Index: ip_fw2.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.192
diff -u -r1.192 ip_fw2.c
--- ip_fw2.c 6 Sep 2008 16:47:07 -0000 1.192
+++ ip_fw2.c 9 Sep 2008 07:48:19 -0000
@@ -134,8 +134,14 @@
 int fw_ngroups;
 uid_t fw_uid;
 int fw_prid;
+ int fw_flags;
+ gid_t fw_matched_gid;
 };
 
+#define UID_MATCHED 1
+#define GID_MATCHED 2
+#define PRID_MATCHED 4
+
 /*
 * list of rules for layer 3
 */
@@ -753,12 +759,14 @@
 static void
 ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args,
 struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg,
- struct ip *ip)
+ struct ip *ip, int ugid_checked, struct ip_fw_ugid *ugid_cache)
 {
 struct ether_header *eh = args->eh;
 char *action;
 int limit_reached = 0;
 char action2[40], proto[128], fragment[32];
+ char user_info[60]; // uid_t => uint32_t -> 2**32 = max 10 digits
+ int ofs;
 
 fragment[0] = '\0';
 proto[0] = '\0';
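Review bot: The two new members of `struct ip_fw_ugid` and the three `*_MATCHED` macros are added without any comment linking them, so a reader of the struct cannot tell that `fw_flags` is a bitmask of those macros or when `fw_matched_gid` is meaningful. Suggest `int fw_flags; /* UID_MATCHED | GID_MATCHED | PRID_MATCHED, set by the uid/gid/jail match code */` and `gid_t fw_matched_gid; /* group that satisfied the last gid match; valid only while GID_MATCHED is set */`, plus a one-line comment above the defines saying they are bits of `fw_flags`. The struct's opening line lies before this hunk.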
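Review bot: The size comment on `char user_info[60]` understates the worst case: the fragments built later in ipfw_log print the values with `%d`, so a uid_t or gid_t above INT_MAX renders as an 11-character negative number, and " (uid=N) (gid=N) (prison=N)" can reach 57 characters before the terminator. That still fits in 60, but the margin is three bytes, so the comment should give the real derivation rather than "max 10 digits", e.g. `/* " (uid=N)" + " (gid=N)" + " (prison=N)", N up to 11 chars: 57 + NUL */`. The new parameters `ugid_checked` and `ugid_cache` would also benefit from a sentence in the function's header comment saying the cache is only consulted when `ugid_checked` is non-zero; the body of ipfw_log continues past this hunk.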
@@ -999,18 +1007,34 @@
 (ip_off & IP_MF) ? "+" : "");
 }
 }
+
+ if (ugid_checked) {
+ ofs = 0;
+ if (ugid_cache->fw_flags & UID_MATCHED)
+ ofs += sprintf(user_info + ofs, " (uid=%d)",
+ ugid_cache->fw_uid);
+ if (ugid_cache->fw_flags & GID_MATCHED)
+ ofs += sprintf(user_info + ofs, " (gid=%d)",
+ ugid_cache->fw_matched_gid);
+ if (ugid_cache->fw_flags & PRID_MATCHED)
+ ofs += sprintf(user_info + ofs, " (prison=%d)",
+ ugid_cache->fw_prid);
+ } else {
+ user_info[0] = '\0';
+ }
+
 if (oif || m->m_pkthdr.rcvif)
 log(LOG_SECURITY | LOG_INFO,
- "ipfw: %d %s %s %s via %s%s\n",
+ "ipfw: %d %s %s %s via %s%s%s\n",
 f ? f->rulenum : -1,
 action, proto, oif ? "out" : "in",
 oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname,
- fragment);
+ fragment, user_info);
 else
 log(LOG_SECURITY | LOG_INFO,
- "ipfw: %d %s %s [no if info]%s\n",
+ "ipfw: %d %s %s [no if info]%s%s\n",
 f ? f->rulenum : -1,
- action, proto, fragment);
+ action, proto, fragment, user_info);
 if (limit_reached)
 log(LOG_SECURITY | LOG_NOTICE,
 "ipfw: limit %d reached on entry %d\n",
@@ -1971,6 +1995,8 @@
 ugp->fw_ngroups = cr->cr_ngroups;
 bcopy(cr->cr_groups, ugp->fw_groups,
 sizeof(ugp->fw_groups));
+
+ ugp->fw_flags = 0;
 }
 }
 
@@ -2045,17 +2071,24 @@
 return (0);
 }
 }
- if (insn->o.opcode == O_UID)
+ if (insn->o.opcode == O_UID) {
 match = (ugp->fw_uid == (uid_t)insn->d[0]);
- else if (insn->o.opcode == O_GID) {
+ if (match)
+ ugp->fw_flags |= UID_MATCHED;
+ } else if (insn->o.opcode == O_GID) {
 for (gp = ugp->fw_groups;
 gp < &ugp->fw_groups[ugp->fw_ngroups]; gp++)
 if (*gp == (gid_t)insn->d[0]) {
 match = 1;
+ ugp->fw_flags |= GID_MATCHED;
+ ugp->fw_matched_gid = *gp;
 break;
 }
- } else if (insn->o.opcode == O_JAIL)
+ } else if (insn->o.opcode == O_JAIL) {
 match = (ugp->fw_prid == (int)insn->d[0]);
+ if (match)
+ ugp->fw_flags |= PRID_MATCHED;
+ }
 
 return match;
 }
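Review bot: `user_info` is left without a NUL terminator when `ugid_checked` is non-zero but none of the three `*_MATCHED` bits is set, which happens whenever a uid/gid/jail rule was evaluated for this packet and did not match (the hunk at -1971 only clears `fw_flags` when the cache is filled); the `%s` in the two log() calls then reads uninitialized stack memory into the log. Terminate unconditionally: move `user_info[0] = '\0';` above the `if (ugid_checked)` and drop the `else` branch. Independently, the three `sprintf` calls write into a fixed buffer and print the unsigned uid_t/gid_t with `%d`; `ofs += snprintf(user_info + ofs, sizeof(user_info) - ofs, " (uid=%u)", ugid_cache->fw_uid);` (and `%u` for the gid) keeps a later format change from overflowing the buffer and logs uids above INT_MAX correctly. ipfw_log starts before this hunk.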
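Review bot: The `*_MATCHED` bits are only set in this hunk and only cleared where the credential cache is filled (the hunk at -1971), so they accumulate across the rules walked for one packet: a uid rule that matched at an earlier rule leaves UID_MATCHED set, and a later rule with a plain `log` action will print that uid even though it never tested one, and a failed re-test of a different uid does not clear the bit. If that is intended, because the credentials belong to the socket rather than to the rule, a comment on `fw_flags` should say so; otherwise clear the bit on a non-match, e.g. `if (match) ugp->fw_flags |= UID_MATCHED; else ugp->fw_flags &= ~UID_MATCHED;` and the same for PRID_MATCHED. `fw_matched_gid` likewise keeps the group from the most recent successful gid match and is overwritten by the next one. The enclosing function begins before this hunk.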
@@ -2589,8 +2622,10 @@
 (ipfw_insn_u32 *)cmd,
 proto, oif,
 dst_ip, dst_port,
- src_ip, src_port, &fw_ugid_cache,
- &ugid_lookup, args->inp);
+ src_ip, src_port,
+ &fw_ugid_cache,
+ &ugid_lookup,
+ args->inp);
 break;
 
 case O_RECV:
@@ -2912,7 +2947,8 @@
 case O_LOG:
 if (V_fw_verbose)
 ipfw_log(f, hlen, args, m,
- oif, offset, tablearg, ip);
+ oif, offset, tablearg, ip,
+ ugid_lookup, &fw_ugid_cache);
 match = 1;
 break;