? ip_fw2.c_uid_diff_2008_09_09
Index: ip_fw2.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.192
diff -u -r1.192 ip_fw2.c
--- ip_fw2.c 6 Sep 2008 16:47:07 -0000 1.192
+++ ip_fw2.c 9 Sep 2008 00:11:49 -0000
@@ -753,12 +753,14 @@
 static void
 ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args,
 struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg,
- struct ip *ip)
+ struct ip *ip, int ugid_checked, struct ip_fw_ugid *ugid_cache)
 {
 struct ether_header *eh = args->eh;
 char *action;
 int limit_reached = 0;
 char action2[40], proto[128], fragment[32];
+ char user_info[40]; // uid_t => uint32_t -> 2**32 = max 10 digits
+ int ofs;
 
 fragment[0] = '\0';
 proto[0] = '\0';
@@ -999,18 +1001,28 @@
 (ip_off & IP_MF) ? "+" : "");
 }
 }
+
+ if (ugid_checked) {
+ ofs = sprintf(user_info, " (uid=%d)", ugid_cache->fw_uid);
+ if (ugid_cache->fw_prid != -1)
+ sprintf(user_info + ofs, " (prison=%d)",
+ ugid_cache->fw_prid);
+ } else {
+ user_info[0] = '\0';
+ }
+
 if (oif || m->m_pkthdr.rcvif)
 log(LOG_SECURITY | LOG_INFO,
- "ipfw: %d %s %s %s via %s%s\n",
+ "ipfw: %d %s %s %s via %s%s%s\n",
 f ? f->rulenum : -1,
 action, proto, oif ? "out" : "in",
 oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname,
- fragment);
+ fragment, user_info);
 else
 log(LOG_SECURITY | LOG_INFO,
- "ipfw: %d %s %s [no if info]%s\n",
+ "ipfw: %d %s %s [no if info]%s%s\n",
 f ? f->rulenum : -1,
- action, proto, fragment);
+ action, proto, fragment, user_info);
 if (limit_reached)
 log(LOG_SECURITY | LOG_NOTICE,
 "ipfw: limit %d reached on entry %d\n",
@@ -2589,8 +2601,10 @@
 (ipfw_insn_u32 *)cmd,
 proto, oif,
 dst_ip, dst_port,
- src_ip, src_port, &fw_ugid_cache,
- &ugid_lookup, args->inp);
+ src_ip, src_port,
+ &fw_ugid_cache,
+ &ugid_lookup,
+ args->inp);
 break;
 
 case O_RECV:
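Review bot: The sizing comment on `char user_info[40]` undercounts what the second hunk actually prints: fw_uid goes through `%d`, so a uid above INT_MAX is rendered as a negative number with a sign (11 characters, not 10), and the jail suffix adds up to 21 more, which fills the 40-byte buffer to its last byte with no slack. Printing the uid with `%u` (uid_t is unsigned) and bounding both writes, `ofs = snprintf(user_info, sizeof user_info, " (uid=%u)", ugid_cache->fw_uid);` and `snprintf(user_info + ofs, sizeof user_info - ofs, " (prison=%d)", ugid_cache->fw_prid);`, makes the bound explicit instead of depending on that arithmetic. The two new parameters also deserve a line in the function comment, e.g. `/* ugid_checked != 0: ugid_cache was filled by an earlier uid/gid/jail match for this packet */`, since nothing in ipfw_log validates ugid_cache before dereferencing it. ipfw_log's body continues past this hunk.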
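Review bot: `if (ugid_checked)` treats every nonzero flag value as "cache populated", yet the value passed in is the `ugid_lookup` state that check_uidgid maintains, and this diff does not show whether that state only ever takes 0 and 1; if it also uses a negative value to record a lookup that found no socket, this branch would format whatever stale or never-written contents `fw_ugid_cache` holds into a security log line. Comparing against the one value that means "filled", `if (ugid_checked == 1) {`, or documenting the 0/1 contract where the flag is declared, removes the doubt. If, as the names suggest, the cache is filled only when a uid/gid/jail rule ran earlier for the same packet, a one-line comment above the block, `/* uid/jail suffix is available only if an earlier rule forced a socket lookup */`, would explain why most logged lines carry no suffix.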
@@ -2912,7 +2926,8 @@
 case O_LOG:
 if (V_fw_verbose)
 ipfw_log(f, hlen, args, m,
- oif, offset, tablearg, ip);
+ oif, offset, tablearg, ip,
+ ugid_lookup, &fw_ugid_cache);
 match = 1;
 break;
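Review bot: The O_LOG call now hands `ugid_lookup` and `fw_ugid_cache` to ipfw_log, per-packet state that is declared and initialized outside this hunk (the enclosing switch starts and ends beyond it), so the new arguments are only safe if that flag is reset to 0 for every packet before any rule is evaluated; please confirm that initialization rather than rely on it, because ipfw_log dereferences the cache whenever the flag is nonzero. A comment on the call, `/* uid/jail info is present only if an earlier uid/gid/jail rule looked it up */`, would make the dependency visible to the next reader of this switch.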