OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
@@ -3,11 +3,11 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*
- * Copyright (c) 2014, Joyent, Inc. All rights reserved.
+ * Copyright 2019 Joyent, Inc.
*/
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
@@ -106,10 +106,11 @@
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
# include <sys/libkern.h>
# include <sys/systm.h>
# endif
#endif
+#include <sys/uuid.h>
/* END OF INCLUDES */
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
@@ -1443,10 +1444,11 @@
fr_addtimeoutqueue(&ifs->ifs_ips_utqe,
fr->fr_age[1], ifs);
is->is_sti.tqe_flags |= TQE_RULEBASED;
}
is->is_tag = fr->fr_logtag;
+ memcpy(is->is_uuid, fr->fr_uuid, sizeof (uuid_t));
is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1];
is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2];
is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3];
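Review bot: The added `memcpy` bounds the copy by the type `uuid_t` rather than by the destination field it writes; since `is->is_uuid` is passed by name (so it is presumably an array), `memcpy(is->is_uuid, fr->fr_uuid, sizeof (is->is_uuid));` keeps the length tied to the field and survives a later change of the member's type. The copy dereferences `fr` without a check, which is only safe because `is->is_tag = fr->fr_logtag;` on the line above already does so; a short comment such as `/* fr is non-NULL here (see is_tag above) */` would keep that dependency visible if the lines are ever separated. Whether `fr_uuid` is always initialised for rules that carry no uuid cannot be seen from this hunk, and an uninitialised value would be what `is_uuid` consumers later report. The enclosing function starts before and ends after this hunk.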
@@ -1522,10 +1524,13 @@
is->is_sync = ipfsync_new(SMC_STATE, fin, is);
#endif
if (ifs->ifs_ipstate_logging)
ipstate_log(is, ISL_NEW, ifs);
+ if (IFS_CFWLOG(ifs, is->is_rule))
+ ipf_log_cfwlog(is, ISL_NEW, ifs);
+
RWLOCK_EXIT(&ifs->ifs_ipf_state);
fin->fin_rev = IP6_NEQ(&is->is_dst, &fin->fin_daddr);
fin->fin_flx |= FI_STATE;
if (fin->fin_flx & FI_FRAG)
(void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
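Review bot: The new `ipf_log_cfwlog(is, ISL_NEW, ifs)` call is made while `ifs->ifs_ipf_state` is still held, since `RWLOCK_EXIT(&ifs->ifs_ipf_state)` is only reached two lines later; nothing in the hunk shows what locks the logger takes, so whether it is safe to call under that lock cannot be verified here. A comment above the call, such as `/* Called with ifs_ipf_state held; ipf_log_cfwlog() must be safe under it. */`, would record the constraint for whoever later changes the logging path. The same lock placement applies to the `ISL_CLONE` call in the hunk below. The enclosing function starts before and ends after this hunk.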
@@ -2312,10 +2317,12 @@
is->is_maxdend = is->is_dend + 1;
}
is->is_flags &= ~(SI_W_SPORT|SI_W_DPORT);
if ((flags & SI_CLONED) && ifs->ifs_ipstate_logging)
ipstate_log(is, ISL_CLONE, ifs);
+ if ((flags & SI_CLONED) && IFS_CFWLOG(ifs, is->is_rule))
+ ipf_log_cfwlog(is, ISL_CLONE, ifs);
}
ret = -1;
if (is->is_flx[out][rev] == 0) {
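Review bot: The `(flags & SI_CLONED)` test is now evaluated twice in a row, once for `ipstate_log` and once for the new `ipf_log_cfwlog` call; nesting both logging calls under a single `if (flags & SI_CLONED)` reads more clearly and makes it obvious that the two loggers fire on the same event. This is purely a matter of form; the behaviour is unchanged. The enclosing function starts before and ends after this hunk.
```c
	if (flags & SI_CLONED) {
		if (ifs->ifs_ipstate_logging)
			ipstate_log(is, ISL_CLONE, ifs);
		if (IFS_CFWLOG(ifs, is->is_rule))
			ipf_log_cfwlog(is, ISL_CLONE, ifs);
	}
	/* … unchanged: ret = -1 and the is_flx check … */
```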
@@ -3395,11 +3402,19 @@
is->is_pnext = NULL;
}
if (ifs->ifs_ipstate_logging != 0 && why != 0)
ipstate_log(is, why, ifs);
-
+#if 0
+ /*
+ * For now, ipf_log_cfwlog() copes with all "why" values. Strictly
+ * speaking, though, they all map to one event (CFWEV_END), which for
+ * now is not supported, hence the #if 0.
+ */
+ if (why != 0 && IFS_CFWLOG(ifs, is->is_rule))
+ ipf_log_cfwlog(is, why, ifs);
+#endif
if (is->is_rule != NULL) {
is->is_rule->fr_statecnt--;
(void)fr_derefrule(&is->is_rule, ifs);
}
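Review bot: The disabled block passes `is->is_rule` to `IFS_CFWLOG` before the `if (is->is_rule != NULL)` check that immediately follows it, so unless the macro tolerates a NULL rule, enabling the `#if 0` as written could dereference NULL for a state whose rule has already been dropped; guarding it as `if (why != 0 && is->is_rule != NULL && IFS_CFWLOG(ifs, is->is_rule))` makes the dormant code safe to switch on. Because code under `#if 0` is never compiled, it will also not be caught by the compiler if `ipf_log_cfwlog`'s signature or the `ISL_*` values change, so the explanatory comment might add a note naming the condition under which the block is meant to be enabled (CFWEV_END support) so it is not forgotten. The enclosing function starts before and ends after this hunk.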
@@ -3929,11 +3944,10 @@
}
return rval;
}
-
/* ------------------------------------------------------------------------ */
/* Function: ipstate_log */
/* Returns: Nil */
/* Parameters: is(I) - pointer to state structure */
/* type(I) - type of log entry to create */