Use unified print_dyn_rule_flags() function for debugging messages
instead of hand-made printfs in every place. MFC after: 1 week
This commit is contained in:
Alexander V. Chernikov
parent
ccaa6067c7
commit
a730ff05c1
@ -258,8 +258,12 @@ hash_packet(struct ipfw_flow_id *id)
|
||||
return i;
|
||||
}
|
||||
|
||||
static __inline void
|
||||
unlink_dyn_rule_print(struct ipfw_flow_id *id)
|
||||
/**
|
||||
* Print customizable flow id description via log(9) facility.
|
||||
*/
|
||||
static void
|
||||
print_dyn_rule_flags(struct ipfw_flow_id *id, int dyn_type, int log_flags,
|
||||
char *prefix, char *postfix)
|
||||
{
|
||||
struct in_addr da;
|
||||
#ifdef INET6
|
||||
@ -280,10 +284,14 @@ unlink_dyn_rule_print(struct ipfw_flow_id *id)
|
||||
da.s_addr = htonl(id->dst_ip);
|
||||
inet_ntop(AF_INET, &da, dst, sizeof(dst));
|
||||
}
|
||||
printf("ipfw: unlink entry %s %d -> %s %d, %d left\n",
|
||||
src, id->src_port, dst, id->dst_port, V_dyn_count - 1);
|
||||
log(log_flags, "ipfw: %s type %d %s %d -> %s %d, %d %s\n",
|
||||
prefix, dyn_type, src, id->src_port, dst,
|
||||
id->dst_port, V_dyn_count, postfix);
|
||||
}
|
||||
|
||||
#define print_dyn_rule(id, dtype, prefix, postfix) \
|
||||
print_dyn_rule_flags(id, dtype, LOG_DEBUG, prefix, postfix)
|
||||
|
||||
/**
|
||||
* unlink a dynamic rule from a chain. prev is a pointer to
|
||||
* the previous one, q is a pointer to the rule to delete,
|
||||
@ -296,12 +304,12 @@ unlink_dyn_rule_print(struct ipfw_flow_id *id)
|
||||
/* remove a refcount to the parent */ \
|
||||
if (q->dyn_type == O_LIMIT) \
|
||||
q->parent->count--; \
|
||||
DEB(unlink_dyn_rule_print(&q->id);) \
|
||||
V_dyn_count--; \
|
||||
DEB(print_dyn_rule(&q->id, q->dyn_type, "unlink entry", "left");) \
|
||||
if (prev != NULL) \
|
||||
prev->next = q = q->next; \
|
||||
else \
|
||||
head = q = q->next; \
|
||||
V_dyn_count--; \
|
||||
uma_zfree(ipfw_dyn_rule_zone, old_q); }
|
||||
|
||||
#define TIME_LEQ(a,b) ((int)((a)-(b)) <= 0)
|
||||
@ -639,32 +647,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
|
||||
r->next = V_ipfw_dyn_v[i];
|
||||
V_ipfw_dyn_v[i] = r;
|
||||
V_dyn_count++;
|
||||
DEB({
|
||||
struct in_addr da;
|
||||
#ifdef INET6
|
||||
char src[INET6_ADDRSTRLEN];
|
||||
char dst[INET6_ADDRSTRLEN];
|
||||
#else
|
||||
char src[INET_ADDRSTRLEN];
|
||||
char dst[INET_ADDRSTRLEN];
|
||||
#endif
|
||||
|
||||
#ifdef INET6
|
||||
if (IS_IP6_FLOW_ID(&(r->id))) {
|
||||
ip6_sprintf(src, &r->id.src_ip6);
|
||||
ip6_sprintf(dst, &r->id.dst_ip6);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
da.s_addr = htonl(r->id.src_ip);
|
||||
inet_ntop(AF_INET, &da, src, sizeof(src));
|
||||
da.s_addr = htonl(r->id.dst_ip);
|
||||
inet_ntop(AF_INET, &da, dst, sizeof(dst));
|
||||
}
|
||||
printf("ipfw: add dyn entry ty %d %s %d -> %s %d, total %d\n",
|
||||
dyn_type, src, r->id.src_port, dst, r->id.dst_port,
|
||||
V_dyn_count);
|
||||
})
|
||||
DEB(print_dyn_rule(id, dyn_type, "add dyn entry", "total");)
|
||||
return r;
|
||||
}
|
||||
|
||||
