OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>

*** 4,13 **** --- 4,14 ----
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
+ * Copyright 2019 Joyent, Inc.
 */
 #include "ipf.h"
 #include <sys/ioctl.h>
 #include <syslog.h>
*** 14,23 **** --- 15,25 ----
 #ifdef IPFILTER_BPF
 # include "pcap-bpf.h"
 # define _NET_BPF_H_
 # include <pcap.h>
 #endif
+ #include <uuid/uuid.h>
 #include "netinet/ip_pool.h"
 #include "netinet/ip_htable.h"
 #include "netinet/ipl.h"
 #include "ipf_l.h"
*** 96,105 **** --- 98,108 ---- struct { union i6addr a; union i6addr m; } ipp; union i6addr ip6; + uuid_t uuid; }; %type <port> portnum %type <num> facility priority icmpcode seclevel secname icmptype %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
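Review bot: The new `uuid_t uuid;` member has no comment saying who fills it, and the `uuidtag` action added later in this change copies `$3` into the rule with no check of its own. The parser therefore depends on the scanner returning `YY_UUID` only after the text has parsed successfully as a UUID (presumably via `uuid_parse()`; the scanner side is not on this page). A comment on the member such as `/* set by the lexer; valid only when YY_UUID is returned */` would record that contract. The `%union` opens above this hunk.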
*** 115,124 **** --- 118,128 ---- %token <str> YY_STR %token YY_COMMENT %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT %token YY_RANGE_OUT YY_RANGE_IN %token <ip6> YY_IPV6 + %token <uuid> YY_UUID %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST %token IPFY_IN IPFY_OUT %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
*** 125,134 **** --- 129,139 ---- %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO %token IPFY_TOS IPFY_TTL IPFY_PROTO %token IPFY_HEAD IPFY_GROUP %token IPFY_AUTH IPFY_PREAUTH %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK + %token IPFY_UUID IPFY_CFWLOG %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH %token IPFY_PPS %token IPFY_ESP IPFY_AH %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
*** 516,525 **** --- 521,532 ---- ; taginspec: logtag |nattag + |uuidtag + |cfwtag ; nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ $3, IPFTAG_LEN);); free($3); }
*** 528,537 **** --- 535,550 ---- ; logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } ; + cfwtag: IPFY_CFWLOG { DOALL(fr->fr_flags |= FR_CFWLOG;) } + ; + + uuidtag: IPFY_UUID '=' YY_UUID { DOALL(uuid_copy(fr->fr_uuid, $3);) } + ; + settagout: | IPFY_SETTAG '(' tagoutlist ')' ; tagoutlist:
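Review bot: The `cfwtag` and `uuidtag` actions are independent, so a rule can have `FR_CFWLOG` set while `fr_uuid` is never assigned, and log records for that rule could then presumably not be attributed to a firewall rule. If the log consumer relies on the UUID, reject that combination once the tag list is complete, for example `if ((fr->fr_flags & FR_CFWLOG) && uuid_is_null(fr->fr_uuid)) yyerror("cfwlog requires uuid");` inside a `DOALL`. Otherwise, add a comment above `cfwtag` stating that a nil UUID is permitted. A repeated `uuid=` in one list also silently overwrites the earlier value. Both rules are added to `taginspec` and `tagoutspec` (the hunks at 516 and 540), and `matchtagin` as shown takes `tagoutlist`, so `match-tag(cfwlog)` would set the flag rather than match on it; that deserves a comment if intended.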
*** 540,549 **** --- 553,564 ---- ; tagoutspec: logtag | nattag + | uuidtag + | cfwtag ; matchtagin: | IPFY_MATCHTAG '(' tagoutlist ')' ;
*** 1564,1573 **** --- 1579,1589 ----
 { "bpf-v4", IPFY_BPFV4 },
 #ifdef USE_INET6
 { "bpf-v6", IPFY_BPFV6 },
 #endif
 { "call", IPFY_CALL },
+ { "cfwlog", IPFY_CFWLOG },
 { "code", IPFY_ICMPCODE },
 { "count", IPFY_COUNT },
 { "dup-to", IPFY_DUPTO },
 { "eq", YY_CMP_EQ },
 { "esp", IPFY_ESP },
*** 1639,1648 **** --- 1655,1665 ----
 { "tcp-udp", IPFY_TCPUDP },
 { "tos", IPFY_TOS },
 { "to", IPFY_TO },
 { "ttl", IPFY_TTL },
 { "udp", IPFY_UDP },
+ { "uuid", IPFY_UUID },
 { "v6hdrs", IPF6_V6HDRS },
 { "with", IPFY_WITH },
 { NULL, 0 }
 };