-rw-r--r-- | sbin/pfctl/pfctl.8 | 32 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 92 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 62 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 5 | ||||
-rw-r--r-- | sys/net/if_pfsync.c | 81 | ||||
-rw-r--r-- | sys/net/pf.c | 382 | ||||
-rw-r--r-- | sys/net/pf_if.c | 25 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 14 | ||||
-rw-r--r-- | sys/net/pf_lb.c | 28 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 114 | ||||
-rw-r--r-- | sys/net/pf_osfp.c | 40 | ||||
-rw-r--r-- | sys/net/pf_ruleset.c | 35 | ||||
-rw-r--r-- | sys/net/pf_table.c | 3 | ||||
-rw-r--r-- | sys/net/pfvar.h | 36 |
14 files changed, 520 insertions, 429 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 7c59a593594..d98ee96e7e4 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.141 2009/09/28 22:13:20 dlg Exp $ +.\" $OpenBSD: pfctl.8,v 1.142 2010/01/18 23:52:46 mcbride Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 28 2009 $ +.Dd $Mdocdate: January 18 2010 $ .Dt PFCTL 8 .Os .Sh NAME @@ -640,19 +640,21 @@ will produce even more verbose output including ruleset warnings. See the previous section for its effect on table commands. .It Fl x Ar level Set the debug -.Ar level -(may be abbreviated) to one of the following: -.Pp -.Bl -tag -width xxxxxxxxxxxx -compact -.It Fl x Cm none -Don't generate debug messages. -.It Fl x Cm urgent -Generate debug messages only for serious errors. -.It Fl x Cm misc -Generate debug messages for various errors. -.It Fl x Cm loud -Generate debug messages for common conditions. -.El +.Ar level , +which limits the severity of log messages printed by pf. This should be is a +keyword from the following ordered list (highest to lowest): +.Ar emerg , +.Ar alert , +.Ar crit , +.Ar err , +.Ar warning , +.Ar notice , +.Ar info , +and +.Ar debug . +These keywords correspond to the similar (LOG_) values specified +to the syslog library routine, and may be abbreviated on the command +line. .It Fl z Clear per-rule statistics. .El diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 3681d43faee..c9bcb4f84d6 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.293 2010/01/13 01:41:58 jsg Exp $ */ +/* $OpenBSD: pfctl.c,v 1.294 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
@@ -53,6 +53,8 @@ #include <string.h> #include <unistd.h> +#include <syslog.h> + #include "pfctl_parser.h" #include "pfctl.h" @@ -214,7 +216,10 @@ static const char *tblcmdopt_list[] = { }; static const char *debugopt_list[] = { - "none", "urgent", "misc", "loud", NULL + "debug", "info", "notice", "warning", + "error", "crit", "alert", "emerg", + "none", "urgent", "misc", "loud", + NULL }; static const char *optiopt_list[] = { @@ -1382,7 +1387,8 @@ pfctl_init_options(struct pfctl *pf) if (mem <= 100*1024*1024) pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL; - pf->debug = PF_DEBUG_URGENT; + pf->debug = LOG_ERR; + pf->debug_set = 0; pf->reassemble = PF_REASS_ENABLED; } @@ -1667,23 +1673,26 @@ int pfctl_set_debug(struct pfctl *pf, char *d) { u_int32_t level; + int loglevel; if ((loadopt & PFCTL_FLAG_OPTION) == 0) return (0); if (!strcmp(d, "none")) - pf->debug = PF_DEBUG_NONE; + level = LOG_CRIT; else if (!strcmp(d, "urgent")) - pf->debug = PF_DEBUG_URGENT; + level = LOG_ERR; else if (!strcmp(d, "misc")) - pf->debug = PF_DEBUG_MISC; + level = LOG_NOTICE; else if (!strcmp(d, "loud")) - pf->debug = PF_DEBUG_NOISY; + level = LOG_DEBUG; + else if ((loglevel = string_to_loglevel(d)) >= 0) + level = loglevel; else { warnx("unknown debug level \"%s\"", d); return (-1); } - + pf->debug = level; pf->debug_set = 1; if ((pf->opts & PF_OPT_NOACTION) == 0) 
@@ -1746,27 +1755,9 @@ pfctl_debug(int dev, u_int32_t level, int opts) pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) err(1, "pfctl_debug ioctl"); - if ((opts & PF_OPT_QUIET) == 0) { - fprintf(stderr, "debug level set to '"); - switch (level) { - case PF_DEBUG_NONE: - fprintf(stderr, "none"); - break; - case PF_DEBUG_URGENT: - fprintf(stderr, "urgent"); - break; - case PF_DEBUG_MISC: - fprintf(stderr, "misc"); - break; - case PF_DEBUG_NOISY: - fprintf(stderr, "loud"); - break; - default: - fprintf(stderr, "<invalid>"); - break; - } - fprintf(stderr, "'\n"); - } + if ((opts & PF_OPT_QUIET) == 0) + fprintf(stderr, "debug level set to '%s'\n", + loglevel_to_string(level)); } int @@ -1828,11 +1819,17 @@ pfctl_show_anchors(int dev, int opts, char *anchorname) const char * pfctl_lookup_option(char *cmd, const char **list) { + const char *item = NULL; if (cmd != NULL && *cmd) for (; *list; list++) - if (!strncmp(cmd, *list, strlen(cmd))) - return (*list); - return (NULL); + if (!strncmp(cmd, *list, strlen(cmd))) { + if (item == NULL) + item = *list; + else + errx(1, "%s is ambigious", cmd); + } + + return (item); } @@ -1912,6 +1909,7 @@ main(int argc, char *argv[]) int mode = O_RDONLY; int opts = 0; int optimize = PF_OPTIMIZE_BASIC; + int level; char anchorname[MAXPATHLEN]; char *path; char *lfile = NULL, *sfile = NULL; 
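Review bot: pfctl_lookup_option now reports an exact match as ambiguous whenever that spelling is also a prefix of a later list entry, because the loop never tells `strcmp(cmd, *list) == 0` apart from a prefix hit; an exact match should win before the prefix scan, e.g. a first pass of `if (strcmp(cmd, *list) == 0) return (*list);` over the list. The errx text also misspells the word: `errx(1, "%s is ambiguous", cmd);`. None of the entries visible in debugopt_list overlap that way, but the helper serves the other option lists too, which are outside this hunk.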
@@ -2277,20 +2275,24 @@ main(int argc, char *argv[]) error = 1; if (debugopt != NULL) { - switch (*debugopt) { - case 'n': - pfctl_debug(dev, PF_DEBUG_NONE, opts); - break; - case 'u': - pfctl_debug(dev, PF_DEBUG_URGENT, opts); - break; - case 'm': - pfctl_debug(dev, PF_DEBUG_MISC, opts); - break; - case 'l': - pfctl_debug(dev, PF_DEBUG_NOISY, opts); - break; + if ((level = string_to_loglevel((char *)debugopt)) < 0) { + switch (*debugopt) { + case 'n': + level = LOG_CRIT; + break; + case 'u': + level = LOG_ERR; + break; + case 'm': + level = LOG_NOTICE; + break; + case 'l': + level = LOG_DEBUG; + break; + } } + if (level >= 0) + pfctl_debug(dev, level, opts); } if (sfile != NULL) diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index c661fe4f74a..a5837f2943e 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.261 2010/01/13 05:09:07 deraadt Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.262 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -56,6 +56,9 @@ #include <ifaddrs.h> #include <unistd.h> +#define SYSLOG_NAMES +#include <syslog.h> + #include "pfctl_parser.h" #include "pfctl.h" 
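Review bot: In main's debugopt handling the syslog table is consulted before the legacy keywords, so `-x none` is resolved by `string_to_loglevel()` first; the BSD sys/syslog.h prioritynames table carries a `none` entry mapped to INTERNAL_NOPRI (0x10), which is above LOG_DEBUG and would make the kernel log everything rather than nothing — confirm against the header the build uses. pfctl_set_debug() in the earlier pfctl.c hunk checks the four legacy names before calling string_to_loglevel() and so avoids this; main should use the same order, or reject the result before it reaches the ioctl: `if (level < 0 || level > LOG_DEBUG) errx(1, "invalid debug level");`. Bounding the value inside string_to_loglevel() itself (pfctl_parser.c hunk) would cover both callers at once. main begins and continues outside this hunk.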
@@ -292,6 +295,45 @@ geticmpcodebyname(u_long type, char *w, sa_family_t af) return (NULL); } +/* + * Decode a symbolic name to a numeric value. + * From syslogd. + */ +int +string_to_loglevel(const char *name) +{ + CODE *c; + char *p, buf[40]; + + if (isdigit(*name)) + return (atoi(name)); + + for (p = buf; *name && p < &buf[sizeof(buf) - 1]; p++, name++) { + if (isupper(*name)) + *p = tolower(*name); + else + *p = *name; + } + *p = '\0'; + for (c = prioritynames; c->c_name; c++) + if (!strcmp(buf, c->c_name)) + return (c->c_val); + + return (-1); +} + +const char * +loglevel_to_string(int level) +{ + CODE *c; + + for (c = prioritynames; c->c_name; c++) + if (c->c_val == level) + return (c->c_name); + + return ("unknown"); +} + void print_op(u_int8_t op, const char *a1, const char *a2) { @@ -460,7 +502,7 @@ const char *pf_scounters[FCNT_MAX+1] = FCNT_NAMES; void print_status(struct pf_status *s, int opts) { - char statline[80], *running; + char statline[80], *running, *debug; time_t runtime; int i; char buf[PF_MD5_DIGEST_LENGTH * 2 + 1]; @@ -484,20 +526,8 @@ print_status(struct pf_status *s, int opts) } else snprintf(statline, sizeof(statline), "Status: %s", running); printf("%-44s", statline); - switch (s->debug) { - case PF_DEBUG_NONE: - printf("%15s\n\n", "Debug: None"); - break; - case PF_DEBUG_URGENT: - printf("%15s\n\n", "Debug: Urgent"); - break; - case PF_DEBUG_MISC: - printf("%15s\n\n", "Debug: Misc"); - break; - case PF_DEBUG_NOISY: - printf("%15s\n\n", "Debug: Loud"); - break; - } + asprintf(&debug, "Debug: %s", loglevel_to_string(s->debug)); + printf("%15s\n\n", debug); if (opts & PF_OPT_VERBOSE) { printf("Hostid: 0x%08x\n", ntohl(s->hostid)); diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index 1ed6450ef41..a1145a34214 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h 
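Review bot: string_to_loglevel() passes `*name` straight to isdigit()/isupper()/tolower(), which is undefined for negative `char` values; cast through `unsigned char`. Its numeric path returns `atoi(name)` unchecked, so `-x 99` or `-x 3abc` yields an out-of-range level that the kernel stores as pf_status.debug and that loglevel_to_string() later prints as `unknown`; a bounded strtonum() parse plus rejecting table hits above LOG_DEBUG (the syslog-internal `none` entry) closes both holes, as below. In print_status the asprintf() return is unchecked and `debug` is never freed; a stack buffer is simpler: `char dbuf[32]; snprintf(dbuf, sizeof(dbuf), "Debug: %s", loglevel_to_string(s->debug)); printf("%15s\n\n", dbuf);`.
```c
int
string_to_loglevel(const char *name)
{
	CODE *c;
	char *p, buf[40];
	const char *errstr;
	long long n;

	/* numeric form: accept only a complete value within LOG_EMERG..LOG_DEBUG */
	if (isdigit((unsigned char)*name)) {
		n = strtonum(name, LOG_EMERG, LOG_DEBUG, &errstr);
		return (errstr != NULL ? -1 : (int)n);
	}

	for (p = buf; *name && p < &buf[sizeof(buf) - 1]; p++, name++)
		*p = tolower((unsigned char)*name);
	*p = '\0';
	for (c = prioritynames; c->c_name; c++)
		if (!strcmp(buf, c->c_name))
			/* reject syslog-internal entries such as "none" */
			return (c->c_val > LOG_DEBUG ? -1 : c->c_val);

	return (-1);
}
```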
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.h,v 1.91 2010/01/12 03:20:51 mcbride Exp $ */ +/* $OpenBSD: pfctl_parser.h,v 1.92 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -257,6 +257,9 @@ const struct icmptypeent *geticmptypebyname(char *, u_int8_t); const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t); const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t); +int string_to_loglevel(const char *); +const char *loglevel_to_string(int); + struct pf_timeout { const char *name; int timeout; diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c index 6abc539b45c..c64b965a57d 100644 --- a/sys/net/if_pfsync.c +++ b/sys/net/if_pfsync.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pfsync.c,v 1.140 2010/01/12 23:38:02 dlg Exp $ */ +/* $OpenBSD: if_pfsync.c,v 1.141 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2002 Michael Shalayeff @@ -53,6 +53,7 @@ #include <sys/kernel.h> #include <sys/sysctl.h> #include <sys/pool.h> +#include <sys/syslog.h> #include <net/if.h> #include <net/if_types.h> @@ -80,6 +81,7 @@ #include <netinet/ip_carp.h> #endif +#define PF_DEBUGNAME "pfsync: " #include <net/pfvar.h> #include <net/if_pfsync.h> @@ -484,16 +486,15 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) int pool_flags; int error; - if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) { - printf("pfsync_state_import: invalid creator id:" - " %08x\n", ntohl(sp->creatorid)); + if (sp->creatorid == 0) { + DPFPRINTF(LOG_NOTICE, "pfsync_state_import: " + "invalid creator id: %08x", ntohl(sp->creatorid)); return (EINVAL); } if ((kif = pfi_kif_get(sp->ifname)) == NULL) { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync_state_import: " - "unknown interface: %s\n", sp->ifname); + DPFPRINTF(LOG_NOTICE, "pfsync_state_import: " + "unknown interface: %s", sp->ifname); if (flags & PFSYNC_SI_IOCTL) return (EINVAL); return (0); /* skip this state */ 
@@ -814,10 +815,8 @@ pfsync_in_ins(struct pfsync_pkt *pkt, caddr_t buf, int len, int count) sp->dst.state > PF_TCPS_PROXY_DST || sp->direction > PF_OUT || (sp->af != AF_INET && sp->af != AF_INET6)) { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pfsync_input: PFSYNC5_ACT_INS: " - "invalid value\n"); - } + DPFPRINTF(LOG_NOTICE, + "pfsync_input: PFSYNC5_ACT_INS: invalid value"); pfsyncstats.pfsyncs_badval++; continue; } @@ -912,10 +911,29 @@ pfsync_in_upd(struct pfsync_pkt *pkt, caddr_t buf, int len, int count) if (sp->timeout >= PFTM_MAX || sp->src.state > PF_TCPS_PROXY_DST || sp->dst.state > PF_TCPS_PROXY_DST) { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pfsync_input: PFSYNC_ACT_UPD: " - "invalid value\n"); - } + DPFPRINTF(LOG_NOTICE, + "pfsync_input: PFSYNC_ACT_UPD: invalid value"); + pfsyncstats.pfsyncs_badval++; + continue; + } + + bcopy(sp->id, &id_key.id, sizeof(id_key.id)); + id_key.creatorid = sp->creatorid; + + st = pf_find_state_byid(&id_key); + if (st == NULL) { + /* insert the update */ + if (pfsync_state_import(sp, 0)) + pfsyncstats.pfsyncs_badstate++; + continue; + } + + if (ISSET(st->state_flags, PFSTATE_ACK)) + pfsync_deferred(st, 1); + + if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) { + DPFPRINTF(LOG_NOTICE, + "pfsync_input: PFSYNC_ACT_UPD: invalid value"); pfsyncstats.pfsyncs_badval++; continue; } @@ -994,11 +1012,8 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, caddr_t buf, int len, int count) if (up->timeout >= PFTM_MAX || up->src.state > PF_TCPS_PROXY_DST || up->dst.state > PF_TCPS_PROXY_DST) { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pfsync_input: " - "PFSYNC_ACT_UPD_C: " - "invalid value\n"); - } + DPFPRINTF(LOG_NOTICE, + "pfsync_input: PFSYNC_ACT_UPD_C: invalid value"); pfsyncstats.pfsyncs_badval++; continue; } 
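Review bot: In the pfsync_in_upd hunk (`@@ -912,10 +911,29 @@`) the added lines repeat the id_key/pf_find_state_byid/pfsync_deferred block that already follows the range check, and the TCP branch `if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) {` is now closed by the `DPFPRINTF(... "invalid value")`, `pfsyncstats.pfsyncs_badval++;`, `continue;` lines that the hunk's trailing context was meant to end the range check with. As the hunk reads, every TCP state update would be counted as bad and skipped, and the state lookup would run again on the original copy outside the hunk; this looks like a mismerge rather than intent — confirm against the full file and drop the duplicated lines so the hunk only swaps the printf for `DPFPRINTF(LOG_NOTICE, "pfsync_input: PFSYNC_ACT_UPD: invalid value");`. pfsync_in_upd continues past this hunk.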
@@ -1164,8 +1179,7 @@ pfsync_in_bus(struct pfsync_pkt *pkt, caddr_t buf, int len, int count) pf_pool_limits[PF_LIMIT_STATES].limit / ((sc->sc_if.if_mtu - PFSYNC_MINPKT) / sizeof(struct pfsync_state))); - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: received bulk update start\n"); + DPFPRINTF(LOG_INFO, "received bulk update start"); break; case PFSYNC_BUS_END: @@ -1180,13 +1194,10 @@ pfsync_in_bus(struct pfsync_pkt *pkt, caddr_t buf, int len, int count) carp_group_demote_adj(&sc->sc_if, -1); #endif pfsync_sync_ok = 1; - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: received valid " - "bulk update end\n"); + DPFPRINTF(LOG_INFO, "received valid bulk update end"); } else { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: received invalid " - "bulk update end: bad timestamp\n"); + DPFPRINTF(LOG_WARNING, "received invalid " + "bulk update end: bad timestamp"); } break; } @@ -1246,9 +1257,8 @@ pfsync_update_net_tdb(struct pfsync_tdb *pt) return; bad: - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync_insert: PFSYNC_ACT_TDB_UPD: " - "invalid value\n"); + DPFPRINTF(LOG_WARNING, "pfsync_insert: PFSYNC_ACT_TDB_UPD: " + "invalid value"); pfsyncstats.pfsyncs_badstate++; return; } @@ -1875,8 +1885,7 @@ pfsync_request_full_update(struct pfsync_softc *sc) carp_group_demote_adj(&sc->sc_if, 1); #endif pfsync_sync_ok = 0; - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: requesting bulk update\n"); + DPFPRINTF(LOG_INFO, "requesting bulk update"); timeout_add(&sc->sc_bulkfail_tmo, 4 * hz + pf_pool_limits[PF_LIMIT_STATES].limit / ((sc->sc_if.if_mtu - PFSYNC_MINPKT) / @@ -2162,8 +2171,7 @@ pfsync_bulk_start(void) sc->sc_bulk_next = TAILQ_FIRST(&state_list); sc->sc_bulk_last = sc->sc_bulk_next; - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: received bulk update request\n"); + DPFPRINTF(LOG_INFO, "received bulk update request"); pfsync_bulk_status(PFSYNC_BUS_START); timeout_add(&sc->sc_bulk_tmo, 0); 
@@ -2250,8 +2258,7 @@ pfsync_bulk_fail(void *arg) carp_group_demote_adj(&sc->sc_if, -1); #endif pfsync_sync_ok = 1; - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: failed to receive bulk update\n"); + DPFPRINTF(LOG_ERR, "failed to receive bulk update"); } } diff --git a/sys/net/pf.c b/sys/net/pf.c index 1ab9d27f346..66f6aa08d70 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.688 2010/01/14 20:43:19 mcbride Exp $ */ +/* $OpenBSD: pf.c,v 1.689 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -51,6 +51,7 @@ #include <sys/pool.h> #include <sys/proc.h> #include <sys/rwlock.h> +#include <sys/syslog.h> #include <crypto/md5.h> @@ -95,8 +96,6 @@ #endif /* INET6 */ -#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x - /* * Global variables */ @@ -435,8 +434,9 @@ pf_src_connlimit(struct pf_state **state) u_int32_t killed = 0; pf_status.lcounters[LCNT_OVERLOAD_TABLE]++; - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf_src_connlimit: blocking address "); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, + "pf: pf_src_connlimit: blocking address "); pf_print_host(&sn->addr, 0, (*state)->key[PF_SK_WIRE]->af); } @@ -489,11 +489,11 @@ pf_src_connlimit(struct pf_state **state) killed++; } } - if (pf_status.debug >= PF_DEBUG_MISC) - printf(", %u states killed", killed); + if (pf_status.debug >= LOG_NOTICE) + addlog(", %u states killed", killed); } - if (pf_status.debug >= PF_DEBUG_MISC) - printf("\n"); + if (pf_status.debug >= LOG_NOTICE) + addlog("\n"); } /* kill this state */ 
@@ -544,10 +544,11 @@ pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule, PF_ACPY(&(*sn)->raddr, raddr, af); if (RB_INSERT(pf_src_tree, &tree_src_tracking, *sn) != NULL) { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf: src_tree insert failed: "); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, + "pf: src_tree insert failed: "); pf_print_host(&(*sn)->addr, 0, af); - printf("\n"); + addlog("\n"); } pool_put(&pf_src_tree_pl, *sn); return (-1); @@ -724,8 +725,9 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx) /* unlink late or sks can go away */ olds = si->s; } else { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf: %s key attach " + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, + "pf: %s key attach " "failed on %s: ", (idx == PF_SK_WIRE) ? "wire" : "stack", @@ -735,13 +737,13 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx) sk : NULL, (idx == PF_SK_STACK) ? sk : NULL); - printf(", existing: "); + addlog(", existing: "); pf_print_state_parts(si->s, (idx == PF_SK_WIRE) ? sk : NULL, (idx == PF_SK_STACK) ? sk : NULL); - printf("\n"); + addlog("\n"); } pool_put(&pf_state_key_pl, sk); return (-1); /* collision! */ @@ -872,10 +874,10 @@ pf_state_key_setup(struct pf_pdesc *pd, *skw = sk2; } - if (pf_status.debug >= PF_DEBUG_NOISY) { - printf("pf: key setup: "); + if (pf_status.debug >= LOG_DEBUG) { + log(LOG_DEBUG, "pf: key setup: "); pf_print_state_parts(NULL, *skw, *sks); - printf("\n"); + addlog("\n"); } return (0); 
@@ -908,11 +910,11 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw, s->creatorid = pf_status.hostid; } if (RB_INSERT(pf_state_tree_id, &tree_id, s) != NULL) { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf: state insert failed: " + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, "pf: state insert failed: " "id: %016llx creatorid: %08x", betoh64(s->id), ntohl(s->creatorid)); - printf("\n"); + addlog("\n"); } pf_detach_state(s); return (-1); @@ -949,19 +951,23 @@ pf_compare_state_keys(struct pf_state_key *a, struct pf_state_key *b, return (0); else { /* mismatch. must not happen. */ - printf("pf: state key linking mismatch! dir=%s, " - "if=%s, stored af=%u, a0: ", - dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af); - pf_print_host(&a->addr[0], a->port[0], a->af); - printf(", a1: "); - pf_print_host(&a->addr[1], a->port[1], a->af); - printf(", proto=%u", a->proto); - printf(", found af=%u, a0: ", b->af); - pf_print_host(&b->addr[0], b->port[0], b->af); - printf(", a1: "); - pf_print_host(&b->addr[1], b->port[1], b->af); - printf(", proto=%u", b->proto); - printf(".\n"); + if (pf_status.debug >= LOG_ERR) { + log(LOG_ERR, + "pf: state key linking mismatch! dir=%s, " + "if=%s, stored af=%u, a0: ", + dir == PF_OUT ? "OUT" : "IN", + kif->pfik_name, a->af); + pf_print_host(&a->addr[0], a->port[0], a->af); + addlog(", a1: "); + pf_print_host(&a->addr[1], a->port[1], a->af); + addlog(", proto=%u", a->proto); + addlog(", found af=%u, a0: ", b->af); + pf_print_host(&b->addr[0], b->port[0], b->af); + addlog(", a1: "); + pf_print_host(&b->addr[1], b->port[1], b->af); + addlog(", proto=%u", b->proto); + addlog("\n"); + } return (-1); } } 
@@ -974,10 +980,10 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir, struct pf_state_item *si; pf_status.fcounters[FCNT_STATE_SEARCH]++; - if (pf_status.debug >= PF_DEBUG_NOISY) { - printf("pf: key search, if=%s: ", kif->pfik_name); + if (pf_status.debug >= LOG_DEBUG) { + log(LOG_DEBUG, "pf: key search, if=%s: ", kif->pfik_name); pf_print_state_parts(NULL, (struct pf_state_key *)key, NULL); - printf("\n"); + addlog("\n"); } if (dir == PF_OUT && m->m_pkthdr.pf.statekey && @@ -1292,11 +1298,11 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) #ifdef INET case AF_INET: { u_int32_t a = ntohl(addr->addr32[0]); - printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, + addlog("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, (a>>8)&255, a&255); if (p) { p = ntohs(p); - printf(":%u", p); + addlog(":%u", p); } break; } @@ -1328,19 +1334,19 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) for (i = 0; i < 8; i++) { if (i >= maxstart && i <= maxend) { if (i == 0) - printf(":"); + addlog(":"); if (i == maxend) - printf(":"); + addlog(":"); } else { b = ntohs(addr->addr16[i]); - printf("%x", b); + addlog("%x", b); if (i < 7) - printf(":"); + addlog(":"); } } if (p) { p = ntohs(p); - printf("[%u]", p); + addlog("[%u]", p); } break; } 
@@ -1369,70 +1375,70 @@ pf_print_state_parts(struct pf_state *s, switch (proto) { case IPPROTO_IPV4: - printf("IPv4"); + addlog("IPv4"); break; case IPPROTO_IPV6: - printf("IPv6"); + addlog("IPv6"); break; case IPPROTO_TCP: - printf("TCP"); + addlog("TCP"); break; case IPPROTO_UDP: - printf("UDP"); + addlog("UDP"); break; case IPPROTO_ICMP: - printf("ICMP"); + addlog("ICMP"); break; case IPPROTO_ICMPV6: - printf("ICMPv6"); + addlog("ICMPv6"); break; default: - printf("%u", proto); + addlog("%u", proto); break; } switch (dir) { case PF_IN: - printf(" in"); + addlog(" in"); break; case PF_OUT: - printf(" out"); + addlog(" out"); break; } if (skw) { - printf(" wire: (%d) ", skw->rdomain); + addlog(" wire: (%d) ", skw->rdomain); pf_print_host(&skw->addr[0], skw->port[0], skw->af); - printf(" "); + addlog(" "); pf_print_host(&skw->addr[1], skw->port[1], skw->af); } if (sks) { - printf(" stack: (%d) ", sks->rdomain); + addlog(" stack: (%d) ", sks->rdomain); if (sks != skw) { pf_print_host(&sks->addr[0], sks->port[0], sks->af); - printf(" "); + addlog(" "); pf_print_host(&sks->addr[1], sks->port[1], sks->af); } else - printf("-"); + addlog("-"); } if (s) { if (proto == IPPROTO_TCP) { - printf(" [lo=%u high=%u win=%u modulator=%u", + addlog(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo, s->src.seqhi, s->src.max_win, s->src.seqdiff); if (s->src.wscale && s->dst.wscale) - printf(" wscale=%u", + addlog(" wscale=%u", s->src.wscale & PF_WSCALE_MASK); - printf("]"); - printf(" [lo=%u high=%u win=%u modulator=%u", + addlog("]"); + addlog(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo, s->dst.seqhi, s->dst.max_win, s->dst.seqdiff); if (s->src.wscale && s->dst.wscale) - printf(" wscale=%u", + addlog(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK); - printf("]"); + addlog("]"); } - printf(" %u:%u", s->src.state, s->dst.state); + addlog(" %u:%u", s->src.state, s->dst.state); if (s->rule.ptr) - printf(" @%d", s->rule.ptr->nr); + addlog(" @%d", s->rule.ptr->nr); } } 
@@ -1440,23 +1446,23 @@ void pf_print_flags(u_int8_t f) { if (f) - printf(" "); + addlog(" "); if (f & TH_FIN) - printf("F"); + addlog("F"); if (f & TH_SYN) - printf("S"); + addlog("S"); if (f & TH_RST) - printf("R"); + addlog("R"); if (f & TH_PUSH) - printf("P"); + addlog("P"); if (f & TH_ACK) - printf("A"); + addlog("A"); if (f & TH_URG) - printf("U"); + addlog("U"); if (f & TH_ECE) - printf("E"); + addlog("E"); if (f & TH_CWR) - printf("W"); + addlog("W"); } #define PF_SET_SKIP_STEPS(i) \ @@ -1533,7 +1539,7 @@ pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) case PF_ADDR_RTLABEL: return (aw1->v.rtlabel != aw2->v.rtlabel); default: - printf("invalid address type: %d\n", aw1->type); + addlog("invalid address type: %d\n", aw1->type); return (1); } } @@ -2279,9 +2285,9 @@ pf_match_rcvif(struct mbuf *m, struct pf_rule *r) kif = (struct pfi_kif *)ifp->if_pf_kif; if (kif == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test_via: kif == NULL, @%d via %s\n", r->nr, - r->rcv_ifname)); + DPFPRINTF(LOG_ERR, + "pf_test_via: kif == NULL, @%d via %s", + r->nr, r->rcv_ifname); return (0); } @@ -2313,7 +2319,7 @@ pf_step_into_anchor(int *depth, struct pf_ruleset **rs, *match = 0; if (*depth >= sizeof(pf_anchor_stack) / sizeof(pf_anchor_stack[0])) { - printf("pf_step_into_anchor: stack overflow\n"); + log(LOG_ERR, "pf_step_into_anchor: stack overflow\n"); *r = TAILQ_NEXT(*r, entries); return; } else if (*depth == 0 && a != NULL) @@ -3177,8 +3183,8 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd, pf_normalize_tcp_stateful(m, off, pd, &reason, th, s, &s->src, &s->dst, rewrite)) { /* This really shouldn't happen!!! */ - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_normalize_tcp_stateful failed on first pkt\n")); + DPFPRINTF(LOG_ERR, + "pf_normalize_tcp_stateful failed on first pkt"); goto csfailed; } } 
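Review bot: In pf_addr_wrap_neq the default branch now emits a standalone diagnostic through `addlog()`, which everywhere else in this diff is used only to continue a record opened by a preceding `log()` call and carries no priority of its own; this line would be appended to whatever was logged last. It should open its own record, `log(LOG_ERR, "pf: invalid address type: %d\n", aw1->type);`, gated on `pf_status.debug` like the other converted sites if it is meant to be suppressible. pf_step_into_anchor in the same hunk line shows the intended form.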
@@ -3675,11 +3681,11 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst, * and keep updating the state TTL. */ - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf: loose state match: "); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, "pf: loose state match: "); pf_print_state(*state); pf_print_flags(th->th_flags); - printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " + addlog(" seq=%u (%u) ack=%u len=%u ackskew=%d " "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, pd->p_len, ackskew, (*state)->packets[0], (*state)->packets[1], @@ -3730,17 +3736,17 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst, src->seqlo = 0; src->seqhi = 1; src->max_win = 1; - } else if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf: BAD state: "); + } else if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, "pf: BAD state: "); pf_print_state(*state); pf_print_flags(th->th_flags); - printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " + addlog(" seq=%u (%u) ack=%u len=%u ackskew=%d " "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, pd->p_len, ackskew, (*state)->packets[0], (*state)->packets[1], pd->dir == PF_IN ? "in" : "out", pd->dir == (*state)->direction ? "fwd" : "rev"); - printf("pf: State failure on: %c %c %c %c | %c %c\n", + addlog("pf: State failure on: %c %c %c %c | %c %c\n", SEQ_GEQ(src->seqhi, end) ? ' ' : '1', SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? ' ': '2', @@ -3951,11 +3957,11 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) && dst->state >= TCPS_FIN_WAIT_2 && src->state >= TCPS_FIN_WAIT_2) { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf: state reuse "); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, "pf: state reuse "); pf_print_state(*state); pf_print_flags(th->th_flags); - printf("\n"); + addlog("\n"); } /* XXX make sure it's the same direction ?? */ (*state)->src.state = (*state)->dst.state = TCPS_CLOSED; 
@@ -4118,11 +4124,12 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, (((!inner && (*state)->direction == direction) || (inner && (*state)->direction != direction)) ? PF_IN : PF_OUT) != icmp_dir) { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf: icmp type %d in wrong direction (%d): ", + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, + "pf: icmp type %d in wrong direction (%d): ", ntohs(type), icmp_dir); pf_print_state(*state); - printf("\n"); + addlog("\n"); } return (PF_DROP); } @@ -4274,9 +4281,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(ip)\n")); + DPFPRINTF(LOG_NOTICE, + "pf: ICMP error message too short (ip)"); return (PF_DROP); } /* @@ -4303,9 +4309,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(ip6)\n")); + DPFPRINTF(LOG_NOTICE, + "pf: ICMP error message too short (ip6)"); return (PF_DROP); } pd2.proto = h2_6.ip6_nxt; @@ -4332,8 +4337,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, if (!pf_pull_hdr(m, off2, &opt6, sizeof(opt6), NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMPv6 short opt\n")); + DPFPRINTF(LOG_NOTICE, + "pf: ICMPv6 short opt"); return (PF_DROP); } if (pd2.proto == IPPROTO_AH) @@ -4368,9 +4373,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, */ if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(tcp)\n")); + DPFPRINTF(LOG_NOTICE, + "pf: ICMP error message too short (tcp)"); return (PF_DROP); } 
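Review bot: The strings handed to DPFPRINTF in these pf_test_state_icmp hunks carry their own `pf: ` prefix (`"pf: ICMP error message too short (ip)"`), while the DPFPRINTF sites in pf_match_rcvif, pf_create_state and pf_route do not; if the new macro in pfvar.h prepends PF_DEBUGNAME, as the `#define PF_DEBUGNAME "pfsync: "` placed before `<net/pfvar.h>` in if_pfsync.c suggests, these lines come out as `pf: pf: ...`. The pfvar.h hunk is not in view, so confirm the macro; either way one convention should be used, and the same applies to the `pf: dropping IPv4 packet with ICMPv6 payload` and `pf: dropping packet with ip options` messages in the pf_test hunks.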
@@ -4408,28 +4412,30 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, if (!((*state)->state_flags & PFSTATE_SLOPPY) && (!SEQ_GEQ(src->seqhi, seq) || !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)))) { - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf: BAD ICMP %d:%d ", + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, + "pf: BAD ICMP %d:%d ", icmptype, pd->hdr.icmp->icmp_code); pf_print_host(pd->src, 0, pd->af); - printf(" -> "); + addlog(" -> "); pf_print_host(pd->dst, 0, pd->af); - printf(" state: "); + addlog(" state: "); pf_print_state(*state); - printf(" seq=%u\n", seq); + addlog(" seq=%u\n", seq); } REASON_SET(reason, PFRES_BADSTATE); return (PF_DROP); } else { - if (pf_status.debug >= PF_DEBUG_NOISY) { - printf("pf: OK ICMP %d:%d ", + if (pf_status.debug >= LOG_DEBUG) { + log(LOG_DEBUG, + "pf: OK ICMP %d:%d ", icmptype, pd->hdr.icmp->icmp_code); pf_print_host(pd->src, 0, pd->af); - printf(" -> "); + addlog(" -> "); pf_print_host(pd->dst, 0, pd->af); - printf(" state: "); + addlog(" state: "); pf_print_state(*state); - printf(" seq=%u\n", seq); + addlog(" seq=%u\n", seq); } } @@ -4496,9 +4502,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(udp)\n")); + DPFPRINTF(LOG_NOTICE, + "pf: ICMP error message too short (udp)"); return (PF_DROP); } @@ -4571,9 +4576,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short i" - "(icmp)\n")); + DPFPRINTF(LOG_NOTICE, + "pf: ICMP error message too short (icmp)"); return (PF_DROP); } 
@@ -4632,9 +4636,9 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, if (!pf_pull_hdr(m, off2, &iih, sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(icmp6)\n")); + DPFPRINTF(LOG_NOTICE, + "pf: ICMP error message too short " + "(icmp6)"); return (PF_DROP); } @@ -5070,8 +5074,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, } if (m0->m_len < sizeof(struct ip)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route: m0->m_len < sizeof(struct ip)\n")); + DPFPRINTF(LOG_ERR, + "pf_route: m0->m_len < sizeof(struct ip)"); goto bad; } @@ -5100,8 +5104,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, if (s == NULL) { if (pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, &naddr, NULL, &sn, &r->route, PF_SN_ROUTE)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route: pf_map_addr() failed.\n")); + DPFPRINTF(LOG_ERR, + "pf_route: pf_map_addr() failed."); goto bad; } @@ -5126,8 +5130,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, else if (m0 == NULL) goto done; if (m0->m_len < sizeof(struct ip)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route: m0->m_len < sizeof(struct ip)\n")); + DPFPRINTF(LOG_ERR, + "pf_route: m0->m_len < sizeof(struct ip)"); goto bad; } ip = mtod(m0, struct ip *); @@ -5260,8 +5264,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, } if (m0->m_len < sizeof(struct ip6_hdr)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n")); + DPFPRINTF(LOG_ERR, + "pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); goto bad; } ip6 = mtod(m0, struct ip6_hdr *); 
@@ -5283,8 +5287,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, if (s == NULL) { if (pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, &naddr, NULL, &sn, &r->route, PF_SN_ROUTE)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route6: pf_map_addr() failed.\n")); + DPFPRINTF(LOG_ERR, + "pf_route6: pf_map_addr() failed."); goto bad; } if (!PF_AZERO(&naddr, AF_INET6)) @@ -5306,8 +5310,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, else if (m0 == NULL) goto done; if (m0->m_len < sizeof(struct ip6_hdr)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n")); + DPFPRINTF(LOG_ERR, + "pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); goto bad; } ip6 = mtod(m0, struct ip6_hdr *); @@ -5466,7 +5470,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct ether_header *eh) { struct pfi_kif *kif; - u_short action, reason = 0, log = 0; + u_short action, reason = 0, pflog = 0; struct mbuf *m = *m0; struct ip *h; struct pf_rule *a = NULL, *r = &pf_default_rule; @@ -5486,8 +5490,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, kif = (struct pfi_kif *)ifp->if_pf_kif; if (kif == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname)); + DPFPRINTF(LOG_ERR, + "pf_test: kif == NULL, if_xname %s", ifp->if_xname); return (PF_DROP); } if (kif->pfik_flags & PFI_IFLAG_SKIP) @@ -5501,7 +5505,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, if (m->m_pkthdr.len < (int)sizeof(*h)) { action = PF_DROP; REASON_SET(&reason, PFRES_SHORT); - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } @@ -5525,7 +5529,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, if (off < (int)sizeof(*h)) { action = PF_DROP; REASON_SET(&reason, PFRES_SHORT); - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } 
@@ -5560,7 +5564,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, if (!pf_pull_hdr(m, off, &th, sizeof(th), &action, &reason, AF_INET)) { if (action != PF_PASS) - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } pd.p_len = pd.tot_len - off - (th.th_off << 2); @@ -5579,7 +5583,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, #endif /* NPFSYNC */ r = s->rule.ptr; a = s->anchor.ptr; - log |= s->log; + pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset, &ipintrq); @@ -5600,7 +5604,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, if (!pf_pull_hdr(m, off, &uh, sizeof(uh), &action, &reason, AF_INET)) { if (action != PF_PASS) - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } if (uh.uh_dport == 0 || @@ -5619,7 +5623,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, #endif /* NPFSYNC */ r = s->rule.ptr; a = s->anchor.ptr; - log |= s->log; + pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset, &ipintrq); @@ -5633,7 +5637,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, &action, &reason, AF_INET)) { if (action != PF_PASS) - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd, @@ -5644,7 +5648,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, #endif /* NPFSYNC */ r = s->rule.ptr; a = s->anchor.ptr; - log |= s->log; + pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset, &ipintrq); @@ -5653,8 +5657,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, case IPPROTO_ICMPV6: { action = PF_DROP; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: dropping IPv4 packet with ICMPv6 payload\n")); + DPFPRINTF(LOG_NOTICE, + "pf: dropping IPv4 packet with ICMPv6 payload"); goto done; } 
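Review bot: `pf: dropping IPv4 packet with ICMPv6 payload` is emitted once per offending packet with no rate limit, and now that DPFPRINTF goes through log() the lines land in syslog rather than only on the console, so at `-x notice` a stream of such packets becomes a stream of log records; the ip-options drop below and the IPv6 rthdr/opt drops in pf_test6() have the same shape. Packet-driven notices like these are better gated behind a ppsratecheck() counter or kept at LOG_DEBUG, leaving LOG_NOTICE for operator-relevant events such as start/stop. pf_test() begins and ends outside the hunk.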
@@ -5666,7 +5670,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, #endif /* NPFSYNC */ r = s->rule.ptr; a = s->anchor.ptr; - log |= s->log; + pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset, &ipintrq); @@ -5678,9 +5682,9 @@ done: !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { action = PF_DROP; REASON_SET(&reason, PFRES_IPOPTIONS); - log |= PF_LOG_FORCE; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: dropping packet with ip options\n")); + pflog |= PF_LOG_FORCE; + DPFPRINTF(LOG_NOTICE, + "pf: dropping packet with ip options"); } if (s) { @@ -5741,10 +5745,10 @@ done: action = PF_DIVERT; } - if (log) { + if (pflog) { struct pf_rule_item *ri; - if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL) + if (pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL) PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset, &pd); if (s) { @@ -5827,7 +5831,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct ether_header *eh) { struct pfi_kif *kif; - u_short action, reason = 0, log = 0; + u_short action, reason = 0, pflog = 0; struct mbuf *m = *m0, *n = NULL; struct ip6_hdr *h; struct pf_rule *a = NULL, *r = &pf_default_rule; @@ -5846,8 +5850,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, kif = (struct pfi_kif *)ifp->if_pf_kif; if (kif == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname)); + DPFPRINTF(LOG_ERR, + "pf_test6: kif == NULL, if_xname %s", ifp->if_xname); return (PF_DROP); } if (kif->pfik_flags & PFI_IFLAG_SKIP) @@ -5861,7 +5865,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, if (m->m_pkthdr.len < (int)sizeof(*h)) { action = PF_DROP; REASON_SET(&reason, PFRES_SHORT); - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } 
@@ -5887,7 +5891,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, if (htons(h->ip6_plen) == 0) { action = PF_DROP; REASON_SET(&reason, PFRES_NORM); /*XXX*/ - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } #endif @@ -5919,28 +5923,28 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct ip6_rthdr rthdr; if (rh_cnt++) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: IPv6 more than one rthdr\n")); + DPFPRINTF(LOG_NOTICE, + "pf: IPv6 more than one rthdr"); action = PF_DROP; REASON_SET(&reason, PFRES_IPOPTIONS); - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL, &reason, pd.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: IPv6 short rthdr\n")); + DPFPRINTF(LOG_NOTICE, + "pf: IPv6 short rthdr"); action = PF_DROP; REASON_SET(&reason, PFRES_SHORT); - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: IPv6 rthdr0\n")); + DPFPRINTF(LOG_NOTICE, + "pf: IPv6 rthdr0"); action = PF_DROP; REASON_SET(&reason, PFRES_IPOPTIONS); - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } /* FALLTHROUGH */ @@ -5953,10 +5957,10 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), NULL, &reason, pd.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: IPv6 short opt\n")); + DPFPRINTF(LOG_NOTICE, + "pf: IPv6 short opt"); action = PF_DROP; - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } if (pd.proto == IPPROTO_AH) @@ -5986,7 +5990,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, if (!pf_pull_hdr(m, off, &th, sizeof(th), &action, &reason, AF_INET6)) { if (action != PF_PASS) - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } pd.p_len = pd.tot_len - off - (th.th_off << 2); 
@@ -6003,7 +6007,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, #endif /* NPFSYNC */ r = s->rule.ptr; a = s->anchor.ptr; - log |= s->log; + pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset, &ip6intrq); @@ -6024,7 +6028,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, if (!pf_pull_hdr(m, off, &uh, sizeof(uh), &action, &reason, AF_INET6)) { if (action != PF_PASS) - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } if (uh.uh_dport == 0 || @@ -6043,7 +6047,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, #endif /* NPFSYNC */ r = s->rule.ptr; a = s->anchor.ptr; - log |= s->log; + pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset, &ip6intrq); @@ -6052,8 +6056,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, case IPPROTO_ICMP: { action = PF_DROP; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: dropping IPv6 packet with ICMPv4 payload\n")); + DPFPRINTF(LOG_NOTICE, + "pf: dropping IPv6 packet with ICMPv4 payload"); goto done; } @@ -6069,7 +6073,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, if (!pf_pull_hdr(m, off, &ih, icmp_hlen, &action, &reason, AF_INET6)) { if (action != PF_PASS) - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } /* ICMP headers we look further into to match state */ @@ -6087,7 +6091,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, !pf_pull_hdr(m, off, &ih, icmp_hlen, &action, &reason, AF_INET6)) { if (action != PF_PASS) - log |= PF_LOG_FORCE; + pflog |= PF_LOG_FORCE; goto done; } action = pf_test_state_icmp(&s, dir, kif, @@ -6098,7 +6102,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, #endif /* NPFSYNC */ r = s->rule.ptr; a = s->anchor.ptr; - log |= s->log; + pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset, &ip6intrq); 
@@ -6113,7 +6117,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, #endif /* NPFSYNC */ r = s->rule.ptr; a = s->anchor.ptr; - log |= s->log; + pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset, &ip6intrq); @@ -6131,9 +6135,9 @@ done: !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { action = PF_DROP; REASON_SET(&reason, PFRES_IPOPTIONS); - log |= PF_LOG_FORCE;; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: dropping packet with dangerous v6 headers\n")); + pflog |= PF_LOG_FORCE; + DPFPRINTF(LOG_NOTICE, + "pf: dropping packet with dangerous v6 headers"); } if (s) @@ -6184,10 +6188,10 @@ done: action = PF_DIVERT; } - if (log) { + if (pflog) { struct pf_rule_item *ri; - if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL) + if (pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL) PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset, &pd); if (s) { diff --git a/sys/net/pf_if.c b/sys/net/pf_if.c index d598e224cc5..0816e3fbf20 100644 --- a/sys/net/pf_if.c +++ b/sys/net/pf_if.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_if.c,v 1.59 2010/01/12 03:20:51 mcbride Exp $ */ +/* $OpenBSD: pf_if.c,v 1.60 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright 2005 Henning Brauer <henning@openbsd.org> @@ -42,6 +42,7 @@ #include <sys/device.h> #include <sys/time.h> #include <sys/pool.h> +#include <sys/syslog.h> #include <net/if.h> #include <net/if_types.h> 
@@ -151,21 +152,24 @@ pfi_kif_unref(struct pfi_kif *kif, enum pfi_kif_refs what) break; case PFI_KIF_REF_RULE: if (kif->pfik_rules <= 0) { - printf("pfi_kif_unref: rules refcount <= 0\n"); + DPFPRINTF(LOG_ERR, + "pfi_kif_unref: rules refcount <= 0"); return; } kif->pfik_rules--; break; case PFI_KIF_REF_STATE: if (kif->pfik_states <= 0) { - printf("pfi_kif_unref: state refcount <= 0\n"); + DPFPRINTF(LOG_ERR, + "pfi_kif_unref: state refcount <= 0"); return; } kif->pfik_states--; break; case PFI_KIF_REF_ROUTE: if (kif->pfik_routes <= 0) { - printf("pfi_kif_unref: state refcount <= 0\n"); + DPFPRINTF(LOG_ERR, + "pfi_kif_unref: state refcount <= 0"); return; } kif->pfik_routes--; @@ -457,8 +461,9 @@ pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int flags) if ((e = pfr_set_addrs(&kt->pfrkt_t, pfi_buffer, pfi_buffer_cnt, &size2, NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK))) - printf("pfi_table_update: cannot set %d new addresses " - "into table %s: %d\n", pfi_buffer_cnt, kt->pfrkt_name, e); + DPFPRINTF(LOG_ERR, + "pfi_table_update: cannot set %d new addresses " + "into table %s: %d", pfi_buffer_cnt, kt->pfrkt_name, e); } void @@ -528,15 +533,17 @@ pfi_address_add(struct sockaddr *sa, int af, int net) int new_max = pfi_buffer_max * 2; if (new_max > PFI_BUFFER_MAX) { - printf("pfi_address_add: address buffer full (%d/%d)\n", + DPFPRINTF(LOG_ERR, + "pfi_address_add: address buffer full (%d/%d)", pfi_buffer_cnt, PFI_BUFFER_MAX); return; } p = malloc(new_max * sizeof(*pfi_buffer), PFI_MTYPE, M_DONTWAIT); if (p == NULL) { - printf("pfi_address_add: no memory to grow buffer " - "(%d/%d)\n", pfi_buffer_cnt, PFI_BUFFER_MAX); + DPFPRINTF(LOG_ERR, + "pfi_address_add: no memory to grow buffer " + "(%d/%d)", pfi_buffer_cnt, PFI_BUFFER_MAX); return; } memcpy(p, pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer)); diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 4e898f9610b..d40db4590ce 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c 
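Review bot: Under `case PFI_KIF_REF_ROUTE` the new line still says `"pfi_kif_unref: state refcount <= 0"`; it should read `"pfi_kif_unref: route refcount <= 0"` so the three underflow cases can be distinguished once they are in syslog. Separately, the pfi_table_update() and pfi_address_add() messages were unconditional printf()s and are now silenced whenever the level is set below LOG_ERR (`-x crit` or lower), which hides lost table updates and ENOMEM; if that is intended it deserves a sentence in the commit message. pfi_kif_unref()'s switch starts before the hunk.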
@@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.231 2010/01/12 03:20:51 mcbride Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.232 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -53,6 +53,7 @@ #include <sys/malloc.h> #include <sys/kthread.h> #include <sys/rwlock.h> +#include <sys/syslog.h> #include <uvm/uvm_extern.h> #include <net/if.h> @@ -144,7 +145,6 @@ int pf_rtlabel_add(struct pf_addr_wrap *); void pf_rtlabel_remove(struct pf_addr_wrap *); void pf_rtlabel_copyout(struct pf_addr_wrap *); -#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x void pfattach(int num) @@ -223,7 +223,7 @@ pfattach(int num) pf_normalize_init(); bzero(&pf_status, sizeof(pf_status)); - pf_status.debug = PF_DEBUG_URGENT; + pf_status.debug = LOG_ERR; pf_status.reass = PF_REASS_ENABLED; /* XXX do our best to avoid a conflict */ @@ -978,7 +978,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) pf_status.stateid = time_second; pf_status.stateid = pf_status.stateid << 32; } - DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n")); + DPFPRINTF(LOG_NOTICE, "pf: started"); } break; @@ -988,7 +988,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) else { pf_status.running = 0; pf_status.since = time_second; - DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n")); + DPFPRINTF(LOG_NOTICE, "pf: stopped"); } break; @@ -1723,7 +1723,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } if (error == 0) pf_altq_running = 1; - DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n")); + DPFPRINTF(LOG_NOTICE, "altq: started"); break; } @@ -1740,7 +1740,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } if (error == 0) pf_altq_running = 0; - DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n")); + DPFPRINTF(LOG_NOTICE, "altq: stopped"); break; } diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c index 52c6a0f7e7f..06bc0342b0c 100644 --- a/sys/net/pf_lb.c +++ b/sys/net/pf_lb.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: pf_lb.c,v 1.10 2010/01/12 03:20:51 mcbride Exp $ */ +/* $OpenBSD: pf_lb.c,v 1.11 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -51,6 +51,7 @@ #include <sys/pool.h> #include <sys/proc.h> #include <sys/rwlock.h> +#include <sys/syslog.h> #include <crypto/md5.h> @@ -93,8 +94,6 @@ #endif /* INET6 */ -#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x - /* * Global variables */ @@ -282,13 +281,13 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, if (sns[type] != NULL) { if (!PF_AZERO(&(sns[type])->raddr, af)) PF_ACPY(naddr, &(sns[type])->raddr, af); - if (pf_status.debug >= PF_DEBUG_NOISY) { - printf("pf_map_addr: src tracking (%u) maps ", - type); + if (pf_status.debug >= LOG_DEBUG) { + log(LOG_DEBUG, "pf: pf_map_addr: " + "src tracking (%u) maps ", type); pf_print_host(&k.addr, 0, af); - printf(" to "); + addlog(" to "); pf_print_host(naddr, 0, af); - printf("\n"); + addlog("\n"); } return (0); } @@ -408,11 +407,11 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, return (1); } - if (pf_status.debug >= PF_DEBUG_MISC && + if (pf_status.debug >= LOG_NOTICE && (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { - printf("pf_map_addr: selected address "); + log(LOG_NOTICE, "pf: pf_map_addr: selected address "); pf_print_host(naddr, 0, af); - printf("\n"); + addlog("\n"); } return (0); @@ -432,11 +431,10 @@ pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr, if (pf_get_sport(pd->af, pd->proto, r, saddr, daddr, *dport, &naddr, &nport, r->nat.proxy_port[0], r->nat.proxy_port[1], sns, pd->rdomain)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: NAT proxy port allocation " - "(%u-%u) failed\n", + DPFPRINTF(LOG_NOTICE, + "pf: NAT proxy port allocation (%u-%u) failed", r->nat.proxy_port[0], - r->nat.proxy_port[1])); + r->nat.proxy_port[1]); return (-1); } PF_ACPY(saddr, &naddr, pd->af); 
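Review bot: The src-tracking and selected-address messages in pf_map_addr() start a syslog record with log() and then call pf_print_host() before the trailing addlog(); this only yields one coherent line if pf_print_host() was itself converted to addlog() in the pf.c part of the commit, which is outside this hunk — if it still printf()s, the address goes to the console while the prefix and the " to " go to syslog. The literal `"pf: "` in these log() calls also duplicates what PF_DEBUGNAME provides elsewhere; `log(LOG_DEBUG, PF_DEBUGNAME "pf_map_addr: src tracking (%u) maps ", type);` keeps the prefix defined in one place. pf_map_addr()'s body extends on both sides of the hunk.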
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index c0ac7095c74..c3708d724da 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.120 2009/09/01 15:51:06 jsing Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.121 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -37,6 +37,7 @@ #include <sys/kernel.h> #include <sys/time.h> #include <sys/pool.h> +#include <sys/syslog.h> #include <dev/rndvar.h> #include <net/if.h> @@ -114,13 +115,6 @@ struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *); struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **, struct pf_frent *, int); -#define DPFPRINTF(x) do { \ - if (pf_status.debug >= PF_DEBUG_MISC) { \ - printf("%s: ", __func__); \ - printf x ; \ - } \ -} while(0) - /* Globals */ struct pool pf_frent_pl, pf_frag_pl, pf_cache_pl, pf_cent_pl; struct pool pf_state_scrub_pl; @@ -181,7 +175,7 @@ pf_purge_expired_fragments(void) if (frag->fr_timeout > expire) break; - DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag)); + DPFPRINTF(LOG_NOTICE, "expiring %d(%p)", frag->fr_id, frag); pf_free_fragment(frag); } @@ -190,7 +184,7 @@ pf_purge_expired_fragments(void) if (frag->fr_timeout > expire) break; - DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag)); + DPFPRINTF(LOG_NOTICE, "expiring %d(%p)", frag->fr_id, frag); pf_free_fragment(frag); KASSERT(TAILQ_EMPTY(&pf_cachequeue) || TAILQ_LAST(&pf_cachequeue, pf_cachequeue) != frag); @@ -208,8 +202,8 @@ pf_flush_fragments(void) int goal; goal = pf_nfrents * 9 / 10; - DPFPRINTF(("trying to free > %d frents\n", - pf_nfrents - goal)); + DPFPRINTF(LOG_NOTICE, "trying to free > %d frents", + pf_nfrents - goal); while (goal < pf_nfrents) { frag = TAILQ_LAST(&pf_fragqueue, pf_fragqueue); if (frag == NULL) 
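Review bot: The pf_norm.c-local DPFPRINTF removed here prefixed every message with `__func__`, but the replacement calls keep only the bare texts (`expiring %d(%p)`, `trying to free > %d frents`, and in the following hunks `overlap -%d`, `%d < %d?`, `complete: %p(%d)`, `IP_DF`, `mff and %d`), so syslog now receives e.g. `pf: IP_DF` with no indication of which function or path produced it. Either restore `"%s: "` with `__func__` in these formats or add a file-local wrapper such as `#define DPFPRINTF_FN(n, f, x...) DPFPRINTF(n, "%s: " f, __func__, ##x)`. The `%p` arguments also now place kernel heap addresses in a log file rather than on the console; acceptable at LOG_NOTICE, but worth a conscious decision.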
@@ -219,8 +213,8 @@ pf_flush_fragments(void) goal = pf_ncache * 9 / 10; - DPFPRINTF(("trying to free > %d cache entries\n", - pf_ncache - goal)); + DPFPRINTF(LOG_NOTICE, "trying to free > %d cache entries", + pf_ncache - goal); while (goal < pf_ncache) { frag = TAILQ_LAST(&pf_cachequeue, pf_cachequeue); if (frag == NULL) @@ -383,7 +377,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag, if (precut >= ip_len) goto drop_fragment; m_adj(frent->fr_m, precut); - DPFPRINTF(("overlap -%d\n", precut)); + DPFPRINTF(LOG_NOTICE, "overlap -%d", precut); /* Enforce 8 byte boundaries */ ip->ip_off = htons(ntohs(ip->ip_off) + (precut >> 3)); off = (ntohs(ip->ip_off) & IP_OFFMASK) << 3; @@ -397,7 +391,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag, u_int16_t aftercut; aftercut = ip_len + off - FR_IP_OFF(frea); - DPFPRINTF(("adjust overlap %d\n", aftercut)); + DPFPRINTF(LOG_NOTICE, "adjust overlap %d", aftercut); if (aftercut < ntohs(frea->fr_ip->ip_len) - frea->fr_ip->ip_hl * 4) { @@ -443,13 +437,14 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag, if (off < (*frag)->fr_max && (next == NULL || FR_IP_OFF(next) != off)) { - DPFPRINTF(("missing fragment at %d, next %d, max %d\n", + DPFPRINTF(LOG_NOTICE, + "missing fragment at %d, next %d, max %d", off, next == NULL ? -1 : FR_IP_OFF(next), - (*frag)->fr_max)); + (*frag)->fr_max); return (NULL); } } - DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max)); + DPFPRINTF(LOG_NOTICE, "%d < %d?", off, (*frag)->fr_max); if (off < (*frag)->fr_max) return (NULL); @@ -457,7 +452,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag, frent = LIST_FIRST(&(*frag)->fr_queue); KASSERT(frent != NULL); if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) { - DPFPRINTF(("drop: too big: %d\n", off)); + DPFPRINTF(LOG_NOTICE, "drop: too big: %d", off); pf_free_fragment(*frag); *frag = NULL; return (NULL); 
@@ -502,7 +497,7 @@ pf_reassemble(struct mbuf **m0, struct pf_fragment **frag, m->m_pkthdr.len = plen; } - DPFPRINTF(("complete: %p(%d)\n", m, ntohs(ip->ip_len))); + DPFPRINTF(LOG_NOTICE, "complete: %p(%d)", m, ntohs(ip->ip_len)); return (m); drop_fragment: @@ -552,7 +547,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, * no-df above, fine. Otherwise drop it. */ if (h->ip_off & htons(IP_DF)) { - DPFPRINTF(("IP_DF\n")); + DPFPRINTF(LOG_NOTICE, "IP_DF"); goto bad; } @@ -561,13 +556,13 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, /* All fragments are 8 byte aligned */ if (mff && (ip_len & 0x7)) { - DPFPRINTF(("mff and %d\n", ip_len)); + DPFPRINTF(LOG_NOTICE, "mff and %d", ip_len); goto bad; } /* Respect maximum length */ if (fragoff + ip_len > IP_MAXPACKET) { - DPFPRINTF(("max packet %d\n", fragoff + ip_len)); + DPFPRINTF(LOG_NOTICE, "max packet %d", fragoff + ip_len); goto bad; } max = fragoff + ip_len; @@ -591,7 +586,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, frent->fr_m = m; /* Might return a completely reassembled mbuf, or NULL */ - DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max)); + DPFPRINTF(LOG_NOTICE, + "reass frag %d @ %d-%d\n", h->ip_id, fragoff, max); *m0 = m = pf_reassemble(m0, &frag, frent, mff); if (m == NULL) @@ -619,7 +615,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, return (PF_DROP); bad: - DPFPRINTF(("dropping bad fragment\n")); + DPFPRINTF(LOG_NOTICE, "dropping bad fragment"); /* Free associated fragments */ if (frag != NULL) 
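Review bot: `"reass frag %d @ %d-%d\n"` keeps its trailing newline although DPFPRINTF now appends one itself via addlog("\n"), so this message is followed by an empty syslog line; every other format in this hunk had its `\n` stripped. Change it to `"reass frag %d @ %d-%d"`. pf_normalize_ip() begins and ends outside the hunk.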
@@ -992,10 +988,12 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, if (got_ts) { /* Huh? Multiple timestamps!? */ - if (pf_status.debug >= PF_DEBUG_MISC) { - DPFPRINTF(("multiple TS??")); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, + "pf: %s: multiple TS??", + __func__); pf_print_state(state); - printf("\n"); + addlog("\n"); } REASON_SET(reason, PFRES_TS); return (PF_DROP); @@ -1061,20 +1059,20 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) && (uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE || time_second - state->creation > TS_MAX_CONN)) { - if (pf_status.debug >= PF_DEBUG_MISC) { - DPFPRINTF(("src idled out of PAWS\n")); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, "pf: src idled out of PAWS "); pf_print_state(state); - printf("\n"); + addlog("\n"); } src->scrub->pfss_flags = (src->scrub->pfss_flags & ~PFSS_PAWS) | PFSS_PAWS_IDLED; } if (dst->scrub && (dst->scrub->pfss_flags & PFSS_PAWS) && uptime.tv_sec - dst->scrub->pfss_last.tv_sec > TS_MAX_IDLE) { - if (pf_status.debug >= PF_DEBUG_MISC) { - DPFPRINTF(("dst idled out of PAWS\n")); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, "pf: dst idled out of PAWS "); pf_print_state(state); - printf("\n"); + addlog("\n"); } dst->scrub->pfss_flags = (dst->scrub->pfss_flags & ~PFSS_PAWS) | PFSS_PAWS_IDLED; 
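Review bot: `"pf: %s: multiple TS??"` is immediately followed by pf_print_state() with no separator, whereas the PAWS messages in the next hunk end with a trailing space before the state dump; use `"pf: %s: multiple TS?? "` here, and likewise after `"timestamp"` and `"security."` in the later pf_normalize_tcp_stateful() hunks. All of these records also assume pf_print_state() and pf_print_flags() emit through addlog(); if they still printf() (their conversion would be in pf.c, outside this hunk), the state dump and the closing newline end up on the console while the prefix goes to syslog. The enclosing function starts before and ends after the hunk.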
@@ -1179,25 +1177,29 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, * an old timestamp. */ - DPFPRINTF(("Timestamp failed %c%c%c%c\n", + DPFPRINTF(LOG_NOTICE, "Timestamp failed %c%c%c%c", SEQ_LT(tsval, dst->scrub->pfss_tsecr) ? '0' : ' ', SEQ_GT(tsval, src->scrub->pfss_tsval + tsval_from_last) ? '1' : ' ', SEQ_GT(tsecr, dst->scrub->pfss_tsval) ? '2' : ' ', - SEQ_LT(tsecr, dst->scrub->pfss_tsval0)? '3' : ' ')); - DPFPRINTF((" tsval: %lu tsecr: %lu +ticks: %lu " - "idle: %lus %lums\n", + SEQ_LT(tsecr, dst->scrub->pfss_tsval0)? '3' : ' '); + DPFPRINTF(LOG_NOTICE, + " tsval: %lu tsecr: %lu +ticks: %lu " + "idle: %lus %lums", tsval, tsecr, tsval_from_last, delta_ts.tv_sec, - delta_ts.tv_usec / 1000)); - DPFPRINTF((" src->tsval: %lu tsecr: %lu\n", - src->scrub->pfss_tsval, src->scrub->pfss_tsecr)); - DPFPRINTF((" dst->tsval: %lu tsecr: %lu tsval0: %lu" - "\n", dst->scrub->pfss_tsval, - dst->scrub->pfss_tsecr, dst->scrub->pfss_tsval0)); - if (pf_status.debug >= PF_DEBUG_MISC) { + delta_ts.tv_usec / 1000); + DPFPRINTF(LOG_NOTICE, + " src->tsval: %lu tsecr: %lu", + src->scrub->pfss_tsval, src->scrub->pfss_tsecr); + DPFPRINTF(LOG_NOTICE, + " dst->tsval: %lu tsecr: %lu tsval0: %lu", + dst->scrub->pfss_tsval, dst->scrub->pfss_tsecr, + dst->scrub->pfss_tsval0); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, "pf: "); pf_print_state(state); pf_print_flags(th->th_flags); - printf("\n"); + addlog("\n"); } REASON_SET(reason, PFRES_TS); return (PF_DROP); 
@@ -1242,12 +1244,13 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, * Hey! Someone tried to sneak a packet in. Or the * stack changed its RFC1323 behavior?!?! */ - if (pf_status.debug >= PF_DEBUG_MISC) { - DPFPRINTF(("Did not receive expected RFC1323 " - "timestamp\n")); + if (pf_status.debug >= LOG_NOTICE) { + log(LOG_NOTICE, + "pf: did not receive expected RFC1323 " + "timestamp"); pf_print_state(state); pf_print_flags(th->th_flags); - printf("\n"); + addlog("\n"); } REASON_SET(reason, PFRES_TS); return (PF_DROP); @@ -1269,15 +1272,16 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, src->scrub->pfss_flags |= PFSS_DATA_TS; else { src->scrub->pfss_flags |= PFSS_DATA_NOTS; - if (pf_status.debug >= PF_DEBUG_MISC && dst->scrub && + if (pf_status.debug >= LOG_NOTICE && dst->scrub && (dst->scrub->pfss_flags & PFSS_TIMESTAMP)) { /* Don't warn if other host rejected RFC1323 */ - DPFPRINTF(("Broken RFC1323 stack did not " + log(LOG_NOTICE, + "pf: broken RFC1323 stack did not " "timestamp data packet. Disabled PAWS " - "security.\n")); + "security."); pf_print_state(state); pf_print_flags(th->th_flags); - printf("\n"); + addlog("\n"); } } } diff --git a/sys/net/pf_osfp.c b/sys/net/pf_osfp.c index 75f33032e1a..0824e5b9ff2 100644 --- a/sys/net/pf_osfp.c +++ b/sys/net/pf_osfp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_osfp.c,v 1.15 2008/06/14 02:22:13 henning Exp $ */ +/* $OpenBSD: pf_osfp.c,v 1.16 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> @@ -24,6 +24,7 @@ #include <sys/pool.h> #endif /* _KERNEL */ #include <sys/mbuf.h> +#include <sys/syslog.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -40,9 +41,6 @@ #ifdef _KERNEL -# define DPFPRINTF(format, x...) \ - if (pf_status.debug >= PF_DEBUG_NOISY) \ - printf(format , ##x) typedef struct pool pool_t; #else 
@@ -60,11 +58,9 @@ typedef struct pool pool_t; # define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size) # ifdef PFDEBUG -# include <sys/stdarg.h> -# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x) -# else -# define DPFPRINTF(format, x...) ((void)0) +# include <sys/stdarg.h> /* for DPFPRINTF() */ # endif /* PFDEBUG */ + #endif /* _KERNEL */ @@ -240,8 +236,9 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const st optlen = MAX(optlen, 1); /* paranoia */ } - DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) " - "(TS=%s,M=%s%d,W=%s%d)\n", + DPFPRINTF(LOG_NOTICE, + "fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) " + "(TS=%s,M=%s%d,W=%s%d)", srcname, ntohs(tcp->th_sport), fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0, fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt, @@ -270,7 +267,7 @@ pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os) if (os == PF_OSFP_ANY) return (1); if (list == NULL) { - DPFPRINTF("osfp no match against %x\n", os); + DPFPRINTF(LOG_NOTICE, "osfp no match against %x", os); return (os == PF_OSFP_UNKNOWN); } PF_OSFP_UNPACK(os, os_class, os_version, os_subtype); @@ -279,13 +276,14 @@ pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os) if ((os_class == PF_OSFP_ANY || en_class == os_class) && (os_version == PF_OSFP_ANY || en_version == os_version) && (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) { - DPFPRINTF("osfp matched %s %s %s %x==%x\n", + DPFPRINTF(LOG_NOTICE, + "osfp matched %s %s %s %x==%x", entry->fp_class_nm, entry->fp_version_nm, entry->fp_subtype_nm, os, entry->fp_os); return (1); } } - DPFPRINTF("fingerprint 0x%x didn't match\n", os); + DPFPRINTF(LOG_NOTICE, "fingerprint 0x%x didn't match", os); return (0); } 
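Review bot: With the userland fallback definitions removed, a PFDEBUG build of pfctl now depends on the `#ifdef PFDEBUG` branch of the new DPFPRINTF in pfvar.h, and that line is written `#ifdef PFDEBUG \` — the trailing backslash splices the following `#define` onto the #ifdef directive, so in that configuration the macro is never defined and every DPFPRINTF call in this file (and in pf_ruleset.c, which receives the same `# include <sys/stdarg.h> /* for DPFPRINTF() */` change) fails to compile. The backslash needs to go from the pfvar.h hunk. The comment is also slightly misleading, since the userland macro expands to fprintf() and so needs <stdio.h> rather than <sys/stdarg.h>; if stdarg is kept for other reasons, say so.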
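Review bot: The removed kernel macro printed only at PF_DEBUG_NOISY, the highest level, but `fingerprinted %s:%d ...` and the match/no-match messages in pf_osfp_match() are now LOG_NOTICE; pf_osfp_fingerprint_hdr() appears to run for every SYN evaluated against an `os` rule, so an operator who raises the level to notice would get one syslog line per connection attempt. LOG_DEBUG preserves the previous behaviour and matches the LOG_DEBUG chosen for `adding osfp` in pf_osfp_add(). pf_osfp_fingerprint_hdr()'s body extends beyond the hunk.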
@@ -335,9 +333,9 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc) fpadd.fp_wscale = fpioc->fp_wscale; fpadd.fp_ttl = fpioc->fp_ttl; -#if 0 /* XXX RYAN wants to fix logging */ - DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d " - "(TS=%s,M=%s%d,W=%s%d) %x\n", + DPFPRINTF(LOG_DEBUG, + "adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d " + "(TS=%s,M=%s%d,W=%s%d) %x", fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm, fpioc->fp_os.fp_subtype_nm, (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" : @@ -359,7 +357,6 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc) (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "", fpadd.fp_wscale, fpioc->fp_os.fp_os); -#endif if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) { SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) { @@ -401,7 +398,8 @@ pf_osfp_add(struct pf_osfp_ioctl *fpioc) #ifdef PFDEBUG if ((fp = pf_osfp_validate())) - printf("Invalid fingerprint list\n"); + DPFPRINTF(LOG_NOTICE, + "Invalid fingerprint list"); #endif /* PFDEBUG */ return (0); } @@ -570,7 +568,8 @@ pf_osfp_validate(void) find.fp_wsize *= 2; if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) { if (f2) - printf("Found \"%s %s %s\" instead of " + DPFPRINTF(LOG_NOTICE, + "Found \"%s %s %s\" instead of " "\"%s %s %s\"\n", SLIST_FIRST(&f2->fp_oses)->fp_class_nm, SLIST_FIRST(&f2->fp_oses)->fp_version_nm, @@ -579,7 +578,8 @@ pf_osfp_validate(void) SLIST_FIRST(&f->fp_oses)->fp_version_nm, SLIST_FIRST(&f->fp_oses)->fp_subtype_nm); else - printf("Couldn't find \"%s %s %s\"\n", + DPFPRINTF(LOG_NOTICE, + "Couldn't find \"%s %s %s\"\n", SLIST_FIRST(&f->fp_oses)->fp_class_nm, SLIST_FIRST(&f->fp_oses)->fp_version_nm, SLIST_FIRST(&f->fp_oses)->fp_subtype_nm); diff --git a/sys/net/pf_ruleset.c b/sys/net/pf_ruleset.c index 313462fc7e6..31c5e86e7cb 100644 --- a/sys/net/pf_ruleset.c +++ b/sys/net/pf_ruleset.c 
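Review bot: Both converted messages in pf_osfp_validate() keep their `\n` (`"\"%s %s %s\"\n"` and `"Couldn't find \"%s %s %s\"\n"`) although DPFPRINTF now appends a newline itself, so each produces an extra blank syslog line; drop the `\n` from both formats. pf_osfp_validate() starts and ends outside the hunk.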
@@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ruleset.c,v 1.5 2009/11/22 22:34:50 henning Exp $ */ +/* $OpenBSD: pf_ruleset.c,v 1.6 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -41,6 +41,7 @@ # include <sys/systm.h> #endif /* _KERNEL */ #include <sys/mbuf.h> +#include <sys/syslog.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -56,9 +57,6 @@ #ifdef _KERNEL -# define DPFPRINTF(format, x...) \ - if (pf_status.debug >= PF_DEBUG_NOISY) \ - printf(format , ##x) #define rs_malloc(x) malloc(x, M_TEMP, M_WAITOK|M_CANFAIL|M_ZERO) #define rs_free(x) free(x, M_TEMP) @@ -74,11 +72,8 @@ # define rs_free(x) free(x) # ifdef PFDEBUG -# include <sys/stdarg.h> -# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x) -# else -# define DPFPRINTF(format, x...) ((void)0) -# endif /* PFDEBUG */ +# include <sys/stdarg.h> /* for DPFPRINTF() */ +# endif #endif /* _KERNEL */ @@ -196,8 +191,9 @@ pf_find_or_create_ruleset(const char *path) strlcat(anchor->path, anchor->name, sizeof(anchor->path)); if ((dup = RB_INSERT(pf_anchor_global, &pf_anchors, anchor)) != NULL) { - printf("pf_find_or_create_ruleset: RB_INSERT1 " - "'%s' '%s' collides with '%s' '%s'\n", + DPFPRINTF(LOG_NOTICE, + "pf_find_or_create_ruleset: RB_INSERT1 " + "'%s' '%s' collides with '%s' '%s'", anchor->path, anchor->name, dup->path, dup->name); rs_free(anchor); rs_free(p); @@ -207,9 +203,10 @@ pf_find_or_create_ruleset(const char *path) anchor->parent = parent; if ((dup = RB_INSERT(pf_anchor_node, &parent->children, anchor)) != NULL) { - printf("pf_find_or_create_ruleset: " + DPFPRINTF(LOG_NOTICE, + "pf_find_or_create_ruleset: " "RB_INSERT2 '%s' '%s' collides with " - "'%s' '%s'\n", anchor->path, anchor->name, + "'%s' '%s'", anchor->path, anchor->name, dup->path, dup->name); RB_REMOVE(pf_anchor_global, &pf_anchors, anchor); 
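Review bot: The RB_INSERT collision messages in pf_find_or_create_ruleset() report an internal-consistency failure (the anchor tree already holds an equal key), yet they are converted to LOG_NOTICE, which the LOG_ERR default set in pfattach() suppresses; before this change they were unconditional printf()s. `pf_anchor_remove: broken refcount` in the following hunk is the same kind of invariant violation. pf_if.c uses LOG_ERR for its refcount-underflow messages, so `DPFPRINTF(LOG_ERR, ...)` for these three keeps them visible by default and consistent across the tree, while the user-input failures (`.. beyond root`, `ruleset`, the copyout mismatch) are fine at notice. pf_find_or_create_ruleset() continues outside the hunk.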
@@ -282,7 +279,8 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, strlcpy(path, s->anchor->path, MAXPATHLEN); while (name[0] == '.' && name[1] == '.' && name[2] == '/') { if (!path[0]) { - printf("pf_anchor_setup: .. beyond root\n"); + DPFPRINTF(LOG_NOTICE, + "pf_anchor_setup: .. beyond root"); rs_free(path); return (1); } @@ -304,7 +302,8 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, ruleset = pf_find_or_create_ruleset(path); rs_free(path); if (ruleset == NULL || ruleset->anchor == NULL) { - printf("pf_anchor_setup: ruleset\n"); + DPFPRINTF(LOG_NOTICE, + "pf_anchor_setup: ruleset"); return (1); } r->anchor = ruleset->anchor; @@ -342,7 +341,8 @@ pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r, sizeof(pr->anchor_call)); } if (strncmp(a, r->anchor->path, strlen(a))) { - printf("pf_anchor_copyout: '%s' '%s'\n", a, + DPFPRINTF(LOG_NOTICE, + "pf_anchor_copyout: '%s' '%s'", a, r->anchor->path); rs_free(a); return (1); @@ -364,7 +364,8 @@ pf_anchor_remove(struct pf_rule *r) if (r->anchor == NULL) return; if (r->anchor->refcnt <= 0) { - printf("pf_anchor_remove: broken refcount\n"); + DPFPRINTF(LOG_NOTICE, + "pf_anchor_remove: broken refcount"); r->anchor = NULL; return; } diff --git a/sys/net/pf_table.c b/sys/net/pf_table.c index 42fa919c4b4..073b745a69e 100644 --- a/sys/net/pf_table.c +++ b/sys/net/pf_table.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_table.c,v 1.81 2010/01/12 03:20:51 mcbride Exp $ */ +/* $OpenBSD: pf_table.c,v 1.82 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2002 Cedric Berger @@ -36,6 +36,7 @@ #include <sys/mbuf.h> #include <sys/kernel.h> #include <sys/pool.h> +#include <sys/syslog.h> #include <net/if.h> #include <net/route.h> diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 84d48fe84ff..8b2acb3ff8b 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.305 2010/01/13 01:54:38 jsg Exp $ */ +/* $OpenBSD: pfvar.h,v 1.306 2010/01/18 23:52:46 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -64,7 +64,6 @@ enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, enum { PF_TRANS_RULESET, PF_TRANS_ALTQ, PF_TRANS_TABLE }; enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; -enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; @@ -185,11 +184,44 @@ struct pfi_dynaddr { sa_family_t pfid_af; /* rule af */ u_int8_t pfid_iflags; /* PFI_AFLAG_* */ }; +#endif /* _KERNEL */ + + +/* + * Logging macros + */ + +#ifndef PF_DEBUGNAME +#define PF_DEBUGNAME "pf: " +#endif + +#ifdef _KERNEL +#define DPFPRINTF(n, format, x...) \ + do { \ + if (pf_status.debug >= (n)) { \ + log(n, PF_DEBUGNAME); \ + addlog(format, ##x); \ + addlog("\n"); \ + } \ + } while (0) +#else +#ifdef PFDEBUG \ +#define DPFPRINTF(n, format, x...) \ + do { \ + fprintf(stderr, format, ##x); \ + fprintf(stderr, "\n"); \ + } while (0) +#else +#define DPFPRINTF(n, format, x...) ((void)0) +#endif /* PFDEBUG */ +#endif /* _KERNEL */ + /* * Address manipulation macros */ +#ifdef _KERNEL #ifdef INET #ifndef INET6 #define PF_INET_ONLY |
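Review bot: Removing the PF_DEBUG_* enum silently changes what the raw debug values mean at the ioctl boundary: an older pfctl built against the previous pfvar.h still sends 1/2/3 for urgent/misc/loud, which the kernel would now treat as LOG_ALERT/LOG_CRIT/LOG_ERR (assuming the debug-level ioctl stores the value as-is, which is outside this diff), so `-x loud` from such a binary becomes the new default and `-x misc` silences LOG_ERR messages. A comment beside the level definitions, e.g. `/* pf_status.debug holds a LOG_* level from <sys/syslog.h>; the former PF_DEBUG_* values 1-3 no longer apply */`, plus a line in the commit message, would help anyone tracking the interface change.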