OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
*** 3,13 ****
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*
! * Copyright (c) 2014, Joyent, Inc. All rights reserved.
*/
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
--- 3,13 ----
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*
! * Copyright 2019 Joyent, Inc.
*/
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
*** 106,115 ****
--- 106,116 ----
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
# include <sys/libkern.h>
# include <sys/systm.h>
# endif
#endif
+ #include <sys/uuid.h>
/* END OF INCLUDES */
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
*** 1443,1452 ****
--- 1444,1454 ----
fr_addtimeoutqueue(&ifs->ifs_ips_utqe,
fr->fr_age[1], ifs);
is->is_sti.tqe_flags |= TQE_RULEBASED;
}
is->is_tag = fr->fr_logtag;
+ memcpy(is->is_uuid, fr->fr_uuid, sizeof (uuid_t));
is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1];
is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2];
is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3];
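Review bot: The added memcpy sizes the copy with `sizeof (uuid_t)` rather than with the destination field, so nothing ties the length to what is_uuid can actually hold; writing it as `memcpy(is->is_uuid, fr->fr_uuid, sizeof (is->is_uuid));` keeps the copy bounded by the destination if either struct field's type is ever changed. The declarations of is_uuid and fr_uuid are not in the hunk, so whether the two sizes agree today is inferred. No NULL check on fr is needed at this point since the preceding line already reads fr->fr_logtag. The enclosing function starts and ends outside the hunk.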
*** 1522,1531 ****
--- 1524,1536 ----
is->is_sync = ipfsync_new(SMC_STATE, fin, is);
#endif
if (ifs->ifs_ipstate_logging)
ipstate_log(is, ISL_NEW, ifs);
+ if (IFS_CFWLOG(ifs, is->is_rule))
+ ipf_log_cfwlog(is, ISL_NEW, ifs);
+
RWLOCK_EXIT(&ifs->ifs_ipf_state);
fin->fin_rev = IP6_NEQ(&is->is_dst, &fin->fin_daddr);
fin->fin_flx |= FI_STATE;
if (fin->fin_flx & FI_FRAG)
(void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
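Review bot: The new IFS_CFWLOG(ifs, is->is_rule) call site has no NULL check on is->is_rule, and the same pattern is used at the SI_CLONED site later in this commit; the deletion path in this commit, by contrast, follows its IFS_CFWLOG use with an explicit `if (is->is_rule != NULL)`, which suggests a NULL rule is possible at least there. The macro's definition is outside the hunk; if it dereferences its rule argument, a comment here such as `/* is_rule was just set from fr, so it is non-NULL at this point */` would make the assumption visible, and the SI_CLONED site should state whether cloned state always carries a rule. Note also that ipf_log_cfwlog() is invoked before the RWLOCK_EXIT on ifs_ipf_state that follows, i.e. with the state lock held, the same as the existing ipstate_log() call; if the new logger can block or take other locks, this is the place to confirm that. The enclosing function starts and ends outside the hunk.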
*** 2312,2321 ****
--- 2317,2328 ----
is->is_maxdend = is->is_dend + 1;
}
is->is_flags &= ~(SI_W_SPORT|SI_W_DPORT);
if ((flags & SI_CLONED) && ifs->ifs_ipstate_logging)
ipstate_log(is, ISL_CLONE, ifs);
+ if ((flags & SI_CLONED) && IFS_CFWLOG(ifs, is->is_rule))
+ ipf_log_cfwlog(is, ISL_CLONE, ifs);
}
ret = -1;
if (is->is_flx[out][rev] == 0) {
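Review bot: The added clone-logging check re-evaluates `flags & SI_CLONED` on its own line immediately after the existing `ipstate_log` check does the same, so the two log calls read as unrelated when they fire under the same condition; nesting both calls under a single `if (flags & SI_CLONED) { ... }` block, with the ipstate_logging and IFS_CFWLOG tests inside it, states that relationship once and keeps any future clone-only bookkeeping in one place. This is a style point only, the behavior is unchanged either way. The enclosing function starts and ends outside the hunk.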
*** 3395,3405 ****
is->is_pnext = NULL;
}
if (ifs->ifs_ipstate_logging != 0 && why != 0)
ipstate_log(is, why, ifs);
!
if (is->is_rule != NULL) {
is->is_rule->fr_statecnt--;
(void)fr_derefrule(&is->is_rule, ifs);
}
--- 3402,3420 ----
is->is_pnext = NULL;
}
if (ifs->ifs_ipstate_logging != 0 && why != 0)
ipstate_log(is, why, ifs);
! #if 0
! /*
! * For now, ipf_log_cfwlog() copes with all "why" values. Strictly
! * speaking, though, they all map to one event (CFWEV_END), which for
! * now is not supported, hence the #if 0.
! */
! if (why != 0 && IFS_CFWLOG(ifs, is->is_rule))
! ipf_log_cfwlog(is, why, ifs);
! #endif
if (is->is_rule != NULL) {
is->is_rule->fr_statecnt--;
(void)fr_derefrule(&is->is_rule, ifs);
}
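Review bot: The `#if 0` block leaves disabled code in the state-deletion path with a comment that only says "for now", so a later reader has no way to tell what must hold before it can be switched on. The disabled call reads is->is_rule, and it sits just ahead of the `fr_derefrule(&is->is_rule, ifs)` call that follows the `is_rule != NULL` check; if that call releases or clears the rule reference (its definition is outside the hunk), the block must stay before it once enabled. Suggest extending the comment with `* When enabled, this must stay ahead of fr_derefrule() below, which drops is->is_rule.` and naming the tracking issue for CFWEV_END support (e.g. `TICKET-ID` placeholder) so the dead block has an owner; otherwise drop it and reintroduce it with that support. The enclosing function starts and ends outside the hunk.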
*** 3929,3939 ****
}
return rval;
}
-
/* ------------------------------------------------------------------------ */
/* Function: ipstate_log */
/* Returns: Nil */
/* Parameters: is(I) - pointer to state structure */
/* type(I) - type of log entry to create */
--- 3944,3953 ----