINTF(LOG_NOTICE,
+ "pfsync_input: PFSYNC_ACT_UPD_C: invalid value");
pfsyncstats.pfsyncs_badval++;
continue;
}
@@ -1164,8 +1179,7 @@ pfsync_in_bus(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
pf_pool_limits[PF_LIMIT_STATES].limit /
((sc->sc_if.if_mtu - PFSYNC_MINPKT) /
sizeof(struct pfsync_state)));
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: received bulk update start\n");
+ DPFPRINTF(LOG_INFO, "received bulk update start");
break;
case PFSYNC_BUS_END:
@@ -1180,13 +1194,10 @@ pfsync_in_bus(struct pfsync_pkt *pkt, caddr_t buf, int len, int count)
carp_group_demote_adj(&sc->sc_if, -1);
#endif
pfsync_sync_ok = 1;
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: received valid "
- "bulk update end\n");
+ DPFPRINTF(LOG_INFO, "received valid bulk update end");
} else {
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: received invalid "
- "bulk update end: bad timestamp\n");
+ DPFPRINTF(LOG_WARNING, "received invalid "
+ "bulk update end: bad timestamp");
}
break;
}
@@ -1246,9 +1257,8 @@ pfsync_update_net_tdb(struct pfsync_tdb *pt)
return;
bad:
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync_insert: PFSYNC_ACT_TDB_UPD: "
- "invalid value\n");
+ DPFPRINTF(LOG_WARNING, "pfsync_insert: PFSYNC_ACT_TDB_UPD: "
+ "invalid value");
pfsyncstats.pfsyncs_badstate++;
return;
}
@@ -1875,8 +1885,7 @@ pfsync_request_full_update(struct pfsync_softc *sc)
carp_group_demote_adj(&sc->sc_if, 1);
#endif
pfsync_sync_ok = 0;
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: requesting bulk update\n");
+ DPFPRINTF(LOG_INFO, "requesting bulk update");
timeout_add(&sc->sc_bulkfail_tmo, 4 * hz +
pf_pool_limits[PF_LIMIT_STATES].limit /
((sc->sc_if.if_mtu - PFSYNC_MINPKT) /
@@ -2162,8 +2171,7 @@ pfsync_bulk_start(void)
sc->sc_bulk_next = TAILQ_FIRST(&state_list);
sc->sc_bulk_last = sc->sc_bulk_next;
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: received bulk update request\n");
+ DPFPRINTF(LOG_INFO, "received bulk update request");
pfsync_bulk_status(PFSYNC_BUS_START);
timeout_add(&sc->sc_bulk_tmo, 0);
@@ -2250,8 +2258,7 @@ pfsync_bulk_fail(void *arg)
carp_group_demote_adj(&sc->sc_if, -1);
#endif
pfsync_sync_ok = 1;
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("pfsync: failed to receive bulk update\n");
+ DPFPRINTF(LOG_ERR, "failed to receive bulk update");
}
}
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 1ab9d27f346..66f6aa08d70 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.688 2010/01/14 20:43:19 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.689 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -51,6 +51,7 @@
#include <sys/pool.h>
#include <sys/proc.h>
#include <sys/rwlock.h>
+#include <sys/syslog.h>
#include <crypto/md5.h>
@@ -95,8 +96,6 @@
#endif /* INET6 */
-#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
-
/*
* Global variables
*/
@@ -435,8 +434,9 @@ pf_src_connlimit(struct pf_state **state)
u_int32_t killed = 0;
pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf_src_connlimit: blocking address ");
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: pf_src_connlimit: blocking address ");
pf_print_host(&sn->addr, 0,
(*state)->key[PF_SK_WIRE]->af);
}
@@ -489,11 +489,11 @@ pf_src_connlimit(struct pf_state **state)
killed++;
}
}
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf(", %u states killed", killed);
+ if (pf_status.debug >= LOG_NOTICE)
+ addlog(", %u states killed", killed);
}
- if (pf_status.debug >= PF_DEBUG_MISC)
- printf("\n");
+ if (pf_status.debug >= LOG_NOTICE)
+ addlog("\n");
}
/* kill this state */
@@ -544,10 +544,11 @@ pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
PF_ACPY(&(*sn)->raddr, raddr, af);
if (RB_INSERT(pf_src_tree,
&tree_src_tracking, *sn) != NULL) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: src_tree insert failed: ");
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: src_tree insert failed: ");
pf_print_host(&(*sn)->addr, 0, af);
- printf("\n");
+ addlog("\n");
}
pool_put(&pf_src_tree_pl, *sn);
return (-1);
@@ -724,8 +725,9 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx)
/* unlink late or sks can go away */
olds = si->s;
} else {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: %s key attach "
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: %s key attach "
"failed on %s: ",
(idx == PF_SK_WIRE) ?
"wire" : "stack",
@@ -735,13 +737,13 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx)
sk : NULL,
(idx == PF_SK_STACK) ?
sk : NULL);
- printf(", existing: ");
+ addlog(", existing: ");
pf_print_state_parts(si->s,
(idx == PF_SK_WIRE) ?
sk : NULL,
(idx == PF_SK_STACK) ?
sk : NULL);
- printf("\n");
+ addlog("\n");
}
pool_put(&pf_state_key_pl, sk);
return (-1); /* collision! */
@@ -872,10 +874,10 @@ pf_state_key_setup(struct pf_pdesc *pd,
*skw = sk2;
}
- if (pf_status.debug >= PF_DEBUG_NOISY) {
- printf("pf: key setup: ");
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG, "pf: key setup: ");
pf_print_state_parts(NULL, *skw, *sks);
- printf("\n");
+ addlog("\n");
}
return (0);
@@ -908,11 +910,11 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
s->creatorid = pf_status.hostid;
}
if (RB_INSERT(pf_state_tree_id, &tree_id, s) != NULL) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: state insert failed: "
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: state insert failed: "
"id: %016llx creatorid: %08x",
betoh64(s->id), ntohl(s->creatorid));
- printf("\n");
+ addlog("\n");
}
pf_detach_state(s);
return (-1);
@@ -949,19 +951,23 @@ pf_compare_state_keys(struct pf_state_key *a, struct pf_state_key *b,
return (0);
else {
/* mismatch. must not happen. */
- printf("pf: state key linking mismatch! dir=%s, "
- "if=%s, stored af=%u, a0: ",
- dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);
- pf_print_host(&a->addr[0], a->port[0], a->af);
- printf(", a1: ");
- pf_print_host(&a->addr[1], a->port[1], a->af);
- printf(", proto=%u", a->proto);
- printf(", found af=%u, a0: ", b->af);
- pf_print_host(&b->addr[0], b->port[0], b->af);
- printf(", a1: ");
- pf_print_host(&b->addr[1], b->port[1], b->af);
- printf(", proto=%u", b->proto);
- printf(".\n");
+ if (pf_status.debug >= LOG_ERR) {
+ log(LOG_ERR,
+ "pf: state key linking mismatch! dir=%s, "
+ "if=%s, stored af=%u, a0: ",
+ dir == PF_OUT ? "OUT" : "IN",
+ kif->pfik_name, a->af);
+ pf_print_host(&a->addr[0], a->port[0], a->af);
+ addlog(", a1: ");
+ pf_print_host(&a->addr[1], a->port[1], a->af);
+ addlog(", proto=%u", a->proto);
+ addlog(", found af=%u, a0: ", b->af);
+ pf_print_host(&b->addr[0], b->port[0], b->af);
+ addlog(", a1: ");
+ pf_print_host(&b->addr[1], b->port[1], b->af);
+ addlog(", proto=%u", b->proto);
+ addlog("\n");
+ }
return (-1);
}
}
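Review bot: The "state key linking mismatch" report, which the comment above it calls a must-not-happen condition, is now suppressed whenever pf_status.debug is below LOG_ERR (pfctl's legacy `none` maps to LOG_CRIT), whereas the equally internal stack-overflow case in pf_step_into_anchor elsewhere in this commit logs unconditionally. Either keep the `log(LOG_ERR, ...)` unconditional as the old printf was, or gate it at LOG_CRIT so the `none` setting still records an invariant violation. pf_compare_state_keys starts outside the hunk.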
@@ -974,10 +980,10 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
struct pf_state_item *si;
pf_status.fcounters[FCNT_STATE_SEARCH]++;
- if (pf_status.debug >= PF_DEBUG_NOISY) {
- printf("pf: key search, if=%s: ", kif->pfik_name);
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG, "pf: key search, if=%s: ", kif->pfik_name);
pf_print_state_parts(NULL, (struct pf_state_key *)key, NULL);
- printf("\n");
+ addlog("\n");
}
if (dir == PF_OUT && m->m_pkthdr.pf.statekey &&
@@ -1292,11 +1298,11 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
#ifdef INET
case AF_INET: {
u_int32_t a = ntohl(addr->addr32[0]);
- printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
+ addlog("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
(a>>8)&255, a&255);
if (p) {
p = ntohs(p);
- printf(":%u", p);
+ addlog(":%u", p);
}
break;
}
@@ -1328,19 +1334,19 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
for (i = 0; i < 8; i++) {
if (i >= maxstart && i <= maxend) {
if (i == 0)
- printf(":");
+ addlog(":");
if (i == maxend)
- printf(":");
+ addlog(":");
} else {
b = ntohs(addr->addr16[i]);
- printf("%x", b);
+ addlog("%x", b);
if (i < 7)
- printf(":");
+ addlog(":");
}
}
if (p) {
p = ntohs(p);
- printf("[%u]", p);
+ addlog("[%u]", p);
}
break;
}
@@ -1369,70 +1375,70 @@ pf_print_state_parts(struct pf_state *s,
switch (proto) {
case IPPROTO_IPV4:
- printf("IPv4");
+ addlog("IPv4");
break;
case IPPROTO_IPV6:
- printf("IPv6");
+ addlog("IPv6");
break;
case IPPROTO_TCP:
- printf("TCP");
+ addlog("TCP");
break;
case IPPROTO_UDP:
- printf("UDP");
+ addlog("UDP");
break;
case IPPROTO_ICMP:
- printf("ICMP");
+ addlog("ICMP");
break;
case IPPROTO_ICMPV6:
- printf("ICMPv6");
+ addlog("ICMPv6");
break;
default:
- printf("%u", proto);
+ addlog("%u", proto);
break;
}
switch (dir) {
case PF_IN:
- printf(" in");
+ addlog(" in");
break;
case PF_OUT:
- printf(" out");
+ addlog(" out");
break;
}
if (skw) {
- printf(" wire: (%d) ", skw->rdomain);
+ addlog(" wire: (%d) ", skw->rdomain);
pf_print_host(&skw->addr[0], skw->port[0], skw->af);
- printf(" ");
+ addlog(" ");
pf_print_host(&skw->addr[1], skw->port[1], skw->af);
}
if (sks) {
- printf(" stack: (%d) ", sks->rdomain);
+ addlog(" stack: (%d) ", sks->rdomain);
if (sks != skw) {
pf_print_host(&sks->addr[0], sks->port[0], sks->af);
- printf(" ");
+ addlog(" ");
pf_print_host(&sks->addr[1], sks->port[1], sks->af);
} else
- printf("-");
+ addlog("-");
}
if (s) {
if (proto == IPPROTO_TCP) {
- printf(" [lo=%u high=%u win=%u modulator=%u",
+ addlog(" [lo=%u high=%u win=%u modulator=%u",
s->src.seqlo, s->src.seqhi,
s->src.max_win, s->src.seqdiff);
if (s->src.wscale && s->dst.wscale)
- printf(" wscale=%u",
+ addlog(" wscale=%u",
s->src.wscale & PF_WSCALE_MASK);
- printf("]");
- printf(" [lo=%u high=%u win=%u modulator=%u",
+ addlog("]");
+ addlog(" [lo=%u high=%u win=%u modulator=%u",
s->dst.seqlo, s->dst.seqhi,
s->dst.max_win, s->dst.seqdiff);
if (s->src.wscale && s->dst.wscale)
- printf(" wscale=%u",
+ addlog(" wscale=%u",
s->dst.wscale & PF_WSCALE_MASK);
- printf("]");
+ addlog("]");
}
- printf(" %u:%u", s->src.state, s->dst.state);
+ addlog(" %u:%u", s->src.state, s->dst.state);
if (s->rule.ptr)
- printf(" @%d", s->rule.ptr->nr);
+ addlog(" @%d", s->rule.ptr->nr);
}
}
@@ -1440,23 +1446,23 @@ void
pf_print_flags(u_int8_t f)
{
if (f)
- printf(" ");
+ addlog(" ");
if (f & TH_FIN)
- printf("F");
+ addlog("F");
if (f & TH_SYN)
- printf("S");
+ addlog("S");
if (f & TH_RST)
- printf("R");
+ addlog("R");
if (f & TH_PUSH)
- printf("P");
+ addlog("P");
if (f & TH_ACK)
- printf("A");
+ addlog("A");
if (f & TH_URG)
- printf("U");
+ addlog("U");
if (f & TH_ECE)
- printf("E");
+ addlog("E");
if (f & TH_CWR)
- printf("W");
+ addlog("W");
}
#define PF_SET_SKIP_STEPS(i) \
@@ -1533,7 +1539,7 @@ pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
case PF_ADDR_RTLABEL:
return (aw1->v.rtlabel != aw2->v.rtlabel);
default:
- printf("invalid address type: %d\n", aw1->type);
+ addlog("invalid address type: %d\n", aw1->type);
return (1);
}
}
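Review bot: `addlog()` appends to the previous kernel log line, and nothing visible in this hunk opens one with `log()` first, so the "invalid address type" text in pf_addr_wrap_neq would be glued onto whatever was logged last and carry no priority of its own; the other addlog conversions in this commit all sit inside blocks that begin with `log(LOG_*, ...)`. Use `log(LOG_ERR, "invalid address type: %d\n", aw1->type);` (or `DPFPRINTF(LOG_ERR, ...)` if it should obey the debug level). The same caveat applies to pf_print_host, pf_print_state_parts and pf_print_flags, which are now addlog-only: any caller in the files of this commit not shown here must call log() before them. pf_addr_wrap_neq starts outside the hunk.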
@@ -2279,9 +2285,9 @@ pf_match_rcvif(struct mbuf *m, struct pf_rule *r)
kif = (struct pfi_kif *)ifp->if_pf_kif;
if (kif == NULL) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_test_via: kif == NULL, @%d via %s\n", r->nr,
- r->rcv_ifname));
+ DPFPRINTF(LOG_ERR,
+ "pf_test_via: kif == NULL, @%d via %s",
+ r->nr, r->rcv_ifname);
return (0);
}
@@ -2313,7 +2319,7 @@ pf_step_into_anchor(int *depth, struct pf_ruleset **rs,
*match = 0;
if (*depth >= sizeof(pf_anchor_stack) /
sizeof(pf_anchor_stack[0])) {
- printf("pf_step_into_anchor: stack overflow\n");
+ log(LOG_ERR, "pf_step_into_anchor: stack overflow\n");
*r = TAILQ_NEXT(*r, entries);
return;
} else if (*depth == 0 && a != NULL)
@@ -3177,8 +3183,8 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd,
pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
&s->src, &s->dst, rewrite)) {
/* This really shouldn't happen!!! */
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_normalize_tcp_stateful failed on first pkt\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_normalize_tcp_stateful failed on first pkt");
goto csfailed;
}
}
@@ -3675,11 +3681,11 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
* and keep updating the state TTL.
*/
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: loose state match: ");
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: loose state match: ");
pf_print_state(*state);
pf_print_flags(th->th_flags);
- printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
+ addlog(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
pd->p_len, ackskew, (*state)->packets[0],
(*state)->packets[1],
@@ -3730,17 +3736,17 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
src->seqlo = 0;
src->seqhi = 1;
src->max_win = 1;
- } else if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: BAD state: ");
+ } else if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: BAD state: ");
pf_print_state(*state);
pf_print_flags(th->th_flags);
- printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
+ addlog(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n",
seq, orig_seq, ack, pd->p_len, ackskew,
(*state)->packets[0], (*state)->packets[1],
pd->dir == PF_IN ? "in" : "out",
pd->dir == (*state)->direction ? "fwd" : "rev");
- printf("pf: State failure on: %c %c %c %c | %c %c\n",
+ addlog("pf: State failure on: %c %c %c %c | %c %c\n",
SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
' ': '2',
@@ -3951,11 +3957,11 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
dst->state >= TCPS_FIN_WAIT_2 &&
src->state >= TCPS_FIN_WAIT_2) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: state reuse ");
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: state reuse ");
pf_print_state(*state);
pf_print_flags(th->th_flags);
- printf("\n");
+ addlog("\n");
}
/* XXX make sure it's the same direction ?? */
(*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
@@ -4118,11 +4124,12 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
(((!inner && (*state)->direction == direction) ||
(inner && (*state)->direction != direction)) ?
PF_IN : PF_OUT) != icmp_dir) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: icmp type %d in wrong direction (%d): ",
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: icmp type %d in wrong direction (%d): ",
ntohs(type), icmp_dir);
pf_print_state(*state);
- printf("\n");
+ addlog("\n");
}
return (PF_DROP);
}
@@ -4274,9 +4281,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(ip)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (ip)");
return (PF_DROP);
}
/*
@@ -4303,9 +4309,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(ip6)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (ip6)");
return (PF_DROP);
}
pd2.proto = h2_6.ip6_nxt;
@@ -4332,8 +4337,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, off2, &opt6,
sizeof(opt6), NULL, reason,
pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMPv6 short opt\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMPv6 short opt");
return (PF_DROP);
}
if (pd2.proto == IPPROTO_AH)
@@ -4368,9 +4373,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
*/
if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason,
pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(tcp)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (tcp)");
return (PF_DROP);
}
@@ -4408,28 +4412,30 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!((*state)->state_flags & PFSTATE_SLOPPY) &&
(!SEQ_GEQ(src->seqhi, seq) ||
!SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)))) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf("pf: BAD ICMP %d:%d ",
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: BAD ICMP %d:%d ",
icmptype, pd->hdr.icmp->icmp_code);
pf_print_host(pd->src, 0, pd->af);
- printf(" -> ");
+ addlog(" -> ");
pf_print_host(pd->dst, 0, pd->af);
- printf(" state: ");
+ addlog(" state: ");
pf_print_state(*state);
- printf(" seq=%u\n", seq);
+ addlog(" seq=%u\n", seq);
}
REASON_SET(reason, PFRES_BADSTATE);
return (PF_DROP);
} else {
- if (pf_status.debug >= PF_DEBUG_NOISY) {
- printf("pf: OK ICMP %d:%d ",
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG,
+ "pf: OK ICMP %d:%d ",
icmptype, pd->hdr.icmp->icmp_code);
pf_print_host(pd->src, 0, pd->af);
- printf(" -> ");
+ addlog(" -> ");
pf_print_host(pd->dst, 0, pd->af);
- printf(" state: ");
+ addlog(" state: ");
pf_print_state(*state);
- printf(" seq=%u\n", seq);
+ addlog(" seq=%u\n", seq);
}
}
@@ -4496,9 +4502,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(udp)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (udp)");
return (PF_DROP);
}
@@ -4571,9 +4576,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short i"
- "(icmp)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short (icmp)");
return (PF_DROP);
}
@@ -4632,9 +4636,9 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (!pf_pull_hdr(m, off2, &iih,
sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(icmp6)\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: ICMP error message too short "
+ "(icmp6)");
return (PF_DROP);
}
@@ -5070,8 +5074,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
}
if (m0->m_len < sizeof(struct ip)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route: m0->m_len < sizeof(struct ip)\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route: m0->m_len < sizeof(struct ip)");
goto bad;
}
@@ -5100,8 +5104,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
if (s == NULL) {
if (pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
&naddr, NULL, &sn, &r->route, PF_SN_ROUTE)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route: pf_map_addr() failed.\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route: pf_map_addr() failed.");
goto bad;
}
@@ -5126,8 +5130,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
else if (m0 == NULL)
goto done;
if (m0->m_len < sizeof(struct ip)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route: m0->m_len < sizeof(struct ip)\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route: m0->m_len < sizeof(struct ip)");
goto bad;
}
ip = mtod(m0, struct ip *);
@@ -5260,8 +5264,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
}
if (m0->m_len < sizeof(struct ip6_hdr)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
goto bad;
}
ip6 = mtod(m0, struct ip6_hdr *);
@@ -5283,8 +5287,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
if (s == NULL) {
if (pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
&naddr, NULL, &sn, &r->route, PF_SN_ROUTE)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route6: pf_map_addr() failed.\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route6: pf_map_addr() failed.");
goto bad;
}
if (!PF_AZERO(&naddr, AF_INET6))
@@ -5306,8 +5310,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
else if (m0 == NULL)
goto done;
if (m0->m_len < sizeof(struct ip6_hdr)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
+ DPFPRINTF(LOG_ERR,
+ "pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
goto bad;
}
ip6 = mtod(m0, struct ip6_hdr *);
@@ -5466,7 +5470,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
struct ether_header *eh)
{
struct pfi_kif *kif;
- u_short action, reason = 0, log = 0;
+ u_short action, reason = 0, pflog = 0;
struct mbuf *m = *m0;
struct ip *h;
struct pf_rule *a = NULL, *r = &pf_default_rule;
@@ -5486,8 +5490,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
kif = (struct pfi_kif *)ifp->if_pf_kif;
if (kif == NULL) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname));
+ DPFPRINTF(LOG_ERR,
+ "pf_test: kif == NULL, if_xname %s", ifp->if_xname);
return (PF_DROP);
}
if (kif->pfik_flags & PFI_IFLAG_SKIP)
@@ -5501,7 +5505,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (m->m_pkthdr.len < (int)sizeof(*h)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
@@ -5525,7 +5529,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (off < (int)sizeof(*h)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
@@ -5560,7 +5564,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &th, sizeof(th),
&action, &reason, AF_INET)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
pd.p_len = pd.tot_len - off - (th.th_off << 2);
@@ -5579,7 +5583,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
@@ -5600,7 +5604,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
&action, &reason, AF_INET)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (uh.uh_dport == 0 ||
@@ -5619,7 +5623,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
@@ -5633,7 +5637,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
&action, &reason, AF_INET)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
@@ -5644,7 +5648,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
@@ -5653,8 +5657,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
case IPPROTO_ICMPV6: {
action = PF_DROP;
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping IPv4 packet with ICMPv6 payload\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: dropping IPv4 packet with ICMPv6 payload");
goto done;
}
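Review bot: This drop still leaves `reason` at its initial 0 and never sets `pflog |= PF_LOG_FORCE`, unlike the neighbouring ip-options drop at L1229-L1237 which does both, so an IPv4 packet carrying an ICMPv6 payload is dropped with only a syslog line and no pflog record. Since the line is being rewritten anyway, add `pflog |= PF_LOG_FORCE;` and a REASON_SET with whichever PFRES_* code fits (PFRES_IPOPTIONS is what the IPv6 header checks in pf_test6 use). The IPv6/ICMPv4 twin at L1374-L1381 has the same gap. pf_test continues on both sides of the hunk.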
@@ -5666,7 +5670,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, h,
&pd, &a, &ruleset, &ipintrq);
@@ -5678,9 +5682,9 @@ done:
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log |= PF_LOG_FORCE;
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping packet with ip options\n"));
+ pflog |= PF_LOG_FORCE;
+ DPFPRINTF(LOG_NOTICE,
+ "pf: dropping packet with ip options");
}
if (s) {
@@ -5741,10 +5745,10 @@ done:
action = PF_DIVERT;
}
- if (log) {
+ if (pflog) {
struct pf_rule_item *ri;
- if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)
+ if (pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL)
PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a,
ruleset, &pd);
if (s) {
@@ -5827,7 +5831,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
struct ether_header *eh)
{
struct pfi_kif *kif;
- u_short action, reason = 0, log = 0;
+ u_short action, reason = 0, pflog = 0;
struct mbuf *m = *m0, *n = NULL;
struct ip6_hdr *h;
struct pf_rule *a = NULL, *r = &pf_default_rule;
@@ -5846,8 +5850,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
kif = (struct pfi_kif *)ifp->if_pf_kif;
if (kif == NULL) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));
+ DPFPRINTF(LOG_ERR,
+ "pf_test6: kif == NULL, if_xname %s", ifp->if_xname);
return (PF_DROP);
}
if (kif->pfik_flags & PFI_IFLAG_SKIP)
@@ -5861,7 +5865,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (m->m_pkthdr.len < (int)sizeof(*h)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
@@ -5887,7 +5891,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (htons(h->ip6_plen) == 0) {
action = PF_DROP;
REASON_SET(&reason, PFRES_NORM); /*XXX*/
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
#endif
@@ -5919,28 +5923,28 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
struct ip6_rthdr rthdr;
if (rh_cnt++) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: IPv6 more than one rthdr\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: IPv6 more than one rthdr");
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
&reason, pd.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: IPv6 short rthdr\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: IPv6 short rthdr");
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: IPv6 rthdr0\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: IPv6 rthdr0");
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
/* FALLTHROUGH */
@@ -5953,10 +5957,10 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
NULL, &reason, pd.af)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: IPv6 short opt\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: IPv6 short opt");
action = PF_DROP;
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (pd.proto == IPPROTO_AH)
@@ -5986,7 +5990,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &th, sizeof(th),
&action, &reason, AF_INET6)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
pd.p_len = pd.tot_len - off - (th.th_off << 2);
@@ -6003,7 +6007,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -6024,7 +6028,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
&action, &reason, AF_INET6)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
if (uh.uh_dport == 0 ||
@@ -6043,7 +6047,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -6052,8 +6056,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
case IPPROTO_ICMP: {
action = PF_DROP;
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping IPv6 packet with ICMPv4 payload\n"));
+ DPFPRINTF(LOG_NOTICE,
+ "pf: dropping IPv6 packet with ICMPv4 payload");
goto done;
}
@@ -6069,7 +6073,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (!pf_pull_hdr(m, off, &ih, icmp_hlen,
&action, &reason, AF_INET6)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
/* ICMP headers we look further into to match state */
@@ -6087,7 +6091,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
!pf_pull_hdr(m, off, &ih, icmp_hlen,
&action, &reason, AF_INET6)) {
if (action != PF_PASS)
- log |= PF_LOG_FORCE;
+ pflog |= PF_LOG_FORCE;
goto done;
}
action = pf_test_state_icmp(&s, dir, kif,
@@ -6098,7 +6102,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -6113,7 +6117,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log |= s->log;
+ pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, h,
&pd, &a, &ruleset, &ip6intrq);
@@ -6131,9 +6135,9 @@ done:
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log |= PF_LOG_FORCE;;
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping packet with dangerous v6 headers\n"));
+ pflog |= PF_LOG_FORCE;
+ DPFPRINTF(LOG_NOTICE,
+ "pf: dropping packet with dangerous v6 headers");
}
if (s)
@@ -6184,10 +6188,10 @@ done:
action = PF_DIVERT;
}
- if (log) {
+ if (pflog) {
struct pf_rule_item *ri;
- if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)
+ if (pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL)
PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a,
ruleset, &pd);
if (s) {
diff --git a/sys/net/pf_if.c b/sys/net/pf_if.c
index d598e224cc5..0816e3fbf20 100644
--- a/sys/net/pf_if.c
+++ b/sys/net/pf_if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_if.c,v 1.59 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pf_if.c,v 1.60 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright 2005 Henning Brauer <henning@openbsd.org>
@@ -42,6 +42,7 @@
#include <sys/device.h>
#include <sys/time.h>
#include <sys/pool.h>
+#include <sys/syslog.h>
#include <net/if.h>
#include <net/if_types.h>
@@ -151,21 +152,24 @@ pfi_kif_unref(struct pfi_kif *kif, enum pfi_kif_refs what)
break;
case PFI_KIF_REF_RULE:
if (kif->pfik_rules <= 0) {
- printf("pfi_kif_unref: rules refcount <= 0\n");
+ DPFPRINTF(LOG_ERR,
+ "pfi_kif_unref: rules refcount <= 0");
return;
}
kif->pfik_rules--;
break;
case PFI_KIF_REF_STATE:
if (kif->pfik_states <= 0) {
- printf("pfi_kif_unref: state refcount <= 0\n");
+ DPFPRINTF(LOG_ERR,
+ "pfi_kif_unref: state refcount <= 0");
return;
}
kif->pfik_states--;
break;
case PFI_KIF_REF_ROUTE:
if (kif->pfik_routes <= 0) {
- printf("pfi_kif_unref: state refcount <= 0\n");
+ DPFPRINTF(LOG_ERR,
+ "pfi_kif_unref: state refcount <= 0");
return;
}
kif->pfik_routes--;
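Review bot: The PFI_KIF_REF_ROUTE branch still reports the wrong counter: the new line at L1481 reads `"pfi_kif_unref: state refcount <= 0"` although it guards `kif->pfik_routes`, so a route-refcount underflow is indistinguishable in syslog from the state one directly above it. Since the commit rewrites this line, make it `"pfi_kif_unref: routes refcount <= 0"`. The switch starts and ends outside the hunk.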
@@ -457,8 +461,9 @@ pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int flags)
if ((e = pfr_set_addrs(&kt->pfrkt_t, pfi_buffer, pfi_buffer_cnt, &size2,
NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK)))
- printf("pfi_table_update: cannot set %d new addresses "
- "into table %s: %d\n", pfi_buffer_cnt, kt->pfrkt_name, e);
+ DPFPRINTF(LOG_ERR,
+ "pfi_table_update: cannot set %d new addresses "
+ "into table %s: %d", pfi_buffer_cnt, kt->pfrkt_name, e);
}
void
@@ -528,15 +533,17 @@ pfi_address_add(struct sockaddr *sa, int af, int net)
int new_max = pfi_buffer_max * 2;
if (new_max > PFI_BUFFER_MAX) {
- printf("pfi_address_add: address buffer full (%d/%d)\n",
+ DPFPRINTF(LOG_ERR,
+ "pfi_address_add: address buffer full (%d/%d)",
pfi_buffer_cnt, PFI_BUFFER_MAX);
return;
}
p = malloc(new_max * sizeof(*pfi_buffer), PFI_MTYPE,
M_DONTWAIT);
if (p == NULL) {
- printf("pfi_address_add: no memory to grow buffer "
- "(%d/%d)\n", pfi_buffer_cnt, PFI_BUFFER_MAX);
+ DPFPRINTF(LOG_ERR,
+ "pfi_address_add: no memory to grow buffer "
+ "(%d/%d)", pfi_buffer_cnt, PFI_BUFFER_MAX);
return;
}
memcpy(p, pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 4e898f9610b..d40db4590ce 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.231 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.232 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -53,6 +53,7 @@
#include <sys/malloc.h>
#include <sys/kthread.h>
#include <sys/rwlock.h>
+#include <sys/syslog.h>
#include <uvm/uvm_extern.h>
#include <net/if.h>
@@ -144,7 +145,6 @@ int pf_rtlabel_add(struct pf_addr_wrap *);
void pf_rtlabel_remove(struct pf_addr_wrap *);
void pf_rtlabel_copyout(struct pf_addr_wrap *);
-#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
void
pfattach(int num)
@@ -223,7 +223,7 @@ pfattach(int num)
pf_normalize_init();
bzero(&pf_status, sizeof(pf_status));
- pf_status.debug = PF_DEBUG_URGENT;
+ pf_status.debug = LOG_ERR;
pf_status.reass = PF_REASS_ENABLED;
/* XXX do our best to avoid a conflict */
@@ -978,7 +978,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
pf_status.stateid = time_second;
pf_status.stateid = pf_status.stateid << 32;
}
- DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
+ DPFPRINTF(LOG_NOTICE, "pf: started");
}
break;
@@ -988,7 +988,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
else {
pf_status.running = 0;
pf_status.since = time_second;
- DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
+ DPFPRINTF(LOG_NOTICE, "pf: stopped");
}
break;
@@ -1723,7 +1723,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
}
if (error == 0)
pf_altq_running = 1;
- DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
+ DPFPRINTF(LOG_NOTICE, "altq: started");
break;
}
@@ -1740,7 +1740,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
}
if (error == 0)
pf_altq_running = 0;
- DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
+ DPFPRINTF(LOG_NOTICE, "altq: stopped");
break;
}
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c
index 52c6a0f7e7f..06bc0342b0c 100644
--- a/sys/net/pf_lb.c
+++ b/sys/net/pf_lb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_lb.c,v 1.10 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pf_lb.c,v 1.11 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -51,6 +51,7 @@
#include <sys/pool.h>
#include <sys/proc.h>
#include <sys/rwlock.h>
+#include <sys/syslog.h>
#include <crypto/md5.h>
@@ -93,8 +94,6 @@
#endif /* INET6 */
-#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
-
/*
* Global variables
*/
@@ -282,13 +281,13 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
if (sns[type] != NULL) {
if (!PF_AZERO(&(sns[type])->raddr, af))
PF_ACPY(naddr, &(sns[type])->raddr, af);
- if (pf_status.debug >= PF_DEBUG_NOISY) {
- printf("pf_map_addr: src tracking (%u) maps ",
- type);
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG, "pf: pf_map_addr: "
+ "src tracking (%u) maps ", type);
pf_print_host(&k.addr, 0, af);
- printf(" to ");
+ addlog(" to ");
pf_print_host(naddr, 0, af);
- printf("\n");
+ addlog("\n");
}
return (0);
}
@@ -408,11 +407,11 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
return (1);
}
- if (pf_status.debug >= PF_DEBUG_MISC &&
+ if (pf_status.debug >= LOG_NOTICE &&
(rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
- printf("pf_map_addr: selected address ");
+ log(LOG_NOTICE, "pf: pf_map_addr: selected address ");
pf_print_host(naddr, 0, af);
- printf("\n");
+ addlog("\n");
}
return (0);
@@ -432,11 +431,10 @@ pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr,
if (pf_get_sport(pd->af, pd->proto, r, saddr,
daddr, *dport, &naddr, &nport, r->nat.proxy_port[0],
r->nat.proxy_port[1], sns, pd->rdomain)) {
- DPFPRINTF(PF_DEBUG_MISC,
- ("pf: NAT proxy port allocation "
- "(%u-%u) failed\n",
+ DPFPRINTF(LOG_NOTICE,
+ "pf: NAT proxy port allocation (%u-%u) failed",
r->nat.proxy_port[0],
- r->nat.proxy_port[1]));
+ r->nat.proxy_port[1]);
return (-1);
}
PF_ACPY(saddr, &naddr, pd->af);
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index c0ac7095c74..c3708d724da 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.120 2009/09/01 15:51:06 jsing Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.121 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -37,6 +37,7 @@
#include <sys/kernel.h>
#include <sys/time.h>
#include <sys/pool.h>
+#include <sys/syslog.h>
#include <dev/rndvar.h>
#include <net/if.h>
@@ -114,13 +115,6 @@ struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *);
struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **,
struct pf_frent *, int);
-#define DPFPRINTF(x) do { \
- if (pf_status.debug >= PF_DEBUG_MISC) { \
- printf("%s: ", __func__); \
- printf x ; \
- } \
-} while(0)
-
/* Globals */
struct pool pf_frent_pl, pf_frag_pl, pf_cache_pl, pf_cent_pl;
struct pool pf_state_scrub_pl;
@@ -181,7 +175,7 @@ pf_purge_expired_fragments(void)
if (frag->fr_timeout > expire)
break;
- DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag));
+ DPFPRINTF(LOG_NOTICE, "expiring %d(%p)", frag->fr_id, frag);
pf_free_fragment(frag);
}
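Review bot: These messages lose their context: the old pf_norm.c macro prefixed every line with `__func__` (removed in the preceding hunk), so `expiring %d(%p)` will now reach syslog as a bare string unless the new DPFPRINTF in pfvar.h, whose definition is not in view, adds that prefix itself. Either restore it in the message, `"pf_purge_expired_fragments: expiring %d(%p)"`, or confirm the macro does it. The `%p` is also worth a second look: this used to go to the console, but log() lands in the syslog files, so a kernel heap address becomes readable to anyone who can read the log; drop it or move the message to LOG_DEBUG.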
@@ -190,7 +184,7 @@ pf_purge_expired_fragments(void)
if (frag->fr_timeout > expire)
break;
- DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag));
+ DPFPRINTF(LOG_NOTICE, "expiring %d(%p)", frag->fr_id, frag);
pf_free_fragment(frag);
KASSERT(TAILQ_EMPTY(&pf_cachequeue) ||
TAILQ_LAST(&pf_cachequeue, pf_cachequeue) != frag);
@@ -208,8 +202,8 @@ pf_flush_fragments(void)
int goal;
goal = pf_nfrents * 9 / 10;
- DPFPRINTF(("trying to free > %d frents\n",
- pf_nfrents - goal));
+ DPFPRINTF(LOG_NOTICE, "trying to free > %d frents",
+ pf_nfrents - goal);
while (goal < pf_nfrents) {
frag = TAILQ_LAST(&pf_fragqueue, pf_fragqueue);
if (frag == NULL)
@@ -219,8 +213,8 @@ pf_flush_fragments(void)
goal = pf_ncache * 9 / 10;
- DPFPRINTF(("trying to free > %d cache entries\n",
- pf_ncache - goal));
+ DPFPRINTF(LOG_NOTICE, "trying to free > %d cache entries",
+ pf_ncache - goal);
while (goal < pf_ncache) {
frag = TAILQ_LAST(&pf_cachequeue, pf_cachequeue);
if (frag == NULL)
@@ -383,7 +377,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
if (precut >= ip_len)
goto drop_fragment;
m_adj(frent->fr_m, precut);
- DPFPRINTF(("overlap -%d\n", precut));
+ DPFPRINTF(LOG_NOTICE, "overlap -%d", precut);
/* Enforce 8 byte boundaries */
ip->ip_off = htons(ntohs(ip->ip_off) + (precut >> 3));
off = (ntohs(ip->ip_off) & IP_OFFMASK) << 3;
@@ -397,7 +391,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
u_int16_t aftercut;
aftercut = ip_len + off - FR_IP_OFF(frea);
- DPFPRINTF(("adjust overlap %d\n", aftercut));
+ DPFPRINTF(LOG_NOTICE, "adjust overlap %d", aftercut);
if (aftercut < ntohs(frea->fr_ip->ip_len) - frea->fr_ip->ip_hl
* 4)
{
@@ -443,13 +437,14 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
if (off < (*frag)->fr_max &&
(next == NULL || FR_IP_OFF(next) != off))
{
- DPFPRINTF(("missing fragment at %d, next %d, max %d\n",
+ DPFPRINTF(LOG_NOTICE,
+ "missing fragment at %d, next %d, max %d",
off, next == NULL ? -1 : FR_IP_OFF(next),
- (*frag)->fr_max));
+ (*frag)->fr_max);
return (NULL);
}
}
- DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max));
+ DPFPRINTF(LOG_NOTICE, "%d < %d?", off, (*frag)->fr_max);
if (off < (*frag)->fr_max)
return (NULL);
@@ -457,7 +452,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
frent = LIST_FIRST(&(*frag)->fr_queue);
KASSERT(frent != NULL);
if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) {
- DPFPRINTF(("drop: too big: %d\n", off));
+ DPFPRINTF(LOG_NOTICE, "drop: too big: %d", off);
pf_free_fragment(*frag);
*frag = NULL;
return (NULL);
@@ -502,7 +497,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
m->m_pkthdr.len = plen;
}
- DPFPRINTF(("complete: %p(%d)\n", m, ntohs(ip->ip_len)));
+ DPFPRINTF(LOG_NOTICE, "complete: %p(%d)", m, ntohs(ip->ip_len));
return (m);
drop_fragment:
@@ -552,7 +547,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
* no-df above, fine. Otherwise drop it.
*/
if (h->ip_off & htons(IP_DF)) {
- DPFPRINTF(("IP_DF\n"));
+ DPFPRINTF(LOG_NOTICE, "IP_DF");
goto bad;
}
@@ -561,13 +556,13 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
/* All fragments are 8 byte aligned */
if (mff && (ip_len & 0x7)) {
- DPFPRINTF(("mff and %d\n", ip_len));
+ DPFPRINTF(LOG_NOTICE, "mff and %d", ip_len);
goto bad;
}
/* Respect maximum length */
if (fragoff + ip_len > IP_MAXPACKET) {
- DPFPRINTF(("max packet %d\n", fragoff + ip_len));
+ DPFPRINTF(LOG_NOTICE, "max packet %d", fragoff + ip_len);
goto bad;
}
max = fragoff + ip_len;
@@ -591,7 +586,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
frent->fr_m = m;
/* Might return a completely reassembled mbuf, or NULL */
- DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max));
+ DPFPRINTF(LOG_NOTICE,
+ "reass frag %d @ %d-%d\n", h->ip_id, fragoff, max);
*m0 = m = pf_reassemble(m0, &frag, frent, mff);
if (m == NULL)
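Review bot: The format at L1785 keeps a trailing `\n` (`"reass frag %d @ %d-%d\n"`) while every other converted call in this file drops it, so this entry will be followed by an empty line in syslog if the new DPFPRINTF appends its own newline, as the other conversions imply. Change it to `"reass frag %d @ %d-%d"`. pf_normalize_ip continues outside the hunk.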
@@ -619,7 +615,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
return (PF_DROP);
bad:
- DPFPRINTF(("dropping bad fragment\n"));
+ DPFPRINTF(LOG_NOTICE, "dropping bad fragment");
/* Free associated fragments */
if (frag != NULL)
@@ -992,10 +988,12 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
if (got_ts) {
/* Huh? Multiple timestamps!? */
- if (pf_status.debug >= PF_DEBUG_MISC) {
- DPFPRINTF(("multiple TS??"));
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: %s: multiple TS??",
+ __func__);
pf_print_state(state);
- printf("\n");
+ addlog("\n");
}
REASON_SET(reason, PFRES_TS);
return (PF_DROP);
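Review bot: The state printed by pf_print_state is appended directly to `"pf: %s: multiple TS??"` with no separator, while the sibling messages in this function end with a space (`"pf: src idled out of PAWS "`), so this one reads `...TS??<state>` in syslog. Add a trailing space to the format. This is also the only message in the function that embeds `__func__`; the others use a plain `pf:` prefix, so pick one convention.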
@@ -1061,20 +1059,20 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) &&
(uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE ||
time_second - state->creation > TS_MAX_CONN)) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- DPFPRINTF(("src idled out of PAWS\n"));
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: src idled out of PAWS ");
pf_print_state(state);
- printf("\n");
+ addlog("\n");
}
src->scrub->pfss_flags = (src->scrub->pfss_flags & ~PFSS_PAWS)
| PFSS_PAWS_IDLED;
}
if (dst->scrub && (dst->scrub->pfss_flags & PFSS_PAWS) &&
uptime.tv_sec - dst->scrub->pfss_last.tv_sec > TS_MAX_IDLE) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- DPFPRINTF(("dst idled out of PAWS\n"));
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: dst idled out of PAWS ");
pf_print_state(state);
- printf("\n");
+ addlog("\n");
}
dst->scrub->pfss_flags = (dst->scrub->pfss_flags & ~PFSS_PAWS)
| PFSS_PAWS_IDLED;
@@ -1179,25 +1177,29 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
* an old timestamp.
*/
- DPFPRINTF(("Timestamp failed %c%c%c%c\n",
+ DPFPRINTF(LOG_NOTICE, "Timestamp failed %c%c%c%c",
SEQ_LT(tsval, dst->scrub->pfss_tsecr) ? '0' : ' ',
SEQ_GT(tsval, src->scrub->pfss_tsval +
tsval_from_last) ? '1' : ' ',
SEQ_GT(tsecr, dst->scrub->pfss_tsval) ? '2' : ' ',
- SEQ_LT(tsecr, dst->scrub->pfss_tsval0)? '3' : ' '));
- DPFPRINTF((" tsval: %lu tsecr: %lu +ticks: %lu "
- "idle: %lus %lums\n",
+ SEQ_LT(tsecr, dst->scrub->pfss_tsval0)? '3' : ' ');
+ DPFPRINTF(LOG_NOTICE,
+ " tsval: %lu tsecr: %lu +ticks: %lu "
+ "idle: %lus %lums",
tsval, tsecr, tsval_from_last, delta_ts.tv_sec,
- delta_ts.tv_usec / 1000));
- DPFPRINTF((" src->tsval: %lu tsecr: %lu\n",
- src->scrub->pfss_tsval, src->scrub->pfss_tsecr));
- DPFPRINTF((" dst->tsval: %lu tsecr: %lu tsval0: %lu"
- "\n", dst->scrub->pfss_tsval,
- dst->scrub->pfss_tsecr, dst->scrub->pfss_tsval0));
- if (pf_status.debug >= PF_DEBUG_MISC) {
+ delta_ts.tv_usec / 1000);
+ DPFPRINTF(LOG_NOTICE,
+ " src->tsval: %lu tsecr: %lu",
+ src->scrub->pfss_tsval, src->scrub->pfss_tsecr);
+ DPFPRINTF(LOG_NOTICE,
+ " dst->tsval: %lu tsecr: %lu tsval0: %lu",
+ dst->scrub->pfss_tsval, dst->scrub->pfss_tsecr,
+ dst->scrub->pfss_tsval0);
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE, "pf: ");
pf_print_state(state);
pf_print_flags(th->th_flags);
- printf("\n");
+ addlog("\n");
}
REASON_SET(reason, PFRES_TS);
return (PF_DROP);
@@ -1242,12 +1244,13 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
* Hey! Someone tried to sneak a packet in. Or the
* stack changed its RFC1323 behavior?!?!
*/
- if (pf_status.debug >= PF_DEBUG_MISC) {
- DPFPRINTF(("Did not receive expected RFC1323 "
- "timestamp\n"));
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: did not receive expected RFC1323 "
+ "timestamp");
pf_print_state(state);
pf_print_flags(th->th_flags);
- printf("\n");
+ addlog("\n");
}
REASON_SET(reason, PFRES_TS);
return (PF_DROP);
@@ -1269,15 +1272,16 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
src->scrub->pfss_flags |= PFSS_DATA_TS;
else {
src->scrub->pfss_flags |= PFSS_DATA_NOTS;
- if (pf_status.debug >= PF_DEBUG_MISC && dst->scrub &&
+ if (pf_status.debug >= LOG_NOTICE && dst->scrub &&
(dst->scrub->pfss_flags & PFSS_TIMESTAMP)) {
/* Don't warn if other host rejected RFC1323 */
- DPFPRINTF(("Broken RFC1323 stack did not "
+ log(LOG_NOTICE,
+ "pf: broken RFC1323 stack did not "
"timestamp data packet. Disabled PAWS "
- "security.\n"));
+ "security.");
pf_print_state(state);
pf_print_flags(th->th_flags);
- printf("\n");
+ addlog("\n");
}
}
}
diff --git a/sys/net/pf_osfp.c b/sys/net/pf_osfp.c
index 75f33032e1a..0824e5b9ff2 100644
--- a/sys/net/pf_osfp.c
+++ b/sys/net/pf_osfp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_osfp.c,v 1.15 2008/06/14 02:22:13 henning Exp $ */
+/* $OpenBSD: pf_osfp.c,v 1.16 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
@@ -24,6 +24,7 @@
#include <sys/pool.h>
#endif /* _KERNEL */
#include <sys/mbuf.h>
+#include <sys/syslog.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -40,9 +41,6 @@
#ifdef _KERNEL
-# define DPFPRINTF(format, x...) \
- if (pf_status.debug >= PF_DEBUG_NOISY) \
- printf(format , ##x)
typedef struct pool pool_t;
#else
@@ -60,11 +58,9 @@ typedef struct pool pool_t;
# define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size)
# ifdef PFDEBUG
-# include <sys/stdarg.h>
-# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
-# else
-# define DPFPRINTF(format, x...) ((void)0)
+# include <sys/stdarg.h> /* for DPFPRINTF() */
# endif /* PFDEBUG */
+
#endif /* _KERNEL */
@@ -240,8 +236,9 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const st
optlen = MAX(optlen, 1); /* paranoia */
}
- DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
- "(TS=%s,M=%s%d,W=%s%d)\n",
+ DPFPRINTF(LOG_NOTICE,
+ "fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
+ "(TS=%s,M=%s%d,W=%s%d)",
srcname, ntohs(tcp->th_sport),
fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
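Review bot: This raises the verbosity of OS fingerprinting by two steps: the old pf_osfp.c macro (removed at L1935-L1937) only printed at PF_DEBUG_NOISY, the highest level, but the new call uses LOG_NOTICE, the equivalent of the old PF_DEBUG_MISC, and it fires for every SYN that reaches the fingerprinter. At `pfctl -x notice` that is one syslog line per connection attempt; `DPFPRINTF(LOG_DEBUG,` keeps the old threshold. The same applies to the three calls in pf_osfp_match in the following hunks. The call continues past the end of the hunk.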
@@ -270,7 +267,7 @@ pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
if (os == PF_OSFP_ANY)
return (1);
if (list == NULL) {
- DPFPRINTF("osfp no match against %x\n", os);
+ DPFPRINTF(LOG_NOTICE, "osfp no match against %x", os);
return (os == PF_OSFP_UNKNOWN);
}
PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
@@ -279,13 +276,14 @@ pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
(os_version == PF_OSFP_ANY || en_version == os_version) &&
(os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
- DPFPRINTF("osfp matched %s %s %s %x==%x\n",
+ DPFPRINTF(LOG_NOTICE,
+ "osfp matched %s %s %s %x==%x",
entry->fp_class_nm, entry->fp_version_nm,
entry->fp_subtype_nm, os, entry->fp_os);
return (1);
}
}
- DPFPRINTF("fingerprint 0x%x didn't match\n", os);
+ DPFPRINTF(LOG_NOTICE, "fingerprint 0x%x didn't match", os);
return (0);
}
@@ -335,9 +333,9 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc)
fpadd.fp_wscale = fpioc->fp_wscale;
fpadd.fp_ttl = fpioc->fp_ttl;
-#if 0 /* XXX RYAN wants to fix logging */
- DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
- "(TS=%s,M=%s%d,W=%s%d) %x\n",
+ DPFPRINTF(LOG_DEBUG,
+ "adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
+ "(TS=%s,M=%s%d,W=%s%d) %x",
fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm,
fpioc->fp_os.fp_subtype_nm,
(fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
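Review bot: Removing the `#if 0` means this format string and its argument list are compiled and executed for the first time since the `XXX RYAN` note was added; the call spans this hunk and the next, so the pairing of the `%s%d` groups with their `(flags & X) ? "*" : "", value` arguments cannot be checked fully from here. Make sure DPFPRINTF carries a printf format attribute (`__attribute__((__format__(__printf__, 2, 3)))`) so the compiler verifies it, and load a pf.os once at `-x debug` to confirm the output. pf_osfp_add continues outside the hunk.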
@@ -359,7 +357,6 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc)
(fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
fpadd.fp_wscale,
fpioc->fp_os.fp_os);
-#endif
if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) {
SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
@@ -401,7 +398,8 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc)
#ifdef PFDEBUG
if ((fp = pf_osfp_validate()))
- printf("Invalid fingerprint list\n");
+ DPFPRINTF(LOG_NOTICE,
+ "Invalid fingerprint list");
#endif /* PFDEBUG */
return (0);
}
@@ -570,7 +568,8 @@ pf_osfp_validate(void)
find.fp_wsize *= 2;
if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) {
if (f2)
- printf("Found \"%s %s %s\" instead of "
+ DPFPRINTF(LOG_NOTICE,
+ "Found \"%s %s %s\" instead of "
"\"%s %s %s\"\n",
SLIST_FIRST(&f2->fp_oses)->fp_class_nm,
SLIST_FIRST(&f2->fp_oses)->fp_version_nm,
@@ -579,7 +578,8 @@ pf_osfp_validate(void)
SLIST_FIRST(&f->fp_oses)->fp_version_nm,
SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
else
- printf("Couldn't find \"%s %s %s\"\n",
+ DPFPRINTF(LOG_NOTICE,
+ "Couldn't find \"%s %s %s\"\n",
SLIST_FIRST(&f->fp_oses)->fp_class_nm,
SLIST_FIRST(&f->fp_oses)->fp_version_nm,
SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
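Review bot: Both messages in pf_osfp_validate keep their trailing `\n` after the conversion: the new line at L2031, `"Couldn't find \"%s %s %s\"\n"`, and the context line `"\"%s %s %s\"\n"` at L2022 that the previous hunk left untouched, whereas every other DPFPRINTF in this commit drops it. Strip both so the entries are not followed by an empty line in syslog. This code is under PFDEBUG only, so it is easy to miss in a normal build.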
diff --git a/sys/net/pf_ruleset.c b/sys/net/pf_ruleset.c
index 313462fc7e6..31c5e86e7cb 100644
--- a/sys/net/pf_ruleset.c
+++ b/sys/net/pf_ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ruleset.c,v 1.5 2009/11/22 22:34:50 henning Exp $ */
+/* $OpenBSD: pf_ruleset.c,v 1.6 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -41,6 +41,7 @@
# include <sys/systm.h>
#endif /* _KERNEL */
#include <sys/mbuf.h>
+#include <sys/syslog.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -56,9 +57,6 @@
#ifdef _KERNEL
-# define DPFPRINTF(format, x...) \
- if (pf_status.debug >= PF_DEBUG_NOISY) \
- printf(format , ##x)
#define rs_malloc(x) malloc(x, M_TEMP, M_WAITOK|M_CANFAIL|M_ZERO)
#define rs_free(x) free(x, M_TEMP)
@@ -74,11 +72,8 @@
# define rs_free(x) free(x)
# ifdef PFDEBUG
-# include <sys/stdarg.h>
-# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
-# else
-# define DPFPRINTF(format, x...) ((void)0)
-# endif /* PFDEBUG */
+# include <sys/stdarg.h> /* for DPFPRINTF() */
+# endif
#endif /* _KERNEL */
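Review bot: The userland fallback `#define DPFPRINTF(format, x...) ((void)0)` for the non-PFDEBUG case is removed, so pfctl's build of pf_ruleset.c now depends on a DPFPRINTF definition that has to come from pfvar.h outside `#ifdef _KERNEL`; the part of pfvar.h that would hold it is cut off at L2174 of this diff, so confirm it exists and does not call the kernel-only log()/addlog(). The `/* for DPFPRINTF() */` comment on the stdarg include is the only hint of that dependency; a one-line comment naming where the userland macro lives would spare the next reader the search.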
@@ -196,8 +191,9 @@ pf_find_or_create_ruleset(const char *path)
strlcat(anchor->path, anchor->name, sizeof(anchor->path));
if ((dup = RB_INSERT(pf_anchor_global, &pf_anchors, anchor)) !=
NULL) {
- printf("pf_find_or_create_ruleset: RB_INSERT1 "
- "'%s' '%s' collides with '%s' '%s'\n",
+ DPFPRINTF(LOG_NOTICE,
+ "pf_find_or_create_ruleset: RB_INSERT1 "
+ "'%s' '%s' collides with '%s' '%s'",
anchor->path, anchor->name, dup->path, dup->name);
rs_free(anchor);
rs_free(p);
@@ -207,9 +203,10 @@ pf_find_or_create_ruleset(const char *path)
anchor->parent = parent;
if ((dup = RB_INSERT(pf_anchor_node, &parent->children,
anchor)) != NULL) {
- printf("pf_find_or_create_ruleset: "
+ DPFPRINTF(LOG_NOTICE,
+ "pf_find_or_create_ruleset: "
"RB_INSERT2 '%s' '%s' collides with "
- "'%s' '%s'\n", anchor->path, anchor->name,
+ "'%s' '%s'", anchor->path, anchor->name,
dup->path, dup->name);
RB_REMOVE(pf_anchor_global, &pf_anchors,
anchor);
@@ -282,7 +279,8 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
strlcpy(path, s->anchor->path, MAXPATHLEN);
while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
if (!path[0]) {
- printf("pf_anchor_setup: .. beyond root\n");
+ DPFPRINTF(LOG_NOTICE,
+ "pf_anchor_setup: .. beyond root");
rs_free(path);
return (1);
}
@@ -304,7 +302,8 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
ruleset = pf_find_or_create_ruleset(path);
rs_free(path);
if (ruleset == NULL || ruleset->anchor == NULL) {
- printf("pf_anchor_setup: ruleset\n");
+ DPFPRINTF(LOG_NOTICE,
+ "pf_anchor_setup: ruleset");
return (1);
}
r->anchor = ruleset->anchor;
@@ -342,7 +341,8 @@ pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r,
sizeof(pr->anchor_call));
}
if (strncmp(a, r->anchor->path, strlen(a))) {
- printf("pf_anchor_copyout: '%s' '%s'\n", a,
+ DPFPRINTF(LOG_NOTICE,
+ "pf_anchor_copyout: '%s' '%s'", a,
r->anchor->path);
rs_free(a);
return (1);
@@ -364,7 +364,8 @@ pf_anchor_remove(struct pf_rule *r)
if (r->anchor == NULL)
return;
if (r->anchor->refcnt <= 0) {
- printf("pf_anchor_remove: broken refcount\n");
+ DPFPRINTF(LOG_NOTICE,
+ "pf_anchor_remove: broken refcount");
r->anchor = NULL;
return;
}
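Review bot: The `pf_anchor_remove: broken refcount` message reports a violated invariant (a live anchor with `refcnt <= 0`), yet it is now gated at LOG_NOTICE where the printf it replaces was unconditional; unless pf_status.debug defaults to LOG_NOTICE or above (not visible in this hunk), this corruption indicator becomes silent on a stock system. Since the code then masks the problem by nulling `r->anchor` and returning, the only trace of it is this log line. Consider `DPFPRINTF(LOG_ERR, "pf_anchor_remove: broken refcount");` so it is emitted at the default severity, and the same reasoning applies to the RB_INSERT collision messages earlier in this file. pf_anchor_remove's body continues outside the hunk.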
diff --git a/sys/net/pf_table.c b/sys/net/pf_table.c
index 42fa919c4b4..073b745a69e 100644
--- a/sys/net/pf_table.c
+++ b/sys/net/pf_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_table.c,v 1.81 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pf_table.c,v 1.82 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -36,6 +36,7 @@
#include <sys/mbuf.h>
#include <sys/kernel.h>
#include <sys/pool.h>
+#include <sys/syslog.h>
#include <net/if.h>
#include <net/route.h>
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 84d48fe84ff..8b2acb3ff8b 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.305 2010/01/13 01:54:38 jsg Exp $ */
+/* $OpenBSD: pfvar.h,v 1.306 2010/01/18 23:52:46 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -64,7 +64,6 @@ enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
enum { PF_TRANS_RULESET, PF_TRANS_ALTQ, PF_TRANS_TABLE };
enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
-enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
@@ -185,11 +184,44 @@ struct pfi_dynaddr {
sa_family_t pfid_af; /* rule af */
u_int8_t pfid_iflags; /* PFI_AFLAG_* */
};
+#endif /* _KERNEL */
+
+
+/*
+ * Logging macros
+ */
+
+#ifndef PF_DEBUGNAME
+#define PF_DEBUGNAME "pf: "
+#endif
+
+#ifdef _KERNEL
+#define DPFPRINTF(n, format, x...) \
+ do { \
+ if (pf_status.debug >= (n)) { \
+ log(n, PF_DEBUGNAME); \
+ addlog(format, ##x); \
+ addlog("\n"); \
+ } \
+ } while (0)
+#else
+#ifdef PFDEBUG \
+#define DPFPRINTF(n, format, x...) \
+ do { \
+ fprintf(stderr, format, ##x); \
+ fprintf(stderr, "\n"); \
+ } while (0)
+#else
+#define DPFPRINTF(n, format, x...) ((void)0)
+#endif /* PFDEBUG */
+#endif /* _KERNEL */
+
/*
* Address manipulation macros
*/
+#ifdef _KERNEL
#ifdef INET
#ifndef INET6
#define PF_INET_ONLY
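Review bot: The userland branch reads `#ifdef PFDEBUG \` with a trailing backslash, so the following `#define DPFPRINTF(n, format, x...) \` line is spliced onto the `#ifdef` directive; a PFDEBUG userland build then either gets a preprocessor error for extra tokens after `#ifdef` or silently loses the macro definition, leaving the `do { fprintf... } while (0)` lines as stray text. Drop the backslash: `#ifdef PFDEBUG`. Two smaller points on the kernel branch: `n` is evaluated twice (`pf_status.debug >= (n)` and `log(n, ...)`), harmless for the LOG_* constants but worth a comment, and because `format` is passed straight through to `addlog()` every caller must supply a string literal, which deserves a comment such as `/* format must be a string literal; never pass caller- or packet-derived text */` above the macro so nobody later routes an untrusted string through it.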