Bug 20198

Summary: log setup of dynamic rules for ipfw
Product: Base System
Reporter: Stephen Montgomery-Smith <stephen>
Component: kern
Assignee: Luigi Rizzo <luigi>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any
Attachments:
Description  Flags
file.diff    none
ddd          none

Description Stephen Montgomery-Smith 2000-07-26 19:20:00 UTC
Suppose I create a rule with ipfw:
ipfw add pass log from xxx to yyy via zzz keep-state
Then every packet processed by this rule will create a log entry.

It would be nice to have the possibility to create a rule thus:
ipfw add pass from xxx to yyy via zzz keep-state log
This would have the effect that when this rule is first encountered
it creates a log entry, but subsequently when the rule is
encountered in its dynamic state, it is not logged.  There
is only one log when the dynamic rule is created the first time.

Of course, if this rule is encountered by a packet with different
ip/port combination, then another dynamic rule is created, and
so is a new log entry.

The above syntax is my suggestion, but maybe you guys would 
prefer something else.  If you like this, and it is adopted, 
then I will write a diff for the man file also.

Fix: Here is my patch.  

I use another of the bits of struct ip_fw.fw_flg bits, which seem 
to be in rather short supply - now only 6 bits left.

The small addition I made to ipfw.c to parse for the log option
works, but maybe I didn't do it in the spirit of the rest of the
code.
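
A small model of the two logging behaviours discussed in the description above, added here as an illustration; it is not the attached patch and not ipfw code. The direction-independent flow key, the idle `lifetime` timeout and the sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def flow_key(p):
    """Direction-independent key, so replies hit the same dynamic state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + min(a, b) + max(a, b)

def simulate(packets, log_on_setup_only, lifetime=300.0):
    """Return the log lines one keep-state rule would emit in this model.

    log_on_setup_only=False: every packet handled by the rule is logged.
    log_on_setup_only=True:  one line per dynamic state created.
    lifetime: assumed idle timeout after which state is recreated.
    """
    last_seen = {}   # flow key -> time of last packet
    logs = []
    for p in sorted(packets, key=lambda q: q.ts):
        key = flow_key(p)
        prev = last_seen.get(key)
        is_new = prev is None or p.ts - prev > lifetime
        last_seen[key] = p.ts
        if is_new or not log_on_setup_only:
            tag = "SETUP" if is_new else "MATCH"
            logs.append(f"{p.ts:.0f} {tag} {p.proto} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
    return logs

# Constructed sample traffic (documentation addresses, not from the report).
SAMPLE = [
    Packet(0, "tcp", "192.0.2.10", 40000, "198.51.100.5", 22),
    Packet(1, "tcp", "198.51.100.5", 22, "192.0.2.10", 40000),   # reply
    Packet(2, "tcp", "192.0.2.10", 40000, "198.51.100.5", 22),
    Packet(3, "tcp", "192.0.2.10", 40001, "198.51.100.5", 22),   # new port
    Packet(400, "tcp", "192.0.2.10", 40000, "198.51.100.5", 22), # after idle
]

if __name__ == "__main__":
    for line in simulate(SAMPLE, log_on_setup_only=True):
        print(line)
```

On the sample, per-packet logging yields five entries and log-on-setup yields three: one per new ip/port combination, plus one when the first flow is recreated after the assumed idle timeout.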

Comment 1 Sheldon Hearn freebsd_committer freebsd_triage 2000-07-27 12:31:49 UTC
State Changed
From-To: open->feedback

Does ``logamount'' (see ipfw(8)) not suit your needs?

Comment 2 Stephen Montgomery-Smith 2000-07-27 18:06:24 UTC
OK, how about this:

Neil Blakey-Milner wrote:
> 
> On Thu 2000-07-27 (10:38), Stephen Montgomery-Smith wrote:
> > > > add pass log logamount 10 from any to any 22 keep-state
> > >
> > > What about:
> > >
> > > add pass log logamount 10 from any to any 22 setup keep-state
> > >
> >
> > That doesn't seem to work for me.
> 
> Then that is the problem.  No need to add new semantics when the above
> is the obvious way it should function.  If you can determine why it
> doesn't work, then that's the fix.
>

Comment 3 Johan Karlsson freebsd_committer freebsd_triage 2000-10-11 20:59:07 UTC
Responsible Changed
From-To: freebsd-bugs->luigi

Over to ipfw maintainer.

Comment 4 Stephen Montgomery-Smith 2001-06-17 14:27:29 UTC
There was a request to close PR's.  This is my PR.  I don't
think that there was any interest in this (I myself stopped
using dynamic rules in ipfw), so
this PR can be closed.

-- 
Stephen Montgomery-Smith
stephen@math.missouri.edu
http://www.math.missouri.edu/~stephen

Comment 5 Poul-Henning Kamp freebsd_committer freebsd_triage 2001-06-22 16:44:05 UTC
State Changed
From-To: feedback->closed

done