@ -701,7 +684,8 @@ lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
|
||||
)
|
||||
) {
|
||||
q->expire = time_uptime + V_dyn_short_lifetime;
|
||||
DEB(printf("ipfw: lookup_dyn_parent found 0x%p\n",q);)
|
||||
DEB(print_dyn_rule(pkt, q->dyn_type,
|
||||
"lookup_dyn_parent found", "");)
|
||||
return q;
|
||||
}
|
||||
}
|
||||
@ -720,38 +704,11 @@ ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
|
||||
{
|
||||
static int last_log;
|
||||
ipfw_dyn_rule *q;
|
||||
struct in_addr da;
|
||||
#ifdef INET6
|
||||
char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2];
|
||||
#else
|
||||
char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
|
||||
#endif
|
||||
|
||||
src[0] = '\0';
|
||||
dst[0] = '\0';
|
||||
DEB(print_dyn_rule(&args->f_id, cmd->o.opcode, "install_state", "");)
|
||||
|
||||
IPFW_DYN_LOCK();
|
||||
|
||||
DEB(
|
||||
#ifdef INET6
|
||||
if (IS_IP6_FLOW_ID(&(args->f_id))) {
|
||||
ip6_sprintf(src, &args->f_id.src_ip6);
|
||||
ip6_sprintf(dst, &args->f_id.dst_ip6);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
da.s_addr = htonl(args->f_id.src_ip);
|
||||
inet_ntop(AF_INET, &da, src, sizeof(src));
|
||||
da.s_addr = htonl(args->f_id.dst_ip);
|
||||
inet_ntop(AF_INET, &da, dst, sizeof(dst));
|
||||
}
|
||||
printf("ipfw: %s: type %d %s %u -> %s %u\n",
|
||||
__func__, cmd->o.opcode, src, args->f_id.src_port,
|
||||
dst, args->f_id.dst_port);
|
||||
src[0] = '\0';
|
||||
dst[0] = '\0';
|
||||
)
|
||||
|
||||
q = lookup_dyn_rule_locked(&args->f_id, NULL, NULL);
|
||||
|
||||
if (q != NULL) { /* should never occur */
|
||||
@ -833,38 +790,15 @@ ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
|
||||
if (parent->count >= conn_limit) {
|
||||
if (V_fw_verbose && last_log != time_uptime) {
|
||||
last_log = time_uptime;
|
||||
#ifdef INET6
|
||||
/*
|
||||
* XXX IPv6 flows are not
|
||||
* supported yet.
|
||||
*/
|
||||
if (IS_IP6_FLOW_ID(&(args->f_id))) {
|
||||
char ip6buf[INET6_ADDRSTRLEN];
|
||||
snprintf(src, sizeof(src),
|
||||
"[%s]", ip6_sprintf(ip6buf,
|
||||
&args->f_id.src_ip6));
|
||||
snprintf(dst, sizeof(dst),
|
||||
"[%s]", ip6_sprintf(ip6buf,
|
||||
&args->f_id.dst_ip6));
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
da.s_addr =
|
||||
htonl(args->f_id.src_ip);
|
||||
inet_ntop(AF_INET, &da, src,
|
||||
sizeof(src));
|
||||
da.s_addr =
|
||||
htonl(args->f_id.dst_ip);
|
||||
inet_ntop(AF_INET, &da, dst,
|
||||
sizeof(dst));
|
||||
}
|
||||
log(LOG_SECURITY | LOG_DEBUG,
|
||||
"ipfw: %d %s %s:%u -> %s:%u, %s\n",
|
||||
parent->rule->rulenum,
|
||||
"drop session",
|
||||
src, (args->f_id.src_port),
|
||||
dst, (args->f_id.dst_port),
|
||||
"too many entries");
|
||||
char sbuf[24];
|
||||
last_log = time_uptime;
|
||||
snprintf(sbuf, sizeof(sbuf),
|
||||
"%d drop session",
|
||||
parent->rule->rulenum);
|
||||
print_dyn_rule_flags(&args->f_id,
|
||||
cmd->o.opcode,
|
||||
LOG_SECURITY | LOG_DEBUG,
|
||||
sbuf, "too many entries");
|
||||
}
|
||||
IPFW_DYN_UNLOCK();
|
||||
return (1);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user