From: Sepherosa Ziehau Date: Tue, 16 Sep 2008 12:16:08 +0000 (+0000) Subject: - Rework ipfw(4) debug print macro X-Git-Url: https://gitweb.dragonflybsd.org/~lentferj/dragonfly.git/commitdiff_plain/8d0865c8bc706b8ec0a936f7060ba34a71683b53 - Rework ipfw(4) debug print macro - Add IPFIREWALL_DEBUG option --- diff --git a/sys/conf/options b/sys/conf/options index 4a2a837cb8..3d98dcdead 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -1,5 +1,5 @@ # $FreeBSD: src/sys/conf/options,v 1.191.2.53 2003/06/04 17:56:58 sam Exp $ -# $DragonFly: src/sys/conf/options,v 1.92 2008/07/27 10:06:55 sephe Exp $ +# $DragonFly: src/sys/conf/options,v 1.93 2008/09/16 12:16:08 sephe Exp $ # # On the handling of kernel options # @@ -290,6 +290,7 @@ IPFILTER opt_ipfilter.h IPFILTER_LOG opt_ipfilter.h IPFILTER_DEFAULT_BLOCK opt_ipfilter.h IPFIREWALL opt_ipfw.h +IPFIREWALL_DEBUG opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h diff --git a/sys/config/LINT b/sys/config/LINT index 1a2922ae49..157d0945c0 100644 --- a/sys/config/LINT +++ b/sys/config/LINT @@ -3,7 +3,7 @@ # as much of the source tree as it can. # # $FreeBSD: src/sys/i386/conf/LINT,v 1.749.2.144 2003/06/04 17:56:59 sam Exp $ -# $DragonFly: src/sys/config/LINT,v 1.171 2008/09/06 14:18:29 swildner Exp $ +# $DragonFly: src/sys/config/LINT,v 1.172 2008/09/16 12:16:08 sephe Exp $ # # See the kernconf(5) manual page for more information on the format of # this file. @@ -616,6 +616,7 @@ pseudo-device stf #6to4 IPv6 over IPv4 encapsulation options MROUTING # Multicast routing options PIM # Protocol Independent Multicast options IPFIREWALL #firewall +options IPFIREWALL_DEBUG #debug prints options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_FORWARD #enable transparent proxy support options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity diff --git a/sys/net/ipfw/Makefile b/sys/net/ipfw/Makefile index 570b82fd67..62fcfb4415 100644 
--- a/sys/net/ipfw/Makefile +++ b/sys/net/ipfw/Makefile @@ -1,5 +1,5 @@ # $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11.2.1 2003/02/14 14:09:21 maxim Exp $ -# $DragonFly: src/sys/net/ipfw/Makefile,v 1.5 2008/09/09 11:37:08 sephe Exp $ +# $DragonFly: src/sys/net/ipfw/Makefile,v 1.6 2008/09/16 12:16:08 sephe Exp $ KMOD= ipfw SRCS= ip_fw2.c @@ -11,6 +11,8 @@ opt_inet.h: opt_ipfw.h: echo '#define IPFIREWALL 1' > ${.OBJDIR}/${.TARGET} + # Debug prints + #echo '#define IPFIREWALL_DEBUG 1' >> ${.OBJDIR}/${.TARGET} # # If you want it verbose #echo '#define IPFIREWALL_VERBOSE 1' >> ${.OBJDIR}/${.TARGET} diff --git a/sys/net/ipfw/ip_fw2.c b/sys/net/ipfw/ip_fw2.c index 79d493855c..4eb8241df3 100644 --- a/sys/net/ipfw/ip_fw2.c +++ b/sys/net/ipfw/ip_fw2.c @@ -23,12 +23,9 @@ * SUCH DAMAGE. * * $FreeBSD: src/sys/netinet/ip_fw2.c,v 1.6.2.12 2003/04/08 10:42:32 maxim Exp $ - * $DragonFly: src/sys/net/ipfw/ip_fw2.c,v 1.88 2008/09/16 11:40:38 sephe Exp $ + * $DragonFly: src/sys/net/ipfw/ip_fw2.c,v 1.89 2008/09/16 12:16:08 sephe Exp $ */ -#define DEB(x) -#define DDB(x) x - /* * Implement IP packet firewall (new version) */ @@ -78,6 +75,16 @@ #include +#ifdef IPFIREWALL_DEBUG +#define DPRINTF(fmt, ...) \ +do { \ + if (fw_debug > 0) \ + kprintf(fmt, __VA_ARGS__); \ +} while (0) +#else +#define DPRINTF(fmt, ...) ((void)0) +#endif + /* * Description about per-CPU rule duplication: * @@ -281,7 +288,7 @@ static int ipfw_flushing; static int fw_verbose; static int verbose_limit; -static int fw_debug = 1; +static int fw_debug; static int autoinc_step = IPFW_AUTOINC_STEP_DEF; static int ipfw_sysctl_enable(SYSCTL_HANDLER_ARGS); 
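Review bot: In the `#else` branch of the new macro in ip_fw2.c (hunk at -78), DPRINTF expands to `((void)0)`, so a kernel built without IPFIREWALL_DEBUG never checks any converted format string against its arguments. The removed `DEB(x)` also expanded to nothing, so these strings have probably never been compiled before. Keeping the call visible to the compiler but dead restores the check in every build: `#define DPRINTF(fmt, ...) do { if (0) kprintf(fmt, __VA_ARGS__); } while (0)`. Separately, `kprintf(fmt, __VA_ARGS__)` needs at least one argument after the format in standard C. Every call in this diff has one, but a comment on the macro such as `/* needs at least one argument after fmt */` would spare the next caller a confusing syntax error.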
@@ -872,9 +879,9 @@ do { \ /* remove a refcount to the parent */ \ if (q->dyn_type == O_LIMIT) \ q->parent->count--; \ - DEB(kprintf("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \ - (q->id.src_ip), (q->id.src_port), \ - (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); ) \ + DPRINTF("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \ + q->id.src_ip, q->id.src_port, \ + q->id.dst_ip, q->id.dst_port, dyn_count - 1); \ if (prev != NULL) \ prev->next = q = q->next; \ else \ @@ -1229,11 +1236,10 @@ add_dyn_rule(struct ipfw_flow_id *id, uint8_t dyn_type, struct ip_fw *rule) ipfw_dyn_v[i] = r; dyn_count++; dyn_buckets_gen++; - DEB(kprintf("-- add dyn entry ty %d 0x%08x %d -> 0x%08x %d, total %d\n", - dyn_type, - (r->id.src_ip), (r->id.src_port), - (r->id.dst_ip), (r->id.dst_port), - dyn_count );) + DPRINTF("-- add dyn entry ty %d 0x%08x %d -> 0x%08x %d, total %d\n", + dyn_type, + r->id.src_ip, r->id.src_port, + r->id.dst_ip, r->id.dst_port, dyn_count); return r; } @@ -1258,7 +1264,7 @@ lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule) pkt->src_port == q->id.src_port && pkt->dst_port == q->id.dst_port) { q->expire = time_second + dyn_short_lifetime; - DEB(kprintf("lookup_dyn_parent found 0x%p\n",q);) + DPRINTF("lookup_dyn_parent found 0x%p\n", q); return q; } } @@ -1280,10 +1286,10 @@ install_state_locked(struct ip_fw *rule, ipfw_insn_limit *cmd, ipfw_dyn_rule *q; - DEB(kprintf("-- install state type %d 0x%08x %u -> 0x%08x %u\n", - cmd->o.opcode, - (args->f_id.src_ip), (args->f_id.src_port), - (args->f_id.dst_ip), (args->f_id.dst_port) );) + DPRINTF("-- install state type %d 0x%08x %u -> 0x%08x %u\n", + cmd->o.opcode, + args->f_id.src_ip, args->f_id.src_port, + args->f_id.dst_ip, args->f_id.dst_port); q = lookup_dyn_rule(&args->f_id, NULL, NULL); if (q != NULL) { /* should never occur */ 
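Review bot: The DPRINTF in the unlink macro (hunk at -872) has no rate limit, and the same holds for the calls in add_dyn_rule() and install_state_locked(). With IPFIREWALL_DEBUG compiled in and fw_debug raised, console and message-buffer output therefore appears to scale with how fast dynamic entries are created and removed, which is presumably driven by whoever is sending traffic. The logging path has IPFIREWALL_VERBOSE_LIMIT for this, but the debug path has no equivalent. If a limit is out of scope for this commit, the macro definition should at least say so, e.g. `/* Not rate limited; do not leave fw_debug set on a production firewall. */`. The macro body continues outside the hunk.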
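Review bot: In lookup_dyn_parent() (hunk at -1258) the format `"lookup_dyn_parent found 0x%p\n"` will likely print a doubled prefix, because BSD-derived kprintf normally emits `0x` for `%p` itself. `DPRINTF("lookup_dyn_parent found %p\n", q);` is enough. The value written is the kernel address of a dynamic rule, which matters if the message buffer is readable by unprivileged users on the deployed system. The enclosing loop starts and ends outside the hunk.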
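Review bot: In install_state_locked() (hunk at -1280) the ports are printed with `%u`, while the unlink and add_dyn_rule messages print the same `src_port`/`dst_port` fields with `%d`. Picking one conversion for all three keeps the output uniform and makes a later format-checking pass simpler, e.g. `"-- add dyn entry ty %d 0x%08x %u -> 0x%08x %u, total %d\n"` in add_dyn_rule. The function body continues outside the hunk.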
@@ -1321,8 +1327,8 @@ install_state_locked(struct ip_fw *rule, ipfw_insn_limit *cmd, struct ipfw_flow_id id; ipfw_dyn_rule *parent; - DEB(kprintf("installing dyn-limit rule %d\n", - cmd->conn_limit);) + DPRINTF("installing dyn-limit rule %d\n", + cmd->conn_limit); id.dst_ip = id.src_ip = 0; id.dst_port = id.src_port = 0; @@ -2711,8 +2717,8 @@ ipfw_add_rule(struct ipfw_ioc_rule *ioc_rule, uint32_t rule_flags) crit_exit(); - DEB(kprintf("++ installed rule %d, static count now %d\n", - rule->rulenum, static_count);) + DPRINTF("++ installed rule %d, static count now %d\n", + rule->rulenum, static_count); } /** @@ -3474,7 +3480,7 @@ ipfw_check_ioc_rule(struct ipfw_ioc_rule *rule, int size, uint32_t *rule_flags) return EINVAL; } - DEB(kprintf("ipfw: opcode %d\n", cmd->opcode);) + DPRINTF("ipfw: opcode %d\n", cmd->opcode); if (cmd->opcode == O_KEEP_STATE || cmd->opcode == O_LIMIT) { /* This rule will create states */
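Review bot: In ipfw_check_ioc_rule() (hunk at -3474) `"ipfw: opcode %d\n"` is the only converted message with an `ipfw: ` prefix. The others begin with `--`, `++` or a bare function name, so debug output is hard to separate from other kernel messages when reading a log. Because every call site passes a string literal, the prefix can live in the macro, `kprintf("ipfw: " fmt, __VA_ARGS__);`, and this call becomes `DPRINTF("opcode %d\n", cmd->opcode);`. The surrounding validation loop starts and ends outside the hunk.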