OS-7667 Udiff usr/src/uts/common/inet/ipf/fil.c

Print this page

OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>

@@ -3,11 +3,11 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  *
- * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
+ * Copyright 2019 Joyent, Inc.
  */
 
 #if defined(KERNEL) || defined(_KERNEL)
 # undef KERNEL
 # undef _KERNEL

@@ -2586,10 +2586,13 @@
         if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
                 (void) fr_dolog(fin, &pass);
         }
 #endif
 
+        if (IFS_CFWLOG(ifs, fr) && FR_ISBLOCK(pass))
+                ipf_block_cfwlog(fr, fin, ifs);
+
         /*
          * The FI_STATE flag is cleared here so that calling fr_checkstate
          * will work when called from inside of fr_fastroute.  Although
          * there is a similar flag, FI_NATED, for NAT, it does have the same
          * impact on code execution